Thursday, 12 December 2013

Hacker Sentenced for attempt to sell access for $50,000 to two supercomputers

A Pennsylvania man was sentenced to serve 18 months in prison for his role in a scheme to hack into computer networks and sell access to those networks.
Acting Assistant Attorney General Mythili Raman of the Justice Department’s Criminal Division and U.S. Attorney Carmen M. Ortiz of the District of Massachusetts made the announcement after sentencing by U.S. District Judge Mark Wolf in the District of Massachusetts on Dec. 11, 2013.
Andrew James Miller, 23, of Devon, Pa., pleaded guilty to conspiracy and computer fraud on Aug. 26, 2013. According to court documents, from 2008 to 2011, Miller remotely hacked into a variety of computers located in Massachusetts and elsewhere, and, in some instances, surreptitiously installed “backdoors” into those computers. These “backdoors” were designed to provide future administrator-level, or “root,” access to the compromised computers.
Miller obtained login credentials to the compromised computers. He and his co-conspirators then sold access to these backdoors, as well as other login credentials. The access sold by Miller and his co-conspirators allowed unauthorized people to access various commercial, education and government computer networks. Miller attempted to sell access for $50,000 to two supercomputers at the Lawrence Livermore Laboratory in Oakland, California, that were part of the National Energy Research Scientific Computing Center.
The case was investigated by the FBI and prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Adam Bookbinder of the U.S. Attorney’s Office for the District of Massachusetts.

Poker Shark's Laptop Pwned by "Evil Maid" Attack

Professional poker player Jens Kyllönen learned a lesson about computer security earlier this year: Don't leave your computer unattended without securing it first, not even in your hotel room.
Kyllönen was playing in the European Poker Tour event in Barcelona last September when he discovered that his laptop had gone missing from his hotel room. Since the laptop reappeared exactly where he had left it a short while later, he thought maybe his roommate, another professional poker player in the tournament, had borrowed it. Kyllönen became suspicious when he discovered he no longer needed to log in to his laptop and the operating system did not boot up properly, according to a write-up of the incident.
When his roommate Henri Jaakkola denied knowing anything about it, Kyllönen asked F-Secure to investigate.
Eek! A RAT Found!
Kyllönen was right to be concerned, as F-Secure researchers found a remote access Trojan (RAT) installed on the laptop, F-Secure posted on its blog earlier this week. It appeared the attacker had installed the malware using a USB stick and configured it to automatically start whenever the computer turned on to monitor Kyllönen's activities.
This RAT allowed attackers to view what Kyllönen was doing on the computer, a very serious problem considering Kyllönen also plays in online poker tournaments. F-Secure posted screenshots showing how the attacker could see what cards Kyllönen was holding during a game. If the attacker was sitting at the same virtual poker table, then the attacker has an advantage and "knows to hold out for a better hand," F-Secure said.
"He's a high-roller by any measure, with wins in the range of 2.5 million dollars from the past year," F-Secure said.
An Evil Maid Attack
Written in Java, the Trojan can work on any platform (Windows, Mac, Linux), and appears to work against any online poker site, the researchers found. F-Secure has investigated several instances of targeted attacks against professional poker players using tailor-made Trojans to "steal hundreds of thousands of euros," F-Secure said. The company has dubbed these attacks against professional poker players "sharking," much in the same way "whaling" refers to targeted attacks against high-profile business managers.
It's also important to note that the Trojan did not rely on online methods to infect the players, highlighting how important it is to physically secure our electronic devices from attack.
Security professionals refer to this technique as an evil maid attack, evoking the image of a hotel employee who has access to the computer while cleaning the room and can do something malicious without anyone else knowing. It's easy to forget that the easiest way to compromise a computer is to get to it while it is on and left unattended.
It's important to lock your laptop when you step away from it, even for a short period of time and require an actual login to get access to your desktop. Hard drives should be password protected, and full-disk encryption would prevent anyone else from maliciously installing malware in your absence. If you are on a trip, keep the laptop locked in a safe in a room only you can access, or keep it with you at all times.
"If you have a laptop that is used to move large amounts of money, take good care of it," F-Secure said. That is good advice, and not just for poker players. It doesn't matter if you are using your laptop for online banking or if you handle your company's payroll—you don't want the criminals getting access to your money.

Biometrics will become “mainstream” in 2014 – and fingerprints are just the start, says Ericsson

Fingerprint identification systems could sweep through the world of technology faster than most have predicted, according to an annual report released by Ericsson, the world’s largest cellphone network maker – based on opinion polls of 100,000 smartphone users around the world.
Nearly three-quarters of those polled (74%) believe biometric smartphones will become mainstream next year – and more than half of those polled were interested in the idea of fingerprint ID replacing passwords for card purchases online (50%), and in fingerprints being used in place of all internet passwords (52%).
“People are accessing more and more services through the cloud, and from a growing number of devices,” Ericsson said in the report. “Although consumers love to have their content and information available at all times, logging in to retrieve it is causing frustration. Sites are demanding longer passwords with a mixture of numbers, letters and symbols, making them almost impossible to remember.”
Ericsson’s poll for the biometrics pages consisted of 5,000 iPhone and Android users, all of whom used mobile internet services daily, in 10 major cities. It also found that consumers were comfortable with more exotic biometric technologies, such as smartphones which recognized users via their eyes. Nearly half (48%) of users were keen on this idea.
Ericsson said that “growing fatigue” consumers felt for passwords meant that, “Consumers would rather get rid of them completely, and for this reason are showing interest in biometric alternatives.”
Other handset makers will follow Apple’s lead in using fingerprint technology, according to a report by Reuters. Reuters quoted the CEO of Swedish biometrics firm Fingerprint Cards, who predicted that at least seven major smartphone firms, including Samsung, would release handsets incorporating the technology next year.
Stephen Cobb, Security Researcher with ESET, said in a We Live Security report here, when Apple unveiled the fingerprint sensor in the iPhone 5S, that the device could be a “game changer.”
Cobb said, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance. I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”
CNET said in its report on Ericsson’s research that other handset makers would offer “more seamless” ways to lock smartphones, driven in part by the trend for workers using their own devices at work (Bring Your Own Device, or BYOD): “Mobile makers are expected in the coming year to include increasingly seamless ways of unlocking devices and securing data — particularly as the bring-your-own-device (BYOD) trend continues to grow even further.”
Several start-ups are investigating even more out-there methods of biometric authentication, with some using user behavior as a metric, and shipping in the form of apps. Further We Live Security reports on the cutting edge of biometrics and passwords can be found here.

Reverse charges: How one man turned the tables on PC phone scammers

The fake “tech support” call is one of the most enduring cyber-scams out there – a phone call purportedly from a Windows engineer or an independent expert, offering help with a problem they detected on your machine. The scam, however, ends with the “engineer” defrauding victims of money.
This week, UK IT worker and social engineering blogger Dale Pearson was targeted – with eight phone calls from a company claiming there was a fault on his PC, and offering to fix it.
Residents in the area had recently been targeted, with scammers demanding £200 ($330) to fix a non-existent problem on their PC. Pearson, though, had the tools, and time, to fight back, using a virtual machine, and a fake IP address, to watch what the scammers did as they “worked”, according to local paper the Evesham Journal.
Despite crackdowns on the firms which perpetrate this fraud, it remains common – and ESET Senior Research Fellow David Harley has chronicled many variations of the scam on We Live Security. He also offers a useful guide to spotting such scams here.
Pearson says, “I had heard of people getting done by these sort of scams, but I had never had the privilege myself. So I thought I would keep them on the phone for a while to run up a bit of a bill for them, and at the same time get my VPN and Virtual Machine up and running to see exactly how these guys operate.”
“There were three of them,” Pearson told Yahoo News. “The first guy, I call the Convincer. He tries to hook you in, make you believe there’s a problem. The second guy who came on the line, I could hear he was more experienced at ‘social engineering’ – convincing you it was all legit. Then there’s a third guy you never see, the hacker who goes into your PC. Most people think they’re just after your credit card details – but there’s three parts to the scam. When they ‘fix’ the problem, they get full access to the machine – and that stays there, for them to use later.”
“They actually asked me, during the call, whether I did online banking, whether I shopped online,” he said. “Even if I had not handed over my card number, they could have installed a keylogger.”
Pearson’s video – complete with audio – is shown off on his blog, Subliminal Hacking. It offers a unique insight into one variation of an attack that has remained an enduring threat to computer users.
Pearson played along with the scam for half an hour, asking for repeated callbacks – and posting the numbers on his blog, and in his local newspaper, while using a VPN and Virtual Machine to watch, safely, what they did. First, the “technician” said Pearson should visit their site (titled PC Wizards), and then said that he should run software to allow remote access.
“So one guy is doing the quick talking, whilst the other is uploading backdoors to my VM, opening command windows and listing directory structures, and then tells me my ‘Software Warranty Has Expired’ and this is the reason I have all these errors and my computer runs slow.”
“I am in luck, for £119 and my credit card details they can renew this warranty for me, then my computer will be better than new. These really are nice folks. Oh the other point they like to make, my computer will be all kinds of awesome as long as I don't format it – they don’t have persistence after formatting.”
Pearson said he finally “got bored” and politely thanked them “for hacking my machine,” at which point, he says, the technicians were irate: “How dare I claim they are hacking my machine, they are trying to help me. Then they tell me that next time I turn on my computer I am going to be in trouble, and it won't work properly.”
“(Perhaps it’s a mysterious virus, corrupted files or disk partitions, or attacks by a remote hacker) that the caller will be pleased to fix for you, for a “small” fee,” Harley wrote in a blog post this year. Harley says that new versions of the scam include threats – with callers claiming that the government has detected scam emails from an IP address.

All of Android’s top 100 apps have been hacked – and banking apps are now a prime target, report finds

Smartphones are now a serious target for cybercriminals, with 100% of the top 100 Android apps having been hacked in the past year. Hackers now specifically target financial apps, such as those used by banks – with 53% of Android banking apps having been cracked, and 23% of iOS apps, according to a report by app security company Arxan.
Such ‘hacked’ apps are often distributed through unofficial stores such as Cydia, or via torrent sites – and some have been downloaded hundreds of thousands of times, Arxan said.
“Pirated versions of popular software are available on numerous unofficial app stores like Cydia, app distribution sites, hacker/cracker sites and file download and torrent sites,” said Morgan.
“During our research we discovered that some of the hacked versions have been downloaded over half a million times which gives a sense of the magnitude of the problem especially as we embark upon a season of high consumer activity that will involve payment transactions, and consumption of products and services via the mobile,” Kevin Morgan, chief technology officer at Arxan, said in an interview with The Telegraph.
“Mobile financial apps are very fallible,” the report said. “Financial services app owners will commonly deploy on multiple mobile platforms to ensure their new mobile services can reach the majority of their total customer base. Evident in this finding is that these innovative apps are likely targets of hackers as these apps may support monetary transactions. This high-risk category, especially with regards to mobile banking and payment applications, requires extra vigilance.”
PC World commented, “Hackers often target financial apps, and with good reason. If criminals can get between you and your bank, they have access to your account numbers, passwords, and other useful information. They can easily turn your money into their money.”
While the greatest risks came from apps acquired via torrent sites, unofficial stores and other semi-legitimate sources, Android users could be fooled into downloading “modified” apps even from the official Google Play store, Arxan warned, according to The Guardian’s report.
“Google Play isn’t a vetted app store – it tends to have a lot of cruft,” said Morgan. “Whereas in the Apple Store you’re almost certain to see just legitimate apps.”
Morgan said it would be “easy” to insert an app entitled “Bank of America” into Google’s store. The research was based on data accessed in October 2013, and the Top 100 Paid app lists on the Apple App Store and Google Play. The researchers also analyzed 20 popular financial apps for each platform.
The researchers said that the fragmented nature of Android – and the huge number of devices at low price points – “clearly underlines that Android is the more insecure operating system. Hackers can more readily target a fragmented, and open Android ecosystem to insert malware into the Google Play Store. Specifically, the majority of Android devices will not be able to receive new security measures provided by Google, which results in users being vulnerable to even known threats.”
ESET Senior Research Fellow Righard J. Zwienenberg commented in a post earlier this year, “The biggest problem for consumers is the enormous number of old phones running Android that are still in use, for which the operators will not release a new version. Regardless of whether Google releases patches for these versions, the phones will remain vulnerable.”
Financial watchdogs have warned that the growing use of banking apps poses a serious threat to banks and their customers, as reported by We Live Security earlier this year.
“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge of the payments system. Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction, resulting in a greater likelihood of a problem occurring.”

UK cyber economy will rise to £2bn by 2016, aided by partnerships with Facebook and BT

The UK government has announced plans to grow the country's cyber economy to £2bn by 2016, as a part of its ongoing Cyber Strategy.
A senior government official revealed the plans during a briefing attended by V3, confirming the growth will require the public and private sector to increase their current levels of collaboration. The official highlighted accreditation initiatives, like the government's ongoing CESG Certified Professional (CCP) scheme, as key ways the government planned to achieve its growth target.
"We developed the scheme through the cyber growth partnership to blitz any obstacles. With the industry we've been developing an organisational standard, a badge of quality for cyber to give people who know about this but haven't studied it something to bite into," said the official. "We're aiming to grow this [the UK's cyber economy] from £850m to £2bn by 2016."
The CCP scheme is a joint endeavour designed to test and accredit workers responsible for securing UK industry networks at all types of organisations. Applicants seeking accreditation are required to pass a series of tests run by the Institute of Information Security Professionals (IISP), the Council for Registered Ethical Security Testers (CREST) and Royal Holloway University's Information Security Group (ISG).
The official said the government plans to lead by example and will launch a new initiative to ensure all appropriate partners in its own supply chain meet the standards it sets for industry. "The government is hoping to adopt that standard in its own procurement where relevant, so some people will need this badge if they want to do business. We're ensuring our chain is cyber resilient," he said.
The official also confirmed plans to expand its partnership with private companies, confirming new partnerships with several new businesses, including Facebook and security firm Sophos, although the nature of the partnerships remains unknown. The official also announced plans to double the number of companies participating in the ongoing Cyber Information Sharing Partnership (CISP), from 250 to 500 by the end of 2014.
CISP was launched in March, following a two-year trial period. The initiative is designed to facilitate real time data sharing about cyber threats between the public and private sector. Since officially launching, some security professionals have criticised the initiative. Experts from the International Information Systems Security Certification Consortium (ISC2) and security firm FireEye highlighted CISP's failure to support SMEs as a particular shortcoming at the RSA conference in Amsterdam in October.
The official said the government plans to create a host of new initiatives to help support SMEs. "The strategy is working, at least with large companies [...] inevitably it is harder to get to the smaller companies in. The scale of things makes it harder to get to them individually [...] So we're announcing a project with Nominet to produce a tool that helps SMBs audit themselves against key guidance in this area," he said.
"We're publishing a set of guiding principles to explain what they should do, to let them know what they should do to protect themselves and, if they do have an issue, where to go."
Finally the official announced plans to create several new initiatives designed to expand the UK's pool of cyber experts. At the top end this includes the creation of a new research institute designed to investigate new ways to protect industrial control systems. At the lower end, the future plans include a new partnership with the Open University and fresh funding for the Cyber Security Challenge initiative.
"Skills are vital, we've been doing a lot on skills to broaden the pipeline of people coming into this area. The government is partnering with the Open University to do a new scheme on cyber, through which we hope to get about 200,000 into the topic. This will happen for the first time in summer 2014," he said.
"We're also giving money to the Cyber Security challenge to roll out nationally. It's going to be about getting groups and school children and pitting them against code created by experts. It's about broadening awareness and skills, but hopefully also getting a few interested in becoming the next generation of experts."
Training the next generation has been a staple goal of the UK government's Cyber Strategy since it launched in 2011. In February, the National Audit Office (NAO) forecast that, despite the government's efforts, the UK cyber skills gap would last 20 years, costing the nation £27bn a year.

Google launches Android Device Manager remote security app

Google has extended the capabilities of its Android Device Manager tool, launching a new app for Android that allows users to remotely secure their other Android devices without the need for a desktop browser.
The Android tool features the same functionality as the desktop app, launched in August. This includes geolocation, which will use the missing device's GPS service as well as its WiFi and cellular radio in order to place the device within as small a radius as possible.
For locating units that are lost in a known area, such as in the same building, the app allows users to play their phone's default ringtone at full volume for five minutes. This can be triggered by another Android device with the app installed, such as a tablet. As a short-term security solution, users can also set a password for the device remotely, which must be entered in addition to any other security measures already in place on the device.
Otherwise the tool can remotely wipe all data from the missing unit, thereby securing any personal data that may have been on it. All the features of Android Device Manager require the missing device to be connected to the internet via a WiFi or mobile data connection, and must also be switched on.
Such measures are becoming increasingly important for businesses and public sector bodies handling sensitive data, with the Information Commissioner's Office dishing out most of its fines for simple mishandling and loss of technology holding sensitive data. Since it was set up in 2011, the ICO has levied more than £4m in fines to public sector bodies alone.

PRISM: Government asks for feedback on spying practices

The government has issued a call for evidence and opinions on the extent to which it should be able to monitor private communications as the fallout from PRISM continues.
The Intelligence and Security Committee of Parliament (ISC) said in October that it would conduct a public review of the extent of surveillance in the UK after the PRISM spying scandal broke. This came three months after it had cleared GCHQ of any legal wrongdoings regarding the programme.
The ISC has now set out its guidelines for these submissions, asking for responses of no more than 3,000 words with a deadline of 7 February 2014. The ISC asks in particular for thoughts on three areas.
The first asks: “What balance should be struck between the individual right to privacy and the collective right to security?”
Arguments about national security and protecting the public have been used to defend the spy agencies’ activities from day one, with governments arguing it is vital to monitor communications to catch suspected terrorists.
Furthermore, the ISC said it needs to consider the issue of this surveillance within the wider framework of other forms of monitoring.
“How does this differ for internet communications when compared to other forms of surveillance, such as closed-circuit television (CCTV) cameras? To what extent might it be necessary and proportionate to monitor or collect innocent communications in order to find those which might threaten our security?
“How does the intrusion differ between data (the fact a call took place between two numbers) as opposed to content (what was said in the call)?”
The second area of interest relates to the legal justification for mass monitoring of communications.
“Whether the legal framework which governs the security and intelligence agencies’ access to the content of private communications is ‘fit for purpose’, given the developments in information technology since they were enacted.”
The final area relates to whether there is a need for “specific changes to specific parts of legislation governing the collection, monitoring and interception of private communications.”
All submissions have the potential to be published and those who provided particularly astute evidence may be asked to attend meetings to expand on their submissions. Responses can be emailed to the ISC’s dedicated email address for this inquiry.
Many tech giants such as Google, Microsoft and Apple could be among those who submit evidence, as they continue to protest against the extensive monitoring that has come to light thanks to papers leaked by former CIA analyst Edward Snowden.

More than 15,000 lost mobile phones on London Underground pose security risks

More than 15,000 mobile phones were lost on the London Underground in 2013, according to data released under a Freedom of Information request, underlining the security issues thrown up by device loss.
Security vendor McAfee got hold of the data from Transport for London (TfL) and found that in total 15,833 mobile phones were handed to its lost property department after being left on trains, buses and tubes. To date only 2,308 have been returned, with 13,525 still unclaimed.
Even larger sized devices are prone to being lost, with 506 misplaced tablets during the past year, up from just 17 lost tablets in 2009. So far only 290 of the 506 were reclaimed. Perhaps even more worryingly, a total of 528 laptops were handed in and 191 are yet to be claimed.
Raj Samani, security expert at McAfee, said the figures underlined the importance of ensuring adequate device security, because mobiles, tablets and laptops can go missing very easily, as the numbers proved.
“Small businesses should ensure they have the appropriate security measures in place so that even if they do misplace their tablet or smartphone after the office Christmas party, they won’t be at risk of identity theft or have their personal details compromised,” he said.
Businesses would do well to note this data as it shows that even major items such as laptops and tablets can be easily lost and that having the right encryption and device management systems in place is vital. Lost devices lacking basic security measures such as encryption are often the cause of ICO fines, which this year passed the £4m threshold.
The one consolation was that the figure of mobile loss in 2013 was down notably on 2012 when 20,906 devices were lost.
Samani also noted that the figures would hide those devices not returned to the lost property office, so the real figure of mislaid items is probably higher. "In some lucky cases, lost devices will get handed in to TfL lost property, but in many others they will get snatched by opportunistic thieves,” he said.
Theft is also a major concern in London for devices, especially smartphones, with the Mayor of London Boris Johnson working to crack down on this issue.

Bitcoins 100 years away from being viable global currency

Bitcoin is at least 50 to 100 years away from being a challenger to traditional currency, according to EY.
Roger Willis, fraud investigation and dispute services expert at EY (formerly Ernst & Young), said during a press briefing attended by V3 that Bitcoin's lack of progress in overcoming traditional banking systems is due to a misunderstanding about its original goal and nature.
"Bitcoin was originally an experiment, it's just morphed into something massive [that] no one envisaged and there are hurdles that need to be jumped over to make it work. Bitcoin is not designed to replace fiat and if it does it will be 50 to 100 years in the future. Bitcoin was developed to be used in e-commerce and microtransactions – it wasn't made to replace dollars or euros," he said.
Fiat currency is money declared by a government to be legal tender, while Bitcoins are a cryptographic currency that first appeared five years ago. The currency lets users make peer-to-peer transactions without going through traditional banking exchange systems. It uses a self-perpetuating algorithm to automatically determine the value of each Bitcoin.
EY director Colin Pickard, added that despite not being a viable fiat replacement, Bitcoin does still have the potential to revolutionise the way companies do business. "There are definite possible gains, in terms of reduced transaction costs, but there are issues with anonymous users and a lack of regulation. We're not pro or anti-Bitcoin, but we do see there are significant risks," he said.
"Not being controlled by a single state has a number of impacts, one of these is the deflation of the currency. Inflation lets governments borrow from tomorrow's children. A decentralised currency [such as Bitcoin] means this is not an option, so there is a potential positive. The negative is it's not subject to regulation or democratic control."
The unregulated nature and potential theorised anonymity of Bitcoins has made the currency popular with criminal groups. The currency is known to be accepted on numerous cyber black markets, including the recently shut down Silk Road.
Willis questioned criminal interest in Bitcoin's alleged anonymity powers, and confirmed that there are ways to track transactions made on the platform. "The notion Bitcoin is anonymous, a lot of people say it is anonymous and untraceable, this isn't necessarily true," he said.
"By nature, to create a decentralised currency you need a record of where each coin is, that's the blockchain and in it you can see every Bitcoin transaction in real time. If a law enforcement agency wanted to trace transactions they could use the blockchain to do this."
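The point Willis makes above, that a public ledger is a record of where every coin is and can therefore be followed, can be shown on a toy ledger. This is an added example, not code from the article or from EY; the addresses, transaction ids and the simplified UTXO-style transaction format below are constructed for illustration, not real chain data.

```python
"""Toy transaction-graph tracer (constructed example, not real Bitcoin data).

Each transaction spends earlier outputs, referenced by (txid, output index),
and creates new outputs of (address, amount). A transaction with no inputs
stands in for a coinbase that mints new coins. Because every spend names the
output it consumes, the whole history of a coin can be walked forward from
any address, which is what makes such a ledger traceable."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # [(prev_txid, output_index), ...]; empty for coinbase
    outputs: list  # [(address, amount), ...]


# Constructed sample ledger: coinbase -> alice -> bob/eve -> ... -> exchange
LEDGER = [
    Tx("tx0", [], [("alice", 50)]),                           # coinbase to alice
    Tx("tx1", [("tx0", 0)], [("bob", 30), ("alice", 20)]),    # alice pays bob, keeps change
    Tx("tx2", [("tx1", 0)], [("carol", 10), ("dave", 20)]),   # bob splits to carol and dave
    Tx("tx3", [("tx1", 1)], [("eve", 20)]),                   # alice's change goes to eve
    Tx("tx4", [("tx2", 1), ("tx3", 0)], [("exchange", 40)]),  # dave and eve cash out
    Tx("tx5", [], [("mallory", 50)]),                         # unrelated coinbase
]


def build_index(ledger):
    """Return (spent_by, received): which tx spends each output, and which
    outputs each address received. Together they are the ledger's record of
    where each coin currently sits."""
    spent_by, received = {}, {}
    for tx in ledger:
        for prev in tx.inputs:
            spent_by[prev] = tx
        for i, (addr, amount) in enumerate(tx.outputs):
            received.setdefault(addr, []).append((tx.txid, i, amount))
    return spent_by, received


def validate(ledger):
    """Check that every input references an existing, not-yet-spent output
    and that no non-coinbase tx creates value. Returns a list of error
    strings; an empty list means the ledger is internally consistent."""
    errors, outputs, spent = [], {}, set()
    for tx in ledger:
        if tx.inputs:
            total_in = 0
            for prev in tx.inputs:
                if prev not in outputs:
                    errors.append(f"{tx.txid}: input {prev} does not exist")
                    continue
                if prev in spent:
                    errors.append(f"{tx.txid}: input {prev} already spent (double spend)")
                spent.add(prev)
                total_in += outputs[prev][1]
            total_out = sum(amount for _, amount in tx.outputs)
            if total_out > total_in:
                errors.append(f"{tx.txid}: outputs {total_out} exceed inputs {total_in}")
        for i, out in enumerate(tx.outputs):
            outputs[(tx.txid, i)] = out
    return errors


def trace_forward(ledger, start_addr):
    """Follow every coin received by start_addr through all later spends.
    Returns {address: set of txids by which coins from start_addr reached it}.
    Outputs that are never spent simply stop the walk: the coin sits there."""
    spent_by, received = build_index(ledger)
    reached, seen = {}, set()
    queue = deque(received.get(start_addr, []))
    while queue:
        txid, idx, _amount = queue.popleft()
        if (txid, idx) in seen:
            continue
        seen.add((txid, idx))
        nxt = spent_by.get((txid, idx))
        if nxt is None:
            continue  # unspent output: trail ends at this address
        for j, (addr, amount) in enumerate(nxt.outputs):
            reached.setdefault(addr, set()).add(nxt.txid)
            queue.append((nxt.txid, j, amount))
    return reached


if __name__ == "__main__":
    print("ledger errors:", validate(LEDGER))
    for addr, txids in sorted(trace_forward(LEDGER, "alice").items()):
        print(f"coins from alice reached {addr} via {sorted(txids)}")
```

Running it shows that coins minted to alice can be followed through bob, carol, dave and eve to the exchange, while mallory's unrelated coinbase never appears; the validator also flags a second spend of an already-consumed output.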
Pickard added that criminals are interested in Bitcoins because of the currency's ever-increasing value. "Bitcoins are currently being traded more like a commodity than a currency. This is a problem as it leads to crime and stealing. The crime here is not the same as people stealing pounds. People don't steal pounds to wait and see them go up in value," he said.
Pickard said in order to become properly fit for business, Bitcoin will have to make some concessions to the way the platform runs and find a way to work within the world's existing banking regulatory framework.
"These unregulated virtual currencies are difficult for our traditional banking exchanges to engage with. I would not want to be the first tier-one bank to be doing this. They have to work and think how they can engage with this new currency. This will be a big thing in the US. This is sad as there is a potential gain for the global economy, but we have to figure out how to make it work with our existing banking regulatory framework."
He added that to fully function Bitcoin should be regulated by elected officials, not an independent body.
The EY experts' comments follow widespread reports that hackers are altering their operations to illegally hoard Bitcoins. Security firm Symantec reported earlier this year that the infamous ZeroAccess botnet had been altered to mine Bitcoins using enslaved machines.