Thursday, 30 October 2014

BlackEnergy malware has compromised industrial control systems for two years

US CERT logo
THE US DEPARTMENT OF HOMELAND SECURITY Computer Emergency Response Team (US-CERT) has warned that industrial control systems (ICS) in the US have been compromised by the BlackEnergy malware for at least two years.
The BlackEnergy family of malware is believed to be the same used in the cyber attack against Georgia in 2008.
It uses a malicious decoy document to hide its activities, making it easier for the hackers to mount follow-up attacks.
US-CERT said the malware campaign is sophisticated and "ongoing", and attackers taking advantage of it have compromised unnamed ICS operators, planting it on internet-facing human machine interfaces (HMI) including those from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
It is currently unknown whether other vendors' products have also been targeted, according to US-CERT.
"At this time, Industrial Control Systems-CERT has not identified any attempts to damage, modify or otherwise disrupt the victim systems' control processes," said the team in an alert.
"ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system.
"However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment."
US-CERT describes the malware as "highly modular", and said that not all functionality is deployed to all victims.
An analysis run by the team identified the probable initial infection vector for systems running GE's Cimplicity HMI with a direct connection to the internet.
"Analysis of victim system artefacts has determined that the actors have been exploiting a vulnerability (CVE-2014-0751) in GE's Cimplicity HMI product since at least January 2012," the alert read.
On Monday, US-CERT also warned of attacks spreading the Dyre banking malware, which steals victims' credentials.
The department said that, since mid-October, a phishing campaign had targeted "a wide variety of recipients", but elements, such as the exploits, email themes, and claimed senders of the campaign, "vary from target to target".
"A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services," the alert warned.

T-Mobile toughens network encryption against government snooping

(Image: CNET/CBS Interactive)
T-Mobile's networks may have changed for the better — stronger signal, faster speeds, better coverage — but what you probably didn't know is that they're now even more secure.
In upgrading its U.S. networks, the fourth largest cellular giant in the country also bolstered encryption in a number of cities, switching to A5/3 encryption from the A5/1 standard on the older 2G networks, which in some cases still carry calls or text messages when faster data isn't available. Newer technologies, like 3G and 4G (LTE), already offer significantly stronger encryption.

The Washington Post, which first tested the networks in a number of cities, said New York, Washington, and Boulder, Colorado are now using the newer standard, covering tens of millions of customers.
Upgrading the network to the newer A5/3 encryption makes it significantly harder to eavesdrop on calls and text messages. Even for the National Security Agency, which reportedly is able to decode the older, legacy A5/1 encryption, may face headaches with the new standard.
T-Mobile did not comment on the encryption.
In densely populated areas, such as the cities with enhanced encryption, monitoring cellular calls becomes more difficult — simply because of the volume of people. The call and text data is still routed through ground networks, but filtering it becomes difficult. The Post explained that an "IMSI catcher," which can identify an individual cell subscriber, can make it easier to snoop on calls and texts without having to crack the phone or network's encryption.
AT&T said it is already ramping up its encryption efforts by offering A5/3 encryption, but tests by the Post found  in U.S. locations where T-Mobile upgraded, AT&T had not.
In any case, AT&T is shutting down its A5/1-encrypted 2G network by 2017, and replacing it with newer technology.

White House computer network 'hacked'

The White House  
According to reports, an unclassified network was breached
A White House computer network has been breached by hackers, it has been reported.
The unclassified Executive Office of the President network was attacked, according to the Washington Post.
US authorities are reported to be investigating the breach, which was reported to officials by an ally of the US, sources said.
White House officials believe the attack was state-sponsored but are not saying what - if any - data was taken.
In a statement to the AFP news agency, the White House said "some elements of the unclassified network" had been affected.
A White House official, speaking on condition of anonymity, told the Washington Post: "In the course of assessing recent threats, we identified activity of concern on the unclassified EOP network.
"Any such activity is something we take very seriously. In this case, we took immediate measures to evaluate and mitigate the activity.
'State-sponsored' "Certainly, a variety of actors find our networks to be attractive targets and seek access to sensitive information. We are still assessing the activity of concern."
The source said the attack was consistent with a state-sponsored effort and Russia is thought by the US government to be one of the most likely threats.
"On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system," a second White House official told the Washington Post.
"This is a constant battle for the government and our sensitive government computer systems, so it's always a concern for us that individuals are trying to compromise systems and get access to our networks."
The Post quoted its sources as saying that the attack was discovered two-to-three weeks ago. Some White House staff were reportedly told to change their passwords and there was some disruption to network services.
In a statement given to Agence France-Presse, a White House official said the Executive Office of the President received daily alerts concerning numerous possible cyber threats.
In the course of addressing the breach, some White House users were temporarily disconnected from the network.
"Our computers and systems have not been damaged, though some elements of the unclassified network have been affected. The temporary outages and loss of connectivity for our users is solely the result of measures we have taken to defend our networks," the official said.
The US's National Security Agency, Federal Bureau of Investigation and Security Service were reportedly investigating.
Requests for comment were referred to the Department for Homeland Security, a spokesman for which was not immediately available. A White House spokesman has not responded to the BBC's request for comment.

Carders offer malware with the human touch to defeat fraud detection

A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach.
The "Voxis Platform" is billed as "advanced cash out software" that promises to help carders earn "astronomical amounts" of cash by faking human interaction with different payment gateways, authors bragged in an ad posted around underground forums and to Bitcoin payments site Satoshibox.
The operator of the Voxis Team crime group, an entity known as Bl4ckS14y3r, has claimed the platform can funnel cash through 32 payment gateways without human interaction and automatically create fake customer profiles to make the transfers less suspicious.
IntelCrawler cybercrime investigator Andrew Komarov reported the software being flogged by Voxis Team member using the handle Conaco in October for US$180.
"The sophisticated Voxis Platform provides the underground economy options for washing stolen credit cards," Komarov said.
"Taking advantage of fraudulently obtained merchant accounts, bad actors can use speed to automate and load cards to be charged for pre-determined amounts at pre-determined times, all with the goal of sliding under fraud detection systems.
"The emulation of human behaviour and buying patterns increases their probabilities of having charges authorised."
Voxis Platform The Voxis Platform: a pretty UI, but is it more than carder phooey?
If the wares work as advertised it could help carders to do without money mules and stolen identities.
Supported payment gateways included Coinbase, Paypal, and WorldPay.
"Past breaches of retailers like Target and Home Depot have created a demand in the underground to quickly try and monetise the stolen cards," Komarov said. "Groups of cyber criminals actually pool their programming resources to build tools like the Voxis Platform."
He said IntelCrawler recommended processors bolster their know-your-customer capabilities in respect to new merchant accounts and tighten transaction scrubbing thresholds.
Voxis Team developers promised in the advertisement "so advanced" it was dubbed 'fantastico Platform' that would support Amazon EC2 and tunnelling via proxy.

Monday, 13 October 2014

Kmart Says Card Data Stolen in Latest Retail Cyber Hack

Sears Holdings Corp. (SHLD)’s Kmart discount chain, the latest victim of hacker attacks on retailers, said it detected a security breach this week and is investigating the incident with law enforcement officials.
The retailer’s information-technology team identified the breach on Oct. 9 and is working with a top security firm to assess the incursion, which happened in early September, Kmart said in a filing yesterday. Customer payment-card information was probably exposed by the attack.
“According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said. “Kmart was able to quickly remove the malware. However, Kmart believes certain debit and credit card numbers have been compromised.”
A wave of data breaches at companies including Home Depot Inc. (HD), Target Corp. (TGT) and Neiman Marcus Group Ltd. have pressured retailers to bolster database and credit-card processing security. Nationwide concerns about cyber intrusions have escalated after JPMorgan Chase & Co. (JPM) recently disclosed that an attack by hackers exposed contact information of 76 million households and 7 million small businesses.
Kmart said it doesn’t appear that personal information, debit-card PINs, e-mail addresses or social security numbers were obtained by the hackers. Howard Riefs, a spokesman, was unable to provide the number of customers affected.

‘Advanced Software’

Kmart said in the statement that it’s working closely with federal law enforcement authorities, banking partners and IT security firms in the ongoing investigation and is “deploying further advanced software to protect customers’ information.”
Home Depot’s data breach between April and September put about 56 million payment cards at risk, the company said in September. The hackers used custom-made software to evade detection as they infiltrated computers at stores in the U.S. and Canada, relying on tools that haven’t been seen in previous attacks, according to the Atlanta-based home improvement retailer.
The company began investigating the attack on Sept. 2, immediately after banking partners and law enforcement raised alarms that its systems may have been infiltrated. Home Depot has said that while payment systems were hacked, there is no evidence that debit-card PINs have been compromised.

Discount Chain

Target has recorded $146 million in expenses as of Aug. 2 related to the discount chain’s breach in which data for 40 million accounts were stolen. Part of the expenses include an estimate on claims yet to be made by the credit card companies.
More than 100 lawsuits have been filed against Target relating to the breach, which contributed to the ouster of Chief Executive Officer Gregg Steinhafel in May. The chain also blamed the attack, which became public in December, for a sales decline in the fourth quarter.
Hackers also have attacked Supervalu Inc. (SVU) and AB Acquisition LLC, the operator of the Albertsons supermarket chain.
Shares of Sears, based in Hoffman Estates, Illinois, fell 6 percent to $24.78 at the close in New York yesterday, taking its decline for the year to 38 percent.
The parent of Kmart is struggling to revive sales growth and is unloading assets to generate cash after nine straight quarters of losses.

Meet the UK's PRISM program

(Image: ZDNet/CBS Interactive)
British police have access to an automated data demand system, which is regularly used to acquire data belonging to customers of three of the four major UK mobile networks.
According to a report first published on Friday by The Guardian, customer data is handed over "like a cash machine" to British police, in many cases automatically and without the direct consent each time of the phone companies.
EE, the company behind T-Mobile and Orange, along with Vodafone and Three give police "click of a mouse" access to tens of millions of UK mobile customers.
A fourth operator, O2, is the only major phone network requiring staff to review police requests, the newspaper cited the company as saying.
Although the system "mirrors" the US PRISM program, the name of the UK program is not known.
For more than a decade, every single mobile, cellular, and landline operator in the UK has been obligated under British law, specifically the Regulation of Investigatory Powers Act (RIPA), to store communications data for up to two years. That includes calls made, when, for how long, and to whom.
RIPA was introduced in 2000, pre-dating a mass surveillance effort in the US following the September 11 attacks a year later. It acts as the US' equivalent of the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), which can force a company to hand over data — often in secret — without public judicial oversight.

Such laws have been the basis of the modern-day UK-USA agreement, which has been used to conduct surveillance on a massive scale — not just on citizens but also governments, politicians, private companies, and journalists.
There is little oversight for RIPA, either. A senior police officer must give the authority to access the UK's PRISM system, but in many cases these can be conducted without any significant checks and balances from the British courts.
But to date, it's believed that not a single UK mobile operator has released figures showing how many data demands they are served each year under British surveillance laws, either through RIPA, or through warrants or court orders.
Vodafone, however, became the first UK operator to disclose that in some countries law enforcement has "direct access" to its networks. Thanks to the new report by The Guardian, that also includes the UK.
Earlier this year, the European Court of Justice struck down a crucial data retention law that forced phone networks to store communications data, ruling it unlawful. The data retention laws were critical for British police and intelligence agencies to acquire this data. It took a matter of weeks for the British parliament to create its own emergency data retention laws to allow the UK's PRISM program to continue.

"Without these capabilities we run the risk that murderers will not get caught, terrorist plots will go undetected, drug traffickers will go unchallenged, child abusers will not be stopped, and slave drivers will continue in the appalling trade in human beings," UK Home Secretary Theresa May said at the time.
One of the more recent concerns with US surveillance laws was the allegation that there were "two versions" of the Patriot Act: one that was written in the public law books, and a secret interpretation developed and used by the US Justice Department.
However, by contrast, RIPA is relatively straightforward and lays out much of what British police and intelligence agencies can do.
The UK has been working to expand its snooping powers during the Cameron-Clegg coalition administration, but failed due to strong opposition. But in the Queen's Speech in 2013, the proposals to widen the tracking of people's internet and phone activities were rekindled.
These proposals, although still in Home Office development, remain vastly under wraps.

Researcher makes the case for DDOS attacks

To some people, a political mission matters more than anything, including your rights. Such people (the Bolsheviks come to mind) have caused a great deal of damage and suffering throughout history, especially in the last 100 years or so. Now they're taking their mission online. You better not get in their way.
Molly Sauter, a doctoral student at McGill University and a research affiliate at the Berkman Center at Harvard ("exploring cyberspace, sharing its study & pioneering its development"), has a paper calling the use of DDOS (distributed denial of service) attacks a legitimate form of activism and protest. This can't go unchallenged.

Sauter notes the severe penalties for DDOS attacks under "...Title 18, Section 1030 (a)(5) of the US Code, otherwise known as the CFAA" (Computer Fraud and Abuse Act). This section is short enough that I may as well quote it here verbatim:
(5)(A) [Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
There are other problems with the CFAA with respect to some legitimate security research and whether it technically falls afoul of the act, but that's not the issue here.
Sauter goes on in some detail with the penalties under Federal law for violating this act and, no argument here, they are extreme and excessive. You can easily end up with many years in prison. This is, in fact, a problem generally true of Federal law, the number of crimes under which has grown insanely in the last 30 or so years, with the penalties growing proportionately. For an informed and intelligent rant on the problem I recommend Three Felonies a Day by Harvey Silverglate. Back to hacktivist DDOS attacks.
She cites cases of DDOS attacks committed against Koch Industries, Paypal, the Church of Scientology and Lufthansa Airlines, some of these by the hacktivists who call themselves Anonymous. In the US cases of the attacks against Koch, Paypal and the Church, the attackers received prison time and large fines and restitution payments. In the Lufthansa case, in a German court, the attacker was sentenced to pay a fine or serve 90 days in jail; that sentence was overturned on appeal. The court ruled that "...the online demonstration did not constitute a show of force but was intended to influence public opinion."
This is the sort of progressive opinion, dismissive of property rights, that Sauter regrets is not happening here in the US. She notes, and this makes sense to me, that the draconian penalties in the CFAA induce guilty pleas from defendants, preventing the opportunity for a Lufthansa-like precedent.
This is part and parcel of the same outrageous growth of Federal criminal law I mentioned earlier; you'll find the same incentive to plead guilty, even if you're just flat-out innocent, all over the US Code. I would join Sauter in calling for some sanity in the sentencing in the CFAA, but I part ways with her argument that political motives are a mitigating, even excusing factor.
Sauter's logic rises from a foundation of anti-capitalism: would appear that the online space is being or has already been abdicated to a capitalist-commercial governance structure, which happily merges the interests of corporate capitalism with those of the post-9/11 security state while eliding democratic values of political participation and protest, all in the name of 'stability.'

Once you determine that capitalism is illegitimate, respect for other people's property rights is no longer a problem. Fortunately, the law protects people against the likes of Anonymous and other anti-capitalist heroes of the far left.
I would not have known or cared about Sauter's article had it not been for a favorable link to it by Bruce Schneier. Schneier is a Fellow at the Berkman Center.
Progressives and other leftists who think DDOS, i.e. impeding the business of a person or entity with whom you disagree in order to make a political point, should consider the shoe on the other foot. If I disagree with Schneier's positions is it cool for me to crash his web site or those of other organizations with which he is affiliated, such as the Berkman Center, the New America Foundation's Open Technology Institute, the Electronic Frontier Foundation, the Electronic Privacy Information Center and BT (formerly British Telecom)? I could apply the same principle to anti-abortion protesters impeding access to a clinic. I'm disappointed with Schneier for implying with his link that it's legitimate to engage in DDOS attacks for political purposes.
It's worth repeating that Sauter has a point about the CFAA, particularly with respect to the sentences. It does need to be reformed — along with a large chunk of other Federal law. The point of these laws is supposed to be to protect people against the offenses of others, not to protect the offender.

Saturday, 4 October 2014

CBS Investigates Closed Captioning Hacking Incident

CBS Captioning Statement
The closed captioning that we receive from CBS in New York for tonight's episode of Blue Bloods was hacked and unfortunately contained profanity and other statements that do not represent those of News 9 or CBS. We sincerely apologize for this and the lack of captioning for our hearing impaired viewers.
CBS is currently investigating and will implement steps to insure that this does not happen again.

Phone hacking: News of the World’s Ian Edmondson pleads guilty

The News of the World's Ian Edmondson has admitted he was involved in phone hacking
The News of the World’s Ian Edmondson has admitted he was involved in phone hacking. Photograph: Ray Tang/Rex Features
A former News of the World news executive has admitted he was involved in phone hacking, 16 months after pleading not guilty to the crime in the Old Bailey.
Ian Edmondson’s about-turn marks the final chapter in the phone-hacking trial that ended in June with the conviction of Andy Coulson and the acquittal of Rebekah Brooks, both former New of the World editors.
Edmondson, 45, spoke only to confirm his name and to say “guilty” when asked to formally enter his plea.
He was charged with conspiring to hack phones between 3 October 2000 and 9 August 2006 together with the paper’s former editor Andy Coulson and with hacker Glen Mulcaire, the paper’s former royal editor Clive Goodman, its former newsdesk executives Greg Miskiw, Neville Thurlbeck and James Weatherup, the paper’s former feature writer Dan Evans, and other persons known and unknown.
Edmondson was one of the original eight defendants at the Old Bailey trial but, for health reasons, was deemed “unfit” to continue on the 29th day of proceedings. He was deemed fit to stand trial in July.
Before he was released from trial, the jury heard how he was one of four news editors for whom convicted hacker Mulcaire worked.
Edmondson, who is now facing the possibility of jail, was bailed and will be sentenced at a date in November.
Edmondson’s barrister Sallie Bennet-Jenkins QC told the court that Mulcaire had frequently “bragged” about hacking and Edmondson was aware that this was one of the tools of his trade when tasking him.
She added, however, that Edmondson had been acting “under direct instructions by senior executives to use Mulcaire”.
Mark Bryant Heron QC, for the prosecution, told the court that Edmondson was not the most prolific tasker of Mulcaire during the six-year phone hacking conspiracy at the paper.
At one stage he even wanted to sack him, telling his bosses that the £2,019 a week for “special investigations” being paid to Mulcaire’s Nine Consultancy “had to stop”.
But, said the prosecutor, once Mulcaire’s previous handler Miskiw – also a former news editor – left the paper, Edmondson became a “frequent” tasker of the private investigator.
Between July 2005 and August 2006 records showed there were 800 callsand texts, or 90 a month Bryant Heron said.
The court also heard for the first time of a tape recording of a conversation between Edmondson and a News of the World colleague. The tape was undated but from its contents it was evidence the conversation took place following the arrest of the royal editor Clive Goodman in 2006 on suspicion of phone hacking.
The colleague said: “But you know what the vital difference is you haven’t done anything yourself or from your number. That is not what Clive’s caught on, he’s fucking done it himself ...”
Edmondson replied: “ Yeah – I’ve done it myself ...”
The prosecution said that Edmondson’s name was on 334 of the 8,000 notes seized from Mulcaire’s premises linking him to the hacking of celebrities, politicians and sportspeople.
In addition to Lord Prescott, former culture secretary Tessa Jowell, and Lord Freddie Windsor, targets linked to Edmondson’s instructions to Mulcaire included Sienna Miller, her friend Archie Keswick and her former boyfriend Jude Law, and George Best’s son Callum Best, the court heard.
He also employed Mulcaire to investigate Sir Paul McCartney and Heather Mills in May 2006.
The NoW published nine articles about the couple between over one month, said Bryant Heron. “Ian Edmondson wished, unsurprisingly, to get information on the marital break-up. He employed Mulcaire to do so.”
He told the court: “There was an aggressive newsgathering culture. The end justified the means to get results, to get the story, in an extremely competitive market.”
Edmondson worked for the paper in the 1990s, and then rejoined the tabloid’s news desk in 2004, becoming news editor in 2005, a position he held until he was suspended in December 2010 and subsequently dismissed for gross misconduct in January 2011.
He was in charge when Mulcaire and the paper’s royal editor Clive Goodman were arrested in August 2006 on suspicion of hacking.
His suspension four years later came after three emails implicating him in Mulcaire’s hacking came to light. These suggested that hacking was not confined to Goodman, who the company had claimed was operating as a single “rogue reporter” and led to the launch of Operation Weeting, Scotland Yard’s phone-hacking investigation in January 2011.
They contained the mobile and pin numbers for Joan Hammell, a special adviser to Lord Prescott, former culture secretary Tessa Jowell and royal Freddie Windsor.
The jury heard that during Edmondson’s reign on the news desk the paper also hacking rival journalists on the Mail on Sunday in an attempt to discover what they knew about Prescott’s affair with his diary secretary Tracey Temple in a “dog-eat-dog” fight for stories.
After the paper hacked Temple and her ex-husband and got nowhere, the prosecution said that Edmondson then got hold of Hammell’s number and passed it to Mulcaire. Mulcaire went on to get her pin and listened to 45 messages. He then emailed Edmondson telling him: “This is how you can hack the phone so that you too can hear them”, according to emails disclosed during the trial.
“In the dog-eat-dog world of journalism, in this frenzy to get the huge story and to try to get something other than everybody else, that is what you do, we suggest, if you are Ian Edmondson – you hack the competition,” prosecutor Andrew Edis QC told jurors in his opening speech.
One defendant had claimed that hacking was so widespread that Edmondson was even accessing Coulson’s voicemail to find out which stories he favoured.
When Mulcaire’s home was raided by police in 2006, officers discovered a large cache of notes recording who had tasked him to hack phones, including “Ian”.
His decision to plead guilty means that eight of the 10 so far charged and dealt with for phone hacking at the NoW have been convicted or pleaded guilty.
Before the trial had got underway had sought disclosure of internal emails distancing himself from the work of Mulcaire.
He sought the emails to prove that he thought Mulcaire was “inefficient” and “a waste of money” and wanted him sacked and that after he arrived at NoW in November 2004 that he cut down on the cash payments.

Are Bots Hijacking Your Marketing Budget?

Editor’s note: Noam Schwartz is leading Business Development in SimilarWeb. His previous company Tapdog was acquired by SimilarWeb in the beginning of 2014.
Ad fraud is a well-known “secret” in the online marketing world, and it’s been around ever since ads have existed on the Internet. Experts estimate that for every $1 a company spends on online advertising, almost half is lost to digital ad fraud.
But in 2014, ad fraud has taken center stage. This month the Interactive Advertising Bureau (IAB) released their “Anti-Fraud Principles,” meant to reduce robotic traffic, or bots, and other forms of online traffic fraud. And earlier this year, IAB chairman and Ziff Davis CEO Vivek Shah publicly admitted that 36% of all web traffic is non-human traffic. (Other ad execs say it’s closer to 50%.)
What more, the problem seems to be growing. Last year, Google disabled ads from more than 400,000 sites hiding malware, up from 123,000 sites in 2012.

Bots, Stuffing, and Stacking Scams

So how exactly do fraudsters hijack your marketing budget? Unfortunately, there are a lot of ways to perpetrate traffic fraud, including the following:
  • Clickjacking malware. This kind of malware sends real users to websites they never planned to visit in the first place. Another method is to have bots imitate real users by “clicking” on ads or repeatedly loading a page.
  • iFrame stuffing. iFrame stuffing compresses an ad into a tiny one-by-one pixel size. The ad is served up on a site as a real ad and reported as a view, even though a real user would never be able to view such a tiny ad.
  • Ad stacking. In this type of scam, multiple ads are placed on top of each other in a single ad placement. Only the top ad is in view, but all of the ads are reported as viewed.
These kinds of traffic fraud manipulate metrics like page views and click-through rate, making cost-per-impression a dangerous pricing model for advertisers.
To get an idea of just how dangerous it can be, let’s look at one of the most elegant scams out there today, one that works using illegal bot activity. To set up the scam, a fraudster could create a magazine-style website for the sole purpose of hosting ads. Content is added automatically from content farms or copied from real publishers.
Then, the fraudster distributes malicious software (or piggybacks on existing ones), that causes the infected computers to open numerous browser windows in the background, completely hidden from the user.
The browsers are directed to the fraudster’s fake webpage and emulate human behavior by hopping from link to link, virtually moving the cursor, scrolling, and occasionally clicking on ads.
Here you can see a video of illegal bots in action:
So here’s where advertisers take a hit in the marketing budget. Let’s say that the fraudster manages to distribute malicious software to just 100,000 computers. If each of these computers opens 50 hidden browsers every day, spending 30 seconds on each page and clicking an ad once every 200 pages, the fraudster can generate 72 million fake clicks in a single day! And advertisers are paying for every one of those clicks.

Online Ads Are Easy Targets

Online advertising is a fraudster’s heaven, and even the savviest advertisers lose millions of dollars each month.
So what makes ads so easy to target?
For one thing, advertisers often have no idea fraud has even occurred. Typically, advertisers only get standard metrics on their ad campaigns, like cost per lead and conversion rate. There’s no way to detect ad fraud or to know just how much it cost you because it’s just rolled into the cost of acquiring real customers.
Also, ad networks don’t ask a lot of questions when a new ad publisher registers their site. Usually the ad network only asks for a publisher’s basic traffic, engagement, and demographic stats, and that’s it. Then the publisher gets the code that will allow them to present ads from the ad network inventory. The ad networks have nothing to lose—if the publisher generates clicks, it’s a win. If not, the ad server will push the ads elsewhere.
Finally, those same ad networks actually benefit from ad fraud. They get paid for each click or impression, regardless of whether the ad is served to a real person or a fraudulent bot. So eliminating 36-50% of those bad clicks would negatively affect their bottom line.

What Advertisers Can Do About Ad Fraud

Few substantial and scalable solutions exist for ad fraud.
Ad fraud detection companies such as Telemetry, Forensiq, White Ops, (recently acquired by Google), and SimilarWeb’s Traffic Guardian use several approaches, including comparing visit patterns with known behavior, monitoring malicious software, proxy unmasking, device verification, and manipulation recognition.
For instance, an algorithm can determine whether a website is legitimate or fraudulent by comparing the way real people are using that website to actual online behavior. Advertisers can view that data themselves, which can help them decide whether one of their publishers needs to be red-flagged, or even rejected immediately.
Unfortunately, the outcome of the online ad game will not decided by a knockout. New technologies and state-of-the-art algorithms are continually being developed both by fraudsters and those trying to fight them.
And while it’s promising that agencies and publishers have started talking about the problem, advertisers have to be involved, too. After all, they’re the ones with the most skin in the game.

JPMorgan Chase Hacking Affects 76 Million Households

The Manhattan headquarters of JPMorgan Chase, which securities filings revealed was attacked by hackers over the summer.
 A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.
“We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.
Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Jamie Dimon, chief executive of JPMorgan Chase, says that the digital threat is on the rise.Credit Richard Drew/Associated Press
Jamie Dimon, JPMorgan’s chairman and chief executive, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, “We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is “continual and likely never-ending.”
On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said “the data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger.”
Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Southern Europe, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
Beyond its disclosures, JPMorgan did not comment on what its investigation had found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission, people with knowledge of the matter said. Earlier on Thursday, some executives — Barry Sommers, the chief executive of Chase’s consumer bank — flew back to New York from Naples, Fla., where they had convened for a leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising threat of online crime, JPMorgan has said it plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon.

Botnet hits over 17,000 Mac OS X users via Reddit

Botnet hits over 17,000 Apple Mac computers running OS X
A RUSSIAN SECURITY FIRM has discovered a botnet that has hit over 17,000 Apple Mac computers, using information posted in messages on social media website Reddit to navigate.
Researchers at Russian antivirus company Dr Web said in a report that the sophisticated "multi-purpose backdoor" malware that it dubbed "Mac.Backdoor.iWorm" has infected more than 17,000 computers running Mac OS X by allowing criminals to issue commands to carry out a wide range of instructions on the infected machines.
"Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines," said Dr Web in its report. "During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically."
Compromised computers receive commands from servers under the control of botmasters using information posted in messages on Reddit as navigational aids. Then Mac.Backdoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote website to acquire a list of command and control (C&C) servers, and then connects to the remote servers and waits for instructions.
"It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at, and - as a search query - specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date," said Dr Web. "The search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd."
Security expert Graham Cluely said on his blog that while it isn't presently documented how the malware spreads, the consequences clearly can be serious.
"Like any computers that have been recruited into a botnet, Macs that have been hijacked in this attack could have information stolen from them, further malware planted upon them, or be used to spread more malware or launch spam campaigns and denial of service attacks," Cluley explained.
Security firm Lancope CTO TK Keanini added that the botnet "will begin to co-evolve as countermeasures are put in place and they engineering and innovate around them".

The internet will never be hacker free, warns DARPA

Hackers are here to stay, says DARPA
The US Defense Advanced Research Projects Agency (DARPA) has warned that users of the internet will never be fully secure.
DARPA director Arati Prabhakar made the claim during the Washington Post's Cybersecurity Summit, arguing that the only way fully to secure the internet is to seal it off and make it available only to selected people.
"The power of information technology, and the reason we put up with all these problems, is that it is phenomenally capable for all the things that change how we live and how we work and how we create national security," she said.
"You don't want to cut out any of that capability in the process of building cyber security."
Prabhakar added that, while wholly securing the internet is impossible, DARPA is working on new ways to track hackers and criminals operating on the Dark Web.
She listed the need for increased computing power and more advanced, scalable big data analytics tools as key challenges in this endeavour.
"[When searching for cyber criminals] you start by creating a different way to look at this vast information environment," she said.
"The moon shot for cyber security, in my view, is to find techniques that scale faster than the explosion in information."
Prabhakar revealed that DARPA began working on advanced big data solutions in March, and is also working on several projects designed to bolster global cyber security levels.
She highlighted a research project to create an "unhackable system" as particularly important owing to its potential application in critical infrastructure.
"What [the unhackable software project] means is there is a mathematical proof that this particular function can't be hacked from a pathway that wasn't intended," she said. "That won't solve the entire problem, but it might make it more manageable."
Attacks on critical infrastructure are a problem facing governments across the globe owing to their use of insecure SCADA systems.
These concerns peaked in September when researchers uncovered a critical bug, codenamed Shellshock, in the bash code used in Unix and Unix-like systems that could theoretically be exploited to hack SCADA systems.

Bored hackers flick Shellshock button to OFF as payloads shrink

Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug's disclosure, Akamai researchers say.
The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored with the bug.
The number of unique payloads increased from 43 on day zero to a whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753 before falling off.
The numbers demonstrated the effectiveness of Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and Ory Segal wrote in a co-authored post.
"One of the troubling aspects of the Shellshock vulnerability is the ease of exploitation, which can be seen by the dramatic increase in the number of unique payloads between the first and the second days," they said.
"The sheer number of creative payloads also demonstrates how effective and deadly this vulnerability can be – most of the scanning and exploitation process is already fully automated.
"With such a low barrier to entry, and the simplicity of writing powerful exploits, we believe that Shellshock-based attacks are going to stay around for months if not years, and will probably top the botnet infection method charts in the near future."
Two-thirds of the 22,487 unique attacking IP addresses were from the US, with Germany, Britain and seven other countries sharing the remainder.
Almost 300,000 gaming domains made up the vast majority of Shellshock targets, with consumer electronics, email marketing among the less affected industries.
More than half of all detected Shellshock probes however were illegitimate scans of the sort conducted in unpaid security research which did not involve exploitation, while about a third were legit.
Akamai found eight percent of payloads were attempts by internet idiots to exploit Shellshock to open CD trays, play audio files, and dump nonsensical payloads.
More malicious acts including Bitcoin and database stealers made up less than one percent of payloads.

Marriott fined $600k for deliberately JAMMING guests' Wi-Fi hotspots

Marriott has been fined $600,000 by the FCC for paralyzing guests' personal Wi-Fi hotspots, forcing them to use the hotel giant's expensive network instead.
The US watchdog today said the Marriott Gaylord Opryland in Nashville, Tennessee, used equipment to illegally boot hotel and convention center guests off their own networks, which were typically smartphone hotspots.
Meanwhile, Marriott managers encouraged everyone to connect to the hotel's Wi-Fi network, which cost from $250 to $1,000 to access.
According to the commission, the Gaylord Opryland installed an Allot NetEnforcer, and configured it to continually flood the surrounding ether with de-authentication packets. An attacker does not have to know a Wi-Fi network's password, or be authenticated in any way, to send a successful de-auth packet. All devices and computers that receive the management frame over the air are instructed to disassociate from their network.
Essentially, it was virtually impossible to use Wi-Fi, unless it was the Marriott's.
"It is unacceptable for any hotel to intentionally disable personal hotspots while also charging consumers and small businesses high fees to use the hotel’s own Wi-Fi network," said FCC enforcement bureau chief Travis LeBlanc.
"This practice puts consumers in the untenable position of either paying twice for the same service or forgoing internet access altogether."
The fine is part of a consent decree [PDF] Marriott has signed in order to end the watchdog's investigation into Wi-Fi jamming. Marriott has also agreed to send a report on its Wi-Fi "containment functionality" tools to the commission.
Allott Communications, which makes the NetEnforcer hardware used by Marriott, did not respond to a request for comment on the matter. It markets the devices as "purpose-built appliances for monitoring and managing data traffic on enterprise, cloud and broadband service provider networks."
Allott has boasted that it provides network services to the Gaylord Opryland as well Gaylord hotels in Florida, Texas and Maryland.
"In each of the facilities, dedicated internet service is provided by a Gigabit fiber-optic backbone with 100 megabit edge connections for meeting rooms, ballrooms and exhibit hall space," the company writes [PDF].
"Each resort provides an always-up installation that serves thousands of internet users every day of the year."
Thousands of users ... willing or not, it seems.