Tuesday, 18 February 2014

The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you

Late last week news emerged of a worm that was spreading between Linksys routers.
What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer.
And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it.
And it also means that the worm doesn’t care whether your computer is running Windows, Mac OS X, or a flavour of Unix. It’s irrelevant. Your Linksys router could still be at risk.
Because the only things that The Moon worm is interested in infecting are Linksys routers – like the one you might use to connect computers in your home or office to the internet – that suffer from an authentication bypass vulnerability.
The self-replicating worm compromises your Linksys router, without needing to know your router’s password, and then uses the device to scan for other vulnerable routers on the internet.
One consequence of this is that a lot of network traffic can be generated by the worm, slowing down internet access.
The following Linksys routers are thought to be vulnerable:
E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.
Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it “in the coming weeks”.
It is, of course, a race against time as hackers might attempt to exploit the same vulnerability for more obviously malicious purposes. There is already evidence that script kiddies have created working exploits of the vulnerability.
While a proper firmware fix is awaited, Linksys is encouraging owners of Linksys routers to update their firmware to the latest version and disable remote management.
Linksys screenshot
Hmm… wouldn’t it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?
Whatever brand of router you use in your home or small office, you should consider disabling features which might expose you to risk.
For instance, turning off remote administration and limiting access to specific trusted IP addresses can reduce the potential attack surface, and make life much harder for online criminals who may attempt to infiltrate your network.
Furthermore, always make sure you are not using the default passwords which shipped with your router.

Phony Order Faxed to Registrar Leads to Metasploit Defacement

A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today.
Metasploit creator HD Moore confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com.
“Hacking like it’s 1964,” Moore tweeted a short time ago.
The hacking group known as KDMS hijacked DNS records and replaced the two sites’ respective homepages with a note claiming responsibility for this attack and similar hacks against other security companies.
“You are one of our targets,” the group wrote. “Therefore, we are here.” The group also left a politically charged statement regarding Palestine liberation.
The DNS hijacking attack was resolved within an hour, Moore said.
“We have taken action to address the issue and both sites are now locked down,” Rapid7 said in a statement. “We apologize for the service disruption, and do not anticipate any further implications for our users and customers at this time. We will keep everyone posted as we learn more, and let the community know if any action is needed.”
Moore cautioned in another set of Twitter messages that this group has the ability to change any domain registered with Register.com. He also confirmed the Metasploit and Rapid7 DNS settings temporarily pointed to 74[.]53[.]46[.]114.
Earlier this week, KDMS claimed responsibility for a similar attack on another registrar, Network Solutions. The group was able to change the DNS records managed by Network Solutions for a number of security companies and redirect traffic to a hacker-controlled domain.
Leaseweb, a large hosting provider, disclosed on Monday that it detected malicious activity on its network and that hackers managed to redirect traffic from leaseweb.com to another domain after its DNS records were changed.
“No internal systems were compromised,” Leaseweb wrote on its blog on Monday. “One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack.”
Initially, it was believed the Leaseweb hack was related to an exploit of a WHMCS vulnerability, but Leaseweb said that was not the case.
“Right now, it appears the hijackers obtained the domain administrator password and used that information to access the registrar,” Leaseweb said.

First U.S. bitcoin ATMs to open soon in Seattle, Austin

Robocoin said on Tuesday that later this month it will install the first automated teller machines in the United States that let users buy and sell bitcoin, the latest step into the mainstream for the digital currency.
The kiosks, to be installed in Seattle, and Austin, Texas, are similar to ATMs but have scanners to read government-issued identification such as a driver's license or a passport to confirm users' identities.
The ATMs will allow people to swap bitcoin for cash, or deposit cash to buy more bitcoin by transferring funds to or from a virtual wallet on their smartphones.
Bitcoin was launched in 2008 and is traded within a global network of computers. It is not backed by a single company or government and has no assets behind it, but its release is tightly controlled, mimicking a central banking system's control over the minting of money.
Robocoin, based in Las Vegas, installed its first bitcoin ATM in Vancouver last fall and will also start operating one in Calgary, Alberta, later this month. Robocoin also is planning to install ATMs in Asia and Europe.
A bitcoin is currently worth about $636, but its value has fluctuated widely as the currency's visibility has increased. Last September, a bitcoin was worth around $150. By late December the value was near the $1,000 mark.
Users can buy products and services online on sites including Overstock.com or in a handful of stores.
The currency's reputation took a hit last week when two of its best known exchanges suspended withdrawals. One of them, Slovenia-based Bitstamp, said Friday it planned to allow redemptions to resume.

US CERT warns Operation SnowMan hackers are unstoppable

The US Computer Emergency Response Team (CERT) has said it is yet to find a way to fix or protect against the recently discovered Operation SnowMan hackers.
The Operation SnowMan campaign was uncovered by security firm FireEye last week, when researchers spotted hackers trying to infiltrate US military veterans' website VFW.org.
The attack leveraged vulnerabilities in the Microsoft.XMLDOM ActiveX control to break into systems and siphon data, as explained in the CERT advisory.
"Microsoft.XMLDOM is an ActiveX control that can run in Internet Explorer without requiring any prompting to the user. This object contains methods that can leak information about a computer system to the operator of a website.
"By looking at error codes provided by the XMLDOM ActiveX control, an attacker can check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites."
Despite being uncovered, CERT confirmed: "This vulnerability is actively being used by exploit code in the wild. We are currently unaware of a practical solution to this problem."
It is currently unclear when a patch fixing the vulnerabilities being exploited by Operation SnowMan hackers will be released, though FireEye researchers confirmed in a blog post that "Microsoft is aware and they are working on a fix ASAP".
Operation SnowMan is listed as following a similar exploit strategy to the notorious DeputyDog hack campaign. The campaign targeted public-sector organisations and companies in defence, law, IT and mining in 2013.
The campaign is one of several advanced threats discovered this year. Kaspersky's Global Research and Analysis Team (Great) uncovered dangerous advanced malware, codenamed Mask, earlier in February. The Mask campaign is believed to have infected 380 governments and businesses across 31 countries including the UK.

Snowden Documents Reveal Covert Surveillance and Pressure Tactics Aimed at WikiLeaks and Its Supporters

Top-secret documents from the National Security Agency and its British counterpart reveal for the first time how the governments of the United States and the United Kingdom targeted WikiLeaks and other activist groups with tactics ranging from covert surveillance to prosecution.
The efforts – detailed in documents provided previously by NSA whistleblower Edward Snowden – included a broad campaign of international pressure aimed not only at WikiLeaks founder Julian Assange, but at what the U.S. government calls “the human network that supports WikiLeaks.” The documents also contain internal discussions about targeting the file-sharing site Pirate Bay and hacktivist collectives such as Anonymous.
One classified document from Government Communications Headquarters, Britain’s top spy agency, shows that GCHQ used its surveillance system to secretly monitor visitors to a WikiLeaks site. By exploiting its ability to tap into the fiber-optic cables that make up the backbone of the Internet, the agency confided to allies in 2012, it was able to collect the IP addresses of visitors in real time, as well as the search terms that visitors used to reach the site from search engines like Google.
Another classified document from the U.S. intelligence community, dated August 2010, recounts how the Obama administration urged foreign allies to file criminal charges against Assange over the group’s publication of the Afghanistan war logs.
A third document, from July 2011, contains a summary of an internal discussion in which officials from two NSA offices – including the agency’s general counsel and an arm of its Threat Operations Center – considered designating WikiLeaks as “a ‘malicious foreign actor’ for the purpose of targeting.” Such a designation would have allowed the group to be targeted with extensive electronic surveillance – without the need to exclude U.S. persons from the surveillance searches.
In 2008, not long after WikiLeaks was formed, the U.S. Army prepared a report that identified the organization as an enemy, and plotted how it could be destroyed. The new documents provide a window into how the U.S. and British governments appear to have shared the view that WikiLeaks represented a serious threat, and reveal the controversial measures they were willing to take to combat it.
In a statement to The Intercept, Assange condemned what he called “the reckless and unlawful behavior of the National Security Agency” and GCHQ’s “extensive hostile monitoring of a popular publisher’s website and its readers.”
“News that the NSA planned these operations at the level of its Office of the General Counsel is especially troubling,” Assange said. “Today, we call on the White House to appoint a special prosecutor to investigate the extent of the NSA’s criminal activity against the media, including WikiLeaks, its staff, its associates and its supporters.”
Illustrating how far afield the NSA deviates from its self-proclaimed focus on terrorism and national security, the documents reveal that the agency considered using its sweeping surveillance system against Pirate Bay, which has been accused of facilitating copyright violations. The agency also approved surveillance of the foreign “branches” of hacktivist groups, mentioning Anonymous by name.
The documents call into question the Obama administration’s repeated insistence that U.S. citizens are not being caught up in the sweeping surveillance dragnet being cast by the NSA. Under the broad rationale considered by the agency, for example, any communication with a group designated as a “malicious foreign actor,” such as WikiLeaks and Anonymous, would be considered fair game for surveillance.
Julian Sanchez, a research fellow at the Cato Institute who specializes in surveillance issues, says the revelations shed a disturbing light on the NSA’s willingness to sweep up American citizens in its surveillance net.
“All the reassurances Americans heard that the broad authorities of the FISA Amendments Act could only be used to ‘target’ foreigners seem a bit more hollow,” Sanchez says, “when you realize that the ‘foreign target’ can be an entire Web site or online forum used by thousands if not millions of Americans.”

GCHQ Spies on WikiLeaks Visitors

The system used by GCHQ to monitor the WikiLeaks website – codenamed ANTICRISIS GIRL – is described in a classified PowerPoint presentation prepared by the British agency and distributed at the 2012 “SIGDEV Conference.” At the annual gathering, each member of the “Five Eyes” alliance – the United States, United Kingdom, Canada, Australia and New Zealand – describes the prior year’s surveillance successes and challenges.
In a top-secret presentation at the conference, two GCHQ spies outlined how ANTICRISIS GIRL was used to enable “targeted website monitoring” of WikiLeaks (See slides 33 and 34). The agency logged data showing hundreds of users from around the world, including the United States, as they were visiting a WikiLeaks site – contradicting claims by American officials that a deal between the U.K. and the U.S. prevents each country from spying on the other’s citizens.
The IP addresses collected by GCHQ are used to identify individual computers that connect to the Internet, and can be traced back to specific people if the IP address has not been masked using an anonymity service. If WikiLeaks or other news organizations were receiving submissions from sources through a public dropbox on their website, a system like ANTICRISIS GIRL could potentially be used to help track them down. (WikiLeaks has not operated a public dropbox since 2010, when it shut down its system in part due to security concerns over surveillance.)
In its PowerPoint presentation, GCHQ identifies its target only as “wikileaks.” One slide, displaying analytics derived from the surveillance, suggests that the site monitored was the official wikileaks.org domain. It shows that users reached the targeted site by searching for “wikileaks.org” and for “maysan uxo,” a term associated with a series of leaked Iraq war logs that are hosted on wikileaks.org.
The ANTICRISIS GIRL initiative was operated by a GCHQ unit called Global Telecoms Exploitation (GTE), which was previously reported by The Guardian to be linked to the large-scale, clandestine Internet surveillance operation run by GCHQ, codenamed TEMPORA.
Operating in the United Kingdom and from secret British eavesdropping bases in Cyprus and other countries, GCHQ conducts what it refers to as “passive” surveillance – indiscriminately intercepting massive amounts of data from Internet cables, phone networks and satellites. The GTE unit focuses on developing “pioneering collection capabilities” to exploit the stream of data gathered from the Internet.
As part of the ANTICRISIS GIRL system, the documents show, GCHQ used publicly available analytics software called Piwik to extract information from its surveillance stream, not only monitoring visits to targeted websites like WikiLeaks, but tracking the country of origin of each visitor.
It is unclear from the PowerPoint presentation whether GCHQ monitored the WikiLeaks site as part of a pilot program designed to demonstrate its capability, using only a small set of covertly collected data, or whether the agency continues to actively deploy its surveillance system to monitor visitors to WikiLeaks. It was previously reported in The Guardian that X-KEYSCORE, a comprehensive surveillance weapon used by both NSA and GCHQ, allows “an analyst to learn the IP addresses of every person who visits any website the analyst specifies.”
GCHQ refused to comment on whether ANTICRISIS GIRL is still operational. In an email citing the agency’s boilerplate response to inquiries, a spokeswoman insisted that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”
But privacy advocates question such assurances. “How could targeting an entire website’s user base be necessary or proportionate?” says Gus Hosein, executive director of the London-based human rights group Privacy International. “These are innocent people who are turned into suspects based on their reading habits. Surely becoming a target of a state’s intelligence and security apparatus should require more than a mere click on a link.”
The agency’s covert targeting of WikiLeaks, Hosein adds, calls into question the entire legal rationale underpinning the state’s system of surveillance. “We may be tempted to see GCHQ as a rogue agency, ungoverned in its use of unprecedented powers generated by new technologies,” he says. “But GCHQ’s actions are authorized by [government] ministers. The fact that ministers are ordering the monitoring of political interests of Internet users shows a systemic failure in the rule of law.”

Going After Assange and His Supporters

The U.S. attempt to pressure other nations to prosecute Assange is recounted in a file that the intelligence community calls its “Manhunting Timeline.” The document details, on a country-by-country basis, efforts by the U.S. government and its allies to locate, prosecute, capture or kill alleged terrorists, drug traffickers, Palestinian leaders and others. There is a timeline for each year from 2008 to 2012.
An entry from August 2010 – headlined “United States, Australia, Great Britain, Germany, Iceland” – states: “The United States on August 10 urged other nations with forces in Afghanistan, including Australia, United Kingdom, and Germany, to consider filing criminal charges against Julian Assange.” It describes Assange as the “founder of the rogue Wikileaks Internet website and responsible for the unauthorized publication of over 70,000 classified documents covering the war in Afghanistan.”
In response to questions from The Intercept, the NSA suggested that the entry is “a summary derived from a 2010 article” in the Daily Beast. That article, which cited an anonymous U.S. official, reported that “the Obama administration is pressing Britain, Germany, Australia, and other allied Western governments to consider opening criminal investigations of WikiLeaks founder Julian Assange and to severely limit his nomadic travels across international borders.”
The government entry in the “Manhunting Timeline” adds Iceland to the list of Western nations that were pressured, and suggests that the push to prosecute Assange is part of a broader campaign. The effort, it explains, “exemplifies the start of an international effort to focus the legal element of national power upon non-state actor Assange, and the human network that supports WikiLeaks.” The entry does not specify how broadly the government defines that “human network,” which could potentially include thousands of volunteers, donors and journalists, as well as people who simply spoke out in defense of WikiLeaks.
In a statement, the NSA declined to comment on the documents or its targeting of activist groups, noting only that the agency “provides numerous opportunities and forums for their analysts to explore hypothetical or actual circumstances to gain appropriate advice on the exercise of their authorities within the Constitution and the law, and to share that advice appropriately.”
But the entry aimed at WikiLeaks comes from credentialed officials within the intelligence community. In an interview in Hong Kong last June, Edward Snowden made clear that the only NSA officials empowered to write such entries are those “with top-secret clearance and public key infrastructure certificates” – a kind of digital ID card enabling unique access to certain parts of the agency’s system. What’s more, Snowden added, the entries are “peer reviewed” – and every edit made is recorded by the system.
The U.S. launched its pressure campaign against WikiLeaks less than a week after the group began publishing the Afghanistan war logs on July 25, 2010. At the time, top U.S. national security officials accused WikiLeaks of having “blood” on its hands. But several months later, McClatchy reported that “U.S. officials concede that they have no evidence to date that the documents led to anyone’s death.”
The government targeting of WikiLeaks nonetheless continued. In April 2011, Salon reported that a grand jury in Virginia was actively investigating both the group and Assange on possible criminal charges under espionage statutes relating to the publication of classified documents. And in August of 2012, the Sydney Morning Herald, citing secret Australian diplomatic cables, reported that “Australian diplomats have no doubt the United States is still gunning for Julian Assange” and that “Australia’s diplomatic service takes seriously the likelihood that Assange will eventually be extradited to the US on charges arising from WikiLeaks obtaining leaked US military and diplomatic documents.”
Bringing criminal charges against WikiLeaks or Assange for publishing classified documents would be highly controversial – especially since the group partnered with newspapers like The Guardian and The New York Times to make the war logs public. “The biggest challenge to the press today is the threatened prosecution of WikiLeaks, and it’s absolutely frightening,” James Goodale, who served as chief counsel of the Times during its battle to publish The Pentagon Papers, told the Columbia Journalism Review last March. “If you go after the WikiLeaks criminally, you go after the Times. That’s the criminalization of the whole process.”
In November 2013, The Washington Post, citing anonymous officials, reported that the Justice Department strongly considered prosecuting Assange, but concluded it “could not do so without also prosecuting U.S. news organizations and journalists” who had partnered with WikiLeaks to publish the documents. According to the Post, officials “realized that they have what they described as a ‘New York Times problem’” – namely, that any theory used to bring charges against Assange would also result in criminal liability for the Times, The Guardian, and other papers which also published secret documents provided to WikiLeaks.

NSA proposals to target WikiLeaks

As the new NSA documents make clear, however, the U.S. government did more than attempt to engineer the prosecution of Assange. NSA analysts also considered designating WikiLeaks as a “malicious foreign actor” for surveillance purposes – a move that would have significantly expanded the agency’s ability to subject the group’s officials and supporters to extensive surveillance.
Such a designation would allow WikiLeaks to be targeted with surveillance without the use of “defeats” – an agency term for technical mechanisms to shield the communications of U.S. persons from getting caught in the dragnet.
That top-secret document – which summarizes a discussion between the NSA’s Office of the General Counsel and the Oversight and Compliance Office of the agency’s Threat Operations Center – spells out a rationale for including American citizens in the surveillance:
“If the foreign IP is consistently associated with malicious cyber activity against the U.S., so, tied to a foreign individual or organization known to direct malicious activity our way, then there is no need to defeat any to, from, or about U.S. Persons. This is based on the description that one end of the communication would always be this suspect foreign IP, and so therefore any U.S. Person communicant would be incidental to the foreign intelligence task.”
In short, labeling WikiLeaks a “malicious foreign target” would mean that anyone communicating with the organization for any reason – including American citizens – could have their communications subjected to government surveillance.
When NSA officials are asked in the document if WikiLeaks or Pirate Bay could be designated as “malicious foreign actors,” the reply is inconclusive: “Let us get back to you.” There is no indication of whether either group was ever designated or targeted in such a way.
The NSA’s lawyers did, however, give the green light to subject other activists to heightened surveillance. Asked if it would be permissible to “target the foreign actors of a loosely coupled group of hackers … such as with Anonymous,” the response is unequivocal: “As long as they are foreign individuals outside of the US and do not hold dual citizenship … then you are okay.”

NSA Lawyers: “It’s Nothing to Worry About”

Sanchez, the surveillance expert with the Cato Institute, says the document serves as “a reminder that NSA essentially has carte blanche to spy on non-Americans. In public statements, intelligence officials always talk about spying on ‘terrorists,’ as if those are the only targets — but Section 702 [of the 2008 FISA Amendments Act] doesn’t say anything about ‘terrorists.’ They can authorize collection on any ‘persons reasonably believed to be [located] outside the United States,’ with ‘persons’ including pretty much any kind of group not ‘substantially’ composed of Americans.”
Sanchez notes that while it makes sense to subject some full-scale cyber-attacks to government surveillance, “it would make no sense to lump together foreign cyberattackers with sites voluntarily visited by enormous numbers of Americans, like Pirate Bay or WikiLeaks.”
Indeed, one entry in the NSA document expressly authorizes the targeting of a “malicious” foreign server – offering Pirate Bay as a specific example – “even if there is a possibility that U.S. persons could be using it as well.” NSA officials agree that there is no need to exclude Americans from the surveillance, suggesting only that the agency’s spies “try to minimize” how many U.S. citizens are caught in the dragnet.
Another entry even raises the possibility of using X-KEYSCORE, one of the agency’s most comprehensive surveillance programs, to target communications between two U.S.-based Internet addresses if they are operating through a “proxy” being used for “malicious foreign activity.” In response, the NSA’s Threat Operations Center approves the targeting, but the agency’s general counsel requests “further clarification before signing off.”
If WikiLeaks were improperly targeted, or if a U.S. citizen were swept up in the NSA’s surveillance net without authorization, the agency’s attitude seems to be one of indifference. According to the document – which quotes a response by the NSA’s Office of General Counsel and the oversight and compliance office of its Threat Operations Center – discovering that an American has been selected for surveillance must be mentioned in a quarterly report, “but it’s nothing to worry about.”
The attempt to target WikiLeaks and its broad network of supporters drew sharp criticism from the group and its allies. “These documents demonstrate that the political persecution of WikiLeaks is very much alive,” says Baltasar Garzón, the Spanish former judge who now represents the group. “The paradox is that Julian Assange and the WikiLeaks organization are being treated as a threat instead of what they are: a journalist and a media organization that are exercising their fundamental right to receive and impart information in its original form, free from omission and censorship, free from partisan interests, free from economic or political pressure.”
For his part, Assange remains defiant. “The NSA and its U.K. accomplices show no respect for the rule of law,” he told The Intercept. “But there is a cost to conducting illicit actions against a media organization.” Referring to a criminal complaint that the group filed last year against “interference with our journalistic work in Europe,” Assange warned that “no entity, including the NSA, should be permitted to act against a journalist with impunity.”
Assange indicated that in light of the new documents, the group may take further legal action.
“We have instructed our general counsel, Judge Baltasar Garzón, to prepare the appropriate response,” he said. “The investigations into attempts to interfere with WikiLeaks’ work will go wherever they need to go. Make no mistake: those responsible will be held to account and brought to justice.”

Belkin WeMo smart home networks in danger of hacks

Smart home networks are rapidly gaining popularity, but some security experts worry that not enough encryption controls are coming with the products.
Security firm IOActive released an advisory (PDF) on Tuesday saying more than half a million Belkin WeMo devices are susceptible to widespread hacks. The firm uncovered several vulnerabilities in these devices, which would let hackers gain access to home networks and remotely control Internet-connected appliances.
The hacks could range from a mean-spirited prank to actually posing a danger. For example, they could be as benign as turning someone's house lights on and off, or as dangerous as getting a fire started.
Many of Belkin's WeMo home automation products let users build their own smart home solutions by adding Internet connectivity to any device -- like sprinkler systems, thermostats, and antennas. Once connected, users can control their appliances with a smartphone from anywhere in the world.
However, hackers could also get into these networks, warns IOActive. The vulnerabilities found by the firm would let hackers remotely control and monitor home networks, as well as perform malicious firmware updates and gain access to other devices, like laptops and smartphones.
According to IOActive, the vulnerabilities would let hackers impersonate Belkin's encryption keys and cloud services to "push malicious firmware updates and capture credentials at the same time."

As long as Belkin doesn't patch these vulnerabilities, IOActive recommends that users refrain from using the WeMo devices. The firm has worked with the US government's Community Emergency Response Team (CERT) on these recommendations and CERT issued its own advisory on Tuesday. "As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles," IOActive's principal research scientist Mike Davis said in a statement. "This mitigates their customer's exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home."

Asus router vulnerabilities go unfixed despite reports

It may be news to you that some Asus wireless routers leave your computer and networked drives open to hackers, but Asus has known about the problems for months, reports indicate.
The vulnerabilities make it possible for hackers to access directories on networked drives using Asus' proprietary AiCloud option. Enabling features such as "Cloud Disk," "Smart Access," and "Smart Sync" appears to enable the vulnerability, security researcher Kyle Lovett told Ars Technica.

Enabling the file-sharing tool Samba in the router also exposes the vulnerability to hackers.
Lovett told CNET that, following his report in June of a related vulnerability that exposes hard drives of computers connected to the affected Asus routers, he reported the newer flaw to Asus representative Nick Mijuskovic in both September and November, to no avail.
"I only received a reply of we'll look into it," Lovett wrote in an e-mail.
Asus did not immediately respond when asked for comment. CNET will update the story when we hear back from the company.
Two weeks ago, suspected hackers posted a list of more than 13,000 IP addresses gleaned from vulnerable Asus routers.
The vulnerability affects nearly a dozen Asus routers, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Apparently, Asus has released a firmware update that patches the vulnerabilities, but owners of those routers will have to manually install the update by going to the Asus site and following their instructions.
Jacob Holcomb, a security researcher at Independent Security Evaluators who uncovered widespread Wi-Fi router vulnerabilities first reported by CNET last year, said that the prevention of these kinds of attacks depends on the router vendor, and not the end user.
"These types of attacks could be prevented if security was a higher priority in the router manufacturers' software development life cycle," Holcomb said. "At the end of the day, this is just the tip of the iceberg; with the amount of vulnerable network hardware comprising the internet infrastructure, people should count on more large scale attacks."
Both Holcomb and Lovett pointed to ongoing problems with routers. Linksys, for example, has struggled with vulnerabilities beyond the self-replicating malware afflicting some of its Wi-Fi routers.
Since last year, Wi-Fi routers have found themselves in the cross-hairs of researchers becoming increasingly aware of their inherent weaknesses.
These security problems with home wireless routers -- devices specifically designed to connect the Internet to your phone, tablet, and computer -- underscore the difficulty that makers of devices just now gaining Internet connectivity will face in keeping hackers out of their connected home products in the years ahead.

AT&T reports more than 300,000 data requests in 2013

AT&T is the latest carrier to share data on government requests for its information, and once again, the sheer amount of requests is staggering.
AT&T revealed Tuesday that it received nearly 302,000 data requests in 2013 relating to criminal and civil cases. The demands -- made by federal, state, and local authorities -- include more than 248,000 subpoenas, nearly 37,000 court orders, and more than 16,000 search warrants. In 17,000 cases, AT&T provided no or partial data in response to those demands.
In addition to court-related demands, AT&T was also asked nearly 38,000 times last year to share both real-time and historical locations of its customers, while another 94,000 requests were considered "emergency" in nature. Just 22 demands were placed on AT&T by international agencies.
The report underscores a similar finding from AT&T's chief competitor Verizon Wireless. That company revealed last month that it received more than 320,000 data requests, including 164,000 subpoenas and nearly 71,000 legal orders.
Perhaps the big issue on the minds of US citizens, however, is the nature of demands made under the banner of national security. Given the rash of news surrounding Edward Snowden's leaks and claims that the US government has obtained information for the purposes of intelligence, many have a short fuse as it relates to national security requests.
According to AT&T, it received between 2,000 and 2,999 national security letters last year from the US government, requesting access on between 4,000 and 4,999 customer accounts. During the first six months of 2013, total content demands under the auspices of the Foreign Intelligence Surveillance Act stood at between 0 and 999, while customer account information requests were between 35,000 and 35,999.
As it did with Verizon, the federal government banned AT&T from providing exact numbers on FISA and national security demands -- a move that has angered many major technology companies (such as Google and Yahoo) that have urged the US to allow them to release more information.
So far, it doesn't appear the US government is willing to let that happen.

Government hacking needs to be addressed, Yale panel says

Sophisticated computer hacking software is finding its way to law enforcement agencies around the world, and neither the courts nor Congress is ready to handle the consequences, a Yale University panel said Tuesday.
It’s the sort of technology that can infect laptops, activate personal webcams and extract data from cellphones and tablets. Yet according to experts, it is not known how many law enforcement agencies have the software, how many times they’ve used it and whether or not such actions are constitutional.
“We don’t have a secure Internet, and I think we need one,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The multi-panel conference looked at the history of hacking technology, its current use by police and government groups and the legal implications. Wall Street Journal reporter Jennifer Valentino-Devries moderated the event.
Texas magistrate Judge Steve Smith told of a search warrant application for police hacking he received recently. It involved a person suspected of obtaining the password for another person’s bank card.
Investigators wanted to install “data extraction software” that would search through all the data stored on a particular computer and activate its webcam so investigators could take a photo of the computer’s user.
The problem, Smith said, was that investigators didn’t know the identity of the computer’s owner and didn’t know where the computer was located. Smith turned down the warrant request.
Georgetown University Law Center professor Laura Donahue said at least four FBI units, as well as the ATF and NSA, are using computer hacking tools. She’s identified dozens of law enforcement hacking cases around the country, from California to New York — many of them sealed from public scrutiny.
“These obviously raise Fourth Amendment concerns,” Donahue said. Often, hacking warrants seek to sift through someone’s computer for up to a month, searching for proof of criminal activity.
But Donahue and other panelists said the potential for abuse is high. What if the computer is located at an Internet cafe, a public library or a university? Do you search the activity of every person who used that computer? What if the hacking virus infects other computers in a network?
“These law enforcement techniques are stretching the bounds of statutory language and Congressional oversight,” said Stephanie Pell, a former national security prosecutor. This is particularly true when hacking software allows law enforcement to bypass Internet service providers to get at data.
“When government is accessing information directly, it is doing it invisibly,” Pell said.
There also is some question about whether evidence gathered through law enforcement hacking is always accurate. Panelists said the hacking technology sometimes provides a “back door” for other parties to manipulate the data being extracted, for example.
Such vulnerability is rampant throughout the spectrum of personal digital products, according to Matt Blaze, a computer security expert from the University of Pennsylvania.
“I have no idea how to defend these devices against outside attack,” Blaze said of cellphones.
Soghoian agreed. “Phones are just a disaster,” he said.
Meanwhile, politicians and the judiciary are struggling with the problem. As Judge Smith noted, secrecy at all levels tends to keep the issue hidden from view.
“It’s difficult for me to find out what’s going on in another district,” he said. “We’re basically crying out for authority. Tell us what to do.”

Sands: Hacking Went Further Than Email, Websites

Casino giant Las Vegas Sands Corp. said Tuesday that hacking into their websites and internal systems last week went deeper than the company had previously known.
All of the Las Vegas-based company's sites were down for six days after hackers posted images apparently condemning comments CEO Sheldon Adelson made about using nuclear weapons on Iran.
Sands said hackers crashed its email system and stole employees' Social Security numbers.
But a video posted online appears to catalog stolen information that goes much further.
Sands spokesman Ron Reese said the company is reviewing the 11-minute video that appears to show dozens of administrator passwords, including passwords for slot machine systems and player information at Sands' Bethlehem, Pa. casino. It also shows employee files and a diagram of the company's internal networks. He said the company did not know about the additional incursions until it started investigating the video.
"We have now determined that the hackers reached at least some of the company's internal drives in the US containing some office productivity information made up largely of documents and spreadsheets," he said in a statement. "We have seen the video and are continuing to investigate what, if any, customer or additional employee data may have been compromised as part of the hacking."
The FBI, Secret Service and Nevada Gaming Control Board are investigating the hacking. Neither of the federal agencies would comment on the matter, and Control Board Chairman A.G. Burnett also declined to comment, saying he had not yet seen the video.
A person using the name Zhao Anderson sent the video to The Associated Press on Monday by email, and it was also posted on YouTube by a person using the same name. The AP could not verify the person's identity, or the information contained in the email.
Reese declined to say whether Sands had changed its administrative passwords in response to the hacking.
The hacking affected Sands' corporate website, as well as the sites for casinos in Las Vegas, China, Singapore, and Bethlehem, Pa. Sands restored the websites Monday afternoon, though not exactly as they were before the attack.
Adelson is an outspoken supporter of Israel and a generous donor to U.S. Republican Party campaigns. He spoke in October about dropping a nuclear bomb on Iran, saying strength was the only thing the country understands.
The hackers at one point referred to themselves as the "Anti WMD Team." Cybersecurity experts say it could have taken several months for so-called "hacktivists" to complete an attack on Sands' networks.
Sands, which is the world's largest casino company in terms of revenue, also owns the world's largest casino, in the Chinese gambling enclave of Macau. The company's net income was $2.31 billion last year.
Sands has not said what effect the hacking attack has had on the company's bottom line. Sands has said it has been able to continue booking visitors by telephone.
Since the hacking became public last Tuesday, Sands stock has risen about 3.7 percent to $80.69.

US CERT warns Operation SnowMan hackers are unstoppable

The US Computer Emergency Response Team (CERT) has said it is yet to find a way to fix or protect against the recently discovered Operation SnowMan hackers.
The Operation SnowMan campaign was uncovered by security firm FireEye last week, when researchers spotted hackers trying to infiltrate US military veterans' website VFW.org.
The attack leveraged vulnerabilities in the Microsoft.XMLDOM ActiveX control to break into systems and siphon data, as explained in the CERT advisory.
"Microsoft.XMLDOM is an ActiveX control that can run in Internet Explorer without requiring any prompting to the user. This object contains methods that can leak information about a computer system to the operator of a website.
"By looking at error codes provided by the XMLDOM ActiveX control, an attacker can check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites."
Despite being uncovered, CERT confirmed: "This vulnerability is actively being used by exploit code in the wild. We are currently unaware of a practical solution to this problem."
It is currently unclear when a patch fixing the vulnerabilities being exploited by Operation SnowMan hackers will be released, though FireEye researchers confirmed in a blog post that "Microsoft is aware and they are working on a fix ASAP".
Operation SnowMan is listed as following a similar exploit strategy to the notorious DeputyDog hack campaign. The campaign targeted public-sector organisations and companies in defence, law, IT and mining in 2013.
The campaign is one of several advanced threats discovered this year. Kaspersky's Global Research and Analysis Team (Great) uncovered dangerous advanced malware, codenamed Mask, earlier in February. The Mask campaign is believed to have infected 380 governments and businesses across 31 countries including the UK.

FTL: Advanced Edition's Clone Bay, hacking system detailed

Subset Games' free expansion for FTL: Faster Than Light, FTL: Advanced Edition, will feature new systems and subsystems such as the Clone Bay, hacking and mind control, the developer announced via the game's official website.
FTL: Advanced Edition, announced alongside the iPad port of the full game, will include only eight systems installed on one ship at a time. According to a post from Justin Ma, this requires players to prioritize which systems will "work the best for your current strategy."
One of the game's new systems, the Clone Bay, acts as an alternative to the MedBay by allowing players to replace a dead crew member without losing some skills.
"The goal of the Clone Bay was to really disrupt the core way you play the game," Ma wrote. "You'll be able to send crew off into dangerous situations without fear of death. Giant alien spiders will no longer be the terrifying, unstoppable force that you're used to, since the system can simply revive your crew after the event. But, if a stray missile takes out the system mid-clone, you'll find death can still be quite permanent. And you probably shouldn't let your crew ponder too long on the fate of their previous iterations."
The expansion will also include hacking drones players can use to target a specific system on enemy vessels. Weapons that are hacked, for example, will lose their charge immediately and be delayed from firing.
Other systems include Mind Control, which turns one enemy into an ally, and a Backup Battery for extra power.
Last month, Subset Games announced that the upcoming expansion would feature a new alien race of metallic scavengers known as The Lanius. FTL: Advanced Edition is slated for launch this year. Those who own the game on Linux, Mac or Windows PC will be able to pick up the expansion for free, while the iPad port with updated content will be available as a separate purchase.

Merkel and Hollande to talk about avoiding US servers

German Chancellor Angela Merkel and French President François Hollande will discuss this week how Europe can keep email traffic away from U.S. servers.
Merkel is planning to discuss this issue when she meets her French colleague on Wednesday, she said in a weekly podcast.
"We will talk with France about how we can maintain a high level of data protection. Above all, we will discuss which European providers we have who offer security to citizens. So that you don't have to cross the Atlantic with emails and other things, but also can build up communication networks within Europe," Merkel said Saturday.
The talks come in the wake of the revelations about the surveillance programs of the U.S. National Security Agency (NSA). The agency allegedly monitored phone calls and emails from millions of people including German citizens, while it also allegedly spied on Merkel's phone.
Meanwhile, the German federal prosecutor is considering starting a formal investigation into Germany's part in the NSA affair. The German government, including Merkel, is targeted in a criminal complaint filed by human rights groups in Germany for allegedly aiding the NSA in its spying efforts.
During the podcast, Merkel also discussed data protection issues with Google that have been going on for years in Europe.
In the latest development, on Friday the company published commitments to settle an E.U. antitrust case that was started in 2010.
Over the last couple of years there have also been privacy and data protection issues with other big tech companies, like Facebook for instance, in several E.U. countries, including Germany.
"We need to do more for data protection in Europe, that is indisputable," Merkel said when asked if she thought that a German/French or European data protection network could mitigate privacy troubles with big tech companies.
At the moment there are negotiations for a uniform data protection standard in Europe, Merkel said. However, such a standard is not easy to negotiate because some countries have less stringent data protection than Germany, she added.
"And we don't want our data protection weakened," Merkel said. On the other hand, if there is no E.U.-wide data protection regime, companies like Google and Facebook can settle where the data protection level is lowest, she said.

Chip Shop Awards gets hacked by entrant in 'Best use of hacking for self-promotion' category

It is one of the novelties of the Chip Shop Awards that entrants can invent their own categories. But when one agency submitted an ad named ‘Hacker’ into the category of ‘Best use of hacking for self-promotion’, the organisers probably should have sensed danger.
Fast forward 24 hours and the agency in question had breached the Chip Shop Awards’ defences, hacked into the voting system and racked up more than 30,000 votes for their entry to be Ad of the Month. A brilliant – if extremely dicey – demonstration of how to marry medium with message.
The hack was the brainchild of Sheffield agency The Black Eye Project, whose partner Jim Lobley has been kept busy this morning dealing with the Twitter storm from other entrants unimpressed by their illicit tactics.
He told The Drum: “It was just a bit of fun really. We’ve wound some snotty nosed kids up.
“By putting the code on the ad we tried to make sure that it was fair to everybody. We gave them the means to do it themselves but no one picked up on that.
“It was one of our coders who saw a hole in the code and decided to exploit it.
“It’s just a different format. We always try not to do knob gags. We haven’t created any Mugabe vote rigging of epic proportions. The majority of people have enjoyed it.
“It was poignant that we’ve done it in the Chip Shops.”
Having since closed the loophole, a Chip Shop Awards spokesperson explained that The Black Eye Project’s illegitimate votes would not count in the final tally.
They said: "In any other industry awards the organisers would be thoroughly hacked off and the culprits would get an instant DQ. But the Chip Shops isn't like any other awards scheme.
"While we wouldn't want to encourage other hackers, we preach creativity without limits so we have to take our hats off to The Black Eye Project for their sheer audacity.
"To reassure entrants, the vote count on the website is only a visual representation of a vote. In the interests of fairness, only genuine social media shares are counted by the CSA voting system and invalid votes are disregarded overnight, so the real total hasn’t been rigged."
The Chip Shop Awards is open for entries until Friday 14 March.