Friday, 21 March 2014

Banks race to update Windows XP ATMs as support deadline looms

Some of the UK's biggest banks are feeling the effects of the Windows XP support cut-off date, rushing to update cash machines and put in place new contracts with Microsoft as the 8 April deadline nears.
According to a report from Reuters, some banks are facing a bill of up to £60m to overhaul their networks of ATMs. Cash machine operators have a choice as to how they handle the deadline: some are taking the opportunity to upgrade to Windows 7, while others are simply extending support contracts with Microsoft or third-party firms.
Many operators will have extra time to handle the change, as Microsoft had already extended support for Windows XP Embedded, the embedded variant of XP found in many ATMs and point-of-sale terminals, until January 2016.
Link, the company which provides the back-end systems for the UK's ATM network, said in a statement to V3 that while it did not operate any machines directly, it had been working closely with the banks in question to ensure the machines would continue to work reliably and securely.
A spokeswoman for the company said: "All Link members have fully considered, and have plans in place for dealing with the withdrawal of Windows XP support. Most will migrate to Windows 7-based ATMs, either through upgrading existing machines or replacing existing ATMs with new, Windows 7-based devices."
She added that the majority of these upgrades would take place during 2014 and 2015. "During this migration period, ATM operators will mitigate any additional risk through the use of third-party security software and/or by purchasing extended Windows XP support."
According to Reuters, RBS is beginning to upgrade its machines to Windows 7, a process it expects to take three years. Lloyds, meanwhile, has extended its support contract with Microsoft to 2016 while it updates 6,000 units. Barclays is still negotiating a deal, while Santander and HSBC already have agreements in place with Microsoft.
Last week, V3 revealed that many cyber criminals are stockpiling XP exploits for use once the support deadline passes, with many organisations fearing a fresh onslaught of malware.

Hackers hit financial sector with evolved WinSpy Windows and Android RAT

Security firm FireEye has uncovered a newly evolved version of the notorious WinSpy remote administration tool (RAT), which now ships with components for both Windows and Android systems.
FireEye researchers uncovered the campaign while investigating an attack on an unnamed US financial institution, they reported in a blog post.
"FireEye recently observed a targeted attack on a US-based financial institution via spear-phishing email. In the process of investigating the Windows modules for WinSpy we also discovered various Android components that can be employed to engage in surveillance of a target," read the post.
"We have found three different applications that are a part of the surveillance package. One of the applications requires commandeering via a Windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device."
Senior threat intelligence researcher Nart Villeneuve told V3 the combination of Android and Windows components could be used by hackers for a variety of purposes.
"The attacker has the capability to drop and run additional payloads, exfiltrate sensitive data such as account credentials and intellectual property, move laterally across the network as well as surveil the victim by enabling various connected peripherals such as webcams and microphones," he said.
"The data exfiltration component was particularly interesting in this case as the data is stored on a shared command-and-control server offered by the author of the RAT, which provides another level of deniability and anonymity for the attacker."
He added that the attack's focus on targeting both Android and Windows is atypical. "I haven't seen any other RATs that have both Windows and Android capabilities. We have seen Android RATs and Windows RATs, but not the combination of both of them," he said.
Villeneuve said the variant is being traded online and will likely be used to target European businesses in the near future. "The RAT can be purchased online, so it can be used by a variety of attackers. If the RAT's popularity increases, we could see it used in more attacks," he said.
The FireEye researchers said the attack is part of a wider shift within cybercrime communities to adjust their campaigns to target Android. "With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms," read the post.
FireEye is one of many security companies to report a marked rise in the number and sophistication of attacks targeting Android. Security firm McAfee reported detecting a spike in mobile malware levels in its McAfee Labs Threats Report: Fourth Quarter 2013 earlier in March.

Nato websites overwhelmed by Ukrainian hacktivists' DDoS attack

Several websites run by the Nato alliance have been knocked offline following a cyber attack from a pro-Ukrainian hacktivist group.
A group known as Cyber Berkut claimed responsibility and was able to take down multiple Nato sites, including its main website, using a distributed denial of service (DDoS) attack. The attack took place on the eve of a vote in Crimea, which favoured the region leaving Ukraine and joining Russia.
Cyber Berkut took issue with Nato forces occupying areas of Ukraine, accusing them of spreading propaganda through the media and social networks. The group has also worked to block multiple news websites in the region, which it said are guilty of "double standards".
In a post on its website, Cyber Berkut said the ease by which it was able to take down three Nato websites reflected badly on the alliance's other operations: "If Nato cannot protect their resources, the protection of personal data of ordinary Europeans cannot be considered," it said.
Nato said that no other systems had been affected and that the integrity of the alliance's data remained secure.
DDoS attacks are often the easiest way for smaller groups to make their presence felt quickly: botnets of hijacked computers send a barrage of requests to web servers, which are frequently not provisioned for that volume of traffic and buckle under the strain.
Last year, Nato announced plans to create new teams of elite cyber defence experts intended to deal with highly sophisticated threats, but has seemingly been unable to defend its own websites this time round.

Student wins 2014 Cyber Security Challenge as UK seeks top IT talent

The Cyber Security Challenge has crowned 19-year-old student William Shackleton its latest champion, after he beat 41 competitors at the Masterclass Final.
The final challenge was developed by cyber security experts from BT, the Government Communications Headquarters (GCHQ), the National Crime Agency (NCA), Juniper Networks and Lockheed Martin. Finalists competed to defend the City of London from a simulated cyber attack.
As the winner, Shackleton will be offered a choice of £100,000 worth of career-enhancing prizes including training courses, access to industry events and opportunities for paid internships and university bursaries.
Shackleton is the third individual to win the competition since the Cyber Security Challenge began operating in 2010. UK chemist Stephen Miller won the previous Cyber Security Challenge.
The Cyber Security Challenge is one of many government-sponsored initiatives designed to help increase the number of people entering the information security industry. Shackleton praised the challenge, listing it as an effective way to get young people such as himself interested in a career in security.
"I never considered a career in cyber security before taking part in the Challenge, but playing their competitions and meeting the industry leaders has shown me there are exciting jobs which need filling," he said.
"I'm convinced security is an area I want to pursue and I can't wait to take what I have learnt from the Challenge into my university studies and summer internship, and eventually into a job where I can do this stuff for real."
The news comes amid a reported UK cyber skills drought. Numerous government agencies and private sector firms have reported difficulties recruiting skilled cyber security professionals. In October last year the National Crime Agency pledged to train 400 new cyber intelligence officers over the following year to help plug the gap.
National cybercrime capabilities manager at the NCA, Kevin Williams, said the Cyber Security Challenge was a key initiative to spot undiscovered talent during its recruitment drive.
"Events such as the Cyber Security Challenge provide a fantastic opportunity for us to not only test the skills of those taking part but also provide them with pathways which allow them to exploit their sought-after cyber skills," he said.
"As we modernise our workforce by welcoming new people and new ideas into the NCA, we want roles at the agency to be the career of choice for people wanting a future in tackling cybercrime and, more broadly, in law enforcement."
Cabinet Office minister with responsibility for the UK Cyber Security Strategy Francis Maude mirrored Williams' argument. "To get ahead in the global race we need more people with the skills and abilities to protect businesses and meet the challenges of the future.
"The Cyber Security Challenge encourages talented people into cyber security careers, bringing together industry, security services and law enforcement to develop cyber battle competitions."
Registrations for the next Cyber Security Challenge are open now. Entrants will have to mitigate attacks from a new multi-threat opponent codenamed The Flag Day Associates.

Hackers hit Unix servers to send 35 million spam messages a day

A criminal group has seized control of 25,000 Unix servers since 2011, forcing them to send out more than 35 million malware-laden spam messages per day, according to security researchers at ESET.
ESET uncovered the campaign, which it codenamed Operation Windigo, during a joint operation with Germany's CERT-Bund computer emergency response team and the Swedish National Infrastructure for Computing (SNIC).
The attack reportedly used malware built for Unix-like servers. It let the hackers take control of the servers and use the websites hosted on them to infect visitors with data-stealing code. The cPanel and Linux Foundation sites are among the confirmed victims of the Windigo hackers.
ESET security researcher Marc-Étienne Léveillé said: "Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control.
"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Léveillé added that the malware serves different content depending on the visitor's platform. Sites under Windigo's command reportedly only attempt to infect Windows machines, redirecting Mac users to non-malicious dating sites and iPhone users to pornographic webpages instead.
Léveillé said the advanced nature of the malware means victims will have to wipe infected systems and reinstall their operating systems and software from scratch.
"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," he said.
"Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line."
Using legitimate websites to spread malware is an increasingly common tactic within cyber criminal groups. Researchers at security firm Sucuri uncovered a similar campaign that had hijacked more than 162,000 legitimate WordPress sites earlier in March.

Hackers besiege PHP sites with 30,000 attacks hitting patched exploit

Malware cyber criminal
The number of attacks targeting PHP sites through a known vulnerability has skyrocketed over the past six months, despite a patch having been available since May 2012.
Security firm Imperva reported detecting a marked increase in the number of attacks targeting a vulnerability in PHP, which was patched in May 2012, in its Threat Advisory: PHP-CGI white paper.
"In October 2013, a public exploit for PHP was disclosed. The exploit uses a vulnerability found in May 2012 and categorised as CVE-2012-1823," read the report.
"Soon after the exploit was released, our honeypots detected web servers being attacked with this exploit in different flavours. In the first three weeks following the publication we were able to record as many as 30,000 attack campaigns using the exploit."
PHP is a server-side scripting language used by around 82 percent of the world's websites. The Imperva researchers said that since the exploit was published, attacks using it have also grown more sophisticated.
"In previous cases, the attack relied on the server configuration to redirect all PHP files to PHP CGI and thus making it vulnerable to code leakage, code execution and more. The new attack however, tries to access the PHP CGI directly and hence must use the exact location of the PHP CGI executable," read the report.
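The two access paths the report describes can be told apart in ordinary web server logs. What follows is an added example, not code from Imperva or from the PHP project: a Python detector that applies the rule php-cgi itself followed (a query string containing no unencoded "=" is treated as command-line arguments, split on "+" and percent-decoded, which is why the exploit encodes "=" as %3d) to Apache combined-format log lines, separates requests aimed at a .php page through the server's handler from requests that hit the php-cgi binary directly under /cgi-bin/, and grades each by the flags it carries. The log lines, client addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache "combined" log lines for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2014:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2014:10:01:15 +0000] "GET /index.php?-s HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2014:10:02:40 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 312 "-" "curl/7.30"
198.51.100.9 - - [21/Mar/2014:10:02:41 +0000] "POST /cgi-bin/php-cgi?-d+allow_url_include%3don+-d+safe_mode%3doff+-d+auto_prepend_file%3dphp://input HTTP/1.1" 404 210 "-" "curl/7.30"
203.0.113.8 - - [21/Mar/2014:10:03:02 +0000] "GET /search.php?q=-d HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Only the fields the detector needs are captured from each log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Requests that address the php-cgi binary itself rather than a .php page
# ("new style" in the report, which needs the exact path of the executable).
DIRECT_CGI_RE = re.compile(r'/cgi-bin/php[^/]*$', re.IGNORECASE)
# php.ini directives attackers override with -d to turn the request body into code.
RCE_DIRECTIVES = (
    "auto_prepend_file", "allow_url_include", "disable_functions",
    "open_basedir", "safe_mode", "suhosin.",
)


def cgi_argv(query):
    """argv that php-cgi derives from a raw QUERY_STRING, or [] when the
    query would be handed over as ordinary form data.

    RFC 3875 s4.4: the query string becomes command-line arguments only when
    it contains no unencoded '='; it is then split on '+' and each piece is
    percent-decoded. Decoding after the split is what catches %2d for '-'."""
    if not query or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def classify_request(target):
    """Return (severity, access_style) for a request target, or None if benign."""
    url = urlsplit(target)
    argv = cgi_argv(url.query)
    if not argv or not argv[0].startswith("-"):
        return None
    style = "direct-php-cgi" if DIRECT_CGI_RE.search(url.path) else "php-handler"
    severity = "argv-injection"
    if "-s" in argv:                      # -s dumps the script source
        severity = "source-disclosure"
    for flag, value in zip(argv, argv[1:] + [""]):
        if flag == "-d" and value.lower().startswith(RCE_DIRECTIVES):
            severity = "code-execution"   # -d auto_prepend_file=php://input etc.
            break
    return severity, style


def scan_log(text):
    """Return (client_ip, severity, access_style, target) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict:
            findings.append((m.group("ip"),) + verdict + (m.group("target"),))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run stand-alone, the script reports the three suspicious sample lines and ignores the two where the query string carries a literal "=". Note that the 404 response on the last probe is still flagged: a scanner guessing binary paths leaves a trail whether or not it finds one. The same test, rejecting any request whose query string has no "=" but contains a "-", is what the mod_rewrite workaround circulated with the original advisory checked, and it is only a stopgap; the fix is the patched PHP releases from May 2012 (5.3.12/5.4.2, with a follow-up fix in 5.3.13/5.4.3) or not exposing php-cgi at all.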
The attacks reportedly used 43 different payloads, each designed to enrol the compromised server in a botnet run by the criminals. Imperva said the complexity of the attacks suggests they are being mounted by organised groups.
"Our experience shows that this level of sophistication is linked with industrialised crime, also known as bot herding," read the report.
"The attackers in this case, scan for servers that are exposed to the vulnerability (using PHP CGI from vulnerable versions) to infect them with their bot clients, thus transforming them into zombies, which receive commands from a command-and-control server under their control. These botnets are then sold or rented to the highest bidder."
The Imperva researchers highlighted how crucial the time between a vulnerability being found and a patch being released is. "It is a very intriguing point, to show that cyber criminals understand the serious gap that exists between the time that a vulnerability is found in the wild, to the time it gets reported then the time the vendor issues a patch," read the report.
The risks of publicly disclosing details of newly uncovered vulnerabilities have been a constant source of debate within the security community. Many researchers argue that disclosure alerts attackers to flaws they might otherwise have missed.
Paul Ducklin, senior security analyst at Sophos, told V3 in February that Microsoft's Windows XP support cut-off in April will inevitably lead to security issues, as updates to supported Windows versions will point hackers to previously undiscovered flaws in the older operating system.

FBI accuses Australian man of hacking US-based video game database

A man from Queensland, Australia is accused of hacking an unnamed US-based video game company's database to sell information to players seeking revenge, The Brisbane Times reports.
According to the publication, the charges stem from an investigation involving the FBI and local authorities, who seized files and hardware last November and again this past Wednesday. The accused, who is also alleged to have hacked the company's Twitter account, has been charged with "computer hacking and misuse, fraud, and property offenses," according to the Times.
A separate report says that the 21-year-old hacked a database to sell information. With a player's Internet Protocol (IP) address, a buyer could launch a distributed denial of service (DDoS) attack against it and interrupt that player's home internet connection.
"What this guy allegedly did was set up his own website where you could purchase or get access to the IP addresses of other players," said Brian Hay, detective superintendent of the Queensland Police's fraud and cybercrime group.
"The idea being that you can facilitate a denial of service attack on opponents and slow down the speed at which they can play the game."
According to Hay, the name of the company will be revealed at a hearing April 8.

Symantec fires CEO Steve Bennett

After less than two years in the top job at Symantec, Steve Bennett has been fired.
The security software firm announced Thursday that Bennett had been terminated as the company's president and CEO, and he has resigned from the company's board of directors. Board member Michael Brown will take over as interim president and CEO, effective immediately.
"Our priority is now to identify a leader who can leverage our company's assets and leadership team to drive the next stage of Symantec's product innovation and growth," said Daniel Schulman, chairman of Symantec's board, in a statement. "This considered decision was the result of an ongoing deliberative process, and not precipitated by any event or impropriety."
Symantec said a special committee of the board will immediately begin a search for a new CEO.
Bennett replaced ousted CEO Enrique Salem back in 2012 as the company, which makes Norton antivirus software, attempted to reverse falling profits. Bennett joined Symantec's board of directors in the beginning of 2010 and became chairman in 2011. Previously he was president and CEO of Intuit for seven years, and before that he worked for General Electric for 23 years.
Brown joined Symantec's board in 2005 following the company's merger with Veritas Software. He previously served as chairman and CEO of Quantum.

Syria's Internet goes dark for several hours

A sustained Internet outage affected nearly the entire country on Thursday.
(Credit: Renesys)
After a more than seven-hour blackout, it appears the Internet has returned to Syria.
On Thursday morning several Internet monitoring firms began reporting a halt of online traffic in and out of the war-torn country. While it was clear something was amiss, it was unclear who or what was causing the outage.
In the past, different actors, such as the online hacking collective Anonymous or the Syrian Electronic Army, a group loyal to President Bashar Assad, have attacked the country's Internet. However, Thursday's outage has two competing explanations.
First, a group calling itself the "European Cyber Army" claimed responsibility by posting a message on Pastebin. The group claimed to have waged the attack in retaliation for hacks by the Syrian Electronic Army on US and European Web sites over the past year.
"As you may or may not have noticed Syria was wiped off the face of the Internet!," the group wrote on Thursday. "SEA is a grave threat...A threat that must be neutralized before it spreads like a disease!"
The second group taking the blame was the Syrian government. In a message posted on the country's state-owned Syrian Arab News Agency, the government claimed, "regional and international communications and Internet network were cut off in all the provinces due to a breakdown in the optical fiber cable."

It's unclear which of these two scenarios actually caused the blackout. The outage started early this morning and affected nearly the entire country, according to Internet monitoring firm Renesys. The only link still reaching Syria ran through TurkTelecom, which kept Aleppo, the country's largest city, connected. Akamai showed the same type of disruption. "Today's blackout in Syria is not surprising," Renesys wrote in a tweet. "Renesys rates Syria at 'severe risk' of disconnection."
This isn't the first time Syria has been yanked offline. In November 2012, a massive outage shut down not only all access to the Web but also phone lines. And last May, a similar breakdown in communications occurred when Internet, mobile, and landline networks became inaccessible countrywide.

Microsoft defends opening Hotmail account of blogger in espionage case

Microsoft defended what it called the "exceptional" step of a "limited review" of a blogger's Hotmail account as part of a larger Windows espionage case, saying it had caught the blogger selling Microsoft's intellectual property without permission.
A court filing alleges that the unnamed blogger had been provided prerelease Windows 8 RT source code by then-Microsoft employee Alex Kibkalo. Kibkalo is being charged with stealing trade secrets.
The filing says that Microsoft triggered an internal investigation into the blogger's actions when the blogger sent the source code to an unnamed person, hoping for verification of its origins. Instead, that person tipped off then-Windows chief Steven Sinofsky, who forwarded the details to Microsoft's Trustworthy Computing Investigations department, which investigates external threats and internal information leaks.
The March 17 filing (PDF) alleges that the unnamed blogger confessed to selling Microsoft's intellectual property.
During his interview, the blogger admitted to posting information on Twitter and his Web sites, knowingly obtaining confidential and proprietary Microsoft IP from Kibkalo, and selling Windows Server activation keys on eBay.
Microsoft provided CNET with a statement defending its actions:
During an investigation of an employee, we discovered evidence that the employee was providing stolen [intellectual property], including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

Linux worm Darlloz targets Intel architecture to mine digital currency

A Linux worm variant found in the wild targets routers, set-top boxes, and now PCs in order to mine for cryptocurrency.
According to security firm Symantec, a new Internet of Things (IoT) worm was discovered last November. Dubbed Linux.Darlloz, the worm targets computers running Intel x86 architectures, as well as devices running the ARM, MIPS and PowerPC architectures, such as routers and set-top boxes.
The worm carries a list of common usernames and passwords with which to break into such systems. A new variant, which continuously updates itself, has now been found making money by mining cryptocurrency.
Kaoru Hayashi, a senior development manager and threat analyst with Symantec, wrote that the new version focuses on finding Intel architecture PCs in order to install "cpuminer," an open-source mining program. As Bitcoin can no longer be mined effectively from personal computers, the worm mines spin-off currencies such as Mincoins and Dogecoins instead, where money can still be made.

"The reason for this is [that] Mincoin and Dogecoin use the scrypt algorithm, which can still mine successfully on home PCs, whereas Bitcoin requires custom ASIC chips to be profitable," Hayashi wrote.
In Symantec's last scan, researchers found that 31,000 devices have been infected with the worm, with half of the infections based in India, China, South Korea, Taiwan, and the United States. By the end of February this year, the cyberattackers were able to mine 42,438 Dogecoins and 282 Mincoins, worth approximately $46 and $150. While this is a low amount, further attacks can boost the monetization substantially over time.
It is believed that the hackers capitalize on a backdoor in several router types, which can be exploited to gain remote access. However, this represents a threat to Darlloz if more malware is installed, and so the author implemented a feature to block the backdoor port by "creating a new firewall rule on infected devices to ensure that no other attackers can get in through the same back door."
In total, 31,716 identified IP addresses were infected. 43 percent of Darlloz infections compromised Intel-based computers or servers running Linux, and 38 percent affected a variety of IoT devices.
IoT devices are often left with default passwords and generally have lax security, leaving such vulnerabilities wide open. Symantec suggests applying security patches to all software installed on PCs and IoT devices and changing passwords from their default settings. In addition, blocking inbound connections to ports 23 (telnet) and 80 (HTTP) from outside the local network, where they are not needed, is recommended.

Tech giants knew about data collection, says NSA’s top lawyer

The top lawyer for the National Security Agency told a civil liberties oversight board on Wednesday that US technology companies were fully aware of the surveillance agency’s data collection – knowledge which the firms have vigorously denied having.
NSA general counsel Rajesh De said companies like Facebook and Google had complete knowledge of all communications information and metadata collected by the agency pursuant to the 2008 FISA Amendments Act, whether the material was gathered by the internet data-mining program PRISM or by the “so-called ‘upstream’ collection of communications moving across the internet,” the Guardian reported.
When asked during a hearing with the Privacy and Civil Liberties Oversight Board whether data collection under Section 702 of the FISA Amendments Act was done with the “full knowledge and assistance of any company from which information is obtained,” De said, “Yes.”
PRISM was exposed to the public in June, when news outlets first published classified documents leaked by former NSA contractor Edward Snowden. The companies implicated in the program – including AOL, Apple, Google, Facebook, Microsoft, and Yahoo – immediately denied knowing that the NSA had such access to customer data.
The companies are still in the midst of an at times coordinated PR assault to counter any claims that they are complicit in NSA spying. For instance, last week, Facebook chief Mark Zuckerberg claimed he had called President Barack Obama to voice displeasure about “the damage the government is creating for all our future.”
De explained that the nature of data collection was communicated to the companies.
“PRISM was an internal government term that as the result of leaks became the public term,” De said. “Collection under this program was a compulsory legal process that any recipient company would receive.”
De told the Guardian after the hearing that such notification and legal framework apply to not only PRISM-like back-door access to companies’ systems, but also when the NSA collects data traveling across the internet, pursuant to Section 702.
It is not clear what, exactly, the legal process is that De referred to when the government demands a company offer communications data under PRISM and the like. Snowden documents suggest the NSA has unfettered access to tech firm data.
The secretive FISA (Foreign Intelligence Surveillance Act) court oversees US surveillance requests under Section 702, which permits NSA collection of phone, email, internet, and other communication content when one party is believed to be a non-American outside of the US. However, a substantial amount of American data is also collected in this process.
PRISM data is stored for five years, while “upstream” data taken straight from the internet is kept for two years.
De and other administration figures testifying before the civil liberties board bristled at suggestions that the FISA court authorizes searches for American data that is already gathered inside the databases sanctioned by Section 702.
“If you have to go back to court every time you look at the information in your custody, you can imagine that would be quite burdensome,” deputy assistant attorney general Brad Wiegmann said.
De said that once information is collected under FISA court permission, surveillance analysts should be able to search it, adding that there are privacy considerations in place that respect Americans’ data.
“That information is at the government’s disposal to review in the first instance,” De said.
De and his colleagues did not discuss legal authority for other forms of government data collection outside of Section 702. For instance, Snowden documents published in October showed how the NSA can infiltrate the likes of Yahoo and Google data centers worldwide under executive order 12333.