Thursday, 5 February 2015

AT&T previews lawsuit it plans to file against FCC over net neutrality

AT&T seems resigned to the near-certainty that the Federal Communications Commission will reclassify broadband as a common carrier service in order to enforce net neutrality rules. But it isn't going to let the decision stand without a legal challenge, and the company is already telling the world what it's going to argue in court.
"I have no illusions that any of this will change what happens on February 26," when the FCC is expected to vote, AT&T Federal Regulatory VP Hank Hultquist wrote in a blog post yesterday. "But when the FCC has to defend reclassification before an appellate court, it will have to grapple with these and other arguments. Those who oppose efforts at compromise because they assume Title II rests on bullet proof legal theories are only deceiving themselves."
Hultquist's blog post summarized arguments AT&T made in two new filings with the commission. "Given that this decision seems driven by political considerations, I hold out little hope that the FCC will alter its course, but the letters nonetheless try to set out what we see as significant infirmities with reclassification," Hultquist wrote.
The first of AT&T's two filings concerns whether Internet service providers are information service providers, telecommunications service providers, or both. They are currently treated as lightly regulated information service providers, but they would be reclassified as telecommunications providers under the FCC's expected action. This would let the FCC regulate fixed and mobile broadband with the same "Title II" statute it uses to regulate the traditional telephone network, but the FCC could pick and choose which exact rules to apply. Specifically, the FCC would impose bans on throttling or blocking traffic and paid prioritization deals in which a Web service pays for priority access.
AT&T argues that the capabilities ISPs would use to throttle, block, or prioritize traffic must be classified as information services because of the way information services are defined under the law. "[T]he capabilities that allow prioritization... involve the use of an ISP’s 'computing functionality' to provide 'the capability of getting, processing, and manipulating information,'" AT&T General Attorney Christopher Heimann wrote in the filing. Thus, they can't be part of a transmission component that would be "understood as a separate telecommunications service subject to Title II."
"[T]he plain meaning of the statutory definition mandates the result that any offering including ISP functionalities—and thus, as discussed above, any offering that includes the ability to prioritize or block content—necessarily is an information service," Heimann wrote.
AT&T's second filing contains a procedural argument, accusing the FCC of making a decision without doing a required analysis. "Under longstanding precedent, the FCC must make particularized findings with respect to the offerings of individual carriers in order for it to find that either they are operating as common carriers, or should be required to operate as common carriers," Hultquist wrote. He continued:
The FCC has not engaged in the kind of detailed analysis that would be needed to assess the offerings of every ISP that would be subject to its rules.
In order for the FCC to find that an ISP is operating as a common carrier, it would have to examine the terms on which that ISP holds itself out to customers to assess whether it offers to serve indifferently, or whether it retains the ability to decline to serve customers. The underlying record in this proceeding simply does not contain the level of detail needed for the FCC to determine that any ISP, let alone every ISP, holds itself out to serve customers indifferently. And in some markets, such as for peering and interconnection, the record is in fact quite clear that ISPs do not operate as common carriers, and expressly retain the right to refuse to provide service. These services are unique carrier-to-carrier arrangements commercially negotiated in a robustly competitive market and it would strain all logic to find that they instead are offered indiscriminately to the public for a fee, the core requirement of common carriage.
The FCC cannot mandate that a service be offered on a common carrier basis without, at a minimum, a finding that a particular provider has market power in a particular geographic market. Needless to say the FCC has engaged in no analysis of market power on a geographic market basis. Accordingly, this option is simply not available to the FCC.
The FCC in 2010 passed net neutrality rules using its powers to regulate information service providers. Verizon sued and won, with the court ruling that the FCC had imposed per se common carrier restrictions without first reclassifying broadband as a common carrier service. That's what led the FCC to consider using its stronger regulatory powers.
FCC Chairman Tom Wheeler says he expects a lawsuit no matter what the FCC does and that the commission will write its rules so that they can survive a court decision. He is expected to reveal more details on his plan Thursday.
Verizon has also warned the FCC that it will face lawsuits over reclassifying broadband providers.
AT&T and Verizon each face common carrier rules for telephone service, including cellular voice. But the companies are not (yet) treated as common carriers for Internet service on either fixed or mobile networks.

Dreaming of Credit Card Security

Security Slice: Dreaming of Credit Card Security
Mastercard and technology start-up Dynamics Inc. have teamed up to develop a new payment card that’s “a security lover’s dream.” The card will feature multiple layers of protection, including a light to indicate when the card is usable, and a code that unlocks the card when entered on an included keypad.
Can this card deliver on its promises?
Listen to the latest Security Slice podcast and hear Lamar Bailey, Lane Thames, Tyler Reguly and Craig Young discuss their opinions of the card's security measures, why consumers shouldn’t have to pay extra for this card, why the United States is still so far behind the rest of the world on credit card security and how this credit card compares to other third-party payer options like Apple Pay and Google Wallet.


GHOST in the Shell

Security Slice: GHOST in the Shell
At the end of January, security firm Qualys disclosed a new vulnerability they dubbed “GHOST” (CVE-2015-0235). GHOST is a critical vulnerability in glibc, the GNU C library, and it impacts Linux systems dating back to 2000.
Red Hat listed GHOST in its CVE database as ‘critical’ with a CVSS v2 score of 6.8, and the media immediately began to compare GHOST to other high-profile vulnerabilities like Heartbleed and Shellshock.
Should you be haunted by GHOST?
Listen to the latest Security Slice podcast and hear VERT researchers Craig Young and Lane Thames discuss exactly how the GHOST vulnerability works, why GHOST has such a checkered past and how IT and security teams should evaluate GHOST against other critical security bugs.


Siemens sighs: SCADA bugs abound

Wimax network kit vulnerable
Another security advisory covering Siemens industrial kit has reached the public, this time covering wireless industrial networking hardware.
ICS-CERT advises that the Ruggedcom range of 802.16e (Wimax, for those with long memories) switches from the company carries a range of vulnerabilities that let attackers scam admin privileges for themselves.
The vulnerabilities are:
  • CVE-2015-1448 – attackers can get administrative access to the kit over the network, without authentication;
  • CVE-2015-1449 – a buffer overflow in the integrated Web server means an attacker over port 443 might get remote code execution access; and
  • CVE-2015-1357 – a real treat: password hashes and other sensitive information “might” be stored in an insecure format and accessible from local files or security logs.
Products impacted are in the company's WIN 51xx, WIN 52xx, WIN 70xx and WIN 72xx series. These are Wimax base stations designed for harsh environment deployments.
The ICS-CERT note puts the kit in a wide range of industries worldwide, including chemical, communications, critical manufacturing, dams, defence, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems.
Siemens is asking customers to get in touch (via an online support request) to get a firmware update.
And in a separate advisory, the company also updated the firmware for its Scalance-X switches (which connect things like programmable logic controllers to the control interfaces) to block yet another authentication failure in the Web interface. Details here.

NSA raided hackers' troves of stolen data: report

At last government outsources to proper experts at taxpayer-friendly price of free

The NSA and its allies have raided the pockets of independent and nation-state hackers and monitored some of the security industry's foremost researchers in its bid to hoover information on targets and find better ways to break systems, Snowden documents reveal.
Spooks would monitor the work of 'freelance' and rival state hackers, notably those plundering email accounts owned by targets of interest to the NSA and friends, and pilfer the stolen contents, according to a report by The Intercept.
That stolen data, referred to as 'take', was then pinched from hacker targets such as journalists, activists and military sources including the Indian Navy. Those hacks were likely the handiwork of other nation-state hackers given the sophistication of the breaches.
The documents revealed the hackers' email-plundering infrastructure was referred to under the moniker INTOLERANT and that Canada and the UK had hands in hacker pockets.
Here's a choice bit from one of the alleged NSA documents:
"Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect."
The NSA would tip-off allies such as the UK and Australia when it found data in hackers' take.
Snowden's trickle-feed cache also revealed the NSA had run an open source intelligence gathering service known as Lovely Horse which monitored the Twitter feeds of security bods including Mark Dowd, Tavis Ormandy and HD Moore. The Intercept listed 36 other Twitter sources who could be flattered by the agency's interest.
The agency also scraped security blogs for data in its bid to keep abreast of emerging exploits and vulnerabilities.
It need not have gone to the lengths of building in-house systems, however. Plenty of RSS feed platforms and page-monitoring browser extensions exist, while Aussie hacker Matt Jones (@volvent) had in 2012 created the TalkBack portal to analyse Twitter chatter and pry out new vulnerability information using known good security sources.

Forget Norks, Russian hackers are in Sony Pictures' servers – claim

Infosec bod reckons he has seen internal documents not yet leaked by studio ransackers

There's a new twist in the already tangled tale of the Sony Pictures mega-hack: it's now claimed Russians possibly broke into the company's computers.
Miscreants in the Putin-led nation comprehensively compromised the Hollywood studio's servers, and were responsible for most of the damage against its systems, reckons Jeffrey Carr, chief exec of security consultancy Taia Global.
Thousands of highly sensitive personal files on employees, past and present, and celebrities, plus emails, scripts and unreleased video, were leaked all over the internet as a result of the infiltration.
The US government blames North Korea for hacking into the Sony Pictures network and leaking copious amounts of data before finally thrashing the computers with disk-wiping malware. The FBI is confident the Norks are the culprits because the NSA apparently pwned North Korea's onramp to the internet in 2010 – and presumably the spies tipped off the Feds to what was going on.
Over in the land of computer security professionals, it's argued a disgruntled former techie at the studio is more likely to be behind the ransacking.
Carr, founder of the Suits and Spooks conference, has come up with a third theory: he says he's heard from "a Russian hacker living in Ukraine" who has apparently made contact with someone in a Russian crew involved in the Sony security breach.
Carr claims he has seen internal Sony documents that have yet to be publicly leaked: five Excel spreadsheets dated from 30 November 2014 through 10 December 2014, and two email messages dated 14 January and 23 January 2015.
This, he says, is evidence the Russians gained access, and may still have access, to the studio's systems. Word that Sony Pictures had been compromised emerged around November 25, triggering a shutdown of the company's networks and machines.
"All of the documents appear to be authentic and one has been proven to be authentic by the film analyst who created it. They are not part of any prior release by the Guardians of Peace, the presumably North Korean team who claimed credit for the attack," a blog post by Taia Global states.
It's entirely possible, as far as El Reg can see, that the Russians broke into the company's computers after the mega-hack and swiped more files – or the original hackers were or are still in the network and documents have somehow made their way into Russia – assuming Carr is correct.
Taia Global reckons either Russian and North Korean hackers simultaneously ran separate attacks against Sony Pictures Entertainment – or that the North Korean government’s denial of involvement is accurate, that other hackers were responsible, and at least one or more of them were Russian. It's still possible an ex-employee helped out whoever broke into the studio's machines from afar.
"There were probably multiple bad actors in Sony's network," Carr told El Reg.
If the latest leak is genuine, it means Sony Pictures is still losing crucial information a full two months into its effort to clean up the mess and lock down security – which has already cost the Hollywood studio $15m.
Security experts point out that even if the Russians have the data now, it doesn't necessarily mean they hacked into Sony's network themselves.
Rob Graham, of Errata Security, told El Reg: "The hackers exfiltrated much more than they've revealed. The Russians can just be using the exfiltrated data."


"Yama Tough", the Ukraine-based bod who contacted Carr, has been previously claimed responsible for network breaches at Symantec, VMware, and others. He's not claiming responsibility for the Sony hack directly.

Regin super-malware has Five Eyes fingerprints all over it says Kaspersky

Keylogger plugin built on source code known to come from spookhauses
The Regin malware, often described as the devil spawn of Stuxnet and Duqu, is the handiwork of the Five Eyes nation state spy apparatus, analysis reveals.
The malware was named in November by researchers impressed with the smarts that helped it hide in plain sight for up to six years.
Analysis overnight by Kaspersky malware reversers Costin Raiu and Igor Soumenkov found a Regin plugin - a keylogger called QWERTY - used source code known to be the product of a Five Eyes intelligence alliance member nation.
"We've obtained a copy of the malicious (QWERTY) files published by Der Spiegel and when we analysed them, they immediately reminded us of Regin," the duo said.
"Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.
"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together."
The QWERTY malware was a keylogger plugin built for the modular WARRIORPRIDE malware platform revealed in the Edward Snowden trove of NSA project documents.
The plugin and the platform were considered related due to multiple shared code references including WzowskiLib and CNELib.
Kaspersky's work opens the possibility that Regin and WARRIORPRIDE were the same malware.
The research duo said the plugins did not function as stand-alone malware and relied on kernel hooking functions.

Fake hottie hackers flung info-slurping malware at Syrian opposition – FireEye

Love RAT heartbreak Skype chat booby trap

Cyberspies used social engineering trickery to steal Syrian opposition’s strategies and battle plans, according to security researchers.
Hackers employed a familiar tactic: ensnaring victims through conversations with seemingly sympathetic and attractive women. As the conversations progressed onto Skype chats, the “women” would offer up a personal photo that was laden with malware and designed to compromise the target’s computer or Android phone.
Prospective marks were tricked into revealing what type of device they were using (Android phone or a computer) before hackers behind the attack slung the appropriate custom malware, said the securobods.
Typically, a female avatar would strike up a conversation on Skype and share a "personal photo" with her target. This photo file is booby-trapped with malware. Attackers are deploying a range of widely available and custom malware to hack their targets, including the DarkComet RAT, a customised keylogger, Android malware and cracking tools with different shellcode payloads.
The campaign was discovered by security researchers at FireEye, who are unsure who is running it. The researchers have said that if the data was acquired by President Bashar al-Assad’s forces or allies, it would benefit his military efforts. There are multiple references to Lebanon in the malware and in the avatars’ social media use, but this by itself doesn't prove much.
The stolen data includes battle plans and maps, supply needs and routes as well as weaponry and ammunition lists, FireEye claimed. It also exposes the personal information of fighters battling against President Assad’s forces as well as media activists, humanitarian aid workers and others within the opposition located in Syria and beyond. The avatars' campaign began in November 2013.
Hacking and malware-slinging has been a side show of the Syrian civil war for around three years. The latest research shows that hackers are refining their tactics and adopting the subtlety of social engineering attacks associated with state-sponsored hackers and intel agencies.
FireEye's research is summarised in a blog post and explained in more detail in a report here (PDF).

'Ruskie' malware pwns iOS 7

Worse fate for jailbreaks

Attackers, perhaps of Russian origin, are infecting iPhones linked to the government, defence and media sectors with dangerous spy malware capable of breaching non-jailbroken devices, researchers say.
The XAgent malware, part of attacks unveiled last year against Windows devices, has moved to iOS, targeting iOS 7 and, to much lesser effect, iOS 8.
About a quarter of Apple users still ran iOS 7.
Trend Micro threat researchers Lambert Sun, Brooks Hong, and Feike Hacquebord said the malware could monitor and siphon media, directories and text messages to remote servers, and capture photos and audio on jailbroken devices.
"The XAgent app is fully functional malware," the trio said in a research note.
"The exact methods of installing these malware is unknown; however, we do know that the iOS device doesn't have to be jailbroken ... we have seen one instance wherein a lure involving XAgent simply says 'tap here to install the application'."
That attack relied on Cupertino's ad hoc provisioning used by app developers to enable installation with a link.
Attacks against iOS 7 devices quietly restarted when closed and remained invisible to the user as a background process. It fared far worse on iOS 8 where it had to be manually started on reboot by victims and could not hide.
Researchers said the malware appeared to be carefully maintained and consistently updated.
XAgent was tied to a campaign dubbed Operation Pawn Storm targeting anti-Russian actors linked to the Ukraine conflict (pdf) which used typosquatting and phishing to compromise high-profile victims.
The command and control server used in the attacks was operational at the time of research.