Happy Workers(MAY) Day to All, Have Fun!!!

Governments will fall if cyber attackers succeed, warns MoD

Governments across the globe could be brought to their knees by successful cyber attacks, according to Ministry of Defence (MoD) head of information security, Adrian Price.
Price said that the threat posed by state-sponsored hackers and hacktivist groups to national security and stability is increasing to worrying levels.
"From my perspective the state sponsored and terrorist groups [are a major issue], and to a lesser extent the hacktivist groups as they try to deface our websites as a matter of routine or get into our systems to steal our information to pass on to the press," he said during a debate at Infosec in London.
"Any of these could affect a military operation or damage the reputation of the government - depending on sensitivity they could even bring about a vote of no confidence in parliament, taking down the current regime."
Price said the government will have to work more closely with academia and private industry to ward of the increased threat posed by cyber attacks.
"We are looking to join up and get clever about this but we could still do a lot more. It's really about educating people that we're all in this together and get people to share information amongst the community," he said.
FBI legal attaché at the US embassy London, Scott Cruses, supported Price, saying the US government is detecting a similar increase in the number of cyber attacks targeting its systems.
"I've sat in a number of meetings over the last few years with directors and senior members of the FBI and cyber is fast emerging as the next threat on the horizon to eventually surpass counter terrorism," he said.
"We've also changed some of our priorities, to prevent cyber-attacks against our critical infrastructures, reduce the national vulnerability of these cyber-attacks and lastly, to minimise the damage and recovery time of cyber-attacks when they do occur."
Price and Cruses' comments mirror those of numerous other politicians and security vendors. Prior to it UK minister for Universities, David Willetts issued a similar call-to-arms for businesses to work more closely with the government to combat cyber attacks.
Russian security expert Eugene Kaspersky also warned that it is only a matter of time before terrorist groups begin mounting cyber attacks on governments and businesses.

NATO Team Wins the Locked Shields Cyber Defence Exercise

International Cyber Defence Exercise Locked Shields ended yesterday evening with NATO’s Blue Team receiving the first place among the ten teams participating. The two-day exercise aimed to test the defence skills of IT experts under real-life conditions and also practise working side-by-side with different nations.

“It is good to see that the Blue Teams have really prepared well for this year’s exercise and the opposing team had to work a lot harder to keep the difficulty level high for the defenders,” said Mr Jaan Priisalu, White Team leader and Director General of the Estonian Information Systems' Authority. “This is a highly positive sign because it shows that the teams take the exercise very seriously and also that they are learning from the best practises and lessons from previous years.”

“The exercise has come a long way since the first event in 2008 and the fact that the teams are improving shows that the exercises do what they were developed for, namely train the IT specialists to work together and enhance their skills,” noted Colonel Artur Suzik, Director of the NATO Cooperative Cyber Defence Centre of Excellence. “I firmly believe that we owe the success of the exercise to our partners without whom this event could not take place and we are hoping to cooperate with all of them again for the Locked Shields 2014.”

In the end of the exercise Mr Jaan Priisalu received the honorary title of a Senior Fellow of the NATO Cooperative Cyber Defence Centre of Excellence for his outstanding contribution to the Centre’s technical exercises since 2008 and for his continuous support to Centre’s activities. 

The exercise was organised by NATO Cooperative Cyber Defence Centre of Excellence, Finnish Defence Forces, Estonian Defence Forces, Estonian Cyber Defence League and Estonian Information Systems' Authority. Great technical support was received from Cisco, Clarified Networks, Clarified Security and Bytelife.

The ten Blue Teams were from Estonia, Finland, Lithuania, Germany, Holland, Italy, Poland, Spain, Slovakia and NATO. Exercise control was located on the premises of NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.

NATO Cooperative Cyber Defence Centre of Excellence is an International Military Organisation located in Tallinn, Estonia. It is not an operational centre and does not fall within the NATO command structure; it is guided and financed by the nations participating in its work. Centre’s mission is to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation.

Shell plans to move 135,000 staff to BYOD

Shell is undertaking a huge bring your own device (BYOD) project which will see it supporting around 135,000 devices picked by users rather than dictated by the IT department.

At the CA World show in Las Vegas on Monday, Ken Mann, enterprise information security architect at the oil and gas firm, outlined Shell’s shift to become a cloud-first and BYOD outfit.

Shell had already undertaken a project to centralise all its IT, and has outsourced its infrastructure to three main suppliers – AT&T, EDS – since purchased by HP –and T-Systems. Two years ago, the firm adopted a cloud-first policy, which means that any new applications have to be in the cloud unless there is a business case for them to be on-premise.

The next project for Mann’s department was BYOD – which Mann’s boss defines as buy rather than bring your own device.

The BYOD scheme is a major undertaking. Shell has 90,000 permanent employees, and an additional 60,000 on a contract basis so the company is managing 150,000 clients, from desktops to portables to tablets.

Of those users, 10,000 are already on a BYOD scheme, but Mann said Shell expects that in a few years, less than 10 percent of its users will be using company-provided IT equipment. Or taken another way, Shell will soon have 135,000 BYOD users to support.

“We’re looking at true BYOD, not just for mobile, but bring in your own laptop,” he said.

“Windows, iOS and Android are key operating systems for us, but if Windows Phone 8 becomes popular, we’ll look into using that.”

Part of the decision for the BYOD drive is around recruitment and staffing.

“In about five to 10 years, 50 percent of our staff worldwide will retire,” Mann explained.

“We’re going to have a lot of people turning over, and we want to be able to attract and retain talented and young staff. They don’t want to come into a locked corporate environment.”

To support this major BYOD drive, Mann’s job was to secure the different devices accessing the corporate network. 

“We had two-factor authentication using smartcards and one time passwords (OTP) as default. But we started to look at how we could do two-factor authentication in the cloud. We wanted a solution for single sign-on from any device, whether in the cloud or an in-house app, and we wanted to support authentication standards like SAML and OAuth and translate between these,” he explained.

“We also wanted device authentication – is it from a Shell device or a kiosk in an airport?”

Mann said that four IT companies were in the running to provide Shell with its desired cloud authentication system, and each was visited to carry out an on-site proof of concept, with CA being one of the four.

“We didn’t find one company that could do everything we wanted to do. CA showed us the guts and development code, but they didn’t have a solution ready at the time,” he noted.

“Based on the four firms, we ended up selecting CA CloudMinder – it didn’t have a name at the time – as it was highly focused on cloud apps, and we’re already using SiteMinder, which focuses on in-house authentication, so there was a good bridge to link cloud and on-premise apps.”

CA CloudMinder was released in February, and is designed to offer enterprises key security capabilities including advanced authentication, identity management, and federated single sign-on as cloud services.

CA also unveiled a partnership with SAP at the Las Vegas show, to license the latter's Afaria software for mobile device management.

Hackers hit thousands of websites with Apache backdoor attack

Security firm Eset has uncovered a malicious cyber campaign using a backdoor exploit in Apache web servers to herd web users to sites carrying Blackhole exploit packs. The security firm reported uncovering the campaign on Friday, warning that thousands of websites have already fallen victim.
Eset senior research fellow, Righard Zwienenberg, told V3 the backdoor, codenamed Linux/Cdorked.A, is one of the most advanced attacks to target the Apache platform, boasting advanced detection dodging powers.
"The configuration of Linux/Cdorked.A is pushed to the system using obfuscated HTTP requests not apparent in Apache's log. This hides the fact that the web server is compromised. Linux/Cdorked.A can also receive commands with HTTP-POST," he said.

"The problem here is that Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. It will be difficult to assess the dangers and actions of specific compromised systems if only the binary is found and the active shared memory is not.
Zwienenberg said the compromised servers are being used to drive web traffic to a number of malicious websites containing malware and exploits from the Blackhole exploit kit. The campaign has already compromised hundreds of Apache servers, meaning that thousands of websites could potentially have been affected.
The attack is particularly dangerous as Apache web servers are among the most well-known and widely-used in the world and are used by numerous companies. This means that a successful security breach can affect numerous different businesses across a diverse range of industries.
"With so many web servers running Apache, potentially hundreds of thousands of sites are vulnerable to this hard-to-detect threat. Other than modifying the existing httpd daemon service, all other traces are only in memory. Traffic to the website may be directed to other sites, where some of the redirects are to sites that carry the notorious Blackhole Exploit Kit," said Zwienenberg.
"Businesses must make sure they are always are up to date in applying all security patches. The days when patch management was a luxury are long gone. These must be completed so every employee is safe, and complemented with appropriate prevention measurements, such as anti-malware security suites."
The backdoor is one of many advanced threats uncovered targeting businesses over the last month. Prior to it security firm Seculert uncovered a 'Magic Malware' that features several detection dodging capabilities.
The influx of new sophisticated attacks has caused numerous security vendors and government groups to call on industry to improve their cyber defences. Most recently, Metropolitan Police Central e-crime Unit head Charlie McMurdie said businesses must work more closely with law enforcement to protect themselves from advanced threats.

Facebook loses millions of users in UK and US

Millions of active users have left Facebook in the last six months – many from some of its largest markets, including the US and the UK – according to independent data.
Figures from analyst firm Social Bakers show that the decline in users has picked up pace recently, particularly over the last month.
During the last six months, the social networking giant has lost over five percent of its US user base, the equivalent of 8.6 million people. Meanwhile 6.5 percent of UK users and over four percent of Canadian users have deserted the social networking giant over the same period.
The biggest losses over the period for Facebook occurred in Japan with a drop of nearly 20 percent of its users, Nigeria with over a 26 percent drop, and South Africa with a 19 percent drop.
Nearly four percent of the US losses and nearly five per cent of the UK's have occurred in the last month. The last month has also seen a decline in Facebook users in France and Germany.
Facebook could not immediately be reached for comment on the news.
Ovum analyst Richard Edwards told V3 that there could be a multitude of factors responsible for the decline.
"It could be that users are concerned over the privacy or that simply exam season is coming around," said Edwards. "The loss could also be due to a fashion element with other social networking services, whether it be LinkedIn or Instagram, gaining traction."
Edwards also suggested that the loss of Facebook users could be because the service had reached saturation point in a number of markets.
In related news, V3 last week reported that Facebook has confirmed plans to build a massive new datacentre in rural US that will make extensive use of wind power.

PDF-tracking flaw found in Adobe Reader

McAfee Labs has uncovered a zero-day vulnerability in Adobe Reader that could be exploited by hackers to track PDF file movements.
McAfee's advanced exploit detection system (AEDS) uncovered the threat on Friday, and it relates to an unpatched security flaw contained in every version of Adobe Reader, including the latest 'sandboxed' Reader XI (11.0.2).
McAfee declined to reveal the details of the vulnerability as Adobe is yet to release a patch for it. The vendor said that it has already detected a number of groups and people exploiting it, potentially for malicious purposes.
"We have detected some PDF samples in the wild that are exploiting this issue. Our investigation shows that the samples were made and delivered by an ‘email tracking service' provider. We don't know whether the issue has been abused for illegal or APT attacks," wrote McAfee's Haifei Li.
"Some people might leverage this issue just out of curiosity to know who has opened their PDF documents, but others won't stop there. An APT attack usually consists of several sophisticated steps. The first step is often collecting information from the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, internet service provider, or even the victim's computing routine."
Despite its potential application, McAfee confirmed that it has made Adobe aware of the issue and the company is working on a patch. At the time of publishing Adobe had not responded to V3's request for comment when the patch will be released.
The zero-day vulnerability is one of many targeting popular platforms to have been discovered in recent weeks. Many of the vulnerabilities have related to Oracle's Java platform. The number of attacks led Finnish security firm F-Secure to list Java as the victim of choice for criminals.

Pocket rockets: NASA turns to hackers for new breed of space apps

7
inShare

NASA isn’t exactly known for thinking small. This is, after all, the agency that’s trying to lasso an asteroid into orbit around the Moon before 2025. But one group at NASA is focused on a far leaner goal: outsourcing the development of new NASA apps to hackers around the world. Earlier this month, they managed to convince 9,000 people in 44 countries to split up into teams and compete against one another to build software and hardware projects that show off NASA data. The goal is to make apps not only for the public audience, but also that NASA may use internally.

Called the International Space Apps Challenge, the second annual event was the largest "hackathon" in world history, according to the agency: Between April 20th and 21st, over 770 submissions poured into NASA’s main Space Apps website. NASA is now combing through these and assembling a panel of judges, and will announce the five global winners in May.

"This is a striking example of what the future of government looks like."

In several cities, participants organized and funded in-person gatherings, with only loose direction from NASA’s Space Apps team. And, as Space Apps’s organizers emphasized, they themselves only spent a few months and $70,000 to get the project off the ground—peanuts for an agency that regularly signs multiyear, multibillion-dollar aerospace contracts. "This is a striking example of what the future of government looks like," said Nicholas Skytland, manager of NASA’s Open Innovation Program, in a phone interview with The Verge. The numbers sound great, but two key questions remain, not only for NASA’s Space Apps contest but for the larger trend of crowdsourcing the agency has embraced: How good are the results? And what do participants think about the process when it’s all said and done?

"They are definitely results NASA will use."

NASA says it’s too early to say which, if any, of the apps developed during this year’s challenge the agency itself will choose to adopt. But at least two of the apps from last year’s hackathon have become staples for NASA's staff. One is an app that converts the obscure image file format VICAR—used by many NASA employees—to PNG format, and the other is a software platform for NASA’s underwater robotic submarines. "Those are getting heavy rotation at NASA," said Sarah Rigdon, the communications leader of the NASA Space Apps Team. "I can tell you that while the results from this year are still being compiled, they are definitely results NASA will use."

Participants in the Space Apps challenge seem to have bought into the concept of free labor—mostly because they’re enthusiastic about space and appreciate competition for its own sake. "It was overall so much fun, and crazy, when you realize the space and time difference between participants," said Arman Atoyan, who led one team and is the founder of the startup software company X-Tech, based in Yerevan, Armenia. His team built an app, called "Feel the Moon Gravity," that uses NASA data and Microsoft’s Xbox Kinect motion controller to simulate jumping on the surface of the moon.

Atoyan and co.’s app is one of the flashier designs to emerge from the challenge, but it’s in good company: other projects include Sol, a beautifully designed iPhone app from Kansas City company Ingenology, which displays the weather on Earth and Mars; and Inbound, a hardware project that consists of a series of LED lights linked together by an Arduino (an open-source microcontroller) to track the path of solar flares and charged particles from the Sun to the Earth.

"We heavily focused on simplifying the complex data that NASA provided, trying to make it a bit more abstract and digestible at a glance," said Matthew Congrove, a developer at the mobile software company Appcelerator in Mountain View, California, who worked with a few colleagues on the Inbound project. "I don't think there's anything more simple than showing the Sun, the Earth, and the coronal mass ejections travelling between the two."

It remains to be seen whether any of these eye-catching apps are among the winners of this year’s challenge, but the fact that they were created by teams of professional developers seems to undermine NASA’s claim that the event was designed for average "citizens from around the world." Still, NASA maintains that the overall goal of making its data more accessible was met, both in this and last year’s challenge.

"Making vast reservoirs of data available to the public."

"Our goal has been to infuse a lot of Open Government's values within NASA," said Rigdon. "Part of the work of the Open Government division has been to make our vast reservoirs of data available to the public." That NASA Open Government effort extends beyond NASA to other federal agencies. In fact, it was catalyzed by an edict from President Obama himself in 2009. But NASA has embraced the idea with vigor, and other branches of the agency are already holding their own contests, including one in March of this year that was focused on video game development.

As for Space Apps, NASA’s plan to effectively "gameify" the development of new apps and hardware seems to have worked out better than the agency could have hoped. Although NASA already produces and commissions many official iOS and Android apps under its own label, the goal with Space Apps was to harness both amateur and professional developers' talent from around the world without forking out for employees. "When you think about a professional developer's salary, it’s about $75 an hour," Skytland said. NASA estimates 60 percent of the participants in Space Apps had professional qualifications, a number Skytland says may have earned the agency about a $14 million return-on-investment.

"Right now, we’re just excited we survived it."

Still, despite its apparent success, the crew of 12 on the Space Apps project aren’t sure whether there will ever be another hackathon. "Who knows?" Skytland said about a Space Apps 2014. "Last year we swore we’d never do anything like this again. Right now, we’re just excited we survived it."

Hackers get root access on Google Glass ahead of retail release

Tinkerers have only had their hands on the Google Glass "Explorer Edition" for a few days, but they've already found a way to achieve root on Google's much-ballyhooed face-computer, granting full access to the device's Android operating system.

The hack comes courtesy of legendary iOS jailbreaker Jay Freeman, aka Saurik, who tells Forbes that he cracked the device using a known exploit used to get root on Android 4.0, first discovered by another hacker named B1nary. Freeman says it was a simple task, accomplished in a matter of hours by fooling the device into thinking it's actually an emulation instead of the real hardware. Since emulations are used for testing, all permissions are granted and root is achieved.

Freeman is not the first to crack Glass, though: just yesterday, another developer, Liam McLoughlin, also got root on his device. Although both jailbreaks were successful on the current Explorer Edition of Glass, it's not clear whether those holes will still be available in the consumer edition. But it's potentially a boon for those concerned about the fact that Google can remotely deactivate the device it you attempt to sell it — or anyone not fond of the fact that Google will be pre-screening all the apps that go on device, unlike its more open app ecosystem on Google Play.

Update: Google X project engineer Stephen Lau has confirmed what was suspected: Google purposely left Glass unlocked "so you guys could hack it and do crazy fun shit with it." It's not clear if consumer versions of Glass after the developer-friendly Explorer Edition will be unlocked as well, but Lau is encouraging early adopters to "show me something cool."

Brazen Crimeware Marketing Branches Out to Social Networks

The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal.
That’s what makes a recent discovery from RSA Security’s FraudAction Research Lab all the more jarring. Expert Limor Kessem found this week that a new fraud service was being marketed over Facebook. The developer, an Indonesian-speaking person, was selling a customized botnet panel for the Zeus Trojan.

Kessem said the Facebook page was updated frequently with information about botnets, exploits and their version of Zeus.
“Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers—which they have no qualms about sharing publicly,” Kessem said.
While this particular criminal is an outlier, the use of social networks to market crimeware speaks to the commodity nature some of the malware used for fraud. Zeus source code was leaked online in 2011, and since then many variants have popped up, each with varying degrees of functionality. While high-end underground forums are out of reach for many, others such as this developer, might be trying to expand their reach with his own version of the banking malware and taking advantage of a market shift where some of the more professional malware dealers have been laying low. Some, such as the keepers of the Citadel Trojan, have sworn off commercially selling their kit and will trade only with current and trusted customers.
“Underground forums are fairly well protected; these folks want to keep a low profile,” said George Tubin, senior security researcher at Trusteer. “But, you can imagine that maybe some want to branch out a little and get into a new market and attract folks who are not part of this secret underground as a way to reach out. Maybe they want to reach out to a new group of folks with no access to forums or don’t know how to get to them.”
In fact, commercial versions of Zeus, SpyEye and Ice IX aren’t for sale either, another trend leading toward crimeware kits and service offerings available online.
“This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena,” Kessem said. “Marketing cybercrime in such an open and accessible manner is not something common.”
Crimeware kits and fraud services have become increasingly specialized, Tubin said, and cheaper. Criminals not only sell malware, phishing kits and botnets ready for launch, but have added features such as phone flooding capabilities for denial-of-service attacks, as well as check-forging specialists who can create counterfeit personal checks from stolen online check images. Specialization has also come to malware and botnets, to the point where compromised computers making up a botnet can be sold or rented according to geography if an attacker wants to target a particular regional financial institution.
“It’s amazing how every piece can be bought directly or as a service,” Tubin said, adding that malware writers want to make these kits sellable, therefore, easy to use.
“There are a broad range of kits out there,” he said. “Malware writers want to make them as intuitive as possible in order sell to a wide variety of folks, not just sophisticated programmers. That’s probably what is being sold on social networks and other outlets where they are reaching out to folks they have not before hoping these people just get sucked in once they realize how easy it is to do.”

Hackers Blocked By Stealth Login Scripts For WordPress

After being hacked over a period of several months and as a result, experiencing very high CPU usage on his shared hosting websites, Dr. Peter Achutha has developed several techniques to defeat hackers.
One of these techniques is to use login php scripts that are designed to defeat hackers and make it very difficult to login into software such as WordPress. He has developed two php login scripts that he is giving away freely so that many honest to God hard working bloggers can protect their blogs from hackers. Login php scripts can now operate in stealth mode. His article on stealth login in scripts on his website shares more details and the free download.
The other technique he has explained is how to generated powerful easy to remember passwords. From experience he has found that good passwords can take years to hack. He says “A government or private institution had used 30 PC’s or more to break my passwords. They had tried more than 28,000,000 attempts over a 24 hour period to log into my websites and then gave up. My sites are still running.” His other article on secure hack proof passwords teaches users how to make passwords more difficult to hack.
Dr. Achutha states that some other application other than WordPress is still able to use his php login scripts. As long as there is a separate php login script for the application package one can substitute his login scripts to block hackers. Having installed his login scripts you can then go into stealth mode and hide from potential hackers. He says, “Techniques similar to password protection methods can be used to go into stealth mode. In addition if your software is not WordPress but you have a wp-login.php login script then hackers will be misguided and try to hack your site as a WordPress site. This will increase the difficulty level for hackers.”

Military grooms new officers for war in cyberspace

 

AIR FORCE ACADEMY, Colo. – The US service academies are ramping up efforts to groom a new breed of cyberspace warriors to confront increasing threats to the nation’s military and civilian computer networks that control everything from electrical power grids to the banking system.
Students at the Army, Navy and Air Force academies are taking more courses and participating in elaborate cyber-warfare exercises as the military educates a generation of future commanders in the theory and practice of computer warfare.
The academies have been training cadets in cyber for more than a decade. But the effort has taken on new urgency amid warnings that hostile nations or organizations might be capable of crippling attacks on critical networks.
James Clapper, director of national intelligence, called cyberattack the top threat to national security when he presented the annual Worldwide Threat Assessment to Congress this month. “Threats are more diverse, interconnected, and viral than at any time in history,” his report stated. “Destruction can be invisible, latent, and progressive.”
China-based hackers have long been accused of cyber intrusions, and earlier this year the cyber-security firm Mandiant released a report with new details allegedly linking a secret Chinese military unit to years of cyber-attacks against U.S. companies. This year, The New York Times, The Wall Street Journal and The Washington Post all reported breaches in their computer systems and said they suspected Chinese hackers. China denies carrying out cyber-attacks.
On Tuesday, hackers compromised Associated Press Twitter accounts and sent out a false tweet. AP quickly put out word that the report was false and that its accounts had been hacked. AP’s accounts were shut down until the problem was corrected.
Once viewed as an obscure and even nerdy pursuit, cyber is now seen as one of the hottest fields in warfare – “a great career field in the future,” said Ryan Zacher, a junior at the Air Force Academy outside Colorado Springs, Colo., who switched from aeronautical engineering to computer science.
Last year the US Naval Academy in Annapolis, Md., began requiring freshmen to take a semester on cyber-security, and it is adding a second required cyber course for juniors next year.
The school offered a major in cyber operations for the first time this year to the freshman class, and 33 midshipmen, or about 3 percent of the freshmen, signed up for it. Another 79 are majoring in computer engineering, information technology or computer science, bringing majors with a computer emphasis to about 10 percent of the class.
“There’s a great deal of interest, much more than we could possibly, initially, entertain,” said the academy’s superintendent, Vice Adm. Michael Miller.
Since 2004, the Air Force Academy has offered a degree in computer science-cyberwarfare – initially called computer science-information assurance – that requires cadets to take courses in cryptology, information warfare and network security in addition to standard computer science. The academy is retooling a freshman computing course so that more than half its content is about cyberspace, and is looking into adding another cyber course.
“All of these cadets know that they are going to be on the front lines defending the nation in cyber,” said Martin Carlisle, a computer science professor at the Air Force Academy and director of the school’s Center for Cyberspace Research.
About 25 Air Force cadets will graduate this year with the computer science-cyberwarfare degree, and many will go on to advanced studies and work in their service’s cyber headquarters or for US Cyber Command at Fort Meade, Md., the Defense Department command responsible for defensive and offensive cyberwarfare.

Yahoo! Blind SQL Injection could lead to data leakage

It seems that 2013 is the "Data Leakage Year"!many customers 

information and confidential data has been published on the 

internet coming from government institutions, famous vendors, and

 companies too.

Ebrahim Hegazy(@Zigoo0) an Egyptian information security advisor

 who found a high severity vulnerability in "Avira license daemon" 

days ago, is on the news again, but this time for finding and reporting

 Blind SQL Injection vulnerability in one of Yahoo! E-marketing applications.

SQL Injection vulnerabilities is ranked as Critical vulnerabilities, because

 if used by Hackers it will cause a database breach which will lead to 

confidential information leakage.

A time based blind SQL Injection web vulnerability is detected in

 the official Yahoo! TW YSM Marketing Application Service.The vulnerability 

allows remote attackers to inject own sql commands to breach the database

 of that vulnerable application and get access to the users data.

The SQL Injection vulnerability is located in the index.php file 

of the so easy module when processing to request manipulated said

 parameters. By manipulation of the said parameter the attackers can inject own

 sql commands to compromise the webserver application dbms.

The vulnerability can be exploited by remote attackers without

 privileged application user account and without required user interaction.

 Successful exploitation of the sql injection vulnerability results in 

application and application service dbms compromise.

But Ebrahim is a white hat hacker, so he reported the vulnerability to 

the Yahoo! security team with recommendations on how to patch the vulnerability. 

Title:
======
Yahoo! TW YSM MKT - Blind SQL Injection Vulnerability


Common Vulnerability Scoring System:
====================================
7.1

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=892

Introduction:
=============
Yahoo! Inc. is an American multinational internet corporation 

headquartered in Sunnyvale, California. It is widely 
known for its web portal, search engine Yahoo! Search, and

 related services, including Yahoo! Directory, Yahoo! Mail, 
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising,

 online mapping, video sharing, fantasy sports 
and its social media website. It is one of the most popular sites in the

 United States.

 According to news sources, 
roughly 700 million people visit Yahoo! websites every month. Yahoo! 

itself claims it attracts `more than half a 
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )

Report-Timeline:
================
2013-02-24: Researcher Notification & Coordination
2013-02-25: Vendor Notification
2013-03-01: Vendor Response/Feedback
2013-04-01: Vendor Fix/Patch by check
2013-04-03: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A time based blind SQL Injection web vulnerability is 

detected in the official Yahoo!

 TW YSM Marketing Application Service.
The vulnerability allows remote attackers to inject 

own sql commands to compromise the affected application dbms. 

The SQL Injection vulnerability is located in the index.php file

 of the so easy module when processing to request manipulated 
scId parameters. By manipulation of the said

 parameter the attackers can inject own sql commands

 to compromise the webserver 
application dbms.

The vulnerability can be exploited by remote attackers 

without privileged application user account and without required 
user interaction. Successful exploitation of the sql 

injection vulnerability results in application and application 
service dbms compromise.

Vulnerable Service(s):
    [+] Yahoo! Inc - TW YSM Marketing

Vulnerable Module(s):
    [+] soeasy

Vulnerable Module(s):
    [+] index.php

Vulnerable Parameter(s):
    [+] scId


Proof of Concept:
=================
The time-based sql injection web vulnerability 

can be exploited by remote attackers without privileged 

application user account and without 
required user interaction. For demonstration or reproduce ...

Vulnerable Service Domain:  tw.ysm.emarketing.yahoo.com
Vulnerable Module:   soeasy
Vulnerable File:   index.php
Vulnerable Parameters:   ?p=2&scId=

POC:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;

 select SLEEP(5)--

Payload:
1; union select SLEEP(5)--


Request:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;%20select%20SLEEP

(5)--

GET /soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1
Host: tw.ysm.emarketing.yahoo.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0)

 Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: is_c=1; device=pc; showNews=Y;

 B=9tgpb118xilu04&b=3&s=mu; AO=o=1&s=1&dnt=1;

 tw_ysm_soeasy=d%3D351d9185185129780476f856.
17880929%26s%3DxLxK2mb96diFbErWUyv_jGQ--;

 __utma=266114698.145757337399.1361672202.1361672202.1361672202.1;

 __utmb=2663114698.
1.10.1361672202; __utmc=2636114698;

 __utmz=266114698.13616732202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
DNT: 1
Connection: keep-alive

HTTP/1.0 200 OK
Date: Sun, 24 Feb 2013 02:16:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml",

 CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi 
SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV

 INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-store, no-cache, must-revalidate

, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip


Note:
Since it'a time based blind so the page will

 not give an output as a result in the reply,

 but it will SLEEP/DELAY for 5 seconds before it load.


Solution:
=========
The vulnerability can be patched by a restriction 

and secure parse of the said parameter request.


Risk:
=====
The security risk of the time based

 blind sql injection web vulnerability is estimated as critical.


Credits:
========
Ebrahim Hegazy(@Zigoo0) 

Thanks for Vulnerability-laboratory Team

How phishing attack can destroy US stock market

Somebody’s prank turned into a nightmare for the world, as the word spread about the  a series of explosions taking place at the White House and rendering the U.S. President Barack Obama, injured. The news released by the international news agency Associated Press, that caused a virtual plunge in the stock market within three minutes, apart from panicking the world, was later found to be false and sent from the hacked twitter account of the agency.
Considered to be the high-profile hacking in the recent times, the hackers took control of the Associated Press Twitter account and tweeted “Breaking: Two Explosions in the White House and Barack Obama is injured.”
Apart from @AP being hacked, the hackers also targeted @AP_Mobile, another account operated by the news agency and tweeted from the account: “Syrian Electronic Army was here. A group calling itself the Syrian Electronic Army, which is supportive of that country’s leader, President Bashar al-Assad, in its two-year civil war, claimed responsibility on its own Twitter feed for the AP hack. The group has in the past taken credit for similar invasions into Twitter accounts of National Public Radio, BBC, CBS’ “60 Minutes” program and Reuters News.
Following the incident that once again exposed the vulnerability of the social networking sites, as the news spread like wild fire, AP spokesman Paul Colford quickly confirmed the tweet was “bogus,” and White House spokesman Jay Carney told reporters that Obama was fine.
Immediately after the incident Twitter suspended the account of the news agency @AP and @AP_Mobile, even as it put out word through other accounts, including that of its correspondents, that it was the victim of an egregious hacking episode.
Though it was not clear how hackers got the control of AP’s Twitter account, but there is possibility of the hackers managing it by mistaking a AP employee. Confirming this Mike Baker, an AP reporter, in his tweet said that the employees of the company had received a phishing email. He tweeted: “The @AP hack came less than an hour after some of us received an impressively disguised phishing email.
Phishing emails are disguised as genuine notification from a reputed company like Twitter and seek account information. Cyber criminals often use phishing emails to fool web users.
Even as the false piece of the news of the explosions was immediately denied by other journalists present inside the White House at the time of incident, the damage has already been done.
E McMorris-Santoro, Buzzfeed’s White House reporter, tweeted: “from here in the WH basement, this acct (AP) seems hacked.”
Michael Skolnik, editor of GlobalGrind, said that the AP tweet was an obvious fake as it was made from a web browser while the news agency always uses a tool called SocialFlow to push news through its Twitter account.
The biggest setback of the false news piece was borne by the stock markets that plunged just as the report came out, resulting in the Dow Jones Industrial Average losing 130 points, or 0.9 percent, and the S&P 500 dropping 12 points, or 0.8 percent.
Meanwhile the FBI has already started a probe into the incident along with the US Securities and Exchange Commission. SEC Commissioner Daniel Gallagher said:”I can’t tell you exactly what the facts are at this point or what we are looking for, but for sure we want to understand major swings like that, however short it was.
Commenting upon the Twitter Security issues, Stewart Baker, a cyber security lawyer at Steptoe & Johnson in Washington, said: “At a time when cyber security and hacking have become top national security concerns, Twitter and its reach to hundreds of millions of users is coming under growing scrutiny for the risk of privacy breaches on the site. there was plenty of blame to spread around regarding Tuesday’s incident. AP should have had better passwords, Twitter should have gone to at least optional two-factor authentication months ago, and guys on the Street really should be thinking twice before they trade on Twitter reports. That’s risky.
This is not the first time false claims have been made from a hacked Twitter account. In February, Twitter account of Burger King was hacked. It then tweeted that the company has been acquired by McDonald’s.

Source: Northern Voices Online (NVOnews)

Samsung to Block Access to App Store in Iran

Iranian users of Samsung mobile applications said Thursday that the company had notified them that they will no longer have access to the company's online store as of May 22.
The move is seen as part of international sanctions on the country over its disputed nuclear program. The West has imposed banking and insurance sanctions on Iran since it suspects Iran is pursuing nuclear weapons, a charge Tehran denies.
At a Tehran shopping mall, owners of mobile phones and tablets said Thursday that they had received the message via email from the company late the night before. Retailers said they had no power over the decision.
"We have heard about it, but we are only responsible for hardware here, not software and apps," shopkeeper Bijan Ashtiani said.

In the message, Samsung said that it cannot provide access to the store, known as Samsung Apps, in Iran because of "legal barriers." It apologized to customers in emailed statement seen by the Associated Press on Thursday.
Samsung's offices in Tehran could not be immediately reached for comment due to the weekend there, and its headquarters in South Korea did not immediately respond to a request.
The decision quickly provoked ire on social media.
"Samsung is to stop its apps in Iran, oh how we appreciate our officials," wrote Bahareh, a Twitter user blaming Tehran's policy. Another, named Armin, pointed at the technology giant itself, saying: "Now, Samsung's sanctions honor us as well!"
Samsung spokesman Chris Jung in Seoul said the company is still looking into the matter and could not confirm any details.
Unlike Apple, Microsoft and Adobe, Samsung has provided localized services to Iranians in their native Persian language. In 2012, Finnish communications giant Nokia stopped its services in the country.

US banking Sector too Vulnerable to Hackers

US authorities charged with overseeing the financial sector are worried about its vulnerability to cyberattacks, they said in a report published Thursday.

"Security threats in cyberspace are not bound by national borders and can range widely from low to high security risks," wrote the Financial Stability Oversight Council in its 2013 annual report.

The council is worried, in particular, about the increasing skill of hackers attacking the US financial system.

Making reference to a series of cyber attacks that targeted several of the biggest US banks toward the end of 2012, the FSOC noted "the knowledge and skill of the attackers appeared to increase over time."

In an attempt to protect the financial system against these attacks, the FSOC proposed "enhancing cross-sector cooperation, particularly with industries upon which the financial sector is dependent, such as energy, power, and telecommunications."

"Public-private partnership improvements in the analysis and dissemination of robust information to improve real-time responses to cyberattacks will enhance incident management, mitigation, and recovery efforts," the report added.

Source: http://www.globalpost.com

Blogger Ladun Liadi’s website hacked, later restored

Latest Hack attack  second in this month: All over the media:
Can cyber hacking be the new trend? Just a week after NET Newspaper's website thenetng.com got compromised, a Lagos based entertainment blog Ladunliadi.blogspot.com also fell to the hands of hackers, temporarily....Report says the site now reads ‘This website has hacked by TheArchAngels.’ First, it was The NET NG, now Ladun… "These hackers sha!!! 

Interesting that hack attacks are now frequent in the media, maybe is time to sit up and implement security. As a Security Analyst and Forensics Investigator, These questions are on my mind:

How come ?
How did it happen?
Why her?

As a security analyst, the hack attack could be as a result of these issues:
1. Might be as a result of a weak password, guessable password
2. Or she access the blogger in an unsafe Network or compromised PC, once a network is compromise all your key logs and screen shot will be sent to the attacker
3. Or some links are sent to her via her gmail acount and she did visit where the login credential are asked.(Phishing)
4. Or maybe tryed to follow some link to her traffic sometime bloggers get high amount of traffic from some malicious sources you endanger your blog by visiting via the blogger.


My little advice to other bloggers out there is to try to be security cautious.
Am an hacker and ethical one, but hacking dont succeed except there is a loop hole. How to prevent these loop holes:

1. 1. Have a good antivirus software, is like we are a custom to the free antivirus which wont give us protection against internet threats, there are some good ones which are: Norton , Kaspersky, Avast , McAfee. etc
2. Sorry to say this but accessing your email from a free wireless without a key might endanger your info cause someone may monitor what happens within the network
3. Also becareful of using cyber cafe, wont say you shouldnt browse from there, preferably go with your own device if there is none then while browsing use private browsing so all your history wont be logged and remember to sign out after use. If you dont, anyone can access your blogger by just typing google.com on the browser and going to your blogger and gbam already in there... this time no need to guess password cause your session is still on.
4. You dont have to visit the traffic source all the time, sometime they are BOTNETS... some machines send request to your blog which seems you have several visitors. 

Thanks to google retreiveing a blogger is quiet easy if the password recovery details have not been changed. 

Cyberinfocts Ethical Hackers Forum May 11 2013

Event Details

The Hackers Forum is a unique event, where the best of minds in the hacking world, cyber community along with policy makers meet to join their efforts to co-operate in addressing the most topical issues of the Internet Security space.
The next forum will be held in Lagos, on the 11th of May 2013, to share knowledge and leading-edge ideas about information security ad everything related to it.

Topics:

• Introduction to Hacking  Foot Printing by Chidi Obumneme

• Physical security and Operating System Password hacking by  Engr Adesoji Adeyemo TopWaves Technologies

• IP Surveillance Camera by Azeez Taiwo Perfect Touch Consulting Limited

• DIgital media marketting by Eugene Celestine King Elite Media

• Batch Programming and Virus Programming by Adebayo Mofehintoluwa  Appin Technologies

Refreshments

Who can attend?
Hackers
Government Agencies
IT companies and Security Professionals
Programmers
System Admins
Database Admins
Network Admins
Website Admins
 

Date: 11/05/2013
Saturday 11th May 2013
Time 10:00 am - 1:00 pm
Fees: N 500
Venue: 1st Floor Buffallo Plaza No 2 Allen Avenue Ikeja Lagos
Land mark Sweet Sensation Allen
for further details please contact : cyberinfocts@yahoo.co.uk
or call 07037288651 or visit : http://cyberinfocts.blogspot.com

For sit reservation please visit  http://cyberinfoctsh4ck3r.eventbrite.com

Malware Callbacks

FireEye monitored more than 12 million malware communications seeking instructions—or callbacks—across hundreds of thousands of infected enterprise hosts, capturing details of advanced attacks as well as more generic varieties during the course of 2012. Callback activity reveals a great deal about an attacker’s intentions, interests and geographic location. Cyber attacks are a widespread global activity. We’ve built interactive maps that highlight the presence of malware globally: 

Key findings:

1. Malware has become a multinational activity. Over the past year, callbacks were sent to command and control (CnC) servers in 184 countries—a 42 percent increase when compared to 130 countries in 2010.
2. Two key regions stand out as hotspots driving advanced cyber attacks: Asia and Eastern Europe. Looking at the average callbacks per company by country, the Asian nations of China, South Korea, India, Japan, and Hong Kong accounted for 24 percent. Not far behind, the Eastern European countries of Russia, Poland, Romania, Ukraine, Kazhakstan, and Latvia comprised 22 percent. (North America represented 44 percent but this is due to CnC servers residing in the United States to help attackers with evasion.)
3. The majority of Advanced Persistent Threat (APT) callback activities are associated with APT tools that are made in China or that originated from Chinese hacker groups. By mapping the DNA of known APT malware families against callbacks, FireEye Malware Intelligence Lab discovered that the majority of APT callback activities—89 percent—are associated with APT tools that are made in China or that originated from Chinese hacker groups. The main tool is Gh0st RAT.
4. Attackers are increasingly sending initial callbacks to servers within the same nation in which the target resides. To improve evasion, hackers are increasingly placing CnC servers within target nations. At the same time, this fact gives a strong indicator of which countries are most interesting to attackers.
5. Technology organizations are experiencing the highest rate of APT callback activity. With a high volume of intellectual property, technology firms are natural targets for attackers and are experiencing heavy APT malware activity.
6. For APT attacks, CnC servers were hosted in the United States 66 percent of the time, a strong indicator that the U.S. is still the top target country for attacks. As previously mentioned, attackers increasingly put CnC servers in the target country to help avoid detection. With such a high proportion of CnC servers, by a wide margin, the U.S. is subject to the highest rate of malware attacks. This is likely, due to a very high concentration of intellectual property and digitized data that resides in the U.S.
7. Techniques for disguising callback communications are evolving. To evade detection, CnC servers are leveraging social networking sites like Facebook and Twitter for communicating with infected machines. Also, to mask exfiltrated content, attackers embed information inside common files, such as JPGs, to give network scanning tools the impression of normal traffic.
8. Attack patterns vary substantially globally:
   1. South Korean firms experience the highest level of callback communications per organization. Due to a robust internet infrastructure, South Korea has emerged as a fertile location for cybercriminals to host their CnC infrastructure. For example, FireEye found that callbacks from technology firms are most likely to go to South Korea.
   2. In Japan, 87 percent of callbacks originated and stayed in country. This may give an indication of the high value of Japanese intellectual property.
   3. In Canada, 99 percent of callbacks exited the country. In the U.K., exit rates were 90 percent. High exit rates indicate attackers are unconcerned about detection. In Canada and the U.K., attackers appear to be unconcerned about detection and pursue low-hanging fruit opportunistically.
   Source: Fire Eye
   

New Targeted Attack On Taiwanese Government & Tibetan Activists Open Up a Can Of Worms – GrayPigeon, Hangame & Shiqiang gang

We observed new targeted attacks targeting various personnel with pro-Tibetan views.  The targets? We’ve seen targets at various branches of the Taiwanese government as well as a professor at the Central University Of Tibetan Studies in India.
Taiwan is a logical target since they have a history of accepting Tibetan refugees. Also, the other target is a professor at the Central University Of Tibetan Studies in India—a institution founded by the first Prime Minister of India with the Dalai Lama himself. It was established in 1967 to educate exiled Tibetans and to preserve Tibetan culture and history.
The attackers, called the “Shiqiang gang“[1], show a consistent modus operandi. They use similar remote administration tool (RAT) payloads, stolen certificates, and seem to target anyone pro-Tibetan. The RAT payload in this attack in called “GrayPigeon,” also known as ”Huigezi” in Chinese[2]. It is very popular in the Chinese webspace which indicates that the attackers speak the language. The RAT payload has multiple layers of encryption making it harder to identify.

Attack Vector:
The threat arrives in the form of a targeted email with an XLS attachment. The content  of the emails are as shown below in Figure 1 and Figure 2. The email attempts to draw on the sentiments of the Taiwanese government and activists towards the exiled members of the Tibetan government.

Figure 1

Figure 2

The content of both the emails are similar and roughly translate to:

To friends who care about the Tibetan government-in-exile Now we publish this for you <<Tibetan government-in-exile offices in the Americas 2013 for the second half the year with detail list requesting for comments>> Do not distribute this letter and this is only for friends who care about this Also hope that you can actively participate in our activities in the second half of the year                    Office of the Tibetan government-in-exile in the Americas                     Chinese chief liaison officer Gongga Tashi kungatashi

Technical Analysis: How the Attack Works
The attached file in both emails is the same (2010790755b4aca0edc3c50ee8480c0b) When opened, the XLS file exploits CVE-2012-0158 and launches a decoy document as shown in Figure 3. The decoy document contains a ruse as usual and this time it states that Tibetan fonts are missing. In the background, it drops a series of files eventually leading to the launch and execution of 2013soft.dll. This in turn injects a RAT payload in to explorer.exe.

Figure 3

Analysis of Payload:
The main functionality lies within 2013soft.dll (28426ddc3c49635c11a2ee72118e9814) and the subsequent DLL it decrypts and injects in to explorer.exe (05eda4aaa49b2409f52cf2356f4a91db).
On inspection of 2013soft.dll, it is evident that this payload contains a rather large resource section. The MAIN stub in resource section holds large amount of data however it appears to be encrypted.

Figure 4

On dynamic analysis of the payload, it becomes clear that the Main stub eventually decrypts to the final DLL payload. The stub is loaded into memory and decrypted using the loop shown in Figure 5. It operates on 8 bytes of data at a time and uses the 16 bytes key “1234567890ABCDEF”. This, in addition to that fact that it uses the constant value 0x9E3779B9, gives away the algorithm as TEA (Tiny encryption algorithm). The TEA algorithm uses this value as the Delta constant.

Figure 5

It then jumps to the decrypted stub after setting the memory region it resides in as executable. The start of this decrypted MAIN stub contains an XOR decryption loop shown in Figure 6. This decryption loop decrypts the remainder of the stub. Notice how the XOR key “0x27691C” is only 3 bytes in length but the EAX pointer is incremented by 4. This means the first byte in every 4 bytes (little endian) is not subjected to XOR.

Figure 6

You would think we have the payload after two levels of decryption but not in this case. It jumps to another shellcode, which performs a rolling byte XOR decryption using a 4 byte key on the latter part of the stub.

Figure 7

Now we are getting somewhere as we can see an MZ file header interspersed with other characters past the “MinxxxA” marker as shown in Figure 8. This data is then subjected to what appears to be a custom decompression algorithm, following which it is injected into a new instance of explorer.exe

Figure 8

The injected DLL payload is a variant of the RAT called “GrayPigeon“[2] also known as “Huigezi” which is popular in the Chinese web space. It is written in Delphi and contains comprehensive functionality. The RAT uses various Pascal modules [3] such as “TscreenCaptureUnit.pas” and “UnitServices.pas” also widely seen on Chinese forums and associated with this RAT.
It creates a mutex “\BaseNamedObjects\windows!@#$” and sets up startup persistence by adding a registry key “\Software\ts\Explorer\run\2013Soft\run = rundll32.exe C:\WINDOWS\2013soft.dll,Player”. In this case the RAT was observed key logging and storing the data under C:\WINDOWS\2013soft.log along with the corresponding Window names.
It then uses the same TEA (Tiny Encryption algorithm) described earlier to decrypt the address of the command and control server “help.2012hi.hk”. It reuses the key “1234567890ABCDEF” for TEA decryption. It makes a DNS query specifically to Google’s DNS server 8.8.8.8 and it attempts to connect to the resolved server on port 91.

Figure 9

We observed the following outbound communication on port 91.

Figure 10

This GrayPigeon RAT instance we analyzed had extensive functionality and a summary of the features is listed below:

• Determine Host name and OS version
• Ability to log keystrokes and mouse events
• Ability to capture users screen
• Ability to use Telnet protocol
• Ability to send and receive files
• Sniff URL addresses from Internet Explorer and read form values
• Get list of active services
• Ability to shutdown/restart etc.

Connection to Shiqiang Gang:
We mined for other samples talking to the same C&C infrastructure and we found two with the md5sums 4e454584403d5521abea98d21ee26f72 and 7de5485b7dd154a9bbd85e7d5fcdbdec which drop Hangame RAT and GrayPigeon RAT respectively. The RAT payloads in these instances also phone home to help.2012hi.hk. This C&C domain was also referenced in a white paper published by Symantec as part of the overall campaign coined the Elderwood project [4]. The campaign in the current instance and related samples are more in line with Tibetan themed attacks on NGOs and Taiwanese officials. The campaign also heavily uses stolen certificates. These have been attributed with the Shiqiang gang as discussed by Snorre Fagerland from Norman[1] and also discussed by Trend [5] and AlienVault [6].

Figure 11

The decoy document associated with 7de5485b7dd154a9bbd85e7d5fcdbdec also has a Taiwanese target as evident from the contents of the document.

Figure 12

Also, both these two variants interestingly have digital certificates in the payload [1]. The certificate for 4e454584403d5521abea98d21ee26f72 is a stolen certificate that has already been revoked.

Certificate:     Data:         Version: 3 (0×2)         Serial Number:             38:93:f1:3d:d3:9f:e0:88:fd:f5:4e:e0:08:ae:38:e1         Signature Algorithm: sha1WithRSAEncryption         Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA         Validity             Not Before: Dec  8 00:00:00 2011 GMT             Not After : Dec  7 23:59:59 2012 GMT         Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Xuri Weiye Technology Co., Ltd., OU=Digital ID Class 3 – Microsoft Software Validation v2, CN=Shenzhen Xuri Weiye Technology Co., Ltd.

The certificate for 7de5485b7dd154a9bbd85e7d5fcdbdec appears to be modified manually and is invalid.

Certificate:     Data:         Version: 3 (0×2)         Serial Number:             02:fe:4b:0a:55:23:56:65         Signature Algorithm: sha1WithRSAEncryption         Issuer: C=CN, ST=Beijing, L=Beijing, O=CA365, CN=CA365 Free Root Certificate         Validity             Not Before: Oct 23 10:47:29 2010 GMT             Not After : Oct 23 10:47:29 2011 GMT         Subject: C=CN, ST=shanghai, L=shanghai, O=International Test User, OU=Market, CN=International Test User

 Hashes of Analyzed Samples:

• 2010790755b4aca0edc3c50ee8480c0b
• e0dfe50c38ac7427ba4f3fcf4a35da74
• f17bbcef66f82552a23fdd494bb20d81
• 28426ddc3c49635c11a2ee72118e9814
• 05eda4aaa49b2409f52cf2356f4a91db
• 4e454584403d5521abea98d21ee26f72
• 7de5485b7dd154a9bbd85e7d5fcdbdec

Chinese Hackers Take Aim at American Drones

China has its own fairly sophisticated drone program, but that has not prevented the country from being unduly curious about how other countries manage theirs. A sophisticated hacking initiative called Operation Beebus has set its sights on drone programs in both the United States and India, and experts believe that the culprits behind the hacking effort are the notorious Comment Crew — hackers who operate as part of the Chinese military.
The information comes by way of FireEye Labs, a high-profile tech security firm. Since December 2011, hackers have attempted to slip malicious DOC and PDF files into important aerospace, defense and communications machines.
Operation Beebus utilizes the exact same methodology as the Comment Crew: It creates bogus text documents and seeds them with very subtle malware. Later, the Crew can extract sensitive information from a protected system via a backdoor. Although the malware compromises the computers, it does nothing to harm them: Operation Beebus wants information, and likely won't risk damaging its prize.
The backdoor pretends to be software from Google or Microsoft, which renders it hard to detect, especially since it does not harm users' computers in any way. Once in place, the backdoor allows alien IP addresses access to private files.

If the Comment Crew is indeed responsible, it's hard to say what the group's ultimate goal is. The organization has been fairly broad in choosing targets. It has attempted to hack into vital systems in companies that produce drones, as well as academic institutes with military funding that research the devices.
The Comment Crew is also interested in more than just drones. In 2012, it targeted North American and Spanish energy companies to learn about their automation processes. The group has also hacked the New York Times database to learn about sources for a damning exposé on the Chinese prime minister, and tried to shut down Tibetan activist websites. The Comment Crew typically seeks protected information, opting for outright harassment less frequently.
Most of the DOC and PDF files are unreadable nonsense, intended only to spread malware. However, one document provides a key misdirection: an analysis of a potential Pakistani drone program, purportedly penned by one Aditi Malhotra. Malhotra is a real person, and an expert not only on drone warfare, but also on the links between the Chinese and Pakistani militaries.

<p>Your browser does not support iframes.</p>

Whether Malhotra actually wrote the document is difficult to say, and it's highly unlikely that she would identify herself so brazenly if she were involved in the attacks. Furthermore, Malhotra is Indian: Indemnifying herself through an attempted hack on her own government would be counterproductive. Although the attacks are veiled in Pakistani garb, FireLabs asserts, responsibility still likely lies with China.
Everyday users don't have much to worry about from Operation Beebus, since it has only targeted major players in the drone industry. Even so, avoiding strange attachments is always sound advice. If you're a member of the DIY drone community, keep an eye out for emails from unfamiliar senders, as well.
Operation Beebus wants some very specific information and likely has nothing good planned for it. Hijacking drones may not be commonplace just yet, but that capability could raise some serious questions about widespread drone use.


Source Tech news Daily

Twitter Malware: Spreading More Than Just Ideas

News, blogs, opinions – Twitter is one of the most popular social networks for spreading ideas. It has revolutionized the way millions of people consume news. With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware.

Trusteer researcher Tanya Shafir has recently identified an active configuration of financial malware targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market.  However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry.   

The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim. 

Here is an excerpt from the injected Javascript code:
 

 

Here are some examples of the tweets posted by the malware from victim accounts. (Tweets containing explicit content were omitted from this blog post).
 

Original text (in Dutch): 

"Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris"

(English translation: "Our new King William will earn even more than Beatrix. Check his salary")

 

Original text (in Dutch):

"Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!"

(English translation: "Beyonce falls during the Super Bowl concert, very funny!!!!")

 

Original text (in Dutch): 

"topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken... zie"

(English translation: "CEO of [Dutch Bank] is off with our millions!! The minister is inspecting again... see". We have removed the Bank’s name from the original tweet)

 

The tweets include the following malicious links (all appear to be inactive at the moment):

hXXp://yix.be/b18e9

hXXp://yix.be/11efb

hXXp://ow.ly/hr6a6

hXXp://01.nl/rohvj9

 

Trusteer researchers found these texts in multiple Twitter posts indicating that this attack has been successful at ensnaring victims.

 

Protecting users and enterprise endpoints from this attack

This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguises the underlying URL address, so that followers have no way of knowing if the link is suspicious.
 

While Trusteer did not inspect the URLs involved, it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download).
 

This type of attack increases the need for enterprise exploit prevention technology: By blocking the exploitation of vulnerable endpoint user applications, like browsers, and preventing the malware download, exploit prevention technology stops the attack and prevents the malware from spreading and infecting more users. External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted. Such content should only be opened while monitoring the application state to ensure it is operating legitimately. Stateful Application Control should be used for analyzing what the application is doing (operation) and why it is doing it (state), to determine if an application action is legitimate or malicious

Securities regulators turn gaze to cyber-threat

Imagine you are a European futures trader sitting at your desk on a quiet trading day when your phone rings. At the other end of the line someone claims to be from the IT department and requires permission to access your PC remotely to urgently fix a bug. You oblige and pop to the coffee machine in the interim. When you return to your trading terminal a hugely oversized sell order has been sent to the exchange, which subsequently sparks a catastrophic selling frenzy, destabilising the market.

This may seem far-fetched, but it is just one of several possible scenarios that concern regulators as the threat of cyber-crime and terrorism intensifies. “This is not science fiction,” said Larry Ponemon, founder of information security think tank the Ponemon Institute. “A cyber-war is happening today.”

The rise of hostile cyber-activity has led to a series of high-profile incidents in recent years. During the past six weeks, for example, several US banks have suffered sustained attacks from hacktivist group Izz ad-Din al-Qassam Cyber Fighters that have taken their websites offline, according to reports. And last month a stand-off between a spam-filtering company – Spamhaus – and a group blacklisted by the firm reportedly slowed the entire European internet.

And this might be only a glimpse of what could come. The European Commission cites research by the World Economic Forum, which says there is a 10% chance that a cyber-related incident could result in a critical national infrastructure breakdown in the coming decade, costing an estimated $250bn.

Governments and regulators are rattled. In February, the European Commission, alarmed by the increasing “frequency, magnitude and complexity” of the cyber-threat, unveiled a new cyber-strategy and a proposed directive for national information security.

Currently, only Europe’s telecommunications industry is subject to direct regulation of information security controls, but the directive proposes to extend this regime to other economically critical institutions, including banks, stock exchanges and market infrastructure firms. The rules will require these institutions to report big online attacks to national authorities, disclose security breaches and implement basic standards.

Financial News has also learnt that the International Organization of Securities Commissions, the global body that represents the world’s major securities regulators, is also working in conjunction with the World Federation of Exchanges on research into cyber-attacks. This may form the basis of a Iosco report and potential cyber-security standards for market infrastructure firms.

The move to directly supervise cyber-security controls reflects a growing realisation among regulators that cyber-attacks present a form of systemic risk, according to one member of a research team at a regulatory institution.

He said: “This is a sensitive topic that has been in the back of regulators’ minds but it has largely been seen as an IT issue out of their control. It is clear, however, that the impact of a successful attack on a stock exchange or a service provider could be significant for the financial markets.”

Evolving threat

IT experts agree that the threat to securities markets is growing. Historically, hostile cyber-activity in the financial services sector has involved criminal gangs targeting retail bank platforms in a bid to steal customer funds. The growth of so-called hacktivism, state-sponsored cyber-espionage and cyber-terrorism, however, has resulted in more attacks on market infrastructure firms.

In 2011 the Hong Kong Exchanges and Clearing group was forced to suspend trading in certain stocks as a result of an attack on its website, and in February 2012 Bursa Malaysia, the Kuala Lumpur-based stock exchange, experienced a similar assault.

These attacks have typically targeted firms’ web-facing services and applications that are vulnerable to external assaults through direct hacks or so-called distributed denial of service (Ddos) onslaughts designed to overwhelm a website with extreme levels of web traffic.

Michael Cooper, chief technology officer at BT Radianz Services, a provider of trading infrastructure, said: “All sorts of market participants are susceptible. In particular, the increase in the number of instances of distributed denial of service attacks is self-evidently a concern.”

He added: “All trading infrastructures are being probed all day long.”

Although attacks on exchanges’ web-facing services have proved disruptive for the firms concerned, IT experts have long believed that they could not result in widespread disruption to the markets because trading networks are private, resilient and isolated from the internet.

But the growing sophistication of socially engineered attacks, which are designed to target specific individuals within a firm, has led security experts to question this assumption.

Ponemon said: “Closed telecommunications systems are in fact vulnerable. More recently we have seen attacks become more stealthy, and getting into the transactional layer.”

Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corporation, the US post-trade giant, said people are the biggest challenge. “Someone surfing the internet could serve as a bridgeable channel between the outside world and a closed network. As a result, companies are having to create greater isolation between those two areas.”

One individual at a regulatory body said it was “a matter of if, not when” a socially engineered attack resulted in a significant trading disruption.

Information sharing

According to the European Commission, Europe’s thus-far fragmented approach to cyber-security has hindered co-operation between all but a handful of member states. It hopes that the proposed rules, which have yet to enter negotiations, will promote information sharing on the nature of the threat, allowing firms to better defend against it.

The DTTC’s Clancy said: “Europe has a particular challenge with respect to cyber-security due to its composition of several member states. It is drafting a strategy similar to that of the US, but there is a need for greater co-ordination in the EU. The region has a big challenge around privacy and civil liberty concerns with respect to sharing information regarding cyber-attacks. It needs to come up with a way to share information that doesn’t raise concerns on a privacy front.”

Udo Helmbrecht, executive director of the European Network and Information Security Agency, Europe’s cyber-security body, which is expected to play a greater role under the new regulatory regime, said another challenge for legislators as they come to negotiate the final text would be in setting the reporting threshold.

He said: “One of the questions is to whom should companies report breaches, how often and to what extent. This has to be defined and quickly.”

Mark Waghorne, senior manager in KPMG risk consulting, warned against creating a new compliance burden for the financial sector, which has traditionally proved extremely skilled in dealing with cyber-threats.

He said: “Banks and other financial services organisations are extremely good at working co-operatively on cyber-security issues. I think the Commission proposal is well intentioned but it may produce a compliance burden, which could actually deflect resources away from existing defences. Firms might be compliant, but not, in fact, secure.”‰

•Empowering Enisa

The European Network and Information Security Agency was first established in 2004 as Europe’s cyber-security agency, acting as a centre for cyber-security expertise and information-sharing. The Crete-based agency has long-suffered from a lack of financial and political support among member states, and possesses no enforcement powers. But its fortunes are changing.

Amid the rising tide of cyber-attacks, UK Conservative MEP Giles Chichester, who sits on the Industry, Research and Energy Committee in the European Parliament, has led a campaign to beef up the agency.

Last week, the European Parliament voted to extend Enisa’s mandate by a further seven years and expand its responsibilities, in what European Commission vice-president Neelie Kroes described in a statement last week as a “new start” for the agency.

Enisa is also set to play a key role in establishing network and information security standards under the European Union’s recently proposed EU cyber-security strategy and network information security directive.

Udo Helmbrecht, executive director of Enisa, said: “During the past five years, we’ve seen increasing political awareness regarding cyber-security. When we came into force in 2004, some member states were reluctant. We’re now in good shape. We’ve received great support from Giles, but we’re not dependent on party politics.”

Source:http://www.efinancialnews.com