Thursday, 1 August 2013

Black Hat: Intercepting Calls and Cloning Phones With Femtocells

The sign at the door is pretty ominous with its simple warning: "Cellular Interception Demonstration In Progress."
"While in this room, CDMA cell phone users may experience cellular interception, modification, or loss of service, including loss of 911 service. By entering this room, you acknowledge and consent to that interception, modification, or loss of service. If you use a CDMA device while in this room, you may only communicate with parties who have consented to interception and modification of communications. If you wish to avoid interception or modification of your CDMA communications, please turn off your CDMA devices while in this room."
The sign was over the doorway to the room where researchers from iSec Partners demonstrated how they exploited a vulnerability in the way mobile devices connected to a femtocell, a miniature cell tower, to eavesdrop on people's conversations and impersonate their phones. If this sounds scary, it should. This is the Black Hat conference at Las Vegas, and researchers take pride in showing how practically any form of technology can be hacked.
Femtocells are network devices that people can get from their carrier to boost their cellular signal. For example, your office building or your house may have really poor cell reception. You can request a femtocell from the carrier and plug it into your local network. The femtocell communicates with the carrier's internal network over a secure tunnel to become part of the cellular network. Mobile devices connect to the femtocell and function as if they were connecting to one of the cellular towers. Most users won't even notice the difference.
This is an automatic process, as phones connect to the tower with the strongest signal. That can be the cell tower, or it can be the femtocell, Doug DePerry, senior security engineer at iSec Partners, said in his presentation. "This is not like joining an open WiFi network. There is no user interaction," he said, before adding, "You might be on ours right now."
What Can Happen
Researchers were able to eavesdrop on and record all voice calls, intercept incoming SMS and MMS messages, launch a man-in-the-middle attack to view websites being accessed, and strip SSL from secure pages, Tom Ritter, principal security engineer at iSec Partners, said. They were also able to clone mobile devices without having physical access to the device. The rogue femtocell could intercept cellular signals from as far as 40 feet away, depending on certain environmental factors, Ritter said.
Ritter and DePerry demonstrated how a phone call to DePerry's phone was recorded, and displayed a phone's incoming text messages on a computer screen. They also intercepted MMS messages, a list of websites being accessed from a mobile device, and any information entered on those websites (including passwords).
"Eavesdropping was cool and everything, but impersonation is even cooler," DePerry said, noting that femtocells are essentially mini towers. With a rogue femtocell, an attacker can become the person holding the targeted mobile device without ever touching the phone, he said. If someone called the victim's phone, the attacker's cloned phone would also ring, letting the attacker listen in on what he called a "2.5-way" call.
Without a femtocell, an attacker interested in cloning a mobile device could "wait for the victim to go to the bathroom and write down the identifiers associated with the phone," DePerry said. It's much easier, and harder to get caught, if you just set up the femtocell and wait for mobile devices to register automatically with the tower. All the necessary identifiers are transmitted during the registration process, so attackers can easily get the information to create a cloned phone without ever touching the victim's device, DePerry said.
This hack targeted a Verizon femtocell, which is on a CDMA network. Verizon has patched the issue, although both Ritter and DePerry declined to discuss the patch's effectiveness. A similar vulnerability was found in a femtocell from Sprint, as it was made by the same manufacturer. However, it is naïve to think the problem is specific to a manufacturer or to a particular carrier.
"Femtocells are a bad idea," Ritter said, noting that Verizon, Sprint, and AT&T all offer femtocells.
While the immediate danger has been addressed, iSec Partners has "serious architectural concerns about femtocells," DePerry said. The better option is for carriers to stop using femtocells altogether and look into Wi-Fi calling secured with IPsec or SSL tunnels. Until the carriers take steps to secure the calls, users can encrypt their calls themselves, using tools such as RedPhone or Ostel, Ritter said.
The researchers announced the "femtocatch" tool, which will detect femtocells and automatically put the device into "airplane mode" instead of connecting, Ritter said. The tool will be available "soon," once some kinks have been worked out, he said.

Black Hat: Adobe security chief preaches virtues of education


Las Vegas: Adobe chief security officer Brad Arkin is preaching a unique brand of education which he says has helped to make his company's products more secure and given employees valuable professional skills.
Arkin, who joined the company in 2008, has overseen a transition at Adobe that saw the company move from offering its products as boxed discs and digital downloads to hosted cloud services.
“It has been a big thing for us, when you are putting software in a box, it is really just the code and you don't have any control over the environment they are putting that code on top of,” he told V3.
“When we are writing code for our servers, we control in theory every aspect of it.”
With the transition from shipping products to hosting them on servers, the company has had to focus on new areas such as managing and securing servers, protecting infrastructure and preventing attacks on company systems.
To help guard the cloud infrastructure and improve the security of Adobe products, Arkin instituted a unique system based on a martial arts structure of 'belt' ranks. By reading security materials and online seminar material developed by security staff, employees earn a “white belt” ranking, a basic competency which can be obtained over a few days.
Further on, employees can spend more time studying materials and training over the course of several weeks to get a “green belt” certification, then a “brown belt” program designed to run six months and a top “black belt” certification obtainable over the course of a year or more.
The structure then plays a vital part in how development teams are assembled. Arkin and his team mandate that each project has a certain number of team members with green and white belt certifications, as well as brown belt and black belt developers overseeing security.
In addition to making products more secure, Arkin says Adobe employees are teaching themselves valuable professional skills.
“We went from getting not just the security geeks to do the training, but also the career-oriented people,” he explained.
“You go from a less-sexy project to one that is more exciting.”
The formula has proven so successful that Adobe has exported its security programme to other firms. The company has joined the SAFECode project, which is now offering Adobe's training materials to other firms for free.
Arkin hopes that the model will help other firms to implement best practices and improve the security of their products, particularly those which interact with Adobe's own platforms.
He is also calling on the experience of other firms to help Adobe in its transition from software vendor to cloud provider. Arkin said that as he has encountered various hurdles in the company's efforts to take its products online, Silicon Valley neighbours such as Salesforce.com and Netflix have been valuable sources of information.
“The good news is we are not the first company to encounter these problems,” he said.
“We talk with all these guys and we can cherry pick what works and put that in our environment.”

Black Hat: Multiple "Master Key" Vulnerabilities Afflict Android

It all started as a prank, explained Bluebox Security's Jeff Forristal. The Bluebox team wanted to create a hacked version of the FourSquare app that would make it seem like you're somewhere odd, like Antarctica. Alas, Google Maps rejected requests from the tweaked app. Pursuing ways around that problem led the team to the weakness they dubbed "Master Key". "This topic has already been covered," said Forristal. "It leaked. It's been out for a few weeks. But actually there's more than one master key, so this talk grew from one bug to four." Forristal explained that by disassembling, modifying, and reassembling the app, they had changed its developer signature. The new signature wasn't licensed to use Google Maps, so it was rejected. Their new quest: change the code without changing the signature.
Forristal walked through the detailed series of events that occur when Android verifies a signed app. Each layer verifies the previous one, starting with verifying that the code modules haven't been tampered with and ending with a digital signature of the package as a whole. He tried attacking the system at every stage, mostly without luck.
"The APK, JAR, and ZIP formats are basically the same," noted Forristal. "JAR and APK just have additional components." His final success involved leveraging the ZIP format. When he inserted an "evil" file with the same name as an existing valid file, the verifier signed off on the valid file, but the "evil" file got launched.
Why? Because Android uses different ZIP file management code in the verifier and in the actual installer. "A discrepancy of ZIP file parsing is the source of this error," explained Forristal. "In fact, there are eight separate ZIP file parsing implementations in the Android code base."
Out of the Sandbox
"I used this trick for good," said Forristal. "Now let's take it to awesome." Like iOS, Android runs each app in its own sandbox, so an app can't access resources belonging to another app. "The only way into the sandbox is to be signed by the same developer," he explained. "That's what makes updates possible."
"The system as a whole subscribes to the same notion," he continued. "The system sandbox enforces all the other sandboxes. It controls all your settings. It's not root, but it has all your data, apps, passwords, and settings—what's left? System is pretty powerful." Apps that access the system sandbox are typically signed by the platform maker. "I just needed to get a platform-signed app and do my little trick, and I should have system-level access. That's cooler than FourSquare maps," he concluded.
It turns out that third-party VPNs need to be platform-signed, and as a bonus they already request access to the system sandbox. Forristal displayed the three simple commands he used to insert his "evil" code into a third-party VPN, joking about "über hacking tools." The result? A Trojan with full system-level access.
Easy Exploitation
Master security technologist Saurik (Jay Freeman) took the concept to the next level, explained Forristal. His Cydia Impactor tool runs on OS X and Windows and automates the exploit. "Connect a device," said Forristal, "it figures out the right app, builds it, adds the appropriate hack to get root access, and delivers it. I was gonna release some cheesy little proof of concept apps, but this is awesome."
Forristal noted that the device's processor type doesn't matter. The attack isn't affected by ASLR (Address Space Layout Randomization) or DEP (Data Execution Prevention). He made one version that works on four generations of Android, and the only real skill needed is knowledge of Java. "I submitted this for Black Hat because it's easy to understand and exploit," said Forristal.
More Master Keys
Forristal ran down a number of other recently discovered bugs that could be considered "master keys." When going through the code for a feature called Authenticated Attributes, Bluebox researchers found a line commented out and marked "TODO." As a result of the missing code, no matter what changes you make, the file passes verification. Not many files use this feature, noted Forristal. "If you find one, you can copy and paste the certificate file and assume the identity of the developer. If you signed an app with Authenticated Attributes, you've given your identity away." As this bug was fixed before Bluebox reported it, they don't take credit.
The "Hidden Trojan" attack reported by a Chinese researcher turns out to be just one of several possible ways to exploit Android's multiple ZIP file parsers. These attacks take advantage of the fact that one parser uses signed integers and the other uses unsigned integers.
"It's not even about replacing one file," enthused Forristal. "You can use this trick to feed in a completely different ZIP file. One gets verified, the other runs. A couple tricks and tidbits in this space may show even more power to this approach."
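The two parser-disagreement findings above (the verifier and installer picking different copies of a duplicated entry name, and one parser reading a 16-bit length as signed while another reads it as unsigned) both come down to an archive that different ZIP readers interpret differently. The following is an added example, not Bluebox's, Google's or the Android platform's code: a strict central-directory audit that walks an APK-style archive once and refuses any archive on which two parsers could plausibly disagree, which is the kind of pre-verification check a packaging pipeline or app store can run. The sample archives are constructed in memory with Python's standard zipfile module; the entry names, payloads and the 0x8000-byte filename are assumptions made for the demonstration.

```python
# Added example (not Bluebox's, Google's or the Android platform's code):
# a strict central-directory audit that refuses any archive on which two
# ZIP parsers could plausibly disagree.
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
EOCD_FMT = "<4sHHHHIIH"           # end-of-central-directory record, 22 bytes
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # central-directory file header, 46 bytes


def audit_zip(data: bytes) -> dict:
    """Walk the central directory once and report two ambiguity classes.

    duplicates:        entry names that occur more than once (which copy a
                       consumer picks depends on its parser)
    ambiguous_lengths: 16-bit length fields with the high bit set, which a
                       signed-short parser reads as negative while an
                       unsigned-short parser reads them as >= 32768
    """
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total_entries, _cd_size, cd_offset, _ = struct.unpack(
        EOCD_FMT, data[eocd_at:eocd_at + 22])

    findings = {"duplicates": set(), "ambiguous_lengths": []}
    seen = set()
    pos = cd_offset
    for index in range(total_entries):
        rec = struct.unpack(CDIR_FMT, data[pos:pos + 46])
        if rec[0] != CDIR_SIG:
            raise ValueError(f"bad central-directory signature at offset {pos}")
        name_len, extra_len, comment_len = rec[10], rec[11], rec[12]
        for field, value in (("name_len", name_len),
                             ("extra_len", extra_len),
                             ("comment_len", comment_len)):
            if value & 0x8000:
                findings["ambiguous_lengths"].append((index, field, value))
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if name in seen:
            findings["duplicates"].add(name)
        seen.add(name)
        pos += 46 + name_len + extra_len + comment_len
    return findings


def is_safe_to_verify(data: bytes) -> bool:
    """True only when no finding exists, i.e. every parser sees the same archive."""
    f = audit_zip(data)
    return not f["duplicates"] and not f["ambiguous_lengths"]


def reader_view(data: bytes, name: str):
    """How one name-indexed reader (Python's zipfile) sees a duplicated name:
    the listing contains both entries, but a lookup by name returns only the
    last one written, which is exactly the listing-versus-lookup split the
    talk describes between verifier and installer."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        copies = sum(1 for info in zf.infolist() if info.filename == name)
        return copies, zf.read(name)


def build_archive(entries):
    """Constructed sample archives; zipfile warns on a duplicate name but writes both."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (assumed names and payloads, not taken from any real APK).
CLEAN = build_archive([("AndroidManifest.xml", b"<manifest/>"),
                       ("classes.dex", b"original")])
DUPLICATE_NAME = build_archive([("classes.dex", b"original"),
                                ("classes.dex", b"replacement")])
HIGH_BIT_NAME = build_archive([("a" * 0x8000, b"x")])  # name_len field == 0x8000

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("duplicate name", DUPLICATE_NAME),
                        ("high-bit length", HIGH_BIT_NAME)):
        print(label, audit_zip(blob), "safe" if is_safe_to_verify(blob) else "REJECT")
    print("name lookup on duplicate archive:", reader_view(DUPLICATE_NAME, "classes.dex"))
```

The audit deliberately rejects rather than "normalises": once an archive has two plausible readings, choosing one of them is what the verifier and installer each did, and that choice is the bug. Rejecting any length field at or above 0x8000 is conservative (legitimate archives can have such fields) but removes the signed/unsigned divergence entirely.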
Although malware using this technique has already been seen in the wild, it shouldn't be possible to get a Trojanized file like those described here into Google Play. You probably will be safe if you always and only install apps that have passed official scrutiny. Still, to be safe, be sure to install any available Android updates immediately.

Russian VKontakte Offers Snowden Job


American fugitive Edward Snowden was offered a job by Russia's top social networking site on Thursday, hours after the former intelligence contractor received a year-long asylum in Russia.
"We invite Edward Snowden to Petersburg and will be happy if he decides to join the star team of programmers at VKontakte," Pavel Durov, one of the founders of the St. Petersburg-based VKontakte, Russia's answer to Facebook, said on his profile.
Snowden's temporary asylum papers allow him to work in Russia, according to Anatoly Kucherena, a lawyer close to the Russian authorities, who has been assisting the American.
Moscow has refused Washington's repeated requests to hand over the 30-year-old to face trial on espionage charges after he leaked details of secret U.S. surveillance programs involving phone and Internet data.
Seeking to avoid U.S. prosecution, Snowden arrived in Moscow from Hong Kong on June 23 and had been stuck in the transit zone of Sheremetyevo airport for more than a month before slipping out on Thursday with new refugee documents.
The spat over Snowden's fate has added to tensions between Russia and the United States, already at loggerheads over the conflict in Syria as well as other defense and human rights issues.
But Snowden is also a useful propaganda tool for Moscow, which often accuses Washington of preaching on human rights abroad what it does not practice at home.
Durov of VKontakte, or "InTouch", which says it has more than 210 million registered profiles and up to 47 million daily users, said he took pride in Russia's decision to harbor Snowden.
"Today Edward Snowden - the man who denounced U.S. security services' crimes against citizens of the whole world - received temporary asylum in Russia," Durov said.
"In such moments one feels pride with our country and regret over the course taken by United States - a country betraying the principles it was once built on," he added.

Cyber Command Seeks To Close Gaps in Offensive, Defensive Skills

The Defense Department wants cyber experts who understand both offensive and defensive cyber operations.
The barrage of malicious attacks from insider threats, hacktivists, cyber criminals and nation states is forcing DoD organizations to rethink how they train the cyber workforce to equip cyber defenders and attackers with similar skill sets, according to officials.
“Today our defenders are being trained co-equal with our exploiters and attackers,” which has not always been the case, said Rear Adm. Sean Filipowski, director of intelligence for U.S. Cyber Command. “Why? Because defense has to be our first line of defense.”
Cyber Command can’t be overly reliant on the fact that its attackers may be able to “create an effect that would not enable an adversary to hurt us in cyberspace,” said Filipowski, who spoke Tuesday at the AFCEA Global Intelligence Forum in Washington. “So our defenders have to be trained at the same level.”
One problem is that cyber defenders often do not operate at the same security clearance levels as intelligence professionals, who can exploit enemy networks, and therefore they do not have access to the same information.
Filipowski said intelligence personnel have to understand how the networks operate in order to support the people who defend them. “If each of them are not in a good symbiotic relationship then, quite frankly, we can’t create the atmosphere we need for the exchange of information to understand the context of what we’re fighting in cyberspace,” he said.
DoD officials have said little publicly about the specific offensive capabilities they are building within the department’s workforce. Such skill sets could allow cyber experts to slip into an adversary’s network undetected to gather intelligence or prepare for an offensive operation.
The Air Force, for example, is developing systems “designed for the exfiltration of information while operating within adversary information systems,” according to reports by USA Today.
To adapt to evolving cyber threats, the Marine Corps also wants its cyber defenders and attackers to have similar training, said Ray Letteer, senior information assurance official for the service. “I’m seeing more and more of that,” he said.
Sequester budget cuts are also forcing agencies to re-evaluate how they train and hire cyber experts.
The sequester is “having an enormous impact on us,” said Dan Scott, deputy assistant director of national intelligence for human capital.
“The workforce that we have today is the workforce that we will have in 2020,” said Scott. “There is no getting around it. I can’t really hire thousands of people, I’ve got to develop the people I have, or I need to get rid of the people that I don’t want and then hire replacements.”
He stressed the need for comprehensive civil service reform and flexibility “to bring people in, to retain the skills that we need, to refresh those skills that are out of date, and, to those who just decide that they cannot perform or will not get up to date, we need to be able to send them along the way.”
When it comes to training, there is value in combining traditionally separate disciplines, such as attackers and defenders, into one cyber workforce, said Mark Young, former executive director for plans and policy at Cyber Command. Young is president and general counsel at cyber consulting firm Ronin Analytics.
“If you could hand me a guy … who can design, build, operate, defend and attack our network, they are that much more powerful a player for me to use in defense of the country,” Young said. “What used to take me about 50 people to do, you give me that kind of skill set, I can do it with 10.”
Given the current budget environment, “we are going to be driven to that one way or another,” he said.

1,000-Plus Government Websites Hacked in Three Years

More than a thousand government websites, including those managed by the security agencies and the Ministry of Defence (MoD), have been hacked in the last three years and the first half of this year.
Various interception and security measures in place have failed to prevent hacking and stealing of data, including some sensitive ones.
The number of such cyber attacks has seen a gradual increase over the years. Retired defence personnel and cyber security experts at the State level feel there is a need to address the flaws in the software systems that most government agencies work with, as doing so can provide the much-needed security at the basic level.
Given that all the operating systems (OSs) are developed by private companies, mostly outside of India, the concerns are greater, some of them feel.
In the backdrop of several perceived threats like these and actual incidents of cyber attacks, a collective decision was taken by Union ministries and the MoD in 2010 to develop an indigenous OS. The OS was supposed to make all the three forces––the army, navy and the air force––and other key wings of the government secure.
Three years after that, Bangalore hosts a complex where work on the said project is being done, but little progress has been made. Senior officials from the Defence Research and Development Organisation (DRDO), which has been given the responsibility of developing the OS, said it will take them another three years to complete the project.
This, despite some of the best brains from institutes like the IISc and IIT having been roped in and another centre working simultaneously in Delhi.
Information gathered from the Indian Computer Emergency Response Team reveals that a total of 1,030 websites belonging to ministries or departments were hacked during 2010-2013 (up to March).
The number of hackings has gradually increased over the years. While there have been 48 such attacks in the first three months of 2013, the number of hackings during 2010, 2011 and 2012 stands at 303, 308 and 371, respectively.

Snowden gets a job offer from founder of "Russian Facebook"

The founder of Russia's most popular social network VKontakte on Thursday offered a job to Edward Snowden, after the US intelligence leaker left a Moscow airport with his new asylum papers. "Today Edward Snowden, the man who has exposed the crimes of American security services against the world's citizens, received temporary asylum in Russia," Pavel Durov, who co-founded the network in 2006, wrote on his VKontakte page. "We invite Edward to Petersburg and will be happy if he decides to join the dream team of VKontakte programmers," wrote 28-year-old Durov.
Durov's young age and sometimes extravagant statements have earned him comparisons with Facebook founder Mark Zuckerberg.
"No other Internet company in Europe is more popular than VK," Durov said, referring to the shortened name of the social network, which boasts 210 million registered users and is based in Saint Petersburg.
"I think Edward would be interested in working on security of personal data of the millions of our users."
A former contractor for the NSA, Snowden has been in Russia since June 23, when he arrived from Hong Kong after leaking details of US surveillance operations in the world.
He had stayed in the airport transit zone until Thursday, when Russia granted him asylum status for one year, allowing him to formally cross the border.

Exclusive: NSA pays £100m in secret funding for GCHQ

• Secret payments revealed in leaks by Edward Snowden
• GCHQ expected to 'pull its weight' for Americans
• Weaker regulation of British spies 'a selling point' for NSA
 
The NSA paid £15.5m towards redevelopments at GCHQ’s site in Bude, north Cornwall, which intercepts communications from the transatlantic cables that carry internet traffic. Photograph: Kieran Doherty/Reuters
The US government has paid at least £100m to the UK spy agency GCHQ over the last three years to secure access to and influence over Britain's intelligence gathering programmes.
The top secret payments are set out in documents which make clear that the Americans expect a return on the investment, and that GCHQ has to work hard to meet their demands. "GCHQ must pull its weight and be seen to pull its weight," a GCHQ strategy briefing said.
The funding underlines the closeness of the relationship between GCHQ and its US equivalent, the National Security Agency. But it will raise fears about the hold Washington has over the UK's biggest and most important intelligence agency, and whether Britain's dependency on the NSA has become too great.
In one revealing document from 2010, GCHQ acknowledged that the US had "raised a number of issues with regards to meeting NSA's minimum expectations". It said GCHQ "still remains short of the full NSA ask".
Ministers have denied that GCHQ does the NSA's "dirty work", but in the documents GCHQ describes Britain's surveillance laws and regulatory regime as a "selling point" for the Americans.
The papers are the latest to emerge from the cache leaked by the American whistleblower Edward Snowden, the former NSA contractor who has railed at the reach of the US and UK intelligence agencies.
Snowden warned about the relationship between the NSA and GCHQ, saying the organisations have been jointly responsible for developing techniques that allow the mass harvesting and analysis of internet traffic. "It's not just a US problem," he said. "They are worse than the US."
As well as the payments, the documents seen by the Guardian reveal:
• GCHQ is pouring money into efforts to gather personal information from mobile phones and apps, and has said it wants to be able to "exploit any phone, anywhere, any time".
• Some GCHQ staff working on one sensitive programme expressed concern about "the morality and ethics of their operational work, particularly given the level of deception involved".
• The amount of personal data available to GCHQ from internet and mobile traffic has increased by 7,000% in the past five years – but 60% of all Britain's refined intelligence still appears to come from the NSA.
• GCHQ blames China and Russia for the vast majority of cyber-attacks against the UK and is now working with the NSA to provide the British and US militaries with a cyberwarfare capability.
The details of the NSA payments, and the influence the US has over Britain, are set out in GCHQ's annual "investment portfolios". The papers show that the NSA gave GCHQ £22.9m in 2009. The following year the NSA's contribution increased to £39.9m, which included £4m to support GCHQ's work for Nato forces in Afghanistan, and £17.2m for the agency's Mastering the Internet project, which gathers and stores vast amounts of "raw" information ready for analysis.
The NSA also paid £15.5m towards redevelopments at GCHQ's sister site in Bude, north Cornwall, which intercepts communications from the transatlantic cables that carry internet traffic. "Securing external NSA funding for Bude has protected (GCHQ's core) budget," the paper said.
In 2011/12 the NSA paid another £34.7m to GCHQ.
The papers show the NSA pays half the costs of one of the UK's main eavesdropping capabilities in Cyprus. In turn, GCHQ has to take the American view into account when deciding what to prioritise.
A document setting out GCHQ's spending plans for 2010/11 stated: "The portfolio will spend money supplied by the NSA and UK government departments against agreed requirements."
Other documents say the agency must ensure there has been "an appropriate level of contribution … from the NSA perspective".
The leaked papers reveal that the UK's biggest fear is that "US perceptions of the … partnership diminish, leading to loss of access, and/or reduction in investment … to the UK".
When GCHQ does supply the US with valuable intelligence, the agency boasts about it. In one review, GCHQ boasted that it had supplied "unique contributions" to the NSA during its investigation of the American citizen responsible for an attempted car bomb attack in Times Square, New York City, in 2010.
No other detail is provided – but it raises the possibility that GCHQ might have been spying on an American living in the US. The NSA is prohibited from doing this by US law.
Asked about the payments, a Cabinet Office spokesman said: "In a 60-year alliance it is entirely unsurprising that there are joint projects in which resources and expertise are pooled, but the benefits flow in both directions."
A senior security source in Whitehall added: "The fact is there is a close intelligence relationship between the UK and US and a number of other countries including Australia and Canada. There's no automaticity, not everything is shared. A sentient human being takes decisions."
Although the sums represent only a small percentage of the agencies' budgets, the money has been an important source of income for GCHQ. The cash came during a period of cost-cutting at the agency that led to staff numbers being slashed from 6,485 in 2009 to 6,132 last year.
GCHQ seems desperate to please its American benefactor and the NSA does not hold back when it fails to get what it wants. On one project, GCHQ feared if it failed to deliver it would "diminish NSA's confidence in GCHQ's ability to meet minimum NSA requirements". Another document warned: "The NSA ask is not static and retaining 'equability' will remain a challenge for the near future."
In November 2011, a senior GCHQ manager working in Cyprus bemoaned the lack of staff devoted to one eavesdropping programme, saying: "This is not sustainable if numbers reduce further and reflects badly on our commitments to the NSA."
The overriding necessity to keep on the right side of the US was revealed in a UK government paper that set out the views of GCHQ in the wake of the 2010 strategic defence and security review. The document was called: "GCHQ's international alliances and partnerships: helping to maintain Britain's standing and influence in the world." It said: "Our key partnership is with the US. We need to keep this relationship healthy. The relationship remains strong but is not sentimental. GCHQ must pull its weight and be seen to pull its weight."
Astonishingly, the document admitted that 60% of the UK's high-value intelligence "is based on either NSA end-product or derived from NSA collection". End product means official reports that are distillations of the best raw intelligence.
Another pitch to keep the US happy involves reminding Washington that the UK is less regulated than the US. The British agency described this as one of its key "selling points". This was made explicit two years ago when GCHQ set out its priorities for the coming years.
"We both accept and accommodate NSA's different way of working," the document said. "We are less constrained by NSA's concerns about compliance."
GCHQ said that by 2013 it hoped to have "exploited to the full our unique selling points of geography, partnerships [and] the UK's legal regime".
However, there are indications from within GCHQ that senior staff are not at ease with the rate and pace of change. The head of one of its programmes warned the agency was now receiving so much new intelligence that its "mission management … is no longer fit for purpose".
In June, the government announced that the "single intelligence account" fund that pays for GCHQ, MI5 and MI6 would be increased by 3.4% in 2015/16. This comes after three years in which the SIA has been cut from £1.92bn to £1.88bn. The agencies have also been told to make £220m savings on existing programmes.
The parliamentary intelligence and security committee (ISC) has questioned whether the agencies were making the claimed savings and said their budgets should be more rigorously scrutinised to ensure efficiencies were "independently verifiable and/or sustainable".
The Snowden documents show GCHQ has become increasingly reliant on money from "external" sources. In 2006 it received the vast majority of its funding directly from Whitehall, with only £14m from "external" funding. In 2010 that rose to £118m and by 2011/12 it had reached £151m. Most of this comes from the Home Office.

Twitter used to send bomb threats to several women in UK

Several women in the UK, including three prominent journalists, have received bomb threats on micro-blogging site Twitter, prompting Scotland Yard to launch a probe. "We can confirm that the Metropolitan police has received allegations relating to bomb threats sent to a number of females on Twitter," a Metropolitan police spokesperson said here today. There have been no arrests and no bombs actually went off, the spokesman said.
Columnists Hadley Freeman at 'The Guardian', Grace Dent at 'The Independent' and Catharine Mayer, Europe editor of 'Time' magazine, were among those who received the Twitter threats from anonymous user @98JU98U989 yesterday.
Freeman had written a column a day earlier headlined 'How to use the internet without being a total loser', responding to a series of violent messages on the social network aimed at women.
The anonymous account was suspended by Twitter last night; however, a screen grab of the threat had already been posted on the site by one of the journalists.
The threat read: "A BOMB HAS BEEN PLACED OUTSIDE YOUR HOME. IT WILL GO OFF AT EXACTLY 10.47PM ON A TIMER AND TRIGGER DESTROYING EVERYTHING".
After receiving the threat, Hadley Freeman wrote on Twitter that she was calling the police, adding: "If it's illegal to threaten to bomb an airport, it's illegal to threaten to bomb me".
Grace Dent described the threat as a "new low".
The latest incident comes just days after Walthamstow MP Stella Creasy and women's campaigner Caroline Criado Perez received rape threats on Twitter, following their successful lobbying for the author Jane Austen to appear on British banknotes.


Television historian Professor Mary Beard was also targeted by a Twitter user, who she named and shamed.
He apologised after Beard threatened to send a copy of his comments to his mother.
Meanwhile, over 100,000 people have signed a petition calling on Twitter to beef up its procedures for dealing with abuse.
The social media site has announced plans to include a button for reporting abuse within every tweet -- something which is already available on its iPhone app.

Soca chief steps down over conflict of interest issue

The chairman of the UK’s cyber crime fighting body, the Serious Organised Crime Agency (Soca), has resigned after admitting that he failed to declare a potential conflict of interest.
Sir Ian Andrews had his resignation accepted by home secretary Theresa May after he failed to declare the fact he is the director of Abis Partnership, a firm through which he provides management consultancy services.
Although he declared providing the consultancy work, he did not provide information on the company itself. In a letter published by Soca, he also wrote to the chairman of the Home Affairs Select Committee, Keith Vaz, explaining that he now felt he had no choice but to resign.
“I have realised that I had failed to register, as I am obliged to do under the SOCA Code, that I became a director of Abis Partnership Ltd – the company through which I provide management consultancy services to clients whom I did declare,” he said.
“I have no explanation for this other than it was both a genuine and unintentional oversight but it is nonetheless inexcusable: and the responsibility is mine alone."
May said she accepted the resignation but did so with “regret”, adding that an interim appointment will be made in due course.
“Sir Ian has had four decades of distinguished public service in roles ranging from second permanent secretary and chief executive of Defence Estates, to his current position as the chairman of SOCA,” she said.
The resignation comes a few weeks before Soca will officially disappear to be replaced by a wider National Crime Agency (NCA), which will offer a more complete centre to tackle issues such as cyber crime and organised crime.

Businesses warned to prepare for evolved Andromeda botnet

The authors of the Andromeda botnet are on the verge of releasing a radically updated, more dangerous version of the tool, according to Trend Micro researchers.
Trend Micro reported uncovering an advert announcing the upgrade on an unnamed cyber black market, warning businesses to be extra vigilant. "The Andromeda botnet is still active in the wild and not yet dead. In fact, it's about to undergo a major update real soon," read the blog post.
"Just recently, however, we've uncovered that there is an ongoing development in the Andromeda botnet. This latest announcement was posted just recently and basically says that Andromeda code is going to be updated heavily. They suspended the sales of plugins to focus more on developing the new version."
The authors promised the upgraded version will feature several enhanced features in the post. "The project is undergoing a global modernisation. In the near future there will be a few important but not visible changes," read the hacker's advert, translated from Russian. "We will update the admin principal. All plugins will undergo fundamental changes both in format and structure."
The changes will reportedly fix a number of bugs in the hack tool and make it quicker and easier for criminals to use. Trend Micro reported the criminals behind Andromeda also announced a sale on other tools. "Rootkit and Socks5, which are popular plugins, are also now free of charge. Previously, the rootkit was sold for $300 and Socks5 with BackConnect for $1,000," read Trend's statement.
The new version's exact release date remains unknown. The Andromeda botnet has been an ongoing problem facing businesses since first appearing in 2011. The current version of Andromeda was discovered in March.

PRISM: Edward Snowden granted temporary asylum by Russia

Edward Snowden, the whistleblower who revealed the US and UK’s huge internet surveillance programmes PRISM and Tempora, has been allowed to leave Moscow airport for the first time since fleeing to the country a month ago.
Russia has granted Snowden temporary asylum, in a move that is bound to anger US authorities, which were hoping to have him extradited to face charges.
Multiple sources have said that a lawyer for Snowden in Russia confirmed he has been given the temporary clearance.
"I have just passed him documents from Russia's Federal Migration Service," Russian news agency Interfax reported lawyer Anatoly Kucherena as saying, as cited by Reuters.
The approval is a huge victory for Snowden, who has been on the run for over a month since his revelations were first reported. Initially he fled to Hong Kong before moving on to Russia. At one stage it was believed he was flying to Cuba, but that proved to be a red herring.
Since then he has been holed up in Russia, but now appears to be a step closer to securing his safety. However, the US will no doubt continue to fight for his extradition.
Snowden’s revelations continued on Wednesday with information on the XKeyscore software used by US security officials to trawl the web for vast reams of data on practically anyone.
The system reportedly allows analysts connected to the browser-based tool to search through the NSA's records without any review process, meaning data searching was effectively a free-for-all for employees and contractors.

Black Hat: Don't Plug Your Phone into a Charger You Don't Own

This news couldn't wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I'm never plugging my iPhone charger into a USB port in a hotel desk again.
iOS Security
Billy Lau, a research scientist at Georgia Institute of Technology, led off with a review of iOS security. "Apple uses mandatory code signing to enforce their walled garden model," noted Lau. "No arbitrary person can install an arbitrary app. Who can sign an app? Only Apple and iOS developers."
Lau explained that the Georgia Tech team saw developer code-signing as a possible channel for creating iOS malware. "We went to the developer portal, submitted our credentials, paid $99, and then we are approved," said Lau. "Now I can sign any app and run it on any iOS device."
Lau explained that Apple rejects apps based on rules that aren't entirely public. By examining rejected apps, the team determined that any apps using Apple's private APIs would be banned. He also pointed out that the iOS sandbox features and entitlement checks make sure an app can't attack another app, "in contrast to PCs, where such attacks are easy." The Mactans attack works around both of these safety limitations.
How Does Mactans Do It?
"Mactans challenges the very fundamental security assumptions that people make," said Lau. "In particular, people assume it's safe to charge the device and use it when charging." He continued, "I must emphasize that this is not a jailbreak, and it does not require a jailbreak. The attack is automatic; simply connecting the device is enough. It's stealthy. Even if the user looks at the screen there's no visible sign. And it can install malicious apps on the target device."
The Mactans prototype is a bit large, as it's based on a three-inch square BeagleBoard inside a 3D-printed case. Lau noted that there are plenty of ways to make it smaller, or hide it inside something larger.
Yeongjin Jang, a PhD student at Georgia Institute of Technology, took on the task of explaining the details. It turns out that any device you connect to an iOS device via the USB port can obtain your device's Unique Device ID (UDID), as long as the device isn't passcode-locked. It just takes a second, so if you plug in your device while it's unlocked, or unlock it while plugged in, or just don't have a passcode, Mactans can attack.
Using the UDID, it effectively claims your device as a test device using the team's Apple developer ID. "The iOS device must pair with any USB host that claims it," said Jang. "Any USB host that initiates contact, they cannot reject it. It doesn't ask the user's permission and gives no visual indication. The only way to prevent a Mactans attack is to lock your device before charging it and keep it locked for the entire time." Once accomplished, the pairing is permanent.
The team found an attribute that Apple uses internally to make apps hidden, so they don't show up on the screen or in the task manager. They leveraged this, along with access to the Apple private APIs, to create a Trojan that can take over the phone completely and invisibly. As a final (and alarming) demonstration, they showed a Mactans-pwned phone turn itself on, swipe open, enter the passcode, and call another phone. The audience cheered wildly (though perhaps a bit fearfully).
What Can Be Done?
Chengyu Song, a PhD student at Georgia Institute of Technology, detailed just what Apple should do to make this type of attack impossible. Apple actually invited the team to have a look at an early version of iOS 7. Silent, forced pairing with any host is what gives the Mactans attack a foot in the door. "We noticed that they have added a new feature," said Lau. "When you connect to a new host it will ask if the host is trusted."
However, that was the only good news. Song detailed a number of other changes that Apple would have to make in order to prevent attacks like Mactans.
Any current iPhone is vulnerable to this attack. The only defense is a very simple rule: don't plug your phone into a charger you don't own. If you do, you could find your supposedly secure iOS device totally owned by malware. Even then, don't assume you're safe. As a parting shot, the team recommended an upcoming USENIX talk called "Jekyll on iOS" which will explain a non-hardware technique that lets an app bypass Apple's review.

Black Hat: Ads Could Provide a Vehicle for Enslaving Your Browser

An attacker could spend a small amount to almost instantly create a massive JavaScript-driven browser botnet, WhiteHat researchers found.
LAS VEGAS—Every day millions of ads are displayed to tens of millions of users across the Web. According to a pair of WhiteHat Security researchers speaking at the Black Hat security conference here, those ads could be the gateway to enslaving your browser into a botnet army.

There is little preventing an attacker from spending a small amount of money to almost instantly create a massive JavaScript-driven browser botnet—a so-called "million browser botnet," Matt Johanson, manager of the Threat Research Center at WhiteHat Security, told eWEEK.

Perhaps even more disturbing is the fact that WhiteHat's browser botnet attack isn't technically about disclosing a vulnerability. Rather, it's about abusing functionality that is part of the way the Internet works today.

Johanson explained that WhiteHat deployed some JavaScript inside of ad code and then submitted the ad to various ad networks. He noted that some networks allow JavaScript code functionality, while others do not. The overall goal for WhiteHat was to generate as much traffic as possible.


In short order, WhiteHat's bogus ad generated 20 million hits on the target tracking site. But that doesn't mean the ad was deployed or clicked 20 million times. The JavaScript code that WhiteHat deployed forces the browser to repeatedly connect as quickly as possible to a given target. It's a condition that if deployed widely could enable a distributed denial-of-service (DDoS) attack.

WhiteHat's JavaScript code wasn't doing anything overtly malicious and it wasn't dropping a payload on any user's machine either, Johanson said. The attack isn't even a cross-site scripting (XSS) issue, and it isn't abusing the same domain origin policy—designed to limit the risk of external scripts acting outside of a specific domain—that most browsers respect.

"This is just how the Internet works," Johanson said. "A Web browser can go grab an image that sits on a third-party site and the source of the image doesn't even matter."

He explained that all they did was deploy simple code, that is just running through a loop as the ad is displayed. It's also possible that WhiteHat could have extended their JavaScript code to perform other functions, such as distributed hash cracking.

The WhiteHat browser botnet only worked on ad networks that allowed JavaScript code in submitted ads.

"Ad networks go through an approval process, but all they care about is that the image looks right and fits, and when you click, it goes to a page that exists," Johanson said. "On the networks that allowed JavaScript, there was no analysis done of our code."

Though it was the ad networks that allowed the WhiteHat code to run, Johanson said that he's not pointing fingers at any particular ad network. The challenge, he said, is a bigger one than just the ad networks, as JavaScript code running in a browser is commonplace across the Web. The ad network in the Million Browser Botnet example was merely the distribution mechanism.

In Johanson's view, the ad code issue isn't an issue of avoiding certain sites either, as he found that he was able to get the ads running on common legitimate Websites.

In terms of fixing the problem, browser vendors might be part of the solution. Johanson said that WhiteHat has already opened up lines of conversation with Google and Mozilla.

So what should users do today to protect themselves?

There aren't too many options, but there are a few. Johanson suggests the browser users make use of browser extensions to control what's running. Two tools in particular are NoScript and Request Policy, which explicitly ask the user if they want to enable a script to run and make an external site request.

Black Hat 2013: Five Security Trends That Will Draw Most Attention

NEWS ANALYSIS: The most talked about trends at Black Hat 2013 will include the Internet of things, hacking mobile platforms, Android vulnerabilities, privacy and government snooping.
This year’s annual Black Hat security conference is about to get underway this week. The conference always promises a security professional's mix of research, vulnerability disclosures and general updates on the state of digital security.

This year’s keynote speakers include Gen. Keith Alexander, director of the NSA and commander of the U.S. Cyber Command and someone right in the middle of the government privacy versus protection debate. Here are the five trends as I see them shaping up in advance of the conference.

1. Hacking PCs is so, so yesterday. The state of Microsoft Windows security used to be a big topic. Of course, there are still Black Hat panels on Windows vulnerabilities. “A Tale of One Software Bypass of Windows 8 Secure Boot” is the topic of one panel. But as the personal computer industry has slowed so has interest in Windows hacks.

Or maybe—and this is clearly how Microsoft would like to view the digital world—all those dollars poured into shoring up the Windows security system is finally paying off. But in any event, with mobile devices and Web applications much more inviting targets these days, hacking PCs is clearly a passé activity for the most modern hacker based on the Black Hat agenda.


2. The Internet of (Hacked) Things. If the Windows hacker is no longer at the forefront, that position has been usurped by the Thing Hacker. The rise of the connected world of sensors, home security and self driving cars sounds great until you find that you are not doing the driving. I’m guessing that the Internet of Things and Thing Hacking will become its own conference in the not too distant future. One presentation is titled, “Let’s Get Physical: Breaking Home Security Systems and Bypassing Building Controls.”

3. Calling Android. There are lots of panels and activity around mobile security. The focus on mobile security is often aimed at Android devices. Why Android? First hackers like to go after the big targets (which is why Windows mobile is not getting much attention) and iOS and Apple devices still tend to be more secure than the Android gang. One session is titled, “Android: One Root to Own Them All."

4. Privacy, identity and security. The three topics are intertwined. Despite the rise of biometrics and other non-traditional identification methods, hacking passwords is still a large and growing industry. If you can’t assure identity, you can’t assure security and that simple equation gets an endless amount of venture investment and activity. Take it from me—the rise of all those connected mobile devices puts security beyond the reach of mere mortals. Whereas cloud computing is overtaking traditional data center computing, it will take something on the scale of cloud security to lock down the mobile, social, connected digital world.

5. Snoops with Badges. The extent of government access to the digital world as evidenced by the information released by Edward Snowden has created a new level of discussion regarding the role of government and the digital public. Black Hat (and its somewhat related DEF CON conference) was always a place where the hackers in white hats, black hats and government hats all mingled. That is no longer the case, with DEF CON out and out trying to block government employees from attending. The role of the NSA in digital monitoring has propelled the discussions on the proper role and limits of privacy versus protection to an intensity level not previously seen in the 16 years of Black Hat.

Black Hat: Hacking RFID Tags Is Easier Than You Think

You know all those security badges people use to get into buildings? Many of them are hackable, according to Francis Brown, an executive at Bishop Fox.
LAS VEGAS—Radio-frequency identification tags are widely deployed around the world and commonly used for building security system cards. As it turns out, those RFID security cards might not be all that secure.

That is the conclusion of Francis Brown, managing partner at security firm Bishop Fox, who detailed his research on RFID hacking on July 31 at the Black Hat security conference here. In an interview with eWEEK, Brown said he started out doing his RFID research focused on a specific requirement: He needed to break in to a building.

Although there are multiple types of RFID technologies, the focus of Brown's efforts is on the 125 kHz frequency, which is the primary technology used for badge readers and physical security systems in buildings.

"I want to be able to silently and discreetly steal that information as I walk by them," Brown said.

Step two is to make a copy of the RFID badge-reader card. Step three is for the penetration tester to use that copy to get access to the target building.

"Out of those three steps, the part that was most lacking in terms of existing tools was step one," Brown said.

To aid in the silent theft of RFID information from unassuming passersby, Brown developed an open-source Arduino-based tool. Arduino is an open-source electronic prototyping platform often used by artists, designers and others.

"What I basically did, is take a long-range reader, that is typically meant for parking garages, to collect the RFID data," Brown said. "Normally, you'd run a wire from the reader down a pole and into a building with a computer that makes the decision on whether the badge is valid or not."

Brown is using the Arduino-powered tool to get the output, instead of it going into a building computer. At Black Hat, Brown is releasing the code that will need to run on the Arduino.

"I'm letting the reader do all the work, and the Arduino is processing it and writing it to a text file," Brown explained.

Brown, who acquired the RFID reader on eBay, explained that building an RFID reader from scratch is not feasible for legal reasons, owing to a number of patent-related concerns.

The RFID output that the Arduino gets is a 10-digit hexadecimal value. With that in hand, Brown said it's simple to replicate the remotely stolen information using a Proxmark device.

The unfortunate reality, according to Brown, is that with most of the building security badges that are running at 125 kHz, there is no secure authentication mechanism.

"Basically, if the card gets close enough to a card reader, it just starts yelling out its ones and zeroes," Brown said.

He added that there are more secure solutions available from commercial RFID vendor HID, though they are not widely deployed.

So how can people protect themselves and their badge IDs from being remotely stolen?

The simple fix could be as easy as having a protective sleeve or wallet to keep the security badge information safe.

Black Hat Briefing: Building a Million Browser Botnet for Cheap

To create a botnet, you have to find some way to take control over thousands of computers and bend them to your will. That's a tough job, right? Well, no. In a presentation at Black Hat in Las Vegas, Jeremiah Grossman, founder and CTO of WhiteHat Security, and Matt Johansen, manager of WhiteHat's Threat Research Center, revealed an extraordinarily simple way anyone can take control of thousands or even millions of browsers.
Grossman led off with enthusiasm, saying "We've been working on this for six months, and we're anxious to present. This will go fast, and we'll have fun. We'll crack browsers and use them to crack websites."
The Power of the Web
Grossman went on to note, "The Web has near complete control of your browser as long as you're connected. Everything we do in our demo, we're not hacking anything. We're using the web the way it was meant to be used." Johansen added, "My apologies, we don't have a solution."
The presentation reviewed a huge number of ways a website can subvert your browser simply using a line or two of Javascript, or even a simple (but tweaked) HTML request. "We control the browser without zero-day attacks," said Grossman, "and we have complete control."
Illustrating with a slide showing the simple code involved, he said, "We can force your browser to hack another website, download illegal files from torrents, make embarrassing searches, post offensive messages, even vote for Ed Snowden as Time's person of the year."
Million Browser Botnet
All this was just introduction to the research being presented. Johansen and Grossman devised a very simple denial of service attack and tested it on their own server. They even demonstrated it in real time during Black Hat. This particular attack did nothing more than overload the server with connection requests, but the technique used could do more, much more. And all they had to do was spend a few dollars to place an ad containing the attack.
"Some ad networks allow arbitrary Javascript in the ad," said Grossman, "and some don't." The team had no trouble setting up their attack Javascript. "The ad network reviewers weren't good at reading or even caring about Javascript," said Johansen. "The real problem was making an ad image that looked pretty and looked like an ad."
At first the team was slowed by the need to get re-approval from the ad network every time they changed the Javascript code. They solved that by moving the code to their own host and simply calling it from the ad's code. This step left the ad network completely unable to see what the code might do; they didn't seem to care.
As soon as they enabled the attack code, it started executing on browsers all over. Every time anyone surfed to a page containing the ad, it started making connections to the victim server. The server couldn't withstand the load; it failed.
All browsers impose a limit on the number of simultaneous connections. Johansen and Grossman found a way to raise Firefox's limit from six to hundreds. It turned out their simple attack was completely effective even without this power-up, so they didn't use it.
Whose Problem to Fix?
"This attack is not persistent," said Grossman. "There's no trace of it. It does its ad-display and goes away. The code isn't crazy fantastic, it's just using the Web the way it's supposed to work. So whose problem is it to fix?" 
The same technique could be used to run distributed calculations via JavaScript, for example, to brute-force passwords and hashes. "We'll try that hash-cracking for next Black Hat," said Grossman. "How much can you crack for each 50 cents worth of paid page views?"
The presentation left attendees with the unsettling thought that the attack described uses the Web exactly as it's meant to be used, and we don't really know whose responsibility a fix would be. Grossman has said in the past that we must break the Web in order to fix it. Could he be right? Could we even survive a reboot of the entire Internet?

Black Hat: NSA boss Keith Alexander claims PRISM only gathers terrorist data

LAS VEGAS: The head of the US National Security Agency (NSA) spoke in front of an audience of thousands of security professionals to explain his agency's controversial surveillance programmes.
General Keith Alexander told attendees at the 2013 Black Hat conference that the agency's Foreign Intelligence Surveillance Act (FISA) and PRISM procedures are being carried out with far more discretion and oversight than commonly believed and are solely used for the purpose of gathering data on known or suspected terrorists.
“Their intention is not to go after our communications, their intention is to find the terrorists that walk among us,” Alexander said of the NSA. “We comply with court orders and do this exactly right, and if we make a mistake we hold ourselves accountable and report it.”
According to Alexander, the NSA operates under a strict set of limitations and is subject to regular audits over all collected data, much of which is highly anonymised. According to screenshots provided by the NSA, phone data is limited to dates and times, origin and destination numbers, and means of collection. No audio, SMS or account information is harvested at any point in the process.
The number of people in charge of the surveillance information is limited as well. Alexander said that just 22 individuals within the NSA are allowed to authorise data collection, and just 35 analysts are authorised to view phone data collected through the FISA programme.
Alexander also talked up the strict judicial regulations that govern the programme and require the NSA to obtain authorisation from federal courts for all surveillance activities. Contrary to popular belief, says Alexander, the NSA often finds itself with a skeptical audience when it seeks judiciary approval.
“They want to make sure that what we are doing comports with the constitution and federal law, and they are dead serious about it,” Alexander told attendees. “These are tremendous judges, they are not a rubber stamp.”
The NSA boss was not without his detractors, however. Sporadic heckling from the crowd roasted Alexander for issues ranging from the constitutionality of the programme to the US policies behind its activities in the Middle East.
Ultimately, however, Alexander reached out to the audience, inviting security professionals to submit their questions and comments to the administration and help it to revise and improve its policies.
“We need to hear from you because the tools and the things we use are very much the same as the tools you use in securing your networks,” he said. “The difference is the oversight and compliance we have in these programmes, that part is missing in much of the discussion.”

Black Hat: Microsoft brings fingerprint sensors to Windows 8.1

LAS VEGAS: Microsoft's upcoming launch of Windows 8.1 is set to include a host of features designed to simplify authentication and data protection, the company said.
Speaking with V3 at the 2013 Black Hat conference, Microsoft Windows security and identity group programme manager Dustin Ingalls said that the company would be investing in both its in-house security tools as well as the options the company provides to third-party security vendors for managing and securing applications.
Among the new features will be an update to Internet Explorer which will allow anti-malware applications to load prior to any ActiveX components in the browser's boot process. By having the ability to load early, the security tools will be able to spot and block potential threats from malicious ActiveX controls.
Also featuring in the 8.1 release will be Selective Wipe, a remote management component which will allow administrators to revoke encryption keys on specific files and remotely revoke the keys to block access when a device is lost or a user leaves a company.
Ingalls said that with consumerisation increasingly bringing personal tablets and PCs into the office, a conventional wipe tool that deletes all data on a device is no longer practical.
“If you wipe a whole phone today the worst you lose is a couple of text messages or some photos,” he said.
“You can't go wiping somebody's personal PC, you could find yourself in the middle of a nasty lawsuit or all sorts of other things.”
Perhaps the feature Microsoft is most proud of, however, is a leap forward in support for biometric authorisation. Once the domain of clumsy and unreliable swipe scanners, Microsoft has improved biometrics support and is working with hardware vendors on a new generation of sensors which will be able to authorise a user with a simple press of a fingerprint to a sensor embedded in a keyboard, notebook casing or tablet bezel.
Ingalls believes that with passwords no longer proving a practical measure and elaborate two-factor authentication schemes frustrating users, the time has come for a new generation of intelligent and precise biometric scanners.
“This is going to be a big deal. When even Twitter has to release a two-factor authentication, passwords are reaching the end of their road,” he said.
“[Two-factor] might be more secure than just a password, but they are definitely not more usable, and that is why users won't use them.”

Google Code developer site targeted by hackers

Hackers are using the Google Code developer site to spread malware, according to security firm Zscaler.
Zscaler ThreatLabZ security researcher Chris Mannon reported uncovering the scheme, warning that it is a marked development on criminals' usual attack strategy.
"Malware writers are now turning to commercial file-hosting sites to peddle their wares. If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether. The kicker is that this time we see that Google Code seems to have swallowed the bad pill," he wrote.
He said businesses using the service should adapt their security protocols accordingly to deal with the new threat.
"This incident sets a precedent that no file-hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organisational or personal perspective. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location."
The developer-focused site is one of many hit by cyber criminals in recent months. Other websites that have recently been targeted include the Apple Developer and Nasdaq community forums. Both of those attacks were designed to steal users' password information rather than to turn the sites into malware-distribution tools.
Security experts have said the attack is part of a growing trend within the hacker community. FireEye regional technical lead Simon Mullis said he expects to see more similar attacks in the very near future.
"We see this all of the time. In many cases we see fragments of multi-stage attacks for specific campaigns hosted across a variety of intermediate locations. Any site with user-editable content can be used to host part of the malware attack lifecycle," he said.
"The key part here: if you cannot detect the initial inbound exploit, then the rest of the attack can be hidden or obfuscated using this approach. This technique has been used for years (see Aurora in 2009, Pingbed in 2011 and MiniDuke this year) and the traditional security model and simple discrete sandboxing has no answer for it."

Crooks using Android master key to sneak Trojans onto smartphones and tablets

A Trojan exploiting a master key vulnerability in Android has been uncovered infecting smartphones and tablets.
Russian security firm Dr. Web found the malicious Android.Nimefas.1.origin Trojan, warning that it offers criminals a variety of powers over the infected Android device.
"Android.Nimefas.1.origin can send text messages, transmit confidential information to criminals and allows intruders to remotely execute certain commands on the infected mobile device," said Dr. Web's statement.
Dr. Web reported that the Trojan exploits a master key vulnerability to bypass Android's inbuilt defences.
"Recall that the vulnerability master key concerns installation of applications under Android: if an APK package contains a subdirectory with two files that have the same name, the operating system verifies the digital signature of the first file, but installs the second one, whose signature hasn't been validated. Thus, intruders bypass the security mechanism that prevents installation of applications that have been modified by a third party," read the statement.
"The recently discovered Trojan spreads with Android applications as a modified dex-file located in the same directory as the original dex-file of the program."
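The duplicate-entry condition the statement describes can be checked before any signature is trusted: a package whose ZIP central directory lists the same name twice is ambiguous, and a signature verified over one copy says nothing about the other. The following is an added example (not Dr. Web's, Bluebox's or Google's code) that flags such entries and shows how Python's own zipfile module resolves the ambiguity; the sample package is constructed inline.

```python
"""Flag APKs whose ZIP central directory lists a name more than once."""
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than
    once in the central directory. An APK is a plain ZIP file, so the
    standard library reader is enough to enumerate its entries."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_verify(apk_bytes: bytes) -> bool:
    """A signature check is only meaningful when every name maps to exactly
    one entry; reject ambiguous archives before verifying anything."""
    return not find_duplicate_entries(apk_bytes)


def read_first_and_last(apk_bytes: bytes, name: str):
    """Demonstrate the ambiguity: the first entry with this name (what a
    verifier walking the directory in order would hash) versus the entry
    zipfile.read(name) actually returns, which is the last one listed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        first = next(i for i in zf.infolist() if i.filename == name)
        return zf.open(first).read(), zf.read(name)


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample: a tiny ZIP laid out like an APK. With
    duplicate=True the name 'classes.dex' is written twice, the second
    copy carrying different content (no real dex or signature involved)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035 modified")
    return buf.getvalue()


if __name__ == "__main__":
    clean, tampered = build_sample_apk(False), build_sample_apk(True)
    print("clean package duplicates:", find_duplicate_entries(clean))
    print("tampered package duplicates:", find_duplicate_entries(tampered))
    first, last = read_first_and_last(tampered, "classes.dex")
    print("first listed entry:", first, "| read() returns:", last)
```

Python's reader keeps both entries in infolist() but lets the last one win on read(), which is exactly the verifier/installer split the statement describes.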
The Russian security firm said the attack has several other detection-dodging powers. "When launched on a device, the Trojan first checks if a service of a known Chinese antivirus is running in the system. If at least one such service is detected, Android.Nimefas.1.origin searches for the files "/system/xbin/su" or "/system/bin/su" to determine if root access is available. If a file is found, the Trojan process is terminated. If none of the above conditions is met, the malware keeps running," read the statement.
"The Trojan can also hide incoming messages from the user. A corresponding filter to conceal messages by their text or number is also downloaded from [the] attacker's server."
Dr. Web said the attack is currently focusing on Chinese Android users, but will likely soon expand to target other regions. "To date, Android.Nimefas.1.origin poses the greatest threat to Chinese users because it spreads with a large number of games and applications available via a Chinese software catalogue."
"The site's administration has already been notified about the problem. However, it is possible that in the near future malware exploiting the vulnerability master key will grow in number and thus the threat geography will expand too," read the statement.
The master key vulnerability was first uncovered by Bluebox Security. Google has released a patch for the vulnerability to carriers and hardware partners. Dr. Web said exploits targeting the master key will continue to appear and spread until mobile phone manufacturers update their devices to run the latest Jelly Bean version of Android, which contains the fix.
"While manufacturers of mobile Android devices do not release corresponding updates of the operating system to close this vulnerability, many devices can be affected by such malicious applications," read the statement.
"Provided that a large number of devices available on the market are no longer supported by their manufacturers, their owners are likely to get no protection at all."
The campaign is similar to the Android.Skullkey attack discovered by Symantec earlier this month, which also targeted the Android Master Key vulnerability. It is currently unclear if the two campaigns are linked. At the time of publishing Symantec and Dr. Web had not responded to V3's request for comment.

Hackers pose as Department of Homeland Security in ransomware web scam
Hackers are extorting vast sums of money from unwary web users, using ransomware posing as the US Department of Homeland Security (DHS).
The US Computer Emergency Response Team (CERT) reported unearthing the ransomware, warning that one variant has advanced webcam hijacking powers.
"US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it," read the CERT alert.
"One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware falsely claims to be from the US Department of Homeland Security and the National Cyber Security Division."
The CERT team said victims of the scam should not pay the blackmailers, and should instead contact a reputable security provider to remove the malware.
"Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or perform a clean reinstallation of their OS after formatting their computer's hard drive. US-CERT and DHS encourage users and administrators not to pay the perpetrators and to report the incident to the FBI at the Internet Crime Complaint Center (IC3)."
The DHS ransomware is one of many new types of malware discovered masquerading as a law enforcement or government agency.
Within the UK, ransomware locking computers and displaying a bogus message claiming to come from the Serious Organised Crime Agency (SOCA) was uncovered targeting British web users.

Black Hat: Biases skew vulnerability reports for companies
LAS VEGAS: The security vulnerability reporting, analysis and patching landscape is being warped by a set of biases throughout the chain, according to researchers.
Steve Christey, principal Infosec engineer with MITRE, and Brian Martin of the Open Security Foundation said at Black Hat that the chain from the researchers, to the vendors, to the vulnerability databases that classify bugs is clouding the picture for executives and administrators.
Martin said: “People make security decisions, big ones, based on these stats. And that is depressing.”
The pair showed how a number of basic biases in human thinking can help to create a skewed picture of just how vulnerable a platform can be. For example, researchers may focus their efforts onto a single platform or a specific type of vulnerability for a short period of time, inflating the number of bug reports for one platform while flaws in others may go unreported or unnoticed due to lack of attention.
Even when the flaws are reported, differences in classification methods can help to create a bias in the way flaws are viewed. The researchers noted that common platforms, such as the Common Vulnerabilities and Exposures (CVE) system, can often classify or present issues in such a way that multiple individual flaws will be presented under a single entry and considered to be one vulnerability.
Further complicating matters can be vendor policies, which dictate how flaws are disclosed. While some vendors provide detailed security information with their patches, others provide little to no detail, often leaving privately disclosed issues completely undocumented.
The result, say the pair, is a complex system that will be nearly impossible to address with a simple formula. Rather, the researchers believe that the databases and groups that report flaws note the limitations in their methodology and help to inform administrators as to a flaw's impact on specific platforms and versions.
The public, meanwhile, is advised to take security figures with a pinch of salt. “Any time you see someone using stats to say one OS is superior to the other just walk away,” Martin advised. “No vulnerability data set out there can truly cover and answer that question.”

Black Hat: Researchers exploit iPhone flaws with charger attack

LAS VEGAS: A trio of university researchers have developed a method for infecting iOS devices through the Apple power port.
Posing as a charger device, the Mactans proof-of-concept is able to pair with an iOS device, gain access to heightened privileges and install both hidden and visible applications onto the targeted device through a USB connection.
Researchers Billy Lau, Yeongjin Jang and Chengyu Song of the Georgia Tech Information Security Center said that their device, and the exploit it is based on, preys upon a set of basic security flaws in the way Apple handles peripheral connections, device pairing and developer access on the iOS platform.
The attack is launched when the iOS device is plugged into the Mactans and unlocked. The Mactans, which was built using a BeagleBoard microcomputer, then uses the USB link to pair with the device, install a developer-provisioning profile, and begin loading applications onto the iOS device without any user warning or notification.
According to the researchers the device is able to take advantage of a flaw in pre-iOS 7 versions, which pair the device without ever notifying the user. The Mactans then lifts the device's unique device identifier (UDID) and uses the information to authorise the installation of a “provisioning profile”, a component intended for developer use, which allows for additional privileges usually walled off from iOS apps.
With the heightened access, the Mactans is able to perform tasks such as remotely controlling the device or hiding applications. In one demonstration, the attacker was able to hide the iPhone Facebook application and install a malicious copy in its place. The malware executed its task, then launched the legitimate “hidden” copy of Facebook, leaving the user none the wiser.
The trio said that possible scenarios for infection in the wild could include disguising the Mactans as a free charger in public spaces, or porting the software and attack techniques to PC or OS X malware infections and executing attacks when the device is synched.
Apple customers will be given some reprieve as the company will address the USB pairing issue in iOS 7 by asking users to verify all attempted pairings. The three researchers, however, noted that additional holes remain, including flaws in the way provisioning profiles are issued and a lack of tools to detect suspicious or potentially abusive activity on developer profiles.

Q2 2013 Superfecta report, constant increase for automated attacks

FireHost has announced its Q2 2013 Superfecta report, an interesting set of statistics on attacks against web applications. The Superfecta is a group of four attack types that FireHost, a secure cloud hosting company, considers the most dangerous for businesses: Cross-site Scripting (XSS), Directory Traversal, SQL Injection, and Cross-site Request Forgery (CSRF).
The report defines the Superfecta as follows:
  • Cross-site Scripting (XSS) – Cross-site scripting involves the insertion of malicious code into webpages in order to manipulate website visitors. It is used by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users.
  • Directory Traversal – A Path Traversal attack aims to access files and directories that are stored outside the web root folder.
  • Cross-Site Request Forgery (CSRF) – CSRF is an attack that forces an end user to execute unwanted actions on a Web application in which he/she is currently authenticated.
  • SQL Injection – SQL Injection involves the entering of malicious commands into URLs and text fields on websites that happen to be vulnerable, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. The attack vector has been associated with many high profile data breaches.
FireHost examined more than 24 million cyber attacks and observed a meaningful increase in Cross-Site Request Forgery and SQL Injection; this concerning trend is attributable to the wide diffusion of automated attack tools. Automated attacks allow attackers to conduct various types of offensives on a large scale and in a short time: data theft, malware spreading, DDoS attacks and vulnerability exploitation become easy to carry out even without any particular expertise.
Another concerning finding of the Q2 2013 Superfecta report is that blended and automated attacks are being conducted by criminals who exploit cloud service provider networks.
[Figure: Q2 2013 Superfecta report]
Compared to the previous quarter, the volume of Cross-Site Request Forgery (CSRF) attacks increased by 16% and SQL Injection attacks continued to grow, increasing by 28%. SQL Injection attacks are considered very aggressive, while Cross-site Scripting (XSS) remains the most prevalent attack type.
FireHost experts state in the Q2 2013 Superfecta report that they blocked more than 1.2 million XSS attacks in Q2; they highlight that the smallest percentage increase (0.7%) being in XSS attacks suggests that this type of attack is commonly used in conjunction with other exploits, probably to allow an attacker to gain access to more complex attack vectors.
“Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure,” said FireHost founder and CEO Chris Drake. “Many cloud providers unfortunately don’t adequately validate new customer sign-ups so opening accounts with fake information is quite easy. Once the account is created, APIs can be leveraged to deploy a lot of computing power on fast networks giving a person the ability to create a lot of havoc with minimal effort.”
According to many security experts, cyber criminals are targeting hosting services to gather information for use in subsequent attacks. Recently the APWG Global Phishing Survey revealed that hackers are targeting shared virtual servers for various purposes such as bot recruiting and malware distribution; the following is an excerpt from the study:
“In late 2012 into 2013, we have seen increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel, and Joomla installations. For example, beginning in late 2012 criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. And in April 2013, a perpetrator launched wide-scale brute force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing. These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry.”
Cybercriminals are also enumerating target workstation clients to identify software VPN connections to shared services platforms, and then taking over those workstations to gain access to cloud environments.
Key statistics from the Q2 2013 Superfecta report include:
  • Total number of all attack types blocked by FireHost in Q2 2013: 24,074,406 (This includes low level attacks that are automatically blocked by FireHost’s IP Reputation Management “IPRM” filters)
  • Superfecta attacks increased by six percent during the quarter with a total number of 3,643,620 blocked in Q2 2013 (up from 3,410,212 in Q1 2013)
  • XSS was the most prevalent Superfecta attack type in Q2 2013 – with more than 1.2 million attacks being blocked, 33 percent of the total Superfecta attacks
  • SQL Injections now represent 18 percent of all Superfecta attacks, CSRF attacks are now 26 percent of the Superfecta total. Both have grown in volume since Q1 2013.
Pierluigi Paganini