Thursday, 12 September 2013

Windows 8 Boosts Security with 5 New Features

The Windows OS has never been known for its security features. Microsoft hopes to change that with Windows 8.
When it comes to platform security, Microsoft is still trying to earn back the trust it so badly lost during the Windows XP era. At its worst, an unpatched Windows XP machine connected to the Internet could become infected by malware in an average time of four minutes.
Subsequent Windows releases have certainly improved on this rock-bottom situation. Windows Vista saw infection rates drop by about half compared to XP. And with Windows 7, infections dropped on average by half again compared to Vista.

Without a doubt, Windows security has been improving. But Windows still possesses the lion's share of the desktop OS market – particularly in the enterprise – and as such still remains a favored target of malware distributors.
The newly released Windows 8 features major interface changes, which have drawn the bulk of attention. But the differences between Windows 7 and 8 aren't only on the surface. A short list of new security features promise to significantly decrease the Windows 8 infection rate, even as compared to the improvements seen in Windows 7.
Here are some of the most significant security features, all of which will be available in Windows 8.1, the upcoming update of Microsoft's latest operating system, which a growing number of sources are reporting will be released in October.

Early Malware Detection

As anti-malware scanners have become the standard on many machines, malware distributors have increasingly looked for new attack vectors. One such strategy is to target malware further up the chain in the OS. Typical anti-malware software employs runtime scanners – meaning that they detect malware after the OS is already up and running.
But malware like rootkits and bootkits install themselves earlier in the OS sequence, meaning their hooks are in place before conventional anti-malware scanners are launched. Windows 8 introduces two new defenses to combat this problem; secure boot and ELAM, or "Early Launch Anti-Malware."

Secure Boot

Windows 8 support for secure boot is one of the more controversial new security features. In brief, secure boot requires that code launched at boot possess a secure certificate verifiable by a hardware module.
The argument behind secure boot is that it will prevent infections from bootkits, which weasel their way into the boot code of the machine. Bootkits can be very difficult to remove. However, they also make up a relatively small proportion of malware infections. The secure boot feature can make it more complicated to install alternative operating systems on a machine, such as Linux. Windows 8 installed on non-certified hardware (e.g. machines which are not brand new) will likely not support secure boot anyway.
Some critics say that secure boot will make Windows machines into "closed" systems by more closely tying the hardware to the OS, while preventing a limited vector of attack. Although true, this fact is not likely to present a real practical problem for enterprise deployments where control and uniformity of workstations is generally desirable.
As with just about any security feature, though, determined hackers can find a way around it. Security researchers demonstrated two exploits of Secure Boot at the recent Black Hat security conference. It is worth noting, however, that the attacks are possible because of shortcomings in how some PC vendors implement the Unified Extensible Firmware Interface (UEFI) specification on their machines rather than weaknesses in the secure boot feature itself.

Early Detection: ELAM

With ELAM, Windows 8 essentially possesses a built-in scanner for operating system drivers. When the OS boots ELAM is launched before other drivers, so that they can be checked against a blacklist of known infection signatures.
Enterprises can use the group policy editor to configure exactly how ELAM behaves. For example, administrators can decide whether the system should be allowed to boot only when known good drivers are present or whether to also allow unknown drivers – which may be infected or may simply be installed by useful third-party products.

Runtime Security

When the Windows 8 OS is up and running, several more security defenses have been introduced to further limit the attack surface area.
Windows Defender, which was originally included with Windows 7 as an anti-malware scanner, now runs by default and its job scope has been expanded to look for suspicious network activity as well as malware executable signatures. Note, though, that PC vendors may opt to replace Defender with third-party anti-malware solutions of their choosing, which may be limited-time trial editions.

Sandboxing with AppContainer

The biggest new security feature introduced to runtime Windows 8 is the new AppContainer. When an application runs inside a "sandbox," it is limited in how it can interact with the underlying OS. Depending on the sandbox, apps may be restricted from reading or writing files outside prescribed locations, accessing location awareness, modifying operating system files and so on.
If you've installed apps on an Android phone, you've seen the screen where it describes which privileges the app requests access to. If an app requests overly broad privileges relative to its functionality, you may decide to abandon the install. Microsoft's AppContainer roughly applies this concept to Windows 8 Metro apps. Wait – what?
A key new and/or confusing aspect of Windows 8 is that it now supports two types of applications. There are the traditional desktop applications that look and operate just like applications on Windows 7, and then there are Metro apps which are more like mobile applications. You discover and install Metro apps from a central app store, you launch them from a grid display, and each app runs full screen. In short, Metro apps are the part of Windows 8 where it behaves like a mobile OS.
AppContainer is designed to apply to these Metro apps. But wait – there's more. Microsoft extends the AppContainer feature to also apply to browser tabs inside Internet Explorer 11. Therefore, potentially malicious apps that could run inside a Web page will be isolated inside an AppContainer sandbox.

Portable Enterprise Security

Organizations that use the Windows 8 Enterprise edition can deploy an interesting new twist on platform security called Windows To Go. With WTG, a pre-configured installation of Windows 8 can be installed to and launched from an approved USB stick.
In this context, an enterprise can be assured that an employee or contractor is using a securely configured Windows 8, which for example might be set up to access the corporate VPN. Separating business and personal silos addresses the increasing trend toward BYOD, ensuring that personal devices are securely used for business work.
To further secure WTG, the USB drives can be encrypted either at creation time or after the fact using Microsoft’s Bitlocker.

Security by Default

Although a feature like Windows To Go requires active adoption by an organization, most of the new security enhancements to Windows 8 are baked in to run out of the box. This should be good news to organizations that are hesitant about adopting Windows 8.

Can Your Printer Put Your Whole Network at Risk?

Almost everything can connect to the Internet these days – printers, of course, and webcams, radios and even refrigerators. HVAC systems for home and business and industrial SCADA systems are often online, too. These specialized devices typically do their work quietly and out of sight, unlike the machines we physically interact with on a daily basis.
But out of sight should not translate to out of mind. Embedded systems – all-in-one machines with on-board software baked into the device – pose potential security risks to networks large and small.
While any network-aware machine presents some degree of risk, embedded devices possess a cluster of characteristics worthy of particular notice:
  • The software built into the device may be simpler and less sophisticated than software built for more powerful machines, potentially exposing more weaknesses.
  • Manufacturers may be slow to build or release patches for devices with a niche market.
  • Likewise, many embedded devices have a small user base, meaning less opportunity for end users to discover and report bugs.
  • End users are more likely to "set it and forget it" when deploying embedded devices, particularly those without screens or those that operate out of sight.
  • Limited memory and storage can translate into little or no activity logging, making it harder to detect malicious activity before or right after it takes place.

Embedded Devices: Online and Exposed

In 2012 an anonymous security researcher deployed software to infect over 400,000 embedded devices, creating a botnet called Carna. The software was designed to be non-malicious; it harvested information from infected machines to build a "census" of connected devices online. Putting aside the ethics of the project, Carna vividly demonstrates how vulnerable many printers, webcams and other embedded devices can be.

In this instance, the infected devices were vulnerable because they were Internet-facing and in default configuration states, either without authentication controls or default passwords.
Another security researcher, HD Moore at Rapid7, recently published about finding over 100,000 open serial ports accessible online. Serial access can provide attackers with live, unauthenticated access to a server when an authorized user has already opened a shell on the device. Again, these machines could have been configured with restrictions on their serial ports but simply were not. While open serial ports aren’t specific to embedded devices, they represent the kind of "forgotten" access routes that can fly under the radar in many organizations securing their networks.
As we've explored previously, tools like the public search engine Shodan have made it easier for both the malicious and the just curious to identify Internet-facing machines -- including embedded devices which likely have security shortcomings.

Assessing Security Risks of Embedded Devices

At first glance it is tempting to think, "What can an attacker really do with access to my company's printer? Waste a lot of ink and paper?" Yes, an attacker can very well interrupt operations of the embedded device itself, effectively a type of denial of service attack. While that may not seem like such a big deal for relatively innocuous devices like printers, it is critical to think of the bigger picture.
Of course, embedded devices that control important systems such as industrial processes are in and of themselves high risk targets. But even more limited embedded devices can become "mouseholes" into your network.
A particular embedded device might have limited capabilities itself, but an attacker who compromises it can gain valuable insight into your network. It’s like they are inside the mousehole looking into your house. Depending on the device, they may even be able to execute or load their own software onto it – like the Carna bot did -- potentially sniffing intranet traffic or performing other types of surveillance that give them tools for new avenues of attacks against your network.

Securing Embedded Devices

If there is an upside to the risks posed by embedded devices, it is that a few simple practices will secure the largest surface areas of vulnerability:
Inventory all embedded devices on your network. Because their nature lends them to be "hidden," it is important to start by thoroughly accounting for all network-aware machines on your network.
Ask which embedded devices really need Internet access. If you never access your network printer from outside the office (or outside a VPN), then block it from external access. If the printer's own configuration doesn't support this, any good firewall will.
Employ non-default passwords. As we've seen, many embedded devices are at risk simply because they are online in a default configuration mode.
Keep up to date on firmware updates. This is often a key weakness in embedded devices from two angles.
One, as we've said, is the tendency to forget about embedded devices. So don't. Unfortunately, manufacturers can forget about them, too. Maybe not "forget" in the literal sense, but embedded devices are more vulnerable to becoming stale. Firmware updates can stop coming, and the support lifetime may be shorter than for PC-based software. Consequently, it may be necessary to replace embedded devices with newer models if and when a manufacturer stops publishing updates.
Consider the UPnP vulnerability discovered in a library common to many devices. This particular flaw actually can expose UPnP-supporting devices to the public Internet even when their operation should be limited to a local intranet. Of course, anyone with an affected device should apply the most recent firmware updates. But invariably, some such devices have not been patched by their vendors and won't be – a case study in embedded devices that will need to be replaced with newer models.

Workplace Surveillance Revisited

Each new revelation about the National Security Agency (NSA) and its domestic surveillance program heightens concern about possible abuses of government power. So it wasn't surprising when a news item went viral about a New York woman who believed her house was visited by authorities because of Web searches made from her family PC.
But as the facts came out, there was more to the story. The tip that led authorities to investigate the family came not from the NSA, but from the husband’s employer. He had searched for terms related to potential incendiary devices from a workplace computer just before being let go from his job.
The employer in this story discovered the potentially troubling actions because it, like some two-thirds of companies, monitors employee activity online. While surveillance by government agencies like the NSA is still highly controversial, enterprise surveillance of workers’ activities is now commonplace and in most scenarios, perfectly legal.

But crafting and implementing a company-wide monitoring program is more nuanced than just flipping a switch. As the NSA is discovering, there are potential consequences to consider when deciding just how and what to monitor.

Legality of Workplace Surveillance

While this article does not constitute legal advice, companies are generally in safe territory when monitoring or recording any communications using employer-owned equipment. The only specific protection is for employees making personal phone calls. In terms of online activity, employers can legally monitor and record all electronic communications. That includes literally monitoring employees’ computer desktops and archiving all emails sent and received, including “deleted” messages.
That said, the current trend toward BYOD or "Bring Your Own Device" policies in the workplace does create a new wrinkle in companies' legal right to unfettered monitoring. In a BYOD environment where an employee or contractor uses a personally owned device for work purposes, businesses do lose the right to, for example, monitor keystrokes or desktop activity without employee permission.
Still, most corporate monitoring focuses on network activity such as emails, instant messages and website visits. As long as an employee-owned device is using the corporate network, these activities remain subject to legal surveillance.

Surveillance vs. Monitoring

The terms "surveillance" and "monitoring" are used almost interchangeably when talking about workplace spying, for lack of a better word, but the two are different in some important ways.
In a surveillance environment, employees are likely to be watched in realtime. This could include using tools like security cameras, listening in on phone calls and remotely viewing computer desktops. Whereas a workplace which "monitors" activity may use tools less pervasively – keeping archives, for example, of electronic messages or logging visits to unapproved websites.
Both strategies have a place. For example, surveillance of phone calls may be appropriate in a customer service call center. But misapplying a strategy to a workplace environment can have negative consequences.
For example, in a company where employees work independently and are self-directed, active surveillance can undermine trust and discourage the best employees from staying with the company. On the other hand, passive monitoring of employee activity where productivity needs to be focused on a narrow task might allow too much slack to accumulate in employee output.

Risky Information

The temptation to monitor as much as possible is a natural extension of a company’s desire to protect its business and the ease with which modern tools can do so. But there are some hidden dangers in monitoring too much, especially in realtime.
In this day and age many employees mix business and personal activity. For example, sending email to both business and personal contacts. In some companies, these activities are separated through independent email identities, but not always.
Now suppose that in the course of company surveillance, it is revealed that an employee is pregnant or has been diagnosed with a serious medical condition. Knowing this information without the employee having volunteered it can put the company at risk. For example, if there is later a dispute between the employee and company, he or she might point to these factors in potential claims of wrongful dismissal or discrimination. In other words, there can be a risk to a company who "knows too much."

Out in the Open

When law enforcement agencies monitor individuals, they often do so covertly. After all, if targets knew they were being watched, they might not behave badly. Of course, "not behaving badly" is precisely what a company wants from its employees. To help ensure this, organizations needs to be upfront about their monitoring:
  • Define what "not behaving badly" means. Clearly worded policies should unambiguously define acceptable and unacceptable online activity on the job.
  • Detail the monitoring program in place. Although there is no legal requirement to do so, a company which explains what it monitors and why will both earn the trust of employees and discourage bad behavior.

Workplace Monitoring Software

Major players in corporate monitoring include SpectorSoft, Spytech, SONAR, and Net Spy Pro, among many others in this large market sector. Licensing costs can range from $40 to $300 per employee. Some suites are multi-platform; for example appropriate for businesses with both Windows and Mac machines. Some tools also extend to include mobile devices like smartphones and tablets.
No matter which monitoring suite an organization chooses, its effectiveness ultimately comes down to strategy and transparency. Develop the right monitoring strategy for the workplace and make its policies clear for everyone to whom it applies.

Blackberry patches vulnerabilities in BB10 smartphones and PlayBook tablet

BlackBerry Z10 front
BlackBerry has released fixes for vulnerabilities in Flash, WebKit and libexif that left Z10, Q10 and PlayBook users open to attack by hackers.
With the Adobe vulnerability, the attacker would require BlackBerry users to download Flash, which does not come preinstalled on BlackBerry's BB10 or tablet OS. For those with Flash, the vulnerability meant hackers could target Z10, Q10 and PlayBook devices running older versions of its tablet and BB10 OS, using infected webpages containing Flash content or malicious Air applications.
The BlackBerry alert said: "Successful exploitation requires that an attacker craft malicious Adobe Flash content that they must then persuade the customer to access on a webpage, or as a downloaded Adobe Air application. If these specific requirements are met, an attacker could potentially execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content."
The significance of the libexif vulnerability has also been questioned as it only relates to BlackBerry's PlayBook tablet, a device that boasts woefully low sales even in the enterprise space. BlackBerry confirmed that the vulnerability relates to multiple flaws in the libexif code.
"Multiple vulnerabilities exist in the open-source EXIF tag parsing library (libexif) supplied with affected versions of the BlackBerry PlayBook Tablet OS. The libexif library is an open-source component used for processing EXIF metadata tags embedded in images. Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image," read the advisory.
"In order to exploit these vulnerabilities, an attacker must craft an image with malformed EXIF data. The attacker must then cause the user to take action to open or save the image, after the image has been displayed in an email message or on a webpage."
The two WebKit vulnerabilities relate to the Z10 and Playbook tablet, though BlackBerry claims neither is currently being exploited by hackers. BlackBerry reported the two meant hackers could theoretically use a malicious JavaScript to mount a remote code execution strike.
Despite being theoretically interesting, the security community has supported BlackBerry's claim that it is unlikely that the vulnerabilities have been exploited by hackers. F-Secure security analyst Sean Sullivan told V3 this is because BlackBerry's robust security and low market share mean it would not be financially worthwhile for criminals to exploit them.
"I don't think this makes for very useful crimeware. Not a good return on investment. However, this could be very useful for espionage efforts. There are probably some vulnerability vendors already sitting on exploits that might be useful to chain to this Flash one. And there are still important people using BlackBerrys. So a targeted attack could be a concern," he said.
Smartphone security has been a growing concern for businesses, though traditionally Google's Android operating system has been the main target. This is because it takes an open approach, allowing coders and developers to tweak it and release products on it outside of official Google marketplaces.
The approach has made it easier to sneak money-making Trojan apps onto Android and is often listed as a key reason why it is the most targeted mobile operating system. Most recently the US Department of Defense issued a report warning that 79 percent of all mobile threats are designed to target Android.

A scam-spotters guide: Ten things your bank will NEVER do – but cybercriminals will

Technologies change, but cybercriminals will always dream up new ways to fool you into handing over your bank details – whether via phishing emails, SMS or by phone.
Hesperbot – a new Trojan detected by ESET – uses hi-tech methods to bypass bank security systems, and clever social engineering to ensure victims play along.
These days cybercriminals will use phone calls, SMS messages, emails – and even couriers – in an effort to get your money.  Many of these attacks can seem very convincing – at least at first.
The key to staying safe is to recognize behavior that isn’t quite “right”. Here are ten things a bank will never do – but a fraudster, phisher, or thief will.
Text you asking for details to “confirm” it’s you
Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords in a text. Banks also won’t update their apps in this way. If you’re suspicous, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number – Google it if you don’t know – and check whether the text is from them. More advice on avoiding SMS phishing scams can be found here.
Give you a deadline of 24 hours before your bank account erases itself
Many legitimate messages from your bank will be marked “urgent” – particularly those related to suspected fraud – but any message with a deadline should be treated with extreme suspicion. Cybercriminals have to work fast – their websites may be flagged, blocked or closed down rapidly – and need you to click without thinking. Banks just want you to get in touch – they won’t usually set a deadline.
Send you a link with a “new version” of your banking app
The new banking Trojan Hesperbot, discovered by ESET and reported here uses a malicious webpage to instruct users to enter their cellphone number and make, and attempts to install a malicious app that bypasses security systems. Your bank will not distribute apps in this way – instead, download from official app stores, and ensure yours is up to date. Advanced malware such as Hesperbot can compromise both PCs and smartphones, making it difficult for victims to tell if they are being scammed. “ESET products like ESET Smart Security and ESET Mobile Security protect against this malware,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.
Use shortened URLs in an email
Cybercriminals use a variety of tricks to make a malicious web page appear more “real” in an email that’s supposedly from your bank – one of the most basic is URL-shortening services. Don’t ever click a shortened link, whether in an SMS or an email from your bank. Go to the bank’s website instead (the usual URL you use),, or call them on an official number (ie not the one in the email). A detailed ESET guide to phishing scams can be found here.
Send a courier to pick up your “faulty” bank card
The courier scam is a new one – your phone rings, it’s your bank, and they need to replace a faulty bank card. One of the new services they offer is courier replacement – and the bank tells you that a courier will arrive shortly to collect the faulty card.  A courier turns up, asks for your PIN as “confirmation”  – and your money magically vanishes. This scam has targeted thousands of people in some countries, especially the UK. If your card is faulty, a real bank will instruct you to destroy it, and send you a replacement by post.
Call your landline and “prove” it’s the bank by asking you to call back
A common new scam is a phone call from either “the police” or “your bank”, saying that fraudulent transactions have been detected on your card. The criminals will then “prove” their identity by “hanging up” and asking you to dial the real bank number – but they’ve actually just played a dial tone, and when you dial in, you’re talking to the same gang, who will then ask for credit card details and passwords.
Email you at a new address without warning
If your bank suddenly contacts you on your work address (or any other address than the one they usually use), this is not usually because they’ve thought, “Oh, it’s the working day, this is probably the best email to get him on.” Banks  will not add new email addresses off their own bat. If you want to be ultra-secure, create a special email address just for your bank, don’t publish it anywhere, or use it for anything else – that way, emails that appear to be from your bank probably ARE from your bank. As ever, stay cautious.
Use an unsecured web page
If you’re on a “real” online banking page, it should display a symbol in your browser’s address bar to show it’s secure, such as a locked padlock or unbroken key symbol. If that symbol’s missing, be very, very wary. This is one reason why it’s best to browse an online banking page from your PC – on a smartphone browser, it can be more difficult to see which pages are secure.
Address you as “Dear customer” or dear “youremail@gmail.com”
Banks will usually address you with your name and title – ie Mr Smith, and often add another layer of security such as quoting the last four digits of your account number, to reassure you it’s a real email, and not phish. Any emails addressed to “Dear customer” or “Dear [email address]” are instantly suspicious – often automated spam sent out in vast quantities to snare the unwary.
Send  a personal message with a blank address field
If you receive a personal message from your bank, it should be addressed to you – not just in the message, but in the email header. Check that it’s addressed to your email address – if it’s blank, or addressed to “Customer List” or similar, be suspicious.
Email you asking for your mother’s maiden name
When banks get in touch – for instance in a case of suspected fraud – they may ask for a password, or a secret number. What they won’t do is ask for a whole lot more information “to be on the safe side”. If you see a form asking for a large amount of information, close the link and phone your bank

Yahoo chief Marissa Mayer incurs wrath of white hats for iPhone 5S passcode dismissal

Yahoo chief executive and generally smart person Marissa Mayer has made a rare slip-up, publicly admitting she doesn't have a passcode on her smartphone due to being too busy.
Mayer made the revelation during an interview at the TechCrunch Dispute conference, gleefully admitting her security no-no when asked for her thoughts on the new Apple iPhone 5S fingerprint scanner.
"It's funny because you mocked me once at TechCrunch, maybe it was at LeWeb, because Mike was making fun of me because I don't have a passcode on my phone," she said.
"And Mike was like ‘Are you crazy?', and I was like 'Look, I just can't do this passcode thing, like 15 times a day,' and then when I saw the fingerprint thing I thought now I don't have to. I was excited about that and think building some of these smart sensors into the phone is really exciting."
Following the admission the security community is up in arms, with many bemoaning the ex-Google vice president's apparent ignorance about even the most basic smartphone security. Independent security expert Graham Cluley went so far as to call the Yahoo chief a "twerp".
"Colour me unimpressed. There's really not any excuse for having even the weakest four-digit passcode on your iPhone (longer, more complex passwords are better and surprisingly easy to remember), and yet lots of people have none in place," he wrote.
"What's alarming is that Mayer is the CEO of a major internet company, who have a responsibility for protecting the privacy of hundreds of millions of net users. What kind of example is she setting by not having any form of login security on her smartphone? What a twerp."
However, the accusation may be slightly over the top. As Tim Cook noted during the iPhone launch event on Tuesday, many iPhone users follow Mayer's example in not bothering to turn on the passcode, hence Apple adding the fingerprint scanner.

F-Secure's security advisor Sean Sullivan also took a more lenient approach to Mayer's admission. "It seems to me that the 'blame the user' tech crowd is a bit too eager to pile on the abuse for her habits. Perhaps they just don’t want to admit their advice is a failure, which doesn’t really meet everybody’s real-world needs," he said.
"Context matters. Regular people are careless with their phones, so regular people should really consider using a password. Internet company CEOs who live in the penthouse of the Four Seasons aren’t regular folks, so the same advice just doesn’t apply."
We think if polled, most chief executives around the world would give the exact same – albeit slightly less gleeful – answer. As such, while it's fair to bemoan Mayer's security mishap, we should avoid reverting to finger pointing and instead take it as a sign we need to do more to educate people about the importance of robust cyber security, as the UK government is doing with its ongoing Cyber Strategy. To watch the video click:http://www.youtube.com/watch?v=9g1DpjA5jbg&feature=player_embedded

In Pakistan, the Cyberwar has only just begun

In a dingy Internet cafe, Abdullah gets round the censors with one click and logs onto YouTube, officially banned for a year and at the heart of Pakistan's cyberwar for control of the web.
On September 17, 2012 Islamabad blocked access to the popular video-sharing website after it aired a trailer for a low-budget American film deemed offensive to Islam and the Prophet Mohammed.
Pakistan summoned the most senior US diplomat in the country to protest against the "Innocence of Muslims", demanding that the film be removed and action taken against its producers.
A year later, the film is barely mentioned but YouTube, whose parent company is US multinational Google Inc, is still banned in Pakistan, as it is in China and Iran.
Pakistan is no stranger to censorship. Foreign television programmes deemed offensive are blocked. Films shown at cinemas are stripped of scenes considered too daring.
But the YouTube ban is in name only.
Internet users like Abdullah Raheem, a university student in Pakistan's cultural capital Lahore, can easily access the site through a simple proxy or Virtual Private Network (VPN).
"Most people who go to school or university know how to access YouTube, but not the rest of the population," says Abdullah.
Only 10 percent of Pakistan's estimated 180 million people have access to the Internet, one of the lowest rates in the world.
"This ban has no impact," says Abdullah, who still feels bad about logging onto YouTube. "As a Muslim, I'm ashamed... because the 'Innocence of Muslims' defiled Islam."
Pakistan blocked the site only after Google was unable to block access to the film because it has no antenna in the country.
Although Google's executive chairman Eric Schmidt defended hosting the film, the company did have the technology to block access to it in countries such as Egypt, India and Saudi Arabia.
But the Pakistani government didn't stop there. It then ordered that websites be monitored for "anti-Islam content".
The Citizen Lab at the University of Toronto, which specialises in Internet censorship, says Pakistan has used Canadian company Netsweeper to filter websites relating to human rights, sensitive religious topics and independent media.
The researchers say that pornographic content and political websites from Baluchistan, Pakistan's southwestern province gripped by separatist insurgency, are among those blocked.
Shortly after Pakistan's former military ruler Pervez Musharraf was arrested in April, Pakistan shut down access to a satirical song posted on YouTube's rival Vimeo that poked fun at the army.
But the song "Dhinak Dhinak" performed by the Beygairat Brigade, which is Urdu for Shameless Brigade, quickly went viral as Pakistani Internet users went through proxy VPNs to watch it.
"It is still creating waves. So I think they helped our popularity by banning that song," said the Brigade's lead singer Ali Aftab Saeed, 29.
Saeed believes that the authorities are bent on a wider campaign of Internet censorship, not just restricting access to items considered blasphemous in the conservative Muslim nation.
"We thought that they would try to ban just the link to that particular video ('Innocence of Muslims') but they instead banned the whole website (YouTube) and then they extended it to satire and people who discuss the role of military groups.
"So yes, it is a worrying situation," he told AFP.
Shahzad Ahmad, director of Internet rights campaign group, Bytes For All, also says that online censorship serves a wider political agenda than just shutting down blasphemous content.
"The government is trying to curtail, limit and curb citizen freedom of expression," Ahmad told AFP.
He says citizens are waging a "cyberwar" against Pakistani institutions who are blocking and filtering the Internet.
"There is a very clear defiance from users, particularly from the youth on government filtering," he told AFP.
Bytes For All has gone to court in Lahore, demanding an end to "illegal and illegitimate" censorship of the Internet.
The fight is vital to stop the government developing tools of censorship that threaten "the security and private live" of individuals, says Farieha Aziz, a member of the Bolo Bhi advocacy group that is closely following the case, which encompasses the YouTube ban.
Software surveillance FinFisher, developed by British company Gamma and able to access content on personal computers, has been detected recently on Pakistani servers.
Although it is unclear whether it has been deployed by Pakistan's own intelligence agencies or foreigners, the NSA scandal in the United States has heightened suspicions.
In Pakistan, the cyberwar has only just begun

Fake Chinese ticket scam Fears Louvre Museum in Paris

French police are investigating a possible scam involving thousands of fake tickets for Paris's Louvre museum.
The museum was alerted after it found fake tickets were used on several occasions by Chinese tourists and guides during August, a source told Agence France Presse.
The same source said Belgian customs had, around the same time, found 3,600 fake tickets for the Louvre hidden in a package sent from China.
The Louvre is a top tourist attraction.
Housing famous art works such as the Mona Lisa and the Venus de Milo, it is one of the French capital's most visited sites and attracts some nine million people a year.
The first counterfeit tickets to be found on 12 August were quickly found to be forgeries.
"The ticket's texture was strange to touch and the general quality of the paper used wasn't good. The ink appeared to have run," a museum source told the Parisien newspaper.
But then some seized two days later were found to be of "very good quality, perfect clones of our tickets".
A criminal complaint was filed with the police on 15 August.
"We uncovered several more fake tickets in the following days, but we have not intercepted any since 26 August," a source told AFP.
"We are being very watchful because these tickets are valid for a year."
A judicial official was quoted as saying that several tour guides had been questioned in connection with the case but that no charges had been filed.

Vodafone Data Server Hacked, Access to master data of 2 million customers

Unknown computers have downloaded from the mobile phone provider Vodafone names, addresses and account details German customers.An Insider suspect has been identified.
Two million customers of the telecommunications company Vodafone are victims of data theft. The cybercriminals had stolen information on name, address, date of birth, gender, bank routing number and account number, Vodafone said.
Vodafone regrets the incident and her customers being informed by letter.
Only with high criminal energy and insider knowledge" have been possible to gain access to data,said Vodafone.
This case concerns only Vodafone Germany, other countries are not affected. The authorities had initially Vodafone asked to provide any information to the public in order not to jeopardize the investigation. Meanwhile, they have identified a suspect and a search made ​​for him. In coordination with the authorities Vodafone Germany informed now all those concerned fully and helps them to avoid possible damage.

Take care of your server, or it will be hacked and sold



Have you ever had a server open to the internet with SSH service running? Then you know how common it is to receive break in attempts against your servers produced by automated bots that scan wide ranges of hosts trying weak combinations of user/password to log into remote machines.

But what happens next? What is the business behind these activities?

We have been investigating a criminal underground store dedicated to selling access to hacked (rooted) servers. Their customers can buy an administrator (root) account in a hacked server, and then perpetrate criminal activities from it, distribute malware, install a botnet CnC, upload illegal contents, send spam, etc ...

We are going to study the store and their business following this index:

- The criminal underground store.

- How do they break into the servers.

- Who is behind this business?

The store seems to be quite profitable. The domain was registered on 07 April 2013 and the store website was probably made available some days after that. At the time of this research, they had around 400 customers, increasing day by day.

The site is behind CloudFlare to be protected against attacks and keep the real location of the server hidden.

The logo and the welcome screen where the website is described looks like this:

In the screenshot we can see they had 13 rooted servers to be sold at that time, with different prices, locations and technical details.

You can even see the technical details of each server to check if it fits your needs.

As we have been able to see, most of the rooted servers were outdated, running pretty old software.

At first, the site accepted Liberty Reserve for the payments, but as it is closed now, they accept Perfect Money and WebMoney.

But, how did they break into the servers?

We have managed to get access to their tools and procedures to crack and collect servers. They were not using sophisticated methods to achieve their goals.

The bad actors were mainly bruteforcing user accounts for SSH and Plesk with a wordlist of common combinations of username/password.

Firstly, wide ranges of IPs were scanned using this fast and portable port scanner (named fever). It will look for 8443 and 22 open ports. The scanned ranges belonged to hosting companies.

At the time of our research, they were scanning the range 72.10.32.0/19, property of Media Temple, Inc, a hosting company located in California.

After that, they will try to break into the servers using SSH and Plesk bruteforce. To attack Plesk, a tool to automatically log in was used.

$ strings -a top

[...]

easy init

passwd=%s&login_name=admin

://%s:8443/login_up.php3

top.location=

%s:admin:%s

%s Eu imi bag pula in perl can’t open %s

[...]

After we have seen their business and technical internals, who is behind it?

We have found evidences that the shop administrators were Russian speakers. Some software installed in the server was set to Russian language.

We have also found that they are or were involved in carding in the past, selling hacked PayPal accounts and credit cards, as a shop for this kind of stuff is hosted in the same server.

This is a good example of what can happen to a server if it is not properly protected, or has a weak password.

System administrators should know what to do to avoid this: keep unnecessary services filtered, update your software and use strong passwords (or even better, authentication keys)!

And do not forget to monitor all communications on the network, this can help you to prevent attacks or study post-compromise forensics.
Have you ever had a server open to the internet with SSH service running? Then you know how common it is to receive break in attempts against your servers produced by automated bots that scan wide ranges of hosts trying weak combinations of user/password to log into remote machines.
But what happens next? What is the business behind these activities?
We have been investigating a criminal underground store dedicated to selling access to hacked (rooted) servers. Their customers can buy an administrator (root) account in a hacked server, and then perpetrate criminal activities from it, distribute malware, install a botnet CnC, upload illegal contents, send spam, etc ...
We are going to study the store and their business following this index:
- The criminal underground store.
- How do they break into the servers.
- Who is behind this business?
The store seems to be quite profitable. The domain was registered on 07 April 2013 and the store website was probably made available some days after that. At the time of this research, they had around 400 customers, increasing day by day.
The site is behind CloudFlare to be protected against attacks and keep the real location of the server hidden.

The logo and the welcome screen where the website is described looks like this:

In the screenshot we can see they had 13 rooted servers to be sold at that time, with different prices, locations and technical details.
You can even see the technical details of each server to check if it fits your needs.
As we have been able to see, most of the rooted servers were outdated, running pretty old software.
At first, the site accepted Liberty Reserve for the payments, but as it is closed now, they accept Perfect Money and WebMoney.
But, how did they break into the servers?
We have managed to get access to their tools and procedures to crack and collect servers. They were not using sophisticated methods to achieve their goals.
The bad actors were mainly bruteforcing user accounts for SSH and Plesk with a wordlist of common combinations of username/password.
Firstly, wide ranges of IPs were scanned using this fast and portable port scanner (named fever). It will look for 8443 and 22 open ports. The scanned ranges belonged to hosting companies.
At the time of our research, they were scanning the range 72.10.32.0/19, property of Media Temple, Inc, a hosting company located in California.
After that, they will try to break into the servers using SSH and Plesk bruteforce. To attack Plesk, a tool to automatically log in was used.
$ strings -a top
[...]
easy init
passwd=%s&login_name=admin
://%s:8443/login_up.php3
top.location=
%s:admin:%s
%s Eu imi bag pula in perl can’t open %s
[...]
After we have seen their business and technical internals, who is behind it?
We have found evidences that the shop administrators were Russian speakers. Some software installed in the server was set to Russian language.
We have also found that they are or were involved in carding in the past, selling hacked PayPal accounts and credit cards, as a shop for this kind of stuff is hosted in the same server.
This is a good example of what can happen to a server if it is not properly protected, or has a weak password.
System administrators should know what to do to avoid this: keep unnecessary services filtered, update your software and use strong passwords (or even better, authentication keys)!
And do not forget to monitor all communications on the network, this can help you to prevent attacks or study post-compromise forensics.