Thursday, 21 November 2013

What becomes of the broken hearted? Dating website leaked 42 million usernames and passwords

Dating site Cupid Media left personal details and plain text passwords for 42 million users exposed after an attack earlier this year. The details included names, emails and birthdays for users of the dating service, according to Brian Krebs of Krebs on Security.
The data was discovered on the same server containing records for tens of millions of Adobe users leaked in a recent breach, according to Krebs.
The attack appeared to have been committed by the same group of hackers responsible for the Adobe hack and other attacks on companies including PR Newswire, according to The Register’s report.
Darknet’s report on the attack points out that no public announcement was made at the time of the intrusion – thought to be January 2013. Darknet also points out that 1.9 million users used the password, “123456”, which would have offered, the site says, no protection even if the passwords had been encrypted.
Krebs points out that a further 91,000 users employed “iloveyou” as their password.
“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Andrew Bolton, Cupid Media’s MD told Krebs. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
Bolton said that many of the records referred to “old, inactive or deleted” accounts.
“Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords,” Bolton told Krebs. “We have also implemented the need for consumers to use stronger passwords and made various other improvements.”
Adobe admitted that around 38 million active users may have had IDs and encrypted passwords accessed in a breach earlier this year; that data was discovered on the same server as the data from Cupid Media.
ESET researcher Stephen Cobb described the breach as “unprecedented” at the time, because attackers also appeared to have accessed source code for Adobe’s Acrobat software, and the company now admits that source code for other products such as Photoshop also leaked.
ESET researcher Stephen Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”

Chronology of a Skype attack

Massive malware attacks have a huge impact on users. First of all, such attacks leave them vulnerable and unprotected. Secondly, they show the ability of cybercriminals to re-use old techniques that continue to ensnare thousands of users. By the middle of May, users around the world started to receive messages from their contacts through different instant-messaging applications, such as Skype and Gtalk.
With respect to malware propagation, there is a life cycle from one campaign carried out by the attacker to the next. During this variable period of time, the effectiveness of the attack usually changes, reaching a maximum effectiveness level, either due to the volume of infected victims or the number of people who received the threat.
When the volume of potential victims who receive the same threat through the same propagation channel over a short time period rises over a certain threshold, we can see chain reactions that exceed the attacker’s target and start to reach people outside the group of users who were chosen as possible victims.
Many of these factors came together on May 20th, when, as well as notifications from the ESET Early Warning System, we got queries from affected computer users and even received messages from contacts that members of the ESET Latin America’s Laboratory had associated with their Skype accounts. This behavior was one of the first indicators that analysis of the threat was necessary, so that we were able to alert users in the region about the appearance of a new worm which was spreading massively throughout the area and, most likely, into the rest of the world.
On May 20th, the Internet was flooded with messages propagated through Skype, which invited users to see a photograph that had been uploaded to different social networks. The links redirecting the user to the threat had been shortened with the Google URL-address shortener, so those who followed them would be tricked into downloading an archive with the malicious code.
This threat was detected by ESET Smart Security as a variant of Win32/Kryptik.BBKB, and it managed to lure more than 300,000 users into clicking on the messages and unexpectedly downloading the threat.
The impact in the first hours of the attack and the high volumes of users taken in by social engineering were reflected in the URL-address shortening system statistics, as can be seen in the following image:
Figure 1 – Propagation of malicious links during May 20th.

Moreover, what had initially been detected by the advanced heuristics of ESET’s products was identified after the initial analysis in the Laboratory as a variant of Win32/Gapz, a powerful bootkit previously analyzed by ESET’s Labs that is able to inject itself into the explorer.exe process in order to gain control of the system. After a more thorough analysis, it was determined that the threat was in fact the PowerLoader dropper.
Out of the total number of clicks, 27% came from a Latin American country; the first three are Mexico (27,023), Brazil (37,757) and Colombia (54,524). Among the other affected countries, particularly noteworthy are Russia, with a total of 41,107, and Germany, which is in first place globally with 84,817 clicks during this first wave.
The message used by the infected computers varied from time to time, but all the victims’ contacts received a similar message to the one shown in the image below:
Figure 3 - Propagation message spread by a user infected with Win32/Rodpicom
In the days following the first wave of messages, the cybercriminals responsible for this attack kept on using different messages and new variants of their malware. This did not increase the number of users becoming victims of the deception, as was expected, but it did generate new and different messages.
Looking at the propagation graphics and statistics, it was almost certain that the most affected countries were not Latin American; however, thousands of users were being deceived by messages that were not even meant for them, becoming infected with a single click and thus spreading the malware to all their contacts.
The “Skype worm” proved to have a high propagation rate, spreading almost exponentially during the first days of operation, unsurprisingly since as each new person became a victim, all his or her contacts on Skype, Gtalk and other instant messaging systems received these same malicious links.
Figure 6- Geographic spread of the clicks on bit.ly links.
The two main threats involved corresponded to variants of Win32/PowerLoader, which infects the system and reports back to the C&C (Command and Control panel), and Win32/Rodpicom, a worm that is able to spread through different instant messaging applications. If you would like more details about the threats used in this attack, we suggest you take a look at the full article.
Combining multiple threats into one single attack is not a novelty, but once again it proved to be extremely effective. Furthermore, each of the pieces of malware involved had a specific function.
The events that took place between May 20th and the first days of June showed that techniques that are many years old can still be effective enough to cause damage. Different organizations found out that their security solutions were vulnerable, receiving warnings in large quantities but having no understanding of what was going on until the picture gradually cleared and the threats were identified. We’ve put all the information we gathered during our analysis into an article that you can download from here.
Cybercriminals do not need to reinvent the wheel for every attack: unfortunately they only need to combine malicious pieces of code in the right way and to trick the average user into double-clicking on it.

Graham Cluley: AV shouldn’t just be something on your hard drive – it should be part of a global immune system

Graham Cluley has worked in the AV industry for two decades. He currently works as an independent analyst, and offers news and views on AV issues at his blog. This is the first in a series of guest blog posts by experts, analysts and researchers at We Live Security.

When I first started working for an antivirus company in 1992, you’d get your software updates on floppy disks. They were sent out every three months. If you were really paranoid, you went for the monthly updates. Viruses took months to spread around the world – via floppy disk. There were 200 new viruses a month – and we thought that was pretty bad.
There was actual serious discussion over what was going to happen to antivirus programs when there were 10,000 viruses. People predicted disaster. People worried that the AV programs would be too big, they’d take up too much memory and be too slow. Now, of course, we see 100,000 new variants of malware a day. As soon as money became involved, it became industrialized – and I have to say, some of the fun went out of being a virus researcher.
Back in the old days viruses weren’t made to make money – they were just graffiti. They could cost you money – but the “point” would be the letters falling down your screen, or a graphic of an ambulance driving across. There was an artistry there – something I blogged about a while ago.
Many viruses were also unique – even if they were destructive. I remember a polymorphic infection from the early days – it completely changed its spots every time – but it stood out because the writer was so keen to make a British piece of malware. The SMEG Pathogen virus, named after a swearword used in the British TV comedy show Red Dwarf, was written by this English chap Christopher Pile. It stood for Simulated Metamorphic Encryption Generation. When it wiped your hard drive, it said, “Smoke me a kipper, I’ll be back for breakfast… but your data won’t.”
The media had been guilty of presenting malware as largely Eastern European in origin, and Pile wanted to prove them wrong.  He worked hard, on his own, to make his virus hard to detect.
With the commercialization of malware, that’s all gone. They don’t care about the quality – just the money. I saw it first with attacks targeting AOL users. They were stealthy – just stole password details and credit cards.
There wasn’t any attempt to be clever. There were enough people who didn’t update Windows that it would spread anyway. Now, it’s more than that. It’s “Let’s write computer programs to write more malware for us.” Counting malware has always been like counting butterflies – is that particular strain really new? Is it just an old one? There’s a lot of long arguments over that – and there always have been.
But now, most of what we see is not entirely new and unique, it’s based on malware we’ve seen before. Each new variant has been written by a computer – and is usually spotted by a computer.
Even if you have 100 researchers, you can’t keep up with the volume of detections. Expert systems do the detection – customers want protection very, very quickly, and you don’t want to flag up “false positives”. That just annoys people – and makes them turn off the software that’s protecting them. Humans can’t provide that level of protection. Expert systems can.
An expert system can, for instance, look inside a piece of code, and make a guess about whether it’s a banking Trojan very quickly. They’ll scan for banking URLs – or related ones. They’ll look for other markers – is there any Portuguese?  A lot of today’s banking Trojans come from Brazil – and the code’s compiled with Delphi. So the system will look for a Delphi copyright message – but of course, the cybercriminal knows it will, so he’ll write that it was done in Microsoft C. A clever expert system will look at that, and know that here we have a piece of code that’s in Portuguese, is pretending to have been compiled in C – hiding its origin – and has banking URLs in it. Even if you’ve never seen it before, you’ve already got a good idea it’s bad.
That’s a very simplified take, of course – but this proactive defense is the future. Not in labs, but in home PCs. You have to look at the behavior of malware in real time, and when you think, “This is suspicious,” either turn it off, alert the user, or report back to base. You need to be careful about alerting the user – they don’t like too many alerts – so for everything to work, it’s all about that report back to base. Your PC has to be part of a bigger system.
Antivirus software isn’t a program in your hard drive – it’s a communication system. Done right, it works like an immune system, but a global one. Sending information isn’t always something we like to do. Those windows asking you to share information, often without any measurable benefit to you, are something we’ve seen for decades – I suppose it’s a thorny issue, and some people don’t like to feel their privacy is invaded – but it’s needed now more than ever.
Those proactive programs help to provide information that allow AV companies to react faster – feeding back data turns every PC user into part of the team, the immune system. The box which says, “Enable feedback” on AV products – but also on Windows, say, is a pretty important box to tick.
We’re all on the internet – we’re all related. It’s a family – the odd black sheep, the odd dodgy uncle – but we should look after it. If it is computer fighting computer, with us somewhere in the middle, you should at least let your computer fight. I think most of us would like to look after the community. Feedback is your way of giving something back. It’s your way of being proactive. That, I suppose, and preventing people in your real family running Windows XP when the plug gets pulled next year, and the patches stop. Buy them a Mac – it’s nearly Christmas, after all.

PC gaming service fined $1m for serving up Bitcoin-mining malware

A popular PC gaming service which “hijacked” its users’ PCs to mine Bitcoins by serving up malware alongside its official PC software has paid out $1m in an official settlement.
“These defendants illegally hijacked thousands of people’s personal computers without their knowledge or consent, and in doing so gained the ability to monitor their activities, mine for virtual currency that had real dollar value, and otherwise invade and damage their computers,” said New Jersey’s acting attorney general John Hoffman, according to the BBC’s report.
The company, E-Sports Entertainment (ESEA), served up malware which used PCs to mine Bitcoins, an attack which earned $3,602. The malware was delivered surreptitiously alongside the company’s official client. The company said that the incident was the work of one former employee, whose contract was terminated in the wake of the incident, according to The Inquirer.
“The press release issued by the Attorney General about our settlement represents a deep misunderstanding of the facts of the case, the nature of our business, and the technology in question,” ESEA said on its blog.
“Moving forward, it is our intent to provide our community with confidence that ESEA will be taking every possible step to protect your privacy,” the company said. “The employee who was responsible for the Bitcoin incident was terminated, and we are taking steps to ensure that nothing like this can happen again.”
The hidden Bitcoin-mining process was discovered by users after they noticed PC graphics cards were still working while the machines were idle.
“In the past two days I’ve noticed when my computer was idle, my GPU usage was hovering 90%+ with temps in the high 60s low 70s (hot for my card),” one gamer wrote in a post on the company forums, as reported by We Live Security here.
“Turns out for the past 2 days, my computer has been farming bitcoins for someone in the ESEA community.”
The company initially dismissed the incident as an April Fool’s joke gone wrong. But in a later post, co-founder Eric Thunberg admitted that “this is way more shady than I originally thought.” A client update was released which removed the Bitcoin-mining software.
David Harley, Senior Research Fellow at ESET, said at the time, “I remember a time when distributed processing was a pretty specialized area that was sometimes used for volunteer initiatives like SETI@home and various medical research projects.”
“Along came malicious botnets that harnessed the capabilities of virtual networks for resource-intensive attacks like DDoS and captcha-breaking. I suppose it was inevitable that the bad guys would try harnessing the spare (and not so spare) processing capacity of victim machines as a way of exploiting the much-abused Bitcoin currency.”
ESET Malware Researcher Robert Lipovsky wrote in an earlier We Live Security post that Bitcoin and other crypto-currencies are being targeted by cybercriminals this year.
“There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both,” Lipovsky writes.

10 Worst Password Ideas (As Seen In The Adobe Hack)

If you’re a registered Adobe client, change your passwords now. They have been stolen and published on the Internet, someone even made a crossword puzzle out of them. This is a good occasion to examine which passwords are better NOT to use.
A recent Adobe breach involved customers’ data theft and will definitely have long-term consequences. Initially, Adobe stated that the hack affected about 3 million users. It turned out that the leaked database contained about 150 million records; moreover, stored passwords are poorly protected and could be recovered in their original form in many cases. As a result, Facebook required affected users to change their password if they use the same password for the social network.
Using a single password for different online services is a serious security issue. Even worse, millions of users make the same mistake when inventing a new password. Let’s learn from these mistakes, taking the most popular passwords from the Adobe database as a recent example.

1.  “Password”, “qwerty” and “123456”

Astonishingly, these very obvious passwords still top the popular passwords list after all these years. In the Adobe database, the password “123456” takes first place, with over 2 million users out of 150 million using it. Second to it is the much more complicated password “123456789”, followed by the word “password” itself: 345 thousand users selected “password” as a password. The keyboard sequence “qwerty”, which holds 6th place, was also popular.

2. Company or site name or its variations

You might think that the login “John” with the password “Facebook” is original. It is not. Of course, a service name might not be present in the dictionaries hackers use to bruteforce passwords. However, an experienced hacker will definitely add such passwords to his dictionary (as we’ve seen in the Adobe case). This principle is used in passwords ranked #4, #9, #15 and #16 in the Adobe top-100: “adobe123”, “photoshop”, “adobe1” and “macromedia”.

3. Name=Password and other hints

Even though other providers might encrypt stored passwords much better than Adobe did, it’s quite probable that a hacker will see the accompanying fields in the database without extra effort, and they have proven to be quite useful for password recovery. The fields in question are user name, email, password hint, etc. The biggest hit is a password that is exactly the same as the user name. Other “smart” tricks are quite impressive as well: some people write their passwords down in the password hint field, or provide such obvious hints as “1 to 6” or “Last First”.

4. Obvious facts

Facebook is a favorite hacker tool. Having the email and user name of a victim, it’s very easy to make a Facebook search and solve such password hints as “dog”, “son’s name”, “birthday”, “work”, “mother’s maiden name”, “favorite band” and so on. About one third of all hints refer to family members and pets with an additional 15% quoting a password directly or almost directly.

5. Simple sequences

It seems that the possible letter and digit combinations are endless. However, people use this power in a very limited way: they have very strong “hints” in the form of the alphabet and the keyboard in front of them. This is how passwords like “abc123”, “00000”, “123321”, “asdfgh” and “1q2w3e4r” are born. If you have discovered some letter and digit sequence that is very easy to memorize, abandon it: it’s also convenient for hacking and most likely present in password dictionaries.

6. Basic words

According to various researchers, from one third to one half of all passwords are simple words from the dictionary, and they typically belong to the 10 thousand most frequently used words of a language. Modern computers are able to try 10,000 passwords in a few seconds, which is why these passwords are totally unreliable. In the Adobe top list there are a lot of passwords of this kind: “sunshine”, “monkey”, “shadow”, “princess”, “dragon”, “welcome”, “jesus”, “sex”, “god”.

7. Obvious modifications

To make dictionary-based bruteforce attacks harder, most services require users to set their password according to specific rules, for example: at least 6 characters, obligatory mixing of upper- and lower-case letters, plus digits and special characters. As I wrote before, these measures date from the 20th century and we must reconsider them today, but users have already found their way around those requirements. Most often the first letter becomes the only uppercase one, while the most popular number-based modification is adding “1” at the end of the password. In the Adobe database, these tricks are combined with obvious words, resulting in quite bad passwords like “adobe1” and “password1”. The most popular special characters are exclamation marks and underscores.

8. Obvious modifications-2 (1337)

Thanks to the “Hackers” movie and other pop culture artifacts, a wider audience is now aware of “hacker speak”, LEET (1337), in which some letters are replaced by similar-looking numbers or characters, along with other basic modifications. Making such replacements seems like a good idea, and passwords like “H4X0R” or “$1NGL3” look impressive. Unfortunately, they are not much more complicated than the obvious “hacker” and “single”, because password bruteforcing apps feature a so-called mutation engine, which tries all the obvious modifications on each dictionary word.

9. Energetic sentences

In the modern world, longer passwords are always better, so a passphrase is considered better protection than a password. However, there are multiple exceptions: very short and extremely predictable phrases. In the Adobe top-100 you can find “letmein”, “fuckyou” and “iloveyou”. Nothing to add.

10. Social security and other important numbers

Those passwords are harder to guess. However, hackers will definitely spend additional effort on finding such numbers when they see a “my social security number” type of password hint. Combined with a user name, birthdate and other Facebook-provided data, an SSN is usable for identity theft, making this kind of password very easy to monetize.

Hors concours – identical passwords

We can’t find it in a single (Adobe’s) database, but this mistake is as popular as using “123456”: using the same password for multiple online services. It’s quite obvious why it’s very bad. If your Adobe password becomes known to hackers, they can try your email/password combination on all popular sites like Facebook/Gmail and compromise not one but many of your accounts. According to a survey conducted by B2B International for Kaspersky Lab, 6% of users use a single password for all of their accounts, while 33% use only a handful of passwords. If the Adobe site was among the ones they use, those users are now at risk of having their entire digital life hacked.
Obviously, all the aforementioned mistakes are made for one simple reason: today we typically use 5-10 online services and it’s very challenging to remember 5-10 unique and complicated passwords. Luckily, there is a simple technical solution to this problem.
Here is our solution:
  • Don’t use the same password for multiple sites.
  • Use long and strong passwords.
  • Check your password reliability using special services.
  • Use a special password manager to store all your passwords in an encrypted form and don’t waste your time trying to memorize all of them. This way you can have unique, extremely complicated and strong passwords for each site without the risk of forgetting any of them.
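A defender-side screen that undoes the modifications sections 2, 3, 5, 6, 7 and 8 describe (case, a trailing “1”/“!”/“_”, leetspeak) before comparing a candidate against weak words, the site name and the user’s own identifiers. This is an added example, not Kaspersky’s code or a real cracking dictionary: the word list is constructed from the Adobe top-100 entries quoted above, and the site, user and hint values are made up.

```python
"""Password screen that reverses the obvious modifications a cracker's
mutation engine applies, then checks the resulting base strings."""
import re

# Leet substitutions that mutation engines apply; reversed here (1 -> i, 3 -> e, ...).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})
SUFFIX_RE = re.compile(r"[\d!_]+$")        # "password1", "adobe123", "welcome_"
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Constructed from the Adobe top-100 entries quoted in the post; a real
# deployment would use a full leaked-password list instead.
WEAK_BASES = {
    "password", "qwerty", "123456", "123456789", "abc123", "123321", "asdfgh",
    "1q2w3e4r", "sunshine", "monkey", "shadow", "princess", "dragon", "welcome",
    "jesus", "sex", "god", "hacker", "single", "letmein", "iloveyou",
}


def candidate_forms(password):
    """All the base strings a mutation engine could have produced this password from."""
    low = password.lower()                         # "Password1" -> "password1"
    forms = {low, SUFFIX_RE.sub("", low)}          # + "password"
    forms |= {f.translate(LEET) for f in list(forms)}  # "p4$$w0rd" -> "password"
    forms.discard("")
    return forms


def is_keyboard_walk(s):
    """"qwerty", "asdfgh", "00000": one repeated key or a run along a keyboard row."""
    if len(s) < 4:
        return False
    if len(set(s)) == 1:
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, site="", username="", email="", hint=""):
    """Return the list of reasons the password fails the screen ([] means it passed)."""
    reasons = []
    forms = candidate_forms(password)
    if len(password) < 12:
        reasons.append("too short (under 12 characters)")
    if forms & WEAK_BASES:
        reasons.append("top-list word once obvious modifications are undone")
    # Section 2: the site or company name, e.g. "adobe123", "adobe1".
    site_words = {w for w in re.split(r"\W+", site.lower()) if len(w) >= 3}
    if any(w in f for w in site_words for f in forms):
        reasons.append("contains the site or company name")
    # Section 3: user name (or mailbox name) reused as the password.
    personal = {w for w in (username.lower(), email.lower().split("@")[0]) if len(w) >= 3}
    if any(w in f for w in personal for f in forms):
        reasons.append("contains the user name or e-mail")
    if any(is_keyboard_walk(f) for f in forms):
        reasons.append("keyboard or digit sequence")
    # Section 3: the password written into its own hint field.
    if hint and password.lower() in hint.lower():
        reasons.append("password hint reveals the password")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; site, user and hint values are made up.
    for pw, kw in [("P4$$w0rd1", {}), ("adobe123", {"site": "Adobe Systems"}),
                   ("$1NGL3", {}), ("zxcvbnm1!", {}),
                   ("jsmith2013", {"username": "jsmith"}),
                   ("Tr0ub4dor&3", {"hint": "Tr0ub4dor&3"}),
                   ("correct horse battery staple", {})]:
        print(f"{pw!r}: {check_password(pw, **kw) or 'ok'}")
```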

MS Silverlight 5 flaw exposes 40M Netflix users to security risk

Users of Netflix, the provider of on-demand Internet streaming media, must beware of a Silverlight exploit that could allow attackers to compromise their systems.

A vulnerability in Microsoft Silverlight 5 exposes nearly 40 million Netflix streamers to the risk of cyber attacks; the flaw is being exploited to execute arbitrary code on victims’ systems without any user interaction. The risk is high considering the wide audience of Netflix. In recent weeks many popular web portals have been hacked, including php.net, MacRumors and vBulletin, with serious consequences for visitors: the websites were used to serve malware and siphon members’ personal information.
A few days ago the Inj3ct0r Team of the exploit database website 1337Day claimed responsibility for the hack of the MacRumors official website, which is based on the vBulletin CMS, and announced that it had exploited a zero-day flaw for the attack.
Macrumors.com was based on vBulletin CMS. We use our 0day exploit vBulletin, got password moderator. 860000 user data hacked too. The network security is a myth
During the conversation, the team leader said that he had discovered a zero-day remote code execution vulnerability in vBulletin v4.x.x and 5.x.x that allows an attacker to execute arbitrary code on the server remotely.
Netflix, Inc. is an American provider of on-demand Internet streaming media; a vulnerability in Silverlight could expose those customers who watch Netflix via PC to hacking attacks. Streaming functionality is implemented with the Microsoft Silverlight application framework.
The attack scenario is very simple: a prompt asks Netflix members to download a plug-in:
“If you do not already have Microsoft Silverlight plug-in installed, you will be prompted to download and install the free plug-in for your web browser. Just follow the instructions to get started.”
The attackers try to exploit a vulnerability (CVE-2013-0074) patched by Microsoft on March 12th, 2013; if the targeted machine is not up to date, the exploit is able to compromise it.
Malware.dontneedcoffee.com, aka Kafeine, revealed that the Silverlight exploit has been integrated into the Angler exploit kit, so the attacker only needs to lure the victim to an infected page.
Kafeine reported that the Silverlight vulnerability is being used by the same cybercriminal gang behind the Reveton ransomware:
“Angler EK is definitely on the move. It’s not a huge surprise when we can speculate that the team behind is the same that was first using Cool EK (Paunch VIP customer) and is behind the Reveton threat.”
The Angler kit is a recent tool that appeared in the underground as a consequence of the arrest of the alleged creator of the Blackhole exploit kit.
If a user is enticed to a malicious page, the Angler exploit kit determines whether Silverlight is installed and which version is running. If the machine is a potential target, a specially crafted library is triggered to exploit the Silverlight vulnerability and serve malware.
“Those that already have an older version of Silverlight can still watch Netflix and may not be aware that their computers are at risk,” wrote Jerome Segura, researcher at Malwarebytes. “We can expect this CVE to be integrated into other exploit kits soon, so it is important to make sure you patch all your machines now. Even if you don’t watch Netflix, you may have installed Silverlight in the past and forgotten about it. If you don’t need Silverlight (or other plugins), simply remove it altogether as that will help to reduce your surface of attack.”
Netflix users, and more generally any Internet user with Silverlight installed, are advised to keep their systems up to date; this is necessary to avoid further compromises, considering that other exploit kit authors will soon integrate code exploiting the vulnerability into their products.
Users have been alerted, and there will be no excuse in case of accidents.

British blogger discovered LG Smart TV spying on users

A British blogger revealed that his LG Smart TV collects and sends details about the owner’s viewing habits even if the user has activated a privacy setting.

Exactly one year ago we discussed the possibility of exploiting a vulnerability in Samsung Smart TVs to penetrate our domestic network, spy on us or serve malware.
The British developer and blogger DoctorBeet announced that he had discovered that his LG Smart TV is sending data about his family’s viewing habits back to the South Korean manufacturer.
It seems that the Smart TV, model LG 42LN575V, sends data back to LG servers even though the blogger has disabled the option “Collection of watching info” in the TV settings menu.
The Smart TV sends information on the channels being watched and the viewing time back to a non-functional URL, but the most concerning thing is that the device also collects and sends to LG the filenames of some media on a USB device connected to the TV.
To test the anomalous behavior, DoctorBeet created a mock video file, which he transferred to a USB stick; he named the file Midget_Porn_2013.avi so that it couldn’t possibly be confused with the TV set’s firmware. Once he connected the USB stick to the Smart TV, he verified that the filename had been transmitted in clear text to GB.smartshare.lgtvsdp.com.


Not all filenames present on USB devices were transmitted, but DoctorBeet wasn’t able to find out the principle that governs the practice.
“Sometimes the names of the contents of an entire folder were posted, other times nothing was sent. I couldn’t see what rules controlled this.”
DoctorBeet noted that the URL contacted by the Smart TV with POST requests doesn’t exist; for this reason he received HTTP 404 responses from LG’s server after the ACK.
Even if the URL doesn’t reply, it could be used by LG in the future to enable the collection of users’ habits for commercial use, for example to provide customized content and ads.
LG Smart Ad collects and analyzes users’ favorite programs, online behavior, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances for women.
“Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs – collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.”
“However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored. It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites,” the blog post reported.
DoctorBeet contacted LG, which replied that the behavior complies with the Terms and Conditions for the Smart TV; the company also suggested that he take up the issue with the retailer who sold him the set.
Thank you for your e-mail.
Further to our previous email to yourself, we have escalated the issues you reported to LG’s UK Head Office.
The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer.  We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.
We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom
LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am – 5pm
The Information Commissioner’s Office told the BBC that it is investigating the issue.
“We have recently been made aware of a possible data breach which may involve LG Smart TVs,” said a spokesman.
“We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
LG told the BBC that the company is investigating the complaint:
“Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously,”
“We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.” “LG offers many unique Smart TV models which differ in features and functions from one market to another, so we ask for your patience and understanding as we look into this matter.”
As for why this particular LG Smart TV is collecting data in the first place, DoctorBeet cites a corporate video aimed at potential advertising partners. The lengthy clip includes claims such as the description of LG Smart Ad quoted above.
DoctorBeet closes the post by suggesting how to stop the data transmission; he has identified and blocked 7 domains used to collect users’ data:
  • ad.lgappstv.com
  • yumenetworks.com
  • smartclip.net
  • smartclip.com
  • smartshare.lgtvsdp.com
  • ibis.lgappstv.com
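As an added defender-side example (our own code, not from DoctorBeet’s post or LG), the following Python script audits a Smart TV’s captured outbound HTTP requests against the domain list above: it treats any subdomain of a listed domain as a hit, pulls media filenames out of POST bodies, and deliberately ignores the response status, since a 404 says nothing about whether the request was logged. The request records, their field names and the paths are constructed for illustration.

```python
"""Audit a Smart TV's outbound HTTP requests for telemetry sent to the
collection domains listed above, independent of the HTTP status returned.

Added example, not code from DoctorBeet's post. Assumptions: requests are
supplied as dicts already extracted from a capture or proxy log; the field
names 'host', 'path', 'status' and 'body' and all paths are our own.
"""
import re
from typing import Iterable

# Domains the post reports as used for data collection; any subdomain
# (e.g. GB.smartshare.lgtvsdp.com) counts as a hit.
COLLECTION_DOMAINS = (
    "ad.lgappstv.com",
    "yumenetworks.com",
    "smartclip.net",
    "smartclip.com",
    "smartshare.lgtvsdp.com",
    "ibis.lgappstv.com",
)

# Anything that looks like a media filename from a USB device.
MEDIA_NAME_RE = re.compile(r"[\w\-. ]+\.(?:avi|mkv|mp4|mov|mp3|jpg|png)",
                           re.IGNORECASE)


def is_collection_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed collection domain.
    Matching on the dot boundary avoids false hits such as evilsmartclip.com."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in COLLECTION_DOMAINS)


def extract_media_names(body: str) -> list:
    """Return media filenames found in a (decoded) POST body."""
    return MEDIA_NAME_RE.findall(body)


def audit(requests: Iterable[dict]) -> list:
    """Flag every request to a collection host.

    The status code is recorded but never used as a filter: a 404 only
    means nothing handled the request, not that the server did not log it.
    """
    findings = []
    for req in requests:
        if not is_collection_host(req["host"]):
            continue
        findings.append({
            "host": req["host"],
            "path": req["path"],
            "status": req["status"],
            "media_names": extract_media_names(req.get("body", "")),
        })
    return findings


def hosts_file_block(sink: str = "0.0.0.0") -> str:
    """Render the collection domains as hosts-file sinkhole entries.

    A hosts file matches exact names only, so GB.smartshare.lgtvsdp.com would
    slip past it; a DNS-level block at the router covers subdomains too.
    """
    return "\n".join(f"{sink} {d}" for d in COLLECTION_DOMAINS)


# Constructed sample traffic (not from the post), as a capture tool might
# summarise it; the paths are placeholders.
SAMPLE_REQUESTS = [
    {"host": "GB.smartshare.lgtvsdp.com", "path": "/placeholder/collector",
     "status": 404, "body": "files=Midget_Porn_2013.avi,Holiday 2013.mp4"},
    {"host": "ad.lgappstv.com", "path": "/placeholder/ad",
     "status": 200, "body": "channel=BBC1&watch_time=1800"},
    {"host": "www.bbc.co.uk", "path": "/iplayer", "status": 200, "body": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```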

HP Data Protector 8.1 released with SAP HANA integration

HP has announced the latest update to its Data Protector service, which focuses on data backup and integration with other storage and data protection products on the market.
The Data Protector 8.1 update was unveiled by the HP Autonomy division and touted as an “adaptive backup” tool that can be fine-tuned to businesses' requirements for how and where data can be stored.
HP said this would enable firms to move from the old method of "set and forget" data backup and instead allow more real-time operational decision-making on how and where data should be stored, and the policies that govern its access.
David Jones, general manager of Data Protection at HP Autonomy, said the update marked "the end of backup as we know it" by helping to "transform" how businesses manage their data.
Furthermore, the tool has been given a number of integration improvements, most notably with SAP HANA to provide a backup and recovery option for any data logs used in HANA, and offers the ability to return to the data sets at a specific point in time.
The Data Protector 8.1 tool also includes integration with other storage tools from HP, including StoreOnce and 3Par StoreServ to offer encryption and compression capabilities and better recovery support.
HP has also added integration with Microsoft Active Directory and VMware vCenter 5.5, and certification of both VMware vSphere 5.5 and vCloud Director 5.5. HP Data Protector 8.1 is expected to be available in January 2014, the firm said.
HP Autonomy also announced that it now has over 60,000 customers using the Data Protector, LiveVault and Connected Backup suite of tools. Notable firms referenced by HP Autonomy included DreamWorks Animation, Spar, Telefonica and UPS.
HP will be hoping this entices more firms to its offerings and proves it is making a success of the Autonomy division, despite ongoing controversy over accounting practices at the firm.

Jboss Application Server flaw exploit allows web shell code injection

Imperva experts detected a surge in the exploitation of JBoss Application Server as a result of the public disclosure of exploit code.

Cybercrime never stops, and this time the alarm concerns a vulnerability in JBoss Application Server that enables an attacker to remotely obtain a shell on a vulnerable web server.
The concerning aspect of the story is that the JBoss Application Server flaw is in reality a two-year-old vulnerability, but the security firm Imperva has recently noted a surge in the exploitation of web servers powered by JBoss AS, probably as a result of the disclosure (Oct. 4) of exploit code named pwn.jsp that abuses this bug.
The pwn.jsp shell isn’t the only exploit available; Imperva’s Barry Shteiman confirmed that another, more sophisticated shell is available to attackers.
“In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities.”
In a threat advisory, researchers at Imperva revealed that a number of government and education websites have been hacked. By exploiting the JBoss Application Server vulnerability an attacker can obtain remote shell access on the target system, inject code into a website hosted on the server or steal files stored on the machine.
“The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server. Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that Application Server.”
As noted, the JBoss Application Server flaw is not new: in 2011, during a security convention, researchers demonstrated that JBoss AS is vulnerable to remote command execution via the ‘HTTP Invoker’ service, which provides Remote Method Invocation (RMI)/HTTP access to Enterprise Java Beans (EJB).
On Sept. 16th the National Vulnerability Database issued an advisory warning of a critical remote code execution bug affecting HP ProCurve Manager, assigned the identifier CVE-2013-4810; on October 4th 2013 a security researcher disclosed exploit code for the JBoss Application Server vulnerability. As a consequence the security community witnessed a surge in JBoss AS hacking; the malicious traffic originating from the compromised servers was detected by Imperva’s honeypots.
Within a few weeks an exploit was added to exploit-db that successfully gained a shell against a product running JBoss 4.0.5.
JBoss Application Server is a very popular open-source Java EE-based application server designed by JBoss, now a division of Red Hat. In late 2012 JBoss AS was renamed “WildFly”. Since disclosure of the exploit code, many products running the affected JBoss Application Server have been impacted, including some security software.
As explained in the post published by Imperva, the vulnerability lies in the Invoker service, which enables applications to access the server remotely. The Invoker improperly exposes the management interface: “Jboss Application Server is vulnerable to remote command execution via the ‘HTTP Invoker’ service that provides Remote Method Invocation (RMI) /HTTP access to Enterprise Java Beans (EJB)”.
Imperva confirmed that the number of web servers running JBoss Application Server with exposed management interfaces has tripled since the initial vulnerability research was publicly disclosed, rising from 7,000 to 23,000.
I have just run the following Google dork, retrieving more than 17000 results:
 intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”
Note that this Google reconnaissance also lets an attacker identify governmental and educational websites, some of which turn out to be infected.
“Many of the deployed web shells utilize the original pwn.jsp shell code that was presented with the original exploit, as can be seen in a blog entry posted by one of the attack’s victims. In other cases a more powerful web shell was deployed. In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities.”
The concerning aspect of the story is that once again a two-year-old vulnerability could be easily exploited to compromise a huge quantity of information; the situation is analogous to the Silverlight flaw that menaces users of Netflix, the provider of on-demand Internet streaming media.
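As an added defender-side example (our own code, not Imperva’s or JBoss’s), this Python script scans web server access logs for the activity described above: requests to the JMX console, web console and HTTP Invoker from outside an assumed admin network, and requests for the pwn.jsp or JspSpy shells that Imperva saw deployed. The log lines, the admin network and the path prefixes are assumptions to adjust per deployment.

```python
"""Scan web server access logs for signs of the JBoss management-interface
abuse described above.

Added example, not Imperva's or JBoss's code. Assumptions: logs are in
Apache/NCSA combined format; the admin network, the path prefixes and the
sample lines are our own and should be adjusted per deployment.
"""
import ipaddress
import re
from typing import Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# JBoss AS management entry points: the JMX console, the web console and
# the HTTP Invoker servlets, which are served under /invoker/.
MANAGEMENT_PREFIXES = ("/jmx-console/", "/web-console/", "/invoker/")

# Shell names from Imperva's advisory. These are indicators only: a deployed
# shell can be renamed, so also watch for any new .jsp appearing in a web app.
SHELL_NAME_RE = re.compile(r"(?:pwn|jspspy)\.jsp$", re.IGNORECASE)

# Hypothetical network from which console use is expected and acceptable.
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[str]:
    """Return a severity label for a suspicious entry, or None if benign."""
    path = entry["path"].split("?", 1)[0]
    if SHELL_NAME_RE.search(path):
        return "critical: known web shell name requested"
    if path.startswith(MANAGEMENT_PREFIXES):
        try:
            src = ipaddress.ip_address(entry["ip"])
        except ValueError:       # unparseable source, treat as external
            src = None
        if src is not None and src in ADMIN_NET:
            return None
        if entry["method"] == "POST":
            return "high: management interface POST from outside admin network"
        return "medium: management interface probed from outside admin network"
    return None


def scan(lines: Iterable[str]) -> list:
    """Run classify() over every parseable line and collect the hits."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "path": entry["path"], "status": entry["status"],
                             "label": label})
    return findings


# Constructed sample log (not real traffic): an admin using the console from
# the internal network, then an outside host probing the console, posting to
# it, and finally fetching a deployed pwn.jsp.
SAMPLE_LOG = """\
10.1.2.3 - - [04/Oct/2013:10:00:01 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2013:10:05:12 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2013:10:05:40 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2013:10:06:02 +0000] "GET /pwn.jsp HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Oct/2013:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["label"], finding["ip"], finding["path"])
```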

Monitoring IT chiefs online is commonplace for sales deals

SAN FRANCISCO: Monitoring IT leaders on social media channels to find out what makes them tick is often key to securing sales, according to Carlos Zamora, vice president of BT Conferencing in North America.
During an interview with V3 at Dreamforce 2013, Zamora explained that the practice is widely used and accepted as part of the modern way in which business is done.
"As we look at how an opportunity is being progressed, we have a number of teams [to] work through a process. This begins with questions like 'Can we win?' 'Is it the type we want?' 'Is our solution the best?' and 'What extras would we need to provide?' Then we map it from the point of contact and find who the decision makers are," he said.
"When you identify your relationship map and plot the influencers, sponsors and contractors involved you then have to find the best way to engage with those individuals. Nowadays this is done in a variety of ways including social media – what they like, what they do, how they think."
Zamora said the trend is a known and accepted practice within the enterprise space. "If they are not comfortable I have not seen it. We engage with businesses at different levels, but in the engagements I have had our customers understand the information we manage is needed to work with them," he said.
The BT vice president said Salesforce tools have made it quick and easy for non-technical sales personnel to do the research. "To do what we do we have to innovate and train a team and also enable them with the tools they need. Salesforce is at the core of how we are managing this," he said.
"I have been engaged in sales management for quite some time and have to say, the way in which these tools are being utilised and the way they are being embraced is amazing."
Expanding its mobile offering has been a central part of Salesforce's strategy for many years. Salesforce unveiled its new mobile-focused Salesforce1 platform earlier this week. The platform is designed to make it quicker and easier for customers to create or utilise existing applications for mobile.

Yahoo breaks 400 million monthly app users milestone

SAN FRANCISCO: Nearly 400 million people use Yahoo mobile applications every month, according to CEO Marissa Mayer.
During a keynote session at Dreamforce 2013, Mayer confirmed that the company has seen a significant increase in the number of people regularly using Yahoo mobile applications since she joined the company.
She said the increase is a consequence of a strategic shift within Yahoo to become a mobile-first company. "At first I think mobile caught a lot of people by surprise, and when you look at the history of Yahoo it wasn't clear at first how they were going to move to it," she said.
"But then we thought about it and took a group working on it that had originally only been between 30 to 60 people, and increased it to 400. This helped us get serious about mobile applications and now we have almost 400 million monthly mobile users."
It is currently unclear how large an increase the 400 million figure represents. At the time of publication Yahoo had not responded to V3's request for comment on what its mobile user base was before Mayer joined the company.
Mayer said the move to mobile in many cases saw the Yahoo team redesign every application and service from the ground up.
"I think we have an amazing design team at Yahoo. They've done a fantastic job redesigning every product over the last year," she said. "We've fixed 100,000 things in the space of a year and created apps people want to use."
The Yahoo chief said the shift saw the company redesign its applications' interfaces to be as user friendly as possible. "You shouldn't design for the expert users. You should make products that only take a couple of days to completely understand and use. You need to break it down to the core essence of what the users need and design it around that," she said.
"When you design for the expert users, it becomes too sophisticated and puts new users off. If you design for the experts you're going to get a confusing interface."
Mayer said she expects the mobile shift to help Yahoo regain some of its overall market share from key competitors such as Google.
"We think of ourselves as mobile first. We think of ourselves like this as if you look at mobile in the context of our industry, it's a wave big enough to ride. With Yahoo we're doing a platform shift to mobile to take advantage of this," she said.
Mayer joined Yahoo in 2012, and the company has seen a marked turnaround since. As well as helping to improve Yahoo's financial fortunes, Mayer has also made efforts to be more transparent about the company's involvement in the notorious PRISM scandal.
Yahoo was one of the companies the US National Security Agency (NSA) gathered web user data from during its PRISM campaign. Since news of PRISM broke, Yahoo has taken several measures to help protect its customers' data. Most recently Yahoo confirmed it will begin encrypting all information that moves between its data centres from the first quarter of 2014.

The Internet of Things will be more like a can of worms

V3's Dan Robinson
Much has been written about the concept of the Internet of Things lately. And as with most other nascent technologies, there is a fair amount of hyperbole being spouted by self-styled industry experts and vendors alike, who all seem to vaguely sense that this could be the Next Big Thing and that there might be large sums of money to be made from it.
But let's take a step back and consider what exactly the Internet of Things is supposed to be all about. In many ways, it is just an extension of the way the internet works already, but with more and more devices beyond computers connected up. The idea is that the internet could be turned into a universal conduit to allow any and all devices to communicate together.
In fact, if you listen to some proponents of the idea, absolutely everything in the entire world will be connected, from kettles to clothing to street lights. We are often told that this will lead to some sort of global utopia, where lights come on when you enter a room, your shopping gets ordered and delivered automatically and your domestic appliances all work together in harmony to use less energy.
"The fridge might talk to the washing machine and they will together decide which will consume energy at that moment," said an EDF executive at the Teradata Partners conference covered by V3 in October.
Just how all of this is supposed to work is noticeably absent from any discussion of the Internet of Things, which I see as a fundamental problem with the notion. Anyone who has tried to pair up a Bluetooth peripheral to a computer or phone, or who has utterly failed to get their computer to stream video to their wireless-enabled TV, will know that getting two or more devices talking to each other can be a frustrating and time-consuming process.
Stories about consumers being unable to even set the time on domestic appliances such as video players have passed into urban legend, yet we are expected to believe that these same users will be able to configure network settings, privacy controls and security policies for their washing machine, fridge and TV? The potential mess doesn't bear thinking about.
And just who will ultimately have control over the connected devices in your home? It has been suggested during related discussions about smart metering in the UK that the power companies would be able to remotely shut off appliances in homes to save energy during times of peak demand. I can't speak for anyone else, but I'm not at all comfortable with the idea of the electricity company being able to turn off devices in my house when it suits them.
Then there is the question of security. Having all these devices connected to the public internet opens up a Pandora's Box of horrendous possibilities. You only have to consider the havoc wreaked by malware such as the Stuxnet worm to imagine what could happen if every electronic device is exposed via the internet for hackers to work away at.
Did I mention privacy? Imagine what information could be gleaned about you when data could be surreptitiously gathered from every device you own. Your central heating status and which lights are on in your house could track when you are at home and even which room you are in, not to mention whether your TV is on and what content you like to watch. The surveillance possibilities go far beyond the privacy violations exposed as part of the PRISM spying scandal.
But all of this is conjecture at the moment, and may not even be feasible, let alone desirable. For now, the most immediate application for the Internet of Things is in gathering data from networks of sensors for analysis. Applications such as measuring traffic flow or temperature are fairly simple to implement and do not call for complex configurations or too much intelligence in the nodes, which only really have to feed data back to a central point.
However, we are clearly at a very early stage in the development of the Internet of Things, and who knows where it could ultimately lead? After all, the internet itself started out as a decentralised way to allow US military computers to exchange information, and its inventors could hardly have foreseen today's highly connected world.
But it has taken about 50 years to get from the first beginnings of the internet to where we are today. Don't expect the Internet of Things, which is going to be vastly more complicated, to be delivered tomorrow, or next week, or even next year.

PRISM is unfortunate but irrelevant, says Salesforce CEO

SAN FRANCISCO: US cloud service supplier Salesforce claims the National Security Agency (NSA) never touched its data while running its PRISM spy campaign.
During a Q&A session at Dreamforce 2013 attended by V3, Salesforce CEO Marc Benioff said that the PRISM debate and campaign is not relevant to the company.
"In regards to PRISM, obviously there has been a huge amount of PR around it, but this is outside of our world. It's not what we do and not the sort of thing we'd be involved in. We manage a different type of information," he said. "It hasn't been an issue for us. I understand what's happened and view it as an unfortunate situation."
PRISM is a cyber-spying campaign by the NSA to gather web user data from numerous technology companies including Google, Facebook and Microsoft. News of the campaign broke earlier this year when whistleblower Edward Snowden leaked confidential documents to the media.
The scandal is believed to have damaged the cloud industry and has led many businesses to rethink their use of US-based services. In October Deutsche Telekom confirmed it is exploring ways to alter its systems to only run information on its network through local data centres and servers.
Executive vice president of Salesforce Platform Mike Rosenbaum reiterated Benioff's comments, saying that even though PRISM didn't impact the company, it is taking measures to allay European customers' concerns.
"We work with customers in Europe to make sure they trust us. For example, we're actively working to build a data centre in the UK. When it comes to the trust and security of customers' data, there's nothing more important than that for us," he said. "We are working with some of the biggest brands in Europe to build a platform they continue to trust."
Many other US-based cloud service providers have reported a downturn in business since PRISM. The Information Technology and Innovation Foundation estimates that PRISM will cost US cloud companies $35bn. Despite the forecast Salesforce reported posting its first $1bn quarter on Monday.

State-run cyber attack threatened London 2012 Olympics

A state-run cyber attack threatened the London 2012 Olympic Games, and was one of six "serious incidents" that took place during the event, according to the former CIO of the London Olympics.
Speaking at the Datacenter Dynamics Converged conference, Gerry Pennell, who is now the IT director at the University of Manchester, detailed some of the issues his team had to deal with during the games, only one of which had an impact on the running of their network.
Pennell described "something which looked suspiciously like a state attack" that occurred six days into the games. "We'd been advised in advance that something like this might happen, so we made some configuration changes to field that, but other agencies were affected."
Pennell did not give details on which country the state-run attack came from.
Elsewhere, an automated botnet attack from 90 IP addresses across Europe and North America caused concerns, but ultimately did not affect the running of the London 2012 systems, Pennell said.
However, a "much more serious" threat, which involved a 300,000 packet per second denial of service (DoS) attack, brought down internet access for the Olympic press agencies. "We had to failover and lost approximately two seconds of service," Pennell said.
He also explained how hacktivist groups grew on publicly available social media sites such as Twitter. "The fascinating thing was watching how these informal groups operate," he said. "We watched them on social media and we knew they were coming. It didn't cause us any impact, but we were live and watching that very closely."
Despite media speculation putting overall cyber attack attempt figures in the millions, nobody knows how many attacks occurred, according to Pennell. "It's all rubbish, it's nonsense," he said, clarifying that the majority of the attacks were fielded at the edge of their networks and never made even the slightest dent in their operations.

Google adds Android and Apache to open source security rewards programme

Google has extended its Patch Reward Program to include a raft of new platforms and technologies including its own Android system as it looks to improve the security of open source software.
The firm announced an overhaul to its security patch policies last month, offering white hats up to $3,133 for fixes.
Google said this would be extended to more platforms before the end of the year and information security engineer for Google Michal Zalewski confirmed the new areas covered by the programme in a blog post.
"The goal is very simple: to recognise and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire internet," he wrote in the post. “We started with a fairly conservative scope, but said we would expand the program soon.”
Zalewski listed the new areas covered as: Android, Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN.
This is almost identical to the original list set out by Google, although it includes some additional platforms. These are: "Network time: University of Delaware NTPD", "Additional core libraries: Mozilla NSS, libxml2" and "Toolchain security improvements for GCC, binutils, and llvm".
The announcement comes at a busy time for security reward programmes after Yahoo was humbled into improving its own service by offering $15,000, rather than t-shirts and caps. Microsoft has also improved its programme to provide payments of up to $100,000 for early alerts about active cyber incidents.
This allows security professionals to benefit from spotting attacks in the wild, rather than finding their own methods for breaking into systems.