Wednesday, 28 May 2014

Registry hack enables free Windows XP security updates until 2019

winxppro
Microsoft ended its support for Windows XP officially more than a month ago on April 8, 2014. This made a large number of users to switch to the latest version of Windows, but still a wide portion of users are using Microsoft oldest and most widely used operating system, despite not receiving security updates.
While some companies and organizations who were not able to migrate their operating system’s running Windows XP to another operating system before the support phase ended, are still receiving updates by paying Microsoft for the security patches and updates.
Now a relatively simple method has emerged as a trick for the XP users which makes it possible to receive Windows XP security updates for the next five years i.e. until April 2019.
It makes use of updates for Windows Embedded POSReady 2009 based on Windows XP Service Pack 3, because the security updates which are being released for POSReady 2009 are inevitably the same updates Microsoft would have rolled out for its Windows XP, if it was still supporting XP Operating System.
Windows Embedded POSReady 2009 is the operating system installed in “point-of-sale” (POS) systems such as restaurant machine, ticket machines or other customized version of Windows Embedded systems. POS machine most likely uses the XP operating system, therefore receives the same updates that are delivered by Microsoft for the officially unsupported version of Windows XP.
You are not allowed to directly install these Windows updates for your OS. In order to download new security updates for your Windows XP, you just need to perform a simple intervention into the Windows registration database.
STEPS TO FOLLOW:
  • Open Notepad and create a new file.
  • Add Below given code to it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
“Installed”=dword:00000001
  • Save file as .reg extension and run it by double clicks.
  • Once executed, you will find lots of pending updates in your Windows Action Center.
Because the extended support for Windows Embedded POSReady 2009 systems ends after 5 years, Microsoft will continue to deliver new security updates and patches for this version of its embedded operating system till April 9th, 2019, so users can use this trick to get security updates of Windows XP for another five years.
Important Note for our Readers - Despite receiving security updates for Windows XP by using such tricks, it is not possible to secure the complete system appropriately. So we highly recommend all of you to upgrade your operating system to the latest versions, i.e. Windows 7 or 8 or any Linux Distro.

Cookies flaw lets hackers steal WordPress accounts

wordpress-hacking-exploit
Yan Zhu, a researcher at the Electronic Frontier Foundation (EFF) noticed that the blogs hosted on WordPress are sending user authentication cookies in plain text, rather than encrypting it. So, it can be easily hijacked by even a Script-Kiddie looking to steal information.

When WordPress users log into their account, WordPress.com servers set a web cookie with name “wordpress_logged_in” into the users’ browser, Yan Zhu explained in a blog post. He noticed that this authentication cookie being sent over clear HTTP, in a very insecure manner.
One can grab HTTP cookies from the same Wi-Fi Network by using some specialized tools, such as Firesheep, a networking sniffing tool. The cookie can then be added to any other web browser to gain unauthorized access to the victim’s WordPress account and in this way a WordPress.com account could be easily compromised.
Wordpress hacking cookies
Using stolen cookies, an attacker can get access to the victim’s WordPress account automatically without entering any credentials and fortunately the vulnerability does not allow hijackers to change account passwords, but who cares? as the affected users would have no knowledge that their wordpress account has been hijacked.
Hijacking cookie on WP gives you login for 3 years. There’s no session expiration for the cookie, even when you log out.” Yan tweeted.

Using this technique, one can also see blog statistics, can post and edit articles on the hijacked WordPress blog and same account also allows the attacker to comment on other WordPress blogs from the victim’s profile. Sounds Horrible! Isn’t it?
But, an attacker “couldn’t do some blog administrator tasks that required logging in again with the username/password, but still, not bad for a single cookie.” she explained.
She recommends that WordPress ‘should set the “secure” flag on sensitive cookies so that they’re never sent in plaintext.’
The Good news is that, if you own a self-hosted WordPress website with full HTTPS support, then your blog is not vulnerable to cookies reuse flaw.

LulzSec informant Sabu helped FBI stop 300 cyber attacks

LulzSec logo
Former LulzSec leader Hector Xavier Monsegur, aka "Sabu", helped the FBI prevent more than 300 cyber attacks following his arrest in 2011, court documents have revealed.
Monsegur's role combating cyber attacks from the Anonymous hacker collective and LulzSec group was revealed during his sentencing hearing on Tuesday.
During the hearing, prosecutors praised Monsegur for his "extraordinary" contributions combating the threats and recommended he receive a sentence of time served.
"Through Monsegur's co-operation, the FBI was able to thwart or mitigate at least 300 separate hacks. The amount of loss prevented by Monsegur's actions is difficult to fully quantify, but even a conservative estimate would yield a loss prevention figure in the millions of dollars," read the document.
"In light of the foregoing facts, the government respectfully requests that, pursuant to Section 5K1.1 of the guidelines, the court grant the defendant a substantial downward departure at sentencing."
Monsegur was exposed as an informant for the FBI in 2012, when law enforcement agents arrested key members of the LulzSec hacker group, including Ryan Ackroyd, aka "Kayla"; Jake Davis, aka "Topiary"; Darren Martyn, known as "pwnsauce"; Donncha O'Cearrbhail, called "palladium"; and Jeremy Hammond, aka "Anachaos".
During its heyday, LulzSec successfully mounted cyber attacks on numerous high-profile targets, including the UK Serious Organised Crime Agency (SOCA), Fox Television, Nintendo and Sony.
The documents revealed Monsegur's co-operation with the Feds led to threats on himself and his family from within the hacker community.
"Monsegur repeatedly was approached on the street and threatened or menaced about his co-operation once it publicly became known," read the document.
"During the course of his co-operation, the threat to Monsegur and his family became severe enough that the FBI relocated Monsegur and certain of his family members."
Monsegur originally pleaded guilty to multiple counts of computer misuse and fraud on 15 August 2011. Monsegur's final sentencing was delayed in February 2013 for an unknown reason.
He is yet to receive his final sentence, though he has already served seven months for his involvement in cyber attacks.

That Snowden chap was SPOT ON says China

China is ramping up its war of words with the USA over online espionage, releasing a report by its Internet Media Research Center that – surprise! - concludes Uncle Sam does a lot of spying online.
There's lots of pompous language in the report, such as this opening paragraph:
“As a superpower, the United States takes advantage of its political, economic, military and technological hegemony to unscrupulously monitor other countries, including its allies. The United States' spying operations have gone far beyond the legal rationale of "anti-terrorism" and have exposed its ugly face of pursuing self-interest in complete disregard of moral integrity. These operations have flagrantly breached International laws, seriously infringed upon the human rights and put global cyber security under threat. They deserve to be rejected and condemned by the whole world.”
China's specific allegations suggest the USA conducted the following activities against it and other nations:
  • Collecting nearly 5 billion mobile phone call records across the globe every day
  • Spying over German Chancellor Angela Merkel's cell phone for more than 10 years
  • Plugging into the main communication networks between Yahoo's and Google's overseas data centers, and stealing data of hundreds of millions of customers
  • Monitoring mobile phone apps for years and grabbing private data
  • Waging large-scale cyber attacks against China, with both Chinese leaders and the telecom giant Huawei as targets
The document goes on a bit, mostly repeating Snowden allegations and throwing in a few other incidents reported by other nations. Expressions of outrage about NSA activities voiced by the United Nations and privacy groups others are given a new airing, as is just about every report from any newspaper anywhere about Snowden-sourced NSA activities.
That China has put this all on letterhead is significant inasmuch as it shows the nation is very, very grumpy indeed and wants the USA to know it. That the document doesn't miss a chance to paint the USA as a declining imperial power unfairly seeking to nobble its likely new superpower successor will also go down well with local audiences.
Actions like China's new vetting program for imported IT products and possible ban on IBM servers are likely to have more impact on the US because they hit it in the wallet.
And of course let's also note that there's colossal hypocrisy on both sides: if China could do the things the NSA is accused of, would it really back off? Or would it decline the grubby practice of same “pursuing self-interest in complete disregard of moral integrity” just like it did in Tiananmen Square?

I saved Pinterest's business and all I have to show for it is a t-shirt

Pinterest is gearing up a bug bounty programme which will pay security researchers to plug holes in the popular kittens'n'cupcakes site.
The programme today launched in an early phase where researchers could report bugs through managed bounty service BugCrowd although cash rewards are not yet on offer.

The digital scrapbook has also updated its own vulnerability reporting guidelines offering t-shirts in place of cash that have seen 13 researchers report bugs to the site.
Security engineer Paul Moreno said the site valued in May at $5 billion hosted events where its in-house dedicated teams competed to crush bugs.
"We even host internal fix-a-thons where employees across the company search for bugs so we can patch them before they affect Pinners," Moreno said in a post.
"Even with these precautions, bugs get into code ... starting today, we’re formalising a bug bounty programme with Bugcrowd and updating our responsible disclosure, which means we can tap into the more than 9000 security researchers on the Bugcrowd platform."
The BugCrowd deal was a "first step" which would evolve into a paid cash programme that Moreno expected would result in a more efficient disclosure process.
Detailed public Pinterest bug reports appear to be scarce. In February 2012 security researcher Shadab Siddiqui disclosed to Softpedia cross-site scripting, iframe injection and SQL injection flaws that he said could allow user accounts to be hijacked. Pinterest plugged the holes shortly after.

Saturday, 24 May 2014

China to start cyber security vetting on computer systems

China will begin checking computer systems used in government departments to protect "sensitive data". The state internet information office announced the measures amidst rows of cyberspying between China and the United States.
New checks will be the norm for computer systems used by government departments and businesses here in China. According to the State internet Information office, a handful of foreign governments and businesses have taken advantage of their technological monopolies, collecting sensitive data on a large scale from the Chinese government, businesses and institutions.
"In recent years, Chinese government departments, institutions, businesses, university and key telecom networks have been intruded into and spied on. The Snowden incident last year have given a warning to countries all over the world. It’s certainly true that without cyber security there would be no national security.” State Internet Information Office spokesman Jiang Jun said.
The office says it’s a measure long overdue, and comes at time when fingers are pointed at China with groundless accusation.
China finds these charges baseless and provocative as the United States holds a track record of cyber spying, the most conspicuous case shown by the Snowden incident.
"It’s really amazing to see that some people still believe they have the moral high ground and credibility to accuse others." Chinese Ambassador To the US Cui Tiankai said.
This particular incident won’t likely be the last spat of cyber espionage between the two countries. Even corporates have been caught in the fray. Just last November, Chinese telecoms giant Huawei decided to pull out of the US market amidst claims of spying. A spokesperson for the State Internet Information Office said that China may initiate countermeasures if the U.S. keeps up its cyber spying activities.

Cybercrime is big money for hackers

STORY HIGHLIGHTS
  • Hackers take electronic info from eBay employees to steal customers' data
  • James Lewis: Cybercrime is a growth industry and breaches won't stop
  • He says cybercrime is risk free, hard to stop, and big money for hackers
  • Lewis: The least that companies can do is to put in more safeguards
Editor's note: James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. The opinions expressed in this commentary are solely those of the author.
(CNN) -- In the early days of the Internet boom, some thought we would enter an era where there would be one integrated world economy with no borders, where we would share similar democratic values, and where governments would be less important and civil society could pick up many governmental tasks.
But that turned out not to be the case. Many countries don't share our values. There are conflicts, and the Internet has become a good place for these conflicts to play out.
One outcome is espionage, whether it is the National Security Agency listening to foreign leaders or China's People's Liberation Army stealing trade secrets. Another outcome is cybercrime.
It seems every month there is a story about a giant retailer being hacked and the personal data of hundreds of thousands of people being stolen by faceless cybercriminals. The last big story was Target. This week it's eBay, where hackers stole electronic credentials from eBay employees and used the credentials to access and steal customers' data.
According to one estimate, more than 800 million records were stolen in 2013. Fortunately, that doesn't actually mean all 800 million people suffered financial loss. Only a small fraction of people who have their data taken become victims of fraud or theft, because it is hard for criminals to "monetize" data -- to turn your personal information into cash. But the cleanup costs for the victimized company can be gigantic. After Target's hack, its CEO was fired for not doing enough.
Cybercrime is a growth industry and online security breaches are not going to stop any time soon.
The Internet was designed to ensure easy, reliable connectivity and in this it has been an immense success. When the Internet was commercialized in the 1990s, the U.S. government thought it was better to immediately start using an imperfect technology and get the economic benefits rather than wait for a completely safe Internet.
That was the right decision. The Internet has drastically changed all facets of our lives, including the way we communicate and do business. It has brought us immense economic benefits.
But the downside is that the Internet is not a secure place. Cybersecurity would not be as big a problem as it is today if the pioneers had paid more attention to security issues.
For example, encryption (software that scrambles your data into unintelligible patterns) was decontrolled in 1999. But many encryption products turned out to be hard to use, slowing computers and adding cumbersome steps to simple transactions. Encryption is still not widely used. Many companies don't encrypt the data of their customers and rely on passwords, which are very easy to hack for many transactions.
Cybercrime is an issue that needs more attention. According to one European intelligence service, there are 20 to 30 criminal gangs in the former Soviet Union that have hacking skills as good as most nations. There are many other groups with lesser skills. These criminals are nimble and inventive, and there are thriving cybercrime black markets where you can buy the latest hacking tools. This means there are highly skilled criminals who live in safe havens but can use the Internet to commit crimes that can earn millions of dollars, for which they will never be arrested or tried. Why would they stop? While there is good cooperation among Western countries against cybercrime, Russia has little interest in stopping these groups.
Eventually, the Internet will become less risky. There are basic things that companies can do to make sure their networks are more secure -- at least from all but the high-end criminals and big intelligence agencies.
Many companies are now taking cybersecurity seriously in a way different from even a year or two ago. The United States can work with other governments to improve law enforcement cooperation and to close down criminal networks.
The question is whether there will be enough progress before hackers get better at using what they steal. Right now, cybercriminals can steal millions of records but only be able to "monetize" a few thousand of them. If cybercriminals get better at monetizing the personal data they steal, there will be a spike in losses. And if countries like China continues to hack U.S. businesses to steal trade secrets and make competing products, American companies will lose sales and jobs.
The eBay hack reminds us that cybercrime is risk free, hard to stop, and big money for hackers. Even the best defenses may have holes in them. The least we can do is to try to put in the safeguards.

China Cyber Spying Indictment Reveals Hacking Techniques

Part of the building of 'Unit 61398', a secretive Chinese military unit accused of cyber espionage in Shanghai
Part of the building of 'Unit 61398', a secretive Chinese military unit accused of cyber espionage in Shanghai
— The alleged hacking of U.S. corporate computers by elements of China’s military wasn’t in and of itself all that unique.

As cyber attacks go, it was moderately sophisticated in technique.

But that raises a more troubling question.

How could major international corporations - such as U.S. Steel, Alcoa and others with millions of dollars of intellectual property - get robbed by a small, low-cost group of hackers working from China?

The answer:  it’s surprising it doesn’t happen much more often.

Over its 48 pages and 31 counts of criminal misconduct, the U.S. Justice Department’s indictment unveiled this month details how five Chinese army officers – with Internet identities such as “Ugly Gorilla”, “Kandygoo” and “WinXYHappy” – went about infiltrating the computer networks of six large U.S. corporations.

Sections of the indictment are so detailed that they read like a primer – a virtual ‘how-to manual’ for anyone interested in how hackers do what they do.

Social engineering

While some of the terms such as “spearphishing”, “beacon” or “hop-points” may need a little technical explaining, it’s clear from the indictment that the defendants generally employed something security analysts call social engineering.

In essence, social engineering is a tactic where hackers pretend to be somebody else to try and trick the target into trusting them.

The aim is getting them to reveal information directly (such as a password) or infect their computers by clicking on malicious links and attachments. Social engineering, in the end, is just a fancy label for little more than a con job.

There are many different tricks a hacker might employ to earn their target’s trust.

But once they have it, it’s relatively easy to fool unsuspecting targets into releasing sensitive information.

A common example: if someone you believe is a trusted co-worker sends you an email urgently asking for a password they’ve forgotten, you’re probably much more likely to send it to them without thinking twice than someone you don’t know, analysts say.

“Given that these types of attacks can be attempted with very little consequence if they don't succeed,” said Mike Auty, senior security researcher at the firm MWR Infosecurity,

“It allows the attacker to launch a number of attacks, over a long period of time, and the chances are high that there will be a mistake, and someone will grant them access,” he said.

Which, as the indictment details, is  what the Chinese are alleged to have done.

One particular social engineering trick allegedly used by the defendants was “spearphishing” - sending links or attachments via email that, if clicked, would infect the target’s computer system without them knowing.

Once infected, the malware would create what’s called a “back door” or secret entrance into the system that could likely go undetected for prolonged periods.

In the recent indictment papers, U.S. prosecutors say that, defendant “SUN” - short for Sun Kailiang - “sent spearphishing e-mails purporting to be from two U.S. Steel e-mail accounts to approximately eight U.S. Steel employees, including U.S. Steel’s Chief Executive Officer.

“The e-mails had the subject line “US Steel Industry Outlook” and contained a link to malware that, once clicked, would surreptitiously install malware on the recipients’ computers, allowing the co-conspirators backdoor access to the company’s computers,” the indictment said.

“Further...an unidentified co-conspirator sent approximately 49 spearphishing e-mails to U.S. Steel employees with the same subject, “US Steel Industry Outlook,” according to the indictment.

But it didn’t stop with basic spearphishing.

Researcher Auty said successful social engineering hacks often require more than just bad emails.

And the indictment lays out another, more sophisticated attack strategy that required much greater planning, research and patience.

Persistence over technology

Throughout the document, the Justice Department describes how the defendants would first try to gain lists of current and former employees at each of the six targeted companies and then went about researching who they were.

The defendants then went about purchasing a variety of web site domain names, such as ‘arrowservice.net’ or ‘hugesoft.org’ (readers are advised NOT to visit these sites) and populating them both with content that appeared legitimate, but also contained hidden Trojan-horse malware.

These websites both served to create an appearance of trust and also to serve as “hop-points” between the infected computers and the main attack servers in China to coordinate and control all the malware-infected computers in the U.S.

In the indictment, attorneys detail how these hop-points could surreptitiously allow the hackers to grab documents and “exfiltrate” – a computer term that basically means stealing – the data back to China.

As the indictment put it: “Between intrusions, the co-conspirators used the domain accounts to reassign the malicious domain names to non-routable or innocuous IP addresses, (e.g., IP addresses for popular webmail services, like Gmail or Yahoo), which would obscure any beacons their malware sent during that period.”

“Bad guys want my stuff”

Technologically speaking, it wasn’t anywhere near the sophistication of something like the Stuxnet virus.

But for sheer persistence and imagination, it was quite a clever operation.

“People need to realize: the bad guys are persistent, they’re organized,” said Stephen Cobb, a senior security researcher at the cyber security firm ESET North America. “Maybe this would help: it’s not an individual who’s trying to break into your web server every five seconds.”

“Let’s face it: every company today has information on their computers that they need to protect,” Cobb said. “If you’ve got a website, there’s an attempt to break into it every five, six seconds. It’s automated programs.

"So people from all around the world who want to get into somebody else’s computer are running automated script looking for holes," he said. "There’s a constant probing of systems.”

Still, it’s hard for most people to understand cyber security, analysts say.

“If you work for a bank, you should be fairly aware that people might want to rob you, that’s where the money is,” Cobb said. “But if you’re a doctor, or an engineer designing a product, you’re not necessarily thinking ‘there are bad guys who want my stuff.’‘”

But security expert Auty said that’s not a cause to lose hope.

“People will always be a weak element, but given that organizations have learnt to harden their perimeter, the next area of improvement required within the industry is ensuring internal visibility and appropriate segregation,” he said.

For both Auty and Cobb, the segregation of data into specific areas with different levels of security is key.

“You can’t protect what you don’t know about,” Cobb told VOA. “One of the very first things on my list for remediation or security programs for small business or big business is know what you’ve got.”

Microsoft promises fix for Internet Explorer zero day flaw

Microsoft Internet Explorer
Microsoft has confirmed it is working on a fix for a critical vulnerability in its Internet Explorer 8 web browser, following the flaw's public disclosure by researchers at the Zero Day Initiative (ZDI).
The flaw came to light after the researcher who found it revealed Microsoft had not patched the problem within 180 days of being informed, thereby allowing ZDI to make information public under its own guidelines.
Despite the lengthy wait for a fix, a Microsoft spokesperson told V3 the company is aware of the flaw and is working to fix it, but added it is yet to uncover any evidence it is being actively exploited.
"We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible," said the spokesperson.
"Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers."
The vulnerability was disclosed by the ZDI earlier this week and could theoretically be exploited by hackers to infect machines running the web browser with malware. The researchers claim they privately reported the bug to Microsoft on 10 November 2013.
Microsoft added that while the company is going to fix the bug, to remain truly secure users should upgrade to a newer version of Windows and IE.
"We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which includes further protections," said the spokesperson.
Microsoft has been calling for users to upgrade to new Windows versions since it officially ceased support for its 13-year-old Windows XP operating system in April. The cut-off means Microsoft will not officially issue security fixes for newly found vulnerabilities on XP.
Microsoft was forced to issue an emergency XP fix, despite the official cut-off, when a separate zero-day vulnerability was discovered in IE earlier in May.
Meanwhile, the researcher who originally found the flaw defended Microsoft for taking its time on the fix, saying there could well be a good reason for the delay.
"The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason," he wrote in a blog post.
"Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things.
"In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers."

eBay faces investigations over massive data breach

eBay eBay is facing several investigations into its data breach
The UK's information commissioner is working with European data authorities with a view to taking action against eBay over its recent data breach.
Three US states are also investigating the theft of names, email addresses and other personal data, which affected up to 145 million eBay customers.
The online marketplace has begun the process of notifying its customers about the need to reset passwords.
However some customers reported problems when attempting to do so.
EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
"The site is busy, but our secure password reset tool is working," a spokesman said.
The firm has been criticised for its slow reaction in informing customers about the theft of personal data.
"We are sending out millions of emails, and it will take some time. The process is certainly well under way," the firm told the BBC.
It warned though that its official password reset email contained no links and that customers should be wary of messages that did.
"Any email with links is a phishing attempt," it said.
Serious breach Meanwhile the fallout from the data breach was beginning to kick in.
In the US, Connecticut, Florida and Illinois said they were conducting a joint investigation.
Speaking on BBC Radio 5 live, the UK's information commissioner said that the eBay breach was "very serious" but that outdated and complex data protection laws meant the ICO could not begin an immediate investigation.
He said the watchdog would have to first liaise with the Luxembourg data protection, where eBay has its European headquarters.
"There's millions of UK citizens affected by this, and we've been clear that we're monitoring it, but by taking the wrong action under the law now we risk invalidating any investigation," an ICO spokesman told the BBC when pressed on why the watchdog had not yet launched any action.
Identity theft Questions are starting to be asked about how well eBay safeguarded its customers' data.
Hugh Boyes from the Institution of Engineering and Technology questioned why eBay stored so much data in the first place.
"The Information Commissioner makes the point that organisations should keep the minimum information necessary so why do eBay need to hold and store dates of birth and addresses?"
"As an occasional eBay user, I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth.
"This is serious from an identity theft perspective. The only item they are missing is the mother's maiden name and they have sufficient information to impersonate an individual when dealing with many financial organisations."
Reports that large numbers of eBay customer details have begun appearing for sale in Pastebin - a site where hackers publicise their attacks - have been denied by eBay.
Lysa Myers, a security research at ESET agreed that the data was unlikely to have originated from the auction site.
"The users that are shown in the sample would represent an odd subset of users for an international company like eBay. And the price asked (1.45 Bitcoin) would seem to be astonishingly low for the data of 145 million users," she said.
"Even if the sample is not in fact from the eBay breach, it could potentially be data from another company's leak."

eBay says database leak dump offers are fake

Cybercrooks are offering to sell "stolen copies" of the leaked eBay database through an advert posted through Pastebin.
However eBay says the sale is fake. "We have checked all published data and so far none are authentic eBay accounts," eBay's press office told El Reg.
Security experts, although far from certain, seem inclined to agree.
The dodgy seller is offering to sell the "full eBay database dump" with 145 million records on a non-exclusive basis for 1.453 BTC (or $750).
A sample lump purporting to contain the compromised details of more than 12,000 users from the APAC region has been uploaded through Mega. The validity of the data on sale is unverified.
The Mega sample contains name, email address and postal addresses. Passwords are hashed and not revealed.
Security expert Kenn ‪White reported finding several of the leaked email ‬addresses in existing dumps. Other security experts are also wary.
"It’s not yet been verified that these are legitimately eBay credentials, and it’s possible that a criminal has just spotted an opportunity to cash in on the attack with some other credentials dump they have," said Trey Ford, global security strategist at Rapid7.
"That said, during initial analysis of 12,663 of the records which have been provided as a free sample, we were able to find some matches between email prefixes and eBay profile name where people are using the same handle."
“This doesn't necessarily mean these credentials are from the eBay attack – it could be that people use the same handle across multiple sites including one that was previously compromised, and the creds are actually from that. In fact, we also found matches between these email addresses and a popular Malaysian web forum, which may point to the true source of these credentials. We have no way to confirm how statistically representative the leaked APAC sample is of the broader eBay dataset," he added.
If genuine the leaks were hashed using a strong algorithm and attempts to find hashes corresponding with the simplest passwords have failed to come up with anything, which is in itself suspicious.
The credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes. "This means they employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations," Ford explained.
Security consultant Per Thorsheim is also skeptical. "PBKDF2 with 12K iterations takes a looooong time to crack. No hashes cracked yet, 123456 should have been found among 12K," he said in a Twitter update. "it looks like we call FAKE on the ‪@KbcdPfA‬ alleged eBay leak up for sale."

Cyber threats to critical energy projects up sharply over five years


Cyber threats to critical energy infrastructure in Canada have risen significantly in the past five years, with the most advanced attacks coming via state-sponsored cyber espionage, federal records show.
A briefing memo to the deputy minister of Natural Resources Canada says terrorist use of the Internet and cyber crime by organized groups are also on the rise and that the trend is a major worry for governments and businesses.
Canada, the U.S. and private companies in both countries have partnered to try to meet these threats. However, the memo explains that cyber threats are a “growing concern” to critical energy infrastructure systems in Canada, such as power grids and oil and gas pipelines, and that incidents have risen significantly over the past half-decade.
The Citizen obtained the briefing material using access to information law.
“The most sophisticated cyber threats come from the intelligence and military services of foreign states. In most cases, these attackers are well resourced, patient and persistent. Their purpose is to gain political, economic, commercial or military advantage,” says a presentation to the deputy minister.
“All technologically advanced governments and private businesses are vulnerable to state sponsored cyber espionage. These attacks have succeeded in stealing industrial and state secrets, private data and other valuable information.”
The briefing material, from fall 2013, explains that terrorist networks also are moving to incorporate cyber operations into their own strategic doctrines, and are using the Internet to support recruitment, fundraising and propaganda.
“Terrorists are aware of the potential for using the Western World’s dependence on cyber systems as a vulnerability to be exploited,” says the briefing material.
Earlier this week, the U.S. charged five Chinese military officers with stealing trade secrets from six U.S. nuclear, steel and clean-energy companies. It marks the first time the U.S. has charged specific foreign government officials with criminal cyber hacking. China denies the charges, calling them absurd.
The Canadian Security Intelligence Service (CSIS) has warned that some state-owned foreign companies have been pursuing “opaque agendas” in Canada and that attempts by some state-owned firms to acquire control over strategic sectors of the Canadian economy pose a threat to national security.
Canada remains an attractive target for economic espionage, CSIS has warned, because the country is a world leader in areas including mineral and energy extraction.
“I do believe that cyber espionage is on the same plane today, on the same level of national security threat, as is terrorism and the public safety question,” Ray Boisvert, former assistant director with CSIS, told the Citizen.
“It’s much bigger than we all really knew and understood and now it’s starting to emerge more and more,” added Boisvert, president of I-Sec Integrated Strategies, a company specializing in countering cyber threats.
The federal government is working closely with Canadian energy and utility companies, and with U.S. federal agencies to monitor and address cyber security threats to critical energy infrastructure, says the briefing material.
Canada has created a national cyber security strategy and action plan to protect critical infrastructure. Energy companies also have an agreement with the RCMP to share information through the Suspicious Incident Reporting System.
According to the briefing notes, the most common types of cyber incidents between July and September 2013 were “malicious code/compromise,” which accounted for 55 per cent of the incidents (no total number of incidents is provided), and “phishing/targeted” emails, at 28 per cent.
Boisvert said the charges this week by the U.S. against Chinese officials are meant to help fight state-sponsored cyber attacks by publicly shaming countries. The number of cyber threats has been dramatically rising because hostile countries have realized how valuable cyber attacks are in obtaining economic advantages, he said.
“The West really had its guard down and we were very much focused on terrorism because that was the issue, and companies as well were not thinking about cyber (security),” he said.
jfekete@ottawacitizen.com
Twitter.com/jasonfekete

Canada’s cyber security strategy focuses on three areas:

1. Securing government systems.
2. Partnering with the private sector to secure vital cyber systems outside government.
3. Helping Canadians be secure online

Types of cyber threats to Canada’s critical energy infrastructure

1. State sponsored cyber espionage and military activities:
“The most sophisticated cyber threats come from the intelligence and military services of foreign states,” according to Natural Resources Canada. “Their purpose is to gain political, economic, commercial or military advantage.”
2. Terrorist use of the Internet:
“Terrorist networks also are moving to incorporate cyber operations into their strategic doctrines. Among many activities, they are using the Internet to support their recruitment, fundraising and propaganda activities.”
3. Cybercrime:
“Organized criminals have expanded their operations into cyberspace. The more sophisticated among them are turning to skilled cyber attackers to pursue many of their traditional activities, such as identity theft, money laundering and extortion.”

What is a Man-in-the-Middle Attack?


There’s a reason why most people feel uncomfortable about the idea of someone eavesdropping on them—the eavesdropper could possibly overhear sensitive or private information. This is exactly the risk that computer users face with a common threat called a “Man-in-the-Middle” (MITM) attack, where an attacker uses technological tools, such as malware, to intercept the information you send to a website, or even via your email.

Just imagine you are entering login and financial details on an online banking site, and because the attacker is eavesdropping, they can gain access to your information and use it to access your account, or even steal your identity.
There are a variety of ways that attackers can insert themselves in the middle of your online communications. One common form of this attack involves cybercriminals distributing malware that gives them access to a user’s web browser and the information being sent to various websites.
Another type of MITM attack involves a device that most of us have in our homes today: a wireless router. The attacker could exploit vulnerabilities in the router’s security setup to intercept information being sent through it, or they could set up a malicious router in a public place, such as a café or hotel.
Either way, MITM attacks pose a serious threat to your online security because they give the attacker the ability to receive and request personal information posing as a trusted party (such as a website that you regularly use).
Here are some tips to protect you from a Man-in-the-Middle attack, and improve your overall online security:
  • Ensure the websites you use offer strong encryption, which scrambles your messages while in transit to prevent eavesdropping. Look for “httpS:” at the beginning of the web address instead of just “http:” which indicates that the site is using encryption.
  • Change the default password on your home Wi-Fi connection so it’s harder for someone to access.
  • Don’t access personal information when using public Wi-Fi networks, which may, or may not, be secure.
  • Be wary of any request for your personal information, even if it’s coming from a trusted party.
  • Protect all of your computers and mobile devices with comprehensive security software, like McAfee LiveSafe™ service to protect you from malware and other Internet threats.

Wednesday, 21 May 2014

Behind Blackshades: a closer look at the latest FBI cyber crime arrests

The FBI made big headlines yesterday with its announcement of a high profile malware takedown related to a RAT called Blackshades (of which more in a moment). Hopefully this move, involving 97 arrests in 16 countries, will discourage the use of spyware by criminals. RAT stands for remote access tool and Blackshades is not unlike the DarkComet RAT that I wrote about in 2012. You can see DarkComet accessing a webcam in the illustration above, with a big hat tip to my colleague Cameron Camp, whose hand that is, captured during a live demonstration of how to defeat hacking tools during Interop Las Vegas in 2012.
[Note: All ESET products protect against Blackshades, detected as Win32/VB.NXB since February 2009, and also as Win32/AutoRun.VB.ANQ since October 2011. See “What is BlackShades and does ESET protect me from it?” in the ESET Knowledgebase.]

Bad RAT, good RAT?

Nobody wants a stranger spying on them, particularly when that spying includes surreptitiously watching them via their own web camera, hence the immediate public applause for this FBI operation. There were also cheers from people like myself and my colleagues in the security industry who are dedicated to keeping spyware and other malicious code off computers, including tablets and smartphones.
However, we do need to be careful when we talk about remote access tools as malware as they are a classic case of malice being in the intent of the user. Spying on an innocent person by sneaking a remote access tool onto their computers is clearly a malicious act, not to mention uber-creepy and generally despicable. Used for this purpose, a remote access tool is malware. But there are also positive and legitimate uses for remote access tools, such as remote computer support. And of course, a lot of spyware used by both state and non-state actors falls into the RAT category (part of a class of code that I like to call “righteous malware” because those who use it believe they are right to do so, whereas the owners of computers onto which it is secretly placed tend to see it differently).
Many RAT packages have appeared over the years and been put to use by criminals, but they are not all treated the same way, as my colleague David Harley points out: “There’s a difference here between BlackShades and more ‘professional’ malware like Zeus and Citadel. Its users constituted a relatively easy target by operating within an area seen as legally ‘grey’. Apparently, some of those involved were often less scrupulous about covering their tracks and their malicious intent than the career criminals associated with more heavyweight malware.” One indication of this says Harley: “There was an awful lot of chatter about Blackshades on forums, whereas conversations about more sophisticated tools used for criminal activity tended to be far more discreet.”
The implications? I think people pushing Blackshades might have been an easier target for law enforcement than some other players. However, I don’t think there’s any call for headlines like the one used by the Daily Beast (“FBI’s Huge Hacker Bust Could Be Bogus“). That said, Quinn Norton’s article does raise some important points about RAT deployments in conflict zones, citing Morgan Marquis-Boire and Seth Hardy of Citizen Lab in Toronto who, along with the EFF, reported that Blackshades was used by the Syrian government to target anti-government activists (research article is here in PDF and EFF article, with Eva Galperin, is here). Norton also makes the very important point that, in terms of criminality, using a RAT for malicious purposes is way different from simply possessing it.

Maintaining perspective

I am firmly on the record when it comes to applauding law enforcement efforts to stem illegal abuse of computers and information systems, and I have previously predicted that such efforts will be stepped up (although that article from 2012 was as much wishful thinking as prediction). However, given limited law enforcement resources, it is vital that the right criminals are targeted. I’m not sure that the creators of Blackshades are as much criminals as the folks who broke into Target and stole tens of millions of credit card records. And there are clearly some non-criminals among those who purchased, acquired, or simply possessed the Blackshades codes. I hope to see prosecutions proceed with these distinctions in mind.
Where I do think we could see a welcome effect from the FBI Blackshades crackdown is at the margins and in the markets, discouraging those who are currently contemplating cybercrime or dabbling in the purchase of cybercrime tools on the underground markets. Seriously people, there are some very cool and potentially lucrative things you can do with coding and network skills that don’t involve serious risk of a heavy knock on your front door,
Finally, it is clear that public needs to do its homework to fully understand stories like these. After all, the FBI itself has been using surreptitious access to webcams to pursue criminals and terrorists “for years” using remote access tools. And this Powerpoint slide from “No Place to Hide“, Glenn Greenwald’s bestseller about the Snowden revelations, purportedly shows the NSA’s efforts to “implant” malware on some 50,000 computers. Malware that would probably fall into the RAT category of “righteous malware”.
nsa-malware-slide

Bitly hackers stole user credentials from offsite database backup

Bitly has shed a little more light on the serious security breach it suffered 2 weeks.
As you may recall, the URL-shortening service announced last week that it believed the account credentials of Bitly users could have fallen into the hands of hackers, but it fell short of answering how it determined customer privacy had been breached, how securely passwords had been stored, or – indeed – what had actually gone wrong.
Now some of those questions are being answered.
In a follow-up post entitled “More detail”, Bitly explains that it believes the hackers did *not* manage to access its production network or servers, but instead accessed the customer database from an offsite backup.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts.
And how did the hackers manage to access that offsite backup? They broke into an employee’s account at an unnamed hosted source code repository where they stole the login credentials for the backup of Bitly’s database.
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.
What’s worrying about this is that – for a while at least – not only did the hackers have access to a backup of Bitly’s customer database, but they also could have compromised the company’s source code.
Bitly says it is sending an email to “all users from the domain bitlysupport.com outlining the steps to secure your account”. The fact that they have named the domain they are planning to send the warning email from underlines their concern that the hackers might attempt their own malicious campaigns, targeting customers who have had their accounts exposed through the hack.
Ironically, Bitly’s announcement of the domain name they intend to use may not actually make it trickier for any attackers to exploit the situation – as it will be child’s play for them to forge email headers and pretend the messages are coming from bitlysupport.com.
My advice? Be very careful about *any* messages that you receive which claim to come from Bitly, and be wary of clicking on any links in the emails. Much better to visit the Bitly website directly, and access your account that way.
According to Bitly, the passwords stored in the exposed database were salted and hashed. Unfortunately, users who have not changed their passwords in the last few months may be at greater risk of having had their passwords cracked as Bitly strengthened the way it stored passwords in January:
If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
No wonder then that the firm is recommending that users change their passwords as a precaution.
In case you’re worried about your own account, here is what Bitly says you need to do:
Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
Many Bitly users are believed to have connected their accounts to their social media presences on the likes of Facebook and Twitter, but users will not be able to publish via Bitly to those sites until their profiles have been reconnected following the advice above.
Two factor authentication – are you using it?
It’s good to hear that Bitly has now enabled two factor authentication for all of its employees using the source code repository, but an organisation serious about protecting its crown jewels like its source code, would have done that long ago.
I’ve explained the perils with passwords in the past, including the problems with users re-using the same password in multiple places, choosing easy to guess passwords, falling victim to spyware which hoovers up passwords as they are typed on infected computers, or having their login credentials phished from them via convincing emails.
Two-factor authentication (2FA) helps reduce these risks, requiring users to enter a unique one-time-password alongside their regular credentials.
How authentication works
Everytime you login, a new one-time-password is required.
Even if your regular password is guessed, cracked or stolen by hackers, it won’t be any use to the bad guys because they won’t know what your one-time-password is.
Furthermore, if something like a mobile phone app is generating your one-time password for you then it’s extremely unlikely it will be in the clutches of the hackers trying to break into your account.
So, I strongly recommend that whenever an online service or website offers you the option of hardening your account using two-factor authentication you should turn it on.
Furthermore, if you are an organisation running an online service or providing mechanisms for your staff to access company information remotely, it also makes sense for you to consider offering two-factor authentication to reduce the risks.
Two-factor authentication isn’t a magical solution which will stop all online criminal activity, but it certainly makes life harder for the hackers who want to break into your accounts.
Oh, and in case you were wondering, Bitly says it is “accelerating” its efforts to provide two-factor authentication for its customers account as well. That means, if users’ passwords fall into the wrong hands in future – they will be an awful lot harder for the bad guys to exploit.

Smart TVs can be infected with spyware – just like smartphones

‘Smart’ televisions with built-in microphones could be used as bugging devices by corrupting them with malware, according to software specialists NCC Group, as reported by The Register.
An attacker would not even need physical access to the television to launch an attack, security experts from the group warned.
Fooling a user into installing a malicious app is one way to gain control of the microphone – but models of televisions with built-in storage and microphones can be set to auto-update, so an attacker could feasibly create an app, then release an update containing it.
Software escrow specialists NCC recently released a white paper examining potential solutions for the problems posed by so-called “Internet of Things” devices.
‘Smart TVs’ seem to have been particularly soft targets. LG admitted that one of its models had been sending information during shows watched by their owners without informing them. After a successful hack of a Samsung Smart TV, Senator Charles E Schumer, a Democrat from New York addressed a letter to television manufacturers urging them to improve security.
“Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching TV in your living room. You expect to watch TV, but you don’t want the TV watching you.”
The latest hack was demonstrated by NCC near the Infosec conference in London last week, with journalists from The Register shown how Smart TVs can be hacked in much the same way as using a malicious app against an Android phone.
“Malicious apps could be downloaded from the manufacturer’s app store. The TV does have the option for auto-updating, so releasing a legitimate app, then releasing a malicious update, is another attack vector,” a researcher said.
“The devices contain microphones and cameras that can be utilised by applications, Skype and similar apps being good examples.”
“The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstrations purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device’s storage.”

Snapchat “lied to users” about privacy of vanishing photos

The photo-sharing app Snapchat, popular with youngsters for its photos which would exist briefly then “disappear forever” has admitted that the photos did not, in fact, disappear, in a settlement with the U.S. government’s FTC.
As reported by Yahoo News, the company is to be monitored for privacy for the next 20 years by independent privacy professionals. Violations could lead to fines for the company.
Time Magazine pointed out that the app’s 4.6 million users had been misled into thinking that videos sent via the app could not easily be captured – whereas they could be seen simply by plugging a smartphone into a PC. Snapchat also violated its own privacy policies by tracking geolocation information for Android users.
In a blog post, the company said, “While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.”
Technology sites were quick to point out just how imprecise Snapchat had been about the privacy offered to its users. CNET pointed out that there were “numerous” ways to capture the supposedly “private” files.
The site wrote, “The most obvious is an easy two-button screen capture on a smartphone. The most discrete involves third-party apps that let users record onscreen behavior or log directly into the app to work around its limited privacy protections. There are also ways to dig up files in a device’s directory when the device is plugged into a computer.”
The FTC said in a statement, “Such third-party apps have been downloaded millions of times. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.”

Former Royal reporter: “I hacked Kate Middleton’s phone 155 times”

The former Royal Editor of the now-defunct News of the World tabloid newspaper has admitted that he hacked into Kate Middleton’s mobile phone voicemail a staggering 155 times in order to snoop upon private messages.
And Clive Goodman didn’t stop there. He has also told a court in London that aside from intercepting the future Duchess of Cambridge’s private messages, he also hacked Prince William on 35 occasions and Prince Harry nine times.
It can’t have been a barrel of laughs and festive fun at Goodman’s house over Christmas 2005, as the News of the World‘s Royal Editor first accessed Kate Middleton’s voicemail on 21st December, and then continued to do so on Christmas Eve, Christmas Day and Boxing Day in his search for tabloid stories.
The first hack by Goodman against Prince William’s voicemail, meanwhile, took place at the end of January 2006.
Presumably driven by the tabloid’s thirst for news about Prince William’s then girlfriend, Goodman continued to regularly hack Miss Middleton’s mobile phone voicemail until the day before his arrest in August 2006.

How phone hacking works

Unlawful access to voicemail messages was made possible by many mobile phones using well-known default PINs as their solitary defence.
Chances are that you don’t even realise that your mobile phone voicemail has a PIN, because most mobile phone networks recognise that it is your phone ringing the voicemail service, and therefore skirts around the request for a PIN to make life more convenient for you.
However, many phone operators provide a number that you can ring to access your voicemail remotely. If your voicemail was protected by an easy-to-determine default PIN, or if operators could be tricked into resetting a PIN, then the voicemail messages could be unlocked.
Thankfully, default PINs for mobile phone voicemail systems are no longer used in the United Kingdom, making life that little more difficult for journeys hungry for a celebrity scoop.
But that doesn’t mean the problem has completely disappeared.
Another way of breaking into a mobile phone’s voicemail system might be to fake the phone number you are ringing from, tricking the voicemail system into believing it was the genuine handset collecting the messages.
As recently as last month, a journalist with The Register showed that at least two UK mobile networks remained vulnerable to having their customers’ voicemail inboxes hacked, without the attacker needing to guess a PIN.
For the highest level of security, set your voicemail up to always ask for PIN whenever you access it. Yes, it’s a pain – but it’s only four digits worth of nuisance for a greater level of privacy.

Royal revelations

Clive Goodman, of course, was jailed in 2007 on charges of hacking royal aides. But up until now he has never claimed that the snooping was also being conducted against the Duchess of Cambridge and the royal princes.
When Goodman was asked why he had not previously told police or prosecutors about the true extent of the hacks, he said that he was simply never asked about it:
“I’ve never been asked before. The Metropolitan police, Crown Prosecution Service did not ask me these questions in 2006 and 2007. I’ve never been asked by any inquiry any time about this”
Which makes me think, maybe someone should now ask him about other Royals, and individuals romantically associated with the Royal Family.
Chelsy? Cressida? Are you confident your mobile phones’ voicemail systems are properly secured?

FBI plans worldwide crackdown on cybercrime

The FBI is gearing up for a major crackdown on cybercrime, and says that arrests of major criminals will follow in weeks.
Speaking at the Reuters Cybersecurity Summit, the FBI’s executive assistant director of cyber enforcement Robert Anderson said, “There is a philosophy change. If you are going to attack Americans, we are going to hold you responsible.”
Anderson’s speech said that the FBI’s dealings with cybercrime would now show “a much more offensive side,” and made it clear that this involved extraditions, referring to a foreign national detained at an airport in Spain for running a botnet that targeted Americans, according to Deep Dot Web’s report.
Prior to working in cyber enforcement, Anderson worked in espionage and counter-intelligence.
Anderson said, “If we can reach out and touch you, we are going to reach out and touch you.” Previously, the FBI has held back from pursuiing extradition in certain cases.
“There’s a lot of countries that will not extradite. That will not stop us from pressing forward and charging those individuals and making it public,” he said, according to Russia Today’s report.
He also said that arrested hackers could expect long jail sentences, rather than reduced terms for cooperating or becoming informants, according to the Voice of Russia.
He said that the only circumstances in which reduced sentences would be considered would be those affecting “national security”, according to Reuters.
Politico.com reported that the FBI was also setting up “online and in-person” cyber training courses for America’s 17,000 police forces.

Biometrics pioneer now “wary” of monster he has created

Dr Joseph Atick, a pioneer in biometrics, who co-founded early facial recognition companies such as Visionics, now fears that large companies could use new versions of his technologies for electronic surveillance – and warned of “unexpected consequences” unless the industry changed its habits.
Speaking at the Connext ID Explo, Atick, who founded several companies instrumental in turning biometrics into a $7.2 billion per year industry (figure from analysts Frost and Sullivan) said that the tecchnology has evolved so far it is now “basically robbing everyone of their anonymity,” according to the New York Times.
Speaking about a demonstration app for Google Glass which allowed users to identify people by looking at them, known as Nametag, Atick said, “We are basically allowing our fellow citizens to surveil us.”
Atick, who has served as a technical advisor to NATO, made millions from selling one of his companies, L-1 to a French military contractor. The Verge reports that he said, “Some people believe that I am maybe inhibiting the industry from growing. I disagree. I am helping industry make difficult choices, but the right choices.”
Concern has grown over companies’ such as Facebook’s use of biometric data. Facebook has invested heavily in artificial intelligence software – which can recognize if two human faces are the same person with near-human accuracy.
Atick warned that the widespread use of fingerprint and facial recognition systems could lead to uncontrollled surveillance – not only by companies and ‘data brokers’, but also goverments. “I think that the industry has to own up  If we do not step up to the plate and accept responsibility, there could be unexpected apps and consequences,” he said.
One AI company, Vicarious Software, bought by Facebook, whose software specialises in “deciphering” photographs, described its software as “like a human that doesn’t have to eat or sleep.”
For users, biometric protection has become a premium feature, available on the most expensive gadgets – for instance, iPhone’s 5S and Samsung’s Galaxy S5. Speaking to We Live Security, Phil Zimmermann, inventor of email encryption system PGP, whose company is to sell an encrypted voice phone, Blackphone, this year, said, “We are in the golden age of surveillance. Whoever wants it can enjoy total information awareness – from cameras which read number plates automatically, to who calls who, and what they say. If a politician is seen in a hotel with an attractive woman, facial recognition can pick him out.”

Car-Hacking Goes Viral In London

The days when thieves used clothes hangers to break into cars may soon be a thing of the past.
Nearly half the 89,000 vehicles broken into in London last year were hacked with electronic gadgets, according to London’s Metropolitan Police.
The hackers appear to be targeting higher-end cars, which commonly have more than 50 low-powered computers installed on board.
“Car crime is no longer the preserve of the opportunist but a more targeted activity towards prestige brands which are stolen to order,” said Andrew Smith, managing director at Cobra UK.
Thieves are hacking into these on-board computers using cell-phone-sized electronic devices originally designed for locksmiths.
One of the most prevalent of these devices can trick a car – “spoofing” – into thinking the owner’s electronic key is present by using radio transmitters that intercept key signals. Another type of hacking device can gain access to a car’s on-board diagnostic unit remotely, which allows thieves to program a blank key to control the engine control unit.
The whole operation takes less than 10 seconds.
The devices can apparently be purchased on the internet, primarily from websites located in Bulgaria, according to Sky News.  Video tutorials for using the device are also available online.
car-hacking-device
Picture of an electronic car-hacking device.
Meanwhile, in February, security experts in Spain created a device that can bypass any encryption on a car before running malicious code through the vehicle’s system.
The so-called “CAN Hacking Tool (CHT)” allows hackers to control lights, locks, steering and brake systems.  The price tag: $20.b

Police and FBI arrest 100 hackers over BlackShades malware case

blackshades-fbi-hacker
Today, the UK’s National Crime Agency announced that the raids took place in more than 100 of countries and they have arrested more than 100 people worldwide involved in the purchasing, selling or using the Blackshades malware.
More than half million computers in more than dozens of countries were infected by this sophisticated malware that has been sold on underground forums since at least 2010 to several thousands people, which cost between 40 and 100 dollars.
The Investigation involved the law enforcement coordination agencies Europol and Eurojust said Monday that authorities raided a total of 359 houses in 13 different European countries, including Austria, Belgium, Britain, Croatia, Denmark, Estonia, Finland, France, Germany, Italy, Moldova, the Netherlands and Switzerland, as well as in the United States, Canada and Chile, and seized cash, firearms, drugs and over 1,100 data storage devices including computers, laptops, mobile phones, routers etc.
This case is a strong reminder that no one is safe while using the internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, an official representing the Netherlands in the European Union’s criminal investigation coordination unit, Eurojust. “This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centres.”
the Blackshades website (http://bshades.eu/) has now been seized by the FBI,‘ Blackshades’ is a remote administration tool (RAT) and is sold legally around the world but bad intention actors are using the tool as a malware for collecting private information of innocent users, including usernames and passwords for email and Web services, instant messaging applications, FTP clients and lots more.
In worst cases, the malicious program even allows hackers to take remote control of users’ computer and webcam to take photos or videos without the knowledge of the computer owner.
The infected PCs can also be hijacked by the attackers to perform DDoS attacks and other illegal activities without any knowledge of its owner. The program modifies itself in such a way so that it remains elusive for antivirus software.
In 2012, while a very serious and bloody internal war between the government and the opposition forces, the BlackShades RAT was also used to infect and Spy on Syrian activists. However, in 2012, a developer of the Blackshades team was reportedly arrested and during same time the source code of the tool was also leaked on the Internet.
BlackShades tool was actually developed by an IT surveillance and security-based company, who promoted it as a tool for parents to monitor their Children activities and for finding the cheating partners in relationship. But, as usual every weapon could be used for both purposes, killing and saving lives.

China denounces US cyber-theft charges

FBI wanted poster. 19 May 2014  
The FBI issued a "Wanted" poster for the five army officers
China has denounced US charges against five of its army officers accused of economic cyber-espionage.
Beijing says the US is also guilty of spying on other countries, including China, and accuses the US of hypocrisy and "double standards".
China has summoned the US ambassador in Beijing over the incident. It says relations will be damaged.
US prosecutors say the officers stole trade secrets and internal documents from five companies and a labour union.
The BBC's John Sudworth in Shanghai says it is extremely unlikely that any of the accused will ever be handed over to the US.
China's defence ministry put out a strongly-worded statement on its website on Tuesday saying that China's government and its military "had never engaged in any cyber espionage activities".
It also took aim at the US, saying: "For a long time, the US has possessed the technology and essential infrastructure needed to conduct large-scale systematic cyber thefts and surveillance on foreign government leaders, businesses and individuals. This is a fact which the whole world knows.
"The US' deceitful nature and its practice of double standards when it comes to cyber security have long been exposed, from the Wikileaks incident to the Edward Snowden affair."
line break
Analysis: Carrie Gracie, BBC China editor
US Defense Secretary Chuck Hagel (L) and Chinese Minister of Defense Chang Wanquan gesture to members of the media prior to their meeting at the Chinese Defense Ministry headquarters in Beijing on April 8, 2014. The two countries' defence ministers met just last month
China always insists it is a victim of hacking, not a perpetrator. And when US intelligence contractor Edward Snowden appeared in Hong Kong a year ago with evidence of US hacking into Chinese networks, Beijing felt vindicated.
The US acknowledges that it conducts espionage but says unlike China it does not spy on foreign companies and pass what it finds to its own companies.
Beijing typically shrugs this off as a smear motivated by those who find its growing technological might hard to bear. But to see five named officers of the People's Liberation Army indicted by a US grand jury is not something that can be brushed aside so easily.
China has already announced the suspension of co-operation with the US on an internet working group. And once it has had time to digest this loss of face, it is likely to consider more serious retaliation.
line break
The defence ministry added that China's military had been the target of many online attacks, and "a fair number" of those had been launched from American IP addresses.
It said the arrest of the five Chinese army officers had "severely damaged mutual trust".
A Xinhua report on Tuesday stated that between March and May this year, a total of 1.18 million computers in China were directly controlled by 2,077 machines in the United States via Trojan horse or zombie malware.
Chinese Assistant Foreign Minister Zheng Zeguang lodged a "solemn representation" with US ambassador Max Baucus on Monday night, Xinhua reported.
'US losses' On Monday US Attorney General Eric Holder said a grand jury had laid hacking charges against the Chinese nationals, the first against "known state actors for infiltrating US commercial targets by cyber means".
He identified the alleged victims as Westinghouse Electric, US Steel, Alcoa Inc, Allegheny Technologies, SolarWorld and the US Steelworkers Union.
"The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States," Mr Holder said.
In the indictment brought in the western district of Pennsylvania - the heart of the US steel industry - the US named Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, all officers in Unit 61398 of the Chinese People's Liberation Army (PLA), as the alleged conspirators.
FBI officials said the hacking - between 2006 and 2014 - caused "significant losses" at the companies and that there were likely to be many more victims.
Last year, cyber-defence company Mandiant published a report on a Chinese military unit the firm said was behind the vast majority of significant attacks on American federal agencies and companies.
In March, Defence Secretary Chuck Hagel said the Pentagon planned to more than triple its cyber-security capabilities in the next few years to defend against such internet attacks.
line break
What is Unit 61398?
A file picture taken on February 19, 2013 shows a person walking past a 12-storey building alleged in a report by the Internet security firm Mandiant as the home of a Chinese military-led hacking group after the firm reportedly traced a host of cyberattacks to the building in Shanghai"s northern suburb of Gaoqiao.
• A unit of China's People's Liberation Army, to whose Shanghai address US cyber security firm Mandiant says it traced a prolific hacking team
• The team was said to have hacked into 141 computers across 20 industries, stealing hundreds of terabytes of data
• Mandiant says the team would have been staffed by hundreds, possibly thousands of proficient English speakers
• China said Mandiant's report was flawed and lacked proof