Sunday, 9 March 2014

Thieves Jam Up Smucker’s, Card Processor

Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers.
Smucker’s alerts Website visitors.
As Smucker’s referenced in its FAQ about the breach, the malware that hit this company’s site behaves much like a banking Trojan does on PCs, except it’s designed to steal data from Web server applications.
PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.
The malware that tore into the Smucker’s site behaved similarly, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers were submitting the data during the online checkout process.
What’s interesting about this attack is that it drives home one important point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With Zeus, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

IN GOOD COMPANY
When a reader first directed my attention to the Smucker’s breach notice, I immediately recalled seeing the company’s name among a list of targets picked last year by a criminal hacking group that plundered sites running outdated, vulnerable versions of ColdFusion, a Web application platform made by Adobe Systems Inc.
According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:
- An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);
- A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll;
- A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
TOO MANY VICTIMS
Not all of the above-mentioned victims involved the exploitation of ColdFusion vulnerabilities, but Smucker’s was included in a list of compromised online stores that I regrettably lost track of toward the end of 2013, amid a series of investigations involving breaches at much bigger victims.
As I searched through my archive of various notes and the cached Web pages associated with these attackers, I located the Smucker’s reference near the top of a control panel for a ColdFusion botnet that the attackers had built and maintained throughout last year (and apparently into 2014, as Smucker’s said it only became aware of the breach in mid-February 2014).
A tiny portion of the ColdFusion botnet panel.
The botnet control panel listed dozens of other e-commerce sites as actively infected. Incredibly, some of the shops that were listed as compromised in August 2013 are still apparently infected — as evidenced by the existence of publicly-accessible backdoors on the sites. KrebsOnSecurity notified the companies that own the Web sites listed in the botnet panel (snippets of which appear above and below, in red and green), but most of them have yet to respond.
Some of the victims here — such as onetime Australian online cash exchange technocash.com.au — are no longer in business. According to this botnet panel, Technocash was infected on or before Feb. 25, 2013 (the column second from the right indicates the date that the malware on the site was last updated).
It’s unclear whether the infection of Technocash’s secure portal (https://secure.technocash.com.au) contributed to its demise, but the company seems to have had trouble on multiple fronts. Technocash closed its doors in June 2013, after being named in successive U.S. Justice Department indictments targeting the online drug bazaar Silk Road and the now-defunct virtual currency Liberty Reserve.
SECUREPAY
One particularly interesting victim that was heavily represented in the botnet panel was SecurePay, a credit card processing company based in Alpharetta, Ga. Reached via phone, the company’s chief operating officer Tom Tesmer explained that his organization — Calpiancommerce.com — had in early 2013 acquired SecurePay’s assets from Pipeline Data, a now-defunct entity that had gone bankrupt.
At the time, the hardware and software that powered Pipeline’s business was running out of a data center in New York. Tesmer said that Pipeline’s servers had indeed been running an outdated version of ColdFusion, but that the company’s online operations had been completely rebuilt in CalpianCommerce’s Atlanta data center under the SecurePay banner as of October 2013.
Tesmer told me the company was unaware of any breach affecting SecurePay’s environment. “We’re not aware of compromised cards,” Tesmer said in an email. This struck me as odd, since the thieves had clearly marked much of the data they had stolen as “SecurePay” and listed the URL “https://www.securepay.com/” as the infected page.
Following our conversation, I sent Tesmer approximately 5,000 card transaction records that thieves had apparently stolen from SecurePay’s payment gateway and stashed on a server along with data from other victimized companies (data that was ultimately shared via third parties with the FBI last fall). The data on the attacker’s botnet panel indicated the thieves were still collecting card data from SecurePay’s gateway as late as Aug. 26, 2013.
Tesmer came back and confirmed that the card data was in fact stolen from customer transactions processed through its SecurePay payment gateway, and that SecurePay has now contacted its sponsoring bank about the incident. Further, Tesmer said the compromised transactions mapped back to a Web application firewall alert triggered last summer that the company forwarded to its data center — then located in New York.
Several servers from credit card processing firm SecurePay were compromised by the ColdFusion botmasters.
“That warning showed up while the system was not under our control, but under the control of the folks up in New York,” Tesmer said. “We fired that alert over to the network guys up there and they said they were going to block that IP address, and that was the last we heard of that.”
Turns out, SecurePay also received a visit from the FBI in September, but alas that inquiry also apparently went nowhere.
“We did get a visit from the FBI last September, and they said they had found the name SecurePay on a list of sites that they were pursuing some big hacker team about,” Tesmer said. “I didn’t associate one with the other. We had the FBI come over and have a look at that database, and they suggested we make a version of our system and set that one aside for them and create a new system, which we did. They said they would get back in touch with us about their findings on the database. But we never heard from them again.”
Tomorrow, we’ll look at Part II of this story, which examines the impact that this botnet has had on several small businesses, as well as the important and costly lessons these companies learned from their intrusions.

Sally Beauty Hit By Credit Card Breach

Beauty products chain Sally Beauty appears to be the latest victim of a breach targeting their payment systems in stores, according to both sources in the banking industry and new raw data from underground cybercrime shops that traffic in stolen credit and debit cards.

On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store. Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers.
The card shop Rescator advertising a new batch of cards. 15 cards purchased by banks from this batch all were found to have been recently used at Sally Beauty stores.
The banks each then sought to determine whether all of the cards they bought had been used at the same merchant over the same time period. This test, known as “common point of purchase” or CPP, is the core means by which financial institutions determine the source of a card breach.
Each bank independently reported that all of the cards (15 in total) had been used within the last ten days at Sally Beauty locations across the United States. Denton, Texas-based Sally Beauty maintains some 2,600 stores, and the company has stores in every U.S. state.
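The common point of purchase test described above, as an added example that is not KrebsOnSecurity's or any bank's code: over constructed transaction records (not real card data), it finds the merchant that every compromised card visited in the look-back window before its first fraud, and checks how common that merchant is among cards that were not compromised, so a store everyone shops at is not mistaken for the breach source.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (card id, merchant descriptor as it appears in card data,
# purchase date). Store numbers vary per location, so descriptors are normalized.
TRANSACTIONS = [
    ("card-01", "SALLY BEAUTY #2210", date(2014, 2, 25)),
    ("card-01", "BIGMART #4471",      date(2014, 2, 26)),
    ("card-02", "SALLY BEAUTY #0117", date(2014, 2, 27)),
    ("card-02", "BIGMART #0090",      date(2014, 2, 20)),   # outside the window
    ("card-03", "SALLY BEAUTY #1980", date(2014, 3, 1)),
    ("card-03", "CORNER GAS #12",     date(2014, 3, 2)),
    ("card-04", "BIGMART #4471",      date(2014, 2, 28)),   # never reported as fraud
    ("card-05", "BIGMART #0090",      date(2014, 3, 1)),    # never reported as fraud
    ("card-06", "SALLY BEAUTY #2210", date(2014, 1, 5)),    # never reported as fraud
]

# Cards the issuer bought back from the shop, with the date fraud was first seen.
FIRST_FRAUD = {
    "card-01": date(2014, 3, 3),
    "card-02": date(2014, 3, 4),
    "card-03": date(2014, 3, 5),
}


def merchant_key(descriptor):
    """Collapse 'SALLY BEAUTY #2210' and 'SALLY BEAUTY #0117' to one merchant."""
    return descriptor.split("#")[0].strip().upper()


def common_point_of_purchase(transactions, first_fraud, window_days=10):
    """Rank merchants by how many compromised cards used them in the window
    before each card's first fraud. Returns (merchant, hits, coverage)."""
    per_card = defaultdict(set)
    for card, descriptor, when in transactions:
        fraud_day = first_fraud.get(card)
        if fraud_day is None:
            continue  # not a compromised card
        if fraud_day - timedelta(days=window_days) <= when <= fraud_day:
            per_card[card].add(merchant_key(descriptor))
    hits = defaultdict(int)
    for merchants in per_card.values():
        for merchant in merchants:
            hits[merchant] += 1
    total = len(first_fraud)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(m, n, n / total) for m, n in ranked]


def baseline_rate(transactions, first_fraud, merchant):
    """Fraction of cards with no reported fraud that also used this merchant."""
    clean_cards = {c for c, _, _ in transactions if c not in first_fraud}
    users = {c for c, d, _ in transactions
             if c in clean_cards and merchant_key(d) == merchant}
    return len(users) / len(clean_cards) if clean_cards else 0.0


def identify_cpp(transactions, first_fraud, min_coverage=0.9):
    """Name the suspected breached merchant, or None if no merchant stands out.
    A merchant must cover nearly all compromised cards and be clearly more
    common among them than among cards with no fraud."""
    for merchant, _hits, coverage in common_point_of_purchase(transactions, first_fraud):
        if coverage < min_coverage:
            break  # list is sorted, nothing further can qualify
        if coverage > baseline_rate(transactions, first_fraud, merchant):
            return merchant
    return None


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FIRST_FRAUD):
        print(row)
    print("suspected CPP:", identify_cpp(TRANSACTIONS, FIRST_FRAUD))
```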
Asked about the banks’ findings, Sally Beauty spokeswoman Karen Fugate said the company recently detected an intrusion into its network, but that neither the company’s information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems.
Fugate said Sally Beauty uses an intrusion detection product called Tripwire, and that a couple of weeks ago — around Feb. 24 — Tripwire detected activity. Unlike other products that try to detect intrusions based on odd or anomalous network traffic, Tripwire fires off alerts if it detects that certain key system files have been modified.
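The file-modification check that this kind of host-based product relies on, as an added example that is neither Tripwire's nor Sally Beauty's code: hash a baseline of watched files, re-hash later and report anything added, removed or changed. The watched directory and the files in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to (sha256, mode bits)."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            snapshot[rel] = (sha256_of(full), mode)
    return snapshot


def compare(baseline, current):
    """Group the differences between two snapshots; any non-empty list is an alert."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a payment binary is replaced and a new file dropped;
    the config file is untouched and must not be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as fh:
            fh.write(b"original payment application")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("gateway=processor.example\n")
        baseline = build_baseline(root)

        # Later: the binary's contents change and an unexpected file appears.
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as fh:
            fh.write(b"original payment application + injected code")
        with open(os.path.join(root, "bin", "dump.tmp"), "wb") as fh:
            fh.write(b"")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```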
In response to the Tripwire alert, Fugate said, the company’s information technology department “shut down all external communications” and began an investigation. That included bringing in Verizon Enterprise Solutions, a company often hired to help businesses respond to cyber intrusions.
“Since [Verizon's] involvement, which has included a deconstruction of the methods used, an examination of network traffic, all our logs and all potentially accessed servers, we found no evidence that any data got out of our stores,” Fugate said. “But our investigation continues, of course with their assistance.”

In any case, the stolen cards mapping back to Sally Beauty appear to have been pilfered quite recently, roughly matching the intrusion timeline noted by Sally Beauty: All of the banks reported fraud occurring on cards shortly after they were used at Sally Beauty, in the final week of February and early March.
The advertisement produced by the criminals who are selling these cards also holds some clues about the timing of the breach. Stolen cards fetch quite high prices when they are first put on the market, but those prices tend to fall as a greater percentage of the batch come back as declined or canceled by the issuing banks. Thus, the “valid rate” advertised by the fraudsters selling these cards acts as an indicator of the recency of the breach, because as more banks begin noticing fraud associated with a particular merchant, many will begin proactively canceling any cards used at the suspected breached merchant.
In this batch of cards apparently associated with the Sally Beauty breach, for example, the thieves are advertising the cards as “98 percent valid,” meaning that if a buyer were to purchase 100 cards from the store, he could expect that all but two would still be valid.
Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.
In the weeks prior to December 18 — the day that the world learned Target had been breached in a similar card compromise — the thieves running this very same card shop had been advertising several huge batches of cards at 100 percent valid. In the days following Target’s admission that malicious software planted by cyberthieves at its store cash registers had siphoned 40 million credit and debit card numbers, the “valid rates” advertised for those stolen cards began falling precipitously (along with the prices of the stolen cards themselves).
The items for sale are not cards, per se, but instead data copied from the magnetic strip on the backs of credit cards. Armed with this information, thieves can simply re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
Interestingly, this batch of stolen card data was put up for sale three days ago by an archipelago of fraud shops that is closely affiliated with the Target breach. In my previous sleuthing, I reported that a miscreant using the nickname Rescator (and an online card shop by the same name) was among the first — if not the first — to openly sell cards stolen in the Target breach. Further tying the Target breach to Rescator, forensic investigators also found the text string “Rescator” buried in the guts of the malware that was found on Target’s systems. According to additional reporting by this author, Rescator may be affiliated with an individual in Odessa, Ukraine.

End of Windows XP could compromise computer security

Local residents are being urged to ensure their computer software is up to date, with technical support and security updates for one of Microsoft’s most popular systems to shut down in April affecting almost 30 per cent of computer users worldwide.
On April 8, 2014, support and updates for Windows XP will no longer be available.
An unsupported version of Windows will no longer receive software updates from Windows Update. These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software.
Windows Update also installs the latest software updates to improve the reliability of Windows—new drivers for your hardware and more.
Microsoft recommends that all users upgrade their machines to its latest version, Windows 8.1, or purchase a new computer with the new operating system pre-installed.
On its website Microsoft states: “If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses. Also, as more software and hardware manufacturers continue to optimise for more recent versions of Windows, you can expect to encounter greater numbers of apps and devices that do not work with Windows XP.”
Microsoft also points out:  “Very few older computers will be able to run Windows 8.1, which is the latest version of Windows. If your current PC can't run Windows 8.1, it might be time to consider shopping for a new one.”

Hackers churning out 55,000 malware variants every day

Cyber criminals and state-sponsored hackers have streamlined their malware-creation processes to churn out a staggering 55,000 new malware variants per day, according to Dell SonicWall.
The security team reported the spike in its latest Dell Network Security Threat Report 2013. "We collected about 20.1 million unique malware samples in 2013, which is an increase compared to 16 million in 2012. That averages to about 55,000 new samples coming in each and every day," Dell SonicWall said.

The data was collected by the Dell SonicWall Global Response Intelligent Defense (GRID) Network, which uses over one million sensors across the globe to collect data on emerging threats.
The SonicWall team reported that the malware variants had been alarmingly successful, confirming it had detected 78 billion infections during the period. The team prevented 1.06 trillion intrusion prevention system (IPS) related incidents and blocked more than 1.78 billion malware downloads.
The report highlighted the high number of software and hardware vulnerabilities uncovered over the year as a key reason for the high infection rates.
"There were approximately 4,429 new vulnerabilities reported from CVE [common vulnerabilities and exposures] and 3,644 related with network attacks. Web-related vulnerabilities such as browsers or applications continued to occupy the top position," read the report.
Disturbingly 14 of the flaws were zero-day vulnerabilities. These were found in popular services such as Adobe Flash Player, Oracle's Java platform and Microsoft Internet Explorer.
There was an increase in the sophistication and the volume of threats targeting Dell customers. It highlighted a new version of the CryptoLocker ransomware as a key example of the trend, warning that it uses advanced technologies to dodge traditional cyber defences.
"The PGP [Pretty Good Privacy] key pair is generated dynamically on the command and control server and the private key is destroyed if payment is not received in 72 hours. It also used a custom domain generation algorithm to hide the command and control server," explained the report.
Executive director of product management for Dell Security Products Patrick Sweeney highlighted the advanced malware as proof that businesses need to bolster their security defences. "Our threat researchers are unearthing unprecedented growth and threat patterns as cyber criminals steadily enhance [their] speed and effectiveness," he said.
"Even tried-and-true crimeware has evolved in the last year, becoming much more rigorous and sophisticated. These and other forms of threats are causing more financial and data theft to enterprises than ever before, prompting organisations of all sizes to take action against the next surge of threats with re-architected IT and processes."
Dell SonicWall's research mirrors that of numerous other security firms. F-Secure reported a similar boom in cybercrime levels in its most recent threat report.

'Bitcoin creator' denies involvement

The name Satoshi Nakamoto has been linked with Bitcoin, but a Californian man says it was not him.
The man named by a magazine as the inventor of Bitcoin earlier this week has denied any involvement.
Dorian Prentice Satoshi Nakamoto said he had not even heard of the virtual currency until a few weeks ago.
Nakamoto was singled out as the man who wrote the code underpinning Bitcoin by Newsweek.
But he said that quotes attributed to him that seemed to suggest his discontinued involvement with the project had been "misunderstood".
"I got nothing to do with it," Nakamoto told a reporter on Thursday.
He was identified as the "face behind Bitcoin" in an article published online this week. A reporter spent about two months investigating the claim and tracking him down.
When the reporter - flanked by two police officers - found the 64-year-old former physicist at his home in California and asked him if he was involved with Bitcoin, he is reported to have said: "I am no longer involved in that and I cannot discuss it."
But he told an Associated Press reporter on Thursday: "I'm saying I'm no longer in engineering, that's it. And even if I was, when we get hired, you have to sign this document, contract, saying you will not reveal anything we divulge during and after employment. So that's what I implied.
"It sounded like I was involved before with Bitcoin and looked like I'm not involved now. That's not what I meant. I want to clarify that," he said.
'Unregulated and unstable'
Nakamoto said he was born in Japan and moved to America in 1959 and that English was not his first language.
The value of Bitcoin has fluctuated as knowledge of and interest in what was until recently a little-known currency has increased. It is used to bypass financial institutions, making it attractive to people who want to trade directly. That has led to a level of adoption by speculative investors and some criminal enterprises.
In 2012, a leaked FBI report showed that the agency was concerned that Bitcoin could become widely used by criminals.
The report said that the virtual currency was an "increasingly useful tool for various illegal activities beyond the cyber realm".
And, in August the following year, it was announced that the "scale of the risk posed by" Bitcoin was to be investigated by the FBI on behalf of a US Senate committee.
The entity behind it has always been known as "Satoshi Nakamoto", although it is unknown whether or not that is a pseudonym. Nakamoto insisted he had never heard of Gavin Andresen, a leading Bitcoin developer.
The latter told Newsweek he had worked closely with the person or entity known as Satoshi Nakamoto in developing the system, but that they never met in person or spoke on the phone.
Nakamoto told the AP that he would have had the technical ability to come up with Bitcoin. He said: "Capability? Yes, but any programmer could do that."
He also admitted that elements of the Newsweek story were correct. He said that he did once work for a defence contractor.
He added that he also worked on missile systems for the US Navy and Air Force and, consequently, it was necessary to keep many details of his work confidential.
Newsweek writer Leah McGrath Goodman, who spent two months researching the story, told the AP: "I stand completely by my exchange with Mr Nakamoto. There was no confusion whatsoever about the context of our conversation - and his acknowledgment of his involvement in Bitcoin."

Phisherman's friend: Confused hacktivists deface FAKE BANK SITE

Anon hackers have been caught boasting about defacing a counterfeit Yorkshire Bank website.
Hacktivist crew Anon Ghost earned coverage on underground security blogs for defacing “Yorkshire Bank, one of the largest United Kingdom bank (sic)”.
However, the hackers actually hit "ybs-bank.com", a Malaysian imitation of the real Yorkshire Bank website – which can be found at ybonline.co.uk – as security researchers at Cambridge University point out.
The real website and that of a similarly named banking institution, Yorkshire Building Society (http://www.ybs.co.uk), were both unharmed and unaltered.
Ybs-bank.com, on the other hand, remains defaced as of late morning on Thursday with a message "We are watching you: Don't close your eyes" and a Japanese horror movie-themed clip complete with ominous music. Evidence from Google's cache suggests before this Ybs-bank.com was probably a phishing site.
"The pages appear to be an imperfect copy of www.cbmarkets.co.uk (a Clydesdale bank website) and this copy was made some time in 2011, judging from the age of the news stories in the copy," writes security researcher Dr Richard Clayton, in a blog post on the Cambridge University Computer Laboratory's Light Blue Touchpaper blog.
"I have no reason to believe that anything good would happen to a Yorkshire Bank user (or a Yorkshire Building Society) user who used their credentials at the Malaysian-owned website," he added.
According to Whois, the ybs-bank.com domain didn’t exist before 2011, Clayton adds. The whole incident illustrates the difficulty banks face in identifying and seeking the takedown of counterfeit sites, some of which rely on exploiting confusion about a bank's genuine online location.
The defaced domain has to be considered potentially harmful since malware might easily be served from the compromised site. This is unlikely to be Anon Ghost's intention, but why take the risk?
In any case, the article about their exploits is not one for Anon Ghost's scrapbook. Yet it is arguably a lot less embarrassing than an incident where hacktivists mistakenly attacked a French rugby fansite instead of their intended target, the German stock exchange. That misdirected assault meant the allezdax.com website, a fan site for French second division side rugby club Dax, was unavailable for two weeks back in 2011.
Pretty lame but for a complete fail try an incident the year before, when geographically mixed-up Algerian hackers defaced the site of Belvoir Castle, home of the Teddy Bears' picnic, instead of their intended target, Belvoir Fortress – a Christian outpost during the Crusades.

Botnet masters using Tor to hide control tools for ZOMBIE SLAVES

The Tor anonymisation network is being used to hide 900 botnet and cybercrime-related hidden services, according to Kaspersky Lab.
Kaspersky security researchers report that the Tor network is playing host to the ChewBacca point-of-sale keylogger and the ZeuS banking malware control infrastructure, as well as the first Tor Trojan for Android.
Many Tor network resources are command-and-control servers, admin panels and other malware-related resources. “Carding” forums are also flourishing on the darknet.
Using darknet resources offers various advantages to cybercriminals, who are increasingly moving towards the technology, according to Kaspersky Lab.
“Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate," explained Sergey Lozhkin, a senior security researcher at Kaspersky Lab, "although creating a Tor communication module within a malware sample means extra work for the malware developers.”
Lozhkin added: “We expect there will be a rise in new Tor-based malware, as well as Tor support for existing malware.”
It's difficult, if not impossible, to identify the user’s IP address in Tor, which offers a cloak of anonymity that can be used by anyone from human rights activists to cybercrooks. Moreover, this darknet resource utilises so-called pseudo-domains which frustrate efforts to identify the resource owner’s personal information.

Twelve million hit as Korea suffers ANOTHER massive data breach

The South Korean government was forced to launch an inquiry today after another massive data breach rocked the country, this time the theft of account information belonging to 12 million customers of telco KT Corp.
The Incheon Metropolitan Police said on Thursday it arrested two hackers and the CEO of a telemarketing firm last week on suspicion of infiltrating the telco giant’s servers and stealing the data, according to Yonhap.
The data grab apparently went undetected by KT for an entire year with the suspects allegedly snatching up to 300,000 records in a single day. The nabbed details included names, registration numbers and bank account info.
The South Korean telecoms ministry has now launched a probe, apparently ordering KT to inform customers about what happened and to allow them to check if they’ve been affected on a special website.
This is the third time in two years that the country’s second biggest carrier has been hit with a major data breach.
In March 2012 internal employees at KT and SK Telecom sold data on 200,000 customers to telemarketers, while in July that year hackers grabbed info on 8.7 million punters and sold it on after breaching a customer sales system.
After the last incident, KT promised to tighten up its security to avoid a repeat.
The news comes just a couple of months after an insider at the Korea Credit Bureau made off with 20 million cardholders’ details.
Even this breach, however, pales in comparison with the megahack of SK Telecom’s Cyworld social networking site and the Nate web portal which exposed data on 35 million Koreans – nearly three-quarters of the population.

comiXology's Phantom Zone breached by villainous Haxxor

E-comics outfit comiXology has written to customers advising them to change their passwords after “recent review and upgrade of our security infrastructure … determined that an unauthorized individual accessed a database of ours that contained usernames, email addresses, and cryptographically protected passwords.”
Just how many people are affected is not known, as comiXology doesn't reveal how many customers it has. But a September 2013 report in Crain's New York Business suggests its apps have been downloaded 200 million times. If even a quarter of those downloads became customers this is a significant breach.
The good news is that comiXology says “Payment account information is not stored on our servers”, which chimes with your correspondent's experience of the service: Apple provides its payment mechanism on the iPad and the service uses Google Play for in-app purchase for its Android incarnation.
The company is spinning the password change request as sensible, not urgent. Its email to customers says “Even though we store our passwords in protected form, as a precautionary measure we are requiring all users to change their passwords on the comiXology platform and recommend that you promptly change your password on any other website where you use the same or a similar password.”
That's probably decent advice, at least if your iTunes or Google Play passwords are similar to your comiXology code. Get to it, readers, faster than a speeding bullet, before HAXXOR SMASH!

ChewBacca and Zeus malware found on Tor

Kaspersky Lab researchers have detected a boom in criminal activity on the anonymous Tor network.
Senior security researcher at Kaspersky Lab Sergey Lozhkin reported the spike in a blog post, revealing that an average of 900 hidden, criminal services are running on Tor.
"Over the last few months I have been closely monitoring so-called dark net resources, mostly the Tor network. And one thing that is immediately obvious is that the cyber criminal element is growing," read the post.
"We managed to find approximately 900 hidden services online at the current time. There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware command and control (C&C) server is attracting more and more criminals to the Tor network."
Tor is a free service designed to let people hide their internet activity. It does this by directing internet traffic through a volunteer network of relays that conceal the user's location and web activity.
David Emm, Kaspersky Lab's senior regional researcher, told V3 that the hidden operations included a number of malicious criminal enterprises.
"They're using Tor to host malicious infrastructure and to sell malware services – botnets, malware toolkits, credit cards, carding and skimming equipment – and to launder money," he said.
Lozhkin highlighted campaigns such as the recently discovered Zeus Tor Trojan and ChewBacca malware as key threats hiding in the Tor network and proof that criminals are investing more resources to develop their attacks.
"A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc. Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate," read the post.
"Cyber criminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analysed the first Tor Trojan for Android."
Security firm RSA discovered the ChewBacca malware stealing customer card details and personal information from "several dozen" retailers in January.
Emm said the success of Tor-based malware, such as ChewBacca, means criminals will inevitably continue to invest in the network.
"The anonymity offered by Tor is attractive to cyber criminals, so it's likely that its use will grow in the future – notwithstanding the greater work required to create a Tor communication module within malware," he said.
Combating crime on the anonymous Tor network has been an ongoing battle for law enforcement and security vendors. The FBI had some success in August 2013, when it exploited a vulnerability in the Firefox build shipped with the Tor Browser Bundle, rather than a flaw in the Tor protocol itself, to identify users of a child pornography ring and shut it down.
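The detection angle the article only hints at, as an added example that is not part of the V3 piece or Kaspersky's research: hosting C&C inside Tor stops defenders blacklisting the server, but the Tor client on the infected host still leaves local traces. The script below runs over constructed connection and DNS log lines (the "ts host proc src -> dst:port" layout, the process names and the .onion names are all assumptions) and flags two signals: DNS queries for .onion names reaching the corporate resolver, which a working Tor client would never send, and connections to the Tor SOCKS ports (9050 for the daemon, 9150 for the Tor Browser Bundle) from processes that are not an approved Tor client.

```python
"""Flag hosts that look like they are talking to Tor-based C&C.

Added example, not from the article or Kaspersky Lab. Two detections over
constructed log lines:
  1. DNS queries for .onion names. A Tor-aware client hands .onion names
     to its SOCKS proxy, so a .onion lookup at the corporate resolver
     usually means a Tor client is present on the host but leaking.
  2. TCP connections to the Tor SOCKS ports (9050 daemon, 9150 Tor
     Browser Bundle), local or remote, from a process that is not an
     approved Tor client (assumption: tor.exe/firefox.exe are allowed).
Log format and process names are assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed sample logs in an assumed "ts host proc src -> dst:port" shape.
CONN_LOG = """\
2014-03-07T10:01:12 ws-017 tor.exe 10.0.5.17:49211 -> 127.0.0.1:9050
2014-03-07T10:01:13 ws-017 firefox.exe 10.0.5.17:49212 -> 127.0.0.1:9150
2014-03-07T10:02:40 ws-042 svchost.exe 10.0.5.42:51234 -> 127.0.0.1:9050
2014-03-07T10:02:41 ws-042 svchost.exe 10.0.5.42:51235 -> 198.51.100.23:9050
2014-03-07T10:03:02 ws-099 chrome.exe 10.0.5.99:50001 -> 93.184.216.34:443
"""

DNS_LOG = """\
2014-03-07T10:02:39 ws-042 query A abcdefghijklmnop.onion
2014-03-07T10:03:00 ws-099 query A www.example.com
2014-03-07T10:04:10 ws-058 query A zyxwvutsrqponmlk.onion
"""

TOR_SOCKS_PORTS = {9050, 9150}
KNOWN_TOR_CLIENTS = {"tor.exe", "tor", "firefox.exe"}  # assumption: Tor Browser is permitted

CONN_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def onion_lookups(dns_log):
    """Return (host, name) for every DNS query whose name ends in .onion."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(4).lower().endswith(".onion"):
            hits.append((m.group(2), m.group(4)))
    return hits


def suspicious_socks_connections(conn_log, known_clients=KNOWN_TOR_CLIENTS):
    """Return (host, proc, dst) for Tor SOCKS-port connections from non-Tor processes."""
    hits = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        _, host, proc, _, _, dst_ip, dst_port = m.groups()
        if int(dst_port) in TOR_SOCKS_PORTS and proc.lower() not in known_clients:
            hits.append((host, proc, f"{dst_ip}:{dst_port}"))
    return hits


def score_hosts(conn_log, dns_log):
    """Combine both signals per host; a host showing both is the strongest lead."""
    score = defaultdict(int)
    for host, _ in onion_lookups(dns_log):
        score[host] += 1
    for host, _, _ in suspicious_socks_connections(conn_log):
        score[host] += 1
    return dict(score)


if __name__ == "__main__":
    for host, s in sorted(score_hosts(CONN_LOG, DNS_LOG).items()):
        print(f"{host}: score {s}")
```

On the sample data ws-042 scores 3 (one leaked .onion lookup plus two SOCKS connections from svchost.exe, one of them to a remote host, which is how a malware-embedded Tor client that does not run a local daemon would look) while the workstation running the approved Tor Browser scores nothing. Neither signal is proof on its own, and malware that bundles its own Tor module and resolves nothing locally will produce only the second; pair this with egress monitoring for connections to known Tor relay addresses.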

Twitter backs Encrypt All The Things campaign to beat government spies

Twitter has joined a raft of internet companies promoting the importance of encryption tools in the light of government spying revealed last year.
The firm has given its backing to a campaign launched by digital rights group Access Now called Encrypt All The Things. Other firms such as DuckDuckGo and the Electronic Frontier Foundation have also lent their names to the initiative.
The aim is to raise awareness of the importance of implementing strong security measures to stop any attempts to monitor or siphon data.
Access Now said: “In the wake of the continued disclosures regarding government mass surveillance, the majority of the reform conversation has revolved around the need for increased transparency.
“It’s time to expand the public discourse about how to properly secure data and defend privacy. Robust encryption is the next step toward protecting our networks and data from unauthorised surveillance.”
The campaign centres around the Data Security Action Plan, which sets out seven measures that firms, especially those operating online, should adopt to protect their data:
  • Implement strict encryption measures on all network traffic.
  • Execute verifiable practices to effectively secure user data stored at rest.
  • Maintain the security of credentials, and provide robust authentication safeguards.
  • Initiate a notification and patching system to promptly address known, exploitable vulnerabilities.
  • Use algorithms that follow security best practices.
  • Enable or support use of client-to-client encryption.
  • Provide user education tools on the importance of digital security hygiene.
“These protections will help prevent unauthorised access, and move state actors toward using proper, legal channels to obtain personal information,” it added.
The campaign comes amid the ongoing fallout from the PRISM spying revelations that started last summer when Edward Snowden released a raft of documents outlining the scale of government surveillance.

ICO fines abortion charity £200,000 for website hack

The Information Commissioner’s Office (ICO) has fined the British Pregnancy Advisory Service (BPAS) £200,000 in a stark example of the perils organisations face when collecting and storing personal data.
The incident occurred in March 2012 when hacker James Jeffery infiltrated the charity’s content management system (CMS) and defaced its website in a protest at the work BPAS does.
Jeffery then threatened to publish the names, dates of birth, addresses and telephone numbers of 9,900 people who had contacted the charity asking for guidance on a raft of serious issues such as abortion and vasectomy treatments.
However, the police were able to arrest Jeffery before any information was released. He was given a two-and-a-half year prison sentence.
The subsequent investigation by the ICO underlines the issues IT managers face when it comes to security and the need for constant checking of the processes in place for data-gathering and hosting.
BPAS gathered the data on 9,900 members of the public via a ‘call back’ form, which requested their name, date of birth, address and telephone number. This data was then stored within the CMS.
When it had contracted an IT company to build its website in 2007, it had decided against storing this data within the CMS, due to security concerns. But this was not properly communicated to the IT company, so the feature was built in anyway. BPAS had no knowledge it was collecting personal data in an unsecured manner.
The ICO said BPAS’s failure to properly secure its data and have contracts in place with IT partners about the requirements of the tools it commissioned was deeply concerning and merited a sizeable fine.
“BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the BPAS website,” it said in its report.
It also said the charity failed to carry out any security testing on its website, which could have brought the issues to light.
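The technical lesson in the ICO findings is that a form built to forward a call-back request ended up persisting every submission in the CMS, and nobody knew how much was held or for how long. As an added example (not BPAS's site code and not from the ICO report), the following Python models that situation with an in-memory SQLite table and shows the two checks the findings point at: an inventory of which tables carry personal-data fields, and a retention report with a purge. The table and column names and the sample rows are assumptions constructed for the example.

```python
"""Find and purge personal data that a web form has been silently retaining.

Added example, not BPAS's or the ICO's code. It models a 'call back' form
whose submissions land in a CMS table and are never deleted.
`personal_data_tables` answers "where is personal data held?",
`retention_report` answers "how long has it been kept?" and
`purge_expired` enforces a retention period. Table and column names and
the rows are assumptions constructed for the example.
"""
import sqlite3
from datetime import date, timedelta

PERSONAL_COLUMNS = {"name", "dob", "address", "phone"}  # the fields the ICO report lists
SAMPLE_TODAY = date(2014, 3, 9)  # constructed reference date for the sample data


def build_sample_db(today):
    """Create an in-memory CMS-style table holding constructed call-back requests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE callback_requests (
        id INTEGER PRIMARY KEY, name TEXT, dob TEXT, address TEXT,
        phone TEXT, created_on TEXT)""")
    ages_in_days = [2, 15, 45, 400, 1500]  # constructed: newest to oldest
    for i, age in enumerate(ages_in_days):
        conn.execute(
            "INSERT INTO callback_requests VALUES (?,?,?,?,?,?)",
            (i + 1, f"Caller {i + 1}", "1980-01-01", "1 Example St",
             f"0700000000{i}", (today - timedelta(days=age)).isoformat()))
    conn.commit()
    return conn


def personal_data_tables(conn):
    """Inventory: every table whose columns include personal-data fields."""
    found = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        # table names come from sqlite_master, not from user input
        cols = {r[1] for r in conn.execute(f"PRAGMA table_info({t})")}
        hit = cols & PERSONAL_COLUMNS
        if hit:
            found[t] = sorted(hit)
    return found


def retention_report(conn, today):
    """Row count and age in days of the oldest record still held."""
    n, oldest = conn.execute(
        "SELECT COUNT(*), MIN(created_on) FROM callback_requests").fetchone()
    oldest_age = (today - date.fromisoformat(oldest)).days if oldest else 0
    return {"rows": n, "oldest_age_days": oldest_age}


def purge_expired(conn, today, retention_days):
    """Delete requests older than the retention period; return rows removed."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "DELETE FROM callback_requests WHERE created_on < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = build_sample_db(SAMPLE_TODAY)
    print(personal_data_tables(conn))
    print(retention_report(conn, SAMPLE_TODAY))   # before purge
    print("purged", purge_expired(conn, SAMPLE_TODAY, retention_days=30))
    print(retention_report(conn, SAMPLE_TODAY))   # after purge
```

Run against a real CMS the inventory step is the one that would have caught the BPAS problem: it works from the schema rather than from what the developers said the form does. A 30-day window is used only because a call-back request has no value once the call has been made; the better design is to e-mail the request to the advice line and store nothing at all.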
ICO deputy commissioner David Smith said the incident underlines the need for vigilance and respect towards data that is being collected and stored.
"BPAS didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure. But ignorance is no excuse," he said.
"It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
BPAS chief executive Ann Furedi said the charity was “horrified” by the scale of the fine and would be appealing to the ICO.
"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime," she said. "It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way."
The fine will be reduced to £160,000 if BPAS pays by the end of March.

Microsoft plans full fix for Internet Explorer zero-day SnowMan exploit

Microsoft has detailed plans to release a full fix for a vulnerability in Internet Explorer 9 and 10 that was being targeted by so-called Operation SnowMan hackers.
The issue first came to light in mid-February when it was uncovered by security firm FireEye. Given its severity, Microsoft released a temporary Fix it workaround rather than a full patch, as several organisations, such as veterans charity VFW.org, were hit by attackers using the exploit.
Now the firm has given more details of plans for a full fix to be released in its latest Patch Tuesday update, scheduled for 11 March.
Dustin Childs, group manager for Microsoft’s Trustworthy Computing division, wrote: “The update provided fully addresses the issue first described in Security Advisory 2934088 [the Internet Explorer issue]."
“While we have seen a limited number of attacks using this issue, they have only targeted Internet Explorer 10. Customers using other versions of Internet Explorer have not been impacted.”
Other fixes being released include a “critical” fix for Windows and three “important” fixes, two for Windows and one for Silverlight.
Microsoft has not disclosed specifics on the issues being patched here, in order not to give away any information that could be used by criminals prior to the patch release.
The firm also said it would release an updated version of its Windows Malicious Software Removal Tool via Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
The updates come amid ongoing security concerns being raised about Microsoft's Windows XP platform, which is now just one month from reaching its support cut-off date.

ICO in tricky predicament with £200,000 fine for pregnancy charity

For years data protection watchdog the Information Commissioner’s Office (ICO) was regarded as a toothless tiger.
It sounded big and scary and delivered stern warnings about the importance of data protection, but it could do very little about any data breaches, except perhaps wag its finger.
Then in 2010 everything changed. It was given fining powers to the tune of £500,000 and since then it has levied over £4m against organisations. But some may now consider it something of a heartless hound.
The latest to fall foul of the ICO’s desire for justice is the British Pregnancy Advisory Service (BPAS). The charity provides help and guidance for women with an unplanned pregnancy, from abortions to counselling and more besides.
For some its work is contentious and in March 2012 an anti-abortion hacker used his computing skills to wreak havoc on its website, defacing it and stealing details about those who had contacted the charity for help.
The hacker – James Jeffery – got almost three years in prison as a result of the incident.
As the hack affected personal details of members of the public, the ICO got involved and its investigation found several technical lapses at the BPAS that made the incident worse than it should have been.
The long and short of it is that the BPAS now faces a fine of £200,000 for an incident which, as its CEO Ann Furedi understandably points out, was caused by a hacker who is now almost seeing his actions rewarded.
“We accept that no hacker should have been able to steal our data, but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do,” she said.
“It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way."
Furedi also said the fine was “out of proportion” when compared with others the ICO has handed out, especially when those organisations’ breaches were not caused by criminal behaviour.
A trawl back through recent fines suggests this claim is not without merit:
- Glasgow City Council fined £150,000 after losing 74 unencrypted laptops, including one containing more than 6,000 people's bank records.
- Aberdeen City Council fined £100,000 after a member of staff inadvertently posted data relating to the care of vulnerable children online.
- Islington Council fined £70,000 after details of over 2,000 residents were released online due to a basic misuse of Excel by a staff member.
Even if the BPAS pays its fine early – by the end of March – it still faces paying £160,000, more than any of those listed above.
None of this is to say the ICO has acted unreasonably though: it has to enforce the law and if it encounters instances of poor data protection – as in this case – it must take a stand so others sit up and take notice. If other firms and charities up their game after seeing a fine being levied, the public are better protected.
Conversely, if it does not issue a fine, it will be seen as weak and unwilling to take a stand, while any organisation that is fined can make a claim to being harmed. A council delivers vital frontline services and a fine will hamper its efforts to do this, it could be argued.
Clearly, this is a controversial case, driven by the scale of the fine. The fact this money will end up in government coffers – having been given to charity – is also questionable, as noted by Stewart Room, partner at law firm Field Fisher Waterhouse.
“The users of the BPAS charity services have high expectations of privacy and any security weakness that could expose them is bound to trouble the regulator,” he said.
“But the financial penalty regime here is moving money from the collection jar direct to The Treasury. Perhaps the cash could be better spent on improving security and data protection at the charity?"
The BPAS is now appealing the fine in what could prove a fascinating case to see if the ICO's desire to fine can be tamed.