A listing of non-technical reference material that I occasionally call upon.
Twitter accounts run by the Daily Telegraph were hijacked by pro-Assad hacktivists from the Syrian Electronic Army briefly on Monday evening.
The UK broadsheet’s Facebook account was also purloined by the group in the latest of a growing line of similar attacks against high-profile media outlets including the FT, The Guardian, Associated Press, CBS, the BBC, Al Jazeera and even satirical magazine The Onion.
The hijacked @TelegraphNews Twitter account was used to punt pro-Assad propaganda as well as to brag about the reported takeover of other accounts including @TelegraphArt, @TelegraphFilm, @Tele_Comedy, @TelegraphSport, and @TelegraphBooks.
The offending messages were quickly purged after control of the affected accounts was wrested away from the hackers. However, a record of the offending messages can be found on the personal blog of veteran infosec expert Graham Cluley here.
We don’t know how the @TelegraphNews Twitter feed was hacked, although a determined multi-stage phishing campaign akin to that successfully performed by the same group against The Onion is the most likely explanation.
The SEA’s attack on The Onion ultimately succeeded in extracting passwords for email accounts charged with running social media feeds, at which point hackers would obviously have gained complete control over these profiles, allowing them to post whatever they wanted.
Twitter has told media organisations to be wary of this type of attack but until it introduces two-factor authentication, experience suggests this sort of account-hijacking assault will continue to be a useful outlet for propaganda for hackers affiliated with the SEA, who appear to have cornered the market for this sort of thing. ®
Security researchers have uncovered what appears to be a sophisticated targeted attack launched from India and designed to steal information from a range of government and private enterprise victims in Pakistan, China and elsewhere.
What began as an investigation into an attack on Norwegian operator Telenor soon uncovered evidence to show that attackers probably hailing from India had been lifting info from business, government and political organisations for as long as three years.
Norwegian anti-malware firm Norman AS claimed in its Operation Hangover (PDF) report that although the attack infrastructure appeared “predominantly to be a platform for surveillance against targets of national security interest (such as Pakistan)”, as well as industrial espionage, there is no direct evidence to link it to state-sponsored players.
Attackers used spear phishing techniques, exploiting known Microsoft software vulnerabilities – no zero days – to drop info-stealing malware dubbed “HangOver” onto victims’ machines.
Finding readable folders on a number of C&C servers, the researchers dug deeper to discover several malicious executables digitally signed with a certificate which had been revoked in 2011.
Domains registered by the attackers were almost all privacy protected, while “almost all websites belonging to this attacker has their robots.txt set to ‘disallow’ to stop them from being crawled”, the report continued.
However, the attack is far from advanced, according to security firm Eset, which has also been investigating.
“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks,” the vendor said in a blog post.
The researchers at Norman explained how the initial Telenor attack allowed them to widen the investigation, as follows:
We have direct knowledge of only one attack – the one against Telenor. During this investigation we have obtained malware samples and decoy documents that have provided indications as to whom else would be in the target groups. We have observed the usage of peculiar domain names that are remarkably similar to existing legitimate domains. We have also obtained sinkhole data for a number of domains in question and found open folders with stolen user data in them; enough to identify targets down to IP and machine name/domain level.
These IP addresses hail from a large range of countries globally including China, Russia, France and the US but the vast majority correspond to Pakistan.
Aside from Telenor, the report listed other attack targets as energy companies the Eurasian Natural Resources Corporation (ENRC) and Bumi; Porsche Informatik; and the Chicago Mercantile Exchange.
“The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin,” the report concludes.
Interestingly, an analysis of the project paths for malware creation revealed a highly organised operation in which “multiple developers are tasked with specific malware deliverances”:
There are many diverging project paths which points towards different persons working on separate sub-projects, but apparently not using a centralised source control system. The projects seem to be delegated into tasks, of which some seem to follow a monthly cycle.
The report also points out that the word “Appin” crops up in various contexts and cases, including malware file names, speculating some actor may be deliberately trying to implicate Indian security company Appin Security Group in the attacks.
The company has now issued a warning notice on its home page urging the public “not to be misled by any communication received through fictitious domains which are purportedly being made by, or on behalf of, our company”.
It also sent a strongly worded statement to The Hacker News claiming the reference to Appin in the report was a “marketing gimmick on the part of Norman AS” and that it has already initiated legal proceedings against the Norwegian firm. ®
The Stuxnet worm may have actually pushed forward Iran’s controversial nuclear programme over the long term.
That’s according to a report published by the Royal United Services Institute, an influential defence think tank in the UK.
The infamous worm infected systems at Iran’s uranium enrichment facility at Natanz in 2009 and 2010, hobbling high-speed centrifuges after infecting computers connected to SCADA industrial control systems at the plant.
The sophisticated attack, seen as an alternative to a military strike against the facility, is credited with putting Iran’s nuclear programme back by between 18 months to two years. The malware worked by infiltrating the SCADA systems used to run the high-speed gas centrifuges. It then randomly, and surreptitiously, speeded them up and slowed them down to induce seemingly random, but frequent, failures.
However, a journal article published by the Royal United Services Institute (RUSI) claims that Iranian authorities redoubled their efforts after Stuxnet was discovered, so that production of fissile material went up – rather than down – a year after the SCADA-busting worm was discovered.
The malware acted as a wake-up call that prompted the Iranians to throw more resources at the nuclear project, bonded personnel together and prompted security audits that uncovered vulnerabilities that might otherwise have gone unnoticed, the Daily Telegraph also noted.
The Obama administration last year leaked its role in developing Stuxnet as part of a wider US-Israeli effort, codenamed Operation Olympic Games, that began under the presidency of George W. Bush. Public revelation of this suspected role thwarted the slim possibility of a diplomatic resolution to Iran’s nuclear ambitions, while acting to put the country closer towards a war footing with Israel.
The Washington-based Institute for Science and International Security claimed in February 2011 that Stuxnet likely destroyed about 1,000 IR-1 centrifuges, out of 9,000 deployed at Natanz.
Yet Ivanka Barzashka, an academic at King’s College, London, who penned the RUSI article, reckons the initial impact of the worm has been overestimated by those left somewhat awestruck by the effect of the world’s first cyber-weapon.
“While Stuxnet may have had the potential to seriously damage Iranian centrifuges, evidence of the worm’s impact is circumstantial and inconclusive,” she wrote in the RUSI journal. “Related data shows that the 2009 version of Stuxnet was neither very effective nor well-timed and, in hindsight, may have been of net benefit to Tehran.”
Iran decommissioned and replaced about 1,000 high-speed IR-1 centrifuges at its fuel enrichment plant (FEP) at Natanz over just a few months starting late in 2009. But since August 2010 the number of operational machines at Natanz has been “steadily growing”, as Barzashka claimed in her piece:
Iran began enrichment to 20 per cent in one IR-1 cascade at the Pilot Fuel Enrichment Plant at Natanz in February 2010, ostensibly to manufacture its own fuel for the Tehran Research Reactor, which is used to produce medical isotopes. This development shows that Iran was able to successfully install and operate new machines in early 2010, between the first and second Stuxnet attack waves. If Stuxnet was the cause of the drop in machine numbers at block A26, it had no effect on Iran’s ability to operate and install new IR-1 centrifuges several months later.
The Natanz FEP began operation in February 2007, but prior to Stuxnet could only produce enrichment levels of 3.5 per cent, which is suitable only as low-grade reactor fuel. Barzashka explained that IAEA physical inventory data on the number of centrifuges installed at the Iranian facility are potentially misleading because machines have constantly been installed and upgraded over time.
“Calculations show that performance at the FEP – measured as separative capacity – has increased every year since the beginning of operations in 2007,” she writes. “Data for the 2010 reporting period – from 22 November 2009 to November 2010 – are no exception. In fact, uranium-enrichment capacity grew during the time that Stuxnet was said to have been destroying Iranian centrifuges.”
Iran produced more enriched uranium, more efficiently: the entire plant’s separative capacity per day increased by about 40 per cent, despite the fluctuations in centrifuge numbers.
In January 2010, Iran was running 1,148 centrifuges fewer than it had operating seven months earlier, in May 2009. In August 2010, IAEA inspectors counted the same number of machines as in August 2008, giving rise to the probable source of the claim that Stuxnet set back Iran’s enrichment programme by two years.
Both of these raw figures are misleading, according to the defence analyst.
Barzashka reckons that while Stuxnet might have temporarily slowed Iran, at least in 2009, its operations emerged from the aftermath of the worm leaner and meaner. Its technicians improved centrifuge performance before achieving higher concentrations and greater volumes of enriching uranium than before.
Worse yet, the Iranians are far more wary about – and better prepared to defend against – future cyber-attacks against their nuclear facilities by possible successors to Stuxnet.
“Iran’s uranium-enrichment capacity increased and, consequently, so did its nuclear weapons potential,” Barzashka wrote. “The malware – if it did in fact infiltrate Natanz – has made the Iranians more cautious about protecting their nuclear facilities,
“The malware did not set back Iran’s enrichment programme, though perhaps it might have temporarily slowed down Iran’s rate of expansion. Most importantly, Stuxnet or no Stuxnet, Iran’s uranium enrichment capacity increased and, consequently, so did its nuclear weapons potential,” she concludes.
Former Foreign Secretary Sir Malcolm Rifkind criticised Barzashka’s report before stressing that bilateral diplomatic talks between the US and Iran remain the best way to address Iran’s nuclear ambitions.
“Part of the objective of many people in the international community has been to stop, or if you can’t stop, to slow down the Iranian nuclear programme,” Rifkind, chairman of Parliament’s Intelligence and Security Committee, told the Telegraph. “In so far as Stuxnet may have done that, and I emphasise may have done that, it was a plus.”
“What is undoubted is that it [Stuxnet] significantly slowed down the enrichment process,” he added. ®
Heavyweights of the cryptographic world have lined up behind a campaign against proposed US wiretapping laws that could require IT vendors to place new backdoors in digital communications services.
Technical details are vague at present, but the planned law could mandate putting wiretap capabilities in endpoints to cover everything from instant messaging and chat to services such as Skype, Google Hangouts and even Xbox Live.
The plan to update the Communications Assistance for Law Enforcement Act (CALEA) comes as part of proposals to update US wiretapping laws drafted in the 1990s, which were designed to apply to telephone exchanges and switching equipment.
Critics of the proposed law – including cryptographer Bruce Schneier and Phil Zimmermann, the creator of email encryption package PGP – argue that any backdoor would be open to abuse by hackers, including foreign governments. Any such system would necessarily make software both more complex and harder to secure, as well as posing a privacy risk.
Advocates of updating CALEA say it should apply to encrypted VoIP channels, P2P and instant mobile messaging services to help fight organised crime and terrorism. The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless.
Computer scientists argue that the opposite is closer to the truth: information about people’s movements and communications is more freely available than ever before, thanks to social networking and smartphones. Through moves such as the proposed “CALEA II” law, US agencies are getting closer to achieving their goal of real-time tapping of online communications. We are, therefore, living in a golden age of state surveillance.
In addition, critics point out that CALEA-mandated systems have been abused. For example, eavesdroppers tapped the mobile phones of the then Prime Minister of Greece, Kostas Karamanlis, his cabinet ministers and security officials for about nine months between June 2004 and March 2005 around the time of the Athens Olympics.
The spies used CALEA backdoors on Vodafone Greece switches to illegally plant spyware so that conversations were relayed to 14 “shadow” pay-as-you-go mobile phones.
The Greek newspaper Kathimerini on Sunday revealed in 2011 that four of those phones were originally purchased by the US embassy, although the eavesdroppers were never traced. In a similar case, AT&T’s CALEA controls went through a Solaris machine that was rooted by hackers, giving crooks the ability to tap into calls.
Critics of CALEA also point out that if endpoint wiretaps were mandated in the US there would be nothing to stop software developers creating non-compliant software elsewhere, and then releasing it as open source code. There would be no way of preventing this technology from being imported into the US and rendering the whole proposal largely pointless – at least, when applied against criminals and terrorists.
In this scenario, the general population and corporate users would be using technology that is easier for hostile parties to wiretap, the crypto boffins warn (PDF, 7 pages).
The FBI’s desire to expand CALEA mandates amounts to developing for our adversaries capabilities that they may not have the competence, access, or resources to develop on their own. In that sense, the endpoint wiretap mandate of CALEA II may lower the already low barriers to successful cybersecurity attacks.
We believe that on balance mandating that endpoint software vendors build intercept functionality into their products will be much more costly to personal, economic and governmental security overall than the risks associated with not being able to wiretap all communications.
Weakening device security makes users more vulnerable to criminals and spies without really inconveniencing terrorists or fraudsters, even for those who trust US government agencies not to abuse increased wiretap powers.
Ed Felten, one of the computer scientists opposed to wiretapping endpoints – be they on smartphones or PCs – summarises the reservations of crypto-boffins in a blog post here.
“The plan would endanger the security of US users and the competitiveness of US companies, without making it much harder for criminals to evade wiretaps,” Felten explains. ®
Analysis High-street socks’n’frocks chain Marks and Spencer is accused of quietly taking money from shoppers’ contactless bank cards at the tills.
The accusations come from Radio 4’s Money Box listeners, who called in to report that M&S had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to pay for stuff another way.
It seems the money was unexpectedly taken from bank cards that can do pay-by-wave with compatible tills using Near Field Communications (NFC). One simply has to wave the card near the machine – within a few centimetres – for the transaction to take place over the air by radio wave.
But customers complained this was happening over a much greater distance with the tills that M&S recently installed in its UK stores.
The retail chain refunded the disputed payments – even those that went unnoticed until the customer’s bank statement turned up weeks later – while pointing out that its NFC system was well tested prior to deployment. With a million transactions a month, one might expect more than a couple of complaints if there was a significant problem.
The technology used by M&S is supplied by Visa. While neither company has responded to The Register’s enquiries, we do know that several of the scenarios described by Money Box listeners should not be possible if the equipment is programmed to the NFC standard.
It’s certainly possible for a till to debit the wrong card. However, doing so from several feet away beggars belief, in El Reg’s opinion, as the induction coil that powers the NFC card has a very limited range: you effectively have to bonk your card against the machine.
However, one can imagine a wallet or purse being held beside an NFC reader in the same hand which is placing the preferred card onto the terminal, which could result in the wrong card being debited.
But the EMV (Europay, Mastercard, Visa) standard to which NFC terminals are supposed to conform requires the contactless circuit to be disconnected as soon as a chip’n’PIN card is slotted in. This is necessary as most chip cards also have NFC embedded, these days, and cards in the slot are perfectly positioned for the contactless reader; so the decision was made that the insertion of the card should indicate a preference for PIN.
One of the two callers who complained to Money Box said that a contactless transaction was made despite her debit card being in the Chip-and-PIN slot. Indeed, “Paula from London” claimed to have paid twice for the same goods, once using her PIN and once again using a contactless card which was 40cm away in her bag. M&S apparently refunded the money, but the BBC reckons other people may not have noticed.
Billing twice certainly shouldn’t be possible. The process flow of a payment is well known, and the till shouldn’t issue multiple receipts any more than it would accept two successive Chip-and-PIN payments for the same goods.
It is possible that the terminals used by M&S were hugely overpowered if they were reading cards at 40cm, or that they fail to implement the EMV standard properly. Equally, it’s possible that the tills are running software which allows multiple billing for the same transaction. The two complaints to M&S, plus a similar complaint made to Pret a Manger, could well be the tip of an extensive iceberg.
That said, it’s more likely that a customer placing a contactless card on a terminal accidentally had their wallet in the same hand, or an improperly inserted card resulted in the terminal contacting the NFC bank card in the shopper’s purse instead.
Contactless payments are a bit scary, and one should probably keep an eye on one’s credit card bills while the technology beds in, but on this particular scandal we’ll side with Occam. ®
Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.
Infosec researchers have uncovered SafeNet in as many as 100 countries.
SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158).
The operation appears to involve two campaigns linked together by the use of the same strain of malware and differentiated by the use of different command-and-control infrastructures.
One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The topic of emails in the second part of the campaign is yet to be identified but appears to have broader appeal since this strand of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest by the malware.
Sloppy coding on one of the campaign’s command servers allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the attack.
One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.
It seems like nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to the SafeNet malware.
Trend’s researchers reckon the average number of actual victims remained at 71 per day, with few if any changes from day to day. “This indicates that the actual number of victims is far less than the number of unique IP addresses,” according to the security researchers.
The people behind the attack are connecting to command servers using VPN technology and the Tor anonymiser network. This means that little evidence about where the attackers are based can be obtained from the command nodes running the campaign. However clues in the coding have led Trend’s researchers to speculate the malware at least was brewed in China.
“While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China,” writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.
“However, the relationship between the malware developers and the campaign operators themselves remains unclear.” ®
Trend Micro notes that there is no link between the the attack and SafeNet, Inc, a reputable information security firm. The “SafeNet” name comes from references within the malware itself.
Four individuals accused of being members of Anonymous and participating in “Operation Tango Down” have been arrested in Italy.
According to AFP, the four are being accused of various attacks in Italy, including a DDoS against the Vatican and the parliamentary Website.
The Postal Police – responsible for enforcement of communications law – carried out 12 raids across Italy, according to this report in Gazetta del Sud.
The police also claim the group “carried out a series of attacks against the computer systems of critical infrastructure, institutional sites and important companies”.
The four men arrested are a 20-year-old from Bologna, a 43-year-old from near Lecce, a 28-year-old from the province of Venice, and a 25-year-old from the province of Turin.
Attacks reported in Italy include downing the home page of the country’s interior ministry, the police, and the Carabinieri.
In 2011, Italian and Swiss police arrested 15 Anonymous suspects. ®
EMC has warned a flaw in the Control Station software for its VNX and Celerra arrays could allow just about anyone logged into them to do just about anything.
EMC described the fault as stemming from “Script files in affected products exist with ownership permissions for the nasadmin group account.”
The nasadmin group is designed as a group of general users, while the user with the same name “has system-wide management capabilities for the box and is authorized to make extensive changes to the storage system.” The flaw means folks in the group get the same privileges as nasadmin, the user.
That means mere sysadmins allowed to log into VNX and Celerra devices can “exploit this vulnerability to run arbitrary commands as the root user.”
Which may get storage admins more than a little jumpy, lest those less familiar with their arrays’ operation
Celerra owners know their boxen are already obsolete, but nonetheless have been urged by EMC to upgrade “at the earliest opportunity” by getting their hands on this download. VNX users are urged to do likewise, with their download available here.
EMC has tipped its hat to Doug DePerry of iSEC Partners for finding the flaw. ®
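As an added example (not EMC’s code and not specific to Control Station), this Python audit shows the kind of check a storage administrator might run after an advisory like the one above: it walks a directory tree, flags executable scripts that a user or group outside a trusted set could modify, and strips the offending write bits. The sample tree, file names and permissions are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import FrozenSet, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    reason: str


def audit_scripts(root: str,
                  trusted_uids: FrozenSet[int] = frozenset({0}),
                  trusted_gids: FrozenSet[int] = frozenset({0})) -> List[Finding]:
    """Report executable regular files under `root` that someone outside
    trusted_uids/trusted_gids could modify. Any such file is a privilege
    escalation path if a privileged process later runs it, which is the
    pattern in the advisory above (scripts owned by a general-user group)."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue                     # only executables matter here
            if st.st_uid not in trusted_uids:
                findings.append(Finding(path, f"owned by untrusted uid {st.st_uid}"))
            if mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                findings.append(Finding(path, f"writable by untrusted gid {st.st_gid}"))
            if mode & stat.S_IWOTH:
                findings.append(Finding(path, "world-writable"))
    return findings


def harden(findings: List[Finding]) -> int:
    """Clear group and world write bits on every flagged file. Ownership
    problems need a chown by an administrator and are deliberately left alone."""
    fixed = 0
    for path in {f.path for f in findings}:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
        fixed += 1
    return fixed


def build_sample_tree() -> str:
    """Constructed demo tree (not a real array's layout): one correctly
    protected script and two that a non-owner could edit."""
    base = tempfile.mkdtemp(prefix="scriptaudit_")
    samples = {
        "safe.sh": 0o755,            # rwxr-xr-x: only the owner can write
        "group_writable.sh": 0o775,  # rwxrwxr-x: any group member can edit
        "world_writable.sh": 0o757,  # rwxr-xrwx: anyone can edit
    }
    for name, mode in samples.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho maintenance task\n")
        os.chmod(path, mode)
    return base


def run_demo() -> Tuple[List[Finding], int, List[Finding]]:
    """Audit the sample tree, harden it, and audit again. The current user is
    treated as trusted so that only permission bits are judged."""
    tree = build_sample_tree()
    trusted = frozenset({os.getuid()})
    before = audit_scripts(tree, trusted, frozenset())
    fixed = harden(before)
    after = audit_scripts(tree, trusted, frozenset())
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = run_demo()
    for item in before:
        print(f"{item.path}: {item.reason}")
    print(f"hardened {fixed} file(s); {len(after)} finding(s) remain")
```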
Yahoo! Japan has told its 200 million customers to change their passwords after revealing that 22 million user IDs may have been exposed in a suspected intrusion last week.
The attack was detected at around 9:00 PM local time on Thursday night, with the internet giant apparently cutting access while it checked what had happened.
Reports suggest it discovered an attempt to steal User IDs, with a file containing 22 million potentially exposed.
“We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals”, Yahoo! Japan said in a statement sent to AFP.
Although the data which may have been compromised apparently doesn’t include passwords and the kind of user data needed to reset passwords, the firm is taking no chances.
Hackers also tried to breach Yahoo! Japan last month in a similar raid on user data, although their motives remain unclear.
Yahoo! Japan is a joint venture between the internet pioneer and Japanese mobile and broadband operator SoftBank, which remains one of the US giant’s few remaining success stories.
In the first quarter of 2013, it was Yahoo!’s Japan JV – in which it has a 33 per cent stake – as well as its 20 per cent investment in China’s Alibaba, which helped the firm to record a 36 per cent year-on-year increase in net income to $390 million (£253.9m). ®
The Financial Times website and its Twitter accounts were this afternoon hijacked by pro-government hackers from the “Syrian Electronic Army”.
The posh broadsheet’s Tech Blog – at http://blogs.FT.com/beyond-brics – was compromised to run stories headlined “Syrian Electronic Army Was Here” and “Hacked by the Syrian Electronic Army”.
Meanwhile, the Technology News (@FTtechnews), FT Media and FT Markets Twitter feeds were seized by miscreants, who posted web links to disturbing YouTube videos of jihadis executing men by firing squad.
The blog has been cleaned up, but the Twitter accounts remain compromised.
Breaking news, literally … the compromised Pink ’Un’s tweets
The takeover is the latest in a series of high-profile attacks against media organisations by hackers apparently in favour of Syrian president Bashar al-Assad. The so-called electronic army has knackered the online operations of The Guardian, Associated Press, the BBC and even satirical newspaper The Onion.
Techies at The Onion published an informative postmortem after the attack, revealing its email accounts were infiltrated following a multistage phishing expedition – a raid that gave the hackers control of the magazine’s social networking pages. The techniques used against the FT are unclear at the time of writing.
Computer security biz Arbor Networks said Twitter’s anticipated introduction of two-factor authentication ought to curtail, if not eliminate, this sort of account hijacking. Dan Holden, director of research at Arbor, commented: “Twitter recently announced plans to introduce two factor authentication, which is a big step forward from a security perspective. As this particular event shows the human element is often the weakest link in any security solution.”
“Given similar attacks in recent weeks against the Guardian in the UK and The Onion in US these attacks seem to be very targeted. Organisations should put processes in place to ensure that their staff are trained on best practices and have the support and training needed to allow them to follow these practices easily during their normal working routine. Ideally network monitoring solutions should also be put in place to alert an organisation when a user system connects to a known bad actor on the internet as this may indicate a compromise, allowing remedial action to be taken before there is any business impact,” he added. ®