Home Secretary to decide on McKinnon extradition by October

The UK Home Secretary is due to decide by mid-October whether or not to order Gary McKinnon’s extradition to the US, a hearing at the High Court heard on Tuesday.

The hearing followed a decision by McKinnon and his legal team to decline to undergo a Home Office medical test by a doctor, Professor Thomas Fahy, whom McKinnon’s legal team said lacked specialist skill in assessing the mental state of people with Asperger’s. Experts in autism, including Doctor Jan Vermeulen who carried out a face-to-face assessment of McKinnon, have warned that McKinnon is at severe risk of committing suicide if faced with the prospect of a US trial on computer hacking charges.

An assessment of his suicide risk will be a key factor in the deliberations of Home Secretary Theresa May.

McKinnon, 46, admits hacking into US military and NASA computers during 2001 and 2002 with the aim of hunting for suppressed evidence about UFOs. But he denies causing damage and has consistently sought a trial in the UK since extradition proceedings began in late 2005, three years after his arrest by UK police.

His case was the topic of unsuccessful appeals that went all the way up to the House of Lords and the European Court of Human Rights before McKinnon was diagnosed with Asperger’s Syndrome, in August 2008. Labour Home Secretary Alan Johnson allowed McKinnon’s extradition despite medical evidence but extradition was later blocked pending a judicial review. This review was adjourned after the UK’s incoming Home Secretary, Theresa May, decided to re-examine the medical evidence back in May 2010.

Last week a Home Office spokesman said May was close to making a decision. “The Home Secretary will make a decision as soon as possible: this is a complex case, in a complex area of the law, and a large amount of material has been submitted, some of it relatively recently,” he said.

McKinnon’s case for trial in the UK has been supported by numerous public figures including Sting, David Gilmour, Stephen Fry, Terry Waite, Tony Benn, and numerous politicians of all hues. The issue has spawned debate in Parliament and reviews of the extradition laws between the US and UK, which critics argue are one-sided and unfair. Efforts to come to a diplomatic agreement about the case have been fruitless.

May’s decision in October is unlikely to be the last word on the case, if past form is any guide. And a further judicial review is more than likely if this review goes against McKinnon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/24/mckinnon_extradition_review/


Marks & Sparks accused of silently bonking punters over the tills

Analysis High-street socks’n’frocks chain Marks and Spencer is accused of quietly taking money from shoppers’ contactless bank cards at the tills.

The accusations come from Radio 4’s Money Box listeners, who called in to report that M&S had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to pay for stuff another way.


It seems the money was unexpectedly taken from bank cards that can do pay-by-wave with compatible tills using Near Field Communications (NFC). One simply has to wave the card near the machine – within a few centimetres – for the transaction to take place over the air by radio wave.

But customers complained this was happening over a much greater distance with the tills that M&S recently installed in its UK stores.

The retail chain refunded the disputed payments – even those that went unnoticed until the customer’s bank statement turned up weeks later – while pointing out that its NFC system was well tested prior to deployment. With a million transactions a month, one might expect more than a couple of complaints if there was a significant problem.

The technology used by M&S is supplied by Visa. While neither company has responded to The Register’s enquiries, we do know that several of the scenarios described by Money Box listeners should not be possible if the equipment is programmed to the NFC standard.

It’s certainly possible for a till to debit the wrong card. However, doing so from several feet away beggars belief, in El Reg’s opinion, as the induction coil that powers the NFC card has a very limited range: you effectively have to bonk your card against the machine.

However, one can imagine a wallet or purse being held beside an NFC reader in the same hand which is placing the preferred card onto the terminal, which could result in the wrong card being debited.

But the EMV (Europay, Mastercard, Visa) standard to which NFC terminals are supposed to conform requires the contactless circuit to be disconnected as soon as a chip’n’PIN card is slotted in. This is necessary as most chip cards also have NFC embedded, these days, and cards in the slot are perfectly positioned for the contactless reader; so the decision was made that the insertion of the card should indicate a preference for PIN.

One of the two callers who complained to Money Box said that a contactless transaction was made despite her debit card being in the Chip-and-PIN slot. Indeed, “Paula from London” claimed to have paid twice for the same goods, once using her PIN and once again using a contactless card which was 40cm away in her bag. M&S apparently refunded the money, but the BBC reckons other people may not have noticed.

Billing twice certainly shouldn’t be possible. The process flow of a payment is well known, and the till shouldn’t issue multiple receipts any more than it would accept two successive Chip-and-PIN payments for the same goods.

It is possible that the terminals used by M&S were hugely overpowered if they were reading cards at 40cm, or that they fail to implement the EMV standard properly. Equally, the tills may be running software which allows multiple billing for the same transaction. The two complaints to M&S, plus a similar complaint made to Pret a Manger, could well be the tip of an extensive iceberg.

That said, it’s more likely that a customer placing a contactless card on a terminal accidentally had their wallet in the same hand, or an improperly inserted card resulted in the terminal contacting the NFC bank card in the shopper’s purse instead.

Contactless payments are a bit scary, and one should probably keep an eye on one’s credit card bills while the technology beds in, but on this particular scandal we’ll side with Occam. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/marks_and_spencer_nfc/

Securo-boffins uncover new GLOBAL cyber-espionage operation

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.

Infosec researchers have uncovered SafeNet in as many as 100 countries.


SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158).

The operation appears to involve two campaigns linked together by the use of the same strain of malware and differentiated by the use of different command-and-control infrastructures.

One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The topic of emails in the second part of the campaign is yet to be identified but appears to have broader appeal since this strand of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest by the malware.

Sloppy coding on one of the campaign’s command servers allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the attack.

One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

It seems like nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to the SafeNet malware.

Trend’s researchers reckon the average number of actual victims remained at 71 per day, with few if any changes from day to day. “This indicates that the actual number of victims is far less than the number of unique IP addresses,” according to the security researchers.

The people behind the attack are connecting to command servers using VPN technology and the Tor anonymiser network. This means that little evidence about where the attackers are based can be obtained from the command nodes running the campaign. However clues in the coding have led Trend’s researchers to speculate the malware at least was brewed in China.

“While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China,” writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.

“However, the relationship between the malware developers and the campaign operators themselves remains unclear.” ®

Bootnote

Trend Micro notes that there is no link between the attack and SafeNet, Inc, a reputable information security firm. The “SafeNet” name comes from references within the malware itself.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/safe_cyber_espionage/

Four Anons cuffed in Italy

Four individuals accused of being members of Anonymous and participating in “Operation Tango Down” have been arrested in Italy.

According to AFP, the four are being accused of various attacks in Italy, including a DDoS against the Vatican and the parliamentary website.


The Postal Police – responsible for enforcement of communications law – carried out 12 raids across Italy, according to this report in Gazzetta del Sud.

The police also claim the group “carried out a series of attacks against the computer systems of critical infrastructure, institutional sites and important companies”.

The four men arrested are a 20-year-old from Bologna, a 43-year-old from near Lecce, a 28-year-old from the province of Venice, and a 25-year-old from the province of Turin.

Attacks reported in Italy include downing the home page of the country’s interior ministry, the police, and the Carabinieri.

In 2011, Italian and Swiss police arrested 15 Anonymous suspects. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/19/anon_arrests_italy/

EMC vuln gives mere sysadmins the power of storage admins

EMC has warned a flaw in the Control Station software for its VNX and Celerra arrays could allow just about anyone logged into them to do just about anything.

EMC described the fault as stemming from “Script files in affected products exist with ownership permissions for the nasadmin group account.”


The nasadmin group is designed as a group of general users, while the user with the same name “has system-wide management capabilities for the box and is authorized to make extensive changes to the storage system.” The flaw means folks in the group get the same privileges as nasadmin, the user.

That means mere sysadmins allowed to log in to VNX and Celerra devices can “exploit this vulnerability to run arbitrary commands as the root user.”

Which may get storage admins more than a little jumpy, lest those less familiar with their arrays’ operation

Celerra owners know their boxen are already obsolete, but nonetheless have been urged by EMC to upgrade “at the earliest opportunity” by getting their hands on this download. VNX users are urged to do likewise, with their download available here.

EMC has tipped its hat to Doug DePerry of iSEC Partners for finding the flaw. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/19/emc_vulnerability/

Yahoo! Japan says 22 MEELLION User IDs may have been nabbed

Yahoo! Japan has told its 200 million customers to change their passwords after revealing that 22 million user IDs may have been exposed in a suspected intrusion last week.

The attack was detected at around 9:00 PM local time on Thursday night, with the internet giant apparently cutting access while it checked what had happened.


Reports suggest it discovered an attempt to steal User IDs, with a file containing 22 million potentially exposed.

“We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals”, Yahoo! Japan said in a statement sent to AFP.

Although the data which may have been compromised apparently doesn’t include passwords and the kind of user data needed to reset passwords, the firm is taking no chances.

Hackers also tried to breach Yahoo! Japan last month in a similar raid on user data, although their motives remain unclear.

Yahoo! Japan is a joint venture between the internet pioneer and Japanese mobile and broadband operator SoftBank, and is one of the US giant’s few remaining success stories.

In the first quarter of 2013, it was Yahoo!’s Japan JV – in which it has a 33 per cent stake – as well as its 20 per cent investment in China’s Alibaba, which helped the firm to record a 36 per cent year-on-year increase in net income to $390 million (£253.9m). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/yahoo_japan_user_id_breach/

Breaking news, LITERALLY: Financial Times vandalized by hackers

The Financial Times website and its Twitter accounts were this afternoon hijacked by pro-government hackers from the “Syrian Electronic Army”.

The posh broadsheet’s Tech Blog – at http://blogs.FT.com/beyond-brics – was compromised to run stories headlined “Syrian Electronic Army Was Here” and “Hacked by the Syrian Electronic Army”.

Meanwhile, the Technology News (@FTtechnews), FT Media and FT Markets Twitter feeds were seized by miscreants, who posted web links to disturbing YouTube videos of jihadis executing men by firing squad.

The blog has been cleaned up, but the Twitter accounts remain compromised.

Breaking news, literally … the compromised Pink ’Un’s tweets

The takeover is the latest in a series of high-profile attacks against media organisations by hackers apparently in favour of Syrian president Bashar al-Assad. The so-called electronic army has knackered the online operations of The Guardian, Associated Press, the BBC and even satirical newspaper The Onion.

Techies at The Onion published an informative postmortem after the attack, revealing its email accounts were infiltrated following a multistage phishing expedition – a raid that gave the hackers control of the magazine’s social networking pages. The techniques used against the FT are unclear at the time of writing.

Computer security biz Arbor Networks said Twitter’s anticipated introduction of two-factor authentication ought to curtail, if not eliminate, this sort of account hijacking. Dan Holden, director of research at Arbor, commented: “Twitter recently announced plans to introduce two factor authentication, which is a big step forward from a security perspective. As this particular event shows the human element is often the weakest link in any security solution.”

“Given similar attacks in recent weeks against the Guardian in the UK and The Onion in US these attacks seem to be very targeted. Organisations should put processes in place to ensure that their staff are trained on best practices and have the support and training needed to allow them to follow these practices easily during their normal working routine. Ideally network monitoring solutions should also be put in place to alert an organisation when a user system connects to a known bad actor on the internet as this may indicate a compromise, allowing remedial action to be taken before there is any business impact,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/ft_twitter_hijacked_by_sea/

Jailed Romanian hacker repents, invents ATM security scheme

A Romanian man serving a five-year jail sentence for bank-machine fraud says he’s come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers.

Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the data from unwitting users’ cards – to a local organized crime gang.


It was during his subsequent trial and sentencing that Boanta saw the light and traded in his black hat for a white one, Reuters reports.

“Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction,” Boanta told reporters from his jail cell in Vaslui, Romania. “So that the other part, in which I started to develop security solutions, started to emerge.”

Boanta’s solution, known as the Secure Revolving System (SRS), is an ingenious one that uses mechanical rather than digital security.

ATM skimmers work by installing a second, concealed card reader over the one that’s built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card’s magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card’s data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser.

With Boanta’s device installed on the ATM, however, that all changes. Customers insert their cards into the slot long side first, so that the magnetic stripe is parallel to the face of the machine. The device then rotates the card 90 degrees into the ATM, where the legitimate card reader scans the magnetic stripe, then rotates it back out again to return it to the customer.

That rotation makes it impossible for an add-on skimmer to read the card, because the magnetic stripe never moves in a straight line until it is securely inside the ATM.

Obvious, yet ingenious: You don’t need to understand Romanian to get the idea

While awaiting the outcome of his trial, Valentin pitched his idea to Mircea Tudor and Adrian Bizgar of Bucharest-based technology firm MB Telecom, who helped him to patent his idea and funded development of the SRS device.

The design would go on to win the International Press Prize at the 41st International Exhibition of Inventions in Geneva, Switzerland, in April. Boanta, however, wasn’t available to accept the award. He’s currently just six months into his sentence and won’t see freedom for another four and a half years. Still, his partners at MB Telecom say all credit for the SRS design should go to him.

“He fully deserves such recognition,” Tudor told Reuters. “He’s taking part in improving Romania’s image abroad and he’ll surely join our team when released.”

MB Telecom is currently finalizing details of the commercial version of the device and expects to bring it to market in the second half of the year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/romanian_hacker_atm_security/

US military welcomes Apple iOS 6 kit onto its networks

The US Department of Defense has welcomed Apple’s iDevices into its secure networks, and has announced that it is “taking bold steps to provide sound information and proper analysis as it fortifies its cloud computing, acquisition and data processes.”

On Friday, the DoD set the stage for a three-way smackdown among Apple, Samsung, and BlackBerry for some military love by approving the security technical implementation guide (STIG) for iOS 6 devices, thus allowing them to be used when connecting to DoD networks.


BlackBerry passed muster earlier this month, and Samsung’s KNOX hardware-software security combo is expected to gain approval soon.

For Apple and Samsung, DoD approval is important to their bottom lines, but hardly critical. BlackBerry, on the other hand, is struggling to remain relevant in what was once an enormous market for it. BlackBerry can ill-afford the competition when attempting to sell the DoD on the advantages of its Z10 and Q10 handsets.

According to Reuters, the DoD currently has 470,000 BlackBerrys, 41,000 of Apple’s mobile devices, and a mere 8,700 Android-based items in its arsenal. Those numbers, however, are relatively inconsequential, seeing as how the DoD plans to open its own mobile store and build its own system to handle as many as eight million devices.

There’s a lot of purchasing to be going on, and with Apple and Samsung as its competitors, BlackBerry’s sales team will have its work cut out for it.

In a separate but related announcement, Mark Krzysko, the DoD’s deputy director for acquisition resource analysis and enterprise information – who may very well be referred to as ARAAEI in military-minded acronym-speak – said that the Pentagon is taking “bold steps” in its adoption of cloudy infrastructure.

“The technology, architecture framework and data management constructs the cloud can bring to us create ‘app-like’ thinking that [enables us to] move faster and forward more data sources out,” Krzysko said, apparently using “forward” as a verb.

The challenges that the DoD faces are not unknown among the less-armed general public: not only figuring out how to get cloudy tech and data working together, but also accomplishing the move from desktop to mobile while ensuring security.

“It is pretty much a known … intractable problem, so it gives us the opportunity to experiment … [and] create an organization to manage data and delivery in support of the decision-makers,” Krzysko said.

The Reg knows of three major manufacturers who would love to help in the mobile-device part of Krzysko’s chore – but only one of them is an American company. It will be interesting to see whether the DoD’s relationship with our close neighbor Canada or its active security partnership with South Korea play a political role in the upcoming business tussle among Apple, BlackBerry, and Samsung. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/department_of_defense_approves_apple_discusses_cloud/

Trying to kill undead Pushdo zombies? Hard luck, Trojan is EVOLVING

The crooks behind the Pushdo botnet agent have developed variants of the malware that are more resistant to take-down attempts or hijacking by rival hackers.

Dell SecureWorks and Damballa warned (PDF) on Wednesday that the latest variant of Pushdo comes packed with a fallback mechanism for cases where zombie clients are unable to contact the main command-and-control server for whatever reason.


The malware starts by using a Domain Generation Algorithm (DGA) to come up with a list of 1,380 unique domains to poll on any particular day. Bot-herders can thus restore control of compromised hosts by leaving updated malware and instructions available for download at any of these domains.

However, after the first DGA involved was exposed, security researchers began to work hard at developing countermeasures that block communication to the generated .COM domains. But it seems the nimble cybercrooks behind Pushdo were alive to that possibility and have already adapted, according to Aviv Raff, CTO of Seculert.

“The group behind Pushdo probably figured out that they are being investigated by the security vendors, because it didn’t take them too long to adapt to this new reality and change their Domain Generation Algorithm,” Raff explains in a blog post.

“This new DGA now generates .KZ domains instead of .COM domains. Not only that but there are now at least two new variants of Pushdo that are being pushed to victims from several different hijacked websites.”
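The TLD switch described above is why blocking the generated .COM names was a short-lived fix. As an added example (not Pushdo’s own DGA, which is not described here, and not code from any of the vendors named), this Python script scores the registrable label of each queried name rather than its TLD, then flags hosts that look up several such names, which is the signature of a client polling a DGA fallback list. The BIND-style log lines are constructed for the example, and the thresholds are assumptions to be tuned against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines for this example (not real traffic).
# Host 10.0.0.5 polls four random-looking names across .com and .kz.
SAMPLE_LOG = """\
17-May-2013 10:01:02.123 client 10.0.0.5#51234: query: www.theregister.co.uk IN A
17-May-2013 10:01:03.001 client 10.0.0.5#51235: query: qx7zkd3vmlpwfa.com IN A
17-May-2013 10:01:03.002 client 10.0.0.5#51236: query: tr9wqvzpkdhbjm.com IN A
17-May-2013 10:01:03.003 client 10.0.0.5#51237: query: kzvmq8pwdxtrhc.kz IN A
17-May-2013 10:01:03.004 client 10.0.0.5#51238: query: xwpqzvkmtdhrjb.kz IN A
17-May-2013 10:01:04.000 client 10.0.0.7#40001: query: mail.google.com IN A
17-May-2013 10:01:05.000 client 10.0.0.7#40002: query: secureworks.com IN A
17-May-2013 10:01:06.000 client 10.0.0.9#40101: query: damballa.com IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")

# Minimal stand-in for the Public Suffix List: suffixes that take two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_label(name):
    """Label directly below the public suffix: 'theregister' for www.theregister.co.uk."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; random labels sit near log2(len(s))."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    """Length of the longest run of consonant letters; digits and vowels break a run."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(label):
    """Heuristic (assumed thresholds): long, high-entropy label without vowel structure."""
    if len(label) < 10:
        return False
    return shannon_entropy(label) >= 3.3 and longest_consonant_run(label) >= 5


def flag_dga_clients(log_text, min_domains=3):
    """Map client IP -> sorted suspicious names, for clients with at least min_domains hits.

    The TLD is deliberately ignored, so a DGA that moves from .com to .kz is still caught.
    """
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower()
        if looks_generated(registrable_label(name)):
            suspects[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in suspects.items() if len(names) >= min_domains}


if __name__ == "__main__":
    for ip, names in flag_dga_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```

A real deployment would feed the flagged hosts into sinkhole or NXDOMAIN-rate correlation rather than act on the label heuristic alone.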

This latest development is likely to kick off a further round of cat-and-mouse games between Pushdo’s cybercrooks and security researchers.

Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures.

The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation.

As well as applying new secondary recovery techniques, the unknown crooks behind Pushdo have begun masking command-and-control traffic using a fake JPEG image file, said the researchers. They have also made greater use of encryption.

A blog post by Damballa giving more background on Pushdo and how the latest variants were uncovered can be found here. David Dagon of the Georgia Institute of Technology worked together with three researchers from Damballa and one from Dell SecureWorks Counter Threat Unit in researching the latest form of the malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/pushdo_extra_stealth/

Who is the mystery sixth member of LulzSec?

Analysis Thursday’s sentencing of three core members of hacktivist crew LulzSec and an accomplice hacker who gave them access to a botnet closes an important chapter in the history of activism. But it also leaves a number of important questions unanswered.

One of the most interesting of these puzzlers is the identity of the mysterious sixth member of the group.


LulzSec was a constant feature of the information security headlines in May-June 2011 during its “50 days of Lulz” when it attacked Fox, PBS, Sony, Nintendo, Sega, FBI-affiliated security outfits such as Infragard and HB Gary Federal, the US Senate, the Arizona State Police, the CIA and the UK’s Serious Organised Crime Agency.

Most of its targets were entertainment firms opposing file-sharing, information security outfits, or law enforcement agencies. Tactics ran from basic website-flooding attacks to defacement and site redirection. In several cases the group published stolen data from compromised websites.

The motive of the group was described by prosecutors during a London sentencing hearing this week as “anarchic self-amusement” rather than anything profit-motivated. In truth filthy lucre does play a part in the story of LulzSec, even though the overriding driver appeared in several cases to be the chance for the accused to play rock-star black-hat hackers on a global stage, sticking two fingers up to The Man.

Consequences

LulzSec had six core members: The first four were Topiary aka Jake Davis (@aTopiary), UK; T-Flow, aka Mustafa Al-Bassam (@let_it_tflow), UK; Kayla, aka Ryan Ackroyd (@lolspoon), UK; Sabu, aka Hector Monsegur (@anonymouSabu), US.

The final two, at least according to the US Attorney’s Office and the FBI indictment, were Pwnsauce, named as Darren Martyn (@_pwnsauce), Ireland; and finally the mysterious AVunit (@AvunitAnon), whose identity is unknown.

The first three of these suspects were sentenced in London’s Southwark Crown Court on Thursday. Jake Davis, 19, of Lerwick, Shetland received a 24-month sentence in a young offenders’ institute, of which he’ll serve half.

Ryan Ackroyd, 26, of Mexborough, Doncaster, received a 30-month sentence. Providing he behaves himself, he’ll serve only 15 months. Mustafa Al-Bassam, 18, from Peckham, south London, got a 20-month sentence, suspended for two years, as well as 300 hours of community work. Al-Bassam avoided jail because he was underage and still at school at the time of his offences.

Ryan Cleary (AKA Viral), 21, of Wickford, Essex, was found to have supplied a botnet of around 100,000 compromised computers that acted as a platform for LulzSec to blitz targeted websites. He was not a core member of the group but was prosecuted in the same case and ultimately received the most severe punishment of all the accused: a 32-month prison sentence.

Extradition ‘not anticipated’

The quartet were investigated in a joint operation by the Metropolitan Police’s Central e-Crime Unit and the FBI. In a statement welcoming the sentencing, Scotland Yard explained that each member of the group had a clearly defined role.

Ackroyd was responsible for researching and executing many of their hacks, Cleary assisted by allowing the use of his botnet – a system of malware-infected computers he controlled – to coordinate DDoS attacks. Al-Bassam assisted in discovering and exploiting online vulnerabilities, and also created and controlled LulzSec’s website. Davis was their spokesperson, managing their Twitter account and press releases.

Karen Todner, Cleary’s solicitor (and the law firm that represented McKinnon), issued a statement on Thursday saying they “do not anticipate” that he will become the subject of a US extradition request. Davis has also been indicted in the US but early reports suggest it’s unlikely that US authorities will seek his extradition.

The alleged ringleader of LulzSec, US-based Hector Xavier Monsegur – known online as “Sabu” – agreed to act as an informant following his arrest in June 2011, according to the FBI. The Feds said that Monsegur had helped them to identify other members of the group and other hackers.

Monsegur frequently acted as the group’s ideologue as well as directing attack campaigns. He was the midfield play-maker in a group that was at least nominally leaderless. He has already pleaded guilty to 12 counts of hacking, bank fraud, and identity theft and will be sentenced in August.

Darren Martyn (Pwnsauce) 26, of Galway, Ireland, was indicted in March 2012 for conspiring with other LulzSec members to attack Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. He also allegedly hacked into the website of Fine Gael, a political party in Ireland. He’s yet to be tried.

That all means that while four of the six core members of LulzSec have been caught, and police have indicted a fifth man whom they suspect of being number five, the identity of Avunit remains a mystery, presumably even to Sabu or other members of the group who might have given him up in the hope of receiving a lesser sentence.

“We have no idea who Avunit is,” writes Mikko Hypponen, CRO at Finnish anti-virus firm F-Secure. “We have no identity. We don’t even know which continent he is from.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/lulzsec_analysis/