Port Numbers 0-1024

Port TCP UDP Description Status
0 UDP Reserved Official
1 TCP UDP TCP Port Service Multiplexer (TCPMUX) Official
2 TCP UDP Management Utility Official
3 TCP UDP Compression Process Official
4 TCP UDP Unassigned Official
5 TCP UDP Remote Job Entry Official
6 TCP UDP Unassigned Official
7 TCP UDP Echo Protocol Official
8 TCP UDP Unassigned Official
9 TCP UDP Discard Protocol Official
10 TCP UDP Unassigned Official
11 TCP UDP Active Users (systat service[2]) Official
12 TCP UDP Unassigned Official
13 TCP UDP Daytime Protocol (RFC 867) Official
14 TCP UDP Unassigned Official
15 TCP UDP netstat service[2] Unofficial
16 TCP UDP Unassigned Official
17 TCP UDP Quote of the Day Official
18 TCP UDP Message Send Protocol Official
19 TCP UDP Character Generator Protocol (CHARGEN) Official
20 TCP FTP – data transfer Official
21 TCP FTP – control (command) Official
22 TCP UDP Secure Shell (SSH)—used for secure logins, file transfers (scp, sftp) and port forwarding Official
23 TCP Telnet protocol—unencrypted text communications Official
24 TCP UDP Priv-mail : any private mail system. Official
25 TCP Simple Mail Transfer Protocol (SMTP)—used for e-mail routing between mail servers Official
34 TCP UDP Remote File (RF)—used to transfer files between machines Unofficial
35 TCP UDP Any private printer server protocol Official
37 TCP UDP TIME protocol Official
39 TCP UDP Resource Location Protocol[3] (RLP)—used for determining the location of higher level services from hosts on a network Official
41 TCP UDP Graphics Official
42 TCP UDP nameserver, ARPA Host Name Server Protocol Official
42 TCP UDP WINS Unofficial
43 TCP WHOIS protocol Official
47 TCP UDP NI FTP Official
49 TCP UDP TACACS Login Host protocol Official
50 TCP UDP Remote Mail Checking Protocol Official
51 TCP UDP IMP Logical Address Maintenance Official
52 TCP UDP XNS (Xerox Network Systems) Time Protocol Official
53 TCP UDP Domain Name System (DNS) Official
54 TCP UDP XNS (Xerox Network Systems) Clearinghouse Official
55 TCP UDP ISI Graphics Language (ISI-GL) Unofficial
56 TCP UDP XNS (Xerox Network Systems) Authentication Official
56 TCP UDP Route Access Protocol (RAP)[4] Unofficial
57 TCP Mail Transfer Protocol (MTP) Unofficial
58 TCP UDP XNS (Xerox Network Systems) Mail Official
67 UDP Bootstrap Protocol (BOOTP) Server; also used by Dynamic Host Configuration Protocol (DHCP) Official
68 UDP Bootstrap Protocol (BOOTP) Client; also used by Dynamic Host Configuration Protocol (DHCP) Official
69 UDP Trivial File Transfer Protocol (TFTP) Official
70 TCP Gopher protocol Official
79 TCP Finger protocol Official
80 TCP UDP Hypertext Transfer Protocol (HTTP) Official
81 TCP Torpark—Onion routing Unofficial
82 UDP Torpark—Control Unofficial
83 TCP MIT ML Device Official
88 TCP UDP Kerberos—authentication system Official
90 TCP UDP dnsix (DoD Network Security for Information Exchange) Security Attribute Token Map Official
90 TCP UDP Pointcast Unofficial
99 TCP WIP Message Protocol Unofficial
101 TCP NIC host name Official
102 TCP ISO-TSAP (Transport Service Access Point) Class 0 protocol[5] Official
104 TCP UDP ACR/NEMA Digital Imaging and Communications in Medicine Official
105 TCP UDP CCSO Nameserver Protocol (Qi/Ph) Official
107 TCP Remote TELNET Service[6] protocol Official
108 TCP UDP SNA Gateway Access Server [7] Official
109 TCP Post Office Protocol v2 (POP2) Official
110 TCP Post Office Protocol v3 (POP3) Official
111 TCP UDP ONC RPC (SunRPC) Official
113 TCP ident—user identification system, used by IRC servers to identify users Official
113 TCP UDP Authentication Service (auth) Official
115 TCP Simple File Transfer Protocol (SFTP) Official
117 TCP UUCP Path Service Official
118 TCP UDP SQL (Structured Query Language) Services Official
119 TCP Network News Transfer Protocol (NNTP) — retrieval of newsgroup messages Official
123 UDP Network Time Protocol (NTP)—used for time synchronization Official
135 TCP UDP DCE endpoint resolution Official
135 TCP UDP Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service[8], used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM Unofficial
137 TCP UDP NetBIOS NetBIOS Name Service Official
138 TCP UDP NetBIOS NetBIOS Datagram Service Official
139 TCP UDP NetBIOS NetBIOS Session Service Official
143 TCP UDP Internet Message Access Protocol (IMAP) — management of email messages Official
152 TCP UDP Background File Transfer Program (BFTP)[9] Official
153 TCP UDP SGMP, Simple Gateway Monitoring Protocol Official
156 TCP UDP SQL Service Official
158 TCP UDP DMSP, Distributed Mail Service Protocol Unofficial
161 UDP Simple Network Management Protocol (SNMP) Official
162 TCP UDP Simple Network Management Protocol Trap (SNMPTRAP)[10] Official
170 TCP Print-srv, Network PostScript Official
177 TCP UDP X Display Manager Control Protocol (XDMCP) Official
179 TCP BGP (Border Gateway Protocol) Official
194 TCP UDP Internet Relay Chat (IRC) Official
199 TCP UDP SMUX, SNMP Unix Multiplexer Official
201 TCP UDP AppleTalk Routing Maintenance Official
209 TCP UDP The Quick Mail Transfer Protocol Official
210 TCP UDP ANSI Z39.50 Official
213 TCP UDP Internetwork Packet Exchange (IPX) Official
218 TCP UDP Message posting protocol (MPP) Official
220 TCP UDP Internet Message Access Protocol (IMAP), version 3 Official
256 TCP UDP 2DEV “2SP” Port Unofficial
259 TCP UDP ESRO, Efficient Short Remote Operations Official
264 TCP UDP BGMP, Border Gateway Multicast Protocol Official
308 TCP Novastor Online Backup Official
311 TCP Mac OS X Server Admin (officially AppleShare IP Web administration) Official
318 TCP UDP PKIX TSP, Time Stamp Protocol Official
319 UDP Precision time protocol event messages Official
320 UDP Precision time protocol general messages Official
323 TCP UDP IMMP, Internet Message Mapping Protocol Unofficial
350 TCP UDP MATIP-Type A, Mapping of Airline Traffic over Internet Protocol Official
351 TCP UDP MATIP-Type B, Mapping of Airline Traffic over Internet Protocol Official
366 TCP UDP ODMR, On-Demand Mail Relay Official
369 TCP UDP Rpc2portmap Official
370 TCP UDP codaauth2 – Coda authentication server Unofficial
370 TCP UDP securecast1 – Outgoing packets to NAI’s servers, http://www.nai.com/asp_set/anti_virus/alerts/faq.as Unofficial
371 TCP UDP ClearCase albd Official
383 TCP UDP HP data alarm manager Official
384 TCP UDP A Remote Network Server System Official
387 TCP UDP AURP, AppleTalk Update-based Routing Protocol Official
389 TCP UDP Lightweight Directory Access Protocol (LDAP) Official
401 TCP UDP UPS Uninterruptible Power Supply Official
402 TCP Altiris, Altiris Deployment Client Unofficial
411 TCP Direct Connect Hub Unofficial
412 TCP Direct Connect Client-to-Client Unofficial
427 TCP UDP Service Location Protocol (SLP) Official
443 TCP HTTPS (Hypertext Transfer Protocol over SSL/TLS) Official
444 TCP UDP SNPP, Simple Network Paging Protocol (RFC 1568) Official
445 TCP Microsoft-DS Active Directory, Windows shares Official
445 TCP Microsoft-DS SMB file sharing Official
464 TCP UDP Kerberos Change/Set password Official
465 TCP Cisco protocol Unofficial
465 TCP SMTP over SSL Unofficial
475 TCP tcpnethaspsrv (Aladdin Knowledge Systems Hasp services, TCP/IP version) Official
497 TCP Dantz Retrospect Official
500 UDP Internet Security Association and Key Management Protocol (ISAKMP) Official
501 TCP STMF, Simple Transportation Management Framework – DOT NTCIP 1101 Unofficial
502 TCP UDP asa-appl-proto, Protocol Unofficial
502 TCP UDP Modbus, Protocol Unofficial
504 TCP UDP Citadel – multiservice protocol for dedicated clients for the Citadel groupware system Official
510 TCP First Class Protocol Unofficial
512 TCP Rexec, Remote Process Execution Official
512 UDP comsat, together with biff Official
513 TCP rlogin Official
513 UDP Who Official
514 TCP Shell—used to execute non-interactive commands on a remote system (Remote Shell, rsh, remsh) Official
514 UDP Syslog—used for system logging Official
515 TCP Line Printer Daemon—print service Official
517 UDP Talk Official
518 UDP NTalk Official
520 TCP efs, extended file name server Official
520 UDP Routing Information Protocol (RIP) Official
524 TCP UDP NetWare Core Protocol (NCP) is used for a variety of things such as access to primary NetWare server resources, Time Synchronization, etc. Official
525 UDP Timed, Timeserver Official
530 TCP UDP RPC Official
531 TCP UDP AOL Instant Messenger, IRC Unofficial
532 TCP netnews Official
533 UDP netwall, For Emergency Broadcasts Official
540 TCP UUCP (Unix-to-Unix Copy Protocol) Official
542 TCP UDP commerce (Commerce Applications) Official
543 TCP klogin, Kerberos login Official
544 TCP kshell, Kerberos Remote shell Official
545 TCP OSIsoft PI (VMS), OSISoft PI Server Client Access Unofficial
546 TCP UDP DHCPv6 client Official
547 TCP UDP DHCPv6 server Official
548 TCP Apple Filing Protocol (AFP) over TCP Official
550 UDP new-rwho, new-who Official
554 TCP UDP Real Time Streaming Protocol (RTSP) Official
556 TCP Remotefs, RFS, rfs_server Official
560 UDP rmonitor, Remote Monitor Official
561 UDP monitor Official
563 TCP UDP NNTP protocol over TLS/SSL (NNTPS) Official
587 TCP e-mail message submission[11] (SMTP) Official
591 TCP FileMaker 6.0 (and later) Web Sharing (HTTP Alternate, also see port 80) Official
593 TCP UDP HTTP RPC Ep Map, Remote procedure call over Hypertext Transfer Protocol, often used by Distributed Component Object Model services and Microsoft Exchange Server Official
604 TCP TUNNEL profile[12], a protocol for BEEP peers to form an application layer tunnel Official
623 UDP ASF Remote Management and Control Protocol (ASF-RMCP) Official
631 TCP UDP Internet Printing Protocol (IPP) Official
631 TCP UDP Common Unix Printing System (CUPS) Unofficial
635 TCP UDP RLZ DBase Official
636 TCP UDP Lightweight Directory Access Protocol over TLS/SSL (LDAPS) Official
639 TCP UDP MSDP, Multicast Source Discovery Protocol Official
641 TCP UDP SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic Official
646 TCP UDP LDP, Label Distribution Protocol, a routing protocol used in MPLS networks Official
647 TCP DHCP Failover protocol[13] Official
648 TCP RRP (Registry Registrar Protocol)[14] Official
651 TCP UDP IEEE-MMS Official
652 TCP DTCP, Dynamic Tunnel Configuration Protocol Unofficial
653 TCP UDP SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic Official
654 TCP Media Management System (MMS) Media Management Protocol (MMP)[15] Official
657 TCP UDP IBM RMC (Remote monitoring and Control) protocol, used by System p5 AIX Integrated Virtualization Manager (IVM)[16] and Hardware Management Console to connect managed logical partitions (LPAR) to enable dynamic partition reconfiguration Official
660 TCP Mac OS X Server administration Official
665 TCP sun-dr, Remote Dynamic Reconfiguration Unofficial
666 UDP Doom, first online first-person shooter Official
674 TCP ACAP (Application Configuration Access Protocol) Official
691 TCP MS Exchange Routing Official
692 TCP Hyperwave-ISP Official
694 TCP UDP Linux-HA High availability Heartbeat Official
695 TCP IEEE-MMS-SSL (IEEE Media Management System over SSL)[17] Official
698 UDP OLSR (Optimized Link State Routing) Official
699 TCP Access Network Official
700 TCP EPP (Extensible Provisioning Protocol), a protocol for communication between domain name registries and registrars (RFC 5734) Official
701 TCP LMP (Link Management Protocol (Internet))[18], a protocol that runs between a pair of nodes and is used to manage traffic engineering (TE) links Official
702 TCP IRIS[19][20] (Internet Registry Information Service) over BEEP (Blocks Extensible Exchange Protocol)[21] (RFC 3983) Official
706 TCP Secure Internet Live Conferencing (SILC) Official
711 TCP Cisco Tag Distribution Protocol[22][23][24]—being replaced by the MPLS Label Distribution Protocol[25] Official
712 TCP Topology Broadcast based on Reverse-Path Forwarding routing protocol (TBRPF) (RFC 3684) Official
712 UDP Promise RAID Controller Unofficial
720 TCP SMQP, Simple Message Queue Protocol Unofficial
749 TCP UDP Kerberos (protocol) administration Official
750 TCP rfile Official
750 UDP loadav Official
750 UDP kerberos-iv, Kerberos version IV Official
751 TCP UDP pump Official
751 TCP UDP kerberos_master, Kerberos authentication Unofficial
752 TCP qrh Official
752 UDP qrh Official
752 UDP passwd_server, Kerberos Password (kpasswd) server Unofficial
753 TCP Reverse Routing Header (rrh)[26] Official
753 UDP Reverse Routing Header (rrh) Official
753 UDP userreg_server, Kerberos userreg server Unofficial
754 TCP tell send Official
754 TCP krb5_prop, Kerberos v5 slave propagation Unofficial
754 UDP tell send Official
760 TCP UDP ns Official
760 TCP UDP krbupdate [kreg], Kerberos registration Unofficial
782 TCP Conserver serial-console management server Unofficial
783 TCP SpamAssassin spamd daemon Unofficial
829 TCP CMP (Certificate Management Protocol) Unofficial
843 TCP Adobe Flash socket policy server Unofficial
847 TCP DHCP Failover protocol Official
860 TCP iSCSI (RFC 3720) Official
873 TCP rsync file synchronisation protocol Official USA only
888 TCP cddbp, CD DataBase (CDDB) protocol (CDDBP)—unassigned but widespread use Unofficial
901 TCP Samba Web Administration Tool (SWAT) Unofficial
901 TCP VMware Virtual Infrastructure Client (UDP from server being managed to management console) Unofficial
901 UDP VMware Virtual Infrastructure Client (UDP from server being managed to management console) Unofficial
902 TCP ideafarm-door 902/tcp self documenting Door: send 0x00 for info Official
902 TCP VMware Server Console (TCP from management console to server being Managed) Unofficial
902 UDP ideafarm-door Official
902 UDP VMware Server Console (UDP from server being managed to management console) Unofficial
903 TCP VMware Remote Console [27] Unofficial
904 TCP VMware Server Alternate (if 902 is in use, i.e. SUSE linux) Unofficial
911 TCP Network Console on Acid (NCA)—local tty redirection over OpenSSH Unofficial
953 TCP UDP Domain Name System (DNS) RNDC Service Unofficial
981 TCP SofaWare Technologies Remote HTTPS management for firewall devices running embedded Check Point FireWall-1 software Unofficial
989 TCP UDP FTPS Protocol (data): FTP over TLS/SSL Official
990 TCP UDP FTPS Protocol (control): FTP over TLS/SSL Official
991 TCP UDP NAS (Netnews Administration System) Official
992 TCP UDP TELNET protocol over TLS/SSL Official
993 TCP Internet Message Access Protocol over SSL (IMAPS) Official
995 TCP Post Office Protocol 3 over TLS/SSL (POP3S) Official
999 TCP ScimoreDB Database System Unofficial
1001 TCP JtoMB Unofficial
1002 TCP Opsware agent (aka cogbot) Unofficial
1222 TCP Suptechnology ERP 2.0 Unofficial
1023 TCP UDP Reserved[1] Official


Four Anons cuffed in Italy

Four individuals accused of being members of Anonymous and participating in “Operation Tango Down” have been arrested in Italy.

According to AFP, the four are being accused of various attacks in Italy, including a DDoS against the Vatican and the parliamentary Website.


The Postal Police – responsible for enforcement of communications law – carried out 12 raids across Italy, according to this report in Gazzetta del Sud.

The police also claim the group “carried out a series of attacks against the computer systems of critical infrastructure, institutional sites and important companies”.

The four men arrested are a 20-year-old from Bologna, a 43-year-old from near Lecce, a 28-year-old from the province of Venice, and a 25-year-old from the province of Turin.

Attacks reported in Italy include downing the home page of the country’s interior ministry, the police, and the Carabinieri.

In 2011, Italian and Swiss police arrested 15 Anonymous suspects. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/19/anon_arrests_italy/

EMC vuln gives mere sysadmins the power of storage admins

EMC has warned a flaw in the Control Station software for its VNX and Celerra arrays could allow just about anyone logged into them to do just about anything.

EMC has described the fault as stemming from “Script files in affected products exist with ownership permissions for the nasadmin group account.”


The nasadmin group is designed as a group of general users, while the user with the same name “has system-wide management capabilities for the box and is authorized to make extensive changes to the storage system.” The flaw means folks in the group get the same privileges as nasadmin, the user.

That means mere sysadmins allowed to log into VNX and Celerra devices can “exploit this vulnerability to run arbitrary commands as the root user.”

Which may get storage admins more than a little jumpy, lest those less familiar with their arrays’ operation

Celerra owners know their boxen are already obsolete, but nonetheless have been urged by EMC to upgrade “at the earliest opportunity” by getting their hands on this download. VNX users are urged to do likewise, with their download available here.

EMC has tipped its hat to Doug DePerry of iSEC Partners for finding the flaw. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/19/emc_vulnerability/

Yahoo! Japan says 22 MEELLION User IDs may have been nabbed

Yahoo! Japan has told its 200 million customers to change their passwords after revealing that 22 million user IDs may have been exposed in a suspected intrusion last week.

The attack was detected at around 9:00 PM local time on Thursday night, with the internet giant apparently cutting access while it checked what had happened.


Reports suggest it discovered an attempt to steal User IDs, with a file containing 22 million potentially exposed.

“We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals”, Yahoo! Japan said in a statement sent to AFP.

Although the data which may have been compromised apparently doesn’t include passwords and the kind of user data needed to reset passwords, the firm is taking no chances.

Hackers also tried to breach Yahoo! Japan last month in a similar raid on user data, although their motives remain unclear.

Yahoo! Japan is a joint venture between the internet pioneer and Japanese mobile and broadband operator SoftBank, which remains one of the US giant’s few remaining success stories.

In the first quarter of 2013, it was Yahoo!’s Japan JV – in which it has a 33 per cent stake – as well as its 20 per cent investment in China’s Alibaba, which helped the firm to record a 36 per cent year-on-year increase in net income to $390 million (£253.9m). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/yahoo_japan_user_id_breach/

Breaking news, LITERALLY: Financial Times vandalized by hackers

The Financial Times website and its Twitter accounts were this afternoon hijacked by pro-government hackers from the “Syrian Electronic Army”.

The posh broadsheet’s Tech Blog – at http://blogs.FT.com/beyond-brics – was compromised to run stories headlined “Syrian Electronic Army Was Here” and “Hacked by the Syrian Electronic Army”.

Meanwhile, the Technology News (@FTtechnews), FT Media and FT Markets Twitter feeds were seized by miscreants, who posted web links to disturbing YouTube videos of jihadis executing men by firing squad.

The blog has been cleaned up, but the Twitter accounts remain compromised.

Breaking news, literally … the compromised Pink ‘Un‘s tweets

The takeover is the latest in a series of high-profile attacks against media organisations by hackers apparently in favour of Syrian president Bashar al-Assad. The so-called electronic army has knackered the online operations of The Guardian, Associated Press, the BBC and even satirical newspaper The Onion.

Techies at The Onion published an informative postmortem after the attack, revealing its email accounts were infiltrated following a multistage phishing expedition – a raid that gave the hackers control of the magazine’s social networking pages. The techniques used against the FT are unclear at the time of writing.

Computer security biz Arbor Networks said Twitter’s anticipated introduction of two-factor authentication ought to curtail, if not eliminate, this sort of account hijacking. Dan Holden, director of research at Arbor, commented: “Twitter recently announced plans to introduce two factor authentication, which is a big step forward from a security perspective. As this particular event shows the human element is often the weakest link in any security solution.”

“Given similar attacks in recent weeks against the Guardian in the UK and The Onion in the US these attacks seem to be very targeted. Organisations should put processes in place to ensure that their staff are trained on best practices and have the support and training needed to allow them to follow these practices easily during their normal working routine. Ideally network monitoring solutions should also be put in place to alert an organisation when a user system connects to a known bad actor on the internet as this may indicate a compromise, allowing remedial action to be taken before there is any business impact,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/ft_twitter_hijacked_by_sea/

Jailed Romanian hacker repents, invents ATM security scheme

A Romanian man serving a five-year jail sentence for bank-machine fraud says he’s come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers.

Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the data from unwitting users’ cards – to a local organized crime gang.


It was during his subsequent trial and sentencing that Boanta saw the light and traded in his black hat for a white one, Reuters reports.

“Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction,” Boanta told reporters from his jail cell in Vaslui, Romania. “So that the other part, in which I started to develop security solutions, started to emerge.”

Boanta’s solution, known as the Secure Revolving System (SRS), is an ingenious one that uses mechanical rather than digital security.

ATM skimmers work by installing a second, concealed card reader over the one that’s built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card’s magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card’s data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser.

With Boanta’s device installed on the ATM, however, that all changes. Customers insert their cards into the slot long side first, so that the magnetic stripe is parallel to the face of the machine. The device then rotates the card 90 degrees into the ATM, where the legitimate card reader scans the magnetic stripe, then rotates it back out again to return it to the customer.

That rotation makes it impossible for an add-on skimmer to read the card, because the magnetic stripe never moves in a straight line until it is secure inside the ATM.

Obvious, yet ingenious: You don’t need to understand Romanian to get the idea

While awaiting the outcome of his trial, Valentin pitched his idea to Mircea Tudor and Adrian Bizgar of Bucharest-based technology firm MB Telecom, who helped him to patent his idea and funded development of the SRS device.

The design would go on to win the International Press Prize at the 41st International Exhibition of Inventions in Geneva, Switzerland, in April. Boanta, however, wasn’t available to accept the award. He’s currently just six months into his sentence and won’t see freedom for another four and a half years. Still, his partners at MB Telecom say all credit for the SRS design should go to him.

“He fully deserves such recognition,” Tudor told Reuters. “He’s taking part in improving Romania’s image abroad and he’ll surely join our team when released.”

MB Telecom is currently finalizing details of the commercial version of the device and expects to bring it to market in the second half of the year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/romanian_hacker_atm_security/

US military welcomes Apple iOS 6 kit onto its networks

The US Department of Defense has welcomed Apple’s iDevices into its secure networks, and has announced that it is “taking bold steps to provide sound information and proper analysis as it fortifies its cloud computing, acquisition and data processes.”

On Friday, the DoD set the stage for a three-way smackdown among Apple, Samsung, and BlackBerry for some military love by approving the security technical implementation guide (STIG) for iOS 6 devices, thus allowing them to be used when connecting to DoD networks.


BlackBerry passed muster earlier this month, and Samsung’s KNOX hardware-software security combo is expected to gain approval soon.

For Apple and Samsung, DoD approval is important to their bottom lines, but hardly critical. BlackBerry, on the other hand, is struggling to remain relevant in what was once an enormous market for it. BlackBerry can ill-afford the competition when attempting to sell the DoD on the advantages of its Z10 and Q10 handsets.

According to Reuters, the DoD currently has 470,000 BlackBerrys, 41,000 of Apple’s mobile devices, and a mere 8,700 Android-based items in its arsenal. Those numbers, however, are relatively inconsequential, seeing as how the DoD plans to open its own mobile store and build its own system to handle as many as eight million devices.

There’s a lot of purchasing going on, and with Apple and Samsung as its competitors, BlackBerry’s sales team will have its work cut out for it.

In a separate but related announcement, Mark Krzysko, the DoD’s deputy director for acquisition resource analysis and enterprise information – who may very well be referred to as ARAAEI in military-minded acronym-speak – said that the Pentagon is taking “bold steps” in its adoption of cloudy infrastructure.

“The technology, architecture framework and data management constructs the cloud can bring to us create ‘app-like’ thinking that [enables us to] move faster and forward more data sources out,” Krzysko said, apparently using “forward” as a verb.

The challenges that the DoD faces are not unknown among the less-armed general public: not only figuring out how to get cloudy tech and data working together, but also accomplishing the move from desktop to mobile while ensuring security.

“It is pretty much a known … intractable problem, so it gives us the opportunity to experiment … [and] create an organization to manage data and delivery in support of the decision-makers,” Krzysko said.

The Reg knows of three major manufacturers who would love to help in the mobile-device part of Krzysko’s chore – but only one of them is an American company. It will be interesting to see whether the DoD’s relationship with our close neighbor Canada or its active security partnership with South Korea play a political role in the upcoming business tussle among Apple, BlackBerry, and Samsung. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/department_of_defense_approves_apple_discusses_cloud/

Trying to kill undead Pushdo zombies? Hard luck, Trojan is EVOLVING

The crooks behind the Pushdo botnet agent have developed variants of the malware that are more resistant to take-down attempts or hijacking by rival hackers.

Dell SecureWorks and Damballa warned (PDF) on Wednesday that the latest variant of Pushdo comes packed with a fallback mechanism for cases where zombie clients are unable to contact the main command-and-control server for whatever reason.


The malware starts by using a Domain Generation Algorithm (DGA) to come up with a list of 1,380 unique domains to poll on any particular day. Bot-herders can thus restore control of compromised hosts by leaving updated malware and instructions available for download at any of these domains.

However, after the first DGA involved was exposed, security researchers began to work hard at developing countermeasures that block communication to the generated .COM domains. But it seems the nimble cybercrooks behind Pushdo were alive to that possibility and have already adapted, according to Aviv Raff, CTO of Seculert.

“The group behind Pushdo probably figured out that they are being investigated by the security vendors, because it didn’t take them too long to adapt to this new reality and change their Domain Generation Algorithm,” Raff explains in a blog post.

“This new DGA now generates .KZ domains instead of .COM domains. Not only that but there are now at least two new variants of Pushdo that are being pushed to victims from several different hijacked websites.”

This latest development is likely to kick off a further round of cat-and-mouse games between Pushdo’s cybercrooks and security researchers.
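One defender-side check that follows from the fallback mechanism described above, written as an added example (not code from the article or from the Dell SecureWorks/Damballa report): it scans DNS resolver log lines for hosts that generate many unique, high-entropy NXDOMAIN lookups, the footprint a bot leaves when it polls a day's worth of generated domains, and reports the dominant TLD so a shift from .COM to .KZ is visible. The log format, the thresholds and the IP addresses are assumptions; the sample log is constructed.

```python
"""Flag hosts whose failed DNS lookups look like DGA polling (added example)."""
import math
import random
import string
from collections import Counter, defaultdict

# Thresholds are assumptions for this example, not values from the report.
MIN_UNIQUE_NXDOMAIN = 50   # a bot polling up to 1,380 DGA domains a day far exceeds this
MIN_MEAN_ENTROPY = 2.5     # bits per character of the second-level label


def shannon_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of a string; generated labels score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str):
    """Reduce 'a.b.example.kz.' to ('example', 'kz'); None if malformed."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2 or not all(parts):
        return None
    return parts[-2], parts[-1]


def parse_line(line: str):
    """Parse an assumed '<ts> <client_ip> <qname> <rcode>' line; None if bad."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, client, qname, rcode = fields
    return {"ts": ts, "client": client, "qname": qname, "rcode": rcode.upper()}


def find_dga_polling(lines):
    """Return {client_ip: stats} for clients whose NXDOMAIN pattern looks DGA-like."""
    nx_domains = defaultdict(set)          # client -> {(sld, tld), ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        dom = registered_domain(rec["qname"])
        if dom:
            nx_domains[rec["client"]].add(dom)

    alerts = {}
    for client, domains in nx_domains.items():
        if len(domains) < MIN_UNIQUE_NXDOMAIN:
            continue                        # a few typos are normal, hundreds are not
        mean_ent = sum(shannon_entropy(sld) for sld, _ in domains) / len(domains)
        if mean_ent < MIN_MEAN_ENTROPY:
            continue                        # many failures but human-looking names
        tld_counts = Counter(tld for _, tld in domains)
        alerts[client] = {
            "unique_nxdomain": len(domains),
            "mean_entropy": round(mean_ent, 2),
            "top_tld": tld_counts.most_common(1)[0][0],   # e.g. 'com' before, 'kz' after
        }
    return alerts


def constructed_log(seed: int = 7):
    """Constructed sample log: one ordinary host and one host polling many
    random-looking .kz names that do not resolve. Not real traffic."""
    rng = random.Random(seed)
    lines = []
    ordinary = [
        ("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
        ("wwww.exmaple.com", "NXDOMAIN"), ("update.example.org", "NOERROR"),
    ]
    for i, (name, rcode) in enumerate(ordinary * 5):
        lines.append(f"2013-05-17T10:{i:02d}:00 10.0.0.5 {name} {rcode}")
    for i in range(300):
        label = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(12, 20)))
        lines.append(f"2013-05-17T11:{i // 60:02d}:{i % 60:02d} 10.0.0.9 {label}.kz NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, stats in find_dga_polling(constructed_log()).items():
        print(client, stats)
```

Run over a real resolver export, the same function will also surface legitimate noisy hosts (misconfigured search suffixes, some CDN probing), so treat a hit as a lead for triage rather than a verdict.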

Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures.

The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation.

As well as applying new secondary recovery techniques, the unknown crooks behind Pushdo have begun masking command and controller traffic using a fake JPEG image file, said the researchers. They have also made greater use of encryption.

A blog post by Damballa giving more background on Pushdo and how the latest variants were uncovered can be found here. David Dagon of the Georgia Institute of Technology worked together with three researchers from Damballa and one from Dell SecureWorks Counter Threat Unit in researching the latest form of the malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/pushdo_extra_stealth/

Who is the mystery sixth member of LulzSec?

Analysis Thursday’s sentencing of three core members of hacktivist crew LulzSec and an accomplice hacker who gave them access to a botnet closes an important chapter in the history of activism. But it also leaves a number of important questions unanswered.

One of the most interesting of these puzzlers is the identity of the mysterious sixth member of the group.


LulzSec was a constant feature of the information security headlines in May-June 2011 during its “50 days of Lulz” when it attacked Fox, PBS, Sony, Nintendo, Sega, FBI-affiliated security outfits such as Infragard and HB Gary Federal, the US Senate, the Arizona State Police, the CIA and the UK’s Serious Organised Crime Agency.

Most of its targets were entertainment firms opposing file-sharing, information security outfits, or law enforcement agencies. Tactics ran from basic website-flooding attacks to defacement and site redirection. In several cases the group published stolen data from compromised websites.

The motive of the group was described by prosecutors during a London sentencing hearing this week as “anarchic self-amusement” rather than anything profit-motivated. In truth filthy lucre does play a part in the story of LulzSec, even though the overriding driver appeared in several cases to be the chance for the accused to play rock-star black-hat hackers on a global stage, sticking two fingers up to The Man.

Consequences

LulzSec had six core members: the first four were Topiary, aka Jake Davis (@aTopiary), UK; T-Flow, aka Mustafa Al-Bassam (@let_it_tflow), UK; Kayla, aka Ryan Ackroyd (@lolspoon), UK; and Sabu, aka Hector Monsegur (@anonymouSabu), US.

The final two, at least according to the US Attorney’s Office and the FBI indictment, were Pwnsauce, named as Darren Martyn (@_pwnsauce), Ireland; and finally the mysterious AVunit (@AvunitAnon), whose identity is unknown.

The first three of these suspects were sentenced in London’s Southwark Crown Court on Thursday. Jake Davis, 19, of Lerwick, Shetland received a 24-month sentence in a young offenders’ institute, of which he’ll serve half.

Ryan Ackroyd, 26, of Mexborough, Doncaster, received a 30-month sentence. Providing he behaves himself, he’ll serve only 15 months. Mustafa Al-Bassam, 18, from Peckham, south London, got a 20-month sentence, suspended for two years, as well as 300 hours of community work. Al-Bassam avoided jail because he was underage and still at school at the time of his offences.

Ryan Cleary (AKA Viral), 21, of Wickford, Essex, was found to have supplied a botnet of around 100,000 compromised computers that acted as a platform for LulzSec to blitz targeted websites. He was not a core member of the group but was prosecuted in the same case and ultimately received the most severe punishment of all the accused: a 32-month prison sentence.

Extradition ‘not anticipated’

The quartet were investigated in a joint operation by the Metropolitan Police’s Central e-Crime Unit and the FBI. In a statement welcoming the sentencing, Scotland Yard explained that each member of the group had a clearly defined role.

Ackroyd was responsible for researching and executing many of their hacks, Cleary assisted by allowing the use of his botnet – a system of malware-infected computers he controlled – to coordinate DDoS attacks. Al-Bassam assisted in discovering and exploiting online vulnerabilities, and also created and controlled LulzSec’s website. Davis was their spokesperson, managing their Twitter account and press releases.

Karen Todner, Cleary’s solicitor (and the law firm that represented McKinnon), issued a statement on Thursday saying they “do not anticipate” that he will become the subject of a US extradition request. Davis has also been indicted in the US, but early reports suggest it’s unlikely that US authorities will seek his extradition.

The alleged ringleader of LulzSec, US-based Hector Xavier Monsegur – known online as “Sabu” – agreed to act as an informant following his arrest in June 2011, according to the FBI. The Feds said that Monsegur had helped them to identify other members of the group and other hackers.

Monsegur frequently acted as the group’s ideologue as well as directing attack campaigns. He was the midfield play-maker in a group that was at least nominally leaderless. He has already pleaded guilty to 12 counts of hacking, bank fraud, and identity theft and will be sentenced in August.

Darren Martyn (Pwnsauce), 26, of Galway, Ireland, was indicted in March 2012 for conspiring with other LulzSec members to attack Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. He also allegedly hacked into the website of Fine Gael, a political party in Ireland. He’s yet to be tried.

That all means that while four of the six core members of LulzSec have been caught, and police have indicted a fifth man whom they suspect of being number five, the identity of Avunit remains a mystery, presumably even to Sabu or other members of the group who might have given him up in the hope of receiving a lesser sentence.

“We have no idea who Avunit is,” writes Mikko Hypponen, CRO at Finnish anti-virus firm F-Secure. “We have no identity. We don’t even know which continent he is from.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/lulzsec_analysis/

Breaking news, LITERALLY: Financial Times vandalised by hackers

The Financial Times website and its Twitter accounts were this afternoon hijacked by pro-government hackers from the “Syrian Electronic Army”.

The posh broadsheet’s Tech Blog – at http://blogs.FT.com/beyond-brics – was compromised to run stories headlined “Syrian Electronic Army Was Here” and “Hacked by the Syrian Electronic Army”.

Meanwhile, the Technology News (@FTtechnews), FT Media and FT Markets Twitter feeds were seized by miscreants, who posted web links to disturbing YouTube videos of jihadis executing men by firing squad.

The blog has been cleaned up, but the Twitter accounts remain compromised.

Breaking news, literally … the compromised Pink ’Un’s tweets

The takeover is the latest in a series of high-profile attacks against media organisations by hackers apparently in favour of Syrian president Bashar al-Assad. The so-called electronic army has knackered the online operations of The Guardian, Associated Press, the BBC and even satirical newspaper The Onion.

Techies at The Onion published an informative postmortem after the attack, revealing its email accounts were infiltrated following a multistage phishing expedition – a raid that gave the hackers control of the magazine’s social networking pages. The techniques used against the FT are unclear at the time of writing.

Computer security biz Arbor Networks said Twitter’s anticipated introduction of two-factor authentication ought to curtail, if not eliminate, this sort of account hijacking. Dan Holden, director of research at Arbor, commented: “Twitter recently announced plans to introduce two factor authentication, which is a big step forward from a security perspective. As this particular event shows, the human element is often the weakest link in any security solution.”

“Given similar attacks in recent weeks against the Guardian in the UK and The Onion in the US, these attacks seem to be very targeted. Organisations should put processes in place to ensure that their staff are trained on best practices and have the support and training needed to allow them to follow these practices easily during their normal working routine. Ideally network monitoring solutions should also be put in place to alert an organisation when a user system connects to a known bad actor on the internet as this may indicate a compromise, allowing remedial action to be taken before there is any business impact,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/ft_twitter_hijacked_by_sea/

US government wants security research on car-to-car nets

David Strickland, Administrator of the USA’s National Highway Traffic Safety Administration (NHTSA), has told that nation’s Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks.

Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google’s self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.”


He’s also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates “growing potential for remotely compromising vehicle security through software and the increased onboard communications services”.

NHTSA has asked for an extra $US2m to research the problem, with the aim “of developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda.

Strickland detailed other objectives as follows:

“For the V2V program, our research is evaluating a layered approach to cybersecurity. Such an approach, if deployed, would provide defense-in-depth, managing threats to ensure that the driver cannot lose control and that the overall system cannot be corrupted to send faulty data. In partnership with the auto companies and other stakeholders we have developed a conceptual framework for V2V security. We are also developing countermeasures to prevent these security credentials from being stolen or duplicated. Additionally, we are developing protocols to support a V2V security system that is designed to share data about nefarious behavior and take appropriate action.”

Just what that last sentence means is anyone’s guess. Here in Vulture South we imagine privacy groups might imagine liberty-challenging driver tracking, or at the very least cars letting it be known when someone’s tickling their digital innards in suspicious ways.

Strickland’s testimony (PDF) also signalled his agency has started work on a policy framework to allow self-driving cars. He offered the Committee an interesting hierarchy of vehicle automation that’s too long to re

  • Level 0—No Automation. At the initial Level 0, the driver is in complete control of the primary vehicle controls (steering, brake, and throttle) at all times, and is solely responsible for monitoring the roadway and for safe operation of all vehicle controls.
  • Level 1—Function Specific Automation. Level 1 automation involves one specific control function that is automated. The driver still maintains overall control, and is solely responsible for safe operation, but can choose to cede limited authority over a primary control.
  • Level 2—Combined Function Automation. Level 2 automation means that under some circumstances “the driver can disengage from physically operating the vehicle by taking hands off the steering wheel and feet off the pedals at the same time.”
  • Level 3—Limited Self-Driving Automation. Level 3 automation enables the driver to cede full control of all steering, brake, and throttle functions to the vehicle while remaining “available for occasional control, but with a comfortable transition time that will enable the driver to regain situational awareness.”
  • Level 4—Full Self-Driving Automation. The vehicle is designed to perform all safety-critical driving functions and monitor roadway conditions for an entire trip.

Strickland also said the agency is looking into how voice-activated in-car technology is designed, with an eye to possible future guidelines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/17/usa_car_network_security_research/