STE WILLIAMS

Dailymotion hit by malvertising attack as perpetrators ‘up their game’

Malicious adverts spreading malware managed to make their way onto popular French video streaming site Dailymotion. The infection involved a rogue ad and JavaScript that ultimately directs surfers to sites harbouring the Angler Exploit Kit (EK).

The practical upshot was that Windows users running out-of-date software, such as older versions of Adobe Flash, would be infected with either the Bedep trojan or ad fraud malware, or maybe both.

The attack was spotted by security software firm Malwarebytes, which reports that the bogus advertiser behind the attack took great pains to disguise its origin and purpose. It said:

This malvertising incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit.

The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim.

In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.

Malwarebytes contacted Atomx, the online media exchange platform used in the ad call, which confirmed an issue and traced it back to a malicious buyer (the rogue advertiser) on its network. The attack was rapidly detected and neutralised once the culprit was identified.

Nonetheless, the incident serves to illustrate the ongoing problems posed by the abuse of legitimate ad networks by cybercriminals. These attacks are becoming stealthier and harder to detect, Malwarebytes reports.

“Threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment,” explains Jérôme Segura, a senior security researcher at Malwarebytes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/dailymotion_malvertising_malwarebytes/

Day 2: UK research network Janet still being slapped by DDoS attack

Members of UK’s academic community from freshers to senior academics are facing more connection issues today as a persistent and continuous DDoS attack against the academic computer network Janet continues to stretch resources.

Janet first came under a Distributed Denial of Service (DDoS) attack yesterday, and the same attack has continued through to today forcing much of the academic community offline.

Initially, Jisc’s engineers and security teams identified the cause as a DDoS attack and worked to identify the source of the assault and implement blocks. However, after some suggestions of network stabilisation, further problems were seen.

Janet reported that it would cease providing updates on its Twitter page following the attack, as the information seemed to be providing the attackers with hints about how to adjust their attacks.

For those who find Janet’s DNS services sluggish to respond, it may be possible to work around the issue by switching to Google Europe’s DNS.

Boffins from various fields have somehow managed to take to Twitter to share their woes about the outage.

Vision and Office 365 are also being reported as offline.

The Register understands no ransom notice has been delivered to Jisc as of writing. DDoS-for-ransom attacks are almost always preceded by the ransom request, as an early payment saves the attackers money. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/

Is ATM security threatened by Windows XP support cutoff? Well, yes, but …

Many of the 65,000 ATMs in the UK will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month, according to security experts.

From January 2016, Microsoft will be issuing no further security patches or updates for flavours of Windows still used by the majority of ATMs in the UK (and in many other countries around the world).

Support has already been wound down but next year it will be discontinued unless banks upgrade or bridge the gap with expensive custom support contracts.

“The desktop version of Windows XP ceased to be supported by Microsoft in July 2014 and while the embedded version was given extended support until January 2016, most ATMs still rely on the old operating system,” said Kerry Davies, chief exec at Abatis, a security software firm that is promoting its technology as a means for banks to protect cash machines.

Abatis warns that the lack of security updates puts the ATM network at greater risk from hacker attacks and malware infection. This warning comes from a firm touting security technology for embedded systems, so there’s a clear self-interest at play, as experts have noted.

Nonetheless, it would be unwise to dismiss the issue of cash machine security on those grounds, not least because malware has already been used to infect ATMs and steal money through various scams.

Many of the cons have cropped up in hotspots such as Mexico and Russia and some have involved assistance from corrupt insiders. Few, if any, have relied on exploiting operating system vulnerabilities, although lack of anti-malware protection has arguably been a factor in some frauds.

Banking customers may still be able to pay for custom premier support from Microsoft, we’re told.

UK startup Abatis is marketing what it promotes as a cheaper alternative to defend ATMs, based on its Host Integrity Technology, as a means to defend against malware. The technology is designed to block unauthorised modifications or unwanted write operations or executables in real time, preventing either hacking or malware infection in the process.

Curtain call

El Reg asked Microsoft to comment on Abatis’s warning on Friday. By Monday lunchtime, the best its PR reps could offer was to point us towards a microsite offering general information to customers about Windows XP Embedded on its retirement plan.

This site explains that the curtain comes down on the Extended Support Cycle for Windows XP Embedded on 12 January 2016, 21 months after the desktop version of XP was retired.

Any machine still running Windows XP Embedded Service Pack 3 (SP3) from mid January onwards is therefore at greater risk because software updates and support have been withdrawn. The plug gets pulled on Windows Embedded for Point of Service SP3 slightly later on 12 April 2016.

Windows Embedded Standard 2009 – which is based on Windows XP, and originally released in 2008 – will be supported for three years until January 2019 but running that would require an operating system upgrade for cash machines running the older software.

Other security experts counsel against alarm while urging action to update ageing systems. “The end of support for Windows XP Embedded does not mean that the next day these machines will be hacked into or taken down,” said Ben Herzberg, security research manager at Imperva.

“For any bank that follows information security guidelines, ATMs are behind a layered protection architecture, where the OS is only one of the layers. But the ATMs are on a separate network, with strict firewall rules and several security controls stopping any attacker long before they get to those systems.”

Herzberg compared the situation faced by unpatched ATMs to that faced in industrial control systems environments, where running obsolete operating systems has been common practice for many years.

“A similar situation exists on many ICS (Industrial Control Systems) where old and unsupported operating systems are still being used in production environments, and are not replaced because the cost would be very high,” Herzberg explained.

Despite ATMs having additional layers of protection, even absent of operating system software updates, “having an outdated and unsupported operating system on a machine that is able to hand out cash to clients is still a considerable risk,” Herzberg concluded.

“Bottom line: Don’t panic, but try to update ATMs to a supported OS as soon as possible,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/xp_embedded_atm_security_cutoff_panic/

‘Paedo hunter’ who made £40,000 from blackmail jailed for 9 years

A 47-year-old who posed as a 13-year-old girl in order to extort more than £40,000 from paedophiles was sentenced to nine years in prison earlier this year.

Lee Philip Rees, of Marlborough Road in Roath, Cardiff, was found guilty at Cardiff Crown Court of 31 counts of computer hacking, distributing indecent photographs of children and blackmail. He was sent down in June.

Rees had been placed on probation for possessing indecent photographs of children back in 1989. He was arrested in 2011 after his wife, from whom he was separated, and her new partner passed his laptop – along with their suspicions that it contained indecent images – to the police.

The scam, as Rees admitted, involved pretending to be a teenage girl in chat rooms to bait paedophiles. A remote access tool was embedded in a video Rees shared with his victims. Through this, he planted obscene images on their machines and took screenshots of them before threatening to forward their personal details to local schools and the media. He also maintained a website where he published his victims’ details.

Although he was arrested in connection with the scam in 2014, Rees went on to blackmail a further victim while on bail, according to the South Wales Evening Post.

Police reportedly found conversations in which Rees had boasted of his extortion and encouraged others to “paedo hunt” – despite, according to Wales Online, a psychiatric assessment having concluded that Rees himself was a paedophile.

Rees described the extortion money as a “fine” but shunned the cybercrim currency of choice by opting for Amazon vouchers instead of Bitcoin. He would demand payments of between £25 and £100. Additionally, he described himself as being very close to a family in Thailand, to whom he would send roughly £500 a month.

Sentencing Rees, Judge Eleri Rees – who is not related to the convict – said: “Having read all of the evidence and, in particular, the chat logs, I have reached the conclusion that you derived much enjoyment and satisfaction in controlling and manipulating these individuals, preying on their fears and extracting for yourself significant financial gain.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/blackmail_paedo_hunter_jailed/

How CISOs Can Reframe The Conversation Around Security: 4 Steps

Security professionals often complain that people are the weak link in the data security system. But in reality, they could be your biggest asset and ally.

When I joined Baylor University in 1995, the job I have now did not exist. In 2003, I took on the role as coordinator of IT security at the university, but it wasn’t until a few years later that the Chief Information Security Officer (CISO) role formalized into what it is today – a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged information security team, which has increasingly become a necessity in protecting against data breaches. Cyberattacks are more persistent and sophisticated, and as a result, CISOs are rethinking the most fundamental aspects of IT strategy and infrastructure. This new security paradigm is no longer just about using technology to protect against the next data breach; it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers; data now lives on the edge of the network on user devices, where it is more vulnerable to threats. With this shift come new CISO challenges. To be effective, IT and security teams need visibility into where information is stored, what type of information is on devices, and the ability to apply appropriate data controls. In today’s BYOD world, what matters is how and where employees are taking the data. And it is not about implementing more and more security protocol, it is about educating employees on the responsible choices they can make to avoid data loss and mitigate risk. We’re all in this together.

With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together. As technology changes, it is vital to get the entire organization on board. Here are four steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security policy; they do not want to be inconvenienced unless they see a true benefit. To ensure the value of security resonates within the workforce, make it personal by informing people how a data breach would impact them personally. For example, students at Baylor might be more concerned about data protection and security policies if they knew the schoolwork on their laptops — including book-length theses — was protected from theft, hard drive crashes or attacks on the network.

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data, and be wary of potential scams or breaches but simply telling them what to do doesn’t teach anything about the benefits or risks. When people understand the “why behind the what” and the value of a security strategy, they’ll be more invested in it. Sharing examples of how security threats have impacted organizations is a great way to demonstrate the potential consequences of their behavior. If someone opens a phishing email with a hyperlink infected with malware, that attack could threaten an organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in. It is not enough to deploy the latest and greatest advanced threat detection and anti-malware software. You must also introduce basic steps that will hedge against human error. Data loss through malware, hardware failure or accident is one of the most common and preventable threats. By continuously backing up your organization’s data, data availability can be integrated into your organization’s infrastructure and processes. Another example of baking security into the organization is Baylor’s approach to software acquisition. Faculty and staff must submit forms for software approval through the information security team. This allows risk analysis to take place before software is purchased for the campus environment. Failure to follow the process results in delays or cancellation by the purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within their organizations to help them understand their respective roles and responsibilities within security. As part of this give and take, the CISO needs to quantify the risk and explain how it applies to their respective domain. As with general employees, department managers will take more ownership when they understand how security maps to compliance requirements.

CISOs should also show employees how security extends beyond endpoints, networks and datacenters. Any technology that is connected via an IP address today can expose an entire network. At Baylor we recently built a new stadium with the audio system, elevators and fire alarms all connected and dependent on the network. With all of those connected devices, significant planning helped to ensure that proper security measures were in place to protect the school.

The conversation around information security has been reframed. It is no longer strictly about the technical aspects; now, it is about engagement and relationship building. CISOs must learn a new set of skills to incorporate everyone in the security strategy – not just their security team. Security professionals often complain that people are the weak link in the data security system, but, in reality, they could be your biggest asset and ally.  

Jon Allen is the assistant vice president and Chief Information Security Officer at Baylor University where he has built the information security group from a one-person shop to an integrated organization. Jon has more than ten years of experience in information and network …

Article source: http://www.darkreading.com/vulnerabilities---threats/how-cisos-can-reframe-the-conversation-around-security-4-steps-/a/d-id/1323464?_mc=RSS_DR_EDT

Iranian Groups Conducting Sophisticated Surveillance On Middle Eastern Targets

Two groups have been using backdoor threats to spy on targeted individuals, Symantec says.

Two groups, most likely based out of Iran, have been conducting a sophisticated cyber surveillance campaign targeting individuals and entities inside Iran and abroad since July 2014, and possibly as early as 2011, according to Symantec.

Symantec, which issued an alert on the campaigns this week, stated the groups were exploiting custom-made backdoors to steal information from the devices of specific targets.

Symantec has named the groups Cadelle and Chafer. According to the company, the two groups — which appear to have five to 10 members apiece — are likely connected to each other or may be working for the same entity. Their victims may be of interest to a nation-state actor, Symantec said.

Cadelle has been observed using a Trojan dubbed Cadelspy, while the Chafer group has been using Trojans dubbed Remexi and Remexi.B.

Most of the targets of these two campaigns are individuals located inside Iran, Symantec researchers state, based upon the fact that the targets are customers of Iranian service providers and cloud hosting providers. Many of the victims are individuals using anonymous proxy services to access the Internet. Often, the people who use such services are dissidents, researchers, and activists trying to access sites that are blocked by the Iranian government, Symantec said.

The two groups have also targeted airline companies and telecommunications companies in the Middle East and nearby countries, presumably in a bid to monitor the communications and movements of the targeted individuals. Most of the targeted organizations have been based in countries like Saudi Arabia and Afghanistan, but at least one victim organization is located in the U.S.

It’s unclear what infection vector the Cadelle group uses, Symantec said, but Chafer has been using SQL injection attacks on web servers to compromise the computers of its victims and drop the Remexi Trojan on their systems to steal usernames, passwords, and other data.

One reason why the two groups appear to be connected is that their respective malicious tools of choice show up in the same places. “A number of computers experienced both Cadelspy and Remexi infections within a small time window,” said Symantec. “In one instance, a computer was compromised with Backdoor.Cadelspy just minutes after being infected with Backdoor.Remexi.”

The kinds of systems the two groups have infected include file and database servers and systems belonging to web developers. One of the targeted systems ran a SIM card editing application.

Both groups appear to be in the same geography and have the same working hours. So far though, there has been no sharing of command-and-control infrastructure between them.

This is not the first time that security vendors have observed sophisticated surveillance campaigns being conducted by Iranian groups against Iranian individuals and organizations both inside and outside the country.

Last December, security vendor Cylance warned about an Iranian hacker group dubbed Operation Cleaver that it believed had infiltrated computers at some 50 critical infrastructure organizations in 16 countries.

According to Cylance, the group’s victims included entities in the energy sector, oil and natural gas industry, transportation sector, technology firms, and telecommunications companies. About 10 of Operation Cleaver’s victims were based in the U.S.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/-iranian-groups-conducting-sophisticated-surveillance-on-middle-eastern-targets/d/d-id/1323468?_mc=RSS_DR_EDT

The Internet of Things includes safety equipment vulnerable to a remote ‘attacker with low skill’

Users of Honeywell’s Midas and Midas Black gas detectors are being urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities.

These extremely serious vulnerabilities, found by researcher Maxim Rupp and reported by ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) in advisory ICSA-15-309-02, are simple enough to be exploited by an “attacker with low skill”:

Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.

…These vulnerabilities could be exploited remotely.

…An attacker with low skill would be able to exploit these vulnerabilities.

The affected devices are the Midas product with all firmware versions up to and including version 1.13b1 and the Midas Black product with all firmware versions up to and including version 2.13b1.

Patches are available to download from Honeywell’s website under the banner of Honeywell’s Security Notification SN 2015-10-14 01.

Midas and Midas Black gas detectors are used worldwide in numerous industrial sectors including chemical, manufacturing, energy, food, agriculture and water to:

…detect many key toxic, ambient and flammable gases in a plant. The device monitors points up to 100 feet (30 meters) away while using patented technology to regulate flow rates and ensure error-free gas detection.

The vulnerabilities could allow the devices’ authentication to be bypassed completely by path traversal (CVE-2015-7907) or to be compromised by attackers grabbing an administrator’s password as it’s transmitted in clear text (CVE-2015-7908).

In other words, the devices affected might be sophisticated and highly specialised but their bugs aren’t. These are basic, workaday flaws that are well understood, easy to avoid and easy to test for.
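The defensive rule behind the path traversal class named above is simple to state and, as the article says, easy to test for: decide whether a request needs authentication on the canonical path, never on the raw request string. The following Python is an added illustration, not code from the advisory, from Honeywell or from the article; the document root, the public prefix and every request path in it are constructed placeholders, and the handler shape is a generic embedded web UI rather than any real device.

```python
"""Added example, not code from the advisory, Honeywell, or the article.

Shows the defensive rule behind the path-traversal authentication-bypass
class named in ICSA-15-309-02: decide whether a request needs
authentication on the *canonical* path, never on the raw request string.
WEB_ROOT, PUBLIC_PREFIXES and all request paths below are constructed."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/device"          # constructed document root
PUBLIC_PREFIXES = ("/public/",)       # constructed: paths served without login


def canonicalise_url_path(raw_path: str, max_decode: int = 3) -> Optional[str]:
    """Return a canonical absolute URL path, or None if the request is
    malformed or still contains a traversal segment after decoding.

    Percent-decoding is repeated (bounded) so that %2e%2e and double-encoded
    %252e%252e cannot smuggle '..' past a single decode; a NUL byte or a path
    that is still changing after max_decode rounds is rejected outright.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path or "\x00" in path:
        return None
    path = path.replace("\\", "/")        # treat backslash as a separator too
    if any(seg == ".." for seg in path.split("/")):
        return None
    return posixpath.normpath("/" + path.lstrip("/"))


def authorise(raw_path: str, authenticated: bool) -> Tuple[int, Optional[str]]:
    """Hardened handler: canonicalise first, then apply the public/private
    rule, then map to disk. Returns (HTTP status, on-disk path or None)."""
    canon = canonicalise_url_path(raw_path)
    if canon is None:
        return 400, None
    if not canon.startswith(PUBLIC_PREFIXES) and not authenticated:
        return 401, None
    disk = posixpath.normpath(posixpath.join(WEB_ROOT, canon.lstrip("/")))
    # Belt and braces: the served file must sit beneath the document root.
    if disk != WEB_ROOT and not disk.startswith(WEB_ROOT + "/"):
        return 400, None
    return 200, disk


def authorise_naive(raw_path: str, authenticated: bool) -> Tuple[int, Optional[str]]:
    """The weak pattern to avoid: the public/private decision is made on the
    raw string and the path is only normalised afterwards, so a request
    beginning '/public/../' is treated as public yet served from elsewhere."""
    if not raw_path.startswith(PUBLIC_PREFIXES) and not authenticated:
        return 401, None
    disk = posixpath.normpath(posixpath.join(WEB_ROOT, unquote(raw_path).lstrip("/")))
    return 200, disk


if __name__ == "__main__":
    # Constructed requests: one legitimate public file, one private file,
    # and three encodings of the same traversal attempt.
    for req in ("/public/logo.png", "/admin/config", "/public/../admin/config",
                "/public/%2e%2e/admin/config", "/public/%252e%252e/admin/config"):
        print(f"{req:36} naive={authorise_naive(req, False)[0]} "
              f"hardened={authorise(req, False)[0]}")
```

Run stand-alone, the table shows the naive handler answering 200 for the unauthenticated traversal requests while the hardened one answers 400; the private file is refused with 401 by both only when the raw string happens not to start with the public prefix. The useful property of the hardened version is that the authentication decision and the file lookup are made on the same, fully decoded value, so there is no second interpretation of the path for an attacker to disagree with.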

It’s shocking that such basic flaws should be present in software with such an important job to do but they wouldn’t be nearly so serious if they weren’t remotely exploitable.

Because these devices can be connected to the internet, the people they protect are at risk from anyone who can find a connected device (and if you’re wondering if that’s difficult, remember that the Internet of Things has its own search engine).

But perhaps we shouldn’t be surprised because in many ways that’s the story of the Internet of Things so far – a collection of interconnected devices from the future exhibiting vulnerabilities from the past.

The rush to attach kettles, TVs and baby monitors to the internet in the hope that it might be useful flies in the face of that bastion of security common sense, the principle of least privilege, and it seems to me that it isn’t going all that well so far.

The advisory offers the following pointers for minimising the risk of these flaws being exploited, although I suggest we’d all do well to follow them no matter if we’re running industrial control systems or overly-clever thermostats:

  • Minimise devices’ network exposure and physical access
  • Isolate devices from the internet and business networks
  • Put devices behind a firewall and connect over a VPN if you need remote access

Or, put another way, treat the Things in the Internet of Things like computers, because they are.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Mw0YpNFP800/

Brits leave 138,000 gadgets in the pub

Drunk Brits lose 138,000 devices a year in bars but get most of them back, according to a pub poll by security firm Eset.

The mobile security vendor pinged 600 establishments across the country and extrapolated the results to come up with the 138,000 approximation.

Mobile devices were often dropped in watering holes across the nation, with most lacking security controls to prevent finders snooping through photos and messages.

Hacker mouthpiece Mark James says 60 percent of those claiming to have found a lost phone have poked through it, though some may have done so purely to dig up a contact number.

“As we head into the festive season, offices will be preparing for Christmas parties, which will inevitably involve alcohol consumption and people dropping their guard more than usual,” James says in a statement.

“While the majority of the devices in our study do get returned to their owners, there is still a high chance that those with no security protection are accessed by intruders.

“As our laptops and mobile phones begin to carry more and more sensitive information and are linked to bank and work accounts, there is a greater need to protect them because the risks are much higher should the devices ever fall into the wrong hands.”

The survey also recorded a lost [human] ash-filled urn, an inflatable sheep, and an equine portrait.

Freedom of information figures covering the 12 months to February last year found that some 180,000 devices were reported lost or stolen to UK police, a figure that would be much higher if it included unreported losses.

Research revealed last year by Imation dubiously claimed 93 percent of senior executives had lost a device or had one stolen over the previous 12 months. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/brits_lose_138000_devices_a_year_eset/

IBM hands QRadar APIs for developers and resellers to set up shop

As part of an ongoing shift to more-open security systems, IBM will be making the APIs for its QRadar security platform available in a bid to out-innovate the online criminals.

“We’re up against more and more organized threats,” Kevin Skapinetz, director of IBM Security, told The Register.

“The industry has a massive talent shortage and we’re looking at under-resourced security teams trying to fight a collaborative group of attackers. To combat that you want a more open and collaborative approach to security.”

Along with the release of the APIs and software development kits that allow integration with QRadar, IBM is setting up a security marketplace for any developer to add security apps that are compatible with the platform. IBM has already taken delivery of the first apps from security firms like Resilient and Exabeam, and added its own in as well.

The move follows Big Blue’s decision to open up its 700TB threat database for third parties to access and add to. The company said it’s making an ongoing commitment to opening its security systems in an effort to get others to do the same.

As with access to the database, any apps submitted to the QRadar site will have to be carefully checked by IBM, but are the property of the creator. The firm also wants resellers with ideas to try out the system and see what can be added and licensed directly to buyers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/ibm_qradar_apis_to_developers_and_resellers/

Six years in the slammer for SilkRoad-skimming secret agent

Shaun Bridges, the light-fingered Secret Service agent who pleaded guilty to scamming SilkRoad while he was investigating the online drugs-and-vulnerabilities marketplace, has copped a six-year sentence for his trouble.

US district court judge Richard Seeborg called Bridges’ actions, which netted him around US$820,000, a “breathtaking abuse of trust” while handing down the sentence in a San Francisco court.

As Bloomberg reports, the judge said Bridges hijacked a SilkRoad admin’s account for the theft.

Since the now-jailed SilkRoad kingpin Ross Ulbricht assumed the admin, Curtis Green, was responsible for the theft, Bridges’ actions put Green’s life in danger. The judge said the crime therefore deserved a sentence near the top of the scale, calling it “an extraordinary breach of public trust that could have gotten a person killed.”

After his arrest, Green provided his admin logins to investigators. As The Register reported in May, Bridges used that access to move the money – around 20,000 Bitcoins – from SilkRoad sellers to his own wallet, which he then converted to cash at the now-defunct MtGox exchange.

Bridges entered his guilty plea in September. Another scamming investigator, former DEA agent Carl Force, had already taken a plea deal in July and was sentenced to six and a half years in prison in October 2015. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/six_years_for_silkroad_skimming_secret_agent/