STE WILLIAMS

Darkode 3.0 is so lame it’s not worth your time reading this story

The FBI-scuppered Darkode crime forum appears truly dead after a promised resurgent site failed to surface and a recent spin-off has proven horribly insecure.

Darkode was the white-hat-infested crime den for English-speaking carders and VXers who bought and sold software and services that plundered the pockets of corporations and internet users.

The service was annihilated in one of the most successful anti-crime efforts to date after the FBI, Europol and other national police agencies arrested dozens of hackers, coders, and other net scum, including some Darkode admins.

Forum boss “Sp3cial1st” slipped the sting and claimed to be building a new and more secure version of the site. That sequel now appears to have vanished after initially opening with nothing more than an “under construction” placeholder page.

Damballa’s senior threat researcher Loucif Kharouni says the new site is poorly configured, running Jetty and the Openfire Jabber server, and lets the entire site be searched without even logging in.

“The criminal community has low trust in the new Darkode forum,” Kharouni says.

“The lack of security and misconfiguration shows that Darkode can’t be trusted and will never regain its former glory.

“Another Darkode fail.”

Kharouni says it was “just not worth anyone’s time” to provide the link, given the site’s pathetic state of security.

El Reg has spotted the site (on a Tor hidden service) and found it had since added a login requirement, likely in response to Kharouni’s disclosure.

Former admin and Darkode co-founder Daniel Placek, previously known as Nocen, Loki, or Juggernaut, spoke publicly for the first time last month on NPR’s Radiolab program.

Placek says he named the forum after a discussion with members of the BotTalk chat room in which he proposed creating a site free of script kiddies and home only to competent hackers.

He left the site in 2009 and was arrested. Placek says he has cooperated with police and become a professional consultant since then. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/darkode_30_is_so_lame_its_not_worth_your_time_reading_this_story/

Brocade admins: Check your privilege

Brocade is reminding users of some of its storage area networking (SAN) kit to shoot down default diagnostic accounts.

A note on Full Disclosure posted by Karn Ganeshen pointed out a swag of worrying things, such as the fact that diagnostic accounts built into Brocade kit come with default passwords set, and offer both telnet and SSH access.

The issue applies to Brocade Fabric OS v6.3.1b.

However, Brocade told The Register the issue’s not regarded as a critical vulnerability, because the diagnostic accounts can be blocked or have strong passwords set.

“As part of basic Storage Area Networking (SAN) switch configuration, Brocade has documented procedures for customers to set up strong passwords for diagnostic accounts,” John Chesson, Brocade’s director of corporate security incident response advised us.

“The regular switch management and administration framework makes use of pre-defined Fabric OS (FOS) commands and does not require access to diagnostic accounts or files. In addition, customers can disable the diagnostics accounts.

“We will continue to investigate and improve the security mechanisms including behaviours of default diagnostic accounts,” he concluded.

There are other details in the Full Disclosure post that attentive sysadmins will want to tick off, such as world-writable Unix files, users with excessive permissions, and scripts that run as root. ®
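Three of those items translate directly into host checks. As an added example, not code from the Full Disclosure post or from Brocade, here is a small POSIX shell audit for a Unix host that reports world-writable files, root cron jobs whose script anyone can edit, and extra UID 0 accounts; the system-crontab layout (a user column before the command) and all paths are assumptions.

```shell
#!/bin/sh
# Constructed audit helpers for the checklist above. Not Brocade's or the
# Full Disclosure poster's code; crontab layout and paths are assumptions.

# Print regular files and directories under $1 that are writable by "other",
# skipping sticky directories such as /tmp, which are world-writable by design.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Print the script path of every root job in a system crontab ($1) whose
# script file is world-writable. $2 is an optional root prefix so the check
# can run against a mounted image or a test tree instead of the live host.
root_cron_writable_scripts() {
    crontab="$1"
    prefix="${2:-}"
    grep -v '^[[:space:]]*#' "$crontab" |
        awk 'NF >= 7 && $6 == "root" { print $7 }' |
        while read -r script; do
            # -prune makes find test the named path itself without descending
            if [ -n "$(find "$prefix$script" -prune -perm -0002 -print 2>/dev/null)" ]; then
                echo "$script"
            fi
        done
}

# Print every account in a passwd-format file ($1), other than root itself,
# that has UID 0: an extra superuser login is an excessive-permission finding.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}
```

Point the functions at / , /etc/crontab and /etc/passwd on the host under review, or at a mounted firmware image with the prefix argument.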


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/brocade_admins_check_your_privilege/

Ponmocup is the ’15 million’ machine botnet you’ve never heard of

Botconf One of the world’s most successful, oldest, and largest botnets is an underestimated and largely-unknown threat that has over time infected 15 million machines and made millions plundering bank accounts.

A team of eight Fox-IT researchers found that the ‘Ponmocup’ botnet controlled 2.4 million infections at its peak in 2011 and now holds about half a million machines under its power.

Lead author Maarten van Dantzig presented the work at the BotConf conference this week in the paper Ponmocup: A giant hiding in the shadows [PDF].

In it he and researchers Danny Heppener, Frank Ruiz, Yonathan Klijnsma, Yun Zheng Hu, Erik de Jong, Krijn de Mik, and Lennart Haagsma describe how the malware, first described in 2006, has a strong focus on stealth and has made its likely Russian authors millions of dollars.

“Compared to other botnets, Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running [but it] is rarely noticed as the operators take care to keep it operating under the radar,” van Dantzig says.

“Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now.

“Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks.”

Image: Ponmocup infection rates

Van Dantzig says the attackers maintain comprehensive infrastructure that is quality tested and updated to improve robustness and stealth, and that they can quickly mitigate risks.

They are, he says, technically sophisticated, with deep knowledge of Windows and some 10 years of malware development experience.

So far the team has found some 25 unique plug-ins and a whopping 4000 variants that indicate continuous development.

The malware includes anti-analysis tricks such as heuristic checks for network and host-based analysis tools, debuggers and virtualised environments. It also drops clever fake payloads to throw off analysts, the research team says.

One of the payloads injects an obvious executable into running processes that serves as an annoying advertising injector commonly found in horrid software bundlers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/ponmocup_is_the_15_million_machine_botnet_youve_never_heard_of/

Iran – yup, Iran – to the rescue to tackle Internet of Things security woes

It’s no secret that people are getting increasingly jumpy about poor security within the Internet of Things.

No one likes it when a website is hit by a flood of junk traffic from thousands of compromised computers – but that’s nothing compared to what may happen when billions of IoT devices embedded all over our homes and in our supply chains get compromised.

Stand up, Iran, which this week told the Secretary-General of the International Telecommunication Union (ITU) Houlin Zhao that the UN agency needs to start work on designing “appropriate regulations” for the Internet of Things.

“Currently, the ICT is facing new and challenging issues,” noted the president of Iran’s telecoms regulator, Aliasghar Amidian, “such as the Internet of Things (IoT), 5G, and OTTs which require appropriate regulations.”

In and of itself, it’s actually not a bad idea for the ITU to design security protocols for IoT. It is clear that a universal, global standard would be extremely useful in such an important but massively diverse eco-system. And the ITU does have 150 years of experience in doing just that.

Whoah there

The problem is where to draw the line – especially when Iran suggests that 5G mobile networks and “over-the-top” (OTT) services such as VoIP should be in the same bucket.

The ITU and certain, largely authoritarian governments have been fighting a decade-long battle with Western governments and internet organizations over who should design protocols and standards for the internet.

Very broadly, one side feels very strongly that the fact that governmental organizations have not been in charge of the internet’s evolution thus far is a major reason why it has been as successful as it has been.

On the flip side, other governments and some organizations argue that the internet is becoming so meshed into our daily lives that the “running code” approach that has made the internet what it is today has limited usefulness when it comes to issues like security.

On the industry side, this September, a non-profit foundation, the IoTSF, was created by Intel, Vodafone, Siemens, and BT and more than 25 other companies that will be dedicated to improving IoT security.

It will hold a conference this month, December, and will draw up best practices and share knowledge. Which is great, but as standards developers know all too well, if you want a solid standard, you need somebody with a little more authority than an industry-funded non-profit. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/iran_to_the_rescue_over_iot_security_nightmare/

Popular 3G/4G data dongles are desperately vulnerable, say hackers

Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products.

The research published by Positive Technologies and carried out by the SCADA Strangelove team looked at modems from Huawei, Gemtek, Quanta and ZTE.

The tests tell some old, old stories: for example, code appearing in multiple devices suggests too many vendors base their firmware on silicon vendors’ reference designs without doing enough work themselves.

The researchers say all of the devices they tested – two from Gemtek, two from Quanta (one of which was a rebadged ZTE), and three from Huawei – are vulnerable to remote code execution, and all except the Huawei devices are vulnerable to malicious firmware.

For example, it was common for firmware to be encrypted using buggy home-grown RC4 implementations and signed with SHA1/RSA – neither of which is ideal.

Because so many of the vulnerabilities – whether via firmware or XSS/CSRF attacks – allow remote code execution, the paper states, it’s easy to track devices: an attacker can read out the Cell ID or the connected Wi-Fi base station.

Fail everywhere: why bother at all? Source: SCADA Strangelove’s slideshow

The vulnerabilities also enabled a range of traffic interception attacks:

  • Devices could have their DNS redirected to an attacker-controlled domain.
  • Attackers can plant their own certificates into the devices’ trusted root list.
  • Some devices allow command-line access (via AT commands) to SMSs.

Other possibilities the research explored included using devices as PC attack vectors, attacks on SIM cards via binary SMS messages, and even upstream attacks directed at carrier networks.

The researchers conclude that the Huawei kit they tested was the least-worst.

The SCADA Strangelove group has published a slideshow here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/3g4g_data_dongles_vulnerable/

Industrial control system gateway fix opens Heartbleed, Shellshock

Rapid7 security man Tod Beardsley says new firmware released to patch hardcoded SSH keys in Advantech EKI industrial control system gateways contains known brutal flaws, including Shellshock, Heartbleed, and buffer overflows.

A module for the Metasploit hacking box has been published to help attackers hose the zero day holes in systems reachable through the internet.

The EKI-122X series hardware last month was found to contain hardcoded SSH keys that mean remote attackers could eavesdrop on the devices.

Fixed software crushed that vulnerability but opened the hardware up to the very public and dangerous Shellshock vulnerability revealed in September last year to be affecting great swathes of the internet.

Heartbleed graced the internet in April that year, revealing a devastating hole in the OpenSSL library that allowed attackers to lift sensitive data from the memory of vulnerable systems, from banking platforms to VPNs. It remains a current threat to some 200,000 devices.

The gateways are also vulnerable to various lesser known holes including DHCP stack-based buffer overflows (CVE-2012-2152).

“All three issues require an update from the vendor in order to update the shipping software to versions patched against the named issues,” Beardsley says.

“End users of these devices are advised to ensure that these devices are not reachable by untrusted networks such as the internet.”

Advantech was first contacted about the flaws on 11 November. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/industrial_control_system_gateway_fix_opens_heartbleed_shellshock/

Brit hardware hacker turns Raspberry Pi Zeros into selfie slayers

Kiwicon Hipsters and selfie addicts beware: infosec man Steve Lord has crafted a tool designed to sever your line of addiction to Instagram by quietly blocking it over public Wi-Fi.

The British security bod built the Raspberry Pi Zero-powered “hipster slayer” out of nothing more than off-the-shelf components and “questionable life choices.” The gizmo will continually deny people’s attempts to connect to Instagram and other social media vanity sites.

It works by sniffing for DNS lookups on open wireless networks, and when it detects someone trying to access a hated website, special networking frames are sent to the person’s PC or handheld instructing it to immediately leave the network. The vast majority of devices comply with these orders.

It is exceptionally effective at selfie-drenched “music” festivals and coffee shops.

Lord (@stevelord) says the tool will feature in his presentation at the Kiwicon conference in Wellington, New Zealand, next week. The Wi-Fi-blocking gadget is among a bunch of gizmos he’s crafted and dubbed the Internet of Wrongs; they are designed “solely to antagonise people.”

“It powers up from a battery and looks for DNS records on open wireless networks that meet target keywords and deauths the client when it finds a match,” Lord said.

“In this case it’s Instagram, things like political Islam, men’s wedges, and rugby.”

(Vulture South did not query whether the inclusion of the latter is a response to his home nation’s World Cup crushing.)

It could be used for more serious attacks, of course, but the focus is crushing hipster vanity.

Lord does not expect any trouble from the authorities during his journey from the UK to Wellington, in light of the party-pooping Wassenaar Arrangement on the export of security tools, because his gadgets are the “pettiest, shittiest cyber weapons imaginable.”

Lord says his presentation is a crack at the cyber-war hype. He says humans are exceptionally poor at judging risk and are inclined to respond to the primal fear of things like terrorism rather than to evaluate threats with reasoned calculation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/british_hacker_turns_raspberry_pi_zeros_into_selfie_slayers/

Report: Hackers Arrested By Chinese Government Suspected Of OPM Breach

Washington Post: Arrests made in late September were Chinese officials’ way of easing tensions with U.S.

Hackers arrested by Chinese authorities in September are suspected of carrying out the massive data breach at the U.S. Office of Personnel Management (OPM), according to a report at the Washington Post today.

The identities of those arrested still have not been released. The Post had previously reported the arrests, but believed they were in association with attacks on U.S. corporations, not with the OPM breach that exposed personal information of 14 million current and former federal employees.

According to the report: “The arrests took place shortly before a state visit in late September by [Chinese] President Xi Jinping, and U.S. officials say they appear to have been carried out in an effort to lessen tensions with Washington.”

Shortly after the arrests, President Xi and President Obama agreed that neither China nor the U.S. would engage in cyber espionage against the other for economic gain.

This week, more official meetings on cybercrime are taking place in Washington between Chinese and American officials, including China’s Public Security Minister Guo Shengkun and U.S. Secretary of Homeland Security Jeh Johnson.

Read the full story at the Washington Post.


Article source: http://www.darkreading.com/attacks-breaches/report-hackers-arrested-by-chinese-government-suspected-of-opm-breach/d/d-id/1323387?_mc=RSS_DR_EDT

Apple pays out after Genius bar worker wipes honeymooner’s iPhone

Irreplaceable honeymoon photos!

15 years worth of contacts!

A favorite honeymoon video taken in the Seychelles, showing a giant tortoise biting him on the hand!

All this, gone in the blink of an eye when a bungling Apple store employee deleted the contents of a man’s iPhone, faster than you can say “You backed up your phone, right?”

Actually, it would have helped if the employee at Apple’s flagship store, on Regent Street in London, had in fact asked that question before trying to fix the phone of 68-year-old London pensioner Deric White.

Unfortunately, the Apple employee did not ask that question.

White had gone to the store in December 2014 to complain to Apple when he kept receiving text messages, twice daily, during his honeymoon, telling him to reset his password.

The employee wiped the phone without warning, White said.

People told him to let it go. “You can’t take on Apple,” they said.

But White had other ideas.

He took the tech giant to court, battling for nearly 12 months until at last, on Monday, he scored what he called a “monumental” victory for the “common man.”

That victory includes being awarded nearly £2,000 (about $2,800) for his loss: £1,200 as compensation and £773 in court costs, according to the Telegraph.

A judge in Central London County Court ruled that Apple had been “negligent.”

According to the Daily Mail, White had this to say during his hearing:

My life was saved on that phone. I lost my favorite video of a giant tortoise biting my hand on honeymoon in the Seychelles.

I was absolutely livid and my wife had been in tears.

We had beautiful pictures of the Seychelles and other pictures as well, of African rhinos.

All my contacts had gone and they had vandalized my phone. They knew they had done this and sent me on my way. This is where my anger is, they sent me on my way like an imbecile.

David and Goliath stories are nice, but that £2K isn’t going to get back any tortoise video.

Of course, there would have been no story at all if Mr. White had backed his information up, as many have noted.

Any day is good for that – not just World Backup Day! – particularly if you’re taking your phone, or any device, to the shop.

But the fact that an employee at Apple’s so-called Genius bar didn’t ask White if his data was backed up?

Well. Even geniuses make sub-genius mistakes, and I agree with the judge: it’s not fair to pin this one on an unsuspecting Apple store visitor like Mr. White.

May he and his wife use the award to make more beautiful memories on more lovely trips – memories that I’m sure nobody has to remind him to back up!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M6yshTM12UI/

Advent tip #2: Defend yourself from ransomware – back up your files!

Whether you’re taking your laptop on holiday, or sticking at home with your faithful desktop this festive season…

…we’d like to remind you of a chore we all know we’re supposed to do regularly, but that many of us put off, sometimes until it’s too late.

Backup!

Think of all the things that could go wrong with your hard disk and your data.

Lost, stolen, ruined by beach sand (less sympathy there!), dropped in Sydney Harbour on New Year’s Eve (same), covered in Christmas pudding sauce, misused by a well-meaning toddler, “reconfigured” by a teenaged IT “expert” trying to show off Linux to grandma, deleted by mistake, hardware failure, and so on.

Or, perhaps most odiously of all, held for extortion by ransomware.

Ransomware, as we’re sure you know, is the punch-in-the-face malware that scrambles your files, sends the only copy of the decryption key to the crooks, and then offers to sell the key back to you.

With a decent, recent backup you can recover from most of the situations listed above, including ransomware.

Remember: the crooks who create ransomware are banking on the fact that the local copies of your files are the only ones.

Three quick tips:

  • Keep at least one backup offline and offsite, e.g. on a removable disk in a safe deposit box or at a trusted friend’s house.
  • Use a backup program that encrypts your data securely so only you can restore it. BitLocker on Windows can automatically encrypt removable disks; on a Mac, Time Machine can create encrypted backups.
  • The only backup you’ll ever regret is the one you left for another day.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p4Ee8HwXWcM/