STE WILLIAMS

Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat

Ten auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government.

The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but says none is sufficient to undermine the jettisoned software.

The unknown and mysterious authors of TrueCrypt abandoned the platform in May last year, leaving behind what appears to many to be a sly warrant canary warning users that it is not secure.

Since then a separate team of researchers under the Open Crypto Audit Project in April found TrueCrypt to be “well-designed”.

In September Google’s James Forshaw found privilege escalation holes that the former audit missed; they have since been fixed in the VeraCrypt spin-off.

Now boffins working for Germany’s Federal Office for Security in Information Technology have shed more light on the software in the staid Security Analysis of TrueCrypt (PDF) paper, revealing new flaws in the process but giving the platform a security tick.

“Our general conclusion is that TrueCrypt is safer than previous examinations suggest,” wrote research lead and Technische Universität Darmstadt professor Eric Bodden.

“I would say that the TrueCrypt code base is probably alright for the most parts.

“The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives.”

Bodden says the code could do with some refactoring and better documentation, however.

The paper expands on Bodden’s thoughts but gives the same ‘mostly harmless’ verdict, as follows:

“Overall, the analysis did not identify any evidence that the guaranteed encryption characteristics are not fulfilled in the implementation of TrueCrypt. In particular, a comparison of the cryptographic functions with reference implementations or test vectors did not identify any deviations. The application of cryptography in TrueCrypt is not optimal. The AES implementation is not timing-resistant, key files are not used in a cryptographically secure way and the integrity of volume headers is not properly protected.”

They point out that TrueCrypt cannot protect against active attacks like keyloggers and other malware; defending against those requires things like Trusted Platform Modules or smartcards. ®

Sponsored:
OpenStack for enterprise: The tipping point cometh

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/truecrypt_anlaysis/

Criminal Ruskie BOFHs help hackers steal $790 million in three years

Kaspersky investigation unit boss Ruslan Stoyanov says a Russian cyber scum group of just 20 professional hackers has made a tidy US$790 million in three years by emptying the world’s bank accounts.

Stoyanov says some $509 million is thought to have been ripped from the wallets of individuals and businesses from the US, and across the European Union since 2012. The remainder was plundered within former Soviet Union states.

In the same period police have arrested more than 160 Russian cybercriminals, from small to large criminal gangs, who are accused of stealing cash using trojans.

Stoyanov says the figures are based on crime data and are therefore likely to be very conservative.

“This estimate is based both on the analysis of public information about the arrests of people suspected of committing financial cybercrime in the period between 2012 and 2015 and on Kaspersky Lab’s own data,” Stoyanov says.

“Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount.”

Stoyanov, formerly with the Kremlin’s cyber crime unit, says the Russian underground has recruited more than a thousand members since 2012.

Yet only 20 in the Russian cybercrime scene are thought to be top flight professional hackers who are regulars on underground forums.


Crime gang structure

Kaspersky Lab has a lot of data on those individuals and says it knows of five major cybercrime groups that are right now ripping cash from consumers. Here’s what the white-hat Russians have to say about the situation:

“We can calculate fairly precisely the number of people who make up the core structure of an active criminal group: the organisers, the money flow managers involved in withdrawing money from compromised accounts and the professional hackers.

Across the cybercriminal underground, there are only around 20 of these core professionals. They are regular visitors of underground forums, and Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information.”

The crime gangs have skill sets that mirror legit tech shops, including web designers, programmers, and BOFHs, along with “cryptors” who obfuscate malware in ways that help it to evade security software.

System admins perform “near-identical tasks to their counterparts in legitimate businesses,” Stoyanov says, building and maintaining IT infrastructure.

“Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks,” he says.

Employees can be paid as freelancers or permanent staff, and are recruited through forums or in brazen public advertisements that often target underprivileged techs in areas like war-torn Ukraine.

Stoyanov says small groups will buy crime kit like exploit kits and traffic services, while large criminal outfits with a dozen or more heads will do it themselves and target businesses, not just individuals.

“To a certain extent, the structure reflects that of an ordinary, average-sized company engaged in software development,” he says of the larger groups.

Kaspersky has investigated more than 300 online financial attacks since 2013. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/790_million_russian_financial_cybercrime/

Top Android app devs found exfiltrating mystery stealth packets

Four researchers have found two thirds of the most popular Android apps indulge in seemingly-useless covert chatter with remote servers.

Top developers including Gameloft, Unity3d, and grillgames are implicated to varying degrees.

The chatter has no use to users. About half of the traffic is related to analytics, such as that used by Twitter and Pandora, with the rest of unknown purpose.

They make the findings in the paper Covert Communication in Mobile Applications (PDF).

“Analytics services collect information about application performance, crash and usage data, as well as the exact actions the user performs within the app. While this information has a clear value to the developer, no apparent description specifying the nature and frequency of the data collection is presented to the user.

In fact, some applications start collecting analytics information even before they get activated. For example, Twitter, Walmart and Pandora start their data collection as soon as the phone is booted and continue, periodically, during the phone’s entire up time, even if the applications themselves were never used. In most cases, the user cannot opt-out from such data sharing without uninstalling the application.”

Five apps died when the covert chatter was killed off after the code in question was manipulated by the research team.

The team of Massachusetts Institute of Technology’s Julia Rubin, Michael I. Gordon, and Martin Rinard, and Global InfoTek’s Nguyen Nguyen, found the com.google component was used in three quarters of the covert chatter, initiating nearly 2000 calls, or about half of all those measured. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/mit_covert_apps/

Malvertising: How the ad model makes crime pay

Feature: The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall.

The increasing sophistication with which online advertisers profile users has allowed those exploiting ad networks to hit victims with extraordinary cost-effectiveness. The way that ad networks sell impressions targeted to browser types, identify whether anti-virus solutions are active, and display recipients’ earnings profile, alongside the low barrier to entry for new customers, allows criminals to reap high returns on their investments.

Delivering a presentation on the mechanics behind malvertising attacks, Malwarebytes’ senior security researcher Jérôme Segura noted how advertising networks’ mechanics were an important aspect of the return on investment for miscreants, allowing the attack vector to expand.


In particular, it is real-time bidding (RTB) – enabling advertisers to purchase and sell advertising inventory through a programmatic and automated auction process – that provides criminals with their economic platform. With RTB, customers need only pay for the auctions which they win. This has obvious efficiency benefits for the advertisers, whose business provides much of the finance behind online businesses; however, it also provides an opportune environment for threat actors to elbow their way in.

Malvertising campaigns can thus effectively target only those who will be vulnerable to the attack, which means that such attacks are “very cost-effective,” according to Malwarebytes’ CEO Marcin Kleczynski, to the degree that their “pay-per-impression rate is essentially pay-per-infection”.

According to Malwarebytes, one malvertising campaign that ran from January to February this year was able to expose 6,000 web browsers to malware for an investment of just $5. Responsibility for the damages caused through this expanding attack vector, which are expected to reach $1bn this year, remains difficult to attribute.

Talking to The Register, Jérôme Segura stated that: “As security researchers, we are more accustomed to hearing accounts being ‘suspended’ or ‘terminated’ for malicious behaviour, rather than ‘paused’ when we deal with hosting companies or registrars. But things are a little different in the ad industry.”

Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: “They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not ‘knowingly’ participate in the malvertising.”

“Advertisers bring in money and it would be going against business sense to terminate them at their first offence,” Segura noted, but acknowledged that there is no standard reaction from advertising networks when it comes to customers who have been implicated in malvertising. “Some networks will ‘inform’ their customer,” stated Segura, “others will issue more severe warnings, but at the end of the day it’s a business decision – especially when it comes to large customers bringing in a lot of revenue.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/liability_chain_malvertising_advertising/

Researchers say they’ve cracked the secret of the Sony Pictures hack

Damballa researchers Willis McDonald and Loucif Kharouni say the attackers who flayed Sony Pictures with disk-cleansing malware may have stayed hidden using newly-uncovered anti-forensics tools.

The pair found the updated weaponry in the latest version of the Destover malware, best known as the malware that in November last year erased data across workstations at Sony Pictures.

North Korea was blamed by the United States for the attack, a claim Pyongyang denies.

Now McDonald and Kharouni say Destover attackers, who may include the Sony hackers, are using tools to change file time stamps and erase logs.

“The Destover trojan is a wiper that deletes files off of an infected system, rendering it useless … for ideological and political reasons not for financial gain,” the pair of researchers say.

“Much was revealed in the weeks and months following these breaches, except for how attackers were able to stay undetected within the network long enough to expand their presence and exfiltrate Terabytes of sensitive information.”

The tools include the timestamp-stomping setMFT, which manipulates timestamps to throw off investigators unless files are checked against logs and dates.

The afset tool can wipe Windows logs based on time and identity, and alter PE build time and checksum. The utility is valuable to attackers because it would allow them to erase their tracks while they move laterally through corporate networks.

“A full forensic analysis of a system would reveal the presence of afset and missing log activity but it’s likely this activity would go undetected initially creating high-risk infection dwell time,” they say.
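Both behaviours described above leave traces that an investigator can look for, and the article itself names the check for the first: compare the timestamps a file carries against logs and dates recorded elsewhere. The following Python is an added example, not code from the Damballa write-up or from the tools it names, and every path, timestamp and log line in it is constructed for the illustration. It flags files whose filesystem modification time predates the creation event recorded in an independently collected audit trail (a file cannot have been modified before it existed), and it looks for holes in sequential event record numbers and unusually long silent stretches, which is what selective log wiping of the kind attributed to afset tends to leave behind.

```python
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%S"

# Constructed sample data; none of it comes from the Damballa report.
# Last-modified time of each file as the local filesystem reports it.
FILE_MTIMES = {
    r"C:\Windows\System32\drivers\etc\hosts": "2014-03-02T10:15:00",
    r"C:\Windows\Temp\svc.exe": "2009-07-14T01:20:00",   # backdated by a stomping tool
    r"C:\Users\alice\report.docx": "2014-11-18T09:05:00",
}

# Constructed append-only audit trail, e.g. forwarded to a log collector the
# attacker cannot reach, recording when each file was first written.
AUDIT_LOG = [
    r"2014-03-02T10:15:00 FILE_CREATE C:\Windows\System32\drivers\etc\hosts",
    r"2014-11-18T09:05:00 FILE_CREATE C:\Users\alice\report.docx",
    r"2014-11-20T14:31:07 FILE_CREATE C:\Windows\Temp\svc.exe",
]

# Constructed event records as (record number, timestamp). Record numbers are
# assigned sequentially, so a hole means records were removed rather than
# never written.
EVENT_RECORDS = [
    (5001, "2014-11-20T14:00:12"),
    (5002, "2014-11-20T14:02:40"),
    (5003, "2014-11-20T14:05:01"),
    (5008, "2014-11-20T17:12:55"),   # 5004..5007 missing, three-hour silence
    (5009, "2014-11-20T17:13:30"),
]


def parse_ts(text):
    """Parse an ISO 8601 timestamp (UTC, no zone suffix) into a datetime."""
    return datetime.strptime(text, ISO)


def find_stomped_files(file_mtimes, audit_log):
    """Return paths whose filesystem mtime predates the logged creation time.

    A file cannot have been modified before it was first created, so such a
    record means the timestamp was rewritten after the fact.
    """
    created = {}
    for line in audit_log:
        ts, action, path = line.split(" ", 2)
        if action == "FILE_CREATE":
            created[path] = parse_ts(ts)
    stomped = []
    for path, mtime in file_mtimes.items():
        if path in created and parse_ts(mtime) < created[path]:
            stomped.append(path)
    return stomped


def find_log_gaps(records, max_quiet=timedelta(hours=1)):
    """Return (last_seen, next_seen, missing_count, quiet_seconds) tuples.

    A tuple is emitted wherever record numbers are non-consecutive or the log
    is silent for longer than max_quiet; either is worth a closer look on a
    host that normally logs continuously.
    """
    gaps = []
    for (prev_id, prev_ts), (next_id, next_ts) in zip(records, records[1:]):
        missing = next_id - prev_id - 1
        quiet = parse_ts(next_ts) - parse_ts(prev_ts)
        if missing > 0 or quiet > max_quiet:
            gaps.append((prev_id, next_id, missing, int(quiet.total_seconds())))
    return gaps


if __name__ == "__main__":
    for path in find_stomped_files(FILE_MTIMES, AUDIT_LOG):
        print("timestamp predates logged creation:", path)
    for prev_id, next_id, missing, quiet in find_log_gaps(EVENT_RECORDS):
        print(f"records {prev_id}->{next_id}: {missing} missing, {quiet}s silent")
```

The comparison only works because the audit trail lives somewhere the attacker's tools cannot edit; the same check run against logs on the compromised host would be defeated by the very wiping it is looking for.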

Sony Pictures went into lockdown after the breach, in which terabytes of sensitive data were stolen, most of which ended up online. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/sony_malware_destover/

Y’know how airlines never explain delays? United’s bug bounty works the same way

United Airlines’ frequent flier points for bugs plan has come in for criticism from a researcher who says the airline didn’t respond to news of a critical bug report for five months, and then only after he threatened to go public.

Randy Westergren, whose assessment of Subway’s impressively-secure app graced our pages last July, says he found a bug that means “an attacker could completely manage any aspect of a flight reservation using United’s website.”

“This includes access to all of the flight’s departures, arrivals, the reservation payment receipt (payment method and last 4 of CC), personal information about passengers (phone numbers, emergency contacts), and the ability to change/cancel the flight.”

Mindful of United’s bug bounty program, he reported it and then waited for the airline to acknowledge the report, fix the bug and send points.

Westergren says the airline’s response was … nothing. For five months.

“I understood they were probably overwhelmed with the number of vulnerability submissions, I expected a delayed acknowledgment/response — I didn’t expect, however, for the issue to remain unpatched five months later,” he blogged on Sunday.

Even though the terms of United’s bug bounty program mean anyone who discloses a bug won’t be given any frequent flyer points, Westergren decided the bug was dangerous enough that he needed to up the ante. The researcher therefore told United, in a Tweet, that he’d go public on November 28th.

That Tweet was picked up by media, things escalated and United eventually told him it had stayed silent because Westergren wasn’t the first to report the problem.

Westergren’s not so sure: he thinks the media exposure pressured United into fixing the flaw.

Either way, he doesn’t think United’s doing a very good job of communicating with folks who submit to its bounty program, or of keeping its website secure. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/yknow_how_airlines_never_explain_delays_uniteds_bug_bounty_works_the_same_way/

New Wireshark, Nmap releases bring pre-Xmas cheer to infosec types

Security types impatient for gifts under the Christmas tree may find that major upgrades to the popular Nmap and Wireshark infosec tools sate their appetite for new toys.

Apple fans will have access to a much-improved Wireshark as version two of the network sniffing tool dropped last week.

The immensely popular network protocol analyser now comes native for Mac, sports dozens of new bug fixes and a new interface.

“Wireshark 2.0 features a completely new user interface which should provide a smoother, faster user experience,” Wireshark developers wrote in the release notes.

“The new (Qt) interface should be familiar to current users of Wireshark but provide a faster workflow for many tasks.”

The release precedes by days the publication of version seven of the popular Nmap security scanner.

That upgrade is the latest since version six was dropped in 2012 and contains some 3200 code commits, authors say.

“It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since Nmap six,” the authors write in the release notes.

“Nmap turned 18 years old in September this year and celebrates its birthday with 171 new Nmap Scripting Engine scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever.”

Wireshark on Mac.

Top of the fixes are the scripting engine expansions including slowloris denial of service, mature IPv6 support, infrastructure upgrades like a bug tracker and SSL, faster scans, and better Ncat.

Authors have also made the scanner run on Windows XP, by popular demand, with a note that security types should upgrade their ancient operating systems. Those XP boxes may just be virtual machines, however. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/wireshark_20_nmap/

Clueless Anonymous asks the powerless to save dolphins

Persons using the name and iconography of online activist collective “Anonymous” (PUTNAIOOACA) are appealing to recently-dethroned world leaders to help them in a fight against Japan’s dolphin slaughter program.

PUTNAIOOACA operatives are currently running #opkillingbay, an effort to draw global attention to the annual dolphin hunt in the Japanese town of Taiji. #opkillingbay suggests nations boycott Tokyo’s 2020 summer olympics over the hunt, apparently a bloody and cruel affair. There’s also a health angle to the protest: dolphin is apparently very high in mercury.

The operation’s seen PUTNAIOOACA peeps conduct DDoS attacks on Japanese airports and, over the weekend, use the same tactic to take down the web site of the nation’s ministry of health.

Which is where El Reg started looking into the matter and found the @OpKillingBay twitter account.

That feed shouts out to world leaders about the Taiji dolphin hunt, urging them to work for its cessation.

But there’s just one problem: some of the world leaders to whom PUTNAIOOACA pleads have recently lost their jobs.

The tweet below, for example, appears to be directed at Canadian prime minister Stephen Harper … who lost his job after the nation’s October 19th election. The account @pmharper no longer exists.

Another tweet calls out to former Australian prime minister Tony Abbott, who was voted out by his own party on September 14th.

While Abbott and Harper remain members of parliament, both have greatly diminished influence. If PUTNAIOOACA are serious about the cause, they really need to get up to speed and target @turnbullmalcom and @JustinTrudeau instead.

The PUTNAIOOACA operatives behind #opkillingbay do hit their targets with US president Barack Obama, UK prime minister David Cameron, Spanish prime minister Mariano Rajoy Brey and Beverly Hills, 90210 actress Shannen Doherty. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/clueless_anonymous_asks_the_powerless_to_save_dolphins/

How NSA continued to spy on American citizens’ email traffic – from overseas

Newly revealed documents (not from Snowden this time) show that the NSA has continued to collect Americans’ email traffic en masse using overseas offices to get around curbs introduced domestically.

Shortly after the September 11 attacks, President Bush authorized the NSA to collect bulk metadata on emails sent by Americans (although not the content) to help The War Against Terror (TWAT). The surveillance was authorized by the US Foreign Intelligence Surveillance Court, which mostly rubberstamped such requests.

But the collection was stopped in 2011, the NSA said, although it still monitored emails from Americans to people outside the nation’s borders. However, a Freedom of Information Act lawsuit started by The New York Times against the NSA’s Inspector General has uncovered documents showing that the NSA carried on collecting domestic data.

To get around the restrictions on operating in the USA, the NSA simply started using its overseas offices to do the collection. Stations like RAF Menwith Hill in Yorkshire were tasked with collecting the metadata and feeding it back to the NSA headquarters in Maryland.

There’s no evidence that the content of emails was being examined by NSA analysts. Instead the metadata was used to try and divine linkages between individuals the agency was looking to monitor. But that metadata is very useful.

“We have known for some time that traffic analysis is more powerful than content analysis,” said Dan Geer, chief information security officer of the CIA’s venture capital firm In-Q-Tel.

“If I know everything about you, about who you communicate with, when, where, with what frequency, what length, and at what location, I know you. The soothing mendacity of proxies from the president that claim that it is only metadata, is to rely on the profound ignorance of the listener.”

The NSA has declined to comment on the documents. ®

Sponsored:
Data Loss Prevention Data Theft Prevention

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/remember_mass_email_slurping_nsa_stopped/

Malware caught checking out credit cards in 54 luxury hotels

Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware.

The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash registers.

Starwood said the 54 compromised hotels [PDF] were scattered throughout the US and Canada, and were infected from as early as November of 2014 to June 30 of this year. Malware was found in payment systems in gift shops, restaurants, and sales registers.

Data stolen by the software could include customer names, credit card numbers, card security codes, and expiration dates. Starwood said that customer addresses, reservation data, and reward card information were not exposed in the breach.

Starwood Hotels and Resorts’ brands include the Sheraton, Westin, and W Hotel chains as well as the Palace Hotel in San Francisco and the Walt Disney World Dolphin resort in Orlando.

Any customers who visited the breached hotels are advised to keep a close eye on their bank statements for any suspicious charges. As we’ve come to expect in these sorts of situations, Starwood said it would offer one year of free identity protection and credit monitoring services to those who were affected by the breach.

The malware has since been isolated and removed from the system, and Starwood said it has put additional safeguards in place to prevent the attack from recurring. Little consolation for those whose card data was stolen.

This is certainly not the first time, and likely will not be the last, that a hotel chain has fallen victim to a POS malware infection. Similar attacks have been uncovered in recent months at Hilton and Trump resorts, as well as at casinos in Las Vegas and Michigan. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/starwood_hotels_resorts_pwned/