
Android Market free-for-all blamed for malware avalanche

Android mobile malware samples have increased more than five-fold since July alone, according to a study by Juniper Networks.

The ability of anyone to develop and publish an application to the Android Market – in contrast to the more restrictive model applied by Apple for iOS – is at least partly to blame for the huge increase of 472 per cent in little over three months, according to Juniper. The network infrastructure firm also blames the absence of an “adequate code-review mechanism” for the rise.

A blog post by Juniper explains:

These days, it seems all you need is a developer account, that is relatively easy to anonymise, pay $25 and you can post your applications. With no upfront review process, no one checking to see that your application does what it says, just the world’s largest majority of smartphone users skimming past your application’s description page with whatever description of the application the developer chooses to include.

Applications can be removed from the Android Market following complaints, but by then any rogue application would have hit hundreds or perhaps thousands of victims. In addition to increased volumes of Android malware (growing exponentially, according to Juniper), the firm is also seeing growth in the sophistication of malware samples for the smartphone platform. One increasingly popular tactic is establishing a backdoor on compromised devices that can later be used to push secondary infectors or updates onto pwned smartphones, as Juniper explains.

In the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware.

Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90 per cent of Android devices being carried around today. Attackers know this, and they’re using it to gain privilege escalation on the device in order to gain access to data and services that wouldn’t otherwise be available.

More than half (55 per cent) of known Android malware samples bundle spyware functionality. Malware strains that send text messages to premium rate numbers – netting cyber-crooks a commission fee in the process – are also commonplace. Most malicious applications target communications, location, or other personal identifying information.
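The permission combinations that go with the behaviours described above (premium-rate texting, intercepting the carrier's reply, harvesting contacts and location, surviving a reboot) are visible in an app's manifest before anyone installs it. The following triage script is an added example, not Juniper's tooling or anything from the report: it parses a manifest and flags the risky combinations. The two manifests and the grouping rules are constructed for the example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PREFIX = "android.permission."

# Constructed sample manifests for this example; they are not real apps.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Wallpapers"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Free Wallpapers"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Flag permission combinations that match the behaviours in the report.
    The rules below are this example's own heuristics, not Juniper's."""
    perms = requested_permissions(manifest_xml)

    def has(*names: str) -> bool:
        return all(PREFIX + n in perms for n in names)

    flags = []
    # SEND_SMS alone is enough to bill premium-rate numbers.
    if has("SEND_SMS"):
        flags.append("premium-sms")
    # Send plus receive lets the app swallow the carrier's confirmation reply.
    if has("SEND_SMS", "RECEIVE_SMS"):
        flags.append("sms-fraud")
    # Collecting contacts, location or SMS plus network access is an exfiltration path.
    collects = any(has(n) for n in ("READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS"))
    if collects and has("INTERNET"):
        flags.append("spyware")
    # Restarting at boot keeps a backdoor alive across reboots.
    if flags and has("RECEIVE_BOOT_COMPLETED"):
        flags.append("persistent")

    return {"permissions": sorted(perms), "flags": flags,
            "verdict": "review" if flags else "ok"}


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

A wallpaper app that wants to send and receive SMS, read contacts and track location gets a "review" verdict; the same app asking only for network access passes. On a real APK the manifest is binary-encoded and has to be decoded first (for instance with `aapt dump xmltree`) before it can be fed to this parser.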

Talk of exponential malware growth is alarming – and justified – but needs to be put into context: this growth started from a low base, dwarfed in volume by the quantity of Windows malware. Specialist mobile security firm Lookout, for example, estimates mobile malware instances have more than doubled to nearly 1,000 over the last four months alone. Windows malware estimates routinely run to 5 million or more.

Juniper reckons that bad guys who used to write malware for Symbian and Windows Mobile devices have moved over to Android as Google’s platform has increased in popularity. Android malware instances have increased as a result. In the meantime strains of iOS malware have been limited to the infamous rickrolling worm and a similar banking Trojan a couple of years back, both confined to jailbroken devices. Apple’s App Store policies – rather than inherent features of either smartphone platform – explain why Android malware is abundant while Apple smartphone malware is almost unheard of, according to Juniper.

The main reason for the malware epidemic on Android is the different approaches that Apple and Google take to policing their application stores. Android’s open application store model, which lacks the store-issued code signing and pre-publication review that Apple requires, makes it easy for attackers to distribute their malware.

Famed researcher Charlie Miller managed to get a malicious application into Apple’s App Store, so Apple is not immune to problems in this area, as Juniper acknowledges. However, in the case of Android, no such restrictions even exist. Juniper concludes:

There is still no upfront review process in the official Android Market that offers even the hint of a challenge to malware writers that their investment in coding malware will be for naught… which means Android will remain the target of mobile malware writers around the world.

Juniper’s malicious mobile threats report can be downloaded here (registration required). A commentary of its main findings, alongside an infographic, can be found here.

Some security watchers have described Android as the new Windows because of the security problems that are beginning to congregate around the platform. Some operating systems attract malware writers while others are largely avoided for reasons that don’t have much to do with the inherent security of an operating system. Widespread adoption, knowledge among VXers on how to write malware, documentation, and virus creation tools are more important factors.

Android ticks all of these boxes, just as Windows did before it. Unless the lessons of the past are learned, and learned quickly, we risk repeating the same pox-plagued history of Windows desktops on smartphones. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/android_malware_surge/

Assange hires Pirate Bay lawyer

Julian Assange has ditched his Swedish legal counsel and lined up a new defence team in readiness for a likely return to the country to face allegations of sexual molestation and rape against two women.

His new lawyers include Per Samuelson, who in 2009 represented Carl Lundström – one of the co-founders of notorious BitTorrent tracker website The Pirate Bay.

At the start of November, WikiLeaks founder Assange was ordered by a High Court judge in London to return to Sweden.

He was arrested by Scotland Yard police 11 months ago and was granted bail earlier this year, after his lawyers secured funds of around £200,000 from a number of celebrity friends.

Swedish prosecutors have repeatedly requested that Assange make himself available for questioning. They have issued a warrant for the WikiLeaker’s arrest; however, they have yet to file charges in the case.

Assange is still fighting that extradition order. Lawyers acting for him in the UK filed appeal papers with the Supreme Court earlier this week.

But that really is his final chance to appeal against being banished from Blighty to Sweden.

Assange reportedly confirmed in a petition lodged with the Stockholm District Court yesterday that he wanted to work with attorneys Per E Samuelson and Thomas Olsson, according to the Local.

He ditched his previous lawyer, Björn Hurtig, who had represented the WikiLeaker-in-chief in Sweden since September last year.

Olsson told TT news agency that he has had only limited contact with Assange so far. “He’ll have to explain his motivation behind changing defenders,” the lawyer said, who is now reviewing Assange’s case.

Hurtig said there was no conflict between him and Assange over the legal team switch.

“You’ll have to ask him why he’s decided to change. But it’s not unusual that someone changes lawyers and he’s chosen two superb new representatives. I wish him the best of luck,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/assange_hires_pirate_bay_lawyer/

UK cops: ‘We thwarted Royal Wedding web attack plot’

UK cybercops have claimed credit for preventing attempts to blast the official Royal Wedding website offline in April, following the arrest of a teenager suspected of masterminding the attack.

Detective Superintendent Charlie McMurdie said that preemptive action was taken to keep the site, dedicated to the marriage of Prince William and Kate Middleton on 29 April, up and running despite the connection onslaught. McMurdie declined to go into further details, other than to say that the Met had been asked to investigate the threat.

However a Scotland Yard spokesman told AP that a 16-year-old was arrested and questioned last month on suspicion of attempting to incite others into joining in with a distributed denial of service attack against the site. The teenager was released on police bail pending further inquiries, which El Reg can safely guess will involve the forensic examination of seized computer equipment.

McMurdie made her comments in passing during a conference on cybercrime organised by the Royal United Services Institute, a defence industry think tank. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/royal_wedding_ddos_thwarted/

Mysterious sat-pic China desert markings

The grids of white lines in China’s Gobi desert that have had the world’s conspiracy theorists in a lather for a week are actually calibration targets used to help China’s spy satellites, says a NASA researcher.

Since the 65ft-wide white line patterns were spotted on Google Earth, it has been speculated that they were anything from missile testing sites to alien writing.

[Image: Chinese structure, credit Google Earth. Now believed to be a satellite calibration target]

But they are almost certainly patterns used to calibrate satellites, according to Jonathon Hill, a research technician and mission planner at the Mars Space Flight Facility at Arizona State University, who spoke to the site LifesLittleMysteries.

Satellite cameras will focus on the grids to orient themselves in space. The large size of the grids discovered suggests that the cameras have relatively poor resolution according to Hill.

And they look like paint, too, he says: the surface has little cracks in it, which means it’s unlikely to be reflective metal, and chalk or dust would go streaky.

Another feature photographed by Google showed abandoned planes in a circular, Stonehenge-style pattern of bumps – most likely a radar test to see how visible military equipment is from the air. It could also give the Chinese insights into picking out other countries’ hidden military bases.

Like the US and Britain, China has spy satellites in orbit around the earth so the discovery of these orientation and testing sites is no huge surprise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/chinese_desert_mystery_sites_are_satellite_targets/

Afghan elders refuse to be labelled pimps by number 39

Plans to extend the London 39 bus route from Putney Bridge Station to Kabul are reportedly on hold after the number of shame caused a bit of a rumpus at a gathering of Afghan elders.

President Hamid Karzai convened the “loya jirga” to chew the fat over US-Afghan relations, but made the mistake of dividing the shindig into 40 committees.

Delegates assigned to committee 39 refused point-blank to take their chairs, lest they be tainted by association with the “pimp” number.

Regular readers will recall that 39 scuppered Kabul car sales earlier this year, as buyers shunned registration plates beginning with the numerals. Legend has it that the whole numerical kerfuffle began with an Iranian pimp nicknamed “39”, whose own number plate declared as much, and ever since the conservative Afghans have associated 39 with whoremongering.

A loya jirga participant explained to the Beeb: “I don’t want to return to my area and be called a pimp. I don’t care if it is true or not, but people out there believe in it. Look no one wants to have a vehicle with number plate 39. And yet, you want me to be in 39?”

Another delegate was less than impressed. He said: “It is sad to see delegates raise such issues at such an important meeting. We have more important things to deal with.”

In order to get the elders back to their important business, officials were obliged to formulate a cunning plan, and simply renumbered the offending committee to “41”. ®

Bootnote

El Reg spoke earlier today to a 39-year-old man, who lives at 39 Chicken Street, Kabul. On condition of anonymity, he told us he was looking for a new house to lock himself in until his next birthday, and that he “certainly wouldn’t be listening to Queen’s A Night at the Opera for the foreseeable future”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/afghan_rumpus/

Phishers net Norwegian secrets

Oil, gas and defence data has been boosted from computers in Norway, in what the country fears is its largest-ever data espionage case.

Details are still slim, but according to AP, phishing e-mails were sent with viruses designed to “sweep entire hard drives for data”.

Norway’s National Security Authority, NSM, which coordinates the country’s CERT activities, says attackers have sent industrial secrets from the targeted companies out of the country.

It’s not the first time Norway has suffered serious breaches of security. In March, shortly after its F-16s were involved in air strikes on Libya, a data-stealing trojan was e-mailed to military employees.

NSM spokesperson Kjetil Berg Veire told the Associated Press that more than one person appeared to have been involved in the attack. The NSM is also quoted in an AP report run by The Australian as saying that “attacks often occurred when companies were negotiating large contracts”.

Norway has experienced repeated attacks this year, with the NSM identifying at least ten similar attacks targeting the same industries, and the number could be higher, since some victims may not be aware their systems have been compromised.

The Washington Post notes that the Nobel Institute has also been a target, after it gave Chinese activist Liu Xiaobo the 2010 Nobel Peace Prize. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/noway_data_theft_attack/

Water utility hackers destroy pump, expert says

Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.

Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer’s customers. The unknown attackers used IP addresses that originated in Russia.

Weiss cited an official government report from the state where the regional water district was located. It was dated November 10, two days after the hack was discovered. The document indicates that the utility had been experiencing unexplained problems with its computerized system in the weeks leading up to the breach.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility’s pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”
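A pump being toggled on and off "repeatedly" is exactly the kind of thing a SCADA historian or event log records, and it is detectable without knowing who is at the keyboard. The script below is an added example, not anything from Weiss's report or the utility: it parses a constructed event log of pump state changes and raises an alert when a tag changes state more often than a threshold within a sliding window. The log format, tag names and thresholds are assumptions for the example.

```python
from __future__ import annotations
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of a SCADA event log for this example; it is not the
# water district's data. Assumed format: ISO timestamp, tag name, new state.
SAMPLE_LOG = """\
2011-11-08T02:00:05 PUMP3.RUN ON
2011-11-08T02:10:30 PUMP3.RUN OFF
2011-11-08T02:31:12 PUMP3.RUN ON
2011-11-08T03:14:02 PUMP3.RUN OFF
2011-11-08T03:14:09 PUMP3.RUN ON
2011-11-08T03:14:17 PUMP3.RUN OFF
2011-11-08T03:14:24 PUMP3.RUN ON
2011-11-08T03:14:31 PUMP3.RUN OFF
2011-11-08T03:14:40 PUMP3.RUN ON
2011-11-08T03:14:48 PUMP3.RUN OFF
2011-11-08T03:14:55 PUMP3.RUN ON
2011-11-08T03:40:00 PUMP2.RUN ON
"""


def parse_events(log_text: str) -> list[tuple[datetime, str, str]]:
    """Parse 'timestamp tag state' lines into time-ordered (datetime, tag, state) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, tag, state = line.split()
        events.append((datetime.fromisoformat(ts), tag, state))
    events.sort(key=lambda e: e[0])
    return events


def find_rapid_cycling(events, max_transitions: int = 4,
                       window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert on any tag whose state changes more than max_transitions times
    within a sliding window. The thresholds are assumptions for the example;
    a real deployment would derive them from the pump's rated duty cycle."""
    by_tag: dict[str, list[tuple[datetime, str]]] = {}
    for ts, tag, state in events:
        by_tag.setdefault(tag, []).append((ts, state))

    alerts = []
    for tag, seq in by_tag.items():
        # Only genuine state changes count, not repeated identical reports.
        transitions = [ts for (ts, st), (_, prev) in zip(seq[1:], seq) if st != prev]
        best = (0, None, None)          # (count, window start, window end)
        win: deque = deque()
        for ts in transitions:
            win.append(ts)
            while ts - win[0] > window:  # drop transitions older than the window
                win.popleft()
            if len(win) > best[0]:
                best = (len(win), win[0], ts)
        if best[0] > max_transitions:
            alerts.append({"tag": tag, "start": best[1], "end": best[2],
                           "transitions": best[0]})
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_cycling(parse_events(SAMPLE_LOG)):
        print("ALERT %(tag)s: %(transitions)d state changes between %(start)s and %(end)s" % alert)
```

On the sample, PUMP3 flips eight times in under a minute starting at 03:14:02 and is flagged; the two ordinary cycles earlier in the night and the single PUMP2 start are not. The same sliding-window logic works on historian exports, alarm logs or Modbus write captures once they are reduced to (time, tag, state) triples.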

Weiss said he obtained the report on the condition that the water utility and the state where it’s located aren’t disclosed. He published bare-bones details of the hack on Thursday because he wanted to bring attention to an incident he said raised serious concerns about the ability of the US government to secure critical infrastructure.

“This is really a big deal, and what’s just as big a deal is what isn’t being said or isn’t being done,” Weiss said. “What the hell is going on with DHS? Why aren’t people being notified?”

He said he’s unaware of any water utilities or other SCADA operators who know about the attack.

The Register was unable to verify the claims in the report, and Department of Homeland Security officials didn’t immediately respond to a request for comment. A security researcher with no affiliation to Weiss said there was no obvious reason to doubt the attack took place as described.

“It’s not surprising,” said Rick Moy, President and CEO of NSS Labs. “These things are connected to the internet in ways they shouldn’t be. It’s very plausible.”

Over the past few years, the vulnerability of the control systems used to operate power plants, gas refineries, and other industrial systems has been underscored by a variety of events. Chief among them was the Stuxnet computer worm that infiltrated SCADA systems in Iran and disrupted that country’s nuclear program. Earlier this year, security researcher Dillon Beresford disclosed bugs in widely used control systems that he said were “far reaching and affect every industrialized nation across the globe.”

More recently, researchers discovered highly sophisticated malware dubbed Duqu had infiltrated at least eight industrial facilities throughout the world by exploiting a previously unknown vulnerability in Microsoft Windows. Some researchers say it was created by people with close ties to Stuxnet.

Weiss said the possibility that the attackers of the water utility obtained passwords for multiple customers of the SCADA manufacturer left open the possibility that other industrial facilities are also susceptible or may already have been breached. Many industrial control systems rely on hard-coded passwords, so a stolen credential can’t be rotated without causing serious problems.

Weiss said the objectives and identities of the attackers remain a mystery. Possibilities could include a nation state doing reconnaissance, recreational hackers looking for laughs, or a criminal gang setting up an elaborate extortion scheme.

“Until you find who did it, there’s no way to know what the motive is,” he said. ®

Follow @dangoodin001 on Twitter.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/water_utility_hacked/

World’s first Windows 8 ‘bootkit’ to debut next week

A security researcher said that he has developed malware for Microsoft’s forthcoming Windows 8 operating system that’s able to load during boot-up when it’s run on older PCs.

Peter Kleissner said Stoned Lite, as the latest version of his bootkit is called, doesn’t bypass defences that will be available to people using Windows 8 on newer machines. Specifically, he said in a series of Twitter messages, it doesn’t defeat UEFI, short for Unified Extensible Firmware Interface, the replacement for the legacy BIOS, or its Secure Boot feature, which checks the digital signature of the boot loader before handing control to it, and so refuses to run an unsigned or tampered one. Stoned Lite works only on machines that boot the old way, from an unverified master boot record.

A previous bootkit – which Kleissner called Stoned – works on Windows 2000 through Windows 7 and is able to load before Windows starts by attaching itself to the master boot record of a targeted PC’s hard drive. Stoned Lite is able to do the same thing for Windows Server 2008 and Windows 8, the Vienna-based developer and researcher said. It works by bypassing Windows User Account Control, and with a footprint of just 14KB, it can easily be unleashed from a USB or CD drive.
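Because an MBR bootkit has to overwrite the first 446 bytes of sector 0 and usually parks its body (and a copy of the original MBR) in the unallocated sectors before the first partition, a disk that boots the legacy way can be checked for tampering with nothing more than a known-good hash and a few structural invariants. The following is an added example, not Kleissner's code or a detector for Stoned specifically: it builds a constructed disk image, records a baseline, then inspects a modelled infection. The placeholder boot code, partition layout and "implant" bytes are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot code a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIG_OFF = 510            # two-byte boot signature 0x55 0xAA

# Placeholder boot code for the example; not a real loader.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 20


def partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte MBR partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_disk(boot_code: bytes, gap_sectors: int = 8, implant: bytes = b"") -> bytes:
    """Constructed disk image for the example: an MBR followed by the
    unallocated gap before the first partition. `implant` models a bootkit
    body stashed in that gap."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = partition_entry(0x80, 0x07, 1 + gap_sectors, 204800) + b"\x00" * 48
    gap = implant.ljust(gap_sectors * SECTOR, b"\x00")[:gap_sectors * SECTOR]
    return code + table + b"\x55\xaa" + gap


def boot_code_hash(image: bytes) -> str:
    return hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest()


def first_partition_lba(image: bytes) -> int:
    return struct.unpack_from("<I", image, PART_TABLE_OFF + 8)[0]


def check_mbr(image: bytes, baseline_hash: str) -> dict:
    """Compare a disk's first sectors against a known-good baseline and the
    structural invariants of a sane MBR."""
    findings = []
    if image[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(image) != baseline_hash:
        findings.append("boot code differs from baseline")
    for i in range(4):
        status = image[PART_TABLE_OFF + 16 * i]
        if status not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (i, status))
    # Heuristic: the sectors between the MBR and the first partition are
    # normally zero, and MBR bootkits commonly hide their body (and a copy
    # of the original MBR) there.
    gap = image[SECTOR:first_partition_lba(image) * SECTOR]
    if any(gap):
        findings.append("non-zero data in the %d-sector gap before the first partition"
                        % (len(gap) // SECTOR))
    return {"clean": not findings, "findings": findings}


# Known-good image and its baseline, as an administrator would record them at build time.
CLEAN_IMAGE = build_disk(CLEAN_CODE)
BASELINE = boot_code_hash(CLEAN_IMAGE)

# Modelled infection: two bytes of the loader altered and a body written into the gap.
PATCHED_CODE = CLEAN_CODE[:4] + b"\xeb\xfe" + CLEAN_CODE[6:]
INFECTED_IMAGE = build_disk(PATCHED_CODE, implant=b"EXAMPLE-BOOTKIT-BODY" + CLEAN_CODE)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_IMAGE, BASELINE))
    print("infected:", check_mbr(INFECTED_IMAGE, BASELINE))
```

Against a real disk, the image is just the first few sectors read from the raw device (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows) with the same sector count as the first partition's starting LBA. The check only helps if the baseline was taken before the compromise and is stored off the machine; a bootkit that runs before the OS can lie to anything that asks it for sector 0 afterwards, which is the point of Secure Boot moving the check into firmware.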

Kleissner said he plans to release further details at next week’s Malcon conference in India.

Microsoft’s announcement in September that Windows 8-certified PCs would ship with UEFI Secure Boot enabled was almost immediately met with suspicion from open-source boosters, who claimed the feature could make it impossible to run operating systems such as Linux and FreeBSD on computers that adopted the alternative to BIOS firmware. Microsoft has denied such claims, but many critics still aren’t convinced.

Whatever the merits of that argument, the inability of Stoned Lite to penetrate UEFI Secure Boot is the strongest endorsement to date that the feature works as advertised. At least for now. ®

Follow @dangoodin001 on Twitter.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/windows_8_bootkit/

Visa’s amazing answer to e-wallet domination: A new logo

Visa USA has launched its new logo, with service to follow next year, securing online payments by hosting your wallet in the Visa cloud.

The idea is that you upload details of your payment cards to Visa, even if they’re not Visa-branded, and Visa will process the payment without ever revealing your card details to the merchant. Basically it’s like using PayPal, only merchants have to be registered with Visa and there’s no stored value, but it also maintains the protection inherent in using a credit card.

[Image: Visa logo. Just stare at the logo… don’t you feel more secure already?]

The “V.me” service won’t launch until next year, but the website is up and accepting enquiries from merchants and developers. Merchants who register with the service just add a line or two of JavaScript and the V.me logo will appear on their site. Users who have already uploaded their card details then click on the logo to make the payment and enter a username and password in the (Visa-served) window which pops up.

The point here is that the merchant just gets a message from Visa’s server saying the transaction has been approved; they don’t get to see the card details or even know what card was used.
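The merchant's security in that design rests on one thing: that the "approved" message really came from the wallet provider's server, matches the order the merchant raised, and can't be replayed. V.me's actual message format and verification mechanism aren't described, so the following is an added, hypothetical illustration of the generic pattern rather than V.me's design: the provider signs the approval fields with a per-merchant secret, and the merchant verifies the MAC in constant time, then checks order, amount, freshness and nonce before shipping anything. The shared secret, field names and sample messages are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import time

# Hypothetical: the wallet provider and the merchant share a per-merchant
# secret out of band. An assumption for the example, not V.me's design.
MERCHANT_SECRET = b"example-shared-secret-not-real"


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(fields: dict, secret: bytes) -> str:
    """Provider side: HMAC-SHA256 over the canonical approval message."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


class ApprovalVerifier:
    """Merchant side: accept an approval only if it is authentic, matches an
    order we actually issued, is fresh, and has not been seen before."""

    def __init__(self, secret: bytes, expected_orders: dict, max_age: int = 300, now=time.time):
        self.secret = secret
        self.orders = expected_orders      # order_id -> (amount_minor, currency)
        self.max_age = max_age             # seconds
        self.now = now                     # injectable clock for testing
        self.seen_nonces: set[str] = set()

    def verify(self, message: dict, signature: str) -> tuple[bool, str]:
        # Authenticate first, with a constant-time compare, so nothing below
        # acts on attacker-controlled fields.
        if not hmac.compare_digest(sign_approval(message, self.secret), signature):
            return False, "bad signature"
        if message.get("status") != "approved":
            return False, "not approved"
        order = self.orders.get(message.get("order_id"))
        if order is None:
            return False, "unknown order"
        if (message.get("amount_minor"), message.get("currency")) != order:
            return False, "amount or currency mismatch"
        if abs(self.now() - message.get("ts", 0)) > self.max_age:
            return False, "stale"
        nonce = message.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(nonce)
        return True, "ok"


# Constructed sample exchange with a fixed clock.
FIXED_NOW = 1321500000

SAMPLE_APPROVAL = {"order_id": "ORD-1001", "amount_minor": 4999, "currency": "GBP",
                   "status": "approved", "ts": FIXED_NOW - 5, "nonce": "n-7f3a"}


def demo() -> list[tuple[bool, str]]:
    verifier = ApprovalVerifier(MERCHANT_SECRET, {"ORD-1001": (4999, "GBP")}, now=lambda: FIXED_NOW)
    good_sig = sign_approval(SAMPLE_APPROVAL, MERCHANT_SECRET)
    results = [verifier.verify(SAMPLE_APPROVAL, good_sig)]               # genuine approval
    results.append(verifier.verify(SAMPLE_APPROVAL, good_sig))           # same message again
    forged = dict(SAMPLE_APPROVAL, amount_minor=1)                       # tampered amount
    results.append(verifier.verify(forged, good_sig))
    results.append(verifier.verify(forged, sign_approval(forged, b"guess")))  # attacker's own key
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The order matters: the signature is checked before any field is trusted, and the nonce is recorded only after everything else passes, so a rejected message can't burn a nonce. The same rule applies to the browser-side pop-up: whatever the user's browser reports after the Visa-served window closes is just a hint, and the merchant's server should act only on the provider's authenticated message.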

RBS WorldPay already offers something very similar, with a UK offering costing £75 in setup fees plus a monthly subscription of £15 as well as a few per cent of every transaction depending on the volume of traffic, and that still requires the user to type their card details in every time. V.me is trying to get those card details entered once, and then secured with a username and password within its cloud.

That’s much closer to the PayPal model, which links accounts to email addresses but stores credit card details in much the same way. But working through PayPal removes much of the consumer protection that paying by credit card provides: the payment is made to PayPal, not to the final merchant, so any dispute must be resolved with PayPal rather than the credit-card issuer.

V.me isn’t acting as an intermediary, so should maintain one’s fraud protection, though to what extent we won’t know until the service launches next year. We do know that the whole V.me service is just a precursor to Visa’s planned electronic wallet – something akin to Google Wallet, which will allow cards to be installed into an NFC handset and used at every Visa payWave-equipped till, probably using the same logo. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/v_me_logo_visa_online_shopping/

Crooks make it rain by seeding cloud with zombies

Malware operators are once again trying to generate profits from the cloud, this time by stealing the resources of infected computers and selling them to a new distributed-computing network, researchers from Kaspersky said.

After infecting a computer, the malware downloads and installs the MetaTrader 5 Tester Agent, software that uses spare CPU cycles to test custom-written software used in financial trading systems. Operator MetaQuotes Software Corp. has more details about how to participate in its MQL5 Cloud Network here. Trojan-Downloader.Win32.MQL5Miner.a, as Kaspersky has christened the malware, registers the agent under an account controlled by the attackers, so the credit for the victim’s completed work accrues to them.

With hundreds of millions of computers sitting idle on desktops around the world, there’s an untold number of petaflops worth of resources that go unused each day. Legitimate software developers, such as those behind the SETI@home project, have been tapping these spare CPU cycles for years. Botnet operators do much the same thing when they use infected computers to send spam or wage denial-of-service attacks.

Over the past few months, crooks have expanded the revenue potential of infected machines by using their spare resources to perform legitimate tasks. A variety of strains, including Infostealer.Coinbit, use a hijacked PC’s GPU and other resources to mine the digital currency known as Bitcoin.

“When it comes to making money, cybercriminals don’t miss a trick,” Kaspersky Lab Expert Vyacheslav Zakorzhevsky wrote. “That includes exploiting the resources of infected computers without their owners’ knowledge or consent.”

The malware appears to spread through email attachments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/malware_milks_cloud/