STE WILLIAMS

India to greenlight state-sponsored cyber attacks

The Indian government is stepping up its cyber security capabilities with plans to protect critical national infrastructure from a Stuxnet-like attack and to authorise two agencies to carry out state-sponsored attacks if necessary.

Sources told the Times of India that the government’s National Security Council, headed by prime minister Manmohan Singh, is currently finalising plans which would give the Defence Intelligence Agency (DIA) and National Technical Research Organisation (NTRO) the power to carry out unspecified offensive operations.

India is also hoping to co-ordinate its defensive capabilities better, in the event of an attack which could debilitate its critical infrastructure.

The country was reportedly hit by Stuxnet, although it doesn’t appear to have caused any serious damage and was unlikely to have been a deliberately targeted attack.

With this in mind, the NTRO is likely to be called on to create a 24-hour National Critical Information Infrastructure Protection Centre (NCIIPC) to monitor threats, while sector-specific Computer Emergency Response Teams (CERTs) will also be recommended, the report said.

The NTRO and Intelligence Bureau (IB) will be given responsibility for the security of various government networks, it added.

The Indian government is some way behind the US and UK in its formulation of a coherent national cyber security policy, and has been criticised in the past for its slow response to denial of service and web defacement attacks.

Most recently it has been under fire from hacktivist collective Anonymous in retaliation for its stance on illegal file sharing, while hackers from neighbouring rival Pakistan are thought to represent a constant threat.

Last month Symantec warned that the lack of security know-how among the country’s growing urban population and small and medium sized businesses is being exploited with increasing ruthlessness by criminals. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/11/india_state_sponsored_attacks/

Smart meters are ‘massive surveillance’ tech

The European Data Protection Supervisor has warned that smart meters are a significant privacy threat and wants limits on the retention and use of customer data before it’s too late.

The EDPS is an independent authority figure tasked with identifying where EU policies might represent a risk to privacy. He reckons next-generation meters, which precisely monitor electricity use within homes, are a very likely candidate unless his concerns are addressed ahead of time.

Peter Hustinx, who fills the role with the assistance of Giovanni Buttarelli, admits there are advantages of smart metering, but warns that the technology will “also enable massive collection of personal data which can track what members of a household do within the privacy of their own homes”. He pulls up examples of baby monitors and medical devices, which have identifiable patterns of energy consumption and could therefore be used to monitor what people are doing.

That might sound fanciful, but researchers have already demonstrated that the pattern of energy consumed by a decent flat-screen TV can be used to work out what programme is being watched, and Hustinx is probably right that this isn’t information most of us would wish to share with our electricity providers.

Smart meters need to collect all that data in order to reduce our reliance on power – it’s now an article of faith that once we know how much energy we’re using we’ll magically reduce that consumption, so the EU is committed to mandating smart meters by 2020. Therefore the EDPS thinks we need legislation now, before it’s too late, stating what the data can be used for and how long it can be retained.

The real way to reduce power consumption is by using smart appliances – such as a washing machine that can be configured to run during the night – at the behest of electricity suppliers and with a suitably discounted rate. But this scenario is still a long way off from reality for the majority of us, so energy targets remain pinned to the idea we’ll voluntarily wash less.

The UK’s Department of Energy and Climate Change has taken some steps in this direction, promising that collected data won’t be shared with third parties, and requiring decent security to prevent it being stolen, but even that stops short of the limitations suggested by the EDPS.

The European Commission is preparing a document on the impact of all this new data, but as planned it’s limited to vague objectives rather than specific requirements, which is what the EDPS thinks will be necessary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/11/smart_meter_privacy/

Facebook joins Google in warning DNSChanger victims

Federal authorities will not seek a further extension to a DNSChanger safety net, meaning an estimated 360,000 security laggards will be unable to use the internet normally unless they clean up their systems before a 9 July deadline.

DNSChanger changed the domain name system (DNS) settings of compromised machines to point surfers to rogue servers – which hijacked web searches and redirected victims to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet’s command-and-control infrastructure back in November, as part of Operation GhostClick.

In place of the rogue servers, a bank of duplicate machines was set up to resolve internet look-up queries from compromised boxes. This system was established under a court order, which has already been extended twice. The move meant users of compromised machines could use the internet normally – but the safety net by itself did nothing to change the fact that infected machines needed to be cleaned.

At its peak as many as four million computers were infected by DNSChanger. An estimated 360,000 machines are still infected and there’s no sign that further extending the safety net will do any good, hence a decision to try other tactics while withdrawing the DNS safety net, which has served its purpose of granting businesses with infected machines time to clean up their act.

Last week Facebook joined Google and ISPs in notifying DNSChanger victims that they were surfing the net using a compromised machine.

“The warnings are delivered using a ‘DNS Firewall’ technology called RPZ (for Response Policy Zones),” Paul Vixie, chairman and founder of Internet Systems Consortium, told El Reg. “This allows infected users (who are using the ‘replacement’ DNS servers) to hear different responses than uninfected users (who are using ‘real’ DNS servers). We can control how an infected user reaches certain websites by inserting rules into the RPZ,” he added.
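The mechanism Vixie describes, as an added example that is not code from the article or from ISC: a small simulation of a Response Policy Zone. An RPZ is an ordinary DNS zone whose owner names are triggers (a query name, a wildcard, or an IP address that appears in an answer) and whose CNAME RDATA is the action (local data, NXDOMAIN via `.`, NODATA via `*.`, or `rpz-passthru.` to exempt a name). Only the resolver that loads the policy zone applies it, which is why a client still pointed at the replacement DNSChanger servers hears the walled-garden answer while a client on a normal resolver gets the real record. The policy zone `rpz.example.`, the real records and the addresses below are all made up for the demo.

```python
"""
Added example, not code from the article or from ISC: a small simulation of
how a Response Policy Zone gives clients of one resolver different answers
from clients of another. All names and addresses are constructed.
"""
import ipaddress

RPZ_ZONE = "rpz.example."          # hypothetical policy zone name

# Constructed "real" DNS data visible to every resolver.
REAL_ZONE = {
    "www.example.com.": ("A", "192.0.2.10"),
    "mail.example.com.": ("A", "192.0.2.20"),
    "ads.tracker.example.": ("A", "198.51.100.7"),
}

# Constructed policy rules (owner, rtype, rdata), in RPZ syntax:
#   <qname>.<zone>                        CNAME target        -> QNAME trigger, local data
#   *.<domain>.<zone>                     CNAME target        -> wildcard QNAME trigger
#   <name>.<zone>                         CNAME rpz-passthru. -> exempt this exact name
#   <prefix>.<reversed-ip>.rpz-ip.<zone>  CNAME .             -> answer-IP trigger, NXDOMAIN
RPZ_RULES = [
    ("www.example.com." + RPZ_ZONE, "CNAME", "landing.walled-garden.example."),
    ("*.example.com." + RPZ_ZONE, "CNAME", "landing.walled-garden.example."),
    ("mail.example.com." + RPZ_ZONE, "CNAME", "rpz-passthru."),
    ("24.0.100.51.198.rpz-ip." + RPZ_ZONE, "CNAME", "."),
]


def _rpz_ip_to_network(owner):
    """Decode 'prefix.b4.b3.b2.b1.rpz-ip.<zone>' into an IPv4 network."""
    labels = owner[: -len("rpz-ip." + RPZ_ZONE)].rstrip(".").split(".")
    prefix, octets = int(labels[0]), labels[1:][::-1]
    return ipaddress.ip_network(".".join(octets) + "/" + str(prefix))


def _qname_triggers(qname):
    """Owner names to try for a query: the exact name first, then wildcards
    climbing towards the root, so a specific rule beats a broader one."""
    yield qname + RPZ_ZONE
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:]) + "." + RPZ_ZONE


def _apply_action(rdata):
    """Map the CNAME target of a matching rule to a policy outcome."""
    if rdata == ".":
        return {"rcode": "NXDOMAIN"}
    if rdata == "*.":
        return {"rcode": "NODATA"}
    if rdata == "rpz-passthru.":
        return None                       # exempt: answer normally
    return {"rcode": "NOERROR", "answer": ("CNAME", rdata)}


def resolve(qname, real_zone, rpz_rules=None):
    """Answer `qname` from `real_zone`. When `rpz_rules` is given, check QNAME
    triggers first and then response-IP triggers against the real answer."""
    rules = {owner: rdata for owner, _rtype, rdata in (rpz_rules or [])}
    for owner in _qname_triggers(qname):
        if owner in rules:
            outcome = _apply_action(rules[owner])
            if outcome is None:
                break                     # passthru stops further QNAME matching
            outcome["trigger"] = owner
            return outcome
    if qname not in real_zone:
        return {"rcode": "NXDOMAIN"}
    rtype, rdata = real_zone[qname]
    if rtype == "A":
        for owner, action in rules.items():
            if owner.endswith("rpz-ip." + RPZ_ZONE) and \
                    ipaddress.ip_address(rdata) in _rpz_ip_to_network(owner):
                outcome = _apply_action(action)
                if outcome is not None:
                    outcome["trigger"] = owner
                    return outcome
    return {"rcode": "NOERROR", "answer": (rtype, rdata)}


if __name__ == "__main__":
    for name in ("www.example.com.", "mail.example.com.", "ads.tracker.example."):
        print(name, "clean resolver:", resolve(name, REAL_ZONE))
        print(name, "RPZ resolver:  ", resolve(name, REAL_ZONE, RPZ_RULES))
```

Running the script side by side shows the point of the DNSChanger notifications: the same query gets the real A record from the clean resolver and a CNAME to the landing page from the resolver carrying the policy, while the exact-name passthru rule shows how a wanted service can be exempted from a broader wildcard. A real deployment would express these rules in a zone file loaded by a resolver that supports RPZ rather than in a Python dictionary.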

More information – along with clean-up advice – can be found on the DNS Changer Working Group website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/10/dnschanger/

Watchdog relieves iPhone 5 scammers of £10k

A British company who offered “iPhone 5s” to punters has been slapped with a £10,000 fine by regulator PhonePayPlus, which ruled that the adverts for the non-existent phone were misleading.

According to the judgment published today, the Bumbalee service run by Mobile Minded BV used “prizes” such as the iPhone 5 to lure punters into signing up to a premium subscription service that charged them £2 every time they received a message.

In the adverts investigated by PhonePayPlus, the regulator for the UK’s premium phone line industry, Mobile Minded offered £150 of “free” Morrisons vouchers in adverts put on Facebook in September/October 2011 – which turned out to be as illusory as the iPhone 5.

Morrisons disclaimed any knowledge of a vouchers deal with Bumbalee and the monitors found that it was impossible to claim the vouchers. Punters clicking on the offer were asked to fill in a survey, before being taken to the subscription site and offered the opportunity to win an iPhone 5.

Entrants paid to do surveys or quizzes and were charged £2 a message with five messages sent a week.

PhonePayPlus estimated that the scammers made between £50,000 and £100,000 out of the service.

As well as the £10,000 fine, the company have two weeks to make all their advertising compliant and have been commanded to refund all complainants for the full amount of money spent by them on the service.

Mobile Minded BV have not responded to our request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/08/iphone_5_offer_attracts_regulator_fine/

Germany reveals secret techie soldier unit, new cyberweapons

CyCon 2012 Germany has confirmed that its military maintains an operational cyberwarfare unit with offensive capabilities.

The admission, which appeared in parliamentary documents published on Tuesday, gave no details of the size of the unit much less any operations that it might have run. However documents delivered to the German federal defence committee did reveal that the unit has been operating for six years since 2006, a year before the cyber-attack on Estonia and four years before the discovery of the infamous Stuxnet worm.

“The initial capacity to operate in hostile networks has been achieved,” the papers explain, adding that the Computer Network Operations Unit had carried out “simulations” of attacks in a “closed laboratory environment”, German press agency DPA reports.

The unit reports to the joint forces strategic intelligence command. Legislators reportedly expressed surprise at the existence of the unit and questioned whether military commanders had the legal authority to launch attacks on foreign networks.

Prof Dr Wolff Heintschel von Heinegg, a professor of law at European University Viadrina Frankfurt in Germany, told El Reg that the armed forces of many nations are probably building up an offensive cyber capability. The only difference is that Germany and (also recently) the Obama administration in the US are publicly talking about it.

“The German MoD see a potential in having an offensive cyber-op capability as well as an ability to defend critical infrastructures”, most notably military systems, Dr Heintschel von Heinegg explained.

The broader category of information warfare can be divided into “electronic warfare” – such as jamming enemy radar – and cyber-warfare, attacking a target’s cyber-infrastructure. “There is no clear dividing line between the two,” the prof explained, adding that cyber-espionage activities are not prohibited by codes of international law but only national criminal laws. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/08/germany_cyber_offensive_capability/

LinkedIn dials 911 on password mega-leak hackers

LinkedIn has turned to the FBI for help after 6.5 million of its users’ passwords were dumped online by hackers.

The business network said “a small subset” of the hashed data had been deduced and revealed, but the rest is “hard to decode”. Security biz Sophos estimated that as much as 60 per cent of the leaked list had been cracked.

It is relatively trivial to work out the original passwords from unsalted SHA-1 hashes: identical passwords produce identical hashes, so a single precomputed table of common passwords cracks every account that shares one. LinkedIn has since said it is upping its database security by salting its stored hashes.

The social network for suits is still silent on what other information the hackers may have lifted. It gave a somewhat slippery statement to the effect that punters’ email addresses have not been revealed – as far as it knows – which doesn’t answer the question of whether or not that information was stolen.

“To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorised access to any member’s account as a result of this event,” the company stated in a blog post.

Yesterday, members reported that they were being inundated with spam and phishing emails pretending to originate from LinkedIn, which would suggest that their email addresses had been stolen or that the hackers still had access to the network’s databases.

LinkedIn has yet to return today’s or yesterday’s requests from The Register for comment on the spam. The company said on its blog that users whose passwords were leaked had had their accounts locked down for now, but also said it was going to cancel other passwords as well.

“As a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected,” it said, without giving the criteria for how LinkedIn will figure out which accounts might be in trouble.

Any members who need to come up with yet another new password will be told to do so by email, but there will be no links in the email to click – just the instructions of what to do next.

LinkedIn said it was still looking into things and was also helping law enforcement with its investigation of the breach.

Meanwhile, dating site eHarmony and music site Last.fm have also reported hack attacks in which user passwords were nicked. eHarmony users say they are being spammed as well, although again only passwords have been confirmed stolen by the site. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/08/law_investigates_linkedin_breach/

LinkedIn users buried in spam after database leak

LinkedIn users are being bombarded by spam emails after the social network was hacked and hashed passwords of users dumped online.

Members of the business network told The Register that they had received scores of invitations to “link in” with new connections, often flagged with warnings from their email provider that the missive couldn’t be verified as coming from LinkedIn.com.

One user, consultant Peter Baston, told El Reg that he was receiving invitations in groups, which isn’t normal, and was frustrated by the lack of advice on LinkedIn’s front page.

While the network has put up two blog postings about the data breach, which saw a list of 6.5 million hashed passwords posted on a Russian Dropbox-alike, there isn’t any information on its actual website.

LinkedIn admitted that at least some of the passwords on the list were genuine and told people who were affected that their old passwords would be deleted and that they’d get an email prompting them to reset.

Unfortunately some of the emails urging people to input a new password by clicking on a link have turned out to be phishes. The real LinkedIn password-reset email has no links in it.

Although many companies of at least a half decent size seem to get hacked these days, LinkedIn has come in for criticism because the passwords were only hashed (with unsalted SHA-1) and not salted, a weak way of storing them: identical passwords produce identical hashes, so one precomputed table cracks every account that shares a password.

“For eons we have reminded companies that security and connectivity are opposites and the more you move in one direction the other is affected… and when you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that’s a FUBAR train wreck waiting to happen,” said Baston, who runs his own quality assurance consultancy.

In the same blog posting that told users about the password reset, LinkedIn said that its stored password hashes are now salted as well as hashed.

About two thirds of the hashed passwords dumped online have now been cracked, according to estimates from security biz Sophos.
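Why an unsalted SHA-1 dump falls this quickly, and what salting changes, as an added example that is not code from either LinkedIn article or from LinkedIn itself (it illustrates the point made in both pieces on this page). The first half models the leaked table: one SHA-1 per user, so a single dictionary pass cracks everyone who chose a listed password. The second half stores each password with a random per-user salt under PBKDF2-HMAC-SHA256 from the Python standard library, so there is no shared lookup table and every guess is paid for per user and per iteration. The user table, wordlist and iteration count are constructed for the demo; the iteration count in particular is an assumption to be tuned per deployment.

```python
"""
Added example, not code from the article or from LinkedIn: unsalted SHA-1
versus a salted, iterated KDF from the attacker's point of view.
The user table and wordlist below are constructed for the demo.
"""
import hashlib
import hmac
import os


def sha1_unsalted(password):
    """The 2012-LinkedIn-style scheme: one SHA-1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed leaked table. alice and carol chose the same password and so
# share a hash: that is exactly what a per-user salt is there to prevent.
LEAKED_SHA1 = {
    "alice": sha1_unsalted("linkedin"),
    "bob": sha1_unsalted("password1"),
    "carol": sha1_unsalted("linkedin"),
    "dave": sha1_unsalted("c0rrect-h0rse-battery"),
}
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty"]


def crack_unsalted(leaked, wordlist):
    """Hash each candidate once, then look every leaked hash up in the table.
    Cost is one SHA-1 per word regardless of how many users are in the dump,
    and the table can be built before the dump is ever seen."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


ITERATIONS = 100_000   # assumption: pick a count that costs ~100 ms on your hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest): random 16-byte per-user salt, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_salted_store(passwords, iterations=ITERATIONS):
    """Store {user: (salt, digest)} the way a site should have."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in passwords.items()}


def crack_salted(stored, wordlist, iterations=ITERATIONS):
    """With per-user salts there is no shared lookup table: every guess has to
    be recomputed for every user, and each guess costs `iterations` HMAC calls.
    Returns the cracked accounts and the number of KDF evaluations spent."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, digest, iterations):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("unsalted SHA-1, 5 hashes computed:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    users = {"alice": "linkedin", "bob": "password1",
             "carol": "linkedin", "dave": "c0rrect-h0rse-battery"}
    store = build_salted_store(users, iterations=1000)   # low count only to keep the demo quick
    found, work = crack_salted(store, WORDLIST, iterations=1000)
    print("salted PBKDF2:", found, "after", work, "KDF evaluations of 1000 HMACs each")
```

The weak passwords still fall in both cases, which is the honest lesson: salting and a slow KDF do not rescue "linkedin" as a password. What they change is the economics, from five SHA-1 computations for the whole dump to sixteen KDF evaluations of a thousand (in production, a hundred thousand or more) HMAC calls each for four users, with nothing reusable across accounts or across breaches.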

Passwords alone are not enough to give hackers the chance to spew spam, meaning fears that the cyber-crims have lifted email addresses as well are well-founded. Alternatively, the hackers, or the people to whom they flogged the info, may still have access to LinkedIn’s databases.

The social network for suits had not responded to a request for comment at the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/linkedin_spam_emails_data_breach/

Last.fm tell users to change passwords IMMEDIATELY

Last.fm users are the latest internet community to get the “change your password” message as the music streaming site investigates a “leak of some user passwords”.

However, unlike LinkedIn or eHarmony, Last.fm has jumped on the suspicion that something’s wrong, rather than waiting for user passwords to appear on the Internet. In a blog post, the service tells all users to change their passwords.

“We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously,” the company said.

Further updates will be made available on Twitter “as we get to the bottom of this”, Last.fm added.

On its Naked Security blog, Sophos notes that Last.fm is giving the same advice to all users at login.

The service also emphasises that it will not ask for passwords or send direct links to users’ settings in emails.

Password-reset frenzy

This follows recent hack attacks on business networking platform LinkedIn and dating site eHarmony, where user passwords were published online.

LinkedIn users are now suffering a spam deluge following the attack, including phishing messages directing users to fake password-reset links.

In the case of LinkedIn, a Russian hacker posted 6.5 million users’ hashed passwords on a Russian Dropbox-type site and users have since complained of being swamped by spam emails.

As for eHarmony, around 1.5 million users’ passwords were stolen and published.

The Register is also receiving reports from eHarmony users that the spam messages are arriving, indicating that the attackers have accessed user IDs as well as the password file.

One user has told The Register the spam has arrived to an email account, only used for eHarmony, that “remained spam-free until the last 36 hours”.

“Not surprisingly, eHarmony haven’t answered my requests for more information,” the user told us. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/last_fm_passwords_may_have_leaked/

Flame gets suicide command

The controllers of the Flame malware have apparently reacted to the publicity surrounding the attack by sending a self-destruct command.

According to Symantec, some command-and-control machines have sent a command designed to wipe Flame from compromised computers.

The command, which Symantec has dubbed “urgent suicide”, was captured on honeypots (since an ordinary machine would have the malware removed without the user noticing).

The C&C server shipped a file called browse32.ocx, which acts as a Flame uninstaller, complete with a list of files and folders to be deleted. After deletion, the module overwrites the disk with random characters. As Symantec notes, the uninstaller “tries to leave no traces of the infection behind”, in an attempt to thwart anyone capturing and analyzing the malware.

The module is instructed to remove more than 160 files and four folders. Symantec says Flame had originally shipped with a suicide module, and they don’t know why a new suicide module was used.

“The version of this module that we have was created on May 9, 2012,” Symantec’s post notes, which was “just a few weeks” before the malware became known. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/flame_suicide_command/

1,000 Foxconn iPad workers trash dorms in riot against guards

A riot broke out at a Foxconn workers’ dormitory in Chengdu after hundreds of workers got involved in a clash with security guards, according to reports from Chinese human rights website Molihua [English version in the Want China Times here].

The incident at the dorm started at about 9pm on Monday and escalated into a full-scale riot involving three to four male dormitories, and up to 1,000 employees, reports claimed.

Bottles, trash cans, chairs and fireworks were thrown from the upper floors of the male dormitory that housed workers from the Foxconn Chengdu plant. It lasted for two hours before local police quelled the disturbance, say reports.

The disturbance broke out after two security guards “tried to stop a thief”, according to the story on Molihua, and then escalated after workers took advantage of the trouble to air long-held dissatisfaction with the guards.

Apparently dozens of arrests have been made.

In a statement to The Reg, Foxconn distanced itself from the disturbance, saying that the Chengdu police had informed it that the riot had been caused by a dispute with a local restaurant owner.

We were informed by local law enforcement authorities that late Monday night, several employees of our facility in Chengdu had a disagreement with the owner of a restaurant located in that city.

Foxconn also said that the dormitories were run by a third party and that the security guards were not Foxconn employees.

We were also informed that the employees subsequently returned to their off-campus residence, owned and managed by third-party companies, at which time a number of other residents also became involved in the disagreement and local police were called to the scene to restore order. Foxconn is cooperating with local law enforcement authorities on their investigation into this incident.

The Foxconn Chengdu factory manufactures electronic parts for various vendors, including iPhone and iPad components for Apple. Foxconn is one of the biggest electronics manufacturers in China and also makes kit for Sony, Microsoft, Nokia and many, many more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/foxconn_workers_riot/