STE WILLIAMS

Experts: Firms need to come clean about cyber attacks

LCC Businesses need to ’fess up when they’ve been the victims of cyber attacks, experts at the London Conference on Cyberspace (LCC) said today.

Government and biz bosses said that even though companies didn’t really want to own up to having been breached, they needed to start sharing information with officials to protect critical infrastructures.

Erik Akerboom, president of the Cyber Security Council in the Netherlands, said that his government needed to know about the DigiNotar hack when it happened, not later on.

“We needed information at the time that DigiNotar was hacked; it was hacked in June but we didn’t find out then,” he said.

Digital certificate firm DigiNotar was hacked in June this year and forged Google.com SSL credentials were then used to spy on 300,000 Iranian internet users. The incident was notorious over the summer when it was discovered that the firm’s security was wholly inadequate, and because it took so long for the company to come clean.

DigiNotar only started to revoke certificates in mid-July, and didn’t go public with the security issue until August. The company subsequently filed for bankruptcy, having lost all the trust its business relied upon.

Akerboom said that the Netherlands was considering making it compulsory for firms to inform the government when their networks were attacked, but the government would then keep the information confidential to protect the companies’ business.

Matthew Kirk, group external affairs director at Vodafone, said it would be tough to make businesses disclose attacks without a better trust relationship between companies and governments.

“Our instinct as a company is much more self-regulation rather than compulsory on almost everything. But I think there’s a critical role for government, which is not so much compulsion but creating… trust,” he said.

“I think it needs to be done in an atmosphere where it’s actually in the companies’ interest to disclose,” he added.

Harry van Dorenmalen, chairman of IBM Europe and also a member of the National Security Council in the Netherlands, was more forceful about what should be expected of the private sector.

“I think the private sector in general needs to step up much more than they do,” he said, adding that if businesses found it difficult to go to the government individually, they should consider presenting issues to the government through business groups.

“That’s an appeal to the private sector to step up, be vocal and be connected,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/business_need_to_confess_cyber_attacks/

Asian countries dominate global spam deluge

Asian countries collectively relayed more than half (50.1 per cent) of the world’s spam last quarter.

Although the USA remains the single worst offender, lax security in Asian nations meant many of the botnet drones spewing junk mail were located in countries such as South Korea and India. Asian countries disgorged 50.1 per cent of the world’s junk mail last quarter, compared to 30 per cent of all spam, according to latest junk mail stats from net security firm Sophos.

A ‘Dirty Dozen’ of spam-relaying countries for Q3 2011 blames South Korea for 9.6 per cent of all global spam emails, second behind only the US in the list of shame. Several other Asian nations – Indonesia, Pakistan, Taiwan and Vietnam – have joined the Dirty Dozen since Q3 2010. Meanwhile India, a longer-term fixture on the list, dropped to third place behind South Korea while still being responsible for relaying 8.8 per cent of the world’s spam.

By contrast, Europe contributed over 10 per cent less spam in Q311 than it did during the same period last year, a development that meant several European nations exited the Dirty Dozen. For example, the UK dropped from fifth place in the list in Q3 2010 to 16th place overall in Q311 as its spam relaying output fell from 5 per cent of the global total to just 1.6 per cent over the intervening 12 months.

What hasn’t changed over recent years is that the vast majority of spam emails continue to be distributed via botnets.

Sophos reckons greater availability of internet access in Asia is fuelling the increase in spam from the continent. “These latest statistics suggest that, as more people get online in Asia, they are not taking the right measures to protect their computers from infection, which results in the growth of botnets,” said Graham Cluley, senior technology consultant at Sophos. ®

Top 12 spam-relaying countries for July to September 2011, according to Sophos

  1. United States – 11.3 per cent
  2. S Korea – 9.6 per cent
  3. India – 8.8 per cent
  4. Russia – 7.9 per cent
  5. Brazil – 5.7 per cent
  6. Taiwan – 3.8 per cent
  7. Vietnam – 3.5 per cent
  8. Indonesia – 3.3 per cent
  9. Ukraine – 3.1 per cent
  10. Romania – 2.8 per cent
  11. Pakistan – 2.0 per cent
  12. Italy – 1.9 per cent

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/asian_spam_deluge/

Google explains ‘why’ ads target user’s Gmail

Google has begun telling users of its Gmail service exactly why it is serving up specific ads that creepily refer to the content detailed in individual email correspondence.

“Our advertising system is designed to show the right ad to the right person at the right time,” said the world’s largest ad broker in a blog post penned by the company’s advertising veep Susan Wojcicki yesterday.

“Over the coming weeks, we’re making improvements to provide greater transparency and choice regarding the ads you see on Google search and Gmail. Soon, you’ll be able to learn more about these ads by clicking the ‘Why these ads’ link next to ads on Google search results and Gmail.”

There’s a little more to it than that, however. The new feature will also allow Gmailers to see information about search ad targeting as well as opt out of being fed ads from certain advertisers.

Google added so-called “personalised ads” to its Gmail service in early 2010.

The company is now subject to regular privacy audits under the supervision of the Federal Trade Commission in the US, following Google’s epic fail with the stealth bolt-on of Buzz to Gmail.

More generally, regulators in Europe and the US are increasingly gently poking internet businesses to be more transparent about how they serve up targeted ads.

No wonder then that Google wants to be seen to be doing the right thing by adding the “Why these ads” functionality to Gmail. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/google_ads_gmail/

Canberra ATM cracker refused bail

A chronic gambler from the ACT has been denied bail over charges that he stole money from ATMs in late October.

The 23-year-old, Luke Angus McLaren, is facing charges of theft and unauthorised modification of data, after posing as a technician, opening machines at the Belconnen Westfield mall, and according to police, triggering a software error that allowed him to withdraw more money than he had in his account.

He pleaded guilty to the latest charges after stealing more than $AU10,000 and spending more than $AU50,000 at Canberra Casino. He then made another attempt at an ATM but found it locked, called the machine’s owner pretending to be a technician, and was caught by police while still on the phone.

McLaren had already been placed on bail over similar charges, having been arrested in June after a session at Sydney’s Star casino. He had been charged with similar offenses over 14 separate ATM attacks in July, and again in September when he faced six charges of unauthorised modification of data and passing bad cheques.

The Canberra Times reports that he had already pleaded guilty to 29 charges (in addition to the most recent spree), but had pleaded not guilty to other fraud charges.

Although his family, from Cowra in NSW, gave evidence that he could be cared for and employed in that community, ACT magistrate Peter Dingwall has refused bail and remanded McLaren in custody until December. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/atm_cracker_refused_bail/

Critical Windows zero-day bug exploited by Duqu

The Duqu malware used to steal sensitive data from manufacturers of industrial systems exploits at least one previously unknown vulnerability in the kernel of Microsoft Windows, Hungarian researchers said.

The zero-day vulnerability was triggered by a booby-trapped Word document that was recently discovered by researchers from the Laboratory of Cryptography and System Security, or CrySyS. The security consultancy provided bare-bones facts on its homepage, and researchers from Symantec elaborated on them here. The Word document was phrased in a way to “definitively target the intended receiving organization,” Symantec researchers said.

Duqu generated intrigue almost immediately after its discovery was announced two weeks ago because, according to CrySyS and Symantec, its source code was directly derived from the Stuxnet worm used to sabotage Iran’s nuclear program. Tuesday’s update begins to answer some of the key gaps contained in the initial reports, including how the malware infected computer networks, whom it targeted, and exactly what it was programmed to do.

It also provides new details that reinforce claims that it’s a highly sophisticated piece of malware that was designed for a very specific purpose.

According to Symantec, the Duqu installer file is a Microsoft Word document that exploits a previously unknown kernel vulnerability that allows code execution. Opening the file installs the Duqu remote access trojan that conducts surveillance on the infected networks.

[Graphic] This graphic published by Symantec shows how the Word document exploited Windows systems

Microsoft researchers are working with partners to protect Windows users against the attack, including through the release of a security update, the company said in a statement. There are currently no workarounds users can follow to insulate themselves against the threat, other than to follow standard safe practices, such as not opening suspicious files attached to emails.

Interestingly, the code contained in the Word document ensured that Duqu would be installed only during a single eight-day window in August, most likely in a bid to conceal the attack or to minimize the damage it might cause. As previously reported, the main binaries of the trojan were configured to run for 36 days and then automatically remove themselves from the infected system.

In at least one organization that was infected, evidence suggests Duqu was able to spread across networks through SMB connections used to share files from machine to machine. Even when some of the newly infected computers had no access to the internet, the malware on them was still able to communicate with attacker-controlled servers by using file-sharing code to route the connection through an infected computer that did have internet access.

“This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies,” Symantec researchers wrote.

The researchers also said Duqu appears to have infected six organizations in eight countries, including France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam. It’s possible the number may be smaller. Some of the organizations were traceable only to the ISP they used, so some of the six organizations counted in fact may not be separate.

Symantec researchers also discovered a second command and control server that some versions of Duqu used to communicate with their operators. It was located in Belgium and used the IP address 77.241.93.160. Previously, Duqu was known to use only a control server located in India. Both servers have been taken offline.

While CrySyS and Symantec researchers both say Duqu contains technical signatures proving it was designed by the same developers who spawned Stuxnet, investigators from Dell SecureWorks disagree. All of the perceived similarities are contained only in the component used to inject code into the Windows kernel, they said in a report published last week. The actual payloads, they concluded, are “significantly different and unrelated.”

Their ultimate conclusion: “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Symantec has revised one key detail since publishing its findings last week. Previously, it said Duqu infected organizations involved in the manufacture of industrial control systems, such as those used in gasoline refineries, nuclear power plants, and other industrial facilities. In an update, the researchers said that term, and their previous use of the term SCADA (short for supervisory control and data acquisition), were not technically accurate. The firm now says Duqu targeted “industrial industry manufacturers.”

Researchers continue to search for files that might have been used to install Duqu on infected machines, so it’s possible the attackers may have exploited other zero-day vulnerabilities. Stuxnet targeted at least four zero-day bugs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/duqu_exploits_windows_zero_day/

Army of ‘socialbots’ steal gigabytes of Facebook user data

A small array of scripts programmed to pass themselves off as real people stole 250 gigabytes worth of personal information from Facebook users in just eight weeks, researchers said in an academic report to be presented next month.

The 102 “socialbots” included a name and picture of a fictitious Facebook user and used programming interfaces from ihearthquotes.com to automatically embed pseudo-random quotes into status updates. They also used Facebook interfaces to send connection requests to about 5,000 randomly selected profiles. They then sent connection requests to the friends of those who accepted the initial invitation, and with each acceptance, they scraped whatever information was available.

At the end of the eight-week experiment, the researchers made off with 250 gigabytes of personal data, much of it configured to be available only to people on the user’s list of friends.

A defense known as the Facebook Immune System, which is designed to automatically flag fake profiles, did little to thin the army of socialbots used in the study. While about 20 percent of them were blocked, the closures were the result of feedback from other users who reported spam, the researchers said. Their socialbot network targeted Facebook, but they said similar ones could penetrate virtually any OSN, or online social network.

“As socialbots infiltrate a targeted OSN, they can further harvest private users’ data such as email addresses, phone numbers, and other personal data that have monetary value,” the researchers, from the University of British Columbia Vancouver, wrote in the paper (PDF), which is scheduled to be presented at next month’s Annual Computer Security Applications Conference in Orlando, Florida. “To an adversary, such data are valuable and can be used for online profiling and large-scale email spam and phishing campaigns.”

During the initial “bootstrapping” phase of the experiment, the socialbots sent friendship requests to 5,053 randomly selected Facebook users. To prevent the triggering of fraud detection systems, each fake account sent only 25 requests per day, a constraint that required two days for all of them to be processed. Within two weeks, 976, or about 19 percent of the requests, were accepted.

Over the remaining six weeks, the bots sent requests to the Facebook friends of those who accepted the initial invitations. Of the 3,517 users who received the second round of requests, 2,079, or about 59 percent, accepted. With further refinements, the socialbots could achieve a large-scale infiltration with a success rate of about 80 percent, the researchers said.

The significant jump exhibits what researchers call the “triadic closure principle,” which predicts that the likelihood of someone accepting a connection request in a social network is about three times higher when the pair has mutual connections. This principle proved to be a boon to the socialbots in another respect: they received 331 requests from Facebook users in the socialbots’ extended neighborhoods.

A Facebook spokesman declined to comment on the report.

“However, we always remind our users to only accept friend requests from those they know and trust,” he wrote in an email to The Register. “We use a combination of three systems here to combat attacks like this – friend request and fake account classifiers, and rate-limiting techniques. These classifiers block and disable inauthentic friend requests and fake accounts while rate-limiting truncates the damage that can be done by any one entity.”
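A toy version of the defences Facebook describes (a friend-request classifier plus rate limiting), as an added example that is not from the paper or from Facebook. It runs over a constructed request log that mirrors the bootstrapping phase above (one bot sending 25 requests a day to strangers, two ordinary users); the feature names and thresholds are assumptions, and it also computes the mutual-friend acceptance ratio the triadic closure principle predicts.

```python
"""Per-sender friend-request features, a threshold classifier over them, and the
acceptance ratio with/without mutual friends, all on a constructed log."""
from collections import defaultdict

# Constructed log rows: (sender, day, recipient, mutual_friends, accepted)
REQUESTS = []
for i in range(50):                       # socialbot: 25 requests/day for two days,
    REQUESTS.append(("bot_17", 1 + i // 25, f"user_{i}", 0, i % 5 == 0))  # ~20% accepted
REQUESTS += [                             # organic users, mostly with mutual friends
    ("alice", 1, "user_a1", 3, True), ("alice", 1, "user_a2", 5, True),
    ("alice", 2, "user_a3", 2, True), ("alice", 2, "user_a4", 4, False),
    ("alice", 3, "user_a5", 1, True), ("alice", 3, "user_a6", 6, True),
    ("bob", 1, "user_b1", 0, False), ("bob", 1, "user_b2", 2, True),
    ("bob", 2, "user_b3", 3, True), ("bob", 2, "user_b4", 0, True),
]


def sender_features(log):
    """Per-sender features a request classifier might use (assumed feature set)."""
    per_day = defaultdict(lambda: defaultdict(int))
    sent, zero_mutual, accepted = defaultdict(int), defaultdict(int), defaultdict(int)
    for sender, day, _recipient, mutual, ok in log:
        per_day[sender][day] += 1
        sent[sender] += 1
        zero_mutual[sender] += mutual == 0    # request to a complete stranger
        accepted[sender] += ok
    return {
        s: {
            "max_per_day": max(per_day[s].values()),      # rate-limit style signal
            "zero_mutual_share": zero_mutual[s] / sent[s],
            "accept_rate": accepted[s] / sent[s],
        }
        for s in sent
    }


def flag_suspicious(features, max_per_day=20, zero_mutual_share=0.8, accept_rate=0.3):
    """Flag senders that push volume at strangers and are mostly rebuffed
    (thresholds are assumptions, not Facebook's)."""
    return sorted(
        s for s, f in features.items()
        if f["max_per_day"] >= max_per_day
        and f["zero_mutual_share"] >= zero_mutual_share
        and f["accept_rate"] <= accept_rate
    )


def triadic_closure_ratio(log):
    """Acceptance rate with mutual friends divided by the rate without them;
    the study reports roughly a threefold difference."""
    with_mutual = [ok for _, _, _, m, ok in log if m > 0]
    without = [ok for _, _, _, m, ok in log if m == 0]
    return (sum(with_mutual) / len(with_mutual)) / (sum(without) / len(without))


if __name__ == "__main__":
    feats = sender_features(REQUESTS)
    print(flag_suspicious(feats))                       # ['bot_17']
    print(round(triadic_closure_ratio(REQUESTS), 3))    # 4.136
```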

Besides stealing gigabytes worth of pictures, phone numbers, and other data, socialbots could be used to generate comments that are designed to appear as if they spontaneously came from thousands of individuals, when in fact they are an astroturf campaign that’s the work of a single actor. The computer worm known as Koobface already uses compromised Facebook accounts to trick friends into installing malware on their computers. Other socialbots are sold online for about $29 apiece, the researchers said.

The researchers behind the army of socialbots include Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu. In an email, Boshmaf said their objective was to improve the security and privacy of social networks.

He said: “Overall, our research goal is not to expose Facebook Immune System’s vulnerabilities per se, but to help Facebook and the wider community to build more secure systems that are less vulnerable to both human exploits (i.e., social engineering) and technical exploits (i.e., platform hacks).” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/facebook_infiltration_bots/

Crypto boffins uncover rogue task risk on Amazon cloud

Security researchers have unearthed a flaw in Amazon Web Services that created a possible mechanism for hackers to take over control of cloud-based systems and run administrative tasks.

The flaw, which affected Amazon’s EC2 cloud and has already been plugged, could have been abused to start and stop virtual machines or create new images in an EC2 virtual environment, for example. The root cause of the security weakness stemmed from poor cryptographic practices.

A team of researchers from Germany’s Ruhr University found that an XML signature-based attack can be used to manipulate SOAP messages in such a way that EC2 authentication systems fail to detect that they have been doctored – and thus action them as authentic.

The approach applies a class of security shortcoming involving the modification of partially signed XML documents, first uncovered in 2005, to cloud-based systems, H Security reports.

The attack was possible because application signature verification and XML interpretation were handled separately by Amazon’s SOAP interface, a security shortcoming that allows unsigned code to be smuggled through gateways onto management systems via maliciously modified messages. “Attackers can move the signed partial tree and then inject specially crafted elements in the original location,” H Security explains.

Eucalyptus, an open source-based framework for creating private cloud installations, was similarly vulnerable, according to the Ruhr team.

In an academic paper, the researchers suggest a fix for these so-called signature-wrapping attacks that involves using a “subset of XPath instead of ID attributes to point to the signed subtree”, an approach they reckon is both more efficient and secure.
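A toy illustration of the verification weakness and the fix described above, added here as an example (not the Ruhr team’s or Amazon’s code): a verifier that locates the signed subtree by its Id attribute anywhere in the document, next to one that selects the Body by a fixed path and dispatches on the same node it verified. The “signature” is an HMAC over the serialised subtree standing in for XML-DSig so the script runs offline, and the action names and key are constructed.

```python
"""Signature wrapping in a SOAP-style message: Id-based lookup versus
fixed-path lookup of the signed subtree. Toy HMAC stands in for XML-DSig."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP)
KEY = b"constructed-shared-secret"      # constructed key for the toy signature


def _digest(elem, key):
    # Stand-in for canonicalisation + signing: HMAC over the serialised subtree.
    node = copy.deepcopy(elem)
    node.tail = None                      # ignore whitespace after the element
    return hmac.new(key, ET.tostring(node, encoding="utf-8"), hashlib.sha256).hexdigest()


def build_signed_envelope(action, key=KEY):
    """Envelope whose Body (Id="body") is signed; Signature lives in the Header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "body"})
    ET.SubElement(body, action)
    sig = ET.SubElement(header, "Signature", {"URI": "#body"})
    sig.set("DigestValue", _digest(body, key))
    return ET.tostring(env, encoding="unicode")


def wrap_envelope(signed_xml, new_action):
    """Constructed wrapped message, as the article describes: the signed Body is
    moved under a wrapper in the Header (keeping its Id) and an unsigned Body
    with a different action takes its original place."""
    env = ET.fromstring(signed_xml)
    header = env.find(f"{{{SOAP}}}Header")
    old_body = env.find(f"{{{SOAP}}}Body")
    env.remove(old_body)
    ET.SubElement(header, "Wrapper").append(old_body)
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), new_action)
    return ET.tostring(env, encoding="unicode")


def verify_by_id(xml, key=KEY):
    """Vulnerable pattern: the signature check and the dispatcher each pick their
    own node. Returns the action that would be executed, or None."""
    env = ET.fromstring(xml)
    sig = env.find(".//Signature")
    ref_id = sig.get("URI", "").lstrip("#")
    signed = env.find(f".//*[@Id='{ref_id}']")     # wherever it sits in the tree
    if signed is None or not hmac.compare_digest(_digest(signed, key), sig.get("DigestValue", "")):
        return None
    body = env.find(f"{{{SOAP}}}Body")              # dispatcher uses a different lookup
    return body[0].tag


def verify_by_path(xml, key=KEY):
    """Hardened pattern: exactly one Body directly under Envelope is selected by
    fixed path, verified, and then dispatched on as the very same node."""
    env = ET.fromstring(xml)
    bodies = env.findall(f"{{{SOAP}}}Body")
    sig = env.find(f"{{{SOAP}}}Header/Signature")
    if len(bodies) != 1 or sig is None:
        return None
    body = bodies[0]
    if not hmac.compare_digest(_digest(body, key), sig.get("DigestValue", "")):
        return None
    return body[0].tag


if __name__ == "__main__":
    signed = build_signed_envelope("DescribeStatus")            # constructed action names
    tampered = wrap_envelope(signed, "StopMachine")
    print(verify_by_id(signed), verify_by_id(tampered))         # DescribeStatus StopMachine
    print(verify_by_path(signed), verify_by_path(tampered))     # DescribeStatus None
```

The Id-based verifier accepts the wrapped message and then dispatches the unsigned action, which is exactly the separation of verification and interpretation the article blames; the path-based verifier rejects it because the node it checks is the node it acts on.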

The researchers said Amazon was also vulnerable to cross-site scripting (XSS) attacks that could have allowed users logged onto its online store to hijack an AWS session, using injected JavaScript code. The researchers demonstrated the vulnerability, only possible because signing into the Amazon store automatically creates a concurrent AWS cloud service session, at an ACM workshop on cloud security during a presentation entitled All Your Clouds are Belong to us.

The researchers informed both Amazon and Eucalyptus developers of the security flaws prior to their presentation. Both Amazon and Eucalyptus have reportedly fixed the flaws.

More details on the cloud security aspect of their research can be found in a statement by the Ruhr team (in German) here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/cloud_security/

Cops should help us slay trolls, says Facebook wonk

LCC Police forces need to be better equipped to deal with cybercrime and online misbehaviour, a couple of web grandees have declared.

Lord Richard Allan, director of European policy for Facebook, said that firms providing services online had some ways to tackle bad behaviour on their websites, but needed a hand from law enforcement.

“From the point of view of a service provider, we’re clear that there are certain things we can do, like ban them, but there are limits,” he said.

He added that it was a problem on both sides and, as such, internet firms and police needed to work better together. However, he said that “there is still a gap between online providers and police in terms of knowledge”.

According to Allan, web firms need to be able to go to the police when their own remedies aren’t enough and know that offenders will “face the full force of the law”.

Jimmy Wales, co-founder of Wikipedia, agreed, saying that his website could ban abusive users, but if trolls were determined and web-savvy, they could get back in – for example by using different IP addresses.

He added that internet companies had to spend a lot of time and resources chasing down the small number of users who were offensive. He also said that police lacked the necessary skills to be helpful with online problems.

“Often when we contact law enforcement, they don’t know what to do,” he said. “They need more training and need to know more about how it works.”

Wales and Allan were speaking at the London Conference on Cyberspace (LCC) where governments and businesses have gathered to try to come up with agreements on the future of global cyberspace. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/police_lack_cyber_knowledge/

French nuke biz slapped in mystery cyberattack

French nuclear power group Areva may have fallen victim to an operating system-level electronic attack, which was first detected in September.

Conflicting French media reports suggest hackers had access to Areva’s network as far back as two years (Slate France, here) or that the problem only affected “non-critical” data and systems (France Info, here). French business mag L’Expansion reports the hack affected Areva’s operations outside France and blamed Asian (read Chinese or North Korean) hackers for the attack.

Local reports are consistent only in terms of talking about cyber-espionage, perhaps involving malware rather than some kind of terrifying Stuxnet-style nuclear kit sabotage caper.

Staff reportedly learned that all might not be well with Areva systems in mid-September, following a weekend security upgrade that left some systems out of action for three days. France’s national information systems security agency (ANSSI) reportedly assisted the security upgrade.

We invited Areva to comment in the hopes of clarifying what happened, but had yet to hear back by the time of publication on Tuesday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/french_nuke_firm_mystery/

Why can’t civil servants keep a grip on their BlackBerrys?

Butter-fingered civil servants are continuing to hurl away their personal tech devices, figures released to the House of Commons yesterday show, with BlackBerrys particularly prone to going walkies.

Labour’s Gareth Thomas MP tabled questions to a number of ministers about whether their departments had “lost any (a) computers, (b) mobile telephones, (c) BlackBerrys and (d) other IT equipment since May 2010”.

The Department for Energy and Climate Change managed to mislay eight computers in that period, including laptops, as well as three mobile phones and 11 BlackBerrys.

But Climate Change Minister Gregory Barker reassured Thomas: “All computers and BlackBerrys lost were encrypted to protect government information.” No word though on how secure the trio of missing mobes were.

But the Climate Department’s trashing of its tech resources paled into insignificance next to that of the Justice Department.

Justice Department Minister Jonathan Djanogly reported the “lost or theft of” 127 computers or hard drives, no less than 71 BlackBerrys and “293 other items of IT equipment between 1 May 2010 and 30 September 2011”.

The toll could be even higher, as Djanogly added, “Information on the number of (b) mobile telephones lost is not held centrally, and can be obtained only at disproportionate cost.” Presumably because they’d have to hunt down the tea leaf who’d swiped the server with the data.

But Djanogly reassured Thomas, “All Ministry of Justice laptops and BlackBerrys are encrypted and protected with a complex password; and all BlackBerrys that are registered as lost or stolen are blocked remotely, making it impossible for them to be used.” No further details on the security status of the other kit swiped then.

He added that, “The Ministry also implements security incident management procedures to ensure that the impacts of incidents are risk-managed and investigations are undertaken to seek, where possible, to retrieve lost/stolen assets.

“The Ministry adopts government security policy framework requirements to protect its assets securely.”

Perhaps they could all learn a thing from the frugal occupants of the Northern Ireland office, where Minister Hugo Swire assured Thomas yesterday, “The Northern Ireland Office has not lost any computers, mobile telephones, BlackBerrys or other IT equipment since May 2010.”

In July, the Scottish Office said it had lost just one item, worth £125, in the previous 12 months, while the Welsh Office also lost “nil” in the 12 months to July.

Which proves something about devolution, though we hesitate to guess what. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/blackberries_whitehall/