STE WILLIAMS

Software maker fingered in Korean hackocalypse

A devastating attack that exposed the personal information of 35 million South Koreans was perpetrated after hackers breached the security of popular software provider ESTsoft and planted malicious code on one of its update servers, it was widely reported Thursday.

Attackers with Chinese IP addresses uploaded malware to a server used to update ESTsoft’s ALZip compression application, South Korean news outlets said. The upgrades eventually caused the compromise of 62 PCs at SK Communications that used the program. Attackers then tapped the machines to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network.

It was South Korea’s biggest theft of personal information ever. With about 49 million people living in South Korea, the breach is believed to have affected the majority of the nation’s population.

After hijacking the SK Communication PCs with the fake ALZip update, the attackers used the machines to access databases containing user information for the telecom’s Cyworld social networking website and the Nate web portal. The publications cited investigators from Korea’s National Police Agency.

“As a general-purpose software company, we deeply apologize for being involved in the hacking,” ESTsoft CEO Kim Jang-joon said in a statement, according to The Korea Joongang Daily. “We respect the results of the police’s analysis and investigation. To prevent further hackings, we will strengthen the security system of our programs.”

Kim said other software titles offered by ESTsoft, including its Alyac antivirus application, weren’t affected in the breach.

Koreans have been dumbstruck at the news. NHN, the operator of Korea’s No. 1 web portal, ordered its employees to delete ESTsoft programs, The Korea Joongang Daily reported in an earlier article. At least one lawsuit has already been filed against SK Communications.

More coverage here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/estsoft_korean_megahack/

Twitter ‘Stalker app’ just a phishing scam

A “Stalkers app” doing the rounds on Twitter is actually a phishing scam, security watchers warn.

The Stalkers app, which purports to be officially sanctioned and to track people who are “stalking your Twitter”, is promoted via messages linking to the application, which does nothing except coax victims into handing over their usernames and passwords to crooks.

Although the jump page for the app might appear at first to be a legitimate Twitter page, a closer inspection of its URL reveals that the page has no relationship with the micro-blogging service. The scam is ultimately designed to gain access to compromised accounts that can then be abused either to further promote the rogue app or to send spam-related or malicious site links to a compromised user’s followers.

Victims who make the mistake of reusing their Twitter passwords elsewhere, such as on banking or webmail sites, also expose these more sensitive accounts to attack.

Details of the latest Twitter password scam, along with plenty of helpful advice on improving password security, can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/twitter_stalker_app_phishing_scam/

Hey dumbo, Facebook isn’t sharing telephone numbers

Facebook has been forced to stamp out a silly rumour doing the rounds on, well, Facebook, that wrongly suggests the company will share any user’s telephone list with their contacts on the social network.

Wrong, wrong, wrong, said the Mark Zuckerberg-run firm.

“Rumors claiming that your phone contacts are visible to everyone on Facebook are false,” it said yesterday.

“Our Contacts list, formerly called Phonebook, has existed for a long time. The phone numbers listed there were either added by your friends themselves and made visible to you, or you have previously synced your phone contacts with Facebook. Just like on your phone, only you can see these numbers.”

So there you have it. Those people who have, perhaps unwittingly, made their phone number visible on Facebook are indeed sharing those digits with their contacts on the world’s largest social network.

Why the sudden nervousness, you may wonder?

Perhaps it has something to do with the launch of Facebook’s Messenger service, which arrived in North America this week. “Very soon” it will be rolled out to Europe.

So presumably, individual Facebook users have been playing around with their settings on the site only to discover the seemingly creepy but actually somewhat benign contacts list.

Meanwhile, Facebook has confirmed to us that when Messenger – which is a separate app linking messages embedded in the social network with texts, chats and emails on a mobile phone – does land on this side of the pond, related data will be fed via its servers in the US.

The company, of course, farms all the data it gathers back to its spiritual homeland.

But we were interested to know how its Messenger info would be handled given, for example, the recent unrest during England’s riots.

Blackberry’s BBM service, which offers group messages via a closed network, was allegedly used by some of the troublemakers to quickly assemble thugs at hot spots throughout London and other parts of the country.

As we noted earlier this week, Blackberry’s archives that are located on servers in the UK could potentially be scrutinised by UK police authorities to pinpoint baddies involved in the riots.

Facebook has repeatedly said it “works closely” with data protection authorities in Europe. But EU commissioner Viviane Reding recently expressed concern to this reporter about how the firm currently operates.

On a European level, Facebook isn’t currently breaching data protection law when it makes stealth tweaks to its technology without first informing its users of the change.

Reding told me that Brussels hopes to close that loophole with new legislation that’s coming in the autumn.

“You cannot hide anymore by saying ‘my server is in Honolulu and my other server is in Kiev and…’ I don’t care,” she warned in June.

“The law is for everyone who does business on the territory of Europe, whatever the origin of the business might be. So you cannot hide anymore by saying ‘I do not have my headquarters in Europe’.”

Facebook, meanwhile, is at pains to point out that it is not in the business of selling personal information.

“Advertisers on Facebook get aggregate anonymous data to show the demographics of those people that have interacted with an advert,” it told The Register.

“You have control over what information others can see on your Facebook profile. Information like the phone numbers in your phonebook are personal to you (none of your friends can access your phonebook on Facebook, only you see it) and are not linked to someone’s account unless they have made information available on their own profile.”

And for those who want to kill the contacts list, there’s this handy tool. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/facebook_contact_list_stirs_rumour_pot/

MySpace site glitch mistaken for hack attack

An error message on once dominant but now almost defunct social networking site MySpace early on Friday has been confused with a hack.

Surfers visiting the Myspace.com home page were confronted with a title bar saying “All is wrong :(” where “MySpace” would normally appear and a message about puppies and kittens (extract below).

We messed up our code so bad that even puppies and kittens may be in danger. Please turn back … now.

The blogosphere, and even news outlets, such as CNet, quickly concluded that MySpace had been defaced, probably by Anonymous. Rumours of a hack snowballed after a Twitter group affiliated with Anonymous noted the apparent defacement, without admitting responsibility.

However – as The Next Web points out – the quirky error message in question has been used by MySpace for the last two years, so the whole thing is more than likely to be a false alarm.

MySpace has returned to its quiescent (seaside town that’s seen better days) state. The error message, in all its glory, can be viewed on a “ready for when something goes wrong” static error page on MySpace’s site here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/myspace_outage_hack_confusion/

Android respawn horror: Hacker says hackers’ phones hacked

Claims that both CDMA and 4G networks were compromised at the recent Defcon security event in Las Vegas have raised little surprise, but the vulnerability of handsets is hotly debated.

The claim was made by coderman, a stalwart of security conferences, who reports that he witnessed an advanced man-in-the-middle attack operating on both CDMA and UMTS networks and masterminded by an amalgam of Anon and Lulz. This attack was apparently able to identify connected devices and run through known exploits before falling back to ask the user’s permission to install.

The symptoms of infection include “3G/4G* signal anomalies”, “Android [device] at full charged plugged in, but dropping to 50% charge once unplugged”, “Android services that immediately respawn when killed” and “a hard freeze, and then take[ing] a long time to reboot”.

Android users might recognise that as SNAFU, but according to coderman it indicates the user has fallen prey to hackers from the usually-desperate groups Anon and Lulz.

Other attendees are less certain, with many asking for more evidence (we did too, with equal lack of success). While it’s hard to see if the attack happened as described much of it is plausible and follows a steady erosion of the security around cellular networks, which have stood the test of time well but are now recognised as weakening.

Critically the 2G networks do not authenticate both ways – the handset authenticates to the network, but not the other way round – so it’s relatively easy for an attacker to set up a femtocell and intercept communications. Handsets will also drop the encryption level on request by the network, which is required for use in countries where strong encryption is still verboten but provides an opportunity for the attacker to simply switch off the encryption.

Handsets are supposed to display such a change of status to the user, but they don’t.

Faking a call is still very hard, the secret shared between the SIM and the network authentication centre remains secure and hard to crack as ever, but once the encryption is off then data can be intercepted and false updates can be pushed out to smartphones.

In most cases such updates will require user permission to install, and will need to be signed or present additional dialogs, but users will generally agree to anything they’re presented with. The Defcon attendees might be more cautious, but the technique should be expected elsewhere.

Certainly there are numerous reports of strange cell sites popping up during the conference.

Our man on the ground, Dan Goodin, didn’t see any himself, but as handsets automatically connect to the nearest base station with the right operator code there’s no obvious notification and little to stop calls and data being intercepted.

3G networks, including HSPA, are a lot more secure and authenticate in both directions. That makes interception harder, but not impossible. Interception is then dependent on the encryption being used; A5/3 is mandated in Europe and really hard to break, but not widely used. The USA still seems to be using A5/2, at best, for some reason.

So interception of cellular data is eminently plausible, and faking updates is also plausible, but when it comes to inserting malicious code into handsets one is just as dependent on the mobile OS as if one were connecting over a Wi-Fi connection.

Which is rather the point: we’ve already seen network intercept equipment coming down in price, and suggestions that mobile networks are about as secure as Wi-Fi, so it’s not surprising that Defcon saw a lot of people trying out this new vector of attack. Whether they managed to insert malicious code into nearly every device they saw, as coderman claims, is more open to question, but mobile OS vendors need to be aware that they can’t rely on the network to protect them anymore. ®

* The United States calls HSPA “4G”; there’s no suggestion of LTE networks being attacked.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/defcon_handsets/

Mozilla to auto-block unwanted Firefox add-ons

Mozilla’s Firefox will soon start blocking browser add-ons installed by other programs until users explicitly approve them, a move that’s designed to give people more control over their web surfing experience.

The feature will debut next week in the Firefox Aurora prebeta, Justin Scott, a Mozilla product manager for add-ons, said Thursday. It will be activated each time the browser is started. If it detects a new add-on that’s been installed by another program, it will disable it and present the user with a dialog box. The add-on will be unblocked only after the user approves it.

“Third-party applications frequently install bundled add-ons into Firefox as part of their own installation process,” Scott wrote. “While some of these applications seek the user’s permission beforehand, others install add-ons into Firefox without checking to make sure the user actually wants them.”

The new Firefox version will also present users with a one-time dialog box the first time it’s run that prompts the user to approve previously installed add-ons. By default, all those installed by another application will be disabled unless approved by the user.

The move comes after Mozilla has blocked several individual add-ons deemed to degrade browser stability and user security. In January, it was a Skype toolbar add-on that Mozilla said caused 40,000 crashes in one week, and last year it was a Java plugin with a security flaw.

Many Firefox users have also protested add-ons Microsoft silently installed in the open-source browser on at least two separate occasions.

“Unfortunately, the extent of unwanted add-ons installed through these methods has caused us to take action, but we’re confident that users who truly want such add-ons to be installed will opt in when Firefox prompts them,” Scott wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/mozilla_addon_blocking/

Man admits to running $800,000 carder ring

A Brooklyn man has pleaded guilty to aggravated identity theft for his role in an operation that defrauded credit card issuers of almost $800,000 in bogus charges.

Jonathan Oliveras, 26, also pleaded guilty to wire fraud and admitted to managing a scheme to purchase stolen credit card information from people in Russia and then passing it along at a profit or using it to make illegal purchases himself.

Oliveras frequented online bazaars where credit card fraudsters gathered to buy and sell stolen account information, according to a statement of facts filed this week in US District Court in Alexandria, Virginia, that bears his signature. His ring typically received $500 to $2,000 for a sale of stolen data.

He also emailed co-conspirators detailed instructions on how to use the stolen account data to make fraudulent purchases, an enterprise that typically paid 50 percent of the total fraud. To cover his tracks, he used a voice over IP phone with an overseas number and multiple online identities.

When his residence was raided in July 2010, FBI and Secret Service agents recovered data for 2,341 stolen accounts on his computer and on the magnetic stripes of cards, according to court documents. Credit card issuers reported $770,674.76 in fraudulent charges.

Sentencing in the case is scheduled for October 28. Oliveras faces a maximum of 20 years in prison and $1.5 million in fines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/identity_theft_guilty_plea/

Gary McKinnon support website defaced

A support blog for alleged Pentagon hacker Gary McKinnon had its domain name hijacked on Friday morning.

Serial defacer TurkGuvenligi posted an image of an old fella spinning a plate (which looks a bit like a flying saucer) on his finger on the FreeGary support blog. An image of the domain hack can be found here. We notified FreeGary.org’s site administrators of the problem.

A separate support blog maintained by Gary’s mum, Janis Sharp, is alive and well here.

TurkGuvenligi is a serial website defacer whose previous victims include Secunia. An archive of his work can be found here.

Defacers typically use search engines to search for vulnerable sites before setting on victims and uploading digital graffiti on these sites. Such hacks, by themselves, are normally trivial and seldom expose more sensitive systems.

The FreeGary.org site was restored to normal by Friday lunchtime. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/12/mckinnon_website_defaced/

Ukrainian authorities charge four in huge carder ring


$20 million in alleged harm


Ukrainian authorities said they arrested four people who were part of an organized hacking gang that caused about $20 million in damages through the use of fraudulent payment cards.

The individuals were seized earlier this month, along with data stored on a computer for about 100,0000 cards, according to a statement (Google translation here) from the Ukrainian security service SBU. They were part of a gang that made unauthorized transfers from private bank accounts.

“Members of the group have created an extensive, well hidden network throughout Ukraine, consisting of more than 20 people from among citizens of Ukraine and foreigners,” the statement alleged.

“Using specialized software and hardware devices, and modern computer technology, members of the group carried out unauthorized copying of confidential information about bank cards needed for making fake plastic payment means of international payment systems with their subsequent use to steal money from bank accounts of citizens of different countries.”

US agents assisted in the investigation. The four unnamed suspects were charged under Ukrainian Criminal Code for various offenses involving computer and network breaches. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/ukrainian_credit_card_fraud_arrests/

Skype bug may expose users to malicious code

Updated: The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user’s phone session, a German security researcher has reported.

The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.

“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

[Screen shot from Kayan’s website showing the injection bug in Skype 5.5.0.113 in action]

A Skype spokeswoman disputed Kayan’s account.

“We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this,” spokeswoman Brianna Reynaud wrote in an email.

In an email to The Register, Kayan stood his ground, insisting that at a minimum, the flaw allows an attacker to create a hyperlink on a victim’s client that leads to a site of the attacker’s choosing.

“According to Skype’s spokeswoman, I wanted to tell you, that this is not really true what she said, because the entries in (home, office and mobile phone and even in “city”) are embedded via HTML,” he wrote.

Kayan said the unsafe content is displayed when users view a booby-trapped profile. The malicious profile is created by inserting a JavaScript command or web address where a phone number is expected. The reported vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month.

Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim’s contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It’s unclear if the current vulnerability is also self-replicating.

Microsoft is in the process of acquiring the popular internet-based phone service. ®

This article was updated to add a comment from Skype’s spokeswoman and a response from Kayan.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/skype_security_bug/