STE WILLIAMS

Hong Kong Stock Exchange Hacked

Hackers took down a website belonging to the Hong Kong stock Exchange, prompting Asia’s third-largest securities exchange to suspend trading in the shares of London-based HSBC and six other companies.

“Our current assessment is that this is the result of a malicious attack by outside hacking,” HKEx Chief Executive Charles Li, said, according to The Financial Times. Li added it was unclear who the hackers were or what they hoped to gain from their actions.

“We’re digging into that particular question right now,” he said.

The attack crashed a website that locally listed companies used to announce price sensitive news, the FT reported. HKEx responded by suspending trading of seven companies that were scheduled to make announcements during the lunch break. Among them was HSBC, which on Wednesday confirmed the sale of its US credit card business and retail services unit to Capital One Financial. Trading was also suspended for stocks of China Power International, Cathay Pacific, and HKEx itself.

HKEx is at least the second major exchange to be targeted by hackers this year. In February, Nasdaq admitted attackers planted malware on one of its portals. Nasdaq was quick to say that none of its trading systems were affected and no customer information had been accessed. HKEx officials gave almost identical assurances on Wednesday.

After the HKEx website came down, officials instructed market participants to use an older bulletin board to obtain announcements being released by listed companies. If the website isn’t restored by market opening on Thursday, the stock exchange plans to rely on the legacy system again, but has no plans to suspend trading of any shares.

Additional coverage is here and here.

SOURCE

NotW Hacked Milly Dowler’s Voicemail

Pressure on the News of the World over phone-hacking allegations intensified still further on Tuesday after allegations surfaced that journalists at the paper intercepted the voicemail messages of murdered schoolgirl Milly Dowler.

Hacks working for the NoTW allegedly deleted voicemail messages sent to Dowler at the time she went missing in March 2002, interfering with police inquiries into her disappearance in the process. The deletion of phone messages, an action apparently taken to free up space for extra messages, gave her family false hope that she might be alive in addition to hampering a police investigation, The Guardian reports.

Police would be interested in preserving voicemail messages to murder victims not least because of the possibility that the murderer themselves might leave a message in an attempt to cover their tracks.

Scotland Yard is investigating the allegations as part of its re-opened inquiry into phone hacking by the paper. Previously these allegations have largely centred on charges that hacks at the paper used private investigators to hack into the voicemail messages of celebrities and public figures in a hunt for gossip.

The Dowler hack allegations are, to put it mildly, far more serious and are likely to place renewed pressure on senior managers at the paper at the time including then-editor of the paper, Rebekah Brooks, now Rupert Murdoch’s chief executive in the UK. Her deputy at the time, Andy Coulson, resigned as the prime minister’s media adviser in January at the same time police re-opened an investigation into phone hacking at the News of the World. Brooks ran a controversial name-and-shame child abusers campaign during her stint editing the paper.

In the days after Milly’s abduction, the Dowler family spoke of their hope that their daughter might still be alive in an exclusive interview with the News of the World.

The Dowlers’ family lawyer, Mark Lewis, described the News of the World‘s alleged activities as “heinous” and “despicable”. The family intends to sue the paper for damages.

Dowler, 13, was abducted on her way home to Walton-on-Thames, Surrey, on 21 March 2002. Police initially thought that she might have run away from home. The deletion of mobile family messages gave substance to this suggestion and served to cloud the picture about what happened to her in the crucial first few days after she was abducted. Levi Bellfield, 43, was jailed for life for murdering Dowler last month. Former bouncer Bellfield was previously convicted of murdering two other young women, Marsha McDonnell and Amelie Delagrange: both crimes happened in the two years after Dowler’s murder.

Evidence that News of the World hacks may have intercepted and deleted messages sent to Dowler comes from a collection of notes kept by Glenn Mulcaire, the disgraced PI jailed for hacking into the voicemail messages of royal aides at the behest of the News of the World.

The paper made little attempt to hide its activities at the time of Milly’s abduction. For example, it ran a story in early April that year about a woman allegedly pretending to be Dowler who left her number as a point of contact when she applied for a job with a recruitment agency. Police at the time realised that tabloid hacks must have had access to Dowler’s voicemail in sourcing the story but saw it as an isolated incident and decided to do nothing, The Guardian reports.

In a statement over the latest mobile phone hacking allegation, News International (which publishes the NotW) said: “We have been co-operating fully with Operation Weeting since our voluntary disclosure in January restarted the investigation into illegal voicemail interception. This particular case is clearly a development of great concern and we will be conducting our own inquiry as a result.”

SOURCE

Travelodge Customer Data Stolen

Travelodge UK is investigating an apparent hacking attack on its customer database.

The hotel chain issued a warning to users of its online service to be on the lookout for spam e-mails.

Full details of the security breach were not immediately available. A spokesperson said it seemed that a limited number of people were affected. (more…)

UC Gov Gmail Phishers Stalked Victims for Months

Spear phishers who targeted the personal Gmail accounts of senior government officials painstakingly monitored incoming and outgoing email for almost a year, a researcher who helped uncover the campaign said.

In some cases, the attackers sent the victims emails designed to originate from friends or colleagues in hopes of getting responses that detailed the targets’ schedules, contacts, and job responsibilities, Mila Parkour, a Washington, DC-based system administrator who does security research on the side, told The Register. The attackers also employed web-based scripts that caused earlier versions of Microsoft’s Internet Explorer browser to divulge detailed information about the software used by the compromised account holder. (more…)

Second Defence Contractor Targeted in RSA SecurID-Based Hack

Defence giant L-3 Communications has become the second victim of an attempted hack attack that relied on the RSA SecurID hack that took place earlier this year.

A leaked internal memo, obtained by Wired, said that L-3’s Stratus group had been actively targeted with attacks based on “leveraging compromised information” from the SecurID keyfob two-factor authentication system. It’s unclear whether these attacks succeeded or how L-3 came to pin the blame on RSA’s SecurID system. L-3, which supplies command and control systems to the US military, would only say that it takes security seriously and that this particular incident had been resolved, without saying how.

News of the attempted L-3 breach comes days after LockHeed Martin suspended remote access and began re-issuing keyfob tokens following the detection of hacking attacks also linked to the high-profile breach against RSA back in March. The manufacturer of F-22 and F-35 fighter planes confirmed the attempted hack, first reported by tech blogger Robert Cringely, which took place on or around the weekend on 21 May. In a statement, Lockheed confirmed the attempted hack but said that its “systems remain secure; no customer, program or employee personal data has been compromised”.

Unidentified hackers broke into RSA network back in March before extracting unspecified information related to SecurID, possibly the seed used to generate one-time codes supplied by its tokens and their associated serial numbers. Armed with this information, an attacker would need only to obtain the PIN a user logs in with in order to gain the same rights to access sensitive information, highly valuable blueprints and more. PIN numbers might be extracted using keylogging Trojans, possibly punted via targeted emails (ie spear phishing).

It may be that Lockheed Martin and L-3 responded after detecting just this type of attack but this is just an educated guess on our part. Pending a clearer statement from RSA on what was taken during the original hack, we can be forgiven for assuming the worst.

RSA has said how it was attacked but not what data was extracted, aside from saying that this “information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”. EMC’s security division added at the time that it was working with customers to make sure their systems remained secure.

Source

NATO Members Warned About Anonymous

NATO leaders have been warned that the Anonymous “hacktivist” collective might have the capability to threaten member states’ security.

A report for the alliance by Lord Jopling, UK general rapporteur and Tory peer, provides a general (mostly factual) overview of the changing nature of the internet.

One key section deals with the use of social media tools to exchange information by people on the ground during the ongoing Arab Spring protests; another deals with the ongoing WikiLeaks affair and its fallout – and also covers the hack by Anonymous in solidarity with the whistle-blowing site.

Anonymous is becoming more and more sophisticated and could potentially hack into sensitive government, military, and corporate files. According to reports in February 2011, Anonymous demonstrated its ability to do just that. After WikiLeaks announced its plan of releasing information about a major bank, the US Chamber of Commerce and Bank of America reportedly hired the data intelligence company HBGary Federal to protect their servers and attack any adversaries of these institutions. In response, Anonymous hacked servers of HBGary Federal’s sister company and hijacked the CEO’s Twitter account.

Today, the ad hoc international group of hackers and activists is said to have thousands of operatives and has no set rules or membership. It remains to be seen how much time Anonymous has for pursuing such paths. The longer these attacks persist, the more likely countermeasures will be developed, implemented, the groups will be infiltrated and perpetrators persecuted.

Lord Jopling’s report is essentially a policy backgrounder and not a call to action. The document leaves it open as to how exactly members of the hacktivist collective might be “persecuted”, but the general thrust seems to be that this ought to be an extension of previous law enforcement crackdowns. NATO’s role if any in all this seems to be in locking down government and military servers rather than spearheading some military cyber-offensive, much less “taking out” Anonymous-affiliated chat channels.

Only a few years ago, cyberwar barely got a mention in NATO conferences, even in the wake of high-profile cyberattacks on Estonia in April 2007. The ongoing WikiLeaks saga along with the arrival of the industrial-control plant sabotaging Stuxnet worm have changed the game, and this is the real significance of Jopling’s report.

Source

Hackers pwn PBS in Revenge for WikiLeaks Documentary

Hackers aligned with WikiLeaks broke into and defaced the website of US broadcaster PBS over the weekend shortly after it had aired a less than flattering documentary about the whistle-blowing site.

LulzSec took particular offence at the portrayal of presumed WikiLeaks source Bradley Manning during of an episode of PBS’s Frontline news magazine programme. In response, the hackers broke into PBS website before swiping passwords and other sensitive information.

The hacker pranksters uploaded usernames and hashed passwords for the PBS database administrators and users onto Pastebin.com. Even more embarrassingly, the prankster also posted the logins of PBS local affiliates, including plain-text passwords.

Just so everyone would know the hack had happened, LulzSec also defaced PBS’s website, posting a bogus story (cached here) that claimed dead rapper Tupac Shakur was alive and well in and living in the same New Zealand town as nemesis Biggie Smalls. PBS posted a statement on the hack but that was defaced as well with an abusive message posted against Frontline.

Hacks of this type are normally carried out using SQL injection attacks. Flaws in content management systems are also a popular target. However LulzSec said that it had used a zero day exploit in Movable Type 4 on Linux servers running outdated kernels. That in itself would only have allowed LulzSec to deface the PBS website, but the use of the same password across multiple systems within PBS allowed the hackers to pull off a far more deeply penetrative attack.

Since the hack, LulzSec has turned it attention towards patriot hacker Jester, the most prominent member of the anti-Wikileaks cyber-militia, who attacked WikiLeaks after the release of US diplomatic cables. Unsurprisingly, LulzSec claimed his hacks were “lame” before threatening an attack against long-running hacker magazine 2600

Source

NEW Sony Playstation Hack Affects User Accounts

Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.

The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user’s account, Daniel Pilkington, the site’s founder, told The Register. He said he observed internet chat relay discussions that showed a small number of people exploiting the flaw “to take control of an unknown number of accounts.”

“It had the potential to be used maliciously, but we think Sony acted soon enough,” Pilkington said.

Once Sony disabled the login pages, the attacks were no longer possible, he explained.

After this article went live, the company published a blog post that said:

“We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”

Pilkington said he stood by his account. Sony didn’t elaborate on the URL exploit or say when the web-based pages would be restored. Password reset features that use the PlayStation console continue to work normally.

The blunder raises new doubts about Sony’s ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can’t rule out the possibility that credit card data was also taken.

Pilkington said he was initially skeptical of the vulnerability claims until one of the participants in the IRC chat demonstrated the attack on a test account Nyleveia had set up.

“The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to,” the website reported. “It was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.”

Pilkington said he emailed the details to a Sony public relations official, and the login pages were disabled about 15 minutes after a representative sent a response.

Pilkington described the exploit process this way:

The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony’s reset procedure, which required only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony’s servers, complete an image verification on the page. The attacker would then proceed to a scree allowing him to change the victim’s password.

“The page https://store.playstation.com/accounts/reset/resetPassword.action?token, acts as though you had clicked the unique link sent to you via Sony for completing the second page’s password reset,” Pilkington said during a discussion over instant message. He said it’s “highly unlikely” the exploit technique was discovered until Tuesday evening.

Sony has yet to issue any confirmation of the flaw, which Pilkington said has affected PSN users since Monday, when it was reopened following 24 days of continuous outage. On the company’s European blog it said only that PSN sign-in services were down for PlayStation.com, PlayStation forums, the PlayStation blog, and complementary services including Qriocity.com, Music Unlimited via web browsers, and all PlayStation game title websites.

“Unfortunately this also means that those who are still trying to change their password password via Playstation.com or Qriocity.com will be unable to do so for the time being,” the Sony blog said. “This is due to essential maintenance and at present it is unclear how long this will take.”

Sony is requiring all PSN users to change their password before they can use the reopened service. The removal of the reset webpages means users for the time being can reset their pass phrases only through their PlayStation consoles, which remain unaffected by the outage.

The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country’s government had about its security.

 

Source

Skype Vulnerability Gives Remote Access to Mac OSX Systems

Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said.

“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac,” Gordon Maddern of Australian security consultancy Pure Hacking blogged on Friday. “It is extremely wormable and dangerous.”

The vulnerability, which Maddern said isn’t present in the Windows or Linux versions of the popular VoIP program, was confirmed by Skype spokeswoman Brianna Reynaud, who said a fix will be rolled out next week. Its disclosure comes the same week that researchersdiscovered a new crimekit that streamlines the production of Mac-based malware. It also comes as new malware surfaced for Apple’s OS X that masquerades as a legitimate antivirus program.

Reynaud said there are no reports that the Skype vulnerability is being actively exploited.

Maddern said he stumbled on the critical flaw by accident.

“About a month ago I was chatting on skype to a colleague about a payload for one of our clients,” he wrote. “Completely by accident, my payload executed in my colleagues skype client. So I decided to test another mac and sent the payload to my girlfriend. She wasn’t too happy with me as it also left the her skype unusable for several days.”

He then set out to write proof-of-concept attack code that used payloads borrowed from theMetasploit exploit framework. The result: a Skype exploit that allows him to remotely gain shell access on a targeted Mac. Because it’s sent by instant messages, it might be possible to force each infected machines to send the malicious payload to a whole new set of Macs, causing the attack to grow exponentially.

Maddern didn’t say what interaction is required on the part of the victim, and he didn’t immediately respond to an email seeking clarification. His blog post says he notified Skype of the vulnerability more than a month ago, and that he will withhold specific details until a patch is released to prevent malicious attacks.

According to a post on the Skype Security blog that was published a few hours after this story went live, a hotfix for the vulnerability was released in mid April.

“As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week,” Skype’s Adrian Asher wrote.

He added:

This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype’s default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.

 

Websites should notify European users about privacy breaches

Europe-wide laws which require telecommunications companies to notify users if their data is at risk should be extended, the European justice commissioner has said.

Privacy rules created under the EU’s Electronic Communications Framework should be extended to cover online banking, video games, shopping and social media, Viviane Reding said in a speech (in German).

Current rules, which are being implemented in the UK as part of amendments to the Privacy and Electronic Communications Regulations, require telecommunications companies and internet service providers to notify their customers and national regulators of personal data breaches immediately.

“I think it is important that users are notified if someone has unlawful access to their data,” Reding said. “It is essential for consumer confidence that they know what happens to their data.”

Reding said that in the upcoming review of data protection laws in Europe she would investigate the extension of the data breach notification process to more than just telecoms companies.

Addressing German privacy experts, including Germany’s Data Protection Commissioner Peter Schaar, at a discussion in Brussels, Reding expressed her concern at a “veritable wave” of data-security incidents over the last two weeks.

Her comments came shortly after Sony apologised for a security breach involving 77 million PlayStation Network account holders, and a week after Apple said that it would update the software that logs the location of users of its mobile devices.

She spoke of five cornerstones to solid data protection laws to restore consumer confidence: the right to be forgotten, data transparency, corporate responsibility, independent data monitoring systems and “privacy by design” – ensuring that data protection safeguards are built into information systems from the start.

In her speech, Reding said that she could understand if Apple and Sony had eroded “the trust of our citizens” in technology in the face of the high-profile data security lapses.

This trust had to be reinstated, she said, through good legislation, independent data protection authorities and responsible company policy.

She stressed the importance of letting customers know immediately when their personal data had been put at risk. “Seven days is much too long,” she said, referring to the delay between when Sony’s security breach occurred – between 17 and 19 April – and when the company notified its customers on 26 April.

She urged that new EU data protection laws must be “clear and legible” and meet “current and likely future challenges” to the fundamental right to privacy.

“A social network with more than 200 million users in the EU must stick to EU law, even if it is based in the US and its data is stored in a so-called cloud,” she said.

“European citizens care deeply about protecting their privacy and data protection rights,” she added in a later statement to the International Herald Tribune.

“Any company operating in the EU market or in any online product that is targeted at EU consumers should comply with EU rules.”