STE WILLIAMS

The UK defence secretary has accused Russia of using hacking to destabilise the West.

Sir Michael Fallon said the Kremlin is “weaponising misinformation” as part of a sustained campaign that goes beyond alleged meddling in the 2016 US presidential election. NATO needs to do more to combat the threat, the senior cabinet minister warned in a speech at St Andrews University, Scotland, on Thursday.

The defence secretary cited various sources in accusing Russia of nearly knocking France’s TV5Monde television station off the air in April 2015, as well as cyber-assaults on Germany’s lower house of parliament (the Bundestag) also in 2015, in addition to hacks against the US Democratic and Republican parties and Bulgaria last year.

Fallon went on to warn of possible Kremlin interference in the forthcoming German elections as well as the disruption of elections in Montenegro and an upcoming Dutch referendum on an EU-Ukraine treaty.

The warning came hours before the release of a report by Parliament’s spending watchdog, the Public Accounts Committee, which agreed that government needs to raise its game in combatting cyber threats more generally, as previously reported.

In other news Wikileaks revealed this week it had 3,630 documents from its archives on French presidential candidate François Fillon, as well as 1,138 documents on far-right candidate Marine Le Pen. The whistle-blowing outfit was a key conduit for the release of material obtained from the hack of the DNC and Hilary Clinton aides during the US presidential elections.

Late last year US intelligence agencies publicly blamed units of Russian military intelligence (GRU) and state security (FSB) for the hacks and subsequent leaks, a theory supported by most private cybersecurity firms.

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, commented: “Hacking of political figures in an attempt to influence elections is likely to be the new normal. The US presidential election showed the world that it’s possible to attack large targets with relatively minimal resources and have a huge impact for which the victim state has no good response strategies. This latest move by Wikileaks may – but not necessarily – mean that it anticipates having more pertinent documents to release on these political figures in the coming weeks.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/k_defense_secretary_warns_over_russian_cyberattacks/

Chinese state-sponsored hackers are targeting military and aerospace interests in Russia and Belarus.

Since the summer of 2016, a group began using a new downloader known as ZeroT, spear-phishing emails to install the PlugX remote access Trojan (RAT), according to security researchers at Proofpoint.

In previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilising CVE-2012-0158, or URLs linking to .rar-compressed executable nasties. These attacks have continued alongside the deployment of ZeroT, a previously unknown malware strain, from June 2016 onwards.

China’s People’s Liberation Army (PLA) units are notorious for running campaigns aimed at stealing intellectual property as well as intelligence from western governments, NGOs and Chinese dissident groups. Aerospace firms in the US and Europe have long been high up on this extensive target list. An alleged Chinese knock-off of Lockheed Martin F-35 Joint Strike Fighter is the most frequently cited example, not least because a Chinese national was convicted and jailed over stealing its blueprints, but this is just one example of what military analysts allege is general theft and copying by Beijing.

Proofpoint’s research shows that Russian firms, a previously under-publicised target (at least in the tech or business press), are also on the hit list. Chinese jets that look uncannily similar to Russian or US counterparts are documented in a story by US Naval Institute News here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/china_russia_aerospace_apt/

UPDATE The Australian Nuclear Science and Technology Organisation (ANSTO) is investigating a computer security breach at the Australian Synchrotron that saw hackers steal scientists’ usernames and passwords Friday.

Hackers of as yet unknown origin hit systems hosting the web portal where researchers from ANSTO and third parties can request time to use the Victorian atom-smashing facility. We’re told miscreants stole brainiacs’ email addresses and scrambled passwords.

The facility is used for a broad array of scientific and defense applications, from studying sub-atomic particles to biomedicine, pharmaceuticals, and manufacturing.

An email sent at 1am today to users of the Australian Synchrotron User Portal, seen by The Register, says the digital break-in occurred Friday, January 27 via an undisclosed vulnerability.

“The Australian Synchrotron apologises to users of the Australian Synchrotron User Portal for an incident that occurred on Friday the 27th of January whereby the email address and encrypted password of registered users were obtained by unauthorised persons though the exploitation of a security vulnerability,” the email says. Immediate action has been taken to address this vulnerability and a comprehensive security review of the Australian Synchrotron User Portal is now underway, we’re told.

The portal also requires users to fill out their names, academic qualifications, organisation, department, and position, and offers fields for street addresses, phone numbers, citizenship, and gender.

The Register has asked the Australian Synchrotron to comment on the scope of the security breach. A spokesperson for the lab was not immediately available to respond.

Boffinry nerve centre … the Australian Synchrotron (click to enlarge)

Youtube Video

It is not known which hashing algorithm was used to one-way encrypt the passwords: let’s hope it’s not the outdated but tragically popular MD5, and instead something like bcrypt, PBKDF2, or bleeding edge Argon2. The facility has asked that members reset passwords anyway out of precaution.

Form filling … a page to apply to use the facility (click to enlarge)

If the passwords can be cracked, any eggheads who have reused the same password and email combination on other websites face losing control of those accounts too. ®

UPDATE: A spokesperson for the Synchrotron’s been in touch to the hacked network is isolated from the rest of the agency and that ANSTO can rule out other systems beyond the user database having been compromised.

The database is also entirely isolated from the home of Australia’s sole nuclear reactor, on ANSTO’s Lucas Heights campus.

“As a precautionary measure, all users have been required to reset their passwords,” the spokesperson said.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/australian_synchrotron_hacked/

Popular offensive hacking toolkit Metasploit now works on hardware, including cars, after a major update to the 13-year old platform.

The free-or-paid modular hacking machine now sports plenty of CVE-specific exploitation components that security professionals have long-used for penetration tests and research.

An update to the Hardware Bridge API means the platform will now work on variety of hardware including vehicles’ CAN buses, one of the main entry points through which cars can be hacked.

Rapid7 transportation security research director Craig Smith says Metasploit can be trained to work with almost any vehicle interface.

“Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware,” Smith says.

“The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices.

“Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware.”

Smith says hackers says Metasploit will offer several interactive vehicle-related commands for cars that sport CAN buses.

It is he says designed so that exploit developers can focus on writing automotive tools and less on the attached hardware.

Common automotive calls are also easier, including obtaining car speed or gaining security access tokens from engine control units.

Metasploit will also be upgraded over time to cover more hardware hacking including internet-of-things devices, software defined radio, and even industrial control systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/metasploit_hardware_upgrade/

Usenix Enigma 2017 The chief technical director of GCHQ’s National Cyber Security Centre has rebuked infosec companies for spreading fear, uncertainty and doubt about hackers to sell products.

At the Enigma 2017 conference this week, Dr Ian Levy said world-plus-dog were trying to flog security defenses to tackle “advanced persistent threats,” usually using photos of hoodie-cloaked blokes poised over a keyboard with Matrix-style green lettering in the background. But such figures – seen as untouchable, unbeatable, and untraceable – are chimeras, and it’s just “adequate pernicious toe-rags” who are doing the hacking, he argued.

“We are allowing massively incentivised companies to define the public perception of the problem,” he said.

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination, he said.

Part of the job of the NCSC is to take action against these very threats, he noted. The agency is the merger between six different government departments and wants to develop security systems that work, and offer them to companies for real-world deployment.

In November, the agency published its National Cyber Security Strategy 2016 to 2021 detailing these plans, and Levy suggested people take a read because “for a government strategy review it’s not completely crap.” The NCSC wants to promote “active security” – not active as in attacking but active as in “getting off your arse and doing something.”

One aspect of this was instituting a domain-based message authentication, reporting and conformance (DMARC) system for a gov.uk department that shunted spoofed emails into a discard folder. On the first day this system slurped up 50,000 emails and identified the domains they were coming from, enabling the agency to block them.

Within four days, the supply of spoofed emails had dried up and the system is now going to be rolled out for the Inland Revenue service and other UK government departments that ask for it. It’s also going to be offered to ISPs in the UK and those operators, like BT, who have foreign business arms can use it there too.

The agency also now acts as a central hub for getting rid of malware or phishing that’s being hosted on domains. By working with ISPs, it has cut the average time to take down general phishing sites from 27 hours in March to one hour this past month.

Over the same time period, the takedown time for sites hosting malware has been cut from 525 hours to 48 hours, and domains hosting UK government-branded phishing sites now remove the pages in around five hours, down from 45.

Levy’s talk was interrupted by a rather irate conference attendee who accused the agency of setting up a system that could possibly be used for censorship, similar to the UK’s infamous anti-porn firewall.

Levy said any such system would be voluntary, just like the anti-smut systems. But the attendee disputed this, saying that several of his friends have tried to turn off the anti-porn filter with no joy. Levy offered to have a chat with him afterwards and see if he could lend a hand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/security_threat_solutions/

A county in Ohio, US, has had to shut down its entire IT infrastructure due to a ransomware outbreak.

Licking county has turned off all phones and computers on its government network in order to stop the spread of malware that had been locking down infected PCs and demanding payments.

According to local news station WBNS, the move was made Tuesday evening when officials found that more than one thousand county PCs had already been infected with the ransomware.

All county offices remain open for people walking in and doing business the old fashioned way using pen and paper forms, and the 911 call center and dispatch continues to operate in “manual mode.” The county treasurer’s office is unable to process checks, but is still accepting payments for property taxes.

The news station reports that the outage is expected to continue through the week as county staff work to scrub the malware from the infected machines. The FBI has also been called in to assist.

The Newark Advocate reports that the infection has been spreading in city government networks around the state in recent months, prompting the Ohio state auditor to issue a warning on the matter last summer.

Licking county officials can at least take solace in knowing they are hardly alone in falling victim to a ransomware attack. Last week, a police department in Texas said it lost eight years worth of records after refusing to pay a ransom demand, and in Washington DC, a ransomware infection knocked out most of the city’s CCTV cameras ahead of inauguration day. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/ohio_county_licking_shut_down_by_ransomware/