STE WILLIAMS

Time-rich hacking crew scrawls web graffiti all over poor old .ME


Hackers have defaced more than 3,000 .me websites in a web graffiti attack carried out on Sunday.

Pakistani defacement crew TeaM MaDLeeTs pulled off the attack after breaking into the systems of domain.ME, the organisation responsible for the registration of Montenegro (.me) domain names.


Surfers visiting any one of 3,110 compromised sites were redirected to a defacement page in the aftermath of the attack. The site featured boasts about the hack and greetings to other hacking crews, as is typical of this type of attack.

Domain.ME restored the affected websites shortly after the attack, which was more of a nuisance than a cause for any serious concern for “victims”. Most of the affected domains appear to be parked sites that aren’t being actively used and which happened to be sitting on a compromised Linux server.

El Reg invited both the attackers and the domain registrar to comment on the incident but has yet to receive any reply. The defacements are grouped together and recorded by the defacement archive zone-h.org here. (Example defacements are reproduced here and in the screen grab below.)

Despicable .me

Some .me domains attract a great deal of traffic, for example free-tv-video-online.me, which is among the web’s top 1,000 websites, according to stats from DomainTyper. It doesn’t appear that well-trafficked websites were affected. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/mass_defacement/

Clink! Terrorist jailed for refusing to tell police his encryption password


A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.


Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK’s wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain’s deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted, and the security protection was strong enough to frustrate attempts to recover the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussain’s lawyers late last year that they had launched a fresh investigation into alleged credit card fraud by Hussain, his memory suddenly improved. Hussain revealed that the memory stick’s password was “$ur4ht4ub4h8”, a play on words relating to a chapter of the Koran.

Curiously, the password “turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a report on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: “Why didn’t authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So ‘$ur4ht4ub4h8’ is too strong to brute force, but surely there are Koran Bible phrase attack dictionaries?”

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/password_refusal_earns_terror_suspect_extra_jail_time/

Amazon’s public cloud fingered as US’s biggest MALWARE LAIR


Amazon’s public cloud is the largest haven of malware spreaders in the US, according to security company Solutionary.

The claims are in the outfit’s “Quarterly Threat Intelligence Report” [PDF], which uses data from Solutionary’s ActiveGuard Security and Compliance Platform. It was published on Wednesday.


“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy,” said Rob Kraus, director of research in Solutionary’s Security Engineering Research Team (SERT).

The company claimed that the United States provides 4.6 times more software nasties to the world than Germany, the next leading country. Solutionary also reckons Amazon Web Services, web host biz OVH and Google are preferred by malware-slinging crooks.

“The cloud has become a preferred mode for malicious actors who are using cloud computing for many of the same reasons that legitimate customers are,” the report stated.

It claimed that ease of website development, the low costs of hosting, and that Amazon and Google-provided IP addresses tend to be trusted on the internet, made the pair’s pools of computers an excellent foundation for malware.

“Attackers are leveraging services like Amazon and GoDaddy by either buying services directly or by compromising legitimate domains,” the report stated. “These providers are likely targets due to the transient nature of many of their users and the lack of formal hardening.”

All cloud providers worth their salt have stringent security policies that give crooks the boot as soon as they’re discovered. However, the scale of the clouds operated by the larger companies – tens of thousands to hundreds of thousands of servers with millions of ephemeral jobs per month – means it’s a tough gig to spot and shoot down nasties running on the gear.

This isn’t the first time Amazon has come in for criticism over what’s held in its cloud: in July 2011, security firm Kaspersky said the S3 storage service had been caught hosting the nasty SpyEye banking trojan.

Solutionary’s advice for companies wishing to protect themselves from threats served off of the mega-clouds is simple: hire better staff.

“It is possible for an untrained analyst or IT staff member who does not normally handle security to overlook an event or alert because the associated IP address belongs to Google, Amazon or some other well-known provider,” the firm wrote. “Over the past few months, SERT has observed an increase of malicious domains being hosted on major hosting providers.”
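The failure mode SERT describes, an alert waved through because its source IP sits in a big provider’s address space, as an added example (not code from the report or from Solutionary): a small Python triage routine with the weak suppress-by-provider logic beside the corrected enrich-but-never-suppress logic, run over sample alert lines. The provider ranges and the alert lines are constructed for illustration and are not real AWS or Google allocations.

```python
"""Alert triage that must not discard events merely because the source address
belongs to a well-known hosting provider.  Added example; ranges and log lines
are constructed and do not correspond to any real provider allocation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed provider prefixes (assumption: a real deployment would load the
# providers' published prefix lists instead of these documentation-range blocks).
PROVIDER_RANGES = {
    "aws": [ipaddress.ip_network("203.0.113.0/24")],
    "google": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample alerts in a simple key=value format.
SAMPLE_ALERTS = """\
ts=2014-01-16T09:12:01Z sig=malware-c2-beacon src=203.0.113.45 dst=10.0.0.7 sev=high
ts=2014-01-16T09:12:07Z sig=exploit-kit-landing src=198.51.100.9 dst=10.0.0.22 sev=high
ts=2014-01-16T09:13:40Z sig=port-scan src=192.0.2.77 dst=10.0.0.1 sev=medium
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    sig: str
    src: str
    sev: str
    provider: Optional[str] = None  # filled in by the sound triage path


def parse_alerts(text: str):
    """Parse key=value alert lines; lines missing a required field are skipped."""
    alerts = []
    for line in text.splitlines():
        kv = dict(KV_RE.findall(line))
        if {"ts", "sig", "src", "sev"} <= kv.keys():
            alerts.append(Alert(kv["ts"], kv["sig"], kv["src"], kv["sev"]))
    return alerts


def provider_for(ip: str) -> Optional[str]:
    """Return the provider name whose constructed prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in PROVIDER_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def naive_triage(alerts):
    """Weak logic: 'big provider' is read as 'trusted' and the alert is dropped.
    This is exactly the oversight the report warns an untrained analyst makes."""
    return [a for a in alerts if provider_for(a.src) is None]


def sound_triage(alerts):
    """Corrected logic: provider membership is enrichment, not a filter.
    Every alert survives; provider-hosted ones are tagged so the analyst sees
    the hosting context and can still judge the event on its signature."""
    for a in alerts:
        a.provider = provider_for(a.src)
    return list(alerts)


def dropped_by_naive_triage(alerts):
    """Alerts that the suppress-by-provider rule would silently discard."""
    kept = {id(a) for a in naive_triage(alerts)}
    return [a for a in alerts if id(a) not in kept]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for lost in dropped_by_naive_triage(parsed):
        print(f"naive triage would lose: {lost.sig} from {lost.src}")
    for a in sound_triage(parsed):
        print(f"{a.ts} {a.sig} src={a.src} provider={a.provider or '-'} sev={a.sev}")
```
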

Alongside the cloud research, the report comes with some typical antivirus-vendor scarification: some malware samples gathered late last year were undetectable by at least 40 antivirus engines, and of the files obtained, 26 percent were plain old executables (as opposed to documents that exploit holes in software, we presume).

At the time of writing neither Amazon nor GoDaddy had responded to an El Reg request for comment on the report. Companies that think they’ve spotted malicious activity on AWS can email ec2-abuse at amazon dot com. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/amazon_cloud_security_nightmare/

Fine! We’ll keep updating WinXP’s malware sniffer after April, says Microsoft


Microsoft has capitulated to the legions of users who are still running Windows XP once again, by extending support for its antimalware software for the aging OS into 2015.

In the past, Redmond has warned that it would discontinue support for Microsoft Security Essentials, Forefront Client Security, Forefront Endpoint Protection, System Center Endpoint Protection, and Windows Intune running on Windows XP on the same day that support for the OS itself ends – April 8, 2014.


That would mean that Windows XP users would immediately stop receiving new malware signatures and engine updates on that date, even though Microsoft would still be providing updates for the same software running on Windows Vista and later.

In a blog post on Wednesday, however, Microsoft’s Malware Protection Center group said the software giant has decided to give XP users one more reprieve – but not too long a one.

“To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015,” the post explained, which gives customers just 14 more months to upgrade.

XP users shouldn’t breathe too easy, though. Those 14 months are expected to be dangerous ones, with hackers descending upon XP’s final, never-to-be-patched vulnerabilities like a swarm of identity-thieving locusts. And each new security update that Microsoft releases for Windows Vista or later could potentially become a how-to manual for new exploits, should the same flaws exist in XP.

“Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited,” Microsoft’s malware mavens write. “Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Plenty of people have yet to heed that advice, however. Although the New Year saw a surge of upgrades, as we go to push the big, red Publish button on this story, Windows XP is still thought to be running on just under a third of the world’s PCs. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/microsoft_xp_security_updates_extended/

Microsoft confirms: Staff inboxes hijacked amid ‘Syrian army’ cyber-blitz


Microsoft has finally admitted that an attack on two of its Twitter accounts and an official blog by a pro-Assad hacking group last weekend also compromised internal emails.

The Syrian Electronic Army posted to its Twitter feed several screenshots of emails purportedly belonging to Microsoft employees including Steve Clayton, the man in charge of the blog and Twitter accounts that were breached.


At the time it wasn’t sure if the SEA, never ones to shy away from publicity, had faked the emails.

However, Microsoft has now come clean, releasing the following statement, which El Reg got its hands on:

A social engineering cyberattack method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted. These accounts were reset and no customer information was compromised. We continue to take a number of actions to protect our employees and accounts against this industry-wide issue.

Redmond declined to provide details regarding the roles or responsibilities of the staff whose accounts were compromised.

The SEA posted emails from only three Microsoft employees on its Twitter feed so at first sight that’s a reassuringly small number who failed the phishing test – assuming the attack was aimed at a wide range of Redmondians.

However, the news is still likely to raise questions about Microsoft’s internal security posture, and there could be more embarrassment ahead.

An SEA Tweet from Wednesday warned the computing giant to “stay tuned for more”.

With the official Skype Twitter account and blog hacked earlier this month, it’s shaping up to be a torrid start to 2014 for Microsoft.

Perhaps now would be a good time for staff to reacquaint themselves with some security best practices.

It hasn’t all been going the SEA’s way in 2014, of course.

Earlier this week the hacktivists got a taste of their own medicine when a Turkish group breached their hosting provider and defaced their official sea.sy site. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/sea_microsoft_email_compromised/

SCADA Researcher Drops Zero-Day, ICS-CERT Issues Advisory

S4x14 CONFERENCE – Miami – A well-known and prolific ICS/SCADA vulnerability researcher here today revealed a zero-day flaw in a Web server-based system used for monitoring, controlling, and viewing devices and systems in process control environments.

Luigi Auriemma, CEO of Malta-based zero-day vulnerability provider and penetration testing firm ReVuln, showed a proof-of-concept for executing a buffer overflow attack on Ecava’s IntegraXor software, which is used in human machine interfaces (HMIs) for SCADA systems.

The ICS-CERT responded later in the day with a security alert on the zero-day vulnerability, and requested that Ecava confirm the bug and provide mitigation. Ecava as of this posting had not responded publicly, nor had it responded to an email inquiry by Dark Reading.

The IntegraXor line is used in process control environments in 38 countries, mainly in the U.K., U.S., Australia, Poland, Canada, and Estonia, according to ICS-CERT.

Auriemma says the stack buffer overflow bug causes the system to crash, but could in some cases allow an attacker to run malicious code remotely. “It was quite simple to find and even simpler to exploit,” he says.

Ecava is no stranger to the SCADA research community. The Malaysia-based software company in July announced a controversial bug bounty program that gives away points towards its software license rather than the standard cash reward that other such vendor vulnerability programs offer researchers. “It’s already difficult for a vendor to attract researchers with offers like money, and it’s even more difficult in this case because the researcher needs to spend time for points or the license,” Auriemma says.

He says he decided to disclose the buffer overflow bug in IntegraXor he had found because it was “a perfect example of a stack overflow vulnerability.”

[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call .]

Auriemma and Donato Ferrante, co-founder and security researcher with ReVuln, here also gave an update on their SCADA Shield prototype product, which provides an alternative to applying ICS/SCADA vendor patches. SCADA Shield is basically a hot-patching utility that performs in-memory patching without having to power down the systems. Traditional patching typically requires a shutdown of the system and thus poses an unpalatable option for many plants.

“It’s a proactive solution that combines information from our internal vulnerability [research] and exploit prevention techniques,” Ferrante says. It’s built to mitigate specific classes of vulnerabilities, including stack and heap overflow, directory traversal, file inclusion/overwrite, use-after-free, and injection flaws. SCADA Shield is still under development.


Article source: http://www.darkreading.com/applications/scada-researcher-drops-zero-day-ics-cert/240165420

5 Surprising Security Gains Achieved From Security Analytics

As more CISOs begin to lean on data scientists to discover new threats in security feeds, and as more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is broader and deeper visibility into IT security data sources, which in turn offers a better understanding of security risks and faster response times.

But as security programs mature their analytics practices, they often find themselves surprised at the discrete benefits they start seeing from programmatic exploration of security-related data feeds. Here are just a few of the top positive surprises.

1. Uncover Data Leaks You’d Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.

“The one that comes up regularly is that they discover leaks that have been ongoing for some time,” says Matthew Gardiner, senior product marketing manager for RSA.

As he explains, this may not necessarily be a leak at the hands of some kind of complicated nation-state spying, or even data being stolen by a crime syndicate.

“They’re just leaks caused by data moving out of the enterprises to places the organization didn’t know about, didn’t expect and maybe doesn’t like,” he explains. “The question then is figuring out what to do about that flow of data at that point.”

[Are you getting the most out of your security data? See 8 Effective Data Visualization Methods For Security Teams.]

2. Sniff Out Questions You Didn’t Know Needed Asking Before
The huge amount of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts to even begin to start querying data for answers to common questions about its risk posture. The simple act of organizing analytics programs to answer those obvious questions may turn up unexpected returns as other patterns emerge to answer questions that the team may never have even thought to ask.

“Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible,” says Dan Hubbard, CTO of OpenDNS. “Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible.”

What’s more, the visualization of those trends can also help better communicate risks to the business and start collaboration with business leaders who may start to come up with their own important questions to be answered based on data that was never as accessible without analytics.

“They start to ask good questions, so it gives a different perspective on not only what you should be looking at but how you should be looking at it,” says Ron Schlecht, managing partner for security service provider BTB Security. “It’s a good way to collaborate with different business leaders and it starts to pull together why security is important to the overall organization.”

3. Make Connections Between Data Sources You Might Not Have Made Before
Oftentimes security analytics programs will start making associations between data sources that a security team may never have uncovered on its own.

“Most security analytics programs require feeding data from multiple sources into a single engine for processing to look at patterns and anomalies,” says Corey Lanum, general manager for North America at Cambridge Intelligence. “When I’m working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection.”

For example, one police agency his firm worked with extended its security analytics engine out toward information sources about offenders and crime, with everything from 911 call information to jail records and the like.

“After loading in their crime reports and pawn shop records, we immediately started to see connections,” Lanum says. “It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software.”

This kind of modeling can easily translate to find connections between disparate parts of the network, different departmental information and so on.

4. Discover operational IT issues you never knew were there

The benefits of security analytics programs may well extend beyond IT security and bleed into IT operations as well. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow and efficiency department-wide.

“One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program,” Schlecht says.

For example, when he worked in-house years ago he found that a new analytics program not only helped identify security issues but was also able to pinpoint development issues in the company’s applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up helping to spot the root cause of the development frustration.

5. Find policy violations you didn’t know were happening
Another beneficial surprise offered up by analytics, one that can often be a bit of a double-edged sword, is the discovery of policy violations across the organization. They won’t always necessarily be malicious, but they’re there, and the difficult thing about it is that once the team has seen these violations, it can’t unsee them no matter how inconvenient the response may be.

“You hear about rogue cloud services and with analytics you’ll see they’re very real,” Gardiner says. “It’s beneficial because you have better visibility, but you can’t be an ostrich once you see it. You have to do something about it and make the determination of whether it’s important and whether you have to investigate it and respond.”


Article source: http://www.darkreading.com/5-surprising-security-gains-achieved-fro/240165463

PGP wiz Phil Zimmermann and pals tout anti-snoop mobe – the Blackphone


Video: A smartphone that tries to thwart eavesdroppers will be launched this summer by Spanish smartphone maker Geeksphone and Silent Circle – the secure chat firm started by the inventors of PGP encryption.


Dubbed Blackphone, and featured in the video above, the handset runs a hardened version of Android called PrivatOS that has been developed by Phil Zimmermann and Jon Callas, formerly of PGP. The mobe can make standard phone calls, but will include Silent Circle’s apps to encrypt messages and voice and video chat, plus secure file sharing and anonymized VPN sessions.

“Phil always wanted to do encrypted voice – he did PGPfone over 15 years ago – but that was before mass-market mobile phones,” Callas told The Register. “Now we’re doing a security enhanced phone that in price will be competitive with high-end smartphones and less expensive than an iPhone or Samsung Galaxy.”

The full details of the new phone will be revealed at the trade show Mobile World Congress in Barcelona next month, and available to order from February 24. The final handset will launch in late spring or early summer. The company itself will be based in Switzerland due to that country’s strict privacy rules.


Hidden in the shadows … The Blackphone

Callas said the phone will have cellular and Wi-Fi connectivity, and have a top-of-the-range processor to handle the cipher workloads, plus codecs tuned to ensure encrypted voice quality doesn’t suffer. The mobe will use a custom encryption algorithm designed by PGP guru Zimmermann and his team.

Certain parts of the hardware will be manufactured and assembled in the Far East, but the more specialized parts will be built by the team at Geeksphone. The phone will have Silent Circle’s apps built in, as well as extra third-party privacy applications that have been approved by the Blackphone team.

The handset will have plenty of competition. Even before the leaks from NSA whistleblower Edward Snowden, businesses were growing concerned about the security of mobile chatter and now the demand for protected communications has grown to a clamor.

Boeing announced that it was getting into the game in 2012, and at Mobile World Congress last year others in the military-industrial complex showed off their offerings. No doubt the NSA will be watching the new company very carefully indeed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/15/encrypted_blackphone/

Oracle spoils your day with NEARLY 150 patches


Systems administrators who decided it would be a quiet week were wrong: Oracle has flicked out more than a hundred security patches, and when you’re finished, it’ll be time to round up any Blackberry users in the company and apply some patches for them.

Let’s start with Oracle, which among other things is taking another stab at securing Java, fixing 36 vulnerabilities of which 34 are “remotely exploitable without authentication”. All but one are client-side vulnerabilities, and ten of them are rated by Oracle at 9.3 or 10 on its vuln scale.


Once they’ve finished dealing with the Java fixes, weary sysadmins can then work on five database server patches (only one remote-without-authentication); 22 Fusion Middleware patches (19 remotely exploitable); two for Hyperion; four for the E-Business Suite (one remotely exploitable); 16 for the Supply Chain suite (six remotely exploitable); 17 for PeopleSoft (ten remotely exploitable); two for Siebel (one remotely exploitable); one each for iLearning and Financial Services (both remotely exploitable).

There are also eleven Solaris operating system patches, nine virtualisation patches, and 18 MySQL server patches.

The wearying list, along with links to patches, is here.

To complete this unexpectedly busy patch Thursday, Blackberry Q10, Z10 and PlayBook owners need to get busy patching their devices, after the struggling smartphone maker issued a fix for a year-old Adobe Flash vulnerability.

The original vulnerability reports, here, here, here and here, allowed attackers to craft Flash content that would let them execute code in the browser.

“Successful exploitation of these vulnerabilities could potentially result in an attacker executing code in the context of the application that opens the specially crafted Flash content (typically the web browser). Failed exploitation of this issue might result in abnormal or unexpected termination of the application,” the Blackberry advisory says.

“If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content,” (for example, the browser) the advisory states, adding that its sandboxing should prevent an attacker from getting beyond the browser’s context.

This is a separate fix to last September’s set of patches, which addressed Flash vulnerabilities among others. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/16/blackberry_oracle_ship_vuln_patches/

Java ‘Icefog’ Malware Variant Infects U.S. Businesses

Beware Java-based malware that’s been used to exploit at least three US-based organizations.

That warning of a new advanced persistent threat (APT) attack campaign came via Kaspersky Lab, which said that it’s traced a malicious Java archive (a.k.a. JAR) file to eight infected systems inside three US-based organizations, which it declined to name. “Based on the IP address, one of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries,” Kaspersky Lab researchers Costin Raiu, Vitaly Kamluk, and Igor Soumenkov said in a joint blog post Tuesday. “As of today, all victims have been notified about the infections. Two of the victims have removed it already.”

The attacks have been tied to the Icefog APT attack campaign, which historically has used Windows Preinstallation Environment files to infect targets.

What’s unusual about the latest attacks is that the “Javafog” malware used by attackers was, as the name implies, written in Java. Furthermore, it includes only basic functionality, such as the ability to upload files to a designated server, as well as change the command-and-control (CC) server to which it reports. “The backdoor doesn’t do much else,” according to Kaspersky Lab. “It allows the attackers to control the infected system and download files from it. Simple, yet very effective.”

Read the full article here.


Article source: http://www.darkreading.com/attacks-breaches/java-icefog-malware-variant-infects-us-b/240165459