STE WILLIAMS

Zombie-animating malnets increase 200% in just 6 months

Cybercrooks are beefing up the infrastructure behind the delivery of botnets, a move that is leading towards more potent and numerous threats, say researchers.

Botnet infections are commonly spread through compromised websites seeded with malicious scripts and promoted via black hat SEO tactics such as link farms. These malware networks, or malnets, pose a growing threat, according to a new study by web security firm Blue Coat.

Malnets largely deal in mass market malware and as such are different from advanced persistent threats (APTs) associated with cyber-espionage attacks targeting large corporations and Western governments. Attacks will be updated and changed, but the underlying infrastructure used to lure in users and deliver these attacks is reused. The ease with which cyber criminals can launch attacks using malnets creates a vicious cycle, a process by which individuals are lured to malware, infected, and then used to infect others.

First the malnet drives a user to the malware. Then the user’s computer is infected with a Trojan. Once the computer is compromised it can be used by the botnet to lure new users into the malnet by using the infected machine to send spam to email contact lists, for example. A compromised system can also be used to steal the victim’s personal information or money, and, in some cases, can also function as a jumping-off point for attacks on neighboring machines.

“Their [malnet] infrastructure is comprised of several thousand unique domains, servers and websites that work together to funnel users to a malware payload,” Tim Van Der Horst, a senior malware researcher at Blue Coat, explained. “This infrastructure of relay and exploit servers allows malnet operators to quickly launch new attacks that can be tailored to attract large groups of potential victims.”

Blue Coat expect malnets to account for more than two-thirds of all malicious cyber attacks in 2012. The firm is currently tracking more than 1,500 unique malnets, a 200 per cent (four-fold) increase from just six months ago.

The biggest malnet, dubbed Shnakule by Blue Coat, not only communicates frequently but also changes hostnames frequently, as the web filtering firm explains.

Shnakule is a wide-ranging malnet that engages in a variety of malfeasant activities, including fake AV, codec, Flash and browser updates, pornography, gambling and work-at-home scams. To scale the infrastructure to accommodate attacks associated with these activities, Shnakule operators bring new domains and servers online. Over the course of six months Shnakule used anywhere from 50 to 5,005 unique domain names per day.

Other malnets are more focused on specific malicious activities. Rubol, for example, is a spam ecosystem that operates in bursts. When it is actively launching attacks, the malnet will use as many as 476 unique domain names but this can drop to a single domain during inactive periods.

Search Engine Poisoning (SEP) continues to be the leading entry point into malnets, driving users to malware more than 35 per cent of the time. However, cyber criminals have moved away from targeting breaking news or big events. For example, of more than 28,000 successful search engine poisoning attacks in the weeks around the Olympics, only 0.18 per cent were related to the Olympics.

Email and pornography drive roughly 11 and 4 per cent, respectively, of malnet attacks. The biggest change in the last eight months has been the decline of social networking – from 6.5 per cent of all attacks to just over 1 per cent. “The full reasoning for this drop is not fully known, but part of it is attributable to greater awareness of social networking users and more robust policing of malicious content on the part of the social networks themselves,” Blue Coat explains.

Looking at malware delivery infrastructures rather than infected zombies, Blue Coat has reached the conclusion that the infamous ZeuS banking Trojan toolkit is in decline.

Over the last six months a new botnet, Aleuron, has risen to take its place. Activity from the Aleuron botnet increased 517 percent, surpassing Zeus and making it the most active botnet in the wild, according to Blue Coat.

The ease with which this infrastructure can be shifted to avoid detection or target a new group of users makes it especially tricky to eradicate malnets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/03/malnets/

Iran linked to al-Qaeda’s web jihadi crew by old-school phone line

Exclusive An organisation that attempts to recruit Westerners to carry out terrorist attacks on their home soil was backed by the Iranian state, according to an unlikely source of information: leased telephone line records.

Security researcher Michael Kemp found a list of the Middle East nation’s leased lines that use the packet switching protocol X.25, and discovered that it included a line allocated to Ansar Al-Mujahideen – a popular hangout for Islamic militants.

“In the course of doing some research on X.25 – the network that existed before there was the internet – I stumbled across a document detailing all the X.25 network user addresses for the country of Iran,” Kemp told El Reg.

“In Iran all connections have to be approved by an organisation called DCI: the Data Communications Company of Iran.

“I found a network user address that appears, if the document is genuine, to pertain to Ansar Al-Mujahideen. Ansar Al-Mujahideen are lovely people who are very much supportive of Jihad as a concept, and have been linked to al-Qaeda. And they have a state-licensed leased line in Iran,” the co-founder of UK-based Xiphos Research added.

Checking the validity of the paperwork by attempting to access the leased line would violate the UK’s strict anti-hacking laws – specifically the Computer Misuse Act. Kemp said he was unable to rule out the possibility that the list was planted as some sort of disinformation campaign, but argues that the circumstances make this unlikely.

“It’s not an ‘internal’ document but a result of some X.25 walking a student was doing a while ago – about four years ago – but X.25 data network identification codes (DNICs) and their network user addresses (NUAs) are pretty much fixed so that really doesn’t matter,” Kemp said. “There is nothing to prove the doc is legit, but if it is someone pissing around, they have spent a lot of time making the file appear genuine, and it should probably be treated accordingly.”

The spreadsheet, compressed and scrambled using a passcode, is in Arabic and Farsi, and features about 2,800 records. The surprising entries are at lines 92 and 93 of the document:

X25 scene Khorasan Razavi 51,133,113 Ansar al-Mujahideen scene

Kemp called on a Farsi-speaking friend in Syria, as well as Google Translate, to make sense of the document. “Khorasan Razavi” refers to a province in north-east Iran, close to the Afghan border.

“It doesn’t necessarily mean that Ansar Al-Mujahideen are using the line,” Kemp said. “The reason why I suspect that they are, rather than a techie twatting about, is that all leased lines in Iran have to be approved by the Iranian government in conjunction with the Telecommunication Company of Iran (TCI), which runs the Iranian X.25 backbone. And I suspect a creative techie may get into a bit of bother with that naming convention – it’s a bit more contentious than calling your file server Frodo.

“To the best of my knowledge, X.25 is still really widespread in Iran as unlike TCP/IP it’s a shedload easier to control. Additionally according to numerous sources most of the network backbone is X.25, and the Iranians have yet to jump on TCP proper. This may have more to do with state control than anything technical.”

Kemp explained how he came across the document, which was put together by a black-hat hacker of Arab extraction living in Sweden.

“I fell across the doc while researching X.25 connectivity,” he said. “I did a talk on legacy tech at Grrcon and as X.25 is a lovely old and grizzled protocol, so I thought I’d cover that for the TCP/IP generation.

“X.25 is still used as a backbone for ATMs, and SMS bulk services, but Iran is a bit of a weird one from what I know. They never really made the jump to TCP proper and I think much of the ISP space over there is X.25 via XOT or similar. As to why Ansar would have a leased line, if it is them, my supposition would be that it’s used to access the internet. Although that said, there could be bloody anything on there, and I have no great desire to breach the Computer Misuse Act and find out.”

This legal restriction wouldn’t hold back intelligence agencies, of course, and finding out the kind of traffic the line carried would not be particularly difficult.

“There’re no passwords but X.25 doesn’t work like that,” Kemp explained. “Basically if you have a country’s DNIC (as mandated by the lovely people at ITU) and the NUA, and access to an X.25 leased line or X.28 pad, you can dial up the number. Because X.25 is not IP, IPv4 and v6 protections will not work, e.g. traditional intrusion detection systems and firewalls, so you can brute force any authentication that may be in place to your heart’s content.”

Iran and web jihadis – unlikely bedfellows?

Ansar Al-Mujahideen – which maintains a Hungarian-hosted website at ansar1.info – is a forum for jihad-related propaganda and recruitment. The group has posted links to videos showing “Islamic fighters in France” and its site features the pictures of prominent members of al-Qaeda, including its post-Osama leader Ayman al-Zawahiri.

A curious twist to this story is that al-Qaeda, which Ansar Al-Mujahideen is so closely linked to, is a radical Sunni Muslim movement – whereas Iran is overwhelmingly a Shi’ite nation. These two denominations of Islam are so strongly split on their beliefs that it has led to conflict and strife across the Middle East for centuries.

Ansar Al-Mujahideen is apparently trying to radicalise Westerners and persuade them to mount attacks at home as well as recruit them for action in Kashmir. An academic paper on the group and other e-jihadists can be found here.

If the evidence from the leased-line file is to be believed then Ansar Al-Mujahideen has some sort of base in Iran – there’s no other good reason to have a government-allocated leased line.

Kemp, an expert in computer security rather than global politics or terrorism, is unsure what this might mean: “Why would they have an office in Iran, who knows? My speculation would be that it’s a ‘friendly’ state thing, in as much as they probably get less hassle there than elsewhere. Direct Iranian involvement in terrorism, which is unequivocally technically provable, may be interesting.”

The researcher is putting together a talk for the Deepsec conference in Vienna, Austria next month about the supposed threats posed by computer-armed terrorists. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/iran_leased_line_e_jihadi/

Chinese Nitol botnet host back up after Microsoft settles lawsuit

Microsoft has reached a settlement with the Chinese site linked to the Nitol DDoS botnet.

The emerging Nitol botnet was hosted by the 3322.org domain. In order to stem the threat, Microsoft filed a suit to take control of the 70,000 malicious subdomains hosted on 3322.org, gaining control of the domain in mid September.

Redmond uncovered the scam during an investigation (PDF) into insecure supply chains. It seems that corrupt (but unnamed) computer resellers in China were planting malware on victims’ machines as a means to make extra money from pay-per-install malware affiliate programs and similar scams.

The 3322.org played host to a multitude of backdoors, Trojans and other strains of malware as well as Nitol prior to the Redmond-initiated enforcement action.

The operator of 3322.org, Peng Yong, recently agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to fight cybercrime. Based on this settlement agreement, Redmond allowed the 3322.org domain to resume operations, on condition that any sub-domains linked to malware are placed on a “block-list” and redirected to a sink-hole managed by Microsoft. 3322.org also agreed to help identify computer users in China left infected by the earlier spread of the Nitol botnet and other malware strains tied to 3322.org.

“We’re very pleased by this outcome, which will help guarantee that the 70,000 malicious subdomains associated with 3322.org will never again be used for cybercrime,” Richard Domingues Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, writes in a blog post announcing the settlement.

In the 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious 3322.org subdomains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked 3322.org subdomains. For example, on Sept 25, we successfully processed 34,954,795 DNS requests for 3322.org subdomains that were not on our block list.

Microsoft has passed on its data of infected IP addresses to the Shadow Server Foundation, which is working with Computer Emergency Response Teams (CERTs) and ISPs across the world to clean up the remnants of the Nitol botnet.
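The arrangement described above has two moving parts: a resolver that answers block-listed names (and anything beneath them) with a sinkhole address while serving the rest of the domain normally, and a query log from which the blocked-connection and unique-client figures are derived and later handed to a clean-up partner. The following is an added example of that logic, not Microsoft's, CN-CERT's or 3322.org's code; the block-list, the sinkhole address, the upstream records and the log lines are all constructed for illustration.

```python
"""Block-list sinkholing for a domain's malicious subdomains, plus infection statistics
from the resolver's query log. Added example; not code from Microsoft, CN-CERT or 3322.org.
The block-list, sinkhole address, upstream records and log lines are all constructed."""
from collections import Counter

SINKHOLE_IP = "192.0.2.1"   # constructed; 192.0.2.0/24 is reserved for documentation (RFC 5737)

# Constructed block-list of names known to serve malware. A listed name covers its subdomains too.
BLOCK_LIST = {"bad-c2.example.net", "dropper.example.net"}

# Constructed records for the domain's legitimate subdomains, which must keep resolving.
UPSTREAM = {"blog.example.net": "198.51.100.10", "cam.example.net": "198.51.100.11"}


def is_blocked(qname):
    """True if qname, or any parent name of it, is on the block-list (case- and dot-insensitive)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCK_LIST for i in range(len(labels)))


def resolve(qname):
    """Return (answer, sinkholed): blocked names get the sinkhole address, the rest normal service."""
    name = qname.rstrip(".").lower()
    if is_blocked(name):
        return SINKHOLE_IP, True
    return UPSTREAM.get(name, "NXDOMAIN"), False


def summarize(log_lines):
    """Aggregate 'timestamp client_ip qname' log lines into the figures a takedown report quotes:
    blocked connections, unique (presumably infected) clients, and queries served normally.
    The per-client counts are what gets passed to CERTs and ISPs for remediation."""
    blocked = 0
    served = 0
    clients = Counter()
    for line in log_lines:
        _, client, qname = line.split()
        _, sinkholed = resolve(qname)
        if sinkholed:
            blocked += 1
            clients[client] += 1
        else:
            served += 1
    return {
        "blocked_connections": blocked,
        "unique_clients": len(clients),
        "served": served,
        "top_clients": clients.most_common(3),
    }


# Constructed query log in the shape summarize() expects.
SAMPLE_LOG = [
    "2012-09-25T00:00:01 203.0.113.5 bad-c2.example.net",
    "2012-09-25T00:00:02 203.0.113.5 update.bad-c2.example.net",   # subdomain of a listed name
    "2012-09-25T00:00:03 203.0.113.9 dropper.example.net",
    "2012-09-25T00:00:04 203.0.113.22 blog.example.net",           # legitimate, served normally
    "2012-09-25T00:00:05 203.0.113.9 BAD-C2.example.net.",         # case and trailing dot ignored
    "2012-09-25T00:00:06 203.0.113.40 cam.example.net",
    "2012-09-25T00:00:07 203.0.113.40 missing.example.net",        # unknown but not malicious
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Matching on every parent label is what stops an operator from sidestepping the list by registering a fresh host under an already-blocked name; the unique-client count, rather than the raw connection count, is the number that actually measures how many machines still need cleaning.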

Operation b70 – against the Nitol botnet and other strains of malware previously distributed via the 3322.org domain – was Microsoft’s fifth disruptive action against malware as part of Redmond’s ongoing Project MARS (Microsoft Active Response for Security) initiative. Previous botnet takedown operations by Redmond have targeted the Waledac, Rustock, Kelihos and Zeus botnets over the last two-and-a-half years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/nitol_botnet_settlement/

Assange movie portrays leaker as teen rebel

Review A car passes through a foggy forest. In the back seat, memories wash through a floppy-haired teenaged boy’s mind. He recalls another night drive, one on which his mother spirited him away before a stepfather could despatch him to live on a creepy cult’s hidden commune.

Years later the family emerges from the same car and unpacks its belongings in a house the mother proclaims “cannot be seen from the road”. The teenager opens his suitcase and removes his prize possession: a Commodore 64.

Thus opens UNDERGROUND – The Julian Assange Story, an Australian dramatisation of Julian Assange’s early life that debuted at the Toronto Film Festival and will go to air for the first time this Sunday. The Reg was offered access to a preview by Channel Ten, the Australian network that commissioned the film.

Assange is quickly revealed as adept at phone phreaking, illegally logging on to banks, Commodore 64 repair and acquiring amorous attention from members of the opposite sex. Australia’s Federal Police, by contrast, aren’t sure they even have a computer with which to begin to track Assange, or Mendax, as he prefers to be known online.

Motivated by the fall of the Berlin Wall and his mother’s anti-nuclear activism, Assange starts to find online outlets for his emerging radicalism. Those pursuits prove more interesting than his pregnant girlfriend, to her understandable chagrin. The arrival of a son can’t divert him from his nocturnal online activities, and with Iraqi tanks rolling into Kuwait and the US responding, Assange feels he can influence global events by exposing truths he has found online.

Jordan Raskopoulos as Trax, Alex Williams as Julian Assange and Callan Mcauliffe as Prime Suspect

The resulting exploits make his online footprints easier to follow, the cops bumble less and the film evolves into a reasonably predictable thriller.

Based partly on the book Underground: Tales of hacking, madness and obsession on the electronic frontier, to which Assange contributed research, the film is a little heavy-handed. Parts of the plot seem to project facts about the Assange we know today onto the teenaged Assange. The film’s early moments in which the family dodges the cult, for example, are used to portray Assange as someone who knows only life on the run. It’s understandable that writers wanted to reference current events, but the device still feels forced.

Overall, Underground is a slick production by the standards of Australian television, which means it’s a little clunkier than a cinematic cousin, the BBC’s Sinclair telemovie, Micro Men. It replicates that film’s knowing and respectful homage to computers of past ages, throwing in some delectable references to Australian alternative culture in the late 1980s along the way.

If you’re within the film’s Australian broadcast footprint this weekend and want to watch some telly, a glance at the schedule suggests you’ll do worse than dedicate a couple of hours to the program. We’ve no word on when, or if, the film will make it to the rest of the world or what sort of outlet might make it available. If you find yourself able to access the film where you reside, you’ll find the film gently entertaining but far from enlightening. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/assange_movie_review/

Global action takes down tech support scam

Australian, US and Canadian authorities have jointly proclaimed a victory over scammers who call punters and offer unsolicited and unnecessary tech support.

The scam has been running for years and involves a call from someone claiming to be an employee of Microsoft or another tech titan. If you answer, the caller explains that malware has been detected on your PC and helpfully offers to remove it. One remote desktop session and hefty credit card charge later – some charge up to US$450 for the service – the scammer either does nothing whatsoever or installs free anti-virus software.

The USA’s Federal Trade Commission (FTC), Australia’s Communications and Media Authority (ACMA) and Canada’s Radio-television and Telecommunications Commission (CRTC) have each emitted near-simultaneous statements proclaiming the success of operations directed at sources of the scam. Canada has named and fined two firms it deems responsible, while the USA has frozen the assets of six operators and initiated legal action against 16 companies and 17 individuals.

Australia is claiming credit for the bust, with ACMA saying it received complaints from Australians listed on the Do Not Call register that prohibits unsolicited telemarketing calls. As it investigated those complaints, ACMA passed on details to the FTC, setting in motion a process that concluded with a joint announcement by the three nations.

CRTC Chief Compliance and Enforcement Officer Andrea Rosen summed up the attitude of all three nations in saying “The coordinated actions taken by our agencies today send a strong message that telemarketers cannot use national borders to evade detection or pursuit by enforcement agencies.”

Fine sentiments, but ones that don’t mean it’s Game Over for these scammers, as the FTC notes they’ve also targeted punters in the UK, Ireland and New Zealand.

One of the firms named by the FTC is ‘Pecon Software UK Ltd’, an entity Companieshouse.co.uk says has a registered office on London’s Regent Street.

The FTC says some of the scammers “… hoped to avoid detection by consumers and law enforcers by using virtual offices that were actually just mail-forwarding facilities, and by using 80 different domain names and 130 different phone numbers.” Pecon’s website is registered in the .in domain and was down at the time of writing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/tech_support_scam_crushed/

Assange movie portrays hero as cold war rebel

Review A car passes through a foggy forest. In the back seat, memories wash through a floppy-haired teenaged boy’s mind. He recalls another night drive, one on which his mother spirited him away before a stepfather could despatch him to live on a creepy cult’s hidden commune.

Years later the family emerges from the same car and unpacks its belongings in a house the mother proclaims “cannot be seen from the road”. The teenager opens his suitcase and removes his prize possession: a Commodore 64.

Thus opens UNDERGROUND – The Julian Assange Story, an Australian dramatisation of Julian Assange’s early life that debuted at the Toronto Film Festival and will go to air for the first time this Sunday.

Assange is soon revealed as adept at phone phreaking, illegally logging on to banks, Commodore 64 repair and acquiring amorous attention from members of the opposite sex. Australia’s Federal Police, by contrast, aren’t sure they even have a computer with which to begin to track Assange, or Mendax, as he prefers to be known online.

Motivated by the fall of the Berlin Wall and his mother’s anti-nuclear activism, Assange starts to find online outlets for his emerging radicalism. Those pursuits prove more interesting than his pregnant girlfriend, to her understandable chagrin. The arrival of a son can’t divert him from his nocturnal online activities, and with Iraqi tanks rolling into Kuwait and the US responding, Assange feels he can influence global events by exposing truths he has found online.

Jordan Raskopoulos as Trax, Alex Williams as Julian Assange and Callan Mcauliffe as Prime Suspect

The resulting exploits make his online footprints easier to follow, the cops bumble less and the film becomes a reasonably predictable cop thriller.

Based partly on the book Underground: Tales of hacking, madness and obsession on the electronic frontier, to which Assange contributed research, the film is a little heavy-handed. Parts of the plot try to project facts about the Assange we know today onto the teenaged Assange. The early moments when the family dodges the cult, for example, are used to establish Assange as someone who only knows life on the run. The device feels forced.

Overall, Underground is a slick production by the standards of Australian television, which means it’s a little clunkier than the BBC Sinclair telemovie, Micro Men. It replicates that film’s knowing and respectful homage to computers of past ages, throwing in some delectable references to Australian alternative culture in the late 1980s along the way.

If you’re within the film’s Australian broadcast footprint this weekend, you’ll do worse than dedicate a couple of hours to the program. We’ve no word on when, or if, the film will make it to the rest of the world or what sort of outlet might make it available. If you find yourself able to access the film where you reside, you’ll find the film gently entertaining but far from enlightening. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/assange_movie_review/

Zombie-animating malnets increase 300% in just 6 months

Cybercrooks are beefing up the infrastructure behind the delivery of botnets, a move that is leading towards more potent and numerous threats, say researchers.

Botnet infections are commonly spread through compromised websites seeded with malicious scripts and promoted via black hat SEO tactics such as link farms. These malware networks, or malnets, pose a growing threat, according to a new study by web security firm Blue Coat.

Malnets largely deal in mass market malware and as such are different from advanced persistent threats (APTs) associated with cyber-espionage attacks targeting large corporations and Western governments. Attacks will be updated and changed, but the underlying infrastructure used to lure in users and deliver these attacks is reused. The ease with which cyber criminals can launch attacks using malnets creates a vicious cycle, a process by which individuals are lured to malware, infected, and then used to infect others.

First the malnet drives a user to the malware. Then the user’s computer is infected with a Trojan. Once the computer is compromised it can be used by the botnet to lure new users into the malnet by using the infected machine to send spam to email contact lists, for example. A compromised system can also be used to steal the victim’s personal information or money, and, in some cases, can also function as a jumping-off point for attacks on neighboring machines.

“Their [malnet] infrastructure is comprised of several thousand unique domains, servers and websites that work together to funnel users to a malware payload,” Tim Van Der Horst, a senior malware researcher at Blue Coat, explained. “This infrastructure of relay and exploit servers allows malnet operators to quickly launch new attacks that can be tailored to attract large groups of potential victims.”

Blue Coat expect malnets to account for more than two-thirds of all malicious cyber attacks in 2012. The firm is currently tracking more than 1,500 unique malnets, a 300 per cent (four-fold) increase from just six months ago.

The biggest malnet, dubbed Shnakule by Blue Coat, not only communicates frequently but also changes hostnames frequently, as the web filtering firm explains.

Shnakule is a wide-ranging malnet that engages in a variety of malfeasant activities, including fake AV, codec, Flash and browser updates, pornography, gambling and work-at-home scams. To scale the infrastructure to accommodate attacks associated with these activities, Shnakule operators bring new domains and servers online. Over the course of six months Shnakule used anywhere from 50 to 5,005 unique domain names per day.

Other malnets are more focused on specific malicious activities. Rubol, for example, is a spam ecosystem that operates in bursts. When it is actively launching attacks, the malnet will use as many as 476 unique domain names but this can drop to a single domain during inactive periods.

Search Engine Poisoning (SEP) continues to be the leading entry point into malnets, driving users to malware more than 35 per cent of the time. However, cyber criminals have moved away from targeting breaking news or big events. For example, of more than 28,000 successful search engine poisoning attacks in the weeks around the Olympics, only 0.18 per cent were related to the Olympics.

Email and pornography drive roughly 11 and 4 per cent, respectively, of malnet attacks. The biggest change in the last eight months has been the decline of social networking – from 6.5 per cent of all attacks to just over 1 per cent. “The full reasoning for this drop is not fully known, but part of it is attributable to greater awareness of social networking users and more robust policing of malicious content on the part of the social networks themselves,” Blue Coat explains.

Looking at malware delivery infrastructures rather than infected zombies, Blue Coat has reached the conclusion that the infamous ZeuS banking Trojan toolkit is in decline.

Over the last six months a new botnet, Aleuron, has risen to take its place. Activity from the Aleuron botnet increased 517 percent, surpassing Zeus and making it the most active botnet in the wild, according to Blue Coat.

The ease with which this infrastructure can be shifted to avoid detection or target a new group of users makes it especially tricky to eradicate malnets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/03/malnets/

NIST crowns next-gen hash algorithm Keccak as official SHA-3

A US government agency has selected cryptographic hash function Keccak as the new official SHA-3 algorithm.

The National Institute of Standards and Technology’s decision to pick the nippy system as the replacement for SHA-1 and SHA-2 marks the end of a six-year competitive process. Five algorithms were left in the running at the end, including crypto-guru Bruce Schneier’s Skein.

Keccak was put together by cryptographers Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, who work for STMicroelectronics and NXP Semiconductors. The NIST team praised the algorithm for its “elegant design and its ability to run well on many different computing devices”. The system is said to take 13 processor cycles on a 2.4GHz Intel Core 2 Duo to process each byte of data, and can be implemented in hardware.

SHA-2 is used in various security technologies, from SSL and SSH to PGP and IPsec, and must be used by law in certain US government applications. Like its predecessor, Keccak converts data into a shortened “message digest” from which it is hopefully impossible to recover the original information. The technique is used for digital signatures, verifying that the contents of software downloads have not been tampered with, and many other cryptographic applications.
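The download-verification use just described is the same whether the digest is SHA-2 or SHA-3: hash the bytes you received, compare against the digest the publisher published, and reject anything that differs by even a bit. The block below is an added example of that check and is not code from NIST or the Keccak team; it relies on Python's standard hashlib, whose "sha3_256" is the standardised SHA-3 instance of Keccak and whose "sha256" is the SHA-2 member it sits beside. The download bytes are constructed; only the two empty-input digests asserted in its test are fixed, published values.

```python
"""Message-digest verification with SHA-2 and SHA-3. Added example; not code from NIST or
the Keccak designers. DOWNLOADED_BYTES is a constructed stand-in for a downloaded installer."""
import hashlib
import hmac

DOWNLOADED_BYTES = b"example-installer-1.0 " * 64   # constructed sample payload


def digest(data, algorithm="sha3_256", chunk_size=16):
    """Hex digest of data, fed to the hash in chunks exactly as a large file would be streamed
    from disk; the result does not depend on the chunk size."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_download(data, expected_hex, algorithm="sha3_256"):
    """True only if data hashes to the publisher's expected digest.

    A digest proves integrity only relative to the value you trusted in the first place, so
    expected_hex has to come from a channel the party serving the download cannot rewrite
    (a signed release note, or a TLS-protected page on a different origin than the mirror)."""
    actual = digest(data, algorithm)
    expected = expected_hex.strip().lower()
    if len(actual) != len(expected):
        return False
    # Constant-time comparison: irrelevant for a local file check, essential when the same
    # routine runs on a server that an attacker can time.
    return hmac.compare_digest(actual, expected)


def flip_one_bit(data, position=0):
    """Copy of data with a single bit toggled: the smallest tampering a digest must still catch."""
    tampered = bytearray(data)
    tampered[position] ^= 0x01
    return bytes(tampered)


if __name__ == "__main__":
    good = digest(DOWNLOADED_BYTES)
    print("SHA3-256 :", good)
    print("SHA-256  :", digest(DOWNLOADED_BYTES, "sha256"))
    print("intact   :", verify_download(DOWNLOADED_BYTES, good))
    print("tampered :", verify_download(flip_one_bit(DOWNLOADED_BYTES), good))
```

Running it prints two unrelated-looking 64-hex-character digests for the same input, which is the point Schneier makes below about SHA-3 being "nothing like" SHA-2: the two families share no internal structure, so a weakness found in one gives no foothold on the other.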

Last month Schneier called for the competition to be left open, arguing the longer-bit SHA-2 variants remain secure and that the wannabe SHA-3 replacements do not offer much improvement in terms of speed and security. Getting crypto functions to work on smartphone processors and the like without pulling too much power and draining batteries has become a key design consideration in the design of cryptographic algorithms.

But Schneier accepted NIST’s decision to select Keccak with good grace.

“It’s a fine choice. I’m glad that SHA-3 is nothing like the SHA-2 family; something completely different is good,” he said.

“Congratulations to the Keccak team. Congratulations – and thank you – to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the cryptanalysis of hash functions by a lot.

“I know I just said that NIST should choose ‘no award’, mostly because too many options makes for a bad standard. I never thought they would listen to me, and – indeed – only made that suggestion after I knew it was too late to stop the choice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/03/sha-3/

Hackers leak 120,000 student records in raid on world’s top unis

Hackers have attacked the world’s top 100 universities in a protest against tuition fees and what’s deemed to be a falling quality of education.

Anonymous-affiliated Team GhostShell dumped information from 120,000 user accounts and student records after raiding servers at institutions including Princeton, Harvard, Cambridge and Imperial College London. Universities in Moscow, Rome and Tokyo were also hit in a string of database breaches that spanned three continents.

The leaked data includes email addresses, passwords, the names of students and faculty members, event schedules, and information best kept private. The sensitive records, obtained in a campaign dubbed Project West Wind, were uploaded to the web and linked to from a lengthy manifesto published on Pastebin. Curiously, the miscreants chose to use trendy source-code vault GitHub to host a collection of the snaffled databases.

The hacking crew said many of the university systems it infiltrated were already riddled with malware, a claim that is unfortunately all too believable. The dumped files contain URLs to PHP-scripted pages on the targeted institutions’ websites, along with the contents of SQL tables, suggesting that SQL injection attacks were used to extract information from the systems.
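The inference above, that SQL tables came out of PHP pages through injection, rests on the oldest web-application defect there is: user input spliced into the text of a query. The block below, an added example and not code from any of the institutions named or from the crew, puts that pattern beside its fix, a parameterised query, over a constructed in-memory SQLite table so the difference can be run rather than read. Only Python's standard sqlite3 module is used.

```python
"""A student-record lookup written with string concatenation, beside its parameterised form.
Added example; not code from any university or from GhostShell. The table is constructed."""
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a university web back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO students (name, email) VALUES (?, ?)",
        [("Ada Lovelace", "ada@example.edu"), ("Conor O'Brien", "conor@example.edu")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: the input becomes part of the SQL text, so quote and comment
    characters inside it change the statement's structure instead of being matched as data."""
    sql = "SELECT email FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Parameterised query: the driver binds the input as a value and never parses it as SQL."""
    rows = conn.execute("SELECT email FROM students WHERE name = ?", (name,))
    return [row[0] for row in rows]


def vulnerable_fails_on(conn, name):
    """True if the concatenating version cannot even handle name as an ordinary value."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # A perfectly legitimate name containing an apostrophe breaks the concatenated statement ...
    print("vulnerable, O'Brien :", "syntax error" if vulnerable_fails_on(db, "Conor O'Brien") else "ok")
    # ... and a value ending in a SQL comment marker silently changes what the statement asks.
    print("vulnerable, comment :", lookup_vulnerable(db, "Ada Lovelace' --"))
    # The parameterised form treats both strings as nothing more than values to compare.
    print("hardened, O'Brien   :", lookup_hardened(db, "Conor O'Brien"))
    print("hardened, comment   :", lookup_hardened(db, "Ada Lovelace' --"))
```

The apostrophe case is the cheap way to find this bug in a code review or a log: a back end that throws database errors on names like O'Brien is one whose queries are built from strings, and the same construction is what lets table contents be read out wholesale.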

GhostShell previously surfaced with the leak of documents and data lifted from government agencies, banks and consulting firms back in August. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/02/university_hacking_ghostshell/

Hackers break onto White House military network

Hackers reportedly attempted a brazen attack on a White House military network in charge of the president’s nuclear football.

US officials familiar with the incident said unidentified hackers launched an attack early last month on the network used by the White House Military Office (WHMO), a military office in charge of sensitive communications, including systems to send and authenticate nuclear strike commands. The office is also responsible for arranging presidential communications and travel. However, it seems only less significant systems were targeted by an assault that was, in any case, ultimately unsuccessful.

An unnamed Obama national security official said: “This was a spear phishing attack against an unclassified network.”

“In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place,” the official said, the Washington Free Beacon (a Conservative blog that broke the story) reports.

Follow-up reports suggest that a dodgy email with a malicious attachment made it past perimeter defences and onto someone’s desktop, where it might have been opened, and a machine infected. But this machine was quickly identified and isolated before any damage was done.

Rob Rachwald, director of security strategy at Imperva, said the attempted attack should nonetheless act as a wake up call.

“Yet again traditional security software has failed to keep the bad guys out. Enterprises need to assume that they have been compromised, which means we need to detect abnormal access to data and intellectual property. This is yet another example of why we need to rethink the current security model and implement a new one that puts cameras on sensitive information.”

The attack was launched from Chinese networks, which by itself doesn’t mean much. However, some officials seem to reckon the Chinese military cyber warfare specialists, working as part of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA, are the most likely suspects behind the attack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/01/white_house_hack/