STE WILLIAMS

Taiwan to ramp up cyberwar efforts

While budget constraints are crimping its overall military spending, Taiwan is going to increase its outlays on cyberwar, according to the Taipei Times.

The newspaper says the Ministry of National Defense has published plans to expand its Communication Electronics and Information Bureau, CEIB, adding a specialist “electronic and Internet warfare” group.

The new group is being launched in response to a Ministry assessment that China is increasing its offensive and defensive cyberwar capabilities.

The National Security Bureau has told AFP (syndicated at Phys.org here) that more than a million attacks were launched against its Websites in the six months to June, although “all the attacks were detected and blocked”.

The Ministry’s report also accuses China’s government and military of “using Internet viruses to attack Taiwan’s government, economic and military Websites”. Attacks are more common during disputes between Taiwan and China, the Ministry says.

The report also echoes America’s belief that attacks on “government networks across the globe … have almost all been traced back to China”, chiefly concentrating on information theft.

Taiwan also states that China is deploying jamming systems at People’s Liberation Army bases, fielding aircraft for early warning of jamming attacks, and deploying missiles designed to home in on enemy sources of radio emissions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/02/taiwan_ramp_up_cyberwar/

US congress wants a word with ZTE, Huawei

China’s dominant telco vendors ZTE Corp and Huawei will take part in US congressional hearings next month regarding investigations of alleged Chinese spy threats to US telecommunications infrastructure.

The House of Representatives Permanent Select Committee on Intelligence has invited both ZTE chairman Hou Weigui and Huawei deputy chairman Ken Hu to testify.

ZTE’s US arm confirmed its participation in the upcoming congressional hearing but Huawei has yet to publicly comment on whether any of its executives would take part.

The US House of Representatives Intelligence Committee, chaired by congressman Mike Rogers, has been investigating allegations of close ties between the Chinese government and both Huawei and ZTE since November, and has been discussing the possible introduction of legislation to deal with any related national-security threat.

In June, the panel issued letters to senior executives at Huawei and ZTE requesting detailed disclosure about Chinese government relations and their international pricing strategies. The letters included requests for deeper detail about the companies’ history, strategy, connections to the government of China and the Chinese Communist Party, and whether they can truly act as private companies.

Australian and New Zealand government officials have also been part of the panel’s investigations looking into how the vendors operate in foreign markets, according to Rogers.

Earlier this year in Australia, Huawei was excluded from bidding for any National Broadband Network contracts due to concerns over national security issues.

But last week Australia’s opposition communications spokesman Malcolm Turnbull made a vow that a coalition government would review the government’s decision to ban Huawei from the national broadband network roll out.

“We will review that decision in the light of all the advice in the event of us coming to government,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/03/huaweu_zte_in_us_spotlight/

Google engineer finds British spyware on PCs and smartphones

Two security researchers have found new evidence that lawfully sold spyware from British firm Gamma International appears to be in use by some of the most repressive regimes in the world.

Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments sent to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets.

The spying software has the capability to monitor and report back on calls and GPS positions from mobile phones, as well as recording Skype sessions on a PC, logging keystrokes, and controlling any cameras and microphones that are installed.

They report the code appears to be FinSpy, a commercial spyware sold to countries for police criminal investigations. FinSpy was developed by the German conglomerate Gamma Group and sold via the UK subsidiary Gamma International. In a statement to Bloomberg, managing director Martin Muench denied the company had any involvement.

“As you know we don’t normally discuss our clients but given this unique situation it’s only fair to say that Gamma has never sold their products to Bahrain,” he said. “It is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere.”

Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon’s EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.

Gamma and FinSpy gained notoriety last year when documents apparently from the company were found in the Egyptian security service headquarters when it was ransacked by protestors after the fall of Hosni Mubarak. These appear to be a proposal that the Egyptian government buy a five-month license for the software for €287,000. Again Gamma denied involvement.

But Marquis-Boire and Marczak told The New York Times that they appear to have found a link to Gamma in these latest code samples. The malware for Symbian phones uses a code certificate issued to Cyan Engineering, whose website is registered to one Johnny Geds.

The same name is listed as Gamma Group’s sales contact on the FinSpy proposal uncovered in the raid on Egypt’s security headquarters. Muench has confirmed they do employ someone of that name in sales but declined to comment further.

Commercial spyware is an increasingly lucrative racket, as El Reg has pointed out, and there’s growing evidence that Britain is one of the leading players in the market. Privacy International has formally warned the British government that it will be taking legal action on the issue and this latest research only adds weight to the issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/31/finspy_gamma_polcie_spying/

Chemical biz ‘Nitro’ hackers use Java to coat PCs in poison ivy

The crew behind last year’s “Nitro” industrial espionage attacks are among hackers exploiting the two potent Java security vulnerabilities patched this week.

The team, which attempted to lift sensitive blueprints from companies by compromising workers’ computers, is now using holes in Oracle’s software to install Poison Ivy on victims’ Windows machines, Symantec reports. A malicious Java applet is used to bypass the sandbox’s security checks and execute the Poison Ivy malware, which opens a backdoor on infected PCs to allow a remote attacker to gain control of the system.

The latest wave of attacks relies on the same command servers and involves components with the same file names as last year’s assault, which targeted chemical industry giants and defence contractors. A 20-something Chinese bloke dubbed Covert Grove was accused by Symantec [PDF] of being involved in that 2011 campaign, as the attacks were traced back to his server. There’s more on the Nitro attack in this analysis by Trend Micro.

Now that source code exploiting the new Java vulnerabilities is in the wild, it won’t just be the Nitro team seizing upon it to execute arbitrary software on victims’ machines. For example, code taking advantage of the holes has been added to the Blackhole exploit kit, which infects vulnerable computers when a punter visits a booby-trapped web page.

In addition, Sophos has intercepted spam emails purporting to be from the Dutch branch of the accountancy firm BDO Stoy Hayward that attempt to trick marks into running the Java attack code. The dodgy emails, which unusually include the exploit script in the body of messages, pose as communiques in Dutch about a rise in tax rates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/31/nitro_hackers_abuse_java_exploit/

Here we go again: Critical flaw found in just-patched Java

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday.

The company would not disclose specific details on the nature of the new vulnerability because it does not release such information to the public – a reasonable precaution.

However, Security Explorations founder and CEO Adam Gowdiak was able to confirm that the defect does affect Java SE 7 Update 7, which Oracle released this week as a rare out-of-band patch.

“The bug is related to some of our previous bugs reported to Oracle in April 2012 (and not yet patched) in such a way so that it allows to exploit them again,” Gowdiak told El Reg in an email.

As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.

Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet been found in the wild, but Gowdiak says he included proof-of-concept code with the report to demonstrate that an exploit is indeed possible.

Oracle has not acknowledged that the new vulnerability actually exists, but it has confirmed that it has received Security Explorations’ vulnerability report and is analyzing it.

Assuming Oracle does agree that the flaw exists, however, when it will be patched is anybody’s guess. The next scheduled Java Critical Patch Update (CPU) isn’t due until October 16 – and when Oracle released its last Java CPU in June, it had only patched two of the 31 flaws Security Explorations reported in April.

Oracle could release another emergency patch as it did this week, but such occasions have been rare for the database giant. It may be reluctant to do so again, given that the new flaw isn’t known to be under active attack.

That’s likely to happen soon, though. Now that the black hat community knows that a vulnerability exists, creating an exploit will only be a matter of locating it.

For the time being, given the apparent similarity of this flaw to the ones previously reported, users are advised to either disable Java in their browsers or uninstall it completely to avoid falling prey to any future exploits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

Philips databases pillaged and leaked SECOND time in a month

Electronics giant Philips has been hacked for the second time in a month and its databases raided.

Usernames and encrypted passwords were leaked after the breach. It is not clear at this moment whether email addresses or the actual contents of corporate emails were included in the records dumped from the company’s SQL databases. The lifted data was uploaded to various file hosting sites by hacktivists, who used blogs (since taken down by Google’s Blogspot service) and social networks, using the hashtag labels “AntiSec” and “LulzSecReborn” to spread the word.

“All together there is [sic] well over 200,000 emails with at least 1,000 of them have further vital credentials that could allow others to use the users personal information,” according to a website run by hacktivism network Anonymous. The site reports that Anon-affiliated hackers in Sweden announced the raid.

The latest attack follows a smaller leak of a few thousand records from Philips by r00tbeersec, another hacktivist crew, about a week ago.

The motives of both hacks appear to stem from a desire to expose the security shortcomings of large firms. Philips has yet to respond to our requests to comment on the matter, but we’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/31/philips_anon_hack/

Hertfordshire plod passwords leaked by pro-Assange data burglar

A UK police website has been hacked, exposing usernames, unencrypted passwords and other sensitive login details for more than 90 serving officers.

The miscreant who raided the Hertfordshire force’s database also lifted and leaked workplace phone numbers, email addresses, warrant numbers and PINs of the county’s Safer Neighbourhood Team.

The hacker claims to be a sympathiser of Julian Assange, who is holed up in Ecuador’s embassy in London to avoid extradition to Sweden, and the digital break-in is seen as a protest against efforts by UK police to arrest the Wikileaker-in-chief.

The home county’s top cops have suspended part of the knackered website as a precaution while tech sleuths investigate the breach, as this statement explains:

Hertfordshire Constabulary is currently investigating following the publication on the internet of information stored on a database linked to the public Safer Neighbourhoods pages of the external constabulary website.

As a precaution these pages have been temporarily disabled whilst the circumstances as to how this information was obtained are investigated.

There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the constabulary and an investigation is already under way.

The black hat hacker who claimed responsibility for the breach leaked what looks like records from the Hertfordshire Police website database along with a quote from Assange and an “OpFreeAssange” banner. The miscreant involved dissociated himself from Anonymous by saying he was not a member of the hacktivist collective.

He stated: “I am not a member of Anonymous. Do whatever the fuck you want with this information, I don’t give a fuck! This is nothing big not some l33t h4x shit… but this tells how insecure the web is.”

Anonymous has run a number of operations in support of Wikileaks and Assange over recent months, including attacking banks and PayPal for blocking the whistle-blowing website’s online fundraising efforts.

Cops are poised outside the Ecuadorian embassy in west London ready to cuff Assange should he attempt to make a break for it. The UK authorities have agreed to extradite Assange to Sweden for questioning over sexual assault allegations made by two women. The Wikileaks founder preempted his arrest by legging it to the embassy and successfully applying for asylum. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/31/herts_police_website_hack/

Oracle rushes out patch for critical 0-day Java exploit

In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities it had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn’t scheduled to be released until October 16.

Now, in an apparent capitulation to growing public concern over the exploits, Oracle has issued a rare out-of-band update for Java 7 that it says should ameliorate the threat.

According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7. Users on other platforms can visit the official Java website to download and install it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/30/oracle_issues_java_0day_patch/

Mystery virus attack blows Qatari gas giant RasGas offline

A mystery virus has infected the network of Qatar’s natural gas pumper RasGas, prompting bosses to pull the plug on the biz’s internet connection. Office systems have been unusable since the malware struck on 27 August, according to local reports.

In a fax to suppliers, the company reportedly said: “RasGas is presently experiencing technical issues with its office computer systems. We will inform you when our system is back up and running.”

The RasGas website, rasgas.com, remains unreachable at the time of writing on Thursday afternoon. A spokesman for the firm told Arabian Oil and Gas that the malware outbreak was not affecting gas extraction and processing.

The virus infection follows a strikingly similar attack against Saudi Aramco on 15 August, which hit 30,000 workstations and forced the world’s largest oil company to suspend access to its internal and remote networks for 10 days. Oil production activities were not affected by that outbreak either.

A hacktivist group called Cutting Sword of Justice claimed responsibility for the Saudi Aramco attack, characterising it as payback after the Saudi royal family moved to quell Arab Spring-style revolts in neighbouring countries. Circumstantial evidence suggests that Saudi Aramco was hit by Shamoon, a data-wiping strain of malware that’s also capable of swiping passwords and other sensitive information from infected Windows PCs.

RasGas is a joint venture between Qatar Petroleum and ExxonMobil that operates in Qatar, and annually exports as much as 36.3 million tonnes of liquefied natural gas. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/

Microsoft NZ exposes TechEd delegates’ passwords

Software used by Microsoft’s New Zealand outpost to register attendees for next week’s TechEd conference has exposed delegates’ passwords to unwelcome scrutiny.

Cross Kiwis have contacted The Reg to point out that emails from a third-party events management company offered a URL which they could click to print a barcode that would offer swift entry to the event.

But the URLs being distributed include the passwords that delegates used to create accounts to register for the event. The emails also include a value called “ID” that a sharp-eyed Reg reader tinkered with. As the reader told us: “The id=673 appears to be the event (TechED NZ) a quick change of the key= part of the URL to ‘password’, ‘passw0rd’, etc gave access to other people’s registration details!”

That meant the passwords were almost certainly stored in recoverable form rather than hashed, since the server could emit them into a URL, and, as our reader pointed out, every copy of the link sat in browser history and in the email itself. Because the lookup was keyed on a value that is neither unique nor secret, anyone who guessed a common password was handed whichever delegate happened to use it.

To make matters worse, delegates’ passwords were also printed as part of the barcodes on their tickets.

Microsoft acknowledged the problem on Thursday, New Zealand time, tweeting from the @techedlive account that speaks for the New Zealand event, that it is “aware of a security issue with our #tenz delegate barcode email” and is “… working towards resolving it.”

Microsoft New Zealand has since confirmed the issue and emitted a canned statement:

Unfortunately, the system used an incorrect field to populate the link URL. The system should have used a globally unique identifier (GUID) to authenticate a user, as opposed to their password. The site was quickly updated to prevent people from guessing userID-password combinations, but delegates with common passwords (such as “password”) could have had their barcodes discovered.

The statement went on to say that “All delegates were emailed a new link to their barcodes, which authenticates a user using a GUID. Microsoft New Zealand apologises for the inconvenience, but assures that this will not cause any issues at check-in, as all delegates are authenticated with photo ID.” ®
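The two failure modes in this story, a barcode link authenticated by the delegate’s own password and a lookup keyed on a guessable, non-unique value, are easiest to see side by side. The following is an added example written for this page, not Microsoft New Zealand’s or the events vendor’s code: the in-memory “database”, the sample delegates and the `example.invalid` host are constructed for the demonstration, and the hardened version uses a random per-registration token (any CSPRNG-generated value does the job the statement assigns to a GUID), stored only as a hash and with an expiry so a link lingering in browser history stops working.

```python
"""Added example (not the vendor's code): password-keyed barcode links vs.
unguessable, hashed, expiring per-registration tokens."""
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

EVENT_ID = 673  # the event identifier the Reg reader saw in the link

# Constructed sample of how the broken system evidently stored registrations:
# the plaintext password is available to the server, so it ends up in URLs.
VULNERABLE_DB = [
    {"id": EVENT_ID, "name": "Delegate A", "password": "password"},
    {"id": EVENT_ID, "name": "Delegate B", "password": "passw0rd"},
    {"id": EVENT_ID, "name": "Delegate C", "password": "c0rrect-h0rse-battery"},
]


def vulnerable_lookup(url: str) -> Optional[dict]:
    """Resolve a link the way the broken system did: match id= and key= (the
    delegate's password). key= is neither unique nor secret, so replacing it
    with a common password returns whichever delegate uses that password."""
    q = parse_qs(urlsplit(url).query)
    event_id = int(q.get("id", ["0"])[0])
    key = q.get("key", [""])[0]
    for row in VULNERABLE_DB:
        if row["id"] == event_id and row["password"] == key:
            return row
    return None


# ---------------------------- hardened version -----------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Passwords are kept only as a salted, slow hash. The server can verify a
    login but can never recover the password, so it cannot leak it in a URL
    or print it into a barcode."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def token_fingerprint(token: str) -> bytes:
    """Only the SHA-256 of the link token is stored, so a dumped table (cf. the
    Philips and Hertfordshire leaks on this page) yields no working links.
    Hashing before the dictionary lookup also means response timing can only
    reveal facts about the hash, which the attacker cannot choose."""
    return hashlib.sha256(token.encode()).digest()


class Registrations:
    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.rows = {}          # token fingerprint -> registration record
        self.ttl = ttl_seconds  # links stop working after this long

    def register(self, name: str, password: str, now: float) -> str:
        """Create a delegate; return the one-time-shown link token, which is
        256 bits from the OS CSPRNG and unrelated to the password."""
        salt, pw_hash = hash_password(password)
        token = secrets.token_urlsafe(32)
        self.rows[token_fingerprint(token)] = {
            "name": name,
            "salt": salt,
            "pw_hash": pw_hash,
            "expires": now + self.ttl,
        }
        return token

    def barcode_link(self, base_url: str, token: str) -> str:
        # The link carries the random token, never anything the delegate chose.
        return f"{base_url}?{urlencode({'id': EVENT_ID, 'key': token})}"

    def lookup(self, url: str, now: float) -> Optional[dict]:
        """Resolve a link by token fingerprint and refuse expired tokens, so a
        URL left in browser history or a forwarded email has a bounded life."""
        q = parse_qs(urlsplit(url).query)
        key = q.get("key", [""])[0]
        row = self.rows.get(token_fingerprint(key))
        if row is None or row["expires"] <= now:
            return None
        return row


if __name__ == "__main__":
    base = "https://example.invalid/barcode"
    # The reader's trick against the vulnerable lookup:
    print(vulnerable_lookup(f"{base}?id={EVENT_ID}&key=password")["name"])
    # The same guess against the hardened store finds nothing:
    reg = Registrations()
    tok = reg.register("Delegate A", "password", now=0.0)
    print(reg.lookup(f"{base}?id={EVENT_ID}&key=password", now=0.0))
    print(reg.lookup(reg.barcode_link(base, tok), now=0.0)["name"])
```

The design point is that the `key=` value a link authenticates with must be something only the server and that one delegate ever hold; a password fails that test twice over, because it is chosen from a small human space and because the server should never have it in a recoverable form to begin with. Using photo ID at check-in, as the statement describes, limits the damage from a guessed barcode but does nothing about the registration details the link itself exposed.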

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/30/microsoft_new_zealand_exposes_teched_passwords/