STE WILLIAMS

Two suspected Taiwanese drug smugglers have been accused of an ambitious plot to smuggle some pretty serious military technology including a US drone out of the States and into China.

Hui Sheng Shen and Huan Ling Chang, who have been in custody since February for allegedly smuggling methamphetamine into the US, will be formally charged with conspiracy to violate the Arms Export Control Act, according to an AP report.

The two were caught in an undercover FBI sting which caught them on tape claiming that their clients in the Chinese government were keen on acquiring US drones as well as stealth technology, anti-aircraft systems and even an E-2 Hawkeye early warning aircraft.

The two reportedly ignored the undercover Feds’ repeated cautioning that they would not like to profit from any kit which would harm US interests, with Shen saying, “I think that all items would hurt America.”

“The people we met, they come from Beijing. … They work for Beijing government … some kind of intelligence company for Chinese government — like C.I.A,” Shen reportedly told the agents. “They are spies.”

Shen also boasted that he could use scuba divers to transport parts of the kit underwater from Port Newark-Elizabeth Marine Terminal to a ship waiting offshore – a similar technique to that which he allegedly used to smuggle drugs.

The two had been under surveillance for a year and were arrested a couple of months back for a rather less headline-grabbing investigation into counterfeit UGG boots being smuggled into New Jersey. From small acorns and all that…

The news will be of minor embarrassment to the Chinese authorities given that, as usual, there is apparently no concrete proof linking any official involvement in the plot.

However it does come just days after a Pentagon report accused the People’s Republic of “economic espionage” facilitated by widespread hacking and designed to accelerate the development of its military and space technology.

China was forced to strongly deny the allegations in the report, which claimed to have identified 26 separate occasions since 2006 on which China tried to get hold of space launch data and sensitive info on cruise missiles and other military equipment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/taiwan_spies_smuggle_us_military_tech/

Infosec 2012 The UK’s Information Commissioner’s Office is looking to spend around £3m on its IT, with an invitation for tenders expected at the end of next month.

Information commissioner Christopher Graham told vendors at Infosec during his keynote speech that the ICO hoped to publish its procurement notice in the Official Journal of the European Union, seeking a vendor to provide his office with IT services.

Graham said the office would be spending about 20 per cent of its £15m budget on IT.

The commissioner also said that the ICO had handed out 14 civil monetary penalties (CMPs), the office’s fancy name for fines, for data protection breaches in the 18 months since he was given the power to do so.

Graham was keen to prove that the ICO wasn’t just a toothless watchdog, but the fact that the majority of the penalties had gone to local authorities and other public bodies raised questions about the office’s authority in the private sector.

However, Graham said that public bodies simply had more personal data than businesses so their breaches were often more serious. The penalties were only meant to be used when there had been a serious breach and if the offenders quickly fixed the problem and put in policies to make sure it would never happen again, they may not be fined, he said.

Data protection breaches were also taken more seriously by the ICO when the data controller wasn’t up to scratch or the business hadn’t taken steps to ensure their staff handled private information carefully.

He cited the example of one local authority where child protection papers were faxed off to the wrong place.

“[The authority] said that all the policies were in place, everybody was trained, it was all fine, nothing to see here,” he said.

“But my people said, “Certainly not, this could happen again tomorrow”.

“It happened that afternoon, exactly the same stupid faxing error and that’s one of the reasons why a CMP was appropriate.”

The commissioner was also asked by an Infosec attendee what he thought of the proposed web-snoop law and how that fit in with his mandate to protect people’s privacy .

“You’re referring to something that’s called the Communications Capability Directive. We believe there’s going to be something in the Queen’s speech, whether it’s going to be a bill or a draft, I don’t know,” he said.

“I would prefer to wait and see what’s in the bill, but… I think if you’re going to justify this invasion of privacy, you’ve got to make your case for it and you’ve got to mitigate any threats by showing that you’ve got limitations in place… and safeguards to make sure this honey-pot is not accessed by just anyone.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/ico_it_services_tender/

Facebook has formed a two-faceted relationship with five prominent players from the security industry.

The first facet will be invisible to most, as it will see the social network share its URL blacklists with those generated by Microsoft, McAfee, TrendMicro, Sophos, and Symantec. Facebook says pooling resources in this way will make it less likely that its users are sent to known sources of malware or other online nasties.

The second part of the deal is expressed at the new Facebook AntiVirus Marketplace, a page where the five vendors above now offer their security wares for sale. Software downloaded from the page is free, but only updates with new antivirus signatures for six months. Microsoft’s Security Essentials is Redmond’s offering and usually offers free updates in perpetuity. It’s not clear if the version offered through Facebook limits the free update period.

The five vendors will also blog on Facebook’s security blog, where the new deal was announced. reg

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/facebook_av_marketplace/

British web hosting outfit UK2.NET was on the business end of a distributed denial-of-service attack last night that took down customers’ websites.

The company’s chief operating officer, Martin Baker, told The Register that UK2 had never seen a DDOS attack on this scale before.

“There was a botnet attack last night on our DNS servers. It was intermittent for people so they might see some sites up or down depending on when they’re making the requests for pages,” he explained. “We saw around 10 million apparently unique IPs attack us.”

UK2 saw the peak of the attack at around midnight although customers first started seeing problems with their websites yesterday afternoon.

“We took various actions to trace this back to the IP addresses that they were attacking from so once we identified that we were able to put in mitigating activities to reduce it down and managed to get it off our network by about 3am,” Baker said.

“The scale [of the attack] just took us longer than usual to mitigate,” he added.

This isn’t the first time UK2 has fended off a DDoS attack as the company is seen as a prospective target due to its size, Baker said. He added that customer websites might still be having problems today, but it should all be cleared up by late tonight.

“The way that DNS works is that it’s cached elsewhere across the internet so it will take the time that it takes those servers to get refreshed by the internet [to totally clear up], so it could take up to 24 hours for it to refresh all the way through,” he said.

Punters had, of course, taken to Twitter to express their outrage as their websites fell off the net, although not in large numbers. Some complained that UK2’s service status page wasn’t kept up to date.

While the firm’s status site did mention that some domains “may be experiencing slow DNS lookups at the moment”, the last update was given at 4.51pm yesterday. One tweeter mildly put it: “@UK2 are you at least going to update your service status page to apologise for the downtime? even a statement on twitter would help!!!” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/uk2net_outage_in_ddos_attack/

VMware has confirmed that software posted online is part of the source code for its ESX hypervisor and has warned that more code could be released.

The code was posted by a hacker calling himself Hardcore Charlie and may come from military contractor China National Import Export Corp (CEIEC), which he claimed to have successfully breached earlier in the month and downloaded over a terabyte of information. The CEIEC has denied that its servers were breached.

An excerpt of the stolen code

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” said Iain Mulholland, director of VMware’s Security Response Center in a blog posting.

“VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources to thoroughly investigate.”

While the admission is embarrassing for VMware there may be more code to come from other vendors. Hardcore Charlie has said on his Twitter feed that he also has EMC code that will be put up online at a later date.

“Because of this success, virtual infrastructure is a prime target for attack – so the theft of VMware ESX source code, similar to RSA’s breach last year, is no surprise,” said Eric Chiu, president of cloud vendor HyTrust. “Platform security for virtual infrastructure is a must — without securing the virtual infrastructure, enterprises are leaving a huge area of their datacenter open to attack.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/vmware_source_code_leak/

The White House has said that the Cyber Intelligence Sharing and Protection Act (CISPA), currently before the US House of Representatives, lacks enough privacy protections in its current form and will probably be vetoed if passed.

A statement from the White House Office of Management and Budget said that, while the importance of protecting the national infrastructure from online attacks is paramount, it “strongly opposes” the bill because it lacks proper oversight, could seriously damage individuals’ privacy and hands over responsibility for domestic cybersecurity to the NSA, rather than to a civilian body.

“Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security,” the statement reads.

“The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues. However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill.”

The bill as it stands sets up a mechanism for government cybersecurity agencies to share threat data with commercial companies, and sets up a mechanism whereby companies can share user information with the government on a voluntary basis. It includes full legal immunity for those companies that participate from any legal action brought by consumers who would like their data to remain private.

This legal shield is a major sticking point with the White House. The statement points out that CISPA would allow companies to dodge any legal action from consumers over data protection, if it could be shown that cybersecurity was involved.

CISPA was introduced in November by introduced by representatives Mike Rogers (R-MI) and “Dutch” Ruppersberger (D-MD) and has 112 co-sponsors, indicating strong support. The White House has obliquely warned against the legislation but now appears to have taken the gloves off and is actively trying to discourage it.

The bill has a lot of cheerleaders from the technology industry, with IBM, Intel, Facebook, Microsoft, Oracle, EMC and others sending in letters of support for the legislation, although none of them would comment when El Reg called. Facebook did issue a general statement that is supported the bill because any information sharing would be voluntary, and so would allow Facebook not to participate.

The bill’s sponsors have been meeting with privacy groups to try and hammer out a compromise, and the Center for Democracy and Technology (CDT) announced significant progress has been made in tightening up privacy controls.

“The House Intelligence Committee has agreed to support certain amendments that will improve CISPA in terms of privacy and civil liberties,” blogged CDT senior counsel Greg Nojeim. “However, the Committee-supported amendments leave two key issues unresolved – the flow of information to the super-secret National Security Agency and the broad purposes for which that information can be used.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/white_house_cispa_veto/

Efforts by Apple and anti-virus vendors to kill the vast botnet assembled by notorious Flashback Mac Trojan may be much less successful than previously thought.

Symantec last week suggested the Mac botnet shrank from a peak of 670,000 to 140,000 following the release of clean-up tools.

But the Russian anti-virus firm Dr. Web says the figures are wrong because infected machines that contact a particular server freeze up and do not contact vendor-established sinkholes. These machines are not counted, even though they are still infected.

Dr. Web thinks 570,000 systems are still infected by the Flashback Trojan. Symantec concedes that Dr. Web has a point and in response has revised figures upwards, albeit to the more modest figure of 185,000.

“A recent Dr. Web blog post reveals our sinkholes are receiving limited infection counts for OSX.Flashback.K,” Symantec explains in an updated advisory. “A sinkhole registered at IP address 74.207.249.7 is causing Flashback connections to hang as it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains.”

The Flashback Trojan created a zombie army of 650,000 Apple Macs, or more, by exploiting a Java security vulnerability that Apple patched is early April, some six weeks after a patch for Windows machines became available. Mac users only needed to visit an infected site to get hit – no user interaction was required.

The initial success of the worm has spawned a series of copy-cat attacks. Flashback-S. Mac security specialist Intego reports that Flashback-S cleans itself from the Java cache to avoid detection. Flashback-S spreads by taking advantage of the same Java vulnerability as the original Trojan.

Analysts from Kaspersky have traced the initial spread of Flashback from somewhere between 30,000 to 100,000 vulnerable WordPress blogs. It thinks a Russian cyber-criminal partner programme is behind the distribution of the malware.®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/flashback_mac_trojan_update/

Budding chief information security officers (CISOs) would be better off boning up on business, communication, and risk management skills than getting bogged down in detailed discussions about technology, according to a panel of senior security professionals.

The overwhelming message from the InfoSecurity Summit 2012 in Hong Kong, was that CISOs need to be trusted and they need to add value, but most importantly they must understand risk in all areas of the business and then manage that risk proactively.

“The days of the CISO being technology-focused are over; the role is much more transversal now,” argued Jerome Walter, chief security officer Asia Pacific at French bank Natixis. “You should build relationships. Each department has different risk, different issues and you need to create an image of trust so they’ll come to you.”

Thomas Parenty, MD of fraud prevention firm Parenty Consulting, agreed, adding that security should never be approached out of context of the business.

“You need to deeply understand what the business does to be effective,” he said. “You need to better understand how the business operates more than you need to know about the security technology – that can be handled by someone else.”

This is not to say that CISOs should have no competence in technology, however, according to Dale Johnstone, who heads up security and risk management at the Hong Kong Hospital Authority.

“The fundamental principles of security have stayed the same over the years and a good CISO has to have enough understanding of technology to communicate with the tecchie people and the higher level management,” he explained.

“However, today they’re very reactive: fire-fighting and waiting for problems to happen rather than putting together an overall strategic plan.”

Trying to protect all the organisation’s information all the time can be challenging, especially when the bad guys can put all their resources into nabbing just one bit of it.

Thus, being able to discern “the pythons from the cockroaches” – or those attacks which could seriously damage a firm and those which aren’t so dangerous – is also a key skill, according to Vikalp Shrivastava, info security boss at casino group Melco Crown Entertainment.

There was one final piece of important advice for budding CISOs from Steve Tunstall, head of corporate risk at Cathay Pacific Airways: beware the regulators.

“What scares me is that data moves so fast. For many years our data was in mainframes, but over the past few years that shoe box has not only become porous, now it’s disappeared,” he argued.

“I don’t know where half the stuff is now. Regulators are slow to catch on but when they do the penalties are getting worse and worse. If you’re not alive to the latest changes in penalties you will be when a writ arrives on your desk.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/ciso_advice_risk_management/

Malware discovered at an Iranian oil terminal forced Iran to disconnect key oil facilities on Sunday.

Authorities said an unnamed data-deleting virus prompted them to disconnect the main oil export terminal on Kharg Island in the Persian Gulf. The websites of the Iranian oil ministry and the National Iranian Oil firm went dark for two days after the virus first struck on Sunday. The sites were back up on Tuesday.

Hamdolah Mohammadnejad, Iran’s deputy oil minister, who is leading a response committee, told the official IRNA news agency that rapid action had limited the virus’s spread.

“We shut computers connected to these servers temporarily and fortunately we were able to stop its spread. Thus no information or data were harmed,” he said.

“We are investigating the causes of these cyber problems and in the next two to three days we hope the problems will be solved,” he added.

David Harley, senior research fellow at anti-virus firm ESET, commented: “At present, it is difficult to say exactly how the virus (if it was, in fact, a virus) was able to infiltrate Iran’s systems.

“Iran’s computing environments are a little unusual, in that there are no legitimate channels for directly supplying and maintaining standard operating systems and apps. This may result in greater [than] usual exposure to all kinds of exploits.”

Although details are sketchy, it seems like the malware is unrelated to Stuxnet, a sophisticated worm that sabotaged control systems running uranium enrichment centrifuges at Iran’s Natanz nuclear facility.

Harley added: “The Stuxnet payload is very hardware-specific, whereas this malware appears to have stolen and/or destroyed data. It may be related, of course, especially if it turns out that it is targeted.

“Without knowing the capabilities of the Iranian ‘Cyber Crisis Committee’, its usefulness depends on who is on it, their understanding of cyber attacks, and how much influence and authority they wield. It makes sense to have a proactive crisis management team. On the other hand, a team that is over-influenced by political or self-serving considerations may do more harm than good,” the researcher said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/iran_oil_industry_malware/

Infosec 2012 Secure Shell (SSH) certificate management – a key internet protocol used for remote access and file transfer for nearly 20 years now – can become quite a tangled issue if there isn’t a clear management policy in place, and SSH Communications Security, one of the security exhibitors at Infosec, claims it has a solution.

SSH is a key internet protocol used for remote access and file transfer in countless organisations. The tech has been around since 1995 and has become a ubiquitous component in network systems in the 17 years since then. The protocol is used for the secure transfer of product and price lists, banking data and other classes of information. Often the technology comes bundled as a component of other software tools.

Typically organisations create a new key pair for every new application, authorised users and automated service account. Over time this has left organisations with sometimes hundreds of thousands of SSH key ‘pairs’ but without a clear idea what they are used for or on which system. Key pairs ought to be updated at least every two years but there is easy way to do this and organisations are wary of retiring keys in case the process breaks the legacy system. Applications, user and service accounts each have public and private key pairs to communicate securely with target SSH servers.

SSH Communications Security is punting a management platform to help combat this.

“Enterprises’ most critical data and applications are often transported and housed on SSH and OpenSSH servers,” said Tatu Ylönen, chief exec of SSH Communications Security and inventor of SSH-1. “Those enterprises using public key authentication to manage access to those servers are faced with a significant challenge today in terms of knowing who and what may access those servers. This is not only a major security and compliance risk, however it is also a cost issue. Many organisations manage this function manually with little or no oversight.”

Enterprises sometimes approve access to key pairs through permissions in Active Directory, but that wouldn’t stop a rogue employee who had access to key pairs at any time from abusing unrevoked access to key systems to cause damage. In addition, PCI-DSS auditors are beginning to take a closer interest in how firms manage their SSH key infrastructure, according to Ylönen. “As the scale of SSH deployment grows you get more problems because organisation have no visibility into who has access to what,” Ylönen added. “Organisations might install thousands of new key pairs every year. More than half of their SSH keys would still be in use but organisations often don’t know which they are.”

SSH Communications Security is aiming to untangle this crypto key hairball through a User Key Management Tool. The module, which bolts into SSH’s Information Integrity Platform, automates the process of identifying, organising and recycling SSH keys within a user’s environment. It was launched at the RSA Conference in San Francisco back in February. It has gone though a number of trails since prior to its European showcase debut at this week’s Infosecurity Europe Conference.

The key management tool comes as either software, a virtual appliance or a hardware appliance. All three form factors of the technology are capable of handling both SSH and OpenSSH keys. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/ssh_key_management/