STE WILLIAMS

Sophos shutters partner portal after hack attack

Sophos has shut down its portal for partners after finding two software packages on its servers designed to allow access to them – and possibly to user data stored there, as well.

The security software firm posted a statement on the portal explaining that it had spotted suspicious behavior on some of its servers this Tuesday. An investigation revealed two dodgy applications, which a preliminary examination suggests are designed to harvest login information. Sophos shut the portal down, just to be on the safe side.

“We don’t believe anything was stolen, but are proceeding with an abundance of caution,” Chet Wisniewski, senior security advisor at Sophos told The Register. “It will remain offline while we are completing our investigation. We will bring it back online once we are sure it is safe to do so.”

Sophos says that the system stored partners’ names and business addresses, email addresses, contact details, and hashed passwords, and that only its older portal, and not the newer SFDC (Salesforce.com) system, was breached. When it’s back up and running (which, given the Holy Week holiday, is unlikely to be before next week) users will be asked to reset passwords as a precaution.

“We realize that the site’s downtime and the forced password resets may be an overreaction and are sorry for the disruption this will cause, but we would rather cause some inconvenience at this stage than delay as we wait for further information,” the advisory reads.

While this kind of thing is embarrassing for any security firm, Sophos isn’t alone in having its systems breached recently. A leak from Microsoft’s Active Protections Program (MAPP) last month saw attack code released onto the web, and Symantec admitted at the start of the year that some of its source code had gone missing, following a leak at a third-party supplier. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/05/sophos_partner_site_infected/

550,000-strong army of Mac zombies spreads across world

The Mac-specific Flashback Trojan created a zombie army of 550,000 Mac machines by exploiting a Java hole that Apple only patched on Tuesday, six weeks after Microsoft plugged it up on Windows machines.

This is according to Russian anti-virus firm Dr Web, which arrived at the figure after it successfully managed to sinkhole one of the command-and-control servers used to control Mac machines hit by the latest attack. The legions of compromised zombies were mostly located in the US (56.6 per cent, or 303,449 infected hosts), Canada (19.8 per cent, or 106,379 infected computers) and the UK (12.8 per cent or 68,577 cases of infection).

The Flashback malware was capable of installing itself on unprotected Mac machines without user interaction, a factor that goes a long way in explaining the success of its spread. Users become infected simply by visiting a site loaded with exploit code, in drive-by-download-style attacks.

“Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit,” Dr Web explains.

The malware establishes a back door on compromised systems for the subsequent download of additional cyber-bugs.

Additional payloads downloaded by the malware included a data-stealing Trojan that attempts to lift passwords and banking information from Safari as well as a search-hijacking tool.

The latter utility was probably designed to power click-fraud scams or to redirect victims towards scareware portals, net security firm Sophos notes.

Attackers first began to exploit two earlier Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353) to spread malware in February 2012, before switching to another exploit (CVE-2012-0507) on 16 March – to devastating effect. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/05/flashback_trojan_botnet/

Anonymous turns its fire on China

Hacktivist group Anonymous has finally turned its attention to the People’s Republic of China, claiming to have defaced more than 480 web sites over the past few days including government sites, whilst urging Chinese hackers to join its cause.

The group apparently began its campaign in the region with the launch of its AnonymousChina Twitter account, which seems to have begun tweeting on 30 March.

In a list posted to Pastebin, the group claimed to have defaced over 480 sites, including several belonging to regional Chinese government organisations in areas such as Chengdu and Dalian.

In several separate posts Anonymous also claimed to have hacked and leaked user names, password details, phone numbers and emails from various government sites.

All the sites on the list we tried now appear to have been taken down, although the Wall Street Journal managed to take a screen grab showing the following message in English:

Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall. So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. With no mercy.

According to the WSJ, the message also contained a link to an Anonymous site detailing how Chinese web users can bypass the Great Firewall, although at the time of writing this site appears to have been killed.

Not content with that, the group also posted another message to Pastebin, urging the Chinese people to revolt.

“So, we are writing this message to tell you that you should protest, you should revolt yourself protesting and who has the skills for hacking and programming and design and other ‘computer things’ come to our IRC,” the note read.

This is the first major Anonymous campaign targeting China, which is somewhat strange given the government’s hardline stance on web censorship and human rights – two issues guaranteed to get the group’s attention.

In fact, the hacking of several minor regional government sites is unlikely to cause much consternation at Communist Party headquarters, and the group’s messages on Pastebin and posted on the defaced sites will largely have failed to reach their audience given that they were written in English.

Anonymous seems to be working on the latter issue, however, having sent a tweet out calling for help from would-be translators.

Given China’s strict web controls on social media, it’s unlikely that the group will be able to broadcast its message on platforms such as Sina Weibo and Tencent Weibo, so for the time being it’ll have to stick to Twitter – banned in China – and defacing web sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/05/anonymous_china_hacks/

Fake cop Trojan ‘detects offensive materials’ on PCs, demands money

Security firms are warning about a rash of police-themed ransomware attacks.

The Reveton Trojan warns victims that illegal content has supposedly been detected on infected machines, displaying a message supposedly from local police agencies demanding payment to unlock machines.

To unlock an infected machine, marks are invited to purchase a Paysafecard and pay €100 to obtain an unlock code. But in reality users need not hand over any dosh to regain control of their PCs. Control of infected machines can be established by following a few simple steps, as outlined in a blog post by F-Secure here. Similar recovery instructions from Microsoft can be found here.

Cybercrooks are obviously hoping that victims will be panicked into complying with their demands without seeking external help.

“Even when somebody is savvy enough to recognise the message is a fake, the malware’s accusations of offensive materials having been discovered on the user’s hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help,” the Finnish security firm notes.

Trend Micro reckons some of the people peddling the Reveton Trojan were also involved in the high-profile DNSChanger Trojan scam, the target of a successful FBI-led takedown operation last November.

“The same people peddling this Trojan are also heavily involved in other malware and are very invested in this business,” writes David Sancho, a senior threat researcher at Trend Micro. “For instance, we have found that they were affiliates of the DNSChanger Trojan program called Nelicash that Rove Digital was sponsoring for a few years.

“The main persons behind Rove Digital were arrested on November 8 2011 after a two year investigation by the FBI, the NASA Office of the Inspector General and Estonian police in collaboration with Trend Micro and other industry partners. So we might have found an important clue who is behind the police Trojan.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/05/police_themed_ransomware/

Apple plugs Java hole after Flashback Trojan intrusion

Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan.

The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago.

Apple’s new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.

Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-Secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk. More discussion on the Apple Java security update, and the reasons users may want to disable Java in their browsers, can be found in a blog post by Chester Wisniewski on Sophos’s Naked Security blog here.

In related news, Mozilla introduced changes in Firefox on Monday that will block older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. “Blocklisting” forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.

Commentary on both the Apple update and the Mozilla plugin changes can be found in a blog post by Wolfgang Kandek, CTO at vulnerability scanning firm Qualys, here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/04/apple_java_update/

Google plonks reCAPTCHA on Street View, makes users ID your house

Exclusive Google is getting the public to identify house numbers and signs from Street View photos as part of its reCAPTCHA anti-spam technology – and feeding the data into its online mapping service.

Reg reader Jim Allen was first to notice that photos began appearing in the reCAPTCHA tests over the last week or so. These images are obviously numbers on doors, either on apartments or houses, and words from signs. Google has confirmed as much.

[Image: reCAPTCHAs collected on 29 and 30 March]

The web giant bought the reCAPTCHA system in September 2009 after it was spun off from research on CAPTCHAs* at Carnegie Mellon University.

One long-standing feature of reCAPTCHA is its ability to help decode passages from scanned printed pages: one of the words shown is generated by software and known to reCAPTCHA, while the other image is of an unrecognised word from a difficult scan that a web visitor must identify.

While reCAPTCHA blocks spammers and other miscreants, Google benefits from human-powered optical character recognition.

Many sites including Facebook, TicketMaster and Twitter use Google reCAPTCHA technology as part of their sign-up process. reCAPTCHA has been applied to digitise the archives of The New York Times and tomes for Google Books.

A spokesman from the ad-broking giant confirmed our reader’s theory that the images are from Street View photos – which are captured from cameras on roving Google cars and fed into the web giant’s online map service. The spokesman said:

We’re currently running an experiment in which characters from Street View images are appearing in CAPTCHAs. We often extract data such as street names and traffic signs from Street View imagery to improve Google Maps with useful information like business addresses and locations.

Based on the data and results of these reCAPTCHA tests, we’ll determine if using imagery might also be an effective way to further refine our tools for fighting machine and bot-related abuse online.

The statement confirms that Google is using the general public to “read” house numbers on Google Street View photos in an extension to its declared purpose of digitising “books, newspapers and old-time radio shows”.

Nicholas Johnston, an anti-spam expert at Symantec MessageLabs, said the application of the reCAPTCHA technology to identify building numbers in Street View may impact its effectiveness as an anti-spam tool, though this is far from clear.

“Whether this impacts the security of reCAPTCHA — used on many websites to prevent abuse — depends on exactly how this feature is implemented,” Johnston explained.

“reCAPTCHA works by presenting a CAPTCHA image consisting of two words: a known control word and an unknown word. To solve the CAPTCHA, only the control word must be entered correctly. The unknown word gradually gets a higher confidence rating as more users submit the same text for it. reCAPTCHA users don’t know which word is which.”

Johnston added: “If we assume Google’s objective is to get reCAPTCHA users to determine building numbers from Street View images, these ‘number images’ would be the unknown part of the CAPTCHA, so users would not have to solve that part. Instead, they would just have to solve the control word.

“However, if the ‘number images’ are always used as the unknown part of the CAPTCHA, and as the number images are easily distinguishable from the normal words (normal words have a plain white background, building numbers have a complex, photographic background), it could reduce the complexity of programmatically defeating the CAPTCHA, as just an easy-to-determine part of the CAPTCHA would have to be solved.

“If the ‘number images’ are always the control part of the CAPTCHA, then it would be easier still to solve the CAPTCHA programmatically, as the numbers (at least in the examples we’ve seen) are shorter and use a much smaller set of possible characters.”

Much depends on the implementation of number recognition within reCAPTCHA, Johnston cautioned.

“It’s likely that instead of either only the ‘number images’ or normal words always being used as the control, sometimes number images are used as the control, and sometimes words are used as the control.

“Without knowing which part of the CAPTCHA is the control, anyone trying to defeat it programmatically would have to guess, and would probably have a pretty low overall CAPTCHA solving rate. This change to reCAPTCHA means that anyone attempting to defeat it programmatically must develop specialist OCR for the ‘number images’ as well,” he said. ®
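To make the control/unknown trade-off Johnston describes concrete, here is a small simulation added for this page (it is not Google's code; its word list, house-number crops and three-vote agreement threshold are constructed assumptions). The server grades only the control image and tallies readings of the unknown number crop. A bot that can OCR the short digit crops but not the distorted words passes exactly as often as the number crop happens to be the control, and the crowd only ever "reads" a crop for Google when it is the unknown half of the challenge.

```python
import random
from collections import Counter, defaultdict

# Constructed sample data, not real reCAPTCHA material: plain-background scan
# words whose answer the server already knows, and photographic house-number
# crops (keyed by an id) whose answer it is trying to learn from the crowd.
SCAN_WORDS = ["overflow", "gazette", "tribune", "almanac", "harbour"]
NUMBER_CROPS = {"crop-1": "1487", "crop-2": "23A", "crop-3": "301", "crop-4": "9"}
AGREEMENT_NEEDED = 3  # assumption: a crop counts as "read" once 3 humans agree


class ReCaptchaSim:
    """Server side of a two-image challenge: one control image (answer known,
    graded) and one unknown image (not graded; answers are tallied so the
    service can learn its text). The client can tell which image is the
    photographic number, but never which one is the control."""

    def __init__(self, number_as_control_prob, seed=0):
        self.p = number_as_control_prob      # how often the number crop is the control
        self.rng = random.Random(seed)
        self.tally = defaultdict(Counter)    # crop id -> Counter of submitted readings
        self.resolved = {}                   # crop id -> crowd-agreed reading

    def new_challenge(self):
        word = self.rng.choice(SCAN_WORDS)
        crop_id = self.rng.choice(sorted(NUMBER_CROPS))
        if self.rng.random() < self.p:
            roles = {"number": "control", "word": "unknown"}
        else:
            roles = {"word": "control", "number": "unknown"}
        images = [("word", word), ("number", crop_id)]
        self.rng.shuffle(images)             # position gives nothing away
        return {"images": images, "roles": roles}

    def grade(self, challenge, answers):
        """answers maps image kind -> text typed for it. Passes iff the control
        image was read correctly; an unknown number crop just collects a vote."""
        passed = False
        for kind, shown in challenge["images"]:
            submitted = answers.get(kind, "")
            if challenge["roles"][kind] == "control":
                truth = NUMBER_CROPS[shown] if kind == "number" else shown
                passed = submitted == truth
            elif kind == "number":
                votes = self.tally[shown]
                votes[submitted] += 1
                reading, count = votes.most_common(1)[0]
                if count >= AGREEMENT_NEEDED:
                    self.resolved[shown] = reading
        return passed


def human(challenge):
    """Cooperative user who reads both images correctly."""
    return {kind: (NUMBER_CROPS[shown] if kind == "number" else shown)
            for kind, shown in challenge["images"]}


def number_ocr_bot(challenge):
    """Attacker whose OCR handles the short, small-alphabet digit crops but not
    the distorted scan words (the 'specialist OCR' case Johnston mentions)."""
    return {kind: (NUMBER_CROPS[shown] if kind == "number" else "????")
            for kind, shown in challenge["images"]}


def run(number_as_control_prob, solver, trials=2000, seed=1):
    """Returns (fraction of challenges passed, crops the crowd has resolved)."""
    sim = ReCaptchaSim(number_as_control_prob, seed)
    passed = 0
    for _ in range(trials):
        challenge = sim.new_challenge()
        passed += sim.grade(challenge, solver(challenge))
    return passed / trials, dict(sim.resolved)


if __name__ == "__main__":
    for p in (1.0, 0.0, 0.5):
        rate, _ = run(p, number_ocr_bot)
        print(f"number crop is the control {p:.0%} of the time: bot passes {rate:.0%}")
    print("crowd readings at 50/50:", run(0.5, human)[1])
```

With `number_as_control_prob` at 1.0 the digit-only bot passes every challenge and no crop is ever read by the crowd; at 0.0 it never passes but every crop gets read, so an attacker only needs word OCR; at 0.5 it passes about half the time, which is the mixed scheme Johnston expects Google to be using.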

Bootnote

* CAPTCHAs are a way of proving that a human is visiting a website or online service as opposed to automated software. Two distorted words are shown and punters have to type both of them back into a box to pass through; robots tend to be stumped by this verification process. CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. The tech is mostly used as a challenge-response test to frustrate the automated sign-up to web mail accounts and similar services.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/04/google_recaptcha_street_view/

Xbox 360 credit card slurp alert under fire

Doubts have arisen over claims that credit card numbers and other personal information can be recovered from used Xbox 360 consoles – even after users take the precaution of restoring their kit to its factory settings.

Researchers at Drexel University in Philadelphia bought a refurbished Xbox 360 from a Microsoft-authorised reseller, and accessed files and folders on the box’s hard disk after using widely available “modding” software, which is normally used to run home-brew or pirated software on the consoles. The academics claimed they were subsequently able to extract a previous owner’s credit card details and other private information.

However Microsoft and an independent security expert have said credit card details are not held locally on the console. In a statement, Microsoft said it was in the process of investigating the allegations. In the meantime it defended the general security offered by its Xbox gear:

We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.

Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.

Taken at face value, the Drexel exercise appears to illustrate that the risk of residual data on computer hard disks and mobile phones also applies to gaming consoles. Information lingers on disk surfaces after files are deleted from file system records, for example, unless extra effort is made to sufficiently overwrite or simply physically destroy the data.

Researcher Ashley Podhradsky said Microsoft was doing a disservice to gamers in not highlighting the potential risk, consumer technology site Kotaku reports.

Podhradsky advises privacy-conscious gamers to remove the hard drive from an Xbox and wipe it using a data-scrubbing program before giving away or selling their old console.
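Residual data is easy to demonstrate, so here is an added example (not the Drexel team's method, which the article does not detail) that carves a raw disk image for Luhn-valid 13 to 19 digit runs, shows that a metadata-only "factory reset" leaves them in place, and then overwrites the image in place the way one would wipe a removed drive. The sector layout, the gamertag record and the use of the Visa test number 4111111111111111 are constructed; `wipe_in_place` will happily take a block device path such as /dev/sdX, so check the path twice before running it against real hardware.

```python
import os
import re
import tempfile

SECTOR = 512
# 13-19 digit run not embedded in a longer run of digits (card number lengths in use)
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit test; drops serial numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def carve_pans(image: bytes):
    """Scan every byte of a raw image, allocated or not, for Luhn-valid digit runs.
    Returns (offset, PAN) pairs."""
    return [(m.start(), m.group(1).decode())
            for m in PAN_RE.finditer(image) if luhn_ok(m.group(1))]


def build_image() -> bytes:
    """Constructed 8-sector image: a toy directory in sector 0 pointing at a
    profile record in sector 3 that has been 'deleted' by flagging the
    directory entry, leaving the data sector untouched."""
    img = bytearray(8 * SECTOR)
    directory = b"DIR profile.dat deleted=1 start=3"
    img[0:len(directory)] = directory
    record = (b"gamertag=ste;card=4111111111111111;exp=0914;"   # Visa test PAN, passes Luhn
              b"serial=1234567890123456")                      # 16 digits, fails Luhn
    img[3 * SECTOR:3 * SECTOR + len(record)] = record
    return bytes(img)


def quick_format(image: bytes) -> bytes:
    """What a 'restore to factory settings' usually amounts to: the filesystem
    metadata sector is cleared, the data sectors are not."""
    out = bytearray(image)
    out[0:SECTOR] = bytes(SECTOR)
    return bytes(out)


def wipe_in_place(path: str, passes: int = 1, chunk: int = 1 << 20) -> None:
    """shred-style wipe of a file or block device: `passes` rounds of random
    data, then a final zero pass, fsynced so the bytes reach the media."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)       # works for block devices too
        for pattern in [None] * passes + [b"\x00"]:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def demo():
    """Carve the image fresh, after a quick format, and after a real wipe."""
    img = build_image()
    results = {"fresh": carve_pans(img),
               "quick_format": carve_pans(quick_format(img))}
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(img)
        path = tmp.name
    try:
        wipe_in_place(path, passes=2)
        with open(path, "rb") as f:
            results["wiped"] = carve_pans(f.read())
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:>13}: {hits}")
```

The quick-format result is the point of the Drexel claim: clearing the directory changes nothing for a carver that ignores the filesystem, and only the overwrite pass leaves nothing to find.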

Chris Boyd, senior threat researcher at GFI Software, and an expert in gaming security, disputed the researchers’ conclusion that credit card data might be lifted from used Xbox consoles.

“At present there’s a lack of information from both the university where the research took place and also from Microsoft who are continuing to investigate the claims,” Boyd told El Reg.

“Credit card data isn’t stored locally on the console, and there are so many console hacking and modding forums around that if a method did exist to pull this information then I’d be surprised it isn’t already public knowledge.

“However, it also seems unlikely the researchers simply recovered an Xbox account from an incorrectly formatted drive then used that to access stored payment details, given the precise nature of their claims. Console owners should use prepaid cards wherever possible with set limits attached, and only buy Microsoft points when they’re about to redeem them – having large amounts of points sitting against any account for a long period of time is always a risky move.”

We asked Podhradsky for a clearer explanation of the methodology applied by the Drexel team but are yet to receive a reply. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/04/xbox_refurbed_console_security_risk/

UK hacker jailed for nicking PayPal, banking data from MILLIONS

A UK cybercrook has been jailed for 26 months following his conviction for stealing millions of banking and PayPal identities, Southwark Crown Court confirmed to the Reg.

Edward Pearson, 23, from York, used information-stealing malware to harvest eight million personal identities between January 2010 and August 2011, the court heard. The vast majority of the information covered only names, addresses and dates of birth. However he also apparently managed to get his hands on compromised PayPal accounts and 2,700 bank cards.

The Daily Mail‘s report said Pearson had written a Python script to download the details of 200,000 PayPal accounts, obtaining names, passwords and balances in the process. He was said to have used variants of the ZeuS and SpyEye Trojans to steal personal information from PCs he managed to infect.

Pearson might have been able to cash out the compromised accounts and make hundreds of thousands in ill-gotten gains. But in the event he actually only made £2,400 before his 21-year-old student girlfriend, Cassandra Mennim, used stolen credit cards to book rooms at two upmarket York hotels, transactions that put police on the trail of the pair. Investigators then linked Pearson’s email address to an online identity, G-Zero, which he was purported to have used on underground hacking forums.

After pleading guilty to fraud, Pearson was jailed for 26 months at a hearing at Southwark Crown Court. Mennim, from Newcastle, who admitted two counts of obtaining services by deception, has been placed on probation for 12 months, the York Press reports.

Pearson is also alleged to have hacked into Nokia’s network back in August 2011, prompting the telecoms giant to shut down its internal network for two weeks, the Daily Mail adds. The incident is not reckoned to have resulted in any fraud and did not form part of the charges against Pearson.

In sentencing Pearson, Judge Ms Recorder Ann Mulligan accepted that his primary motivation was not financial gain while roundly condemning his actions.

“This was a very sophisticated crime, in which you managed to access highly confidential information and put many many individuals at risk of attack,” she said.

“I accept that you didn’t sell this information, but you shared it with other computer programmers, and you had no way of knowing how they might use this information. This stupendous criminality was not about financial gain, but about an intellectual challenge,” she added.

A spokesman at Southwark Crown Court’s listings office confirmed the sentences. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/04/cybercrook_jailed/

Facebook logins easily slurped from iOS, Android kit

Exclusive Facebook’s iOS and Android clients don’t encrypt users’ logon credentials, leaving them languishing in a folder accessible to other apps or USB connections.

A rogue application, or two minutes with a USB connection, are all that’s needed to lift the temporary credentials from either device – a problem compounded by Facebook’s idea of “temporary” as lasting beyond the year 4000. In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit.

That’s according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted “several thousand” IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook.

Turns out Facebook was already aware of the problem and working on a fix – though it won’t say how long that’s going to take or what customers should do in the meantime.

iOS won’t allow applications to read data stored by other applications, and so offers a slightly higher level of protection than Android, which relies on the user’s discretion. That’s why the proof of concept ran on a PC and connected over USB; a local application would only work on jailbroken devices. But it seems that any Android application granted permission to “modify/delete SD Card” could do the same thing.

iOS games often store their high scores in plaintext, and rely on the OS for protection, and some are clearly storing Facebook-connection tokens in the same place. Those tokens are only valid for 60 days, but it turns out that the Facebook application itself stores a similar token – which lasts until the first of January 4001. Copy that token onto another device, and you’re in.
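As an added check (not Gareth Wright's proof of concept, and not Facebook's actual file layout, whose key names are assumed here) this audit walks an extracted app sandbox or unencrypted backup, finds session tokens stored as plaintext in property lists, and reports whether the file is readable beyond its owner and how long the token remains valid. The sample sandbox, with a token expiring on 1 January 4001 to match the article's figure, is constructed.

```python
import os
import plistlib
import stat
import tempfile
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(days=60)   # the lifetime the article gives for game tokens


def audit_sandbox(root, now=None):
    """Report plaintext session tokens found in .plist files under `root`.
    Assumption: the token sits under a key containing 'token' and its expiry
    under a key containing 'expir'; adjust for the app under test."""
    now = now or datetime.now()
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                try:
                    data = plistlib.load(f)
                except plistlib.InvalidFileException:
                    continue
            if not isinstance(data, dict):
                continue
            tokens = {k: v for k, v in data.items()
                      if "token" in k.lower() and isinstance(v, str)}
            if not tokens:
                continue
            rel = os.path.relpath(path, root)
            findings.append(f"{rel}: plaintext token(s) {sorted(tokens)}")
            # Anything readable by group/other is readable by another app or
            # by whatever is on the far end of a USB cable.
            mode = os.stat(path).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"{rel}: readable by other users/apps "
                                f"(mode {stat.filemode(mode)})")
            for k, v in data.items():
                if "expir" in k.lower() and isinstance(v, datetime):
                    life = v - now
                    if life > MAX_TOKEN_LIFETIME:
                        findings.append(f"{rel}: token valid for {life.days} more days "
                                        f"(expires {v.date()})")
    return findings


def build_sample_sandbox(root):
    """Constructed sandbox: one preferences plist holding a session token that
    expires on 1 January 4001. Key names and values are made up."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs, exist_ok=True)
    path = os.path.join(prefs, "com.example.social.plist")
    with open(path, "wb") as f:
        plistlib.dump({
            "access_token": "EXAMPLE-SESSION-TOKEN-NOT-REAL",
            "expiration_date": datetime(4001, 1, 1),
            "user_id": "1000",
        }, f)
    os.chmod(path, 0o644)   # world-readable, as a plain preferences file would be
    return path


def demo():
    """Audit the constructed sandbox as of the article's date."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return audit_sandbox(root, now=datetime(2012, 4, 3))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A token that passes this audit is still only as safe as the device it sits on; the fix the article asks for is to bind the stored credential to the device (or keep it in the platform keychain) so that copying the file elsewhere yields nothing usable.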

It’s worth remembering that Facebook isn’t just about social networking these days, get into someone’s account and you can use their credits to vote on Big Brother, and with Facebook snatching an increasing share of personal communications there are numerous opportunities for identity theft.

Sticking an unknown USB cable into your device is always risky, and those who download dodgy software from unreliable sources sometimes deserve what they get, but Facebook really shouldn’t be storing unencrypted credentials in accessible memory unless they’re locked to the device or otherwise secured, and hopefully that’s what they’ll be doing really soon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/03/facebook_security_weak_logon/

Teen hacker suspect Ryan Cleary in the clink for bail breach

Teenage LulzSec suspect Ryan Cleary is back behind bars after breaching his bail conditions by going online, it has emerged.

Cleary, 19, from Wickford in Essex, who was charged with participating in denial of service attacks against the Serious Organised Crime Agency and the British Phonographic Industry last June, violated an order to stay off the internet, his solicitor said.

According to cops, the breach occurred when Cleary allegedly contacted Hector Xavier “Sabu” Monsegur – whom the FBI has fingered as the leader of the LulzSec hacktivist collective – several times over the Christmas period. Monsegur had allegedly been acting as an FBI informant since at least last August.

The alleged interaction led to Cleary’s re-arrest on 5 March, the day before the FBI dropped the veil on Monsegur’s alleged role as a supergrass against Anonymous and LulzSec activists.

Cleary’s solicitor Karen Todner confirmed that Cleary is being held in Chelmsford Prison, northeast of London. Cleary, who was diagnosed with Asperger’s Syndrome while in custody last year, is scheduled to reappear before a judge in May. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/03/lulzsec_suspect_back_in_jail/