STE WILLIAMS

Pro-China hackers target Tibetan activists with malware

Pro-China hackers have started spoofing security firm AlienVault’s email address in spam messages in an attempt to infect pro-Tibetan recipients with malware.

The move comes days after the security tools firm warned about spear-phishing attacks against a number of Tibetan organisations.

The spear-phishing messages relate to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The closely targeted messages – sent to organisations such as the Central Tibet Administration and International Campaign for Tibet – carry an infectious Office file attachment with a malware payload, a digitally signed variant of Gh0st RAT (remote access Trojan).

AlienVault reckons the attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defence companies late last year, which also featured the Gh0st Trojan.

Jamie Blasco, head of labs at AlienVault, a Security Information and Event Management (SIEM) tools specialist, commented: “The fact that the pro-Chinese sympathisers have taken our research seriously enough to start trying to blacken our name indicates that our message about the Chinese cyber attackers has hit home – and the cybercriminal activists are not happy.”

Pro-China supporters are attempting to tarnish AlienVault’s reputation via the attack, which targets both Windows and Mac users, but Blasco points out that their actions are trivial compared to the magnitude of events in Tibet.

“We have seen Tibetan sympathisers turn to self-immolation in their quest to bring their plight to the attention of Western governments, so any effect on our reputation pales into significance alongside their sacrifices,” he said.

In a possibly related development, pro-China hackers are using automated bots to drown out discussions on Twitter about human rights in Tibet and related issues with a flood of meaningless tweets. Security blogger Brian Krebs reports that Tibetan activists have noticed that several Twitter hashtags related to the conflict – including #tibet and #freetibet – are now being inundated with junk tweets from automated Twitter accounts, which the Tibetan activists say are controlled by either the Chinese government or its supporters.

However the crude tactic may have misfired by refocusing the attention of sections of the global media on the plight of the native Tibetans, who have lived under Chinese rule since the annexation of their country in the 1950s.

The propaganda war between China and Tibet, which has been going on for decades, has spilled into cyberspace before, with alleged hack attacks against the Dalai Lama and targeted malware featuring in the mix. The latest skirmish in cyberspace can therefore be viewed as a flaring up of long-simmering tensions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/china_tibet_malware_attacks/

Scores of US federal agencies still open to 2008 cache attack

US federal agencies are still struggling to roll out mandated technology that would make it much harder for attackers to spoof their websites.

The Federal Information Security Management Act set a December 2010 deadline to deploy DNSSEC, or DNS Security Extensions, on federal domains. However, a survey by Domain Name System vendor Secure64 found that only 57 per cent of the federal agencies (205 out of 359) have introduced DNSSEC technology into their environments, defined as DNS digital signing happening on at least one of their name servers.

Of the 205 agencies who are now signing, 81 per cent (161) have established a chain of trust to their parent domain, meaning they have gone live with the technology. Secure64 carried out the same exercise last year, just after the mandate came into force, when it found that less than half of federal domains had begun signing.

“It’s progress but we would have liked to see a bigger leap,” Mark Beckett, VP of marketing at Secure64, told El Reg.

Most of the higher-profile agencies and departments now appear to be signed, with the unsigned ones comprising mostly lesser-known agencies with fewer resources, according to Beckett. However, many military and intelligence agencies have not begun deploying the technology. Three of the agencies that had gone live with DNSSEC had made mistakes in their implementation that, if unresolved, would mean users would not be able to read their websites or send email as normal once their ISPs rely on DNSSEC to validate domains.

DNSSEC uses public key encryption and digital authentication to guard against the cache poisoning attack highlighted by researcher Dan Kaminsky back in 2008. Cryptographic checks make it a hell of a lot more difficult for attackers to spoof the address look-up servers that translate domain names into numerical IP addresses.
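The "chain of trust to their parent domain" that the survey counts is a DS record in the parent zone whose digest matches the child zone's key-signing DNSKEY; DNSSEC signs records rather than encrypting them, and a validating resolver recomputes that digest before trusting the child's signatures. This added Python example (not from the article or from Secure64) builds the DS a parent would publish for a constructed, non-real DNSKEY and performs the resolver's match; the owner name, flags and key bytes are made-up assumptions.

```python
import hashlib
import struct

# Constructed example (NOT a real key): flags 257 marks a key-signing key (SEP bit set),
# algorithm 8 is RSA/SHA-256. The "public key" is placeholder bytes.
EXAMPLE_OWNER = "example.gov."
EXAMPLE_FLAGS = 257
EXAMPLE_ALG = 8
EXAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(1, 33))


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (for algorithms other than RSA/MD5).

    The parent's DS record carries this tag so a resolver can pick the right DNSKEY.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS RDATA fields the parent zone publishes to delegate trust to this child key."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def chain_of_trust_ok(owner: str, flags: int, algorithm: int, pubkey: bytes, published_ds: dict) -> bool:
    """The resolver-side check: the DNSKEY served by the child must hash to the parent's DS."""
    computed = ds_record(owner, flags, algorithm, pubkey)
    return all(computed[k] == published_ds.get(k) for k in computed)


if __name__ == "__main__":
    ds = ds_record(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALG, EXAMPLE_PUBKEY)
    print(f"{EXAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("chain of trust:", chain_of_trust_ok(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALG, EXAMPLE_PUBKEY, ds))
```

A mismatch here is exactly the kind of implementation mistake the article mentions: a signed zone whose DS does not match its key fails validation, so validating resolvers return SERVFAIL for the domain.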

Beckett said the perception – that introducing DNSSEC is difficult – is wrong and that Secure64 and its competitors have tools to make the migration easy. Introducing DNSSEC “got serious” after the discovery of the Kaminsky vulnerability, according to Beckett. In the four years since, progress to introduce the technology has still only been gradual, even among commercial organisations, because the benefits of the technology will only really bear fruit once ISPs introduce DNSSEC resolvers, a vital component in the overall next generation domain name system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/dnssec_roll_out/

Baffling barcode-on-steroids stickers plaster the EARTH

Sysadmin blog: QR codes are everywhere. They have completely overrun Japan and are becoming well-established in the rest of the world as well. There are plenty of convenient uses for this technology, as well as several less carefully considered uses.

QR codes were created in 1994 by Toyota subsidiary Denso Wave. There was a need for a machine-readable visual information format with a greater information density than traditional bar codes. Denso originally saw use for typical industrial tasks such as inventory management and tracking car parts through the manufacturing process.

Successful use of QR codes relies on an understanding of the underlying technology. The largest defined QR code standard can hold 7,089 characters of numeric data, 4,296 of alphanumeric data or 2,953 of binary data. They can use error correction that allows for up to 30 per cent of the original QR code to be damaged while still being readable.

Those are of course theoretical limits, and real world applicability varies. High-end industrial code readers won’t have a problem with the high-density version-40 codes. Smartphones are another matter. The 8 megapixel camera on a Samsung Galaxy S II can read a 50mm x 50mm v-40 QR code. The 5 megapixel camera on an HTC Desire struggles, but can accomplish the task at a closer range. The 2MP camera on a Blackberry Bold 9000 doesn’t make the cut.

The medium matters as well; QR codes work best as black ink on white paper. They are far less readable as images presented on even the best computer or smartphone screen. The combination of camera ability and media variability places a real world upper limit on the information density you can expect to be able to present with a QR code of a given physical size.

Standards have emerged as a result. Consider the embedding of contact information. The ISO standard is vCard; however, the QR code world has chosen instead to embrace MECARD.


Only losers still have their vCards…


The QR code world is sticking with the MECARD

Most QR code applications will offer to add vCard or MECARD information into a smartphone’s contact list; however, contact details embedded as a MECARD require fewer bits of data than embedding the same information in vCard format. This results in less complex QR codes, which in turn increases readability for the same display size and resolution. Thus MECARD has become the de facto standard.
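The capacity figures quoted above are for version 40 at the lowest error-correction level (L); which figure applies depends on the encoding mode the payload's character set allows, which is why a shorter MECARD string produces a simpler symbol than the equivalent vCard. This added Python example (not from the article) picks the mode a payload qualifies for, checks it against those capacities, and compares the two contact formats; the sample contact details are constructed.

```python
import string

# QR alphanumeric mode covers exactly this 45-character set: digits, upper-case letters
# and nine symbols. Anything outside it (lower case, '@', accents) forces byte mode.
QR_ALNUM = set(string.digits + string.ascii_uppercase + " $%*+-./:")

# Version 40 capacities from the article; these are the error-correction level L figures.
# Raising the correction level (up to H, ~30% recoverable damage) reduces them.
VERSION40_CAPACITY = {"numeric": 7089, "alphanumeric": 4296, "byte": 2953}


def qr_mode(payload: str) -> str:
    """Densest QR encoding mode the payload's characters permit."""
    if payload and payload.isascii() and payload.isdigit():
        return "numeric"
    if set(payload) <= QR_ALNUM:
        return "alphanumeric"
    return "byte"


def payload_size(payload: str):
    """(mode, units): units are characters for numeric/alphanumeric, UTF-8 bytes for byte mode."""
    mode = qr_mode(payload)
    if mode == "byte":
        return mode, len(payload.encode("utf-8"))
    return mode, len(payload)


def fits_version40(payload: str) -> bool:
    """True if the payload fits the largest symbol at error-correction level L."""
    mode, n = payload_size(payload)
    return n <= VERSION40_CAPACITY[mode]


def mecard(name: str, phone: str, email: str) -> str:
    """MECARD: one line of ';'-separated fields, terminated by ';;'."""
    return f"MECARD:N:{name};TEL:{phone};EMAIL:{email};;"


def vcard(name: str, phone: str, email: str) -> str:
    """vCard 3.0 needs BEGIN/END/VERSION plus both N and FN, so it is always longer."""
    lines = ["BEGIN:VCARD", "VERSION:3.0", f"N:{name}", f"FN:{name}",
             f"TEL:{phone}", f"EMAIL:{email}", "END:VCARD"]
    return "\r\n".join(lines)


def compare_contact_formats(name: str, phone: str, email: str) -> dict:
    """Byte counts a QR encoder would have to fit for each format (both land in byte mode)."""
    return {fmt: payload_size(text) for fmt, text in
            (("mecard", mecard(name, phone, email)), ("vcard", vcard(name, phone, email)))}


if __name__ == "__main__":
    # Constructed sample contact.
    print(compare_contact_formats("Doe,John", "+441234567890", "john@example.com"))
```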

QR codes are fairly simple to generate. If you are looking for a one-off for advertising purposes, there are introductory guides, simple tools and even websites to sell you your QR code printed on virtually every object imaginable.

For those looking for a little bit more of an automated generation process, QR codes can be easily generated from the command line, or programmatically.

Every information transmission medium has its dark side, and QR codes are no different. “Garbage in, garbage out” applies here: a QR code can easily contain a link to a scam or a blob of malicious binary information.

If you plan on an enterprise deployment of this technology, make sure you use readers that can’t be compromised by malicious code. In the consumer space, pay close attention to the apps (iOS, Android) you choose. Ensure the permissions are tightly locked down.
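A reader that cannot be compromised by its input is one that classifies a decoded payload before it acts on it: refuse raw binary, refuse URL schemes other than http(s) (javascript:, file:, intent: and friends), and show contact cards and links to the user for confirmation rather than auto-opening them. This added Python example (not from the article) is such a triage step for a scanner app; the payloads in the test are constructed.

```python
from urllib.parse import urlsplit

# Only web links are ever opened; extend this allowlist deliberately, never by default.
ALLOWED_URL_SCHEMES = {"http", "https"}


def triage_qr_payload(payload: bytes) -> dict:
    """Classify decoded QR bytes. 'action' is one of: block, confirm (ask user), show."""
    # 1. Anything that is not clean text is treated as an opaque blob and never passed on.
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary", "action": "block"}
    if any(ord(c) < 0x20 and c not in "\r\n\t" for c in text):
        return {"kind": "binary", "action": "block"}

    # 2. Contact cards: parse, but the user sees the fields before anything is saved.
    upper = text.upper()
    if upper.startswith("MECARD:"):
        fields = dict(f.split(":", 1) for f in text[7:].rstrip(";").split(";") if ":" in f)
        return {"kind": "mecard", "action": "confirm", "fields": fields}
    if upper.startswith("BEGIN:VCARD"):
        return {"kind": "vcard", "action": "confirm"}

    # 3. Links: scheme allowlist, and reject "https://trusted.example@evil.example/" lures
    #    where the part before '@' is user-info, not the host.
    parts = urlsplit(text)
    if parts.scheme:
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_URL_SCHEMES:
            return {"kind": "url", "action": "block", "scheme": scheme}
        if parts.username is not None or parts.password is not None:
            return {"kind": "url", "action": "block", "reason": "userinfo"}
        return {"kind": "url", "action": "confirm", "host": parts.hostname}

    # 4. Plain text (ticket numbers, gate labels): display only.
    return {"kind": "text", "action": "show"}
```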

The machine-readable display space continues to evolve. While we are just now adapting to the use of QR codes in daily life, the Japanese are already struggling against QR code’s limitations. The requirement exists to pack more information into something a standard smartphone camera can read.

Denso Wave has already put out a successor, while another Japanese outfit has latched on to the idea of using colour to increase information density. Microsoft’s HCCB also uses colours, Nokia has Mobile Codes, and Google is pushing NFC as an alternative.

All of these next generation technologies face an uphill battle. The replacement technology must achieve greater information density. It must also cope with the ubiquity of extant QR codes. The existing design offers instant recognition. It is open (as in source) and free (as in both speech and beer). Denso Wave has formally declined to pursue any patent claims it has on QR codes and this has seen them flourish.

Eighteen years have seen this small industrial tracking format grow into an advertising sensation. It is used by governments as an encrypted stamp on passports to speed travelers through airports, on train tickets, and as unique identifiers on everything from club cards to bus stops. What innovations will the next 18 years bring? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/qr_codes_are_taking_over/

Florida man ‘fesses to naked Scarlett Johansson outrage

A Florida man has admitted hacking into the email accounts of celebrities including Mila Kunis and Scarlett Johansson.

Christopher Chaney, 35, of Jacksonville, Florida, agreed on Monday to plead guilty to nine felony charges including computer hacking and wiretapping, AP reports.

The plea follows Chaney’s arrest in October following a year-long police probe codenamed Operation Hackerazzi, which was sparked by the unauthorised publication of nude pics of female stars on the net.

Prosecutors suspect Chaney broke into the email accounts of more than 50 entertainment luminaries, including Christina Aguilera and Johansson. Nude self-portrait photos of Johansson, which were meant only for her then-husband Ryan Reynolds, were leaked online following the hacks.

It seems Chaney guessed the security reset questions of celebrity accounts using publicly available information, the same tactic used to hijack the webmail account of Sarah Palin at the time the former Governor of Alaska was running for vice-president.

Having gained privileged access to a star’s email account, Chaney changed the settings so that every email received by the account was forwarded to an address under his control. Chaney subsequently forwarded the celeb photos he received to two gossip websites and another hacker. There is no suggestion that he profited financially from his celebrity hacking hobby, a factor that may count as mitigation when it comes to sentencing.

“Chris has been very cooperative with prosecutors, he’s remorseful for any of the harm caused to the stars, and just looks to a resolution of the case,” defence attorney Christopher Chestnut told the news agency. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/operation_hackerazzi/

Fujitsu has phone fraudsters in its sights

Boffins at Fujitsu and Japan’s Nagoya University are claiming to have successfully developed technology designed to prevent phone scammers by recognising certain keywords and detecting changes in voice pitch and level.

The technology was developed as part of the “Modelling and Detecting Overtrust from Behaviour Signals” research area led by Kazuya Takeda.

It focuses on the notion of “overtrust”, the situation that occurs when a human is overwhelmed with distressing information and loses the capacity to objectively evaluate whether they are being lied to or not.

The technology analyses the pitch and volume of the potential victim’s voice to detect when a situation of overtrust is occurring. Typically a person’s voice flattens out in the high frequency range when they are put under psychological stress, and from this Fujitsu said it can infer a situation of overtrust with over 90 per cent accuracy.

Bolstering the detection capabilities is keyword detection functionality which uses a list provided by the National Police Academy and counts the number of times any of those keywords are spoken, ignoring any other words.

The tech will then make a decision on whether the potential victim is being scammed by assessing the number of keywords in the conversation and whether their voice indicates a situation of overtrust, said Fujitsu.

This may seem like a lot of bother for a crime which rarely hits the front pages in the UK. However, phone scams are a big problem in Japan, and are deemed particularly reprehensible in a country where crime is rare, as they usually target the elderly and infirm.

Typically the scammer will pretend to be either a member of the victim’s family, friend or someone in a position of authority. They will usually impart some distressing information about a crime committed by an acquaintance of the victim and urge them to send money to sort the problem out.

Fujitsu now plans to work with the National Police Academy and The Bank of Nagoya to test the technology embedded in mobile phones. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/japan_phone_scam/

8,400 email addresses spaffed by Student Loans Company

The Student Loans Company (SLC) has apologised after inadvertently leaking the email addresses of about 8,400 students this week.

Anyone who had got half-way through filling in an application form on the SLC site was sent a motherlode of personal data on Monday: emailed reminders to complete the electronic paperwork included an attachment listing the details of the 8,400 other recipients.

A spokesperson told The Reg that the money lender quickly realised its mistake and sent out a subsequent email asking all recipients to delete the previous email and attachment.

The SLC (an arm’s length quango attached to the Department of Business and Skills) said:

We are sorry that a number of student email addresses have been included in an email which has been sent to other customers. The information was sent in error and only included email addresses, no other personal student data was shared. We have contacted all customers affected to let them know about this issue.

Chris Andrew, company secretary of the Student Loans Company, has said bosses have launched an internal investigation into the cause of the breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/student_loan_email_leak/

Hacktivists nicked more data than CYBER-CROOKS in 2011

Hacktivism had a massive effect on the overall data breach scene last year.

More than half (58 per cent) of data stolen last year can be attributed to hacktivism – hacking to advance political and social objectives – according to the latest edition of the Data Breach Investigations report from Verizon. The figures contrast sharply with findings from previous years, when the majority of attacks were carried out by cybercriminals, whose primary motivation was financial gain.

Seventy-nine per cent of attacks covered by Verizon’s report were opportunistic. Only 4 per cent of the overall total were rated as particularly challenging for hackers to carry out. In addition, an estimated 97 per cent of breaches might have been avoidable without recourse to difficult or expensive countermeasures.

[Image via Verizon]

Wade Baker, director of risk intelligence at Verizon, told El Reg that 44 per cent of the attacks exploited default or easily guessable credentials. However he qualified this remark by saying that default passwords were a far greater problem in hacks involving smaller organisations.

Breaches originated from 36 countries around the globe, an increase from 22 countries during 2010. Nearly 70 per cent of breaches originated in Eastern Europe and less than 25 per cent originated in North America.

The report covers 855 data breaches that collectively spilled 174 million records, the second highest number since Verizon began collating this type of data back in 2004. External attacks were blamed for the vast majority (98 per cent) of data breaches. This external attacker group includes organised crime, activist groups, former employees, lone hackers and organisations sponsored by foreign governments.

Hacktivism by groups like Anonymous and LulzSec figured in many data breaches last year. Wade reckons recent arrests might reverse this trend, but he’s far from sure on this point.

“Anonymous is a movement. It’s hard to stop a movement by taking out individuals,” he said.

[Image via Verizon]

Attacks were overwhelmingly led by outsiders of one type or another. Only 4 per cent of attacks relied on the involvement of internal employees. Business partners were a factor in less than 1 per cent of data breaches.

Hacking appeared in 81 per cent of breaches (compared with 50 per cent in 2010) and malware featured in 69 per cent of breaches last year (also up from the 49 per cent recorded in 2010).

The increase is easily explained: hacking and malware offer outsiders an easy way to exploit security flaws and gain access to confidential data. The ready availability of easy-to-use hacking tools also contributes to this effect.

Social engineering (tricking end users into doing something stupid or handing over information to attackers) and SQL injection attacks against vulnerable webservers also figured as a factor in many attacks.

Another important factor in attacks is the slow speed at which organisations patch up vulnerable systems and the length of time between a successful compromise and its discovery, which is most often measured in months or even years. Third parties continue to detect the majority of breaches (92 per cent).

Industrial espionage revealed criminal interest in stealing trade secrets and gaining access to intellectual property. “This trend, while less frequent, has serious implications for the security of corporate data, especially if it gains steam,” Verizon warns.

Wade said that attacks involving intellectual property theft were an “undercurrent in [the] data set”. Industrial espionage was the prime motive in around 5 per cent of attacks, he said. In such cases insider involvement was more common.

While compliance programmes, such as the Payment Card Industry Data Security Standard, provide sound steps to increasing security, being PCI compliant does not make an organisation immune from attacks.

The US Secret Service and the Met Police’s Central e-Crime Unit collaborated with Verizon in preparing the report, which this year also involved input from other police agencies in the Netherlands and Australia. Verizon’s annual study, now in its fifth year, is considered among the best of its type in the infosec business.

Verizon’s report, which includes separate recommendations for enterprises and small businesses on guarding against cyber attacks, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/verizon_security_breach_trends/

Scammers exploit new Dr Who girl with Twitter smut video

Filthy-minded scammers wasted little time latching onto the news that Jenna-Louise Coleman will join Doctor Who in the TARDIS later this year.

The BBC announcement on Wednesday unsurprisingly made the name of the 25-year-old actress a trending topic on Twitter. Porno spammers latched onto this trend by mentioning “Jenna-Louise Coleman” in messages containing links to supposed sex videos. In reality, users are being tricked, through the combination of a smutty lure and a clickjacking exploit, into unwittingly following a Twitter account, as explained in a post by Graham Cluley on Sophos’s Naked Security blog here.

“The webpage you are taken to doesn’t have any content (pornographic or otherwise) related to the Time Lord’s latest sidekick. Instead, you’ll find what appears to be a portal for an Asian hardcore porn video website,” Cluley explains.

“Clicking on the video thumbnails is definitely ill-advised. When I examined the page, I found that each of the videos were masking a secret Twitter follow button.”

While this lure promotes an Asian grumble flick portal, the same trick might have been used to direct surfers towards a malware portal or a survey (AKA hand over all your details in exchange for the supposed chance to win an iPad) scam. Browser plugins such as NoScript help defend against clickjacking. Surfers, even those that use NoScript as a defence, should also be cautious about which links they click on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/dr_who_clickjacking_scam/

Cybercops traced Toulouse massacre suspect through IP address

The IP address of a computer used to view a motorbike sales ad posted by an early victim of the Toulouse gunman played a vital role in narrowing down Mohamed Merah as the main suspect in a series of attacks that have horrified France, it has emerged.

French soldier Imad Ibn-Ziaten posted a video of the motorbike he wanted to sell online. The paratrooper was killed on 11 March after he invited someone who posed as a prospective buyer to his house.

Le Monde reports (Google translation here) that the ad was viewed by about 500 people. Cyber police narrowed this list of likely suspects down to those who lived in and around Toulouse in south-west France. This search was intensified after Ibn-Ziaten’s assassination was linked to the slaughter of three children and a rabbi at a Jewish school in Toulouse on Monday, 19 March.

In addition, Le Monde added, a motorcycle dealer had reported a suspicious conversation with someone who wanted to know whether it was possible to remove an anti-theft tracking device from a Yamaha scooter days before the vehicle was stolen on 6 March – just days before the first attacks, against French soldiers. The twin strands of evidence allowed police to compile a short list. Merah was already under surveillance by French authorities, and the use of an IP address tied to his brother’s house in viewing the Ibn-Ziaten motorcycle video made him a prime suspect in the case.

A French anti-terrorist unit surrounded a block of flats where the reportedly heavily-armed Mohamed Merah lived in the early hours of Wednesday, leading to a siege that ended after police stormed his flat on Thursday morning. Merah jumped out of a window, reportedly while still firing back at police. He was subsequently found dead on the ground, though it is as yet unclear whether the fall or police snipers killed him.

During the siege, Merah reportedly proclaimed allegiance to al Qaida and admitted responsibility for the shooting dead of three French soldiers in two ambushes last week, as well as the attack on the Jewish school. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/toulouse_manhunt/

CA reveals ARCserve DDOS threat

CA Technologies has found a nasty flaw in flagship backup software ARCserve.

The flaw goes all the way back to version 10 of the product, which has just reached v.16.

CA says the problem “can allow a remote attacker to cause a denial of service condition“ and “ … occurs due to insufficient validation of certain network requests. An attacker can potentially use the vulnerability to disable network services.”

Many versions of ARCserve can fix the bug with a patch, but CA’s advisory says the solution for ARCserve Backup for Windows r12.0 is to “Update to CA ARCserve Backup for Windows r16 SP1.”

We’re sure ARCserve users will appreciate the forced upgrade and happily set aside other work to make it happen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/arcserve_ddos_flaw/