STE WILLIAMS

Demand for safety kitemark on software stepped up

The government and industry ought to do more to promote online safety, according to an influential panel of MPs.

Politicos on the Science and Technology Select Committee called for the expansion of Get Safe Online and similar efforts, and for more prolonged awareness campaigns geared towards dispelling fears and encouraging common sense.

The committee wants a single place where punters can get basic security advice, stripped of confusing technical jargon, plus television campaigns.

It also wants public services to be convenient and secure by design, rather than focused on cost-savings, because the government’s “digital by default” policy will require citizens to access services, including benefit payments, online.

Finally, and most controversially, MPs want to see “safety standards on software sold within the EU, similar to those imposed on vehicle manufacturers”. Industry self-regulation is the preferred route towards achieving that goal but the panel said that if that fails then legislation ought to be considered.

In a statement, Andrew Miller MP, chairman of the committee, said:

Despite the increasing use of malware, the internet is still a reasonably safe place to go about one’s business, provided users take a few sensible precautions. Government departments need to realise that better public information about computer safety could save huge numbers of people the hassle of having their personal details stolen.

Knowledge is the best defence against fear, so the Government should focus on raising awareness of how to stay safe online – rather than scaring people about the dangers of cyber crime.

The group’s recommendations follow a series of hearings on malware and cybercrime that resulted in the publication of a formal report last week.

Graham Cluley, senior technology consultant at Sophos, welcomed the report while emphasising the need for better cybercrime reporting mechanisms to properly scope the extent of the problem.

“We strongly believe that greater awareness and education regarding internet threats is a key element in fighting cyber crime, and it’s encouraging to see the committee’s report not only back this idea, but also to recommend that messages need to be customised carefully for the different generations of people using the net,” he said.

“Simple, easy-to-understand language is by far the best way to help computer users understand how to protect themselves online, and we are keen supporters of the government-backed GetSafeOnline website.

“We need an independent way of measuring the cyber-threat that’s out there.  Much of the data used by the report is supplied by security vendors, who – one can argue – could have a vested interest in hyping up the internet threat.  To avoid such accusations, proper systems must be put in place to make it easy for citizens to report internet crimes and malware attacks,” he added, while suggesting the first place to start would be teaching cops how cyber-criminals work. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/02/mps_cyber_security_report/

Symantec: We’ve plugged up pcAnywhere holes

Symantec has said its pcAnywhere remote control software is once again safe to use, following the release of its latest security patch.

The security giant made the highly unusual move last week of advising customers to avoid using older but still widely used versions of pcAnywhere as a precaution, after it emerged that the product’s source code was swiped by Anonymous-affiliated hackers.

The “Lords of Dharmaraja” bragged that they had obtained copies of Symantec’s source code and threatened to publicly disclose it in order to facilitate the hunt for unpatched vulnerabilities. Source code for pcAnywhere was put up as the first candidate for this bug hunt, hence the heightened security concern over this product.

After initially blaming the leak on a security breach by an “unnamed third party”, Symantec eventually admitted the breach was the result of a previously undisclosed theft of source code from its systems dating back to 2006. Older versions of the source code of a range of enterprise and consumer security products from Symantec were exposed.

At this point – a fortnight ago – Symantec issued a statement warning that “customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices.”

These best practices can be found here (PDF).

Pitches about patches

Symantec released a patch for pcAnywhere versions 12.0 and 12.1 on Friday 27 January – just days after patching vulnerabilities in the latest (pcAnywhere 12.5) version of the software on Monday 23 January. In the days in between, Symantec advised users of older versions of its remote-control software to suspend use of the technology in their environments pending the availability of a fix, which it has now delivered.

The initial version of Symantec’s best practice white paper reportedly advised customers to disable pcAnywhere, unless it was required for business-critical purposes (surely the last thing you’d want to do with it).

“At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.”

This content has now been removed from Symantec’s white paper. Descriptions of possible man-in-the-middle attack scenarios created by the vulnerabilities and contained in the initial version of the white paper have also been “disappeared” but are detailed in a blog post by Sophos here.

Symantec explained how to disable pcAnywhere in an advisory published on 19 January and updated on 24 January – the day after it patched the latest version of the software. The security giant also published an updated series of statements on its response to the “Anonymous” source code theft.

The security giant has tried to keep customers in the loop about what’s going on. Even so, its advice has occasionally been hard to digest and occasionally buried in the small print of a security notice. Frankly the whole thing has been more than a little confusing.

The latest line from Symantec, kindly forwarded to El Reg by its local representatives on Thursday lunchtime, can be found below.

At this time, Symantec recommends that customers ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow general security best practices.

If customers are unable to adhere to this guidance and have not installed the latest version with current patches, we recommend that they contact [email protected] for additional assistance.

On Monday, January 23, 2012, Symantec released a patch that eliminates known vulnerabilities affecting customers using pcAnywhere 12.5. On Friday, January 27, 2012, Symantec released a patch that eliminates known vulnerabilities affecting customers using pcAnywhere 12.0 and pcAnywhere 12.1.

Symantec’s rivals, such as Netop, have seized on the confusion over the safety of using pcAnywhere to offer customers trials of their alternative technology, Netop Remote Control.

In a statement, Netop’s CEO Kurt Bager said: “Symantec’s announcement highlights the risks of having varying levels of security in your remote access setup. The theft of its old source code by a hacking group could potentially open up companies across the world to key vulnerabilities within the remote access program. We hope that by offering Netop Remote Control at no charge for thirty days – Symantec will have time to fix the issue.”

Netop is also offering special terms for enterprises that switch from Symantec before the end of February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/02/pcanywhere_source_code_leak_sheanigans/

New Trojan routes your bank’s calls to CROOKS

Devious cybercrooks have developed a Trojan that is capable of redirecting calls your bank has made to verify suspicious transactions – straight into the waiting handsets of professional criminal caller services.

The capability comes bundled in a modified configuration of Ice IX, a Trojan developed using the infamous ZeuS cybercrime toolkit. In addition to stealing bank account data from infected machines, these Ice IX configurations are capturing sensitive information on telephone accounts belonging to the victims who happen to be customers of BT, TalkTalk and Sky. US banking customers have also been targeted by the scam.

By gaining control of phone lines, the crooks are able to divert calls from banks querying suspicious transactions to hacker-controlled phone numbers.

Redirecting bank’s post-transaction verification calls to professional criminal caller services gives crooks more chance of abusing stolen card data for longer, maximising their ill-gotten profits in the process.

Security researchers at transaction security firm Trusteer discovered a strain of malware used in the attack that steals a victim’s user ID and password, memorable information/secret question answer, date of birth and account balance from a compromised machine. Victims are then asked to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list. Automated dialogue boxes generated by the malware further attempt to trick victims into handing over their telephone account number, private data that is used by phone firms to authorise account modifications such as call forwarding.

Victims are falsely told the sensitive data is required as part of a verification process caused by “a malfunction of the bank’s anti-fraud system with its landline phone service provider”.

In reality that data is used by fraudsters to redirect and fob-off post-transaction verification checks by banks, circumventing an important security check in the process. Victims will find it harder to contest disputed transactions as a result of the ploy, designed to give fraudsters and their accomplices more time to bleed cash from compromised accounts.


Image via Shutterstock

Amit Klein, CTO of Trusteer, explained, “Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user.”

A full write-up of the attack, complete with screen-shots, can be found in a blog post by Trusteer here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/02/ice_ix_trojan_social_engineering_trickery/

Microsoft ad campaign savages Google over privacy

Microsoft is launching a three-day advertising campaign in the US, offering itself as the privacy-respecting alternative to Google.

Last week Google decided to pool personal user information across 60 of its products with no opt out available to users. The ad campaign’s slogan is: “Putting people first” [JPG here].

“Every data point Google collects and connects to you increases how valuable you are to an advertiser,” the campaign notes. In fact, so does everyone else, something Microsoft acknowledges in the ad copy:

To be clear, there’s nothing inherently wrong with wanting to improve the quality of an advertising product. But that effort needs to be with continuing to the needs and interests of users.

“The changes Google announced make it harder, not easier, for people to stay in control of their own information,” writes Microsoft’s chief spinmeister Frank X Shaw, on the company’s blog.

Microsoft makes hay

Google has responded to Congress’s concerns about the data-sharing policy by claiming the changes had been “misunderstood”. We analysed that here yesterday. It’s worth comparing Google’s explanation with the caveats. ®

Bootnote

Readers with long memories will remember how Microsoft was once seen as the creepy data-mining uberlord – not so long ago.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/ms_attack_ads_google_privacy/

Fairfax bunkers down after alleged hack

Two Fairfax sites remain offline this morning after they were apparently compromised, with the possible loss of credit card information.

As reported in Australia’s SC Magazine, the intruders claimed to have obtained 10,000 unencrypted credit cards. The sites impacted are Herald Education and the Young Writer of the Year.

Since the attack, the Australian Privacy Commissioner has stirred, opening an investigation into the incident.

“My investigation will be looking at the site’s compliance with the Privacy Act and in particular whether appropriate data security practices were in place at the time of the alleged hack,” the Commissioner, Tim Pilgrim, stated.

Fairfax told SC Magazine the attack related to “a small number of sites that are hosted by external providers”, and denied any impact on the company’s major Sydney Morning Herald or The Age mastheads.

The two affected sites resolve to IP addresses apparently administered by Bulletproof Networks Hosting (this does not, however, identify who was responsible for administering the security of the affected servers).

The Register has asked Fairfax’s company secretary, Gail Hambly, why the company has apparently not considered it necessary to advise the Australian Securities Exchange of the apparent attack.

SC Magazine also claims that CCV (card code verification) numbers were stored in the databases accessed by the intruders – something which would breach normal security practices for credit card merchants. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/fairfax_site_compromised/

Romanian cops cuff suspected serial hacker TinKode

Romanian police have arrested a man suspected of breaking into the websites of NASA and the Pentagon in a series of high-profile hack attacks.

Razvan Manole Cernaianu, 20, from Timisoara, is accused of publishing details of the SQL injection vulnerabilities discovered on the targeted websites under the hacker handle TinKode. The Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) further alleges that Cernaianu, an IT student, sold hacking tools from his personal site.

TinKode bragged about breaking into the Royal Navy’s official website in November 2010 and making off with site passwords. Other attacks claimed by TinKode include breaking into the MySQL site (using a SQL injection vulnerability) and the European Space Agency. These alleged targets fail to appear on the rap sheet, which concentrates on the NASA hack and an assault on US Army systems that allegedly resulted in the extraction of confidential data.

Investigating officers from the FBI and NASA took part in the investigation that led to Cernaianu’s arrest.

The motive for the attacks was apparently claiming high-profile scalps and the bragging rights that came with them, plus a heady mix of intellectual curiosity and pure devilment, rather than any form of money-making scam.

A statement by Romanian police on the case can be found here. Security commentary on the arrest can be found in a post on Sophos’s Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/tinkode_nasa_hack_suspect_cuffed/

Fraud baron forced henchmen into S&M orgies to prove loyalty – cops

A US card cloner forced would-be gang members to take part in group sex sessions as part of an initiation ceremony designed to weed out undercover cops, according to a detective.

Vikas Yadav – an Indian national who was resident in Athens, Georgia, at the time of his crimes but has since been deported – used chat rooms frequented by sadomasochists to recruit would-be cybercrooks, before staging video-taped sex sessions in which he participated as both performer and producer.

“Anyone who wanted in with [Yadav] would have to have three-way sex, either with other men or women, but Vikas had to be involved and he would record it all and save the recordings so he could watch it on his big flatscreen TV,” Athens-Clarke Police Detective Beverly Russell told local paper the Athens Banner-Herald.

“This took one of the most bizarre turns in any case I’ve ever come across,” the flabbergasted cop added.

Yadav used a widescreen TV linked to home entertainment gear capable of holding 12 terabytes of data in order to review the resulting amateur grumble flicks. The fraudster turned to crime after he was kicked out of his doctoral programme at the University of Georgia’s College of Pharmacy after he was caught plagiarising back in 2005.

He started capturing PINs and card details to create counterfeit cards in order to supplement his income as a liquor store clerk. Using the cloned cards he bought high-price ticket items such as flat-screen TVs, Wired reports.

The scam continued for about three years before a tip-off from an alert store manager led to his arrest outside a Walmart in Mississippi back in August 2008. Police subsequently arrested Yadav in his van, which was packed with luxury TVs, gaming consoles and laptops. Officers also recovered a credit card forgery kit during the bust.

A subsequent search of Yadav’s residence in Georgia coincided with the arrival of one of his alleged accomplices, Dwight Riddick, a former New York City police officer, with a rental van load of fraudulently bought TV sets.

Yadav was charged with credit card fraud and spent a year in prison prior to his deportation in 2010. Riddick, together with two other alleged members of Yadav’s crew – Dashun McQuiller and Shaun Grittner – were convicted and sentenced last month.

Court documents don’t mention Yadav’s “bizarre initiation tests”, which were reportedly related by his accomplices to Det Russell. Grittner said he wasn’t subjected to the loyalty test because McQuiller had vouched for him.

Riddick was sentenced to two years of probation after he pleaded guilty to interstate transportation of stolen property. McQuiller and Grittner pleaded guilty to conspiracy to defraud, earning jail terms of 30 months and 10 months respectively. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/smut_initiation_carder/

OFFICIAL: Smart meters won’t be compulsory

So-called ‘smart meters’ will not be mandatory, the energy minister has confirmed. The pledge was made by Charles Hendry last Thursday, and confirmed to us by the Department of Energy and Climate Change today.

The energy minister in the previous Labour government, one Ed Miliband, introduced legislation to make smart meters mandatory for homes and small and medium-sized businesses by 2014 as part of the condition for licensing energy companies. The electronic devices must collect information every 30 minutes, and use wireless chips to phone home. The cost per household, including installation, was estimated at £340 per household, or £9bn countrywide, with customers footing the bill.

The advantages for suppliers are considerable: laying off thousands of employees, including meter readers and call centre staff, introducing per-minute variable pricing, and cutting off the energy supply remotely. It also promised a boom for the IT sector.

But Hendry told the House of Commons that:

We believe that people will benefit from having smart meters, but we will not make them obligatory. If people are concerned about the electromagnetic issues, they will not be required to have one. We have been willing to give assurances to Hon Members on that account.

A DECC spokesman told us:

This is not actually new. While smart metering brings significant benefits, it will not be an offence for householders to refuse to accept a smart meter and we have made it clear that we do not expect suppliers to seek an entry warrant simply to fit smart metering equipment.

Until the licensing conditions for energy utilities change, however, we must assume it’s full-speed ahead.

“We are determined to take the scheme forward, with ministerial oversight and safeguards for consumers built in,” Hendry said last month.

And it’s not just the suppliers who stand to gain from the installation of smart meters. Earlier this week the Wi-Fi Alliance teamed up with the ZigBee crowd at DistribuTECH to demonstrate how marvellously their respective technologies can deliver Smart Grid applications, based on the recently published Smart Energy Profile 2.0.

ZigBee is a low-power mesh-radio technology which has been looking for a killer application for a few years now. It has had some success in industrial settings, but is a prime contender for IP-addressable smart meters.

Voluntary smart meters might not be so compelling, despite this jolly video which would surely convince the most adamant sceptic to sign up:

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/smart_meters_yesno/

MasterCard joins Visa in pushing PINs into America

MasterCard has published its roadmap for getting Americans to use chip-and-PIN cards in stores, following Visa’s lead in proposing to replace swipe cards by April 2013.

Over the next year, Americans will have to get used to entering a PIN number when using a credit card, rather than scrawling a name (any name) as they do today. That’s because MasterCard has joined Visa in pushing an April 2013 date on the implementation of chip-and-PIN terminals in US retailers.

Shops will be encouraged to install chip-and-PIN kit with a combination of carrot and stick. MasterCard promises “true financial benefits for merchants as they implement EMV-compatible terminals”, while NFC World reminds us that Visa is already threatening that “liability for counterfeit fraud may shift to the merchant’s acquirer” if EMV isn’t supported.

EMV stands for Europay, MasterCard, Visa, and is the standard to which chip cards conform. When presented to a reader, the EMV chip takes part in a cryptographic exchange which makes the cards prohibitively expensive to forge. EMV chips – contact or contactless – are infinitely more secure than the basic RFID payment systems which got Forbes magazine into such a tizzy last week.

But while the cards are much harder to forge, the PINs are harder to keep secret as they’re used in every shop visited.

The worst combination results from cash-point machines (ATMs) which haven’t been upgraded to use the EMV chip, so are still dependent on the easily-copied magnetic stripe. Once such a machine has been located (just fry your own chip and then try to use different ATMs until you hit one that works), the fraudster can install a skimmer in any store, collecting the magnetic-stripe data, and then watch the customers entering their PINs.

The solution is to upgrade all the cash points, but that takes time and money. Despite those issues, the introduction of chip-and-PIN has reduced fraud in Europe massively. The vast majority of fraud is now conducted over the internet through retailers who are prepared to deliver to somewhere other than the card-holder’s address.

So American retailers have 13 months to upgrade their terminals, and as just about every new EMV terminal now supports contactless (NFC) payments as well, it means every retailer will be able to start accepting Google Wallet payments too, just in time for the iPhone 5… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/mastercard_visa/

Trojan smuggles out nicked blueprints as Windows Update data

Security watchers have uncovered a new highly targeted email-borne attack that uses a supposed conference invitation as a lure – and disguises extracted data as Microsoft Update traffic.

The spearphishing attempts, which have been levelled at several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines – ultimately opening a backdoor for hackers to take over systems.

Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility. The attack was independently discovered by security researchers from Seculert and Zscaler, who issued a joint warning about the so-called MSUpdater Trojan assault on Tuesday.

“We were able to track similar attacks, from the same group of attackers, back to 2009,” Aviv Raff, CTO at Seculert told El Reg.

“The method of operation of many of the attacks is similar – a spearphishing email is sent with a PDF attachment of a fake industry related ‘Conference Invitation’. The PDF file exploits zero-day vulnerabilities in Adobe Reader, and then installs the RAT [Remote Access Trojan] malware. The malware tries to stay under the radar of security products by pretending to be a ‘Microsoft Windows Update’ – hence the name ‘MSUpdater’ Trojan.”

“One variant is using Windows Update-like HTTP requests to communicate with the command-and-control server. The other drops a file named msupdate.exe,” he added. “The attacks’ purpose was indeed industrial espionage, mainly for stealing intellectual property. One of the main functions of a variant of this malware was to steal specific files and upload them to the CC server.”

Analysis of the attack is ongoing, and Raff is yet to form a clear opinion on the likely perpetrators of the assault.

“We don’t have information about the people behind those attacks, however as all of them are targeting government-related organisations, it is highly reasonable to suspect that the attackers are high profile, maybe even a country,” he concluded. ®
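The defensive angle on the MSUpdater variant described above is that a process can copy the Windows Update client’s HTTP fingerprint but cannot make Microsoft’s update servers its command-and-control host. The following is an added detection sketch, not code from Seculert, Zscaler or The Register: it scans constructed proxy log lines and flags requests whose User-Agent claims to be the Windows Update agent while the destination host is outside an assumed allowlist of Microsoft update domains. The log format, the User-Agent string being mimicked and the allowlist are all assumptions for illustration; the article gives no such specifics.

```python
"""Flag proxy log entries that look like Windows Update traffic bound for a
non-Microsoft host.  Log format, sample lines, the mimicked User-Agent and the
domain allowlist are constructed assumptions, not data from the article."""
import re
from dataclasses import dataclass

# Assumed proxy log format:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Assumed allowlist of legitimate Windows Update destinations (exact host or
# any sub-domain of these suffixes).
MS_UPDATE_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
)

# Assumed substring used by the genuine update client; malware that
# "pretends to be Windows Update" is expected to copy something similar.
UPDATE_AGENT_MARKER = "windows-update-agent"


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    reason: str


def host_of(url: str) -> str:
    """Extract the host part of a URL (scheme://host[:port]/...), lower-cased."""
    m = re.match(r'^[a-z]+://([^/:]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_ms_update_host(host: str) -> bool:
    """True when the host is on the allowlist or a sub-domain of an entry.
    Matching on the host, not the full URL, defeats look-alike paths such as
    http://evil.example/windowsupdate/..."""
    return any(host == s or host.endswith("." + s) for s in MS_UPDATE_SUFFIXES)


def looks_like_update_agent(ua: str) -> bool:
    return UPDATE_AGENT_MARKER in ua.lower()


def scan(lines):
    """Return a Finding for every well-formed line with an update-like
    User-Agent whose destination is not a Microsoft update host.
    Malformed lines are skipped rather than raising."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m["url"])
        if looks_like_update_agent(m["ua"]) and not is_ms_update_host(host):
            findings.append(Finding(
                m["ts"], m["client"], host,
                "Windows Update-like User-Agent to non-Microsoft host",
            ))
    return findings


# Constructed sample log: one genuine update fetch, two mimics (one to a bare
# IP, one with "windowsupdate" only in the URL path), one ordinary browser
# request and one malformed line.
SAMPLE_LOG = [
    '2012-02-01T10:00:01Z 10.1.2.3 GET http://download.windowsupdate.com/msdownload/update/x.cab 200 "Windows-Update-Agent"',
    '2012-02-01T10:00:05Z 10.1.2.3 POST http://203.0.113.10/update/check 200 "Windows-Update-Agent"',
    '2012-02-01T10:00:09Z 10.1.2.7 GET http://updates.example.net/windowsupdate/selfupdate 200 "Windows-Update-Agent"',
    '2012-02-01T10:00:12Z 10.1.2.7 GET http://www.example.com/ 200 "Mozilla/5.0"',
    'garbage line that does not match the format',
]


def flagged_hosts(lines=SAMPLE_LOG):
    """Convenience wrapper: the destination hosts of all findings, in order."""
    return [f.host for f in scan(lines)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.host}: {f.reason}")
```

The host-suffix allowlist is deliberately the only thing the rule trusts: a spoofed User-Agent is free for the attacker to set, but the destination must be their own infrastructure. The third sample line shows why the match is on the host rather than the URL string, since a path containing "windowsupdate" would otherwise slip past a naive substring check.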

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/01/spear_phishing_rats/