STE WILLIAMS

Anonymous claims Parliament Wi-Fi hack during London protest

5 ways to reduce advertising network latency

Anonymous hacktivists have claimed they used laptops to launch cyber attacks against the British government whilst attending a protest in Parliament Square last week, The Register has learned.

The group claimed that over 1,000 masked protesters had gathered in the centre of London last week as part of a worldwide event called the Million Mask March.


But even as the street activists waved banners and banged bongos, a group of hackers said they stood in Parliament Square and attacked the seat of British Parliamentary democracy – using its own Wi-Fi network.

Anonymous hacktivists found the Wi-Fi password by looking at a publicly available website set up during a parliamentary conference. The Register has verified the password is available on the conference website but won’t be linking to the password details, for obvious reasons.

An Anonymous member told us: “This was an easy takeover with a wide range, because most of the credentials were given up online. We took over many pig-bought, taxpayer-iPads [sic] and many machines, including Dell computers.

“It was like taking candy from a baby. Many of the machines were unsecured, with default security options. Our Eastern European brothers also attacked the Parliament website, causing slowness all day.”

Once on Parliament’s Wi-Fi, the hacktivists said they used the network to reach email servers and were able to download the log-in details of an undisclosed number of users. They also launched a DDoS attack aimed at Parliament.

However, our Anonymous source was keen to stress that the attack was simply aimed at highlighting Parliament’s poor security.

“This is not malicious, it is for lulzcats. People in glass houses should secure themselves better. What if we were bad people? They should know [about the poor security].”

Although we could not confirm Anonymous’ claims that it hacked MPs’ fondleslabs, a government spin doctor confirmed that Parliament had experienced higher levels of traffic than usual during the protests.

“We did experience heavier than usual traffic to our internet site on 5th Nov but our defences were appropriate and the Parliamentary internet site remained available. Neither our secure Parliamentary network nor applications were penetrated by unauthorised users.

“For obvious reasons Parliament does not comment on the measures we take to ensure the security of our network.” ®

Free Regcast : Managing Multi-Vendor Devices with System Centre 2012

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/anonymous_hacked_government_sites_using_parliament_wifi/

New IE Vulnerability Found In The Wild; Sophisticated Web Exploit Follows

A new security vulnerability in Microsoft’s Internet Explorer has been discovered, and attackers have already used it to create a sophisticated exploit, according to researchers at FireEye.

In a blog posted Monday, FireEye researchers disclosed a memory access vulnerability that works on Windows XP with IE 7 and 8, as well as Windows 7 with IE 9. The vulnerability enables attackers to compromise IE machines that access a malicious website.

“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” the blog states. The attack exploits weaknesses in a Windows machine at the DLL level, enabling it to infect the machine with a large, multistage shellcode payload, the researchers say.

In a separate blog, the researchers describe a sophisticated exploit found in the wild that uses the newly discovered vulnerability.

“Specifically, the attackers inserted this zero-day exploit into a strategically important website known to draw visitors that are likely interested in national and international security policy. We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog,” an attack that infected a number of organizations in Japan in September, the researchers say.

“Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk — a technique not typically used by advanced persistent threat [APT] actors,” the blog says. In-memory attacks generally cannot be detected by traditional anti-malware tools, FireEye notes.

“This technique will further complicate network defenders’ ability to triage compromised systems using traditional forensics methods,” the blog states.

John Prisco, CEO of security vendor Triumfant, agreed. “In-memory attacks steal your intellectual property faster than the response time of a manual technique relying on signatures and prior knowledge,” he said.


Article source: http://www.darkreading.com/vulnerability/new-ie-vulnerability-found-in-the-wild-s/240163814

San Diego quietly slips facial recognition into the hands of law enforcers

The US immigration agent had a hunch.

So while he was taking part in a warrant sweep in the Oceanside neighborhood of the US city of San Diego, in California, he whipped out his Android smartphone and snapped a quick photo.

He didn’t have to ask his subject’s name. He didn’t need to check the man’s identification. And he certainly didn’t need a warrant.

The facial recognition software on the mobile phone confirmed the agent’s suspicion about the immigration status of a neighbor of the person he was pursuing: the neighbor was in the country illegally and had been convicted in 2003 of driving under the influence in San Diego.

It’s easy to see why law enforcement agents rave about this new, mobile facial recognition technology – called the Tactical Identification System (TACIDS) – which has been quietly rolled out in a pilot program in San Diego this year, according to a report published on Thursday by The Center for Investigative Reporting.

Here’s what the agent said about the episode in his testimonial for the Automated Regional Justice Information System – a vast data-sharing program that underlies the project, coordinated by the San Diego Association of Governments:

The subject looked inquisitively at me not knowing the truth was only 8 seconds away. I received a match of 99.96 percent. This revealed several prior arrests and convictions and provided me an FBI #. When I showed him his booking photo, his jaw dropped.

Oh, snap. Yes, you can see where the law would eat this right up.

Without this type of facial recognition software, which taps into databases of convicted or other persons of interest, “Uncooperative Persons Are Not Easily Identified, Wanted And Persons Of Interest Evade Detection, and Outstanding Warrants Remain Unexecuted,” as outlined in the TACIDS materials.

As Ali Winston writes in the Center for Investigative Reporting story, the facial recognition program was rolled out without any public hearings or notice.

Its secrecy has alarmed privacy experts and raised questions about whether this program is the harbinger of a future in which government databases catalogue most people, all in spite of a raging international debate over the US National Security Agency (NSA) and other governments’ surveillance agencies collecting and sharing mind-boggling amounts of data on the public.

Law enforcement officials told Winston that the facial recognition software has built-in privacy safeguards.

It doesn’t retain a central database of people who are stopped by police and questioned, they said.

After an image taken in the field is run through the system, it is discarded by the central database, they said. No database is created of photos of people who are stopped and questioned by police.

The devil’s in the details, however.

Winston reports that during field tests with police, images taken in the field were stored within individual tablets that weren’t set up to automatically delete photos that don’t match a record in a criminal database.

“It’s up to police to delete those photos on their own,” Winston writes.

Meanwhile, as officers rave about the precision of facial recognition, the Electronic Privacy Information Center (EPIC) has obtained documents that show that the Federal Bureau of Investigation’s (FBI’s) facial recognition program failed to identify the right person 1 out of 5 times.

That alarming error rate translates into a 20% chance of an innocent person getting misidentified.

This imprecise technology is set to spread across the country like a pestilence.

The program’s goal is, in fact, to develop open-source software that “will be made available as part of a repeatable national model,” the program proposal states.

Tim Dees, a retired police officer and criminal justice college professor who now writes about technology as it’s used in law enforcement and corrections, suggested to me that there’s nothing, really, to stop the spread of the technology, at least from a financial or technological standpoint:

These facial recognition systems will get cheaper as time goes on. It’s mainly software. The hardware already exists on smartphones and tablets.

As far as civil liberties go, Dees argues that facial recognition actually serves as a safeguard against false arrest based on a similar name, date of birth, government tax number, etc.

The flip side of the coin, Dees said, is if the police start using facial recognition as the sole element of probable cause for a stop:

Your day could be ruined because you looked like a wanted felon.

Still, Dees says, the facial recognition systems aren’t quite as Big Brother as most people think:

The faces are run against local files only, as bad guys don’t often stray that far from home. It’s not a system like on TV, where the face image from a surveillance cam goes into the software and the good guys have the owner’s complete pedigree in seconds. A system that ran nationally would take far too long and come up with too many false positives.

But, as a safeguard for ‘Is this Lisa Vaas?’ it works fine.

Even if San Diego’s pilot program isn’t yet hooked into national databases, that doesn’t mean it won’t be, eventually.

FaceFirst, a military contractor spinoff and the vendor behind the program, certainly has lofty, federal-level ambitions.

Winston reports:

The $126,800 contract for the San Diego system is the company’s first public contract in the United States. … Rosenkrantz would not say whether the company’s products are used by federal law enforcement, but the company has had talks with the Pentagon, Border Patrol and Navy.

What do you think? Would you be relieved to have your photo snapped and thereby avoid possible false arrest if police confuse you with a criminal?

Or is there something somewhat criminal about facial recognition being rolled out in this stealthy fashion, without the moderating influence of public debate?


Image of facial recognition courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MBj4zWswFEI/

NYPD detective pleads guilty to hacking fellow police officers’ email and phone

A New York City police detective from the NYPD pleaded guilty on Friday to paying $4,000 for email hacking services that got him into at least one colleague’s email account and one mobile phone.

According to a statement put out by the Attorney General, the detective, Edwin Vargas, used PayPal to hire someone to hack login details for at least 43 personal email accounts and one mobile phone belonging to at least 30 individuals, including 20 current or former NYPD officers and one administrative employee.

Vargas, 42, of Bronxville, NY, was arrested in May for ordering up the hacking between March 2011 and October 2012.

He could be looking at a maximum of two years in prison: one year each for a count of conspiring to commit computer hacking and another count of computer hacking.

At the time of his arrest, the Attorney General said that when law enforcement checked out the hard drive on Vargas’s NYPD computer, they found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looked like telephone numbers, home addresses, vehicle information corresponding to those email addresses, and email account passwords.

Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers.

Manhattan US Attorney Preet Bharara said in the statement that being on the NYPD doesn’t give police any special dispensation to break the law that taxpayers pay them to uphold:

He accessed a law enforcement database without authorization and paid hackers to illegally obtain e-mail login information for his fellow officers and others. Vargas’s guilty plea today and his forthcoming punishment make clear that those who illegally invade others’ privacy, including members of law enforcement, will not escape prosecution.

Vargas was a bad apple, but his guilty plea brings to light more than one crooked cop.

The A.G. didn’t go into detail about how the email hacking services managed to steal login details, but phishing and social engineering are tried and true methods to go about this slimy work.

As it is, such services advertise techniques including brute-force attacks, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.

A defence-in-depth strategy can help lower the risk from those vectors within organizations.

For example, let’s hope that since Vargas’s arrest, the NYPD has laid down the law about not clicking on phishy links or opening phishy email attachments, and not using overly simple passwords and/or using passwords on multiple sites.

Let’s hope they’ve ramped up training on:

  • Questioning and reporting suspicious behavior.
  • Refraining from sharing work-related details on social networks.
  • Not using work devices for personal activities.
  • Protecting access to different types of data with strong and separate passwords.
  • Segmenting the network so that if attackers compromise an employee with access to one network segment they can’t access more sensitive ones.
  • Not letting attackers go undetected as they work their way through the organizational phone book until they hit pay dirt. Employees should have one point of contact to whom they can send all reports of phishing expeditions, whether those attempts come via phone or email.

For more thoughts on hardening an organization’s defences, whether you’re talking about a widget maker or a police department, check out Sophos’s Practical IT guide to planning against threats to your business.

Image of NYPD detective badge by Flickr user Scoutnurse.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g8dQnHwHka0/

Chinese Bitcoin exchange DISAPPEARS, along with £2.5 MEEELLION


Chinese Bitcoin exchange GBL has shut down, taking with it over 25 million yuan (£2.5m, $US4.1m) of investors’ money, in another warning to those who don’t look before they leap with the digital currency.

Users first suspected something was up on October 26th when they could no longer access the site of Global Bond Limited (GBL), according to Coindesk.


On closer inspection, the office address in Hong Kong was found to be empty, its QQ instant messaging contact unresponsive and customer-facing phone lines silent.

GBL only appeared on the Bitcoin scene back in June, after it claimed to have been granted a license by the Hong Kong government to operate a virtual currency exchange business.

However, while it had registered with the authorities, they apparently did not grant it a license to operate as a financial services company.

It was discovered that the firm was using its Hong Kong status merely to appear more legitimate to investors, and that in fact its servers were located in Beijing.

This info was posted to the Bitcoin Forum as far back as May, when the firm seems to have been set up.

Depending on which reports you believe, the exchange managed to attract between 500 and 1,000 investors, all keen to jump on the Bitcoin bandwagon.

Most of them, apparently drawn to the platform by fee waivers and other financial inducements, suspected nothing until the site closed at the end of last month.

The demise of GBL will certainly do the reputation of Bitcoin no favours, especially since regulators across the globe seem uncertain how to respond to the digital currency.

However, potentially more damaging are reports like the one last week, which claimed the platform could be hijacked by “selfish” Bitcoin miners. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/bitcoin_gbl_hong_kong_collapse/

Feeling twitchy about nasty IE 0-day? Microsoft promises relief today


An unpatched flaw in Internet Explorer that became the topic of a high-profile warning over the weekend will be patched later on Tuesday, Microsoft promises.

The CVE-2013-3918 vulnerability, affecting an Internet Explorer ActiveX Control, showed up in active attacks detected by net security firm FireEye, sparking a high-profile warning.


The flaw has already been abused in a variety of attacks by a group linked to the Operation DeputyDog assaults against targets in Japan and China.

However, by a happy coincidence, Redmond already has the latest IE issue in hand and plans to release a fix as part of a cumulative update to IE (bulletin MS13-090) already scheduled as part of the November edition of Patch Tuesday.

The vulnerability exists in various versions of Internet Explorer 7, 8, 9 and 10, running Windows XP or Windows 7.

Sysadmins concerned about protecting against the vulnerability until they can deploy the critical fix are advised to follow workarounds detailed in a security advisory by Microsoft’s Security Response Team, which involve either blocking ActiveX Controls and Active Scripting or requiring user prompts before running the technology. Even Microsoft admits these workarounds might cause usability problems.

Microsoft is lining up eight bulletins for the November edition of Patch Tuesday, including three critical fixes. However, there’s no relief in sight for a separate zero-day vulnerability involving how Office handles .TIFF graphics files. The flaw is being actively exploited in attacks, predominantly in India and China, by both profit-motivated cybercrooks and cyberspies. Fortunately Microsoft has issued a workaround that acts by disabling TIFF rendering in the affected graphics library.

TIFF is a format used frequently when scanning documents and in the publishing industry – and is desirable to design types because it is a lossless format in which vector-based clipping paths can be included. It’s not that popular outside of the design world, however, as it is not the most compatible of extensions. So for most corporates, applying the workaround isn’t going to be any inconvenience. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/ie_0day_relief_at_hand/

Stale Blackhole leads to dried-up spam, claim badhat-probers


Security researchers at Trend Micro reckon that Blackhole, cybercrooks’ preferred tool for running drive-by download attacks from compromised websites, is no longer being updated. This means the utility – which was available for rent at around $50 a day – has quickly gone stale.

Nature abhors a vacuum, though, and malware-flingers have quickly latched onto the infamous CryptoLocker ransomware.


Trend Micro and others said they quickly noticed a significant reduction in spam campaigns using Blackhole exploit kits in early October, creating a vacuum in the spam-sending world.

The Upatre exploit kit has become one of the preferred replacements for Blackhole, which had been a common tool of cybercrooks since 2010. The move is bad news for those interested in internet hygiene, because Upatre is a significant vector for the spread of CryptoLocker.

“We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying Upatre (which ultimately leads to CryptoLocker) right around October,” Maria Manly, an anti-spam research engineer at Trend Micro explains in a blog post. “In fact, we have monitored multiple IPs involved in the transition – [from] sending Blackhole Exploit Kit spam [to] sending CryptoLocker spam.”

She adds: “The Cutwail-Upatre-ZeuS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker.”

The Cutwail botnet has the capability to send very high numbers of spam messages, a factor that might go a long way towards explaining the sudden recent upsurge in CryptoLocker malfeasance.

CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in an email as an executable file disguised as a PDF file, packed into a zip attachment. If opened, the malware attempts to encrypt the user’s documents across both local and any mapped network hard drives. The malware uses an encryption key that is generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users’ files using asymmetric encryption, featuring a public and private key pair.
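The delivery step described above (an executable disguised as a PDF, packed into a zip attachment) is something a mail gateway can screen for before the attachment ever reaches a user. The following is an added example written for this page, not code from the article or from Trend Micro: it inspects a zip attachment in memory and flags members that carry an executable extension, hide a document extension in front of an executable one, or begin with the `MZ` header that every Windows PE file starts with while claiming to be a document. The sample zip is constructed inline; the extension lists are an assumption for illustration and a real gateway would use a fuller set.

```python
import io
import zipfile

# Assumed illustrative lists; a production filter would carry many more entries.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like an executable posing as a document.

    `head` is the first two bytes of the member's content; an empty list means
    nothing suspicious was found.
    """
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""

    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {final_ext}")
        # Classic lure: "Invoice.pdf.exe" shows as "Invoice.pdf" when
        # Explorer hides known extensions.
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"document extension .{parts[-2]} hidden before {final_ext}")

    if head.startswith(b"MZ"):
        # "MZ" is the DOS stub header of every Windows PE executable.
        if final_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"PE header (MZ) inside a file claiming {final_ext}")
        elif final_ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("PE header (MZ) with non-executable extension")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a zip attachment to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: two benign members, three lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62)   # double extension + PE
        zf.writestr("notes.txt", b"plain text")                     # benign
        zf.writestr("report.pdf", b"%PDF-1.4 sample")               # benign
        zf.writestr("driver.scr", b"MZ" + b"\x00" * 62)             # screensaver executable
        zf.writestr("brochure.pdf", b"MZ" + b"\x00" * 62)           # PE hiding behind .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Checking the magic bytes as well as the name matters because the two signals fail independently: a renamed binary defeats the extension check, and a harmless file with a misleading name defeats the header check, so a gateway that quarantines on either catches both cases.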

The owner then receives a ransom demand, payable within 72 hours, of around $300 or more.

The reaction to Blackhole’s removal from play “highlights, somewhat perversely, how resilient cybercrime can be,” according to Manly.

A suspect was recently arrested by Moscow cops in connection with the Blackhole Exploit Kit case, although El Reg notes there is not necessarily a link between the two events. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/cryptolocker_rise_blackhole_demise/

Security researcher Cédric ‘Sid’ Blancher dead at 37


Security researcher Cédric “Sid” Blancher has reportedly been killed in a skydiving accident in France.

At the time of writing, details of the accident remain sketchy. However, the Courrier-Picard says he died instantly after “a heavy fall on the landing zone” at the Frétoy-le-Chateau airfield.


Among other things, the 37-year-old Blancher was a sought-after speaker on WiFi security, and in 2005 published a Python-based WiFi traffic injection tool called Wifitap.

In 2006, while working for the EADS Corporate Research centre, he also put together a paper on how to exploit Skype to act as a botnet.

Cedric Blancher, from his Vimeo profile

In addition to his corporate employment, Blancher had held lecturing posts in computer security at ESIEA and Limoges University.

The president of the Picardy Skydiving League, Marcel Hénique, says Blancher seems to have made an error attempting a maneuver which translates from the French as a “turn down”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/cdric_sid_blancher_dead_at_37/

Anonymous Indonesia gets it right, attacks Australian government


Entities using the name and iconography of Anonymous’ Indonesian branch claim to have successfully disrupted web sites operated by Australia’s security services.

Anonymous Indonesia, and much of the rest of the nation, is upset with Australia after Edward Snowden revealed the latter country spied on the former.


Australia and Indonesia have a volatile relationship, in part because criticism of the other plays well in each nation’s domestic politics. The spying revelation has given Indonesia a chance to get huffy and Anonymous Indonesia joined in, initially by hitting the websites of Australian small businesses. Anonymous Australia, or entities using its iconography and name, made some kind of retaliatory threat in the Tweet below.

Folks using the iconography and name of Anonymous Australia also suggested a “cyberwar” could be the result if Anonymous Indonesia didn’t start to attack Australian government targets instead of small businesses.

Anonymous Indonesia seems to have heeded that warning and advice, claiming to have taken down the site of the Australian Security Intelligence Organisation (ASIO) and the more secretive Australian Secret Intelligence Service. Vulture South observed both organisations’ sites went down during various parts of Monday and Tuesday.

Neither site has operational significance, other than for recruitment advertising, so Anonymous Indonesia has not landed a telling blow against Australia. Nor does it appear to have swayed either nation’s foreign policy or enhanced the liberty of their citizenry. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/anonymous_indonesia_remembers_who_enemy_is_attacks_australian_government/

Japanese anti-nuke groups DoS-bombed by mystery attackers


Over 30 anti-nuclear grass roots groups in Japan have been deluged with millions of spam emails over the past two months in what appears to be a co-ordinated campaign to disrupt and obstruct them.

More than 2.53 million emails were sent to at least 33 activist groups since mid-September, with 430,000 sent to just two groups between October 24 and November 4, according to The Asahi Shimbun.


The groups include Women’s Active Museum on War and Peace, the Metropolitan Coalition Against Nukes and Fukushima Genpatsu Kokusodan – a body dedicated to filing complaints about the stricken Fukushima plant.

One email apparently read: “Unless we kill all of the anti-nuclear believers, world peace will be never achieved.”

However, the main purpose of the attack appears to have been denial of service.

Using Tor to hide their IP address, the attackers apparently obtain the contact email addresses of the groups and then register them with other like-minded groups – using a special program to register up to hundreds of times per minute.

The responses from said sites then deluge the groups’ inboxes in a classic DoS style.
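The flood described in the two paragraphs above has a recognisable shape on the receiving side: a burst of opt-in confirmation messages arriving from many unrelated list servers within minutes, where legitimate sign-ups trickle in from one list at a time. The following is an added example written for this page, not code from the article or from any of the groups involved: it parses a constructed mail log, counts confirmation-style subjects in a sliding window, and raises an alert when both the message count and the number of distinct sender domains cross a threshold. The log format, subject-line regex and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed subject words that list-management software uses for opt-in confirmations.
CONFIRM_SUBJECT = re.compile(r"\b(confirm|verify|activate|welcome|subscription)\b", re.I)


def parse_line(line: str):
    """Parse one constructed log line: '<ISO timestamp> <envelope sender> <subject>'."""
    ts, sender, subject = line.split(" ", 2)
    return datetime.fromisoformat(ts), sender.lower(), subject


def detect_subscription_flood(lines, window=timedelta(minutes=10),
                              min_messages=8, min_senders=5):
    """Return one alert per burst of confirmation mails from many distinct domains.

    Events are sorted by time; a deque holds the confirmation mails seen inside
    the trailing window. An alert fires when the window holds at least
    `min_messages` confirmations from at least `min_senders` sender domains.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    recent = deque()
    alerts = []
    for ts, sender, subject in events:
        if not CONFIRM_SUBJECT.search(subject):
            continue  # ordinary mail never enters the window
        recent.append((ts, sender))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        domains = {s.split("@")[-1] for _, s in recent}
        if len(recent) >= min_messages and len(domains) >= min_senders:
            alerts.append({"window_end": ts,
                           "messages": len(recent),
                           "sender_domains": len(domains)})
            recent.clear()  # one alert per burst, then start counting afresh
    return alerts


# Constructed sample: a normal morning, then a burst from ten different list servers.
SAMPLE_LOG = [
    "2013-10-24T09:00:00 noreply@newsletter-a.example Please confirm your subscription",
    "2013-10-24T09:30:00 bob@friend.example Lunch on Friday?",
    "2013-10-24T10:15:00 noreply@newsletter-a.example Welcome to our list",
] + [
    f"2013-10-24T14:00:{i:02d} list@group-{i % 10}.example "
    f"Confirm your subscription to our mailing list"
    for i in range(12)
]


if __name__ == "__main__":
    for alert in detect_subscription_flood(SAMPLE_LOG):
        print(alert)
```

Requiring many distinct sender domains, not just many messages, is what separates this pattern from a single chatty list or a user who genuinely signed up for several newsletters at once; the thresholds should be tuned against the normal volume of the mailbox being protected.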

There’s talk that the attackers may be trying to create discord between the groups, but at the moment there are apparently no leads.

Japanese police don’t have a great track record when it comes to solving computer crime.

The National Police Agency (NPA) famously lost face at the start of the year after arresting four innocent suspects whose PCs had been taken over and used to post threatening messages on the net – even extracting false confessions from some of them.

The innocents were only let go after the Tor-using “Demon Killer” continued the posts while they were in custody.

The NPA has since proposed what amounts to a ban on the Tor anonymiser network in the country. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/tor_npa_nuclear_groups_dos_japan/