STE WILLIAMS

New ransomware strain forces hapless users into becoming Bitcoin miners

Supercharge your infrastructure

Scammers are punting a strain of ransomware that puts compromised PCs to work mining Bitcoins after blocking all other activity on infected Windows computers.

A new variant of the Reveton ransomware, spotted by researchers at Malwarebytes, locks a user out of their computer before running a Bitcoin miner. This means the criminals are no longer dependent on payment of the “ransom” to make a profit – hijacking a computer by itself will yield a return for the cybercrooks.


Reveton is a widespread piece of ransomware. Typically, it falsely accuses marks of downloading images of child abuse or downloading copyright-protected content before demanding a fine to unlock computers. Payment is normally requested in the form of a voucher from an anonymous prepaid cash service, such as Ukash or Paysafecard.

Internet pondlife have previously used ransomware to peddle survey scams and fake anti-virus products (“scareware”). Viewed in this context, co-opting PCs compromised by ransomware into Bitcoin mining botnets is the next logical step.

Making money mining Bitcoins for practical gain involves running arrays of GPUs to solve the ever-harder computations needed to generate Bitcoins. Of course, if it’s not your own resource that’s been turned over to number crunching, this is less of a consideration. Perhaps crooks have realised that marks are dithering when it comes to caving in to ransomware demands, and there’s profit to be mined from their indecision.

“Ransomware is most commonly spread via drive-by downloads and Reveton especially has been seen working with some of the most notorious exploit kits available today,” writes Malwarebytes researcher Adam Kujawa in a blog post on the threat.

Kujawa advises consumers to update browser software and plug-ins to guard against the most common types of threat exploited by Reveton-peddling gangs. ®

5 ways to prepare your advertising infrastructure for disaster

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/19/bitcoinmining_ransomware/

Riverbed flows faster with refreshed cloudy Whitewater gateways


Network-polishing tech firm Riverbed is still honking away at its great Glacier front end story, with three new Whitewater cloud storage backup appliances and an operating system upgrade to WWOS v3.0.

Cloud storage gateways are local converged server and storage appliances that provide a dedicated on-ramp to the cloud. This ramp stores and prepares data for delivery to its cloud storage destination. With the new Whitewater boxes and software, users get more local storage, faster data ingest and additional replication choices.


Whitewater appliances store recent data in local disk cache for fast access and shunt other data off to the cloud, deduplicating it before transmission, with Amazon’s Glacier archive featuring as a prominent destination. Many other clouds are supported as well, though:

Supported Whitewater clouds and applications

The existing 510 and 710 products stay on Riverbed’s list and the three new Whitewater boxes are these:

  • 730 – 8TB of usable cache, targeted at larger small and medium businesses
  • 2030 – 16-48TB of usable cache, aimed at enterprises with medium data sets
  • 3030 – with 32-96TB of usable cache this has three times the data caching capacity of the previous range-topping 3010. For enterprises with large data sets it can support backup and archive datasets of up to 14.4 petabytes in the cloud

Ten gig Ethernet support has been added so you can access the boxes faster, specifically meaning faster ingesting of data. This also means Amazon Direct Connect can be used to move datasets up to Glacier faster.

Users can pin specific backup datasets in their Whitewater appliance to guarantee recovery at local disk speed rather than slower cloud recovery speed, which, in Glacier’s case, can take hours.

Whitewater range


A previous product range table can be found here.

The new software provides “pairwise replication that enable enterprises to replicate to an additional Whitewater appliance at a secondary location.” This means recovery from a failed Whitewater is much faster than recovering all of its data from the cloud.

WWOS 3.0 is available now, as a free upgrade to supported users. The three appliances are also available now. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/20/whitewater_rapids_speed_data_flow/

Latest Snowden reveal: It was GCHQ that hacked Belgian telco giant


Leaked documents provide evidence that GCHQ planted malware in the systems of Belgacom, the largest telecommunications company in Belgium.

According to slides obtained by NSA whistleblower Edward Snowden and supplied to German newspaper Der Spiegel, the attack targeted several Belgacom employees and involved planting an attack technology called “Quantum Insert”, which was developed by the NSA. The attack technique surreptitiously directs victims to spook-run websites where they are exposed to secondary malware infection.


The ultimate goal of “Operation Socialist” was to gain access to Belgacom’s core GRX routers in order to run man-in-the-middle attacks against targets roaming with smartphones.

The documents show that spooks in Cheltenham were particularly interested in BICS – a joint venture between Belgacom, Swisscom and South Africa’s MTN – which provides wholesale carrier services to mobile and fixed-line telcos around the world, including trouble spots such as Yemen and Syria. BICS is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, UK, Europe, North Africa, the Middle East and Singapore to the rest of the world.

Early goals for the spies included mapping its network to understand Belgacom’s infrastructure as well as investigating VPN links from BICS to other telecoms providers. The leaked slides describe the exercise as already being a success and close to achieving its ultimate goal of compromising enough of Belgacom’s infrastructure to run man-in-the-middle attacks. One slide explains spooks had successfully compromised “hosts with access” to Belgacom’s Core GRX routers, leaving them just one step away from their objective. The slides themselves aren’t dated but other leaked documents date the compromise of Belgacom’s systems to around three years ago in 2010.

In a statement issued earlier this week, Belgacom admitted its internal systems were compromised but played down the impact of the breach, saying the intrusion did not compromise the “delivery” of communications. It added that the intrusion is under investigation by Belgian law enforcement.

If GCHQ was indeed the agency concerned then this investigation is unlikely to go anywhere and the most that can be expected is some sort of diplomatic complaint from Belgium to the UK, its EU and Nato partner. We’ve asked Belgacom if it has any comment on Der Spiegel‘s revelations.

In response, a spokesman supplied the following short statement which clarifies that Belgacom filed a criminal complaint in July shortly after detecting the hack, and long before going public with the problem on Monday:

We have filed on July 19 a complaint against an unknown third party and have granted since then our full support to the investigation that is being performed by the Federal Prosecutor.

Background on GRX (GPRS Roaming Exchange), a tasty target for signals intelligence types, can be found in a presentation put together by Philippe Langlois, founder and chief exec of P1 Security, from the TROOPERS security conference in Germany back in 2011, and available here in PDF. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/20/gchq_belgacom_hack_link/

‘Bogus IT guys’ slurp £1.3m from Barclays: Cybercops cuff 8 blokes


UK police have arrested eight men after a gang fitted remote-control hardware to a Barclays bank branch computer and stole £1.3m.

Money was slurped from the bank after crooks hooked up a KVM (keyboard, video and mouse) switch and 3G dongle to a terminal in the branch, officers said.


The suspects, aged between 24 and 47, were cuffed by cops from the Metropolitan Police’s Central e-Crime Unit during a series of raids on Thursday and Friday. The Met said the men had been arrested “in connection with an allegation of conspiracy to steal from Barclays Bank, and conspiracy to defraud UK banks”.

Police said that “cash, jewellery, drugs, thousands of credit cards and personal data” were recovered in a series of raids across London and Essex.

“The arrests are the result of a long-term intelligence-led operation by the Metropolitan Police’s PCeU, in partnership with Barclays Bank, who have been investigating the theft of £1.3 million from the Swiss Cottage branch of Barclays in April 2013,” a Met Police statement explains.

Barclays reported the missing money to Scotland Yard, and a subsequent search revealed a 3G mobile internet dongle attached to a KVM switch that was connected to a computer in a London branch. KVM switches, which can cost as little as £10, are used legitimately for remote working; the keyboard, video and mouse signals can be routed over the internet to another keyboard, monitor and mouse.

In this case, it seems the device was allegedly used to remotely control the compromised computer in a Barclays branch in London’s Swiss Cottage district. Bank accounts were looted shortly after an individual posing as an IT worker installed the device on 4 April, cops said.

“A male purporting to be an IT engineer had gained access to the branch, falsely stating he was there to fix computers,” the Met police statement explains. “He had then deployed the KVM device. This enabled the criminal group to remotely transfer monies to predetermined bank accounts under the control of the criminal group.”

Barclays have since been able to recover a “significant amount” of the stolen funds.

Detective Inspector Mark Raymond of the Met’s PCeU said: “These arrests were achieved working in partnership with the Virtual Task Force (VTF), a unique information sharing cyber collaboration between the PCeU and the UK banking sector.”

The detective added: “Those responsible for this offence are significant players within a sophisticated and determined organised criminal network, who used considerable technical abilities and traditional criminal know-how to infiltrate and exploit secure banking systems.”

David Emm, senior security researcher at Kaspersky Lab, commented: “KVM devices have been around for some time now. They allow the use of multiple devices through one keyboard or mouse. The successful fitting of such a device, combined with specific software, would give the hackers remote access to that particular computer and any network or information it had access to.”

Planting hardware hacking devices to enable cyber-crime is becoming something of a trend. The latest arrests come after four men appeared in court earlier this month charged with conspiracy to steal after a KVM was placed on a Santander branch in Surrey Quays, southeast London. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/20/barclays_cyber_cops_make_arrests/

Layoffs at EMC’s RSA security division


RSA, the security division of EMC, has confirmed plans to restructure its business, a move that means an unspecified number of long-term staffers will be shown the door.

Details are scarce, for now, but RSA said that it plans to make new hires that will more than offset job losses by start of 2014.


It wrote in an email:

While details remain confidential, I am able to tell you that RSA realigned resources this quarter, which resulted in some RSA employee reductions and identification of new roles to be hired. RSA intends to end 2013 with more employees than the business had at the beginning of the year.

EMC acquired RSA Security for $2.1bn in 2006. In its latest quarterly figures (released in July), EMC said its RSA Information Security business had increased revenue three per cent year over year – as a component of “sales and other revenues” at EMC that came out at $5.6bn for Q2 2013. Overall revenue was up 6 per cent, which means EMC’s security division is slightly behind the overall growth curve.

RSA’s SecurID hardware tokens have been an industry standard for many years, but the market is diversifying and moving towards forms of two-factor authentication based on software agents running on smartphones and other methods.

This change in a mature market has been predictable, and RSA has been planning for it for several years, partly through acquisition: it now has a more diversified portfolio featuring governance and compliance, network monitoring and security management products alongside the authentication technology that made it famous.

Some argue that the change has been accelerated by the infamous 2011 breach by state-sponsored hackers from China against core systems associated with RSA SecurID, an attack later used in unsuccessful attacks against military contractors that, like so many, made use of RSA’s technology to secure remote access connections.

Whatever the reasons, and RSA isn’t saying, it looks like the firm is offloading those with expertise tied to its legacy token business while making new hires that align it better with new strategies, among them a focus on Big Data. Big Data can improve security strategy, an approach that provides a more natural fit between RSA and its owner, storage giant EMC. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/20/rsa_restructuring/

‘Occupy’ affiliate claims Intel bakes SECRET 3G radio into vPro CPUs


Intel has apparently turned up one of the holiest of holy grails in the tech sector, accidentally creating a zero-power-consumption on-chip 3G communications platform as an NSA backdoor.

The scoop comes courtesy of tinfoil socialist site Popular Resistance, in this piece written by freelance truther Jim Stone, who has just discovered the wake-on-LAN capabilities in vPro processors. He writes:


“The new Intel Core vPro processors contain a new remote access feature which allows 100 percent remote access to a PC 100 percent of the time, even if the computer is turned off. Core vPro processors contain a second physical processor embedded within the main processor which has its own operating system embedded on the chip itself. As long as the power supply is available and in working condition, it can be woken up by the Core vPro processor, which runs on the system’s phantom power and is able to quietly turn individual hardware components on and access anything on them.”

A little background: Popular Resistance was formed in 2011 and was part of the ‘Occupy’ movement, having done its bit in Washington DC. It now promotes an anti-capitalist agenda.

Back to Stone, who says Intel can do all the stuff vPro enables thanks to an undocumented 3G radio buried in its chips, which apparently extends wake-on-LAN to wake-on-mobile:

“Core vPro processors work in conjunction with Intel’s new Anti Theft 3.0, which put 3g connectivity into every Intel CPU after the Sandy Bridge version of the I3/5/7 processors. Users do not get to know about that 3g connection, but it IS there,” he writes, “anti theft 3.0 always has that 3G connection on also, even if the computer is turned off” (emphasis added).

No evidence is offered for the assertions detailed above.

And with that, El Reg will now happily open the floor to the commentards … ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/

Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED


Well, that lasted a long time: the Chaos Computer Club has already broken Apple’s TouchID fingerprint lock, and warns owners against using biometric ID to protect their data.

As the group explains here, it seems that the main advance in Cupertino’s biometrics was that it uses a high resolution fingerprint scan. The post states:


A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking.

All the CCC needed to defeat the scanner was an image of a user’s fingerprint at 2,400 dpi resolution. That scan was “cleaned up”, inverted, and printed onto a transparent sheet. The image of the print is then lifted from the sheet using latex milk or wood glue.

“After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone,” the post states, adding that this technique can be used against “the vast majority” of fingerprint scanners.

At the time of writing, the CCC hadn’t announced whether it will claim any of the prizes on offer for a successful attack.

The video below demonstrates the attack. ®



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/22/iphone_5_touchid_broken_by_chaos_computer_club/

DeputyDog attack targets latest IE zero day


Security researchers have spotted two new targeted attack campaigns aimed at organisations in Japan, China and elsewhere in Asia, one of which exploits a zero-day vulnerability in Internet Explorer revealed only last week.

Operation DeputyDog is targeted at “entities in Japan”, using the IE vulnerability CVE-2013-3893 which Microsoft released an emergency patch for last Tuesday, according to security firm FireEye.


The payload for the attack, first detected by FireEye at the end of August, was hosted on a server in Hong Kong disguised as a .jpg file. The malware was then observed connecting to a host in South Korea.

FireEye also claimed the group responsible for DeputyDog is the same one that compromised security firm Bit9 back in February 2013, thanks to a connection with the IP address 180.150.228.102.

It explained in more detail as follows:

According to Bit9, the attackers that penetrated their network dropped two variants of the HiKit rootkit. One of these HiKit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com that resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012 and April 22, 2012.

The domain yahooeast[.]net was registered to [email protected]. This email address was also used to register blankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability.
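The quoted FireEye text is a chain of infrastructure pivots: a malware callback leads to a domain, the domain to a hosting IP, the IP to a second domain that shared it, that domain to a registrant e-mail, and so on until the chain reaches the DeputyDog sample. The following script is an added example written for this page, not FireEye's or Bit9's tooling. It encodes only the relationships quoted above as an indicator graph, finds the shortest chain between the Bit9 HiKit sample and CVE-2013-3893, and reports the weakest hop. The per-hop confidence weights are this example's assumption (a callback or shared registrant is strong evidence, two domains briefly sharing a hosting IP is weak), and the registrant e-mail, which is redacted on the page, is a labelled placeholder.

```python
from collections import deque

# Relationships taken from the FireEye text quoted above, values kept defanged
# as printed. The registrant e-mail is redacted on the page, so a placeholder
# stands in for it.
REGISTRANT_EMAIL = "<registrant e-mail redacted on page>"

# (indicator, relation, indicator, confidence). The confidence weights are an
# assumption of this example, not FireEye's: a malware callback or a shared
# registrant is strong evidence; two domains sharing a hosting IP for a few
# weeks is weak, because shared hosting is common.
RELATIONS = [
    ("HiKit sample (Bit9 intrusion)", "connected to C2", "downloadmp3server[.]servemp3[.]com", 0.9),
    ("downloadmp3server[.]servemp3[.]com", "resolved to", "66.153.86.14", 0.8),
    ("www[.]yahooeast[.]net", "hosted on, Mar-Apr 2012", "66.153.86.14", 0.5),
    ("www[.]yahooeast[.]net", "subdomain of", "yahooeast[.]net", 1.0),
    ("yahooeast[.]net", "registered by", REGISTRANT_EMAIL, 0.9),
    ("blankchair[.]com", "registered by", REGISTRANT_EMAIL, 0.9),
    ("blankchair[.]com", "pointed to", "180.150.228.102", 0.8),
    ("58dc05118ef8b11dcb5f5c596ab772fd", "calls back to", "180.150.228.102", 0.9),
    ("58dc05118ef8b11dcb5f5c596ab772fd", "exploits", "CVE-2013-3893", 1.0),
]


def build_graph(relations):
    """Undirected adjacency list; reverse edges are tagged so hops read correctly."""
    graph = {}
    for a, rel, b, conf in relations:
        graph.setdefault(a, []).append((b, rel, conf))
        graph.setdefault(b, []).append((a, rel + " [reverse]", conf))
    return graph


def pivot_path(graph, start, goal):
    """Breadth-first search for the shortest chain of relationships.

    Returns a list of hops (from, relation, to, confidence), or None if the
    two indicators are not connected by the evidence in the graph.
    """
    queue = deque([start])
    previous = {start: None}
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for neighbour, rel, conf in graph.get(node, []):
            if neighbour not in previous:
                previous[neighbour] = (node, rel, conf)
                queue.append(neighbour)
    if goal not in previous:
        return None
    hops = []
    node = goal
    while previous[node] is not None:
        parent, rel, conf = previous[node]
        hops.append((parent, rel, node, conf))
        node = parent
    return list(reversed(hops))


def path_nodes(hops):
    """Indicators visited along a path, in order."""
    if not hops:
        return []
    return [hops[0][0]] + [hop[2] for hop in hops]


def weakest_link(hops):
    """The hop an analyst should scrutinise first: the least confident one."""
    return min(hops, key=lambda hop: hop[3])


def chain_confidence(hops):
    """Naive overall confidence of the chain: product of per-hop confidences."""
    result = 1.0
    for hop in hops:
        result *= hop[3]
    return result


if __name__ == "__main__":
    graph = build_graph(RELATIONS)
    hops = pivot_path(graph, "HiKit sample (Bit9 intrusion)", "CVE-2013-3893")
    for src, rel, dst, conf in hops:
        print(f"{src}  --[{rel}, {conf:.1f}]-->  {dst}")
    src, rel, dst, conf = weakest_link(hops)
    print(f"weakest link: {src} -> {dst} ({rel}, {conf:.1f})")
    print(f"chain confidence: {chain_confidence(hops):.3f}")
```

Run as a script it prints the nine-hop chain. The point for a defender is the weakest link it reports: the whole attribution from the Bit9 intrusion to the DeputyDog sample passes through one IP that two domains shared for six weeks in 2012, so that hop is where corroborating evidence (passive DNS showing how many other domains sat on 66.153.86.14 at the time) matters most before acting on the link.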

Researchers at Symantec last week claimed that the Bit9 attacks could have been carried out by a sophisticated Chinese hacking group, Hidden Lynx, which is also implicated in the infamous Operation Aurora raid on Google and over 30 other technology firms back in 2009.

Meanwhile, threat analysts over at Trend Micro highlighted a new malware family being used in targeted attacks against mainly government organisations in Asia.

EvilGrab is so-named because it has been designed to grab audio and video files, take screenshots and log keystrokes from infected machines before uploading them to a remote server.

The malware has been spotted targeting mainly Chinese (36 per cent) and Japanese (16 per cent) organisations, with 89 per cent of victims hailing from the government sector.

Interestingly, EvilGrab has also been specially crafted to steal info from popular Chinese instant messaging app Tencent QQ, according to Trend Micro.

The discovery is part of the security vendor’s first quarterly report on targeted attacks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/apt_deputydog_evilgrab_target_asian_firms/

Java updates too much of a bother? Maybe online banking’s just not for you


Security researchers have spotted a surge in attacks against online banking customers, thanks to a new strain of Java-exploiting Trojan Caphaw (aka Shylock).

Over the last month or so the malware has targeted customers in at least 24 financial institutions, including Bank of Scotland, Barclays Bank, First Direct, Santander Direkt Bank AG and Capital One Financial Corporation, according to security researchers at cloud security firm Zscaler. There’s no word on whether or how successful its attacks have been and which bank’s customers have been affected. Caphaw (Shylock) is most active in the UK, Italy, Denmark and Turkey.


“We have detected hundreds of infections, but there is no way to calculate the losses,” Zscaler researcher Chris Mannon told El Reg.

The Trojan hooks itself into the browser processes of victims before using a self-signed SSL certificate to trigger encrypted “phone home” communication with remote command and control servers. This encryption is designed to keep the malware under the radar of corporate and ISP-level network security tools. Detection by endpoint security scanners is also low, according to Zscaler.

Caphaw appears to be spreading using a Java exploit from compromised websites as part of a drive-by download attack. However evidence for this theory remains circumstantial, as an advisory from Zscaler explains.

“At the time of research, we were unable to identify the initial infection vector,” Mannon and fellow Zscaler researcher Sachin Deodhar explain in a blog post.

“We can tell that it is more than likely arriving as part of an exploit kit honing in on vulnerable versions of Java. The reason we suspect this is that the User-Agent for every single transaction that has come through our Behavioral Analysis (BA) solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.”

Mannon added: “We suspect it is coming from a Java exploit on the version listed in the blog. Other vectors this threat has used in the past include Skype, social media, and email spam.”

Caphaw features a domain generation algorithm that generates a large number of quasi-random domain names that are then used to “dial home” and receive/send commands/data. This is far from a new tactic in botnet administration but it’s still a successful approach in making life difficult for law enforcement.
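Two of the observations above give a network defender something concrete to look for in proxy logs: the outdated Java User-Agent Zscaler saw on every transaction, and the quasi-random domain names a domain generation algorithm produces. The script below is an added example written for this page, not Zscaler's code, and runs over a few constructed proxy log lines (invented for the example; the DGA-style hostnames are made up). It flags requests from hosts still carrying a Java 6 runtime and hostnames whose labels look machine-generated, using cheap lexical features (vowel ratio and longest vowel-free run) rather than a dictionary, and it generalises slightly beyond the article by checking every label below the TLD so suffixes like co.uk need no public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed proxy log lines (sample data for this example, not from the
# article or from Zscaler): "<client_ip> <destination_host> <user_agent>".
SAMPLE_LOG = """\
10.0.0.5 www.bankofscotland.co.uk Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
10.0.0.7 vqzkiwxorpchtu.net Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07
10.0.0.7 bt9wpuxszlqmfa.com Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07
10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0.1547.66
10.0.0.9 updates.example.com Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07
"""

# Java 6 (1.6.x) had reached end of public updates by the time of the article;
# a request carrying this runtime's User-Agent means an exploitable plug-in is
# installed on the client, whether or not the destination is malicious.
OUTDATED_JAVA_UA = re.compile(r"\bJava/1\.[0-6]\.")

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(label):
    """Cheap lexical features of one DNS label; digits count as non-vowels."""
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in VOWELS for ch in letters)
    longest_run = run = 0
    for ch in label:
        if ch in VOWELS:
            run = 0
        else:
            run += 1
            longest_run = max(longest_run, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "longest_consonant_run": longest_run,
    }


def is_dga_like(label):
    """Heuristic: long label, few vowels, and a long run with no vowel at all."""
    f = label_features(label)
    return (f["length"] >= 10
            and f["vowel_ratio"] < 0.35
            and f["longest_consonant_run"] >= 5)


def analyze_log(text):
    """Return one finding per log line that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, user_agent = line.split(" ", 2)
        reasons = []
        # Check every label below the TLD so "co.uk"-style suffixes need no list.
        if any(is_dga_like(lbl) for lbl in host.lower().split(".")[:-1]):
            reasons.append("dga-like hostname")
        if OUTDATED_JAVA_UA.search(user_agent):
            reasons.append("outdated Java runtime user-agent")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


def clients_with_outdated_java(findings):
    """Clients to patch: anything that sent a pre-Java-7 runtime User-Agent."""
    return sorted({f["client"] for f in findings
                   if "outdated Java runtime user-agent" in f["reasons"]})


def dga_candidate_hosts(findings):
    """Hostnames worth a passive-DNS or sinkhole check."""
    return sorted(f["host"] for f in findings if "dga-like hostname" in f["reasons"])


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for finding in results:
        print(finding["client"], finding["host"], ", ".join(finding["reasons"]))
    print("patch Java on:", clients_with_outdated_java(results))
    print("investigate:", dga_candidate_hosts(results))
```

The two signals are deliberately independent: a Java 6 User-Agent on its own is an inventory finding (patch the client), while a DGA-like hostname on its own is a hunting lead. A client that trips both, as 10.0.0.7 does in the sample, is the one to pull for forensics first. The lexical heuristic is crude and will misfire on some legitimate names (brand names with few vowels), so treat its output as a triage queue, not a block list.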

“The large number of potential rendezvous points with randomised names makes it extremely difficult for investigators and law enforcement agencies to identify and ‘take down’ the CnC [command and control] infrastructure,” said Mannon. “Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/caphaw_banking_trojan/

Hardbitten NYC cops: Sir, I’m gonna need you to, er, upgrade to iOS 7


The New York Police Department’s motto, Fidelis Ad Mortem – or “faithful unto death” – could easily pass as the utterance of a fanboi pleading lifelong allegiance to the late Steve Jobs.

And it would seem that New Yorkers also keep faith with the Jesus phone – judging by the police force’s latest crime-prevention campaign, which directly targeted them. Officers hit the streets over the weekend to hand out leaflets calling on iPhone owners to download iOS 7, which comes with beefed-up security measures.


The pamphlets say “Attention Apple users” and point out that iOS 7 “brings added security to your devices”. Cops said the iOS update was “avaialble” [sic] right now. Let’s hope the cops are better at chasing down perps than they are at spelling.

Twitter user Michael Hoffman posted a picture of the leaflet along with the tweet:

Apple’s updated mobile OS features an improved version of Find My iPhone, which makes it impossible for anyone to switch it off without an Apple ID and password, as well as Activation Lock, which requires an Apple ID and password to be entered before a user can perform a remote wipe or reactivate the phone.

The iPhone 5S also features a fingerprint sensor, although this has already been hacked. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/nypd_wants_new_yorkers_to_download_ios_7/