STE WILLIAMS

Supercomputer hacker coughs to flogging DoE logins to FBI agent


The US hacker caught after trying to sell Department of Energy supercomputer logins to an undercover FBI agent has pleaded guilty in a deal that could see him go to jail for up to 18 months.

The 24-year-old hacker, Pennsylvania man Andrew James Miller, pleaded guilty to charges of conspiracy and computer fraud to cut his potential sentence down from 15 years in prison.


According to court filings, Miller said he had accessed a number of corporate and government systems, including ones at American Express and Google, by hacking employee computers and stealing their logins.

He started out peddling lists of usernames and passwords to the undercover agent for payments of between $500 and $1,000 and then tried to get $50,000 for access to a supercomputer at the DoE’s National Energy Research Scientific Computing Center, according to court transcripts.

Miller, whose handle was “Green”, was part of the hacker group Underground Intelligence Agency (UIA). According to the unsealed indictment, he was set up with the undercover Fed after the FBI turned fellow member Robert “Intel” Burns into a witness in 2010.

Following his jail time, Miller will be on supervised release for three years and is also required to pay a fine and restitution to victims, which has yet to be calculated by the court. His sentencing is scheduled for 19 November. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/28/hacker_plea_deal/

New York Times, Twitter domain hijackers ‘came in through front door’


Updated: Hacktivist collective the Syrian Electronic Army (SEA) – or someone using its name – has claimed responsibility for hijacking the Twitter.co.uk, NYTimes.com and HuffingtonPost.co.uk web addresses.

At the time of writing, many of the domain names the SEA claimed to have seized were back under their owners’ control. In some cases, only the contact details for the domains were altered.

However, the records for nytimes.com and Twitter.co.uk pointed to addresses of nameservers operated by the SEA: effectively allowing the miscreants to redirect tweeters and NYT online readers to any site of the hackers’ choosing.

The internet’s domain name system (DNS) works by converting human-readable addresses, such as www.theregister.co.uk, into network IP addresses that computers use to talk to each other. By altering the DNS records, attackers can cause havoc by ushering potentially sensitive web traffic to malicious systems (which is why using HTTPS is important).

Below are the hijacked DNS records for nytimes.com and twitter.co.uk last night:

[Images: NY Times domain record; Twitter domain record]

The attack actually hit an Australian domain registrar of which both Twitter and the Times were clients: Melbourne IT.

The New York Times attributed an outage last night to malicious activity; its workaround made it clear that a domain redirect was the problem since it pointed readers at its IP address to get directly to its site, sidestepping the domain-name system.

[Image: Syrian Electronic Army threat tweet]

Twitter users were quick to blame the problems on domain-name registrar MelbourneIT, which is common to many of the hijacked domains. HD Moore of Metasploit Framework fame told Mashable that “if the attackers have found a weakness in the MelbourneIT system”, then other domains would also be at risk.

The New York Times also attributed the attack to MelbourneIT:

“The New York Times website was unavailable to readers on Tuesday afternoon following an attack on the company’s domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive emails”, it has told employees.

The Register has tried to contact MelbourneIT, so far without success. ®

Updated to add

While MelbourneIT has yet to return calls from Vulture South, it has apparently told Business Insider a reseller was responsible for the hijack blunder.

Theo Hnarakis, chief executive of the web hosting biz, told Australian Broadcasting Corp radio today that hackers had modified the New York Times’ domain using a partner’s username and password.

“They came in through the front door,” AP reported Hnarakis as saying. “If you’ve got a valid user name and password … the assumption from our systems is that you are the authorised owner and user of that domain name.”

Its statement is below.

The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems.

The DNS records of several domain names on that reseller account were changed – including nytimes.com.

Once Melbourne IT was notified, we:

  • changed the affected DNS records back to their previous values
  • locked the affected records from any further changes at the .com domain name registry
  • changed the reseller credentials so no further changes can be made

We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.

We will also review additional layers of security that we can add to our reseller accounts.

For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected.

The Register will post further updates as required. There are more technical details about last night’s DNS hijack over on the CloudFlare blog. ®
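One defensive check that the hijack described above and Melbourne IT’s registry-lock advice suggest is to monitor a domain’s NS records against an owner-maintained allowlist and to verify that registry-level EPP locks are actually set. This is an added example, not code from Melbourne IT, The Register or the affected sites; the domain and nameserver names are constructed, and the inputs stand in for values you would read from DNS and from your registrar’s RDAP/WHOIS status output.

```python
"""Added example: flag nameserver drift and missing registry locks.

All domain names below are constructed (.test / .invalid); the EPP status
codes are the real ones a registry lock sets on a .com name.
"""
from dataclasses import dataclass

# Registry-side (server*) locks; the weaker client* locks can be cleared by
# anyone holding valid registrar/reseller credentials, which is exactly the
# path used in the Melbourne IT incident.
REGISTRY_LOCK_STATUSES = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}


@dataclass
class DomainCheck:
    domain: str
    expected_ns: set   # owner's allowlist of nameservers
    observed_ns: set   # NS RRset as currently published
    statuses: set      # EPP status codes reported for the name


def _normalise(names):
    """DNS names compare case-insensitively and with or without the root dot."""
    return {n.lower().rstrip(".") for n in names}


def ns_drift(expected, observed):
    """Return (unexpected nameservers, allowlisted nameservers that vanished)."""
    exp, obs = _normalise(expected), _normalise(observed)
    return sorted(obs - exp), sorted(exp - obs)


def missing_locks(statuses):
    """Registry locks that should be present on a mission-critical name but are not."""
    return sorted(REGISTRY_LOCK_STATUSES - set(statuses))


def assess(check):
    """Produce human-readable findings; an empty list means nothing to report."""
    findings = []
    unexpected, vanished = ns_drift(check.expected_ns, check.observed_ns)
    if unexpected:
        findings.append(f"{check.domain}: NS hijack suspected, unexpected nameservers {unexpected}")
    if vanished:
        findings.append(f"{check.domain}: allowlisted nameservers no longer published {vanished}")
    locks = missing_locks(check.statuses)
    if locks:
        findings.append(f"{check.domain}: registry lock incomplete, missing {locks}")
    return findings


# Constructed sample input: one name whose NS records were swapped and which
# only carried a registrar-side lock, and one fully locked name left untouched.
HIJACKED = DomainCheck(
    domain="news-site.test",
    expected_ns={"ns1.news-site.test", "ns2.news-site.test"},
    observed_ns={"ns1.attacker.invalid.", "NS2.attacker.invalid"},
    statuses={"clientTransferProhibited"},
)
LOCKED = DomainCheck(
    domain="locked-site.test",
    expected_ns={"ns1.locked-site.test", "ns2.locked-site.test"},
    observed_ns={"ns2.locked-site.test.", "NS1.locked-site.test"},
    statuses=REGISTRY_LOCK_STATUSES | {"clientTransferProhibited"},
)

if __name__ == "__main__":
    for check in (HIJACKED, LOCKED):
        for line in assess(check) or [f"{check.domain}: ok"]:
            print(line)
```

Run periodically against live DNS and RDAP data, the same comparison would catch a registrar-side change within one polling interval rather than when readers notice an outage.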


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/

IBM lands spook data-sharing standard at Oz airports


The Australian Customs and Border Protection Service (ACBPS) has gone live with IBM-delivered passenger analytics which it says will help identify risky passengers before they enter Australia.

In a rather coy canned statement, Big Blue says the system will check Passenger Name Records (PNRs) against “other relevant material” to provide an on-the-spot risk assessment of individual arrivals. With around 30 million airline passenger arrivals annually, speeding up arrival assessments is a priority for the ACBPS.

“The solution eliminates the manual and time consuming process of pulling data from multiple host systems on an ‘as required’ basis. Now ACBPS officials receive real-time data for all departures and arrivals, allowing them to more quickly and accurately zero in on potentially high risk passengers”, IBM claims.

The new system also brings ACBPS in line with the new global PNRGOV standard, used as the basis of information sharing between governments and airlines. While PNRGOV is a global standard, Australia is only the second country behind Canada to get its implementation live.

IBM emphasises that the system is compliant with Australia’s Privacy Act, as well as the Customs Act and “provisions of the European Union-Australia PNR Agreement”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/28/ibm_gives_oz_customs_real_time_passenger_checks/

Tesla cars ‘hackable’ says Dell engineer


Slack authentication in Tesla’s Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks, according to a Dell engineer and Tesla owner.

In this post over at O’Reilly, Dell senior distinguished engineer and executive director of cloud computing George Reese says the “flawed” authentication protocol in the Tesla REST API “makes no sense”. Rather than using OAuth, Tesla has decided to craft its own authentication, which Reese unpicked.


There’s one small reassurance for owners of the ‘leccy car: none of the vulnerabilities he discusses cause any kind of safety issue – although he creepily notes that an attacker would be able to see everywhere the car goes.

Tesla, it turns out, has broken one of the golden rules of security – the one that says “don’t re-use user IDs and passwords for different functions”. In this case, the e-mail and password used to build the car at the Tesla Website are retained later for customers logging into the car via the Website.

There’s also a persistence issue: when a user logs into the Tesla Website to get to their car, it creates a three-month token for which there’s no revocation mechanism. If the system is compromised, the attacker would have access to the login for three months, and if “an attacker gains access to a website’s database of authenticated tokens,” then all the cars would be visible to the attacker.

While the flaw doesn’t offer access to any “operational” aspects of the car – like steering or brakes – the risks are still significant. An attacker could fool around with configuration settings, the climate control, the sunroof, open the charge port, and anything else supported by the API. Apart from tracking owners’ movements, “there is enough here to do some economic damage both in terms of excess electrical usage and forcing excess wear on the batteries”, Reese notes.

Reese links to an unofficial documentation of the API, which outlines its capabilities, here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/tesla_cars_hackable_says_dell_engineer/

Twitter, NY Times in domain hijack


Cracker collective the Syrian Electronic Army – or someone using its name – has claimed responsibility for domain-hijacking Twitter.co.uk, nytimes.com and huffingtonpost.co.uk.

At the time of writing, many of the domains the SEA claimed to have hijacked were back under their owners’ control. In some cases, only the contact records for domains were altered. However, nytimes.com currently returns the SEA as its nameserver.

[Images: NY Times domain record; NYT domain record]

The New York Times has attributed an outage last Tuesday to malicious activity, and while it didn’t nominate the SEA, its workaround made it clear that a domain redirect was the problem, since it pointed readers at its IP address to get to its site.

So far, the SEA’s threat against the Huffington Post doesn’t seem to have eventuated.

Twitter users are attributing the problems to registrar MelbourneIT, which is common to many of the hijacked domains. HD Moore of Metasploit Framework fame has told Mashable that “if the attackers have found a weakness in the MelbourneIT system”, then other domains would also be at risk.

The New York Times also attributes the attack to MelbourneIT:

“The New York Times Web site was unavailable to readers on Tuesday afternoon following an attack on the company’s domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive e-mails”, it has told employees.

The Register has tried to contact MelbourneIT, so far without success. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/

ISPs scramble to explain mouse-sniffing tool


Sky Broadband has been caught using JavaScript to track every click and shuffle on its support pages, but it’s not alone: other ISPs have also admitted recording every frustrated wobble of the mouse on their support pages.

Readers at ISP Review spotted Sky using a JavaScript tool called SessionCam to record rodent tracks on its support pages, but the Murdoch-owned telly company said it doesn’t think it’s doing anything wrong, while BT also happily told ISP Review that it does the same thing with a similar product called ClickTale.


Sky told the website that data stored by SessionCam is “transferred to a secure environment using SSL encryption and secured using numerous levels of control at an application, data and infrastructure level”.

ISP Review is, of course, only concerned with ISPs, but the practice of logging one’s activity within a website is far from limited to that industry. For example, Crazy Egg – an outfit which promises “The Astonishing Power of Eye Tracking Technology… Without the High Costs” – counts eBay, Amazon and Dell, among others, in its customer list.

Crazy Egg produces heat maps showing where mice hang out, how far down the page visitors scroll and which bits they spend longest reading. It’s not perfect – it can’t tell if you’ve paused to read some text or were interrupted by a human visitor – but it can give a general impression to aid page design.

This is nothing new. Some shopping centres track visitors (as groups) to establish their browsing habits. Companies such as Path Intelligence track every mobile phone in a shopping centre (anonymously, as they have no access to, or – so they say – interest in customers’ details) to see how long a window display grabs one’s attention or the order in which shops are visited.

Websites have always taken a huge interest in users’ behaviour, and gained from the ability to record every click, but is recording every mouse-shuffle a step too far?

Those using the technology don’t think so, and while the dancing of a mouse pointer might not seem important, the ability to track one’s eyes (to see which advert is being viewed) is already available and slipping into mainstream products. Perhaps we should be working out how much we’re prepared to share before we start sharing it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/isps_scramble_to_explain_away_mousesniffing/

Poison Ivy RAT becoming the AK-47 of cyber-espionage attacks


The Poison Ivy Remote Access Tool (RAT) – often considered a tool for novice “script kiddies” – has become a ubiquitous feature of cyber-espionage campaigns, according to experts.

Research by malware protection firm FireEye has revealed that the tool served as the lynchpin of many sophisticated cyber attacks, including the compromise of RSA SecurID data in 2011 and the “Nitro” assault against chemical makers, government offices, defence firms and human-rights groups last year.


A Peeping Tom webcam sextortionist has been jailed for six years in the US after targeting several young women in attacks that relied on a modified version of Poison Ivy, an incident which shows that the tool has malign uses beyond cyber-espionage.

Poison Ivy remains popular and effective eight years after its original release. FireEye has compiled a list of nation state-type attackers making use of the utility. These include a group called admin@338, which specialises in attacks targeting the financial services industry; th3bug, who have been hammering universities and healthcare facilities since 2009, and menuPass, a group that has run cyberespionage attacks against defence contractors over the last four years.

Poison Ivy is the preferred RAT of several threat actors located in China. Over recent months other attackers elsewhere in the world have begun adopting the same methodology.

A campaign by a Middle East hacking group called “Molerats” (AKA Gaza Hackers Team) switched during June and July to using Poison Ivy to attack Israeli government targets. The latest malware was signed with a fake Microsoft certificate, similar to earlier attacks using the XtremeRat trojan.

FireEye has also intercepted Egyptian- and Middle Eastern-themed attacks using decoy content in Arabic whose targets remain uncertain but may include targets in the Palestinian authority.

“The cyber attacks against Israeli and Palestinian targets that were first documented last year are ongoing,” FireEye concludes. “The attackers, which we have called ‘Molerats’, have also targeted government entities in the UK and in the US. In addition to using XtremeRAT, which is popular among Middle Eastern attackers, we have found that Molerats have adopted the use of Poison Ivy RAT, which is traditionally favoured by Chinese attackers.”

“We do not know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another, effective, publicly-available RAT to their arsenal. However, this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge,” it adds.

More details on the Molerats’ cyber-espionage campaign can be found in a blog post, featuring diagrams, screen shots and charts, and put together by three FireEye researchers (Nart Villeneuve, Ned Moran and Thoufique Haq) here.

“You can download the default version of Poison Ivy from poisonivy-rat.com,” explained FireEye’s Ned Moran. “However, each of these groups are using a custom version of Poison Ivy. We do not believe these specific custom versions are available for sale.”

RATs such as Poison Ivy require little technical savvy while offering unfettered access to compromised machines, hence their use by even well-resourced professional cyber-ninja types. They can be considered the easy-to-use front end of attacks that may be quite sophisticated when viewed as a whole.

“They [RATs] are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering,” explained Darien Kindlund, manager of threat intelligence at FireEye in a blog post. “Attackers can point and click their way through the target’s network to steal data and intellectual property,” using tools such as Poison Ivy, he added.

FireEye released a white paper on its research into the hacker tool along with Calamine, a set of free tools to help organisations detect possible Poison Ivy infections. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/poison_ivy_rat_apt/

Cryptome suffers brief take-down over Japanese ‘terror’ files


Longstanding whistleblower site Cryptome.org is back online after a brief takedown, sparked by its hosting of a list of alleged Japanese terrorists.

The takedown by host Network Solutions came as a result of a complaint signed Sima Jiro, who complained that the 114 documents in a file identified as jp-terrorist-files.zip contained “lots of personal information, such as names, DOBs, family structures, workplaces, phone numbers. And also containing lots of documents which are probably classified or confidential”.


The complainant also hoped not to be identified to Cryptome: “I sincerely ask you to refrain from sending my request forward to your customer or administrator of “Cryptome” or the uploader of the ZIP file.”

Network Solutions initially complied with the request. However – presumably following some discussion between John Young and Network Solutions – it has now been restored.

Young is no stranger to takedowns. His site, an anonymous drop-box for whistleblowers which documents both corporate and government shenanigans, has been variously attacked with notices from Microsoft (taken down and then restored), Yahoo! (taken down and restored), and PayPal (banned then unbanned).

In 2010, Young famously described Wikileaks’ Julian Assange as a “narcissistic individual” who is willing to “sacrifice Bradley Manning* and anyone else to advance their own interests” (*now Chelsea Manning).

The correspondence over the latest takedown is here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/26/cryptome_suffers_brief_takedown_over_japanese_terror_files/

Wall Street traders charged with stealing company code via email


Three men have been charged with pilfering trade secrets from a Wall Street firm after two of them emailed themselves computer code belonging to their former employer from their company email accounts.

Glen Cressman and Jason Vuu, both former employees of Wall Street firm Flow Traders, were each charged with unlawful duplication of computer related material and unauthorized use of secret scientific material after making off with sensitive documents, the Wall Street Journal reports.


The 26-year-old Vuu was charged with 20 counts of each offense, having emailed himself various materials related to Flow Traders’ trading strategies and valuation algorithms over the period from August 2011 to August 2012.

According to Bloomberg, Vuu was aware that he was doing something illicit, because he would sometimes change the file formats of email attachments in an attempt to conceal what it was that he was sending himself.

Vuu, who currently lives in California, allegedly shared the purloined code with a college friend, one Simon Lu of Pittsburgh, Pennsylvania, with the aim of starting a new trading company together. Lu has been charged with three counts each of the same offenses as Vuu.

But although Vuu’s lawyer, Jeremy Saland, admits that Vuu did email himself sensitive code without authorization, he maintains that no real damage was done.

“I’m confident that when the DA’s office has completed their investigation they will find Flow Traders did not suffer any economic loss,” Saland told Bloomberg. “Their algorithms and code weren’t taken or used in any malicious way that damaged or compromised their financial security.”

Meanwhile, Cressman has been charged with two counts each of the same offenses as Vuu, although unlike Vuu, the complaint does not allege that he emailed the material as part of a plan to start up his own firm.

“Glen Cressman is innocent,” the 26-year-old’s attorney told Bloomberg. “He was a great employee for Flow Traders. I am confident that when everything is put on the table, the case against him will completely unravel.”

If convicted of these fairly minor offenses, each of the three men could face a maximum of four years in prison, but experts say it is likely that they wouldn’t have to serve any prison time at all.

The men are next due in court on November 18, when prosecutors will seek a grand jury indictment that would see the case proceed to trial. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/27/wall_street_secrets_stolen_via_email/

Chinese authorities say massive DDoS attack took down .cn domain


The China Internet Network Information Center (CINIC) has reported that on Sunday it suffered the largest DDoS attack it has ever experienced against the .cn domain, an assault that took ten hours to beat back.

In a statement, the CINIC said that attacks began around midnight on Sunday, China time, and intensified a few hours later. There was another surge in denial traffic at 4am, but this abated and almost all .cn sites were clear of issues by 10am on Sunday morning local time, the government agency said.


According to Matthew Prince, CEO of web apps and monitoring firm CloudFlare, sites on the .cn domain saw a 32 per cent degradation in traffic during the attack, which peaked at around 6am UTC.

At first it was thought this was a technical error on the part of the hosting firm, rather than an attack, he told The Register, but the CINIC statement shows that someone out there is flexing their muscles.

“The attackers showed they were capable of knocking the .cn infrastructure offline but that doesn’t mean that they could knock .com infrastructure offline – but it may,” he said.

Prince explained that it’s difficult to know the full extent of the attack because that depends on what kind of infrastructure China has devoted to the maintenance of its .cn domain. This doesn’t just come down to the number of servers involved, but how they are set up and operated, he said.

“Fundamentally in a denial of service attack there’s some bottleneck that the attacker is able to fill with bad traffic, preventing the good traffic from getting through,” he said.

The CINIC has pledged a full review of the incident and said it will be working with the Chinese Ministry of Industry and Information Technology to harden its systems against further assaults, and it apologized to internet users for the issues.

As well as having the largest online population, China also produces more attack code for denial of service attacks than any other country, according to the latest data from Akamai. “I can’t help but see irony in all the news reports,” Bill Brenner, program manager at Akamai, said, although the report did note that China has made significant inroads into cutting dodgy traffic on its networks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/26/chinese_authorities_says_massive_ddos_attack_took_down_cn_domain/