STE WILLIAMS

Been hacked? Don’t dial 999: The plods are too dense, sniffs sec bigwig


Police are powerless to stop super-smart criminals from hacking the world’s biggest companies, a top-ranking security bod has warned.

Juniper Networks’ security chief said there was simply no longer any point in calling the police when hackers and DDoSers came to call, because the cops can’t do anything. He wants to see a world where big firms share information about attackers and stop them before any damage can be done.

Henrik Davidson, the firm’s director of security, said: “The problem is too big for the authorities to handle, playing into the hands of the cyber criminals. Additionally there are complications with the global complexity that hacking presents. Who is responsible if a hacker based in Asia attacks a European company? We’ve simply reached a stage where the IT security industry needs to be able to protect itself.”

Davidson made the comments while telling El Reg about Juniper’s new “next generation data centre security” system, which now incorporates anti-DDoS defences. We visited Juniper’s Dutch testing lab, where the firm shows off its latest data centre and networking technology.

Amsterdam is, of course, famous for two things – and neither were on offer at Juniper Networks’ Dutch outpost. Instead the big data shifting bods wanted to show off their sexy racks, although not in the way that most visitors to the city would understand.

Money is not discussed in the Juniper Proof of Concept lab, where customers – and the nerdier type of journalist – come to coo over various bits of data centre gubbins. Which is just as well, because with prices stretching into the tens of thousands of euros, this is not a place for the casual shopper.

Juniper told us its new data centre security system offers a four-pronged approach to repelling hackers and DDoS assaults.

The system allows companies to collect the “fingerprints” of individual attackers, building up a picture of each attacking device from 200 characteristics, including browser settings, time zone and even installed fonts. That allows individual devices to be blocked, which is more robust than simple IP blocking: an attacker can change IP address in seconds, but the rest of the profile travels with the device.

The newest part of this system is called DDoS Secure, which Juniper claims is capable not only of repelling traditional large-scale DDoS attacks but also the newer “low and slow” attacks, which tie up server resources with a trickle of slow, small-scale traffic that stays beneath the thresholds volumetric defences watch for.

DDoS Secure monitors incoming and outgoing traffic, learning which IP addresses and devices can be trusted, and blocks a user whose activity departs from that learned baseline.

Whenever a threat is identified at one port or other exposed point, its details are immediately pushed to the other access points so that the attacker is repelled everywhere, not just where it was first seen.
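A detector for the “low and slow” pattern described above, as an added example: this is not Juniper’s product code and not from the original article. It runs over a constructed snapshot of open connections, and the thresholds (30 s minimum age, 20 bytes per second, eight stalled connections per source, half the worker pool) are illustrative assumptions. The point it makes is the one the article only states: a bandwidth rule sees nothing, because each attacking host sends a few bytes per second, while counting long-lived connections that never complete a request exposes them at once.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One open server-side connection, as a connection table or load balancer would report it."""
    src_ip: str
    age_s: float            # seconds since the TCP accept
    bytes_in: int           # request bytes received so far
    request_complete: bool  # has the server seen the end of the request (headers and body)?


def is_stalled(c: Conn, min_age_s: float = 30.0, max_rate_bps: float = 20.0) -> bool:
    """Long-lived, trickle-fed and never finished: the shape of a slow-header or slow-body connection."""
    return c.age_s >= min_age_s and not c.request_complete and c.bytes_in / c.age_s <= max_rate_bps


def volumetric_offenders(conns, bps_threshold: float = 1_000_000.0) -> set:
    """What a bandwidth rule sees: sources whose aggregate inbound rate crosses a bytes-per-second threshold."""
    rate = Counter()
    for c in conns:
        rate[c.src_ip] += c.bytes_in / max(c.age_s, 1.0)
    return {ip for ip, bps in rate.items() if bps >= bps_threshold}


def slow_offenders(conns, per_ip_limit: int = 8, pool_size: int = 256, pool_share: float = 0.5) -> dict:
    """Sources holding many stalled connections, reported only once stalls tie up a real share of the worker pool.

    The pool-share gate stops one slow mobile client on a bad link from being treated as an attack.
    """
    stalled = Counter(c.src_ip for c in conns if is_stalled(c))
    if sum(stalled.values()) < pool_share * pool_size:
        return {}
    return {ip: n for ip, n in stalled.items() if n >= per_ip_limit}


def sample_connections() -> list:
    """Constructed snapshot (not real traffic): 20 attacking hosts each holding ten stalled
    connections, one busy but honest client, and one genuinely slow client."""
    conns = []
    for host in range(1, 21):
        ip = f"203.0.113.{host}"
        conns += [Conn(ip, age_s=120.0, bytes_in=60, request_complete=False) for _ in range(10)]
    conns += [Conn("198.51.100.5", age_s=0.4, bytes_in=900, request_complete=True) for _ in range(12)]
    conns.append(Conn("198.51.100.6", age_s=45.0, bytes_in=12, request_complete=False))
    return conns


if __name__ == "__main__":
    snapshot = sample_connections()
    print("volumetric rule flags:", volumetric_offenders(snapshot))   # nothing: half a byte per second per connection
    print("slow-connection rule flags:", slow_offenders(snapshot))     # the twenty 203.0.113.x hosts, ten stalls each
```

The honest slow client on 198.51.100.6 is counted as stalled but never reported, because it holds a single connection; the attack is visible only in aggregate, which is why the check works on the connection table rather than on individual packets.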

Juniper claimed its “Active Defence” system does not merely fend off attacks as they arrive, but identifies the attackers beforehand and stops them.

Davidson added: “Active Defence allows you to identify the bad guys before they attack. If you know who the bad guys are, and where they are coming from, you can make life difficult for your attackers if they try and break your defences.

“Attackers can be identified by a deception point, of which there are thousands. This allows you to identify the characteristics of their device, what fonts they use, what patches they have installed and their IP address, among others. With that you can push a digital fingerprint to the cloud and share the details with partners and other vendors to ensure that more organisations do not face the same threat.”
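The device-fingerprint sharing Davidson describes, reduced to a small added example that is not Juniper’s code and not from the original article. The attribute list, the deception-point observation and the two return visits are constructed, and the set of “stable” attributes and the 0.8 fuzzy-match threshold are assumptions. It shows why the approach beats IP blocking: the returning attacker has changed IP address, so the IP list misses him, but the device fingerprint still matches exactly, and a near-match still catches the same device after its font list has drifted by one entry.

```python
import hashlib
import json

# Attributes treated as stable device characteristics (the page names browser settings,
# time zone and fonts). The client IP is deliberately excluded: it is the one thing an
# attacker changes most easily.
STABLE_KEYS = ("user_agent", "accept_language", "timezone", "screen", "platform", "fonts")


def fingerprint(observation: dict) -> str:
    """SHA-256 over the canonical JSON of the stable attributes only."""
    stable = {k: observation.get(k) for k in STABLE_KEYS}
    canon = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def similarity(a: dict, b: dict) -> float:
    """Fraction of stable attributes that agree; the font list is scored by Jaccard overlap."""
    score = 0.0
    for k in STABLE_KEYS:
        if k == "fonts":
            fa, fb = set(a.get(k, ())), set(b.get(k, ()))
            score += len(fa & fb) / len(fa | fb) if (fa | fb) else 1.0
        elif a.get(k) == b.get(k):
            score += 1.0
    return score / len(STABLE_KEYS)


class SharedBlocklist:
    """Fingerprints published by deception points and consumed by every edge that subscribes."""

    def __init__(self, fuzzy_threshold: float = 0.8):
        self.threshold = fuzzy_threshold
        self.devices = {}   # fingerprint hash -> stable attributes
        self.ips = set()

    def publish(self, observation: dict) -> str:
        fp = fingerprint(observation)
        self.devices[fp] = {k: observation.get(k) for k in STABLE_KEYS}
        self.ips.add(observation["ip"])
        return fp

    def ip_blocked(self, observation: dict) -> bool:
        """Plain IP blocking, for comparison."""
        return observation["ip"] in self.ips

    def device_blocked(self, observation: dict) -> tuple:
        """(blocked, score): exact hash hit, or a fuzzy hit when most stable attributes still agree."""
        if fingerprint(observation) in self.devices:
            return True, 1.0
        best = max((similarity(observation, known) for known in self.devices.values()), default=0.0)
        return best >= self.threshold, best


# Constructed observations (not real traffic): a hit on a deception point, then two return visits.
HONEYPOT_HIT = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0",
    "accept_language": "ru-RU,ru;q=0.8",
    "timezone": "UTC+04:00",
    "screen": "1366x768",
    "platform": "Win32",
    "fonts": ("Arial", "Tahoma", "Verdana", "Consolas", "Segoe UI"),
}
RETURN_VISIT = dict(HONEYPOT_HIT, ip="198.51.100.9")                                  # same device, new IP
RETURN_VISIT_DRIFT = dict(RETURN_VISIT, fonts=HONEYPOT_HIT["fonts"] + ("Calibri",))  # plus one new font

if __name__ == "__main__":
    blocklist = SharedBlocklist()
    blocklist.publish(HONEYPOT_HIT)
    print("IP rule catches return visit:", blocklist.ip_blocked(RETURN_VISIT))          # False
    print("device rule catches return visit:", blocklist.device_blocked(RETURN_VISIT))  # (True, 1.0)
    print("device rule after font drift:", blocklist.device_blocked(RETURN_VISIT_DRIFT))
```

Keeping the raw stable attributes alongside the hash is what makes the fuzzy match possible; a feed that carries only hashes can answer “same device, unchanged” but not “same device, one font added”.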

According to a Juniper survey of 4,771 IT execs worldwide, 60 per cent said their systems had been attacked in the past 12 months. But the same proportion of execs were unhappy with their current defence systems, including next-generation firewalls and IP blocking.

“For 40 anti-virus systems, there is only a 5% catch rate,” Davidson continued. “According to William Fallon’s book The Cyber-readiness Reality Check the number of organisations under attack is close to 100%. More than a third of cyber security execs at companies with revenues greater than $100 million are unable to see an attack once it finds its way into the perimeter of their system. It’s like leaving your front door wide open when there is a burglar in the neighbourhood.

“Traditional security methods just aren’t passing the test and companies don’t stand a chance as cyber-crime becomes increasingly sophisticated and more frequent.”

Juniper’s bosses stepped down on Wednesday in happy circumstances, with the firm’s profits and sales both up. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/29/hacked_assaulted_by_a_ddoser_dont_call_the_cops/

‘World’s BIGGEST online fraud’: Suspect’s phone had ‘location’ switched on


Two Russians arrested over their suspected involvement in the largest online fraud in US history were tracked down by analysing photos they posted to social media sites and tracking the location of one suspect’s mobile phone, Reuters reports.

Four Russians and a Ukrainian national were named as suspects in an indictment, unsealed on Thursday, describing a credit card hacking scheme that involved 160 million cards and victimised organisations including NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Euronet and Global Payment. The gang allegedly acted as wholesale suppliers of stolen credit card data to carding forums, resulting in losses of more than $300m to just three of the organisations they targeted.

Two of the suspects – alleged moneyman Dmitriy Smilianets, 29, and alleged hacker Vladimir Drinkman, 32, both from Moscow – were arrested in the Netherlands in June 2012. Smilianets has already been extradited to the US while Drinkman continues to fight extradition. Three other suspects remain at large.

Alexandr Kalinin, 26, of St. Petersburg, allegedly worked with Drinkman in breaking into the systems of targeted organisations, normally by way of SQL injection attacks. Once inside, the gang planted trojans to harvest credit card numbers and personal information from the compromised systems and extract them.
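The SQL injection step, as an added example that is neither the gang’s code nor from the original article: a customer-lookup query built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table standing in for a payment processor’s database. The table, its contents and the function names are assumptions. The first payload turns a lookup of one account into a dump of every row; the second uses UNION to read the schema, the reconnaissance that precedes planting anything further in the environment. The same inputs against the parameterised query return nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a processor's customer table (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "9876"), ("carol@example.com", "5555")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text, so quotes in it become syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_parameterised(db: sqlite3.Connection, email: str) -> list:
    """Hardened: the driver binds the value separately, so it can never be parsed as SQL."""
    return db.execute("SELECT email, card_last4 FROM customers WHERE email = ?", (email,)).fetchall()


# Two classic payloads. The closing quote of the original query is either absorbed by the
# OR clause or commented out with "--".
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice@example.com"))   # one row, as intended
    print(lookup_vulnerable(db, DUMP_ALL))               # every row
    print(lookup_vulnerable(db, READ_SCHEMA))            # the CREATE TABLE statement
    print(lookup_parameterised(db, DUMP_ALL))            # []
```

The UNION payload works because the injected SELECT returns the same number of columns as the original; an attacker who does not yet know that count simply adjusts the payload until the database stops complaining, which is why this class of bug is fixed at the query-construction layer rather than by filtering inputs.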

Investigators reckon Drinkman and Kalinin worked with double-dealing cybercrime kingpin Albert Gonzalez on the notorious hack of Heartland Payment Systems, disclosed in 2009.

The indictment alleged that Roman Kotov, 32, also from Moscow, specialised in mining the networks allegedly compromised by Drinkman and Kalinin to steal valuable data. Smilianets allegedly acted as a high-tech fence by selling stolen credit details through underground forums. The fifth suspect, Mikhail Rytikov, 26, of Odessa, Ukraine, provided bulletproof hosting services to the gang, the indictment claims.

Smilianets kept a relatively high profile in Russia and an active presence on social networking sites, which was how investigators tracked him down.

Reuters reports Smilianets founded an electronic gaming team called Moscow 5 that travelled the world for competitions. In this role, Smilianets used a variety of online nicknames including Dima Brave and Dima Bold.

US Secret Service agents received information that Smilianets was travelling to Europe last year along with Drinkman. Investigators quickly realised that Drinkman was one of several people suspected of collaborating with Gonzalez.

“Here’s the world’s biggest hacker,” a person familiar with the case told Reuters. “We got lucky.”

The agents still didn’t know where the two suspects were staying, but Drinkman assisted them by posting pictures of his trip and by leaving his phone on, which transmitted location information and narrowed down the places where he might have been staying. Overnight inquiries were made at the hotels and the suspects’ location was pinned down. The pair were eventually arrested as they boarded a… tour bus.

Reuters adds that US authorities have acted unusually by publicly naming suspects at large in an ongoing investigation. This may be a sign of frustration at a lack of co-operation from their Russian counterparts. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/29/how_russian_megahack_suspects_got_tracked/

British boffin muzzled after cracking car codes


Here is a tale of two security research presentations, both looking at motor vehicle security in a world in which even the humblest shopping trolley now has more brainpower than a moonshot.

Flavio Garcia, a University of Birmingham lecturer familiar with insecurity in car systems – he co-authored a 2012 paper on the subject with Roel Verdult and Josep Balasch, for example – has been blocked from presenting to Usenix 2013, thanks to a High Court injunction requested by Volkswagen.

Volkswagen took exception to Garcia’s intended presentation to the long-running and respected conference, entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer. As The Telegraph in the UK reports, Mr Justice Birss in the High Court decided that publication of the paper would mean “car crime will be facilitated”.

Megamos Crypto is the cipher used in the RFID immobiliser transponders fitted by a number of vehicle makers. VW asked Garcia to publish a redacted version of the paper, which he declined to do.

Garcia’s treatment is in stark contrast to the laurels being heaped on America’s Charlie Miller and Chris Valasek ahead of the upcoming Black Hat conference in Las Vegas. Their demonstration of how to interfere with on-board computers was accepted at the Vegas con after being turned down by DefCon.

Miller and Valasek connect a laptop to the diagnostic ports of a Prius and a Ford Escape, which puts it straight onto the vehicles’ internal CAN bus, and from there show that the laptop can issue instructions to the vehicles’ ECUs (electronic control units) governing steering, acceleration, braking and the horn.
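What actually travels through that diagnostic port, as an added example that is neither Miller and Valasek’s code nor from the original article. The frame layout is the Linux SocketCAN `struct can_frame` (identifier and flags, length, three padding bytes, eight data bytes), and the 11-bit identifiers 0x7DF and 0x7E0 to 0x7E7 are the standard OBD-II diagnostic request addresses; the identifier 0x2E4 on the rejected frame is a made-up example, not a real Prius or Escape address. There is no sender field anywhere in the frame, which is why a laptop on the port is obeyed like any ECU. The allow-list gateway is the defensive half a practitioner would want: a diagnostic port needs to carry OBD-II requests, not arbitrary bus traffic.

```python
import struct

# Linux SocketCAN struct can_frame: u32 id+flags, u8 dlc, 3 pad bytes, 8 data bytes.
CAN_FRAME_FMT = "=IB3x8s"
CAN_EFF_FLAG = 0x80000000   # extended (29-bit) identifier
CAN_SFF_MASK = 0x000007FF   # standard 11-bit identifier
CAN_EFF_MASK = 0x1FFFFFFF

# Standard OBD-II request addresses on an 11-bit bus (ISO 15765-4).
OBD_FUNCTIONAL_REQUEST = 0x7DF
OBD_PHYSICAL_REQUESTS = range(0x7E0, 0x7E8)


def pack_frame(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """Serialise one frame. Nothing here identifies the sender: the bus has no such field."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if extended:
        ident = (can_id & CAN_EFF_MASK) | CAN_EFF_FLAG
    elif can_id <= CAN_SFF_MASK:
        ident = can_id
    else:
        raise ValueError("identifier does not fit in 11 bits; use extended=True")
    return struct.pack(CAN_FRAME_FMT, ident, len(data), data.ljust(8, b"\x00"))


def unpack_frame(buf: bytes) -> tuple:
    """Return (can_id, extended, data) from a 16-byte can_frame."""
    raw_id, dlc, data = struct.unpack(CAN_FRAME_FMT, buf)
    extended = bool(raw_id & CAN_EFF_FLAG)
    can_id = raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return can_id, extended, data[:dlc]


def diag_port_allowed(can_id: int, extended: bool) -> bool:
    """Gateway policy for frames entering from the OBD-II connector: 11-bit diagnostic requests only.

    Simplification (assumption): 29-bit OBD addressing is not allow-listed here, so such frames are dropped too.
    """
    return not extended and (can_id == OBD_FUNCTIONAL_REQUEST or can_id in OBD_PHYSICAL_REQUESTS)


def filter_diag_port(frames: list) -> tuple:
    """Split raw frames arriving from the diagnostic port into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for buf in frames:
        can_id, extended, _ = unpack_frame(buf)
        (forwarded if diag_port_allowed(can_id, extended) else dropped).append(buf)
    return forwarded, dropped


# Constructed traffic: a legitimate engine-RPM request (mode 01, PID 0C) and a made-up
# control frame that a laptop on the diagnostic port should never be allowed to inject.
RPM_REQUEST = pack_frame(OBD_FUNCTIONAL_REQUEST, b"\x02\x01\x0c")
HYPOTHETICAL_CONTROL = pack_frame(0x2E4, b"\x01\xff")   # 0x2E4 is an example ID, not a real vehicle's

if __name__ == "__main__":
    forwarded, dropped = filter_diag_port([RPM_REQUEST, HYPOTHETICAL_CONTROL])
    print("forwarded:", [hex(unpack_frame(f)[0]) for f in forwarded])   # ['0x7df']
    print("dropped:", [hex(unpack_frame(f)[0]) for f in dropped])       # ['0x2e4']
```

A real gateway would also rate-limit the diagnostic port and refuse requests while the vehicle is moving, but the identifier allow-list alone already stops the attack shape the researchers demonstrate: a frame addressed directly to a body or chassis controller has no business coming from the OBD-II connector.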

As part of the leadup to Black Hat, snippets of their work are getting previewed left right and centre, without a lawsuit in sight.

Even though the pair promise to release their source code after Black Hat, they have a key advantage over Garcia: America’s First Amendment. The fact that their work was funded by DARPA doesn’t hurt, especially since Miller told the BBC the work involved destroying a few cars. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lords/

Western spooks banned Lenovo PCs after finding back doors


Chinese PC giant Lenovo has been banned from supplying kit for the top secret networks of western intelligence agencies after security concerns emerged when backdoor vulnerabilities were detected, according to a new report.

Unnamed intelligence and defence “sources” in the UK and Australia confirmed to the Australian Financial Review that a written ban was slapped on the firm almost a decade ago in the mid-2000s. The timeframe offered matches Lenovo’s 2005 acquisition of IBM’s PC business.

Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the agencies’ testing, which could have allowed attackers to access devices remotely without the owner’s knowledge.

The ban applies to various agencies in the Five Eyes alliance (UK, US, Canada, New Zealand and Australia) where such rules are normally implemented across the board given the interconnected nature of some of their classified networks, AFR said.

GCHQ, MI5, MI6, the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, and the NSA were all named as participating in the Lenovo ban. However, it only applies to the most highly restricted networks and the Chinese firm remains a significant government IT provider to other government agencies in these countries.

The revelations will be a concern for private businesses, just as last year’s US Congressional report on Huawei and ZTE, which branded those Chinese firms a national security risk, was.

It’s unclear whether the results of the government testing of Lenovo kit were ever shared with the private sector, although Lenovo’s position as the leader of the global PC market would seem to suggest not.

While the company is a global publicly traded business with headquarters in North Carolina as well as Beijing, its biggest shareholder is Legend Holdings, a firm which itself is part-owned by government body the Chinese Academy of Sciences.

There is also widespread suspicion in the West that even non-state owned businesses have close ties with Beijing through the ubiquitous Communist Party committees which operate within them.

Lenovo’s Hong Kong-based PR couldn’t immediately be reached for comment, although a statement sent to AFR said it was unaware of the ban.

It added:

[Our] products have been found time and time again to be reliable and secure by our enterprise and public sector customers and we always ­welcome their engagement to ensure we are meeting their security needs.

The news comes a week after former NSA and CIA chief Michael Hayden argued in an interview with the AFR that Huawei represents an “unambiguous national security threat to the US and Australia”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/

Kiwis rally against ‘snoops’ charter’ law


New Zealanders have mobilised against the country’s “spooks’ charter”, the Government Communications Security Bureau (GCSB) bill that’s been criticised for legitimising formerly-illegal snooping on NZ residents.

Last week, The Register reported that a deal between the country’s minority government and Peter Dunne made it nearly certain that the bill would pass parliament. However, Kiwis are taking exception to the legislation. Over the weekend, protest rallies attracted thousands to 11 locations around the country.

Speaking at the steps of parliament at the Wellington protest, Greens Party co-leader Dr Russel Norman suggested that those attending the rallies could conduct a freedom of information denial-of-service attack on the GCSB. According to the Otago Daily Times, Norman suggested that everyone should file OIA (Official Information Act) requests with the spy agency asking how many people attended the rallies nationwide.

“Maybe if they’re so tied up dealing with 10s of thousands of OIA requests, it might give them less time to go around spying on us with their special powers,” he reportedly said.

The New Zealand Herald reports that more than 2,000 attended the anti-GCSB rally in Auckland, and 500 attended in Wellington.

Prime minister John Key dismissed the protests as small, saying that protesters are either “politically aligned” or “misinformed”.

The controversial legislation was introduced after the arrest of Kim Dotcom and fellow operators of the Megaupload website in 2012 led to the discovery that the GCSB had intercepted his communications. This turned out to be illegal, since at the time Dotcom was a New Zealand resident.

The subsequent investigation revealed that the spy agency had worked with other agencies to spy on New Zealand citizens 88 times since 2003. The proposed laws would legalise the GCSB’s domestic activities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/28/kiwis_rally_against_snoops_charter_law/

UK gov: Brit biz barons, get your privates in check before the spooks arrive


Spooks from GCHQ and MI5 will be given insider access to the UK’s top 350 companies in a bid to reduce any damage caused by hackers wreaking havoc upon Blighty-based businesses.

A letter to the FTSE 350 chairmen – signed by MI5 director general Andrew Parker, GCHQ director Iain Lobban and Universities Minister David Willetts – argues that cyber attacks are causing increasing damage to the UK’s economic well being.

The “Cyber Governance Health Check” is built on the UK government’s existing Cyber Security Strategy, which aims to make the UK one of the best places in the world for e-business, viewed as a key factor in fuelling economic growth.

Company chairmen and chairs of audit committees will be asked to complete a questionnaire to assess the cyber awareness of their businesses.

Firms that agree to participate will be able to review the results of their own efforts against anonymised results from their peers; a move seen as helping big names identify potential flaws in their cyber security procedures. If successful, the voluntary scheme would help to promote best practice across industry as well as setting a benchmark by which individual cyber security programmes might be judged.

The programme, expected to begin in November, aims to push firms towards developing a more comprehensive and better-thought-through risk management strategy. In some ways the scheme resembles the self-assessment audits that smaller retailers are obliged to complete under the credit card industry’s PCI DSS security scheme.

“This seems to be like PCI but with membership of the FTSE 350 as the qualifier,” security blogger and CISO Quentyn Taylor told El Reg.

“Cyber security is vital for your business and for the country as a whole. The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems,” the letter from government and spooks states.

“We very much hope to secure your support for the Cyber Governance Health Check which we believe will be of real benefit both to your company and broader UK interests.”

Malcolm Marshall, global head of information protection and resilience at KPMG, who worked on KPMG’s own research into the cyber vulnerability of the FTSE 350, commented: “The Government’s initiative is an integral part of the fight against cyber crime. By building an understanding of UK plc’s cyber defences, organisations will be in a better position to make the decisions and take the actions necessary to prevent data theft and ensure Britain is not just open, but safe, for business.”

Brian Honan, an experienced infosec consultant, told El Reg that unless the cyber governance health checks are carried out regularly they will have little benefit. He also pointed out that, since the scheme is voluntary, take-up rates remain uncertain.

“On the face of it the proposed scheme may have some merit, however just as in real life a once off health check may not give any long term benefits,” Honan explained. “A point in time health check by your doctor may not necessarily prevent you having a heart attack 12-18 months later if there is not an on-going health regime.”

“Similarly a point in time cyber security health check may give a false impression of security to the board which could prove fatal at a later stage. If there are no on-going checks and subsequent steps to improve security then the exercise may turn out to be a simple tick box exercise for auditors and the board. As a voluntary scheme it will also be interesting to see what level of take up there will be in it, given that many of the FTSE 350 businesses are most likely heavily regulated due to their size and nature,” he added.

The UK government initiative follows a report by management consultants KPMG, released earlier this week, that said every one of the FTSE 350 companies was leaking data that could be used by hackers to gain control of their trade secrets or carry out fraud. Firms across the FTSE 350 are inadvertently leaking data by leaving employee usernames, email addresses and sensitive internal file locations online, where attackers can harvest them.
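The leakage KPMG describes usually lives in the metadata of documents a company publishes, so here is an added example (not KPMG’s tooling and not from the original article) that inspects an Office Open XML package before it goes on a public site. The package is constructed in memory with the fields Word writes: author and last-modifier names in `docProps/core.xml`, company and template path in `docProps/app.xml`, and link targets in the relationship files. The usernames, server names and paths are made up; the namespace URIs are the real OOXML ones.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# file:// URLs, UNC paths and drive-letter paths all point inside someone's network.
INTERNAL_PATH = re.compile(r"^(file:///|\\\\|[A-Za-z]:\\)", re.IGNORECASE)


def build_sample_docx() -> bytes:
    """Constructed OOXML package (not a real company's document) with typical leaky metadata."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    app = (
        '<Properties xmlns="%s"><Company>Example plc</Company>'
        "<Template>\\\\fs01\\templates\\board.dotx</Template></Properties>" % NS["ep"]
    )
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="file:///\\\\fs01\\finance\\q2\\results.xlsx" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%s" Target="https://www.example.com/" TargetMode="External"/>'
        "</Relationships>" % (NS["rel"], HYPERLINK_TYPE, HYPERLINK_TYPE)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def leaked_metadata(package: bytes) -> dict:
    """Collect usernames, company name and internal paths from an OOXML package's metadata."""
    findings = {"users": [], "company": None, "internal_paths": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    findings["users"].append(el.text.strip())
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            company = app.find("ep:Company", NS)
            if company is not None:
                findings["company"] = company.text
            template = app.find("ep:Template", NS)
            if template is not None and template.text and INTERNAL_PATH.match(template.text):
                findings["internal_paths"].append(template.text)
        for name in names:
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).findall("rel:Relationship", NS):
                    target = rel.get("Target", "")
                    if INTERNAL_PATH.match(target):
                        findings["internal_paths"].append(target)
    return findings


if __name__ == "__main__":
    for key, value in leaked_metadata(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Run over a crawl of a company’s public PDFs and Office files, the same three buckets (usernames, organisational names, internal paths) are what an attacker assembles first: the usernames give a login format, the paths name file servers, and the company field confirms which subsidiary produced the document.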

Ironically, KPMG is making exactly the same errors it criticises in others, according to an investigation by security blogger Graham Cluley. Not only are workers’ email addresses exposed but a simple Google search uncovered a number of PDF files and PPTs on KPMG’s own site that are marked as “confidential”.

Quizzed on these findings, a KPMG spokeswoman attempted to sidestep the snafus, arguing that its report was designed to raise awareness about the leakage issue.

“KPMG put its own site through the same examination as we did other sites,” she told El Reg. “We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/26/gchq_teams_with_ukgov/

Android ‘Master Key’ DEMON APPS sniffed out in China


Virus-hunter Symantec says the Android master key vulnerability is being exploited in China, where half-a-dozen apps have shown up carrying malicious content hidden behind a still-valid developer signature.

The vulnerability is simple, straightforward and utterly stupid: as Bluebox Security demonstrated recently, someone with evil intent and hardly any expertise can add to an Android APK package (a Zip file under another extension) a second entry carrying the same name as a file already in the archive.

As noted by El Reg here, Android’s signature check and its installer use different Zip parsers, and when an archive holds two entries with the same name they do not agree on which one to use: the signature is verified against one copy while the other is what gets installed, so the attacker’s file rides in under a legitimate signature. On 22 July, BitDefender identified a number of apps popping up on the Google Play store.
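The mechanism in miniature, as an added example that is not Bluebox’s proof of concept, not an Android component and not from the original article. It builds a Zip with two `classes.dex` entries from constructed stand-in bytes, then reads it back two ways: a lookup keyed by name, where the later central-directory entry overwrites the earlier one, and a scan in directory order, which stops at the first match. Two consumers that disagree in this way are exactly the split the master key bug exploits (the article does not say which Android component took which path, and this example does not claim to). `duplicate_entries` is the check a package validator should have made: any repeated name is grounds to reject the APK outright.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed stand-ins for the signed classes.dex and the attacker's replacement (not real bytecode).
SIGNED_DEX = b"dex\n035\x00SIGNED-ORIGINAL"
EVIL_DEX = b"dex\n035\x00ATTACKER-PAYLOAD"


def build_apk(entries: list) -> bytes:
    """Build a Zip from (name, bytes) pairs in the given order; duplicate names are written as-is."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns about duplicate names but writes them anyway
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def read_by_name(apk: bytes, name: str) -> bytes:
    """Dictionary-keyed lookup: the last central-directory entry with this name wins."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(zf.getinfo(name))


def read_by_scan(apk: bytes, name: str) -> bytes:
    """Sequential scan of the central directory: the first entry with this name wins."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def duplicate_entries(apk: bytes) -> dict:
    """Names that appear more than once in the central directory. Non-empty means: reject the package."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    tampered = build_apk([("classes.dex", EVIL_DEX), ("classes.dex", SIGNED_DEX)])
    print(read_by_name(tampered, "classes.dex"))    # SIGNED_DEX: what a name-keyed consumer sees
    print(read_by_scan(tampered, "classes.dex"))    # EVIL_DEX: what an in-order scan sees
    print(duplicate_entries(tampered))              # {'classes.dex': 2}
```

Both readers are individually reasonable; the bug is that the component checking the signature and the component using the file were not the same reader, and nothing refused the archive when its directory was ambiguous.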

Now Symantec has joined the party, identifying legitimate apps distributed in China into which malicious code has been planted using the vulnerability: two doctor-finding apps, a news app, an arcade game, and a betting/lottery app.

The good news for Androiders outside the Great Firewall is that all the malicious apps were being distributed on Chinese Android marketplaces rather than Google Play.

Symantec’s post states that the same attacker embedded code in all the compromised apps. The aim of the attack is to remotely control devices, steal data such as IMEI and phone numbers, send premium SMS messages, and on rooted devices, disable some Chinese mobile security apps. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/25/malicious_android_master_key_apps_found_in_china_symantec/

Pacemaker hack legend Barnaby Jack dies just before Black Hat revelations


Barnaby Jack, the security researcher who demonstrated cash machine hacks live on stage in Las Vegas and later highlighted the insecurity of smart medical devices, has died.

His death was confirmed by staff at his employer, security biz IOActive, and his sister Amberleigh Jack. His passing comes days before the opening of the Black Hat hacking convention in Vegas, where he was due to give a talk on electronic medical implants for humans.

There are no details about the circumstances of his death at the time of writing. It is understood the San Francisco Medical Examiner’s office said he died in the city on Thursday.

His peers took to Twitter to pay tribute and reminisce about past exploits with Jack, among them Dave Marcus, a senior threat researcher at McAfee; Jerry Gamblin, a network security specialist and conference speaker; and Dan Kaminsky, of Cisco, Avaya and IOActive fame.

An IOActive spokesman told El Reg: “We are working with his family to provide a way to celebrate and remember him.”

Back in 2010, to highlight security flaws in selected ATMs, Jack demonstrated his cash machine “jackpotting” technique live on stage.

His bug hunting and research covered all corners of computer security from scrutinising low-level Windows drivers to writing flaw exploitation whitepapers and articles. We’ll update with more details when we have them. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/26/barnaby_jack_dies/

Deadly Spanish train disaster exploited by malware mail scumbags


This week’s Spanish train disaster, in which at least 80 people were killed after a speeding train derailed, is being exploited by internet pondlife to spread malware.

Security outfit Dynamoo spotted email spam that links to what is claimed to be a CNN news story. Marks who click the URL end up on a hacked website riddled with malware that infects the passing web surfer.

The ruse is crude. More sophisticated scams that rely on manipulating search engine results, possibly referencing CCTV footage of the inter-city train coming off the tracks near Santiago de Compostela in Galicia, are likely to follow.

Back in the real world, Spain is mourning the deaths of 80 people in Wednesday evening’s disaster, while 90 seriously injured passengers are being treated in hospitals.

Any major story, ranging from natural disaster to celebrity deaths, is liable to become the theme of malware-based scams. In the case of human tragedy or natural disaster these are sometimes followed up with fake donation sites designed to enrich scumbags rather than help genuine victims.

Earlier this week we predicted the birth of the first child to the Duke and Duchess of Cambridge was likely to become a theme of such scams. Sure enough, Prince George’s arrival into the world was heralded by malware-flinging scams.

Spam emails supposedly from ScribbleLive with the subject “The Royal Baby: Live Updates” lead to sites loaded with the Blackhole Exploit Kit, designed to exploit vulnerabilities and push the infamous Zeus banking Trojan, Threat Track Security reports.

Malicious attachments in the form of Windows SCR files in scam emails about the royal birth have already been spotted doing the rounds.

The royal baby, the Spanish train crash and other significant news stories, such as a Barack Obama speech on the US economy, have all become the themes of fake CNN news story malware scams this week, security firm AppRiver reports. ®
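Two checks a mail gateway would run against the lures described in this article, as an added example that comes from none of the vendors quoted and is not part of the original article. The message is constructed in memory in the shape of the lures (a “Royal Baby” subject, a link whose visible text names cnn.com while the href points at an unrelated host, and a Windows .scr attachment); the sender address, host, path and filename are made up, and the list of executable extensions is an assumption a real gateway would extend.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click; .scr (screensaver) is a renamed .exe.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A host name or IPv4 literal at the start of a string, with or without a scheme.
HOST = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed lure (not a captured sample) in the shape of the 'Royal Baby' and fake-CNN spam."""
    msg = EmailMessage()
    msg["From"] = "CNN Breaking News <breakingnews@cnn-mail.example>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "The Royal Baby: Live Updates"
    msg.set_content("Read the full story at http://edition.cnn.com/2013/07/22/royal-baby/")
    msg.add_alternative(
        '<p>Read the full story at <a href="http://203.0.113.44/news/cnn.php">'
        "http://edition.cnn.com/2013/07/22/royal-baby/</a></p>",
        subtype="html",
    )
    dummy_exe = b"MZ\x90\x00" + b"\x00" * 12   # first bytes of a PE header, nothing more
    msg.add_attachment(dummy_exe, maintype="application", subtype="octet-stream",
                       filename="RoyalBaby_Video.scr")
    return msg.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern policy so the EmailMessage helpers are available."""
    return message_from_bytes(raw, policy=policy.default)


def executable_attachments(msg: EmailMessage) -> list:
    """Attachment filenames whose extension Windows would run."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTS:
            found.append(name)
    return found


def mismatched_links(msg: EmailMessage) -> list:
    """(visible text, real href) pairs where the text shows one host and the link goes to another."""
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []
    found = []
    for href, inner in ANCHOR.findall(html.get_content()):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        shown, real = HOST.match(text), HOST.match(href)
        if shown and real and shown.group(1).lower() != real.group(1).lower():
            found.append((text, href))
    return found


if __name__ == "__main__":
    message = parse(build_sample_message())
    print("executable attachments:", executable_attachments(message))   # ['RoyalBaby_Video.scr']
    print("mismatched links:", mismatched_links(message))
```

The link check only fires when the visible text itself looks like a URL or host name, so ordinary “click here” anchors are left alone; that keeps it a high-confidence signal rather than a noisy one.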


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/26/spanish_train_disaster_scams/
