STE WILLIAMS

Crimelords: Stolen credit cards… keep ’em. It’s all about banking logins now


Stolen bank login information attracts an even higher price than credit card numbers on underground cybercrime bazaars, and EU logins are worth more than American ones, according to research by McAfee.

The Intel-owned security division’s Cybercrime Exposed paper highlights trends in the thriving digital underground, including the ease with which criminals can buy personal information online. For example, buying credit card details without a PIN costs around £16 apiece, a price that rises to £65 with a PIN or £130 with a PIN and a guaranteed good balance.

European Union online banking logins cost 4–6 per cent of the account balance, while US online banking logins cost 2 per cent of the account balance. That means an online banking account with a £3,000-plus balance, or an American equivalent with $8,000, is worth more these days than a credit card record, even in cases where a crook is also offering to sell the PIN.

McAfee researchers also discovered that PayPal logins cost six to 20 per cent of the account balance. Western Union transfer details cost 10 per cent of the transfer amount.

Raj Samani and François Paget of McAfee obtained their figures from the going rate on underground cybercrime markets, which the two researchers report are stepping further into the background thanks to various law enforcement crackdowns.

“Such underground platforms are implementing stronger mechanisms to ensure that participants are who they purport to be (or at the very least are not law enforcement officials). Ironically, while the platforms that facilitate the services marketplace for illegal activities are going deeper underground, the trade in zero-day vulnerabilities is more transparent than ever before,” Samani and Paget report.

The technical barrier to getting involved in cybercrime has been lowered thanks to various Cybercrime-As-A-Service offerings. These include cybercrime-infrastructure-as-a-service (renting out botnets to send spam), bulletproof hosting, password cracking and DDoS for hire offers.

It also includes Crimeware-As-A-Service, a domain that includes the identification and development of the exploits used for the intended operation (droppers, downloaders, keyloggers, bots, and more). This category includes the availability of hardware that may be used for financial fraud (for example, ATM card skimming kit), the McAfee researchers explain.

Another category highlighted by the McAfee duo – Research-As-A-Service – covers the grey market involving the sale of zero-day vulnerabilities. “The sale of vulnerabilities has recently become a growth area for researchers and brokers alike,” Samani and Paget conclude.

Back in the day, high-minded security researchers reported security problems direct to vendors, sometimes getting a less than thankful response in return. These days security researchers in it purely for the money – so-called green hat hackers from the likes of Vupen Security in France and Endgame System in the US – have risen to the fore. Both organisations shun vendor-run programs, instead preferring to sell exploits to Western governments. Independent brokers facilitate the same type of legal but ethically questionable trade, and the rewards can be high, as the McAfee team report. One broker was reportedly able to facilitate the sale of an Apple iOS exploit for $250,000 and pocket 15 per cent (or $37,500) in commission.

This is right at the elite end of the market. An Adobe Reader exploit, for example, will fetch a far more modest fee of between $5,000 and $30,000. There’s also a market for Java, operating systems and browser exploits. Browser exploits are second only to iOS pwnage tricks, according to figures cited by McAfee, commanding a fee of $60,000 to $150,000 for Firefox or Safari zero-days and perhaps higher for Chrome or Internet Explorer malfeasance.

More details about the exploit vulnerability marketplace, which is legal, together with the changing landscape of the underground economy, can be found in McAfee’s Cybercrime Exposed whitepaper here (PDF). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/

Atlassian plugs XML parsing vulnerability


Cloud provider Atlassian has moved to patch what a security researcher describes as a backdoor in its enterprise single sign-on Crowd service.

However, the company is disputing Command Five’s assertion that a second, as-yet-unpatched vulnerability remains.


Command Five’s advisory states that XML DTD (document type definition) parsing gave attackers a means to “retrieve files from the target network, make HTTP requests on the target network, or carry out a Denial of Service attack.”

As the advisory explains, “XML can contain entities that are placeholders for other content”, and these could be exploited to replace a URL generated by Crowd with a path to other locations on the target network. The advisory gives various examples of possible attacks, including:

  • HTTP request relay – getting the Crowd server to perform HTTP requests against itself. Since these appear to be requests from localhost, the attacker can bypass Crowd’s trusted proxy and remote address validation rules.
  • Remote file retrieval – an attacker could craft a URL providing access to any file accessible to the Crowd server.
  • Denial of service – using nested XML entities in the DTD header of a SOAP request.
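The three attack classes listed above all start from the same place: a request body that carries a DTD. As an added illustration (not part of the Register article and not Atlassian’s or Command Five’s code), the Python below inspects a SOAP request body for a DTD before handing it to a parser and refuses any document that declares one, which is the standard hardening for this class of bug. The sample request bodies are constructed; the `getUser` operation and the `file:///CONSTRUCTED/path` URL are placeholders.

```python
"""Pre-parse gate for XML/SOAP request bodies.

Rejecting every DOCTYPE, rather than trying to decide which entity
declarations are harmless, closes off external-entity file retrieval,
request relay via SYSTEM URLs, and nested-entity expansion in one rule.
Constructed example; not Atlassian Crowd's code.
"""
import re
import xml.etree.ElementTree as ET

# Comments and CDATA sections may legitimately contain the literal text
# "<!DOCTYPE", so they are blanked out before the document is scanned.
_COMMENT_OR_CDATA = re.compile(rb"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.DOTALL)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)?",
    re.IGNORECASE,
)


def inspect_xml(body: bytes) -> dict:
    """Summarise DTD use in a document without parsing it."""
    scrubbed = _COMMENT_OR_CDATA.sub(b"", body)
    external = []
    internal = 0
    for m in _ENTITY.finditer(scrubbed):
        if m.group("kind"):  # SYSTEM or PUBLIC: resolved from a URL
            external.append(m.group("name").decode("ascii", "replace"))
        else:                # inline replacement text; may reference other entities
            internal += 1
    return {
        "has_doctype": _DOCTYPE.search(scrubbed) is not None,
        "external_entities": external,
        "internal_entities": internal,
    }


def parse_soap_body(body: bytes) -> ET.Element:
    """Parse only if the document carries no DTD at all; otherwise refuse.

    This mirrors the disallow-doctype-decl feature that Java's Xerces parser
    offers for the same purpose (Crowd is a Java product, but the article
    does not say which parser it uses, so that is an assumption).
    """
    info = inspect_xml(body)
    if info["has_doctype"]:
        raise ValueError(
            f"rejected XML with DTD: {len(info['external_entities'])} external, "
            f"{info['internal_entities']} internal entity declaration(s)"
        )
    return ET.fromstring(body)


def is_accepted(body: bytes) -> bool:
    """Convenience wrapper: True if the gate lets the body through."""
    try:
        parse_soap_body(body)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed sample request bodies (not taken from the advisory).
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><name>alice</name></getUser></soap:Body>
</soap:Envelope>"""

EXTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///CONSTRUCTED/path"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><name>&ext;</name></getUser></soap:Body>
</soap:Envelope>"""

NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><name>&b;</name></getUser></soap:Body>
</soap:Envelope>"""

# A DOCTYPE that only appears inside a comment is text, not a DTD.
COMMENTED = b'<?xml version="1.0"?><!-- literal <!DOCTYPE in a comment --><ping/>'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("external", EXTERNAL),
                        ("nested", NESTED), ("commented", COMMENTED)]:
        print(label, inspect_xml(body), "accepted" if is_accepted(body) else "rejected")
```

The scan runs on the raw bytes so that a parser never sees the DTD; a parser-level setting alone is only as good as the parser’s defaults, and entity expansion limits still let a document with external entities through.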

As Command Five noted, Atlassian has released upgraded software that addresses these vulnerabilities. A company spokesperson told The Register “In June, we had already identified and patched the first vulnerability (which the author labeled CVE-2013-3925) in a maintenance release of Crowd.”

What remains at issue, however, is this statement at the end of the Command Five advisory:

“Command Five is aware of at least one other critical vulnerability in Atlassian Crowd (CVE-2013-3926, CVSS 10) which remains unpatched at the time of writing (version 2.6.3). The vulnerability allows unauthenticated remote parties to take full control of any Crowd server to which they are able to make a network connection.”

Atlassian denied this, telling The Register: “We’ve been unable to substantiate the existence of the second alleged vulnerability, designated CVE-2013-3926. The author of the report has not contacted Atlassian, making it difficult to validate the claim.

“While we’ve been unable to confirm the existence of the second vulnerability, we take it seriously and have reached out to the author directly for more details. If we can confirm there is a vulnerability, a patch will be issued and all Crowd customers will be emailed details for how to update.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/01/atlassian_plugs_xml_parsing_vulnerability/

Energy sector under increasing attack: DHS


The Department of Homeland Security, via its ICS-CERT group, is reporting growing attacks against critical infrastructure with the energy sector leading the way.

Its most recent ICS-CERT Monitor report states that of more than 200 incidents it investigated between October 2012 and May 2013, 53 percent were in the energy sector. This far outstripped attempts to attack “critical manufacturing” facilities at 17 percent, while the transport and communications sectors could only manage to attract 5 percent of attacks each.

It states that the most common attack vectors were watering hole attacks, SQL injection, and spear-phishing attacks.

The 200-plus incidents in six months represent a dramatic increase compared to the 198 incidents reported to ICS-CERT for the whole of 2012. However, this could reflect a greater willingness to report incidents, in addition to a growth in attacks.

The report notes that on five occasions, the ICS-CERT decided to deploy its onsite teams to analyse the victim’s systems and network, three times to energy sector companies and twice to manufacturers.

ICS-CERT complains that its onsite investigations were hampered by “limited or non-existent logging and forensics data” from the target network. ®

[Figure: ICS-CERT attack data – energy sector the leading light in network attacks. Source: ICS-CERT Monitor]


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/energy_sector_under_increasing_attack_dhs/

Win 8 user? Thought that was a CAPTCHA? R is for ruh roh


A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.

The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, keyjacking involves disguising a “run executable” dialogue box within a CAPTCHA challenge.


Miscreants cover up the dialogue box with a window that looks like a CAPTCHA, with R as the first character prospective marks are invited to type. This R input authorises the computer to Run a downloadable file on a potential attack page.

Valotta has created a proof-of-concept demo that shows how a supposed sign-up to a movie-streaming site can be loaded with a fake CAPTCHA challenge that executes potentially hostile code, providing users are tricked into pressing “R”.

“The attack technique allows for remote code execution on Internet Explorer and Google Chrome with a minimum user interaction. I’m actually talking of typing one key [on IE] or making one click [on Chrome],” Valotta told El Reg.

“It basically means that visiting a malicious website and pressing one key or one click is enough to download and install malicious executables without any notification for the user.”

Valotta released a paper on his research last week after presenting his findings at the security industry events Hack in the Box 2013, PHDays 2013 and Nuit Du Hack 2013.

The attack works on IE9 and IE10 (Windows 7) and on Chrome for Windows 8, according to Valotta, who added that the approach doesn’t work on IE8 because the browser features pop-up warnings.

The basic ruse behind the attack is not new and, in earlier incarnations, was classified as a variant of clickjacking. Valotta’s research, however, shows that the approach works on Windows 8 machines and not just against the older executable-run warnings on Win 7 and earlier versions of Windows.

There are a couple of limitations to the technique, even on Win 8 machines with improved clickjacking defences. First, the malign application needs to make it past Microsoft’s Smartscreen Reputation check. This cloud-based security technology is not 100 per cent reliable, so this might not be enough to thwart all attacks.

Even after clearing that hurdle, the prospective VXer would need to defeat Microsoft’s User Account Control, which enforces a warning whenever an application requires administrative privileges. This warning can’t be sidestepped simply using keyjacking but, as Valotta points out, it might be possible to do all manner of mischief with malicious code – even without administrative privileges. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/01/keyjacking_attack_targets_letter_r_captchas/

Feds charge man in $1m ‘Dr Evil’ scam to blackmail Mitt Romney


A Tennessee man has been charged over a high-profile extortion and wire fraud scam involving former Republican presidential candidate Mitt Romney’s tax returns.

Michael Mancil Brown, 34, of Franklin, Tennessee faces six counts of wire fraud and six counts of extortion over his alleged involvement in a plot to blackmail Romney with threats to expose his tax records during last year’s presidential campaign.


These tax records were supposedly swiped from the Franklin offices of PricewaterhouseCoopers before Romney was offered the chance to block their publication for $1m, payable in Bitcoins. Demand letters were also sent to Republican Party offices in Tennessee and PwC.

The blackmailer offered to release the mysterious documents if $1m was paid into a separate Bitcoin account.

According to charges contained in the indictment, Brown was behind attempts to auction off the supposed files. The Feds said that the claims made by the blackmailer, whatever their identity, of having compromised the accounting firm’s computer systems before lifting the tax records of Mitt and Ann Romney were all hogwash.

A Department of Justice statement on the case goes on to allege: “Brown devised a scheme to defraud Romney, the accounting firm of PricewaterhouseCoopers LLP and others by falsely claiming that he had gained access to the PricewaterhouseCoopers internal computer network and had stolen tax documents for Romney and his wife, Ann D. Romney, for tax years prior to 2010.”

Boasts posted on Pastebin back in September 2012 claimed that Romney’s 1040 tax returns were copied onto a flash drive after a “team” had sneaked into the Franklin offices of PwC. In a later FAQ on the extortion demands, the “group” adopted the moniker “Dr Evil”, a reference to the antagonist of the Austin Powers films who was also inclined towards making extortionate demands for “one MEEELLLION dollars”, in between demanding “sharks with fricking lasers”.

Romney’s disinclination to reveal his tax affairs was used against him throughout last year’s presidential campaign, which was moving into overdrive at the time of the unsubstantiated record theft claims.

The author of the demand letters included a flash drive supposedly containing encrypted documents related to Romney’s tax records, CNN reports.

PricewaterhouseCoopers said at the time of the initial claim that it had no evidence that its system had been accessed. Political officials turned over packages sent to their offices to Secret Service investigators without opening them, Politico adds. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/01/romney_tax_record_bitcoin_scam_charges/

PRISM leaks: WTF, you don’t spy on your friends, splutters EU


Berlin has accused Washington of treating it “like a Cold War enemy” after it emerged that US spooks spied on targets from friendly European countries.

Vice-president of the European Commission, Neelie Kroes, told BBC:


Of course it is a shock and it’s not acceptable at all. It’s not acceptable because it is a friendly relationship… The member states should sit together and make up [our] minds how we are dealing with this. Of course, talking between friends, it should be clear first that it will never, ever happen again…

According to a report published in Der Spiegel over the weekend, American spies bugged the EU embassy in Washington and its offices at the UN in New York, as well as a key building in Brussels.

Der Spiegel‘s allegations were based on a 2010 document leaked by PRISM whistleblower Edward Snowden, who is thought to be holed up in Russia and hoping to flee to the nation of Ecuador, which may grant him asylum – although there is currently doubt over whether or not the country will extradite him. The German magazine said it had seen evidence that the NSA boasted of targeting “third party partners”, which do not include second-party countries like Canada, the UK or Australia.

The claims were backed up by an article in The Guardian, which referred to documents released by Snowden that showed US spies targeted 38 missions and embassies worldwide, including allies like Turkey, France, Italy, Japan, Greece, Mexico, India and South Korea.

The newspaper also published details of American surveillance techniques, which include planting bugs into communications gear, tapping into cables, collecting transmissions and using a system called Dropmire to spy on diplomats’ encrypted fax machines. Agents also used a system allowing them to download the entire contents of a hard drive.

The news hit hard in Germany, which remembers the blanket surveillance carried out by the Stasi during the dark days of the Cold War.

Steffen Seibert, spokesman for Chancellor Merkel, said: “If it is confirmed that diplomatic representations of the European Union and individual European countries have been spied upon, we will clearly say that bugging friends is unacceptable. We are no longer in the Cold War.”

Eurocrats have warned the Americans that their surveillance scheme could stymie plans to sign a trans-Atlantic trade treaty, which would create the world’s largest free trade area. Officials in Germany, Italy, France and Luxembourg have lined up to sling mud at the US.

“Partners do not spy on each other,” said EU Justice Commissioner Viviane Reding. “We cannot negotiate over a big trans-Atlantic market if there is the slightest doubt that our partners are carrying out spying activities on the offices of our negotiators. The American authorities should eliminate any such doubt swiftly.”

The European Parliament President Martin Schulz said he was “deeply worried and shocked about the allegations of US authorities spying on EU offices”, while Luxembourg’s foreign minister and deputy prime minister Jean Asselborn said work should begin immediately to rebuild “confidence on the highest level of the European Union and the United States”.

The documents leaked to Der Spiegel suggested the EU’s United Nations office was spied on along with the Washington outpost. Both were named as a “location target”.

American spies were also alleged to be involved in an electronic snooping programme in the heart of Brussels five years ago, striking at the telephone system in the Justus Lipsius building, which houses the EU’s Council of Ministers and the European Council.

Calls made to the phone network’s remote maintenance system were tracked back to NATO headquarters on the outskirts of Brussels, in a part of the building known to be used by the NSA. If true, this would allow NSA agents to listen in on top officials’ calls and monitor internet traffic.

In a statement, the national intelligence director’s office appeared to confirm the allegation. It said that “as a matter of policy, we have made clear that the United States gathers foreign intelligence of the type gathered by all nations” – which includes friendly nations, by the looks of things.

During an appearance on the CBS news show Face The Nation, former NSA and CIA director Mike Hayden said Europeans “should look first and find out what their own governments are doing” before becoming outraged.

However, he told US President Barack Obama that more needed to be done to make sure citizens knew exactly what sort of surveillance the government was carrying out.

“The more they know, the more comfortable they will feel,” Hayden said. “Frankly, I think we ought to be doing a bit more to explain what it is we’re doing, why, and the very tight safeguards under which we’re operating.”

The NSA used codenames for each operation, giving the name “Perdido” to the spying programme at the EU’s offices in New York – a word that means “lost” or “missing” in Spanish and Portuguese.

Snooping on Greece’s UN mission was called “Powell”, while the operation against its embassy was named “Klondyke”.

The operation against the French embassy in Washington was “Wabash”, while the one aimed at its UN mission was called “Blackfoot”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/01/german_rage_at_us_surveillance_project/

Secure phone app library vulnerable


Users of a number of telephone apps need to upgrade, with a security researcher publishing research identifying serious vulnerabilities in ZRTPCPP, a core security library.

As ThreatPost notes, the compromised library counts PGP luminary Phil Zimmermann’s SilentCircle secure comms application among its users.


Researcher Mark Dowd of Azimuth Security identified a variety of bugs including a remote heap overflow, a number of stack overflows, and information leakage.

The flaws exist in the GNU ZRTPCPP library. As well as SilentCircle, the library is used in LinPhone, CsipSimple, Twinkle, various Ostel clients, and “anything using the GNU ccRTP with ZRTP enabled”, Dowd writes.

The Zimmermann-designed ZRTP protocol is implemented in the library as part of the GNU secure telephony stack. It uses an already established RTP session to negotiate a cryptographically protected, authenticated session.

The first vulnerability exists in the Zrtp::storeMsgTemp() function, which can be crashed remotely by sending an over-sized packet, “leading to potential arbitrary code execution on the vulnerable host”.

The second issue he identified is that a number of functions can be crashed via a remote heap overflow. However, Dowd was unsure as to whether this gave rise to an exploitable condition.

Finally, the library fails to validate whether a packet is of the expected size. “This can lead to both information leaking and out of bounds data reads (usually resulting in a crash)”, Dowd writes.

The good news is that the library has been updated on GitHub, and a SilentCircle update is available in both the Android and Apple versions (via Google Play and the App Store). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/30/secure_phone_app_library_vulnerable/

Facebook slurped phone numbers says Norton


Norton has pinged Facebook for slurping Android users’ phone numbers without their consent.

The findings, posted here, were announced along with a new version of the company’s Android security app.


Norton, which once famously blocked Facebook as a phishing site, says the updated Mobile Insight flagged Facebook for Android as leaking the device phone numbers, affecting a “significant portion” of the hundreds of millions of people who have downloaded the app from Google Play.

“Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen,” the post states.

Facebook has advised that it will update the app, and that it has “stated they did not use or process the phone numbers and have deleted them from their servers,” Norton says.

The security outfit says it will be providing information about other leaky applications “in the coming weeks”.

It’s the second embarrassing privacy slip for Facebook in a fortnight, following the discovery that the company’s Download Your Information tool was spraying user data to all and sundry. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/01/facebook_slurped_phone_numbers_says_norton/

Flash flaw potentially makes every webcam or laptop a peephole


A security flaw thought to have been fixed by Adobe in October 2011 has reappeared thanks to a new vulnerability involving Flash Player browser plug-ins.

The as-yet-unpatched vulnerability creates a means to seize control of webcams without permission before siphoning off video and audio from victims’ PCs. The clickjack-style flaw was uncovered by security consultant Egor Homakov, who developed a harmless proof-of-concept exploit to underline his concerns and push for an early fix.


“This works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you,” Homakov explains in a blog post.

Adobe security team spokeswoman Heather Edell confirmed there was an issue but said it was limited to Flash Player for Google Chrome.

“This vulnerability affects users on Flash Player installed with Google Chrome,” Edell told El Reg in an email. “Google is working to resolve the issue and plans to provide a fix this week,” she added.

The vulnerability would be potentially handy for both perverts and NSA-style spies. Tinfoil hatters who tape over webcams when they aren’t in use have been vindicated by the discovery of the problem.

Robert Hansen, director of product management for WhiteHat Security, said the security model adopted by Adobe Flash has contributed to the problem.

“The basic problem with Flash is that it doesn’t have modal dialogues that pop up outside of the browser, which can alert the user to what’s about to happen,” Hansen explained. “Because the dialogues are on the same page as the adversary’s code, they can overlay things, make it opaque, and so on, to effectively hide the dialogue warning.”

Google recently imposed a seven-day deadline for vendors to respond to security bug reports. Homakov’s discovery represents the first chance to see whether Google itself can stick to such tight deadlines. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/flash_webcam_flaw/

Retired 4-star general probed over Stuxnet details leak


A retired general has been named as the target of a US Department of Justice probe into the release of confidential information about the Stuxnet virus.

An NBC report claimed that James Cartwright, a retired US Marine Corps four star general, was under investigation for allegedly leaking details of the virus.


Unnamed legal sources told NBC that Cartwright, a former vice-chairman of the Joint Chiefs of Staff, had been sent a letter informing him that he was under investigation.

The 63-year-old general is the latest public figure to be caught up in the Obama regime’s investigation into the leaks, which has already prosecuted or charged eight people under the Espionage Act.

Stuxnet was specifically designed to target the uranium-enriching centrifuges that are crucial to Iran’s nuclear capabilities. In 2010, the virus caused 1,000 of the devices to spin out of control, temporarily disabling them. However, the worm did not entirely halt the Iranian nuclear programme, which has been widely interpreted as a scheme to produce atomic weapons.

It is thought that Israeli spooks worked with their American colleagues to produce the malware, which was seen as a safer alternative to bombing the Islamic Republic’s nuclear facilities.

Neither the Justice Department nor the US attorney’s office in Baltimore has commented on the alleged investigation.

According to the New York Times‘ definitive report into the Stuxnet virus, President Obama made a clear decision to ramp up cyberattacks, building upon a programme called “Olympic Games” that began under George W Bush. It is understood that Cartwright was one of the top military personnel involved in this cyberwar effort.

Obama was reportedly furious at David Sanger’s report in the NYT, promising to root out the people who leaked information. Initially, the focus was on White House sources, but investigators are thought to have turned their attention to high-ranking military figures late last year.

The Stuxnet virus was only identified after escaping from Iranian systems into the wild. Cartwright is said to be the man who told Obama that this sophisticated cyber-weapon had been let loose into the wilds of the internet, although there are still big questions about how it actually got there.

The effectiveness of Stuxnet has been questioned, with some US officials claiming that it actually helped Iran’s nuclear effort and encouraged the country to launch its own cyber-jihad. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/28/stuxnet_general_arrested/