STE WILLIAMS

The frequency of phishing attacks against UK internet users has tripled over the last 12 months, according to figures from Russian security software firm Kaspersky Lab.

Facebook, Yahoo!, Google and Amazon are the websites most targeted by phishers in the UK, indicating a diversification away from the traditional target of phishing attacks – online banks – towards other targets such as social networks.

Together, Yahoo!, Google, Facebook and Amazon accounted for 30 per cent of phishing attacks.

Over 20 per cent of all phishing attacks worldwide mimicked banks and other financial organisations. The top 10 sites targeted in the UK include BT, PayPal and an unnamed bank.

More than half of the phishing targets in the Kaspersky database (921 names out of 1,739) were fake copies of the websites of banks and other credit and financial organisations.

The UK is one of the most frequent targets of phishing attacks, along with Russia, the USA, India and Vietnam. The majority of the servers hosting phishing pages were registered in the USA, the UK, Germany, Russia and India.

The figures in Kaspersky Lab’s The evolution of phishing attacks report (PDF) are based on an analysis of data anonymously submitted by 50 million users of Kaspersky’s cloud security services and products.

In the 12 months up to the end of April 2013, phishers launched attacks affecting an average of 102,100 people worldwide each day – twice as many as in 2011-2012. An estimated 3,000 users were attacked each day in the UK – three times as many as in 2011-2012.*

Phishing typically involves creating counterfeit copies of popular websites such as webmail services, internet banking and social networking sites. Cybercrooks try to lure potential victims to these rogue web pages, often under the guise of a security check, in a bid to trick them into entering their login credentials to fake sites.

These account credentials are subsequently abused in various scams, such as spam distribution and electronic banking fraud.

Traditional phishing attacks were spread through spam email messages, but this too is changing. Only 12 per cent of phishing attacks worldwide were launched via spam mailshots, according to Kaspersky Lab, with the other 88 per cent coming from links to phishing pages which people followed while using a web browser or an instant messaging service such as Skype. ®

Bootnote

*The reason that the figures may seem low is because they only include attacks logged on users of Kaspersky Lab products, a rep from the Russian security firm explained.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/26/phishing_trends/

HP StoreOnce has undocumented backdoor

HP is being accused of leaving a serious security vulnerability in its StoreOnce SAN system: a hard-coded administrator account in its management software.

According to this blog post published under the handle Technion, weeks of contact with HP’s Software Security Response Team have failed to elicit a response, so the poster decided to go public.

“My last three weekly requests for an update have gone ignored,” Technion writes.

It’s a simple and all-too-depressing scenario: during product development, someone creates a vendor admin account because nobody wants to waste time with password recovery, and the account stays in the product because nobody remembers to remove it.

It certainly looks like an accident: while Technion didn’t post the password that the HPSupport account uses, he posted the SHA1 hash of it, and H Online writes, “The password is just seven characters long and draws on a ten-year old meme”, suggesting that someone’s already brute-forced it.

As Technion writes, “This hash is out there and it can’t be taken away. Someone will crack it, and they will do so soon.”

HP has previously been bitten by secret backdoors. In 2010, its StorageWorks P2000 G3 MSA was found to have a similar undocumented account. The company’s advisory at that time was that the admin account password could be changed by users through the command line interface. It’s not yet known whether the StoreOnce admin account can be similarly secured.

The Register has sought comment from HP in Australia and the US, and will update this story if a response is received. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/26/hp_storeonce_has_undocumented_backdoor/

North and South Korea hit by cyber-blitz on Korean War anniversary

Both North and South Korea are under cyber attack from a group of unidentified hackers who blitzed senior government officials’ websites and a group of media companies.

The website of the South Korean presidential office and prime minister’s office were among the sites hit on Tuesday morning.

“The government confirms there was a cyberattack this morning by unidentified hackers that shut down several sites including the presidential Blue House, the prime minister’s office and some media companies,” the South Korean science ministry said in a statement reported by the Wall Street Journal.

North Korea’s Korean Central News Agency, state-owned airline Air Koryo, state-owned newspaper Rodong Sinmun, and official state web portal Naenara were also knocked offline on Tuesday, CBS News reports.

The attack coincides with the anniversary of the start of the Korean War on 25 June 1950, which resulted in the division of the Korean peninsula between North and South Korea.

Most of these sites, targets of previous campaigns by hacktivist group Anonymous, are actually run from servers hosted in China. Elements of Anonymous have claimed responsibility for the attacks against the North but the situation remains confused, the BBC reports.

South Korea has raised its state of alert in response to the attacks, which are minor compared to attacks in March against South Korean banks and broadcasters that disrupted banking services. An estimated 32,000 computers were infected with malware designed to trigger at a pre-set time. The March attacks came at a time of heightened tensions on the Korean peninsula following nuclear tests by the Norks.

South Korea also suffered similar cyber attacks in 2009 and 2011.

Chris McIntosh, chief exec at ViaSat UK and a former Royal Signals officer, said that further attacks are almost inevitable. He added that others can learn from the experiences of the Koreans.

“We know this isn’t the first such attack against South Korea, and it certainly won’t be the last,” McIntosh said. “Put simply, despite such attacks swiftly becoming a fact of life there is still too much evidence of an ‘it couldn’t happen here’ mentality.”

“Organisations need to assume from the very start that their networks have already been breached by cyber criminals or worse and implement people, procedural and technological control measures based on this,” he added.

“Since an attacker will go for the lowest-hanging fruit, every point of weakness and potential interaction with the outside world needs to be identified, whether it is how information is stored; how data is moved; how the network is accessed; and, most simply, exactly what technology people are using.” ®

Update

Rik Ferguson, VP of security research at Trend Micro, said that while the attacks against North Korean targets appear to be routine DDoS assaults, the attacks against South Korean websites appear to be more focused on defacement. These involved apparent attempts to discredit Anonymous by portraying elements of the hacktivist group as responsible for attacks on South Korean websites.

“The attacks on South Korean sites appear somewhat different, less about Denial of Service and more about access, exploitation and defacement,” Ferguson said. “One video posted briefly on YouTube showed an attacker using a tool called w3b_avtix apparently to connect to the website of the South Korean president, exploit a vulnerability, gain access and upload defaced content to the website.”

“Everything has been done to brand the video as an ‘Anonymous’ attack; however, one of the most vocal Twitter users (@anonsj) associated with Anonymous activity in Korea has disavowed any attacks on South Korean web sites.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/25/korean_war_anniversary_ddos_attacks/

Charlie Miller to tell Vegas punters how to hack your car

An eagerly anticipated talk by Charlie Miller on car hacking, rejected by organisers of the Black Hat security conference, will get an airing in Las Vegas this summer after all.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at IOActive, are due to present a talk on Adventures in Automotive Networks and Control Units at Def Con 21, it was confirmed on Monday.

The talk (abstract below) promises to lift the bonnet on the security shortcomings of car network systems, including those related to braking and steering. The presentation promises to be standing room only.

Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality.

This presentation will examine some controls in two modern automobiles from a security researcher’s point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus.

Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering.

Finally, we’ll discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.

Miller (@0xcharlie), a security engineer at Twitter, is best known for his exploits as the first to break into both the iPhone and the G1 Android phone. He is also a four-time winner of the CanSecWest Pwn2Own competition.

Valasek is well known for his research on Windows heap exploits. Miller said their talk builds on previous research into the computer security of networked car systems, with the important difference that the two researchers will “reveal details and release tools”.

Def Con 21 is due to take place from 1 to 3 August at the Rio Hotel in Las Vegas.

The entry of Miller’s car hacking talk on the Def Con roster follows a surprise rejection of the same talk by Black Hat organisers. He said:

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/25/miller_car_hacking/

Freed LulzSec hacker banned from contacting Anons, wiping data

Erstwhile LulzSec spokesman Jake Davis has been freed from detention, with strict conditions on the 20-year-old’s use of the internet and computers.

Davis (aka Topiary), formerly of Lerwick in Shetland, was convicted of computer hacking over his role in the infamous LulzSec hacking crew and banged up for 24 months in May at a hearing in London’s Southwark Crown Court.

However, time served wearing an electronic tag for 21 months was taken into account as part of this sentence, so that Davis spent just 37 days at Feltham Young Offenders’ Institution. Specifically, Davis was jailed for “two counts of conspiracy to do an unauthorised act with intent to impair the operation of a computer” involving hack attacks against the UK’s Serious and Organised Crime Agency and Sony Pictures. He was found not guilty of two counts of encouraging or assisting offences.

He will be allowed to use the internet following his release, but is prohibited from contacting any of his former LulzSec cohorts or members of the wider Anonymous collective. He’s also forbidden from setting up encrypted files or folders, securely wiping any data or deleting his internet history.

Davis told the BBC he plans to publish a prison diary about his experiences. There’s even talk of a film.

In the meantime, Davis has returned to the Twitterverse as @DoubleJake, where he has expressed support for Edward Snowden and spoken of his brief time behind bars and his future plans.

Despite his time behind bars at Feltham, Davis’ sense of humour seems to be strong and unimpaired.

A BBC Newsnight interview with Davis around the time of his sentencing can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/25/former_lulzsec_spokesman_davis_released_from_jail/

Trend Micro turns RAT catcher as Taiwan cops cuff hacker

Security vendor Trend Micro has embiggened its industry collaboration credentials this week after helping Taiwanese police arrest one man in connection with a widespread targeted attack, and teaming up with Interpol on a new cyber crime prevention centre.

The targeted attack in question used the notorious Ghost remote access Trojan (RAT) to steal data from thousands of individuals and SMBs, according to the vendor.

Using classic email spear phishing techniques, the attacker tricked users into clicking on a malicious link in an email pretending to come from the Taiwan Bureau of National Health Insurance.

This would take them to a separate site and automatically download a legitimate-looking RAR file.

If the user then clicked to download this file, it would drop the malicious Ghost RAT payload onto their machine, giving the attacker full access to navigate the victim’s system and exfiltrate any valuable-looking data, Trend Micro said.

The attacker apparently stole over 10,000 pieces of personal data before being arrested.

In response to such threats, Interpol has announced it is establishing a “Global Complex for Innovation” in Singapore next year.

The centre of excellence for online crime prevention will act as a hub for the body to foster greater multi-stakeholder co-operation and improve law enforcers’ cyber skills.

This is where Trend Micro will help by delivering training programs to Interpol, police and government agencies and CNI firms in participating countries.

It said the training would include “e-learning modules, classroom-based training sessions, workshops and/or professional certifications”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/25/trend_micro_catches_a_ghost_rat/

Media phone-hacking? Tip of the iceberg, says leaked police report

A suppressed report from “Britain’s FBI” has revealed that the rich, insurance companies, law firms and telecoms companies hired private investigators to run unlawful hacking and blagging campaigns of the type that brought down Rupert Murdoch’s News of the World, according to The Independent.

The newspaper reports that the UK’s Serious Organised Crime Agency (Soca) was aware of this illegal activity for six years, but did little to disrupt it. This comes after the paper apparently saw a leaked copy of a police report into the full scope of criminal activity by private investigators.

Soca had submitted the report covering the use of private investigators to the Leveson Inquiry into press ethics last year, but the issue was neither raised during public sessions nor mentioned in the final Leveson report.

The Independent says the “bombshell report” – codenamed Project Riverside – found that rich individuals and private companies had been hiring unscrupulous private detectives to obtain sensitive information on targets for years.

Tactics used by what the Indy describes as “respected companies” allegedly included bribing police officers, real-time tapping of telephone lines using gadgets planted by ex-BT engineers into street cabinets, computer hacking and perverting the course of justice.

According to “Project Riverside”, clients of corrupt private investigators commonly included law firms, including those involved in marriage break-ups, as well as litigators investigating fraud on behalf of private clients.

One private investigator involved in phone hacking, blagging (obtaining confidential data by fooling companies into handing it over) and worse obtained 80 per cent of his work from law firms, the mega-rich and insurance companies, according to the Riverside report. The secret report said that just 20 per cent of this investigator’s work had come from the media, whose activities in the area led to a public outcry, the closure of The News of the World and ongoing criminal proceedings.

One document unearthed by Soca investigators, dubbed The Blagger’s Manual, explained how to trick “banks, HM Revenue and Customs, councils, utility providers and the NHS” into handing over sensitive information on targeted individuals.

“It is probably a good idea to overcome any moral hang-ups you might have about ‘snooping’ or ‘dishonesty’,” the manual explains. “The fact is that through learning acts of technical deception, you will be performing a task which is not only of value to us or our client, but to industry as a whole.”

Labour MP Keith Vaz, chairman of the Home Affairs Select Committee, said: “I will be seeking an explanation from Soca as to why this was not told to the Committee when we took evidence from them about the issue of private investigators. It is important that we establish how widespread this practice was and why no action was taken to stop what amounted to criminal activity of the worst kind.”

Project Riverside, which ran between 2006 and 2007, uncovered widespread evidence of criminal conduct. None of the suspects were charged until the media-related phone-hacking scandal became public four years later.

The Soca report on the investigation contains “sensitive material” that may allow its content to be withheld from public publication under “public-interest immunity” tests even if it becomes part of future legal proceedings, The Independent reports.

A Soca spokesman told the paper: “Soca produced a confidential report in 2008 on the issue of licensing the private investigation industry. This report remains confidential and Soca does not comment on leaked documents or specific criminal investigations. Information is shared with other partners as required.”

The Soca report was supplied to the Leveson Inquiry in March last year by Ian Hurst, a former British Army intelligence officer whose computer was hacked by malware planted by private investigators working for the News of the World.

Hurst attached the eight-page Soca report to his witness statement, alongside leaked Scotland Yard witness statements detailing alleged illegality involving police and private investigators.

Hurst told The Independent: “As a former British Army intelligence officer, I instantly understood the significance of the classified document and it was clear the unlawful collection of personal data was systemic across a broad range of sectors, and not solely confined to the media.”

A Leveson Inquiry spokesman said malpractice outside the media industry was outside its brief. “The terms of reference for the inquiry were absolutely about the culture, practices and ethics of the press and how they engaged with the public, the police and politicians. Evidence on other issues would have been considered to have been outside those terms of reference.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/24/private_eye_malfeasance/

Privacy expert dismisses PRISM-busting typeface as ‘art project’

Attempts to use a mixed-up font that makes machine reading more difficult in order to foil NSA snoopers or hackers are almost certain to fail, according to privacy experts.

Sang Mun, a former South Korean Army man who worked in liaison with the US National Security Agency (NSA) during his service, spent a year creating the ZXX family of fonts, which aim to make it harder for computers to read messages.

ZXX fonts are designed to work in a similar way to Captcha challenges, of the type internet users are often required to go through to register for a new web service, in that they are difficult for computers to solve but straightforward for humans.

ZXX text even looks a bit like a Captcha, as a blog post by independent security watcher Graham Cluley illustrates.

However, as Cluley points out, the modus operandi of intelligence agencies such as the NSA, GCHQ, and the rest involves tapping into internet communications in bulk by running deep packet inspection probes on fibre optic communications or by obtaining stored data.

Scanning letters or printed communications isn’t necessary, making the ZXX font less of a resounding blow for internet freedom and more of a quixotic project of little practical use.

“Regardless of whether you communicate electronically using Sang Mun’s font, Comic Sans or something more traditional, it makes no difference to anyone spying electronically on your communications,” Cluley explains.

“The computers which might be spying on your communications don’t see the font like a human would, they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

So, it makes no difference to these computers if a font, for example, disguises a capital ‘T’ as a capital ‘G’.”

Sang bills ZXX as a disruptive typeface. It takes its name from the Library of Congress’ three-letter code for cases where the language of a book is unknown or not applicable: code “ZXX” is used when there is “No linguistic content; Not applicable”.

The ongoing project has been running for some months, but the whole thing has been given a new lease of life by the revelations about uncontrolled internet surveillance over recent weeks by the NSA and GCHQ.

In an update to his blog post on how ZXX is a “Defiant Typeface”, Sang explains that he’s quite well aware that digital text fundamentally relies on binary codes, which can be intercepted and analysed.

“This project/post is focused on raising awareness, which I should’ve articulated better,” he said. “It would be great if further conversations ruminated over the growing surveillance state and how we should act.”

Cluley adds the caveat that ZXX might be useful if you send messages as images. “In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file,” he said.

The secret services have little need to use OCR (at least, not primarily) to snoop on communications. If the need did arise, then we can be reasonably confident that the likes of the NSA would rapidly come up with a means to decipher something like ZXX from images automatically. Cluley said that for anyone serious about privacy, end-to-end encryption using something like PGP remains the best option.

He concludes: “Quite frankly, if you’re going to all the effort of composing messages in an image editor, why aren’t you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can’t be deciphered?”

“It’s a nice art project by Sang Mun, but I don’t think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools,” he adds. ®

Bootnote

One of the documents relating to the NSA’s PRISM programme released by Snowden suggests those that use encryption technologies such as PGP and TrueCrypt are more likely to have their information stored. There’s nothing to suggest that even the NSA can readily break these algorithms, whose security ultimately relies on mathematical proofs on the difficulty of factoring the product of two very large prime numbers. Advances in cryptanalysis or quantum computing might make even the best privacy-protecting technologies we have now crackable in the future.

So the really paranoid need to think ahead.

A combination of carrier pigeons and one-time pads is the best combination El Reg‘s tinfoil-hat desk can think of now. Properly implemented, such a system would foil computer-based cracking. Such systems, although tested by secret agents during World War II, are not very scalable and also suffer from bird shit–related problems.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/24/freedom_font/

Home Office launches £4m cyber security awareness scheme

The UK Home Office has launched a new £4m information security awareness campaign, designed to educate businesses and consumers about rising hacker threats. The first stage of the campaign is due to get underway in the autumn.

The scheme will sit alongside other more established information security initiatives, such as Get Safe Online as part of the government’s National Cyber Security Programme. The Home Office is inviting bids from media, PR and creative agencies to get the word out on cyber security.

Graeme Stewart, director of public sector strategy at McAfee, called for a consolidation of security training initiatives.

“McAfee applauds the UK Home Office initiative to raise awareness of the seriousness and impact of cyber threat to UK businesses and citizens,” Stewart said. “There are now a number of initiatives spread across HMG and, for our part, we’d like to see a single coordinated campaign that explains the dangers in a straightforward way to board members and directors of organisations both large and small.

“For the Government’s digital transformation programmes to be successful, UK citizens need to take a certain level of responsibility for their own online safety in order for them to take full advantage of the ‘Digital by Default’ mantra currently in play across UK public sector,” he added.

However, Mark James, technical director at ESET UK, welcomed the focus of the awareness training on small business, a sector that’s often overlooked in security awareness programs.

“SMEs form the backbone of the UK economy and without the resources always available to larger enterprises basic cracks in security measures can appear,” he states. “When breaches in security can cripple a company in terms of both financial and reputational damage, it’s encouraging to see the government taking a lead in helping businesses build up resistance to threats by equipping them with the skills and confidence to adequately educate staff on the ways to spot malware and hacker threats.”

The Home Office released figures on Thursday suggesting that the number of crimes committed against UK businesses has dropped from 21.5m in 2002 to seven million in 2012, as part of a report entitled Crime against businesses: detailed findings from the 2012 Commercial Victimisation Survey. These statistics, however, omit figures related to cyber crime, which are notoriously difficult to compile and unreliable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/24/home_office_cyber_education_scheme/

Facebook bug leaks contact info of 6 million users

Facebook’s Download Your Information (DYI) tool has occasionally been criticized for not offering enough transparency into user-account data, but it recently revealed more than it intended when a bug led it to leak the contact information of some six million users.

In an advisory posted on Friday, Facebook’s security team explained that the code the social network uses to make friend recommendations inadvertently caused the email addresses and phone numbers of potential contacts to be associated with other users’ account data.

If those users then used the DYI tool, the wrongly added contact information would be included in the download, whether or not the users were actually friends with the owners of the addresses or numbers in question.

“After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed,” Facebook’s White Hat staff wrote.

In all, the security team has concluded that the addresses or phone numbers of around six million Facebook users were leaked in this way – a figure equivalent to about 0.54 per cent of the social network’s global user base.

Zuck’s security bods have determined that each individual email address or phone number was typically only included in a download once or twice, meaning it was only leaked to one person. In addition, Facebook assures us that only other people could have had access to the data – as opposed to developers or advertisers – and no other financial or personal information was disclosed.

The bug was first brought to Facebook’s attention by an independent security researcher, whom the social site’s security staff say has already been paid a bug bounty for his efforts. In addition, Facebook has notified its regulators in the US, Canada, and Europe of the incident and is in the process of notifying affected users via email.

Equally important, although the social network has downplayed the severity of the leak and it doubts that the bug was ever exploited for malicious purposes, it’s still really, really, really sorry about the whole thing.

“It’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” the White Hat team wrote. “Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/21/facebook_contact_leak/