STE WILLIAMS

Smart TVs riddled with DUMB security holes

It’s been known for some time that “smart TVs” are dumb about security, but a German researcher has demonstrated that the stupidity goes so far as to enable remote snooping or even a takeover of the in-set computer.

n.runs researcher Martin Herfurt has built on work begun at Darmstadt University of Technology (TU Darmstadt) to demonstrate a range of remote attacks on Samsung sets supporting Hybrid Broadcast Broadband TV (HbbTV), including WiFi eavesdropping, fake analytics, content redirection, fake news tickers, Bitcoin mining and more.


Herfurt’s post describing the attacks credits TU Darmstadt for demonstrating that MAC addresses and packet lengths sniffed from the TV’s WiFi traffic allow an eavesdropper to infer someone’s viewing habits.

More entertaining, however, is the number of ways an attacker could redirect what a victim sees, because the smart TVs use an embedded web browser – in Samsung’s case with JavaScript support and WebKit 1.1 compatibility – which, among other things, loads HTML applications signalled in the DVB broadcast stream.

This, Herfurt writes, makes it trivial for an attacker to inject their own URLs into the stream, or to use DNS attacks to redirect the TVs to their own content. He also noted that none of the broadcasters using HbbTV are serving their applications over SSL, so the content can be spoofed on the network path as well.

All of these attacks suggest other, even more malicious, possibilities: “Once attackers managed to redirect the HTTP requests of the TV to controlled sources, many different HTML-/Javascript-based attacks become possible,” he writes.

And yes, those attacks include Bitcoin mining – although The Register presumes you’d need a lot of televisions to get anywhere – because one of Herfurt’s collaborators, Matthias Zeitler, demonstrated dropping the JavaScript-based BitcoinPlus miner onto an attacked TV.

Finally, Herfurt notes, the presence of the JavaScript XMLHttpRequest object in the TVs’ browsers means injected script can make requests to other hosts on the LAN the set is attached to, opening up a number of attacks on that network. He suggests that TV manufacturers do more work to make the browsers secure and configurable by users. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/06/smart_tvs_riddled_with_dumb_security_holes/

LinkedIn snarfing contacts from Exchange

LinkedIn offers lots of chances for its users to hand over credentials so the social business network can suggest new connections. But a new offer to do so for Microsoft Outlook means contacts can be sucked out of Microsoft Exchange and exposed to the world.

Australian sysadmin Adam Fowler noticed the feature and detailed its behaviour in a blog post that explains what happened when he created a test account on the Exchange server he administers:


“I tried this with a test account, entering the username and temporary password. It then asked for further information, which was the address for the Outlook webmail link and then connected and started showing contacts.

LinkedIn on this page says ‘We’ll import your address book to suggest connections and help you manage your contacts. And we won’t store your password or email anyone without your permission’.”

Fowler’s point is that users who innocently hand their contacts to LinkedIn are also handing a third party a working domain credential and the address of the company’s Exchange server, which isn’t a good idea. That LinkedIn can access the names and details of contacts stored in a business’ system – and perhaps gathered solely for business purposes – is also a worry, as it enables a third party to understand links between two people that may not otherwise be made public.

And as Fowler points out, LinkedIn doesn’t have the world’s greatest security record.

Happily, Fowler has found that some tweaks to Exchange prevent LinkedIn from accessing contacts.

Here’s his advice:

“There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be ‘EnforceAllowList’ and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block what’s listed. Next, you need to add LinkedIn into the BlockList. This is done with the command ‘Set-OrganizationConfig -EwsBlockList LinkedInEWS’”
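The following is an added example, not Fowler’s script and not anything from LinkedIn or Microsoft, showing the audit-then-block procedure above as something you can run in the Exchange Management Shell. It assumes Exchange 2010 SP1 or later (the release that introduced the EWS application access policy) and that “LinkedInEWS” is the user-agent string Fowler’s post names; confirm that against your own EWS/IIS logs before relying on it. It also handles a case the quoted advice skips: EwsApplicationAccessPolicy can be empty, meaning no policy at all, in which case every EWS client is allowed.

```powershell
# Added example, not Fowler's script or anything from LinkedIn or Microsoft:
# audit the org-wide EWS application access policy and block a client by
# its EWS user-agent string. Run in the Exchange Management Shell
# (Exchange 2010 SP1 or later).
# Assumption: "LinkedInEWS" is the user-agent Fowler's post names; confirm
# it against your own EWS/IIS logs before relying on it.

$blockedAgent = 'LinkedInEWS'

# 1. What is in force today? EwsApplicationAccessPolicy can be empty (no
#    policy at all); with no policy every EWS user-agent is allowed.
$org = Get-OrganizationConfig
$org | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

if ($org.EwsApplicationAccessPolicy -eq 'EnforceAllowList') {
    # Allow-list mode: only listed user-agents can use EWS. Just make sure
    # the client is not on the allow list.
    if ($org.EwsAllowList -contains $blockedAgent) {
        Set-OrganizationConfig -EwsAllowList @{Remove = $blockedAgent}
        "Removed $blockedAgent from EwsAllowList"
    } else {
        "Allow-list mode and $blockedAgent is not listed: nothing to change"
    }
} else {
    # Block-list mode, or no policy at all: enforce the block list and add
    # the client. @{Add=...} appends rather than overwriting existing entries.
    Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList `
                           -EwsBlockList @{Add = $blockedAgent}
    "Block-list mode enforced; $blockedAgent added to EwsBlockList"
}

# 2. The same EWS settings also exist per mailbox (Set-CASMailbox takes the
#    same parameters), so list any mailbox carrying its own policy and
#    check it too.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsApplicationAccessPolicy -or $_.EwsAllowList -or $_.EwsBlockList } |
    Select-Object Name, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# 3. Confirm the org-wide result.
(Get-OrganizationConfig).EwsBlockList
```

One caveat worth stating plainly: the block list matches on the User-Agent header the client sends, so it stops a service that identifies itself honestly and nothing else. It does not get the password back from whoever the user gave it to, and it does nothing for Outlook Web App or ActiveSync, so the durable fix is still to stop users handing domain credentials to third parties.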

The Reg has asked LinkedIn to comment on whether it is appropriate for its Outlook connection service to reach into Exchange servers and will update this story if a response is offered. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/06/linkedin_snarfing_contacts_from_exchange/

Microsoft and FBI storm ramparts of Citadel botnets

The ZeuS-derived Citadel botnet, which rose to public prominence last year, is being progressively disabled by Microsoft and the FBI is on the hunt for its masters.

Microsoft says Citadel was used to raid bank accounts around the world and netted more than $US500m. Redmond’s Digital Crimes Unit says 1,000 of the estimated 1,400 botnets created by Citadel have now been booted offline.


According to Reuters, institutions hit by the botnet include American Express, Bank of America, Citigroup, Credit Suisse, eBay’s PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo.

Citadel, whose capabilities include keylogging, emerged after the source code for the infamous ZeuS cybercrime toolkit was released in 2011. The combination of freely available source code and forums for virus-writers allowed it to evolve quickly, gaining features such as encrypted malware configuration files and blocking of security vendors’ websites on infected machines.

Citadel was also designed to be invisible to sites tracking ZeuS – which may help explain why it’s had such a long life in the wild.

Microsoft’s post concedes that not all of the botnets have been taken down, but Richard Boscovich of the Digital Crimes Unit believes it will “significantly disrupt Citadel’s operation”.

It was, Boscovich writes, the first time a botnet operation has involved both the private sector and law enforcement, with the FBI taking a hand to execute a civil seizure warrant to help disrupt the botnet. Data and evidence were seized from data centres in Pennsylvania and New Jersey.

Microsoft has also filed a “John Doe” civil lawsuit in North Carolina against the alleged controller of the botnet, who uses the handle Aquabox and is believed to be in Eastern Europe (partly because Citadel leaves machines in the Ukraine and Russia alone).

The FBI is also working with Europol, along with law enforcement in Australia, Brazil, Ecuador, Germany, Holland, Hong Kong, Iceland, India, Indonesia, Spain and the UK. The international effort is seeking to identify the 81 “herders” who helped Aquabox operate the botnet.

Boscovich writes: “… during our investigation we found that Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer. However, with the disruptive action, victims should now be able to access these previously blocked sites.

“We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats. (Of note, Windows Vista, Windows 7 and Windows 8 have measures in place to help protect against this type of misuse of product keys.)” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/06/microsoft_feds_breach_citadel_botnets/

NATO defence ministers agree: This cyber business is very serious

NATO ministers have agreed to step up efforts to protect members’ cyber networks, but are still unsure whether or not to step in and sort out individual hacks.

Secretary General Anders Fogh Rasmussen said in a press conference after the first defence ministers’ meeting devoted to cyber issues yesterday that attacks were “getting more common, more complex and more dangerous”.


“They come without warning. From anywhere in the world. And they can have devastating consequences,” he said.

Rasmussen said that NATO had dealt with over 2,500 “significant” hacks in the last year alone, although its security had not been compromised.

The ministers agreed that NATO’s cyber defence capability would be up and running by the autumn, protecting all the networks of its members.

“We are all closely connected. So an attack on one Ally, if not dealt with quickly and effectively, can affect us all. Cyber-defence is only as effective as the weakest link in the chain. By working together, we strengthen the chain,” Rasmussen said.

The assembled war-politicos also agreed to set up rapid response teams to protect NATO’s own systems, which are a priority because they are used to coordinate military operations among the allies.

However, the ministers weren’t able to agree on whether the organisation should get involved if individual members were asking for help with cyber attacks. They were only able to get as far as agreeing that they needed to talk about it some more.

“We agreed that we will continue our discussion at our next meeting in October on how NATO can support and assist Allies who request assistance if they come under cyber attack,” Rasmussen said. “We will do that on the basis of a detailed report that we have tasked today.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/nato_agrees_to_up_cyber_defence/

Big Brother? Social networks are far worse, says Estonian president

CyCon 2013 Fears about states’ Big Brother-style invasions of peoples’ privacy are outdated, and citizens should instead be worrying about how social networks and supermarkets are using their private data, says the president of Estonia.

Toomas Hendrik Ilves explained today at the annual International Conference on Cyber Conflict that Estonian law means citizens are the owners of their personal data. By law, citizens are provided with transparency tools showing how their personal information is being used by the Estonian government.


While there have been internal breaches of data held by the state – such as a policewoman accessing information on her boyfriend – there have been no external breaches, according to Ilves.

The Estonian president said he was always asked about fears over Big Brother when it came to state-sanctioned data collection, but dismissed these concerns as being based on an outdated question. Most users are sharing far more personal data, quite willingly, with commercial entities.

“No government follows you as much as a social network,” Ilves said. “No government collects as much information about your preferences as a supermarket.”

“Data on smartphones shows how peoples’ weight loss plans or even how many push ups they make every day,” he added.

Ilves also said that many users naively think free smartphone apps and social networks are good Samaritans giving them something for free, rather than making money by selling ads on the basis of harvesting users’ personal data.

“It used to be said that there’s no such thing as a free lunch, but now you can say there’s no such thing as a free app,” he said, adding that in the modern era of social networking and smartphone apps, states can act as “guardians of privacy” rather than invasive snoops.

Estonia is one of the most wired countries in Europe, and the Estonians aren’t shy of delivering government and other public services through the web. The vast majority of banking (98 per cent) is conducted online, a similar number of tax returns (98 per cent) are filed online and 95 per cent of prescriptions are issued online.

Citizens can access e-government services using either an ID card (“which for some reason scares people in the English-speaking world”, according to Ilves) or via the SIM cards in their mobile phones.

Estonia’s love affair with the web even extends to its elections, with a full quarter of votes in the Baltic republic being cast online. President Ilves himself is a regular Twitter user, providing a refreshing alternative to the sanitised, PR-friendly Twitter feeds of most British ministers.

Back in 2007, civil unrest over the removal of Soviet-era memorials spilled over onto the internet, with several government websites knocked offline. A Russian student was later arrested over the attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/big_brother_facebook/

Spooks nicking your tech? What you need is THE CLOUD

CyCon 2013 Nations swiping intellectual property from rival states and corporations are a much greater threat to economies than private cyber-criminals, America’s spymaster reckons.

General Keith Alexander, National Security Agency (NSA) director and commander of US Cyber Command, made his comments during the NATO-organised CyCon conference in Estonia today.


“Theft of intellectual property has resulted in the greatest transfer of wealth in history,” he said.

The spook boss accused countries of pilfering copyrighted and patent-protected documents, but declined to name the nations involved. However, senior officials in the US’s Obama administration have consistently claimed China rifles through foreign networks, an allegation the Communist state’s officials routinely dismiss.

Gen Alexander said America and its allies are “partly to blame” for this intellectual property theft because they had not sufficiently secured their systems, patched against known vulnerabilities or detected known malware. Estonia, for example, was famously rocked by a country-wide distributed denial-of-service (DDoS) assault that disrupted banks and government services in May 2007.

Since then the world’s cyber-agents have moved from “disruptive to destructive attacks”, according to Gen Alexander, who cited the Shamoon wiper malware that derailed the computer network of oil giant Saudi Aramco last year. “These attacks are growing in intensity and frequency,” he said, warning that the US and its allies cannot repel them all.

He called for the wider adoption of cloud-like architectures – running everything on a centrally managed server farm – so that patches can be quickly and easily rolled out, and costs cut by more efficient use of computing resources. That’s opposed to networks upon networks of spread out systems riddled with bugs that have to be monitored and maintained.

Gen Alexander added that the issue was partly to do with training. “Malware typically stays on systems for six to nine months before it’s identified because people aren’t trained to find it. Fixing the architecture would not only thwart intellectual property theft but help take care of crime,” he said.

And he suggested it was necessary to pass laws in the US requiring corporations to “tell us when an attack is going on” so that action can be taken to shore up the defences of Uncle Sam’s interests.

“Contrary to what you have heard, the NSA cannot see an attack going into Wall Street unless someone tells us about it,” Gen Alexander claimed, adding that this intelligence has to be supplied to his spooks in real time. Such information-sharing proposals are a political hot potato in the US.

The general went on to say that situation-awareness in the online world is poor: “We don’t have a good picture of what cyber-attacks look like and without that you don’t have a good framework for policy decisions.”

When a sufficiently large DDoS attack – usually launched from an army of hacker-controlled malware-infected PCs – is detected in a country, the usual response is to alert that nation’s computer emergency response team, which gets in touch with its counterparts in the states hosting the attacking machines to ask for help and a cleanup.

But Gen Alexander argued that approach wouldn’t work if, for example the German stock exchange was under attack and you had “30 seconds to decide what to do and how to do it. Putting a ‘shout out’ is not enough and you might ultimately need to take offensive measures.”

He outlined this scenario in arguing that a policy and legal framework needs to be put in place that would allow US Cyber Command to deal with such a future possible threat. “Otherwise we can expect an investigation and Congressional hearing, followed by more Congressional hearings during which I’ll be asked why didn’t we do something,” he said, adding that the US had a great deal of secret intelligence on the sources of cyber-attacks around the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/nsa_cycon_keynote/

Space boffins, oil giants, nuke plants ‘raided’ by MYSTERY code nasty

A piece of government-bothering malware called NetTraveler has been active since 2004 – and targets agencies and organisations involved in space exploration, nanotechnology, nuclear power, lasers, medicine, communications and more.

And that’s according to researchers at security biz Kaspersky Lab.


More than 350 high-profile outfits in 40 countries have been hit by strains of NetTraveler, we’re told. Embassies, oil and gas corporations, research institutes, military contractors and activists have been compromised by the software nasty over the years, it is claimed.

Attackers wielding the Windows malware typically infiltrated their targets with a combination of spear-phishing emails and booby-trapped Microsoft Office documents that exploit software vulnerabilities, specifically CVE-2012-0158 and CVE-2010-3333.

Updates to fix the security bugs were available from Microsoft at the time of the attacks, so delayed or incompetent patch rollouts were a big contributing factor in the spread of NetTraveler.

Researchers at Kaspersky Lab obtained and analysed logs of infections from several of the malware’s central command-and-control servers, which remotely control the thing once it is installed on a machine. The files showed that data was harvested from the compromised computers.

The top 10 targeted countries were an odd mix: Mongolia came top of the table, followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany. It is worth noting that the Chinese military has a large training area located in Inner Mongolia, where it practises cyber-warfare techniques.

Six victims were infected by both NetTraveler and Red October, another cyberespionage operation uncovered by Kaspersky Lab. However, no direct links between the NetTraveler attackers and the Red October miscreants were unearthed. More details on NetTraveler can be found in a blog post by Kaspersky Lab’s threat researchers on Securelist. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/nettraveler_cyberespionage/

A couple of whitepapers about SIEM

Promo In our first visit to the Reg whitepaper library in some time, we took time out to inspect the security pitches. Here are a couple of vendor papers about SIEM (security information and event management) software that we thought deserved a wider airing. Registration is, as per usual, required.

Data control in the cloud


This whitepaper from Accelops, a fast-growing Silicon Valley SIEM start-up, is based on a February 2013 survey of IT security professionals and how their organisations are responding to the cloud.

Unsurprisingly, they are most concerned about BYOD – and equally unsurprisingly, given the publisher, a large proportion are unhappy with their SIEM monitoring tools.

White paper trail

In this paper, McAfee also mainlines on SIEM. The focus here is on managing the security challenge posed by Big Data, but like Accelops the focus is on the shortfalls of traditional SIEM tools.

The paper delivers a neat history lesson on SIEM tools, argues why they are inadequate for today’s needs, and provides a checklist of the core capabilities of an “ideal SIEM system”.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/siem_whitepapers_promo/

Australia’s de-facto Internet filter may block 250k sites

The Australian Securities and Investment Commission (ASIC), has told a hearing of the Australian Parliament’s Senate Estimates committee that its attempt to block access to the IP address of one investment scam site could have blocked 250,000 sites in total.

The Commission told Estimates yesterday that it first conceived of the idea of using “section 313 notices” to attack investment scammers in 2012. By the kind of thundering coincidence that would destroy any detective novel, that was also about the time that the Australian Federal Police (AFP) started using the same regime to get Australia’s largest ISPs to filter out content on the Interpol “worst of the worst” list. The AFP did so after Australia backed away from a policy to build a national internet filter.


However, ASIC said the AFP’s actions had nothing to do with its decision, and that it had been considering ways to block investment cold-call scams for some time. The problem ASIC is trying to deal with is mass-calling campaigns launched by scammers who then direct victims to Websites, at which they register and hand over their money.

In its opening statement to the committee (Crikey has a copy here), ASIC said that in addition to the blocking of an IP address that took out 1,200 sites hosted at the same address, a similar request in March blocked 250,000 sites. In its defence, the commission said most of the URLs hosted at the target IP “appear to contain no substantive content” and that fewer than 1,000 “active” sites had been affected (El Reg presumes that the remaining 249,000 were parked domains).

The agency told Estimates its use of requests under Section 313 of the Telecommunications Act to have sites taken down was, in part, conceived because domain registries often responded slowly to its requests to pull scammers’ registrations.


The Estimates session also proved conclusively that fax is not yet dead in Australia: the Section 313 request is in the form of a letter “faxed out to the telecommunications carriers”. ASIC focuses on the largest carriers only, on the basis that any retailers using their wholesale services will also be unable to serve blocked sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/asic_censorship_scandal_escalates_250k_sites_blocked/

Schneider moves on ancient SCADA vuln

Schneider Electric has begun patching a hard-coded Ethernet credential vulnerability in its kit, a mere 18 months after it was discovered and published.

The original vulnerability, discovered by Rubén Santamarta and published in December 2011, provided access over Ethernet to the telnet, FTP and Wind River debug ports of Schneider Electric’s Quantum Ethernet Modules.


The ICS-CERT advisory states that the vulnerabilities provide remote access and privilege escalation to an attacker, on SCADA systems used in energy, manufacturing and infrastructure environments.

Schneider Electric has now patched at least part of the vulnerability, issuing four patches that remove the Telnet and Wind River debug services from the affected BMXNOE01x0 and 140NOE771x1 module versions. There’s also a patch to disable FTP and HTTP services on some modules.

Further patches will be required to carry the fixes across all devices.

Santamarta’s original discovery of the hard-coded credentials was made quite simply: he downloaded the Schneider Electric firmware and took a look.

The hard-coded credentials were egregious: some were provided in the scripts used for firmware updates, and another account identified inside a Java comms script. Other admin-level accounts were hidden deeper in the code with hashed passwords that Santamarta was able to crack. ®
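The following is an added example, not Santamarta’s tooling and not anything from Schneider Electric, of the “download the firmware and take a look” step described above: pull the printable strings out of a firmware image and flag the two things this story turns on, credential assignments in embedded scripts or source, and hex tokens of hash length that may be stored password hashes worth cracking offline. It assumes the image is an unpacked flat binary (compressed or encrypted images must be unpacked first); the sample bytes, account names and passwords below are constructed for the example and are not the real Schneider credentials.

```powershell
# Added example, not Santamarta's tooling or anything from Schneider Electric:
# first-pass triage of a firmware image for hard-coded credentials.
# Assumptions: flat, unpacked image; the keyword list is a starting point.

function Get-PrintableStrings {
    # Emit every run of printable ASCII of at least $MinLength characters,
    # the same idea as the Unix strings(1) tool.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 6
    )
    $run = New-Object System.Text.StringBuilder
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) {
            [void]$run.Append([char]$b)
        } else {
            if ($run.Length -ge $MinLength) { $run.ToString() }
            [void]$run.Clear()
        }
    }
    if ($run.Length -ge $MinLength) { $run.ToString() }
}

function Find-HardcodedCredentials {
    # Classify extracted strings: credential-looking assignments (shell
    # scripts, Java source, config) and MD5/SHA-1/SHA-256-length hex tokens
    # that may be stored password hashes.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $credPattern = '(?i)\b(pass(word|wd)?|pwd|user(name)?|login|secret|apikey)\b\s*[=:]\s*["'']?[^\s"'']+'
    $hashPattern = '(?<![0-9a-fA-F])([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})(?![0-9a-fA-F])'
    foreach ($s in (Get-PrintableStrings -Bytes $Bytes)) {
        if ($s -match $credPattern) {
            [pscustomobject]@{ Kind = 'credential';    Text = $s; Token = $null }
        } elseif ($s -match $hashPattern) {
            [pscustomobject]@{ Kind = 'possible-hash'; Text = $s; Token = $Matches[1] }
        }
    }
}

# Constructed sample image: fragments resembling an FTP-based update script,
# a Java comms class and a hashed-password table, separated by binary
# filler. Names and passwords are made up; the hex token is MD5("password").
$ascii  = [System.Text.Encoding]::ASCII
$filler = [byte[]]@(0x00, 0xFF, 0x7F, 0x01, 0x80, 0x00, 0x00, 0xFE)
$parts  = @(
    '#!/bin/sh',
    'ftp -n $TARGET <<EOF',
    'USER=svc_update',
    'PASS=Upd4te!Me',
    'FtpSession.java',
    'String login = "maint";',
    'password: "M4int-0nly"',
    'admin:5f4dcc3b5aa765d61d8327deb882cf99',
    'shell>'
)
[byte[]]$image = @()
foreach ($p in $parts) { $image += $ascii.GetBytes($p); $image += $filler }

Find-HardcodedCredentials -Bytes $image | Format-Table -AutoSize
# Expected: four 'credential' rows (USER, PASS, login, password) and one
# 'possible-hash' row for the admin entry.

# Against a real image:
# Find-HardcodedCredentials -Bytes ([System.IO.File]::ReadAllBytes('C:\fw\module.bin'))
```

Hits of the first kind are usable as-is, which is exactly why credentials in an update script are so damaging: the updater needs them in clear text to log in. Hits of the second kind are the ones Santamarta had to crack; a single unsalted hash of a fixed vendor password is a one-off job for any offline cracker, after which every unit running that firmware shares the result.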

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/schneider_moves_on_ancient_scada_vuln/