STE WILLIAMS

Guantanamo Bay Naval Base, the enclave of Cuban territory leased by the US government, has switched off its WiFi service and cut access to social networks for fear of attack by Anonymous.

The hacktivist group recently set #OpGTMO in train, pledging to “shut down Guantanamo”.

That’s probably not a reference to the whole of the Naval base, which the US intends to keep operating. The detention facilities at the base, where many prisoners have been held for years without trial or charge, is Anonymous’ target. Several prisoners at the facility are currently on hunger strike, protesting their long detention, often without charge or prospect of trial.

US President Barack Obama pledged to shut down the detention facilities during his first presidential election campaign but is yet to do so. The legal contortions used to justify the prisons’ creation and the internees’ detentions have proved hard to undo or remake in a timely fashion. Critics also say it remains useful for the USA to keep the legal black hole that is Gitmo alive.

Associated Press now reports that Anonymous’ threat has seen the prison shut down its WiFi.

It’s unclear why: the naval base does include some housing for military personnel’s families, but civilian access to the base is controlled. It’s hard to know if that housing is within WiFi range of the prisons, but it seems highly unlikely Anonymous operatives could get anywhere near the base’s access points, making an an attack on that vector unlikely.

A ban on social media is easier to explain: who’d want Instagram pics of escaped prisoners roaming the streets if Anonymous does succeed in cracking open a Gitmo prison? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/22/gitmo_wifi_shutdown/

AusCERT 2013 One of the reasons we can’t have nice things like a secure Internet is that vendors of consumer kit can’t be bothered.

That’s the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today.

Moore told delegates that while systems administrators might be doing a decent job of protecting their systems (actually, too many aren’t – they leave things like default passwords open, for example), it becomes almost irrelevant in the face of the threats created by modems, routers, phones, because vendors of embedded systems in general just don’t care.

“You can probably own five percent of the total Internet without even blinking,” Moore said.

Without detailing Moore’s entire research methodology, he presented the results of a large-scale scan of the IPv4 address space, looking at TCP and UDP services, and turning up “endemic” vulnerabilities.

While people leaving unauthenticated Telnet open to the world is just stupid, he held his harshest criticisms for the way embedded systems manufacturers seemed happy to sling insecure systems into the world and, even with known vulnerabilities, decline to issue fixes.

UPnP remains, unsurprisingly, a big vector. “Two out of the top three UPnP stacks are exploitable,” Moore said – representing 63 percent of the devices in which UPnP is visible to the outside world. Then there’s Web servers, many of them embedded, and vulnerable SNMP systems.

Of SNMP, he noted that there are 75 million vulnerable systems worldwide (in Australia, oddly, the most common being a Campbell Scientific soil data logger), and he asserted that six percent of all Cisco devices visible on the Internet offered SNMP read access – making user ID and password exposures a cinch.

The length of the supply chain in the embedded/consumer system market is also problematic: the embedded software might ship from one vendor, be turned into a module by a second vendor, integrated into a finished system by a third, and branded by a fourth – none of which seem willing to protect end users who may not even own the vulnerable product (for example because it’s a cable modem).

“We’re going to have some really nasty incident … then there’ll be a knee-jerk reaction” before things are fixed, he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/22/unpatched_embedded_system_threats/

The Chinese hackers involved in the Operation Aurora attacks revealed by Google in 2010 may have accessed top secret information on US surveillance targets in the country including suspected foreign spies and terrorists, it has emerged.

Speaking anonymously to the Washington Post, “US officials” familiar with the infamous data breach said that the hackers may have gained valuable intelligence by accessing a highly sensitive database detailing court orders authorising the surveillance.

Although they said it was unclear how much the attackers managed to find out, such info could theoretically help a foreign power identify which of their operatives were under investigation.

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” one official told the DC-based paper.

The findings echo comments made by Dave Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, at a Washington conference last month.

He revealed that an attempt was also made to breach Redmond’s systems to find out which email accounts “we had lawful wiretap orders on”, according to CIO.

When Google revealed the Aurora breach back in January 2010, the first time a major company had named and shamed Chinese hackers for an attack, chief legal officer David Drummond claimed: “we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.”

The firm even used the attacks, which it was careful never to attribute to the Chinese government, as one of its reasons to largely shutter its China search business, moving its servers to neighbouring Hong Kong.

The Chocolate Factory is offering no comment on these new revelations but if accurate, they don’t reflect too well on the effectiveness of its information security defences at the time.

Former CIA officer and SANS guest editor Christopher Burgess argued that Google should at least have expected something like this to happen:

If the PRC learned that their officers or surrogates were being subjected to official US Government inquiry via review of the Google data stores, they could follow two paths: tone down and extract the individual, or light up and misdirect the US security services. A key point is that any service provider which is subject to lawful intercept inquiries by the US Government (in this case for counter-intelligence purposes) has had fair warning – you are the target of nation states’ CI programs.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/22/google_aurora_hack_spy_data_nabbed/

Twitter accounts run by the Daily Telegraph were hijacked by pro-Assad hacktivists from the Syrian Electronic Army briefly on Monday evening.

The UK broadsheet’s Facebook account was also purloined by group in the latest in a growing line of similar attacks against high-profile media outlets including the FT, The Guardian, Associated Press, CBS, the BBC, Al Jazeera and even satirical magazine The Onion.

The hijacked @TelegraphNews Twitter account was used to punt pro-Assad propaganda as well as to brag about the reported takeover of other accounts including @TelegraphArt, @TelegraphFilm, @Tele_Comedy, @TelegraphSport, and @TelegraphBooks.

The offending messages were quickly purged after control of the affected accounts was wrested away from the hackers. However, a record of the offending messages can be found on the personal blog of veteran infosec expert Graham Cluley here.

We don’t know how the @TelegraphNews Twitter feed was hacked, although a determined multi-stage phishing campaign akin to that successfully performed by the same group against The Onion is the most likely explanation.

The SEA’s attack on The Onion ultimately succeeded in extracting passwords for email accounts charged with running social media feeds, at which point hackers would obviously have gained complete control over these profiles, allowing them to post whatever they wanted.

Twitter has told media organisations to be wary of this type of attack but until it introduces two-factor authentication, experience suggests this sort of account-hijacking assault will continue to be a useful outlet for propaganda for hackers affiliated with the SEA, who appear to have cornered the market for this sort of thing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/21/sea_hijacks_telegraph_twitter_feeds/

Security researchers have uncovered what appears to be a sophisticated targeted attack launched from India and designed to steal information from a range of government and private enterprise victims in Pakistan, China and elsewhere.

What began as an investigation into an attack on Norwegian operator Telenor soon uncovered evidence to show attackers probably hailing from India had been lifting info from business, government, poltical organisations for as long as three years.

Norwegian anti-malware firm Norman AS claimed in its Operation Hangover (PDF) report that although the attack infrastructure appeared “predominantly to be a platform for surveillance against targets of national security interest (such as Pakistan)”, as well as industrial espionage, there is no direct evidence to link it to state-sponsored players.

Attackers used spear phishing techniques, exploiting known Microsoft software vulnerabilities – no zero days – to drop info-stealing malware dubbed “HangOver” onto victims’ machines.

Finding readable folders on a number of CC servers, the researchers dug deeper to discover several malicious executable digitally signed with a certificate which had been revoked in 2011.

Domains registered by the attackers were almost all privacy protected, while “almost all websites belonging to this attacker has their robots.txt set to ‘disallow’ to stop them from being crawled”, the report continued.

However, the attack is far from advanced, according to security firm Eset, which has also been investigating.

“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks,” the vendor said in a blog post.

The researchers at Norman explained how the initial Telenor attack allowed them to widen the investigation, as follows:

We have direct knowledge of only one attack – the one against Telenor. During this investigation we have obtained malware samples and decoy documents that have provided indications as to whom else would be in the target groups. We have observed the usage of peculiar domain names that are remarkably similar to existing legitimate domains. We have also obtained sinkhole data for a number of domains in question and found open folders with stolen user data in them; enough to identify targets down to IP and machine name/domain level.

These IP addresses hail from a large range of countries globally including China, Russia, France and the US but the vast majority correspond to Pakistan.

Aside from Telenor the report listed other attack targets as energy companies the Eurasian Natural Resources Corporation (ENRC) and Bumi; Porsche Informatik; and Chicago Mercantile Exchange.

“The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin,” the report concludes.

Interestingly, an analysis of the project paths for malware creation revealed a highly organised operation in which “multiple developers are tasked with specific malware deliverances”:

There are many diverging project paths which points towards different persons working on separate sub-projects, but apparently not using a centralised source control system. The projects seem to be delegated into tasks, of which some seem to follow a monthly cycle.

The report also points out that the word “Appin” crops up in various contexts and cases, including malware file names, speculating some actor may be deliberately trying to implicate Indian security company Appin Security Group in the attacks.

The company has now issued a warning notice on its home page urging the public “not to be misled by any communication received through fictitious domains which are purportedly being made by, or on behalf of, our company”.

It also sent a strongly worded statement to The Hacker News claiming the reference to Appin in the report was a “marketing gimmick on the part of Norman AS” and that it has already initiated legal proceedings against the Norwegian firm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/21/hangover_india_apt_discovered/

The Stuxnet worm may have actually pushed forward Iran’s controversial nuclear programme over the long term.

That’s according to a report published by the Royal United Services Institute, an influential defence think tank in the UK.

The infamous worm infected systems at Iran’s uranium enrichment facility at Natanz in 2009 and 2010, hobbling high-speed centrifuges after infecting computers connected to SCADA industrial control systems at the plant.

The sophisticated attack, seen as an alternative to a military strike against the facility, is credited with putting Iran’s nuclear programme back by between 18 months to two years. The malware worked by infiltrating the SCADA systems used to run the high-speed gas centrifuges. It then randomly, and surreptitiously, speeded them up and slowed them down to induce seemingly random, but frequent, failures.

However, a journal article published by the Royal United Services Institute (RUSI) claims that Iranian authorities redoubled their efforts after Stuxnet was discovered, so that production of fissile material went up – rather than down – a year after the SCADA-busting worm was discovered.

The malware acted as a wake-up call that prompted the Iranians to throw more resources at the nuclear project, bonded personnel together and prompted security audits that uncovered vulnerabilities that might otherwise have gone unnoticed, the Daily Telegraph also noted.

The Obama administration last year leaked its role in developing Stuxnet as part of a wider US-Israeli effort, codenamed Operation Olympic Games, that began under the presidency of George W. Bush. Public revelation of this suspected role thwarted the slim possibility of a diplomatic resolution to Iran’s nuclear ambitions, while acting to put the country closer towards a war footing with Israel.

The Washington-based Institute for Science and International Security claimed in February 2011 that Stuxnet likely destroyed about 1,000 IR-1 centrifuges, out of 9,000 deployed at Natanz.

Yet Ivanka Barzashka, an academic at King’s College, London, who penned the RUSI article, reckons the initial impact of the worm has been overestimated by those left somewhat awestruck by the effect of the world’s first cyber-weapon.

“While Stuxnet may have had the potential to seriously damage Iranian centrifuges, evidence of the worm’s impact is circumstantial and inconclusive,” she wrote in the RUSI journal. “Related data shows that the 2009 version of Stuxnet was neither very effective nor well-timed and, in hindsight, may have been of net benefit to Tehran.”

Barzashka’s analysis is primarily based on publicly available data from the International Atomic Energy Agency (a dedicated “IAEA and Iran” microsite is available here).

Iran decommissioned and replaced about 1,000 high-speed IR-1 centrifuges at its fuel enrichment plant (FEP) at Natanz over just a few months starting late in 2009. But since August 2010 the number of operational machines at Natanz has been “steadily growing”, as Barzashka claimed in her piece:

Iran began enrichment to 20 per cent in one IR-1 cascade at the Pilot Fuel Enrichment Plant at Natanz in February 2010, ostensibly to manufacture its own fuel for the Tehran Research Reactor, which is used to produce medical isotopes. This development shows that Iran was able to successfully install and operate new machines in early 2010, between the first and second Stuxnet attack waves. If Stuxnet was the cause of the drop in machine numbers at block A26, it had no effect on Iran’s ability to operate and install new IR-1 centrifuges several months later.

The Natanz FEP began operation in February 2007, but prior to Stuxnet could only produce enrichment levels of 3.5 per cent, which is suitable only as low-grade reactor fuel. Barzashka explained that IAEA physical inventory data on the number of centrifuges installed at the Iranian facility are potentially misleading because machines have constantly been installed and upgraded over time.

“Calculations show that performance at the FEP – measured as separative capacity – has increased every year since the beginning of operations in 2007,” she writes. “Data for the 2010 reporting period – from 22 November 2009 to November 2010 – are no exception. In fact, uranium-enrichment capacity grew during the time that Stuxnet was said to have been destroying Iranian centrifuges.”

Barzashka concluded:

Iran produced more enriched uranium, more efficiently: the entire plant’s separative capacity per day increased by about 40 per cent, despite the fluctuations in centrifuge numbers.

In January 2010, Iran was running 1,148 centrifuges fewer than it had operating seven months earlier, in May 2009. In August 2010, IAEA inspectors counted the same number of machines as in August 2008, giving rise to the probable source of the claim that Stuxnet set back Iran’s enrichment programme by two years.

Both of these raw figures are misleading, according to the defence analyst.

Barzashka reckons that while Stuxnet might have temporarily slowed Iran, at least in 2009, its operations emerged from the aftermath of the worm leaner and meaner. Its technicians improved centrifuge performance before achieving higher concentrations and greater volumes of enriching uranium than before.

Worse yet, the Iranians are far more wary about – and better prepared to defend against – future cyber-attacks against their nuclear facilities by possible successors to Stuxnet.

“Iran’s uranium-enrichment capacity increased and, consequently, so did its nuclear weapons potential,” Barzashka wrote. “The malware – if it did in fact infiltrate Natanz – has made the Iranians more cautious about protecting their nuclear facilities,

“The malware did not set back Iran’s enrichment programme, though perhaps it might have temporarily slowed down Iran’s rate of expansion. Most importantly, Stuxnet or no Stuxnet, Iran’s uranium enrichment capacity increased and, consequently, so did its nuclear weapons potential.” she concludes.

Former Foreign Secretary Sir Malcolm Rifkind criticised Barzashka’s report before stressing that bilateral diplomatic talks between the US and Iran remain the best way to address Iran’s nuclear ambitions.

“Part of the objective of many people in the international community has been to stop, or if you can’t stop, to slow down the Iranian nuclear programme,” Rifkind, chairman of Parliament’s Intelligence and Security Committee told the Telegraph. “In so far as Stuxnet may have done that, and I emphasise may have done that, it was a plus.”

“What is undoubted is that it [Stuxnet] significantly slowed down the enrichment process,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/21/stuxnet_helped_iran_says_boffin/

Heavyweights of the cryptographic world have lined up behind a campaign against proposed US wiretapping laws that could require IT vendors to place new backdoors in digital communications services.

Technical details are vague at present, but the planned law could mandate putting wiretap capabilities in endpoints to cover everything from instant messaging and chat to services such as Skype, Google Hangouts and even Xbox Live.

The plan to update the Communications Assistance for Law Enforcement Act (CALEA) comes as part of proposals to update US wiretapping laws drafted in the 1990s, which were designed to apply to telephone exchanges and switching equipment.

Critics of the proposed law – including cryptographer Bruce Schneier and Phil Zimmermann, the creator of email encryption package PGP – argue that any backdoor would be open to abuse by hackers, including foreign governments. Any such system would necessarily make software both more complex and harder to secure, as well as posing a privacy risk.

Advocates of updating CALEA say it should apply to encrypted VoIP channels, P2P and instant mobile messaging services to help fight organised crime and terrorism. The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless.

Computer scientists argue that the opposite is closer to the truth: information about people’s movements and communications is more freely available than ever before, thanks to social networking and smartphones. Through moves such as the proposed “CALEA II” law, US agencies are getting closer to achieving their goal of real-time tapping of online communications. We are, therefore, living in a golden age of state surveillance.

In addition, critics point out that CALEA-mandated systems have been abused. For example, eavesdroppers tapped the mobile phones of the then Prime Minister of Greece, Kostas Karamanlis, his cabinet ministers and security officials for about nine months between June 2004 and March 2005 around the time of the Athens Olympics.

The spies used CALEA backdoors on Vodafone Greece switches to illegally plant spyware so that conversations were relayed to 14 “shadow” pay-as-you-go mobile phones.

The Greek newspaper Kathimerini on Sunday revealed in 2011 that four of those phones were originally purchased by the US embassy, although the eavesdroppers were never traced. In a similar case, ATT’s CALEA controls went through a Solaris machine that was rooted by hackers, giving crooks the ability to tap into calls.

Critics of CALEA also point out that if endpoint wiretaps were mandated in the US there would be nothing to stop software developers creating non-compliant software elsewhere, and then releasing it as open source code. There would be no way of preventing this technology from being imported into the US and rendering the whole proposal largely pointless – at least, when applied against criminals and terrorists.

In this scenario, the general population and corporate users would be using technology that is easier for hostile parties to wiretap, the crypto boffins warn (PDF, 7 pages).

The FBI’s desire to expand CALEA mandates amounts to developing for our adversaries capabilities that they may not have the competence, access, or resources to develop on their own. In that sense, the endpoint wiretap mandate of CALEA II may lower the already low barriers to successful cybersecurity attacks.

We believe that on balance mandating that endpoint software vendors build intercept functionality into their products will be much more costly to personal, economic and governmental security overall than the risks associated with not be ing able to wiretap all communications.

Weakening device security makes users more vulnerable to criminals and spies without really inconveniencing terrorists or fraudsters, even for those who trust US government agencies not to abuse increased wiretap powers.

Ed Felten, one of the computer scientists opposed to wiretapping endpoints – be they on smartphones or PCs – summarises the reservations of crypto-boffins in a blog post here.

“The plan would endanger the security of US users and the competitiveness of US companies, without making it much harder for criminals to evade wiretaps,” Felten explains. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/21/crypto_boffins_oppose_fed_backdoors/

Analysis High-street socks’n’frocks chain Marks and Spencer is accused of quietly taking money from shoppers’ contactless bank cards at the tills.

The accusations come from Radio 4’s Money Box listeners, who called in to report that MS had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to pay for stuff another way.

It seems the money was unexpectedly taken from bank cards that can do pay-by-wave with compatible tills using Near Field Communications (NFC). One simply has to wave the card near the machine – within a few centimetres – for the transaction to take place over the air by radio wave.

But customers complained this was happening over a much greater distance with the tills that MS recently installed in its UK stores.

The retail chain refunded the disputed payments – even those that went unnoticed until the customer’s bank statement turned up weeks later – while pointing out that its NFC system was well tested prior to deployment. With a million transactions a month, one might expect more than couple of complaints if there was a significant problem.

The technology used by MS is supplied by Visa. While neither company has responded to The Register‘s enquiries, we do know that several of the scenarios described by Money Box listeners should not be possible if the equipment is programmed to the NFC standard.

It’s certainly possible for a till to debit the wrong card. However, doing so from several feet away beggars belief, in El Reg‘s opinion, as the induction coil that powers the NFC card has a very limited range: you effectively have to bonk your card against the machine.

However, one can imagine a wallet or purse being held beside an NFC reader in the same hand which is placing the preferred card onto the terminal, which could result in the wrong card being debited.

But the EMV (Europay, Mastercard, Visa) standard to which NFC terminals are supposed to conform requires the contactless circuit to be disconnected as soon as a chip’n’PIN card is slotted in. This is necessary as most chip cards also have NFC embedded, these days, and cards in the slot are perfectly positioned for the contactless reader; so the decision was made that the insertion of the card should indicate a preference for PIN.

One of the two callers who complained to Money Box said that a contactless transaction was made despite her debit card being in the Chip-and-PIN slot. Indeed, “Paula from London” claimed to have paid twice for the same goods, once using her PIN and once again using a contactless card which was 40cm away in her bag. MS apparently refunded the money, but the BBC reckons other people may not have noticed.

Billing twice certainly shouldn’t be possible. The process flow of a payment is well known, and the till shouldn’t issue multiple receipts any more than it would accept two successive Chip-and-PIN payments for the same goods.

It is possible that the terminals used by MS were hugely overpowered if they were reading cards at 40cm, or that they fail to implement the EMV standard properly. Equally, it’s also possible that the tills are apparently running software which allows multiple billing for the same transaction. The two complaints to MS, plus a similar complaint made to Pret a Manger, could well be the tip of an extensive iceberg.

That said, it’s more likely that a customer placing a contactless card on a terminal accidentally had their wallet in the same hand, or an improperly inserted card resulted in the terminal contacting the NFC bank card in the shopper’s purse instead.

Contactless payments are a bit scary, and one should probably keep an eye on one’s credit card bills while the technology beds in, but on this particular scandal we’ll side with Occam. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/marks_and_spencer_nfc/

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.

Infosec researchers have uncovered SafeNet in as many as 100 countries.

SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158).

The operation appears to involve two campaigns linked together by the use of the same strain of malware and differentiated by the use of different command-and-control infrastructures.

One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The topic of emails in the second part of the campaign is yet to be identified but appears to have broader appeal since this strand of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest by the malware.

Sloppy coding on one of the campaign’s command servers allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the attack.

One of the CC servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the CC server and the C code they used to generate the malware used in attacks.

It seems like nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (CC) infrastructures related to the SafeNet malware.

Trend’s researchers reckon the average number of actual victims remained at 71 per day, with few if any changes from day to day. “This indicates that the actual number of victims is far less than the number of unique IP addresses,” according to the security researchers.

The people behind the attack are connecting to command servers using VPN technology and the Tor anonymiser network. This means that little evidence about where the attackers are based can be obtained from the command nodes running the campaign. However clues in the coding have led Trend’s researchers to speculate the malware at least was brewed in China.

“While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China,” writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.

“However, the relationship between the malware developers and the campaign operators themselves remains unclear.” ®

Bootnote

Trend Micro notes that there is no link between the the attack and SafeNet, Inc, a reputable information security firm. The “SafeNet” name comes from references within the malware itself.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/20/safe_cyber_espionage/

Four individuals accused of being members of Anonymous and participating in “Operation Tango Down” have been arrested in Italy.

According to AFP, the four are being accused of various attacks in Italy, including a DDoS against the Vatican and the parliamentary Website.

The Postal Police – responsible for enforcement of communications law – carried out 12 raids across Italy, according to this report in Gazetta del Sud.

The police also claim the group “carried out a series of attacks agains the computer systems of critical infrastructure, institutional sites and important companies”.

The four men arrested are a 20-year-old from Bologna, a 43-year-old from near Lecce, a 28-year-old from the province of Venice, and a 25-year-old from the province of Turin.

Attacks reported in Italy include downing the home page of the country’s interior ministry, the police, and the Carabinieri.

In 2011, Italian and Swiss police arrested 15 Anonymous suspects. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/19/anon_arrests_italy/