STE WILLIAMS

Too much infosec regulation undermines security, warns NAB

More prescriptive regulation of the security posture in industry sectors like banking could have the paradoxical impact of reducing security, according to Andrew Dell, head of IT security services at the National Australia Bank.

“We have to become much more agile and proactive – how we look at, how we react to cybercrime. Our posture is changing from ‘observe and analyse’ to ‘detect and respond’,” Dell told the 2013 Trend Micro Evolve Security Conference.


Banks themselves need to be agile enough to respond to new threats. Worldwide, however, Dell said governments are taking an increasingly prescriptive attitude to how important infrastructure is secured. This, he suggested, creates the risk that a focus on regulatory compliance reduces a company’s ability to respond to security threats: the more detail a regulator defines about the security a bank has to implement, the less capacity the bank has left to deal with threats the rules never anticipated.

“Regulation is increasing in its complexity each year, and keeps becoming increasingly prescriptive,” he said. “Government and regulators are getting more interested not only in how secure we are, but how we secure”.

As is so often the case, where prescriptions concentrate too much on what is known, they leave insufficient flexibility and encourage a compliance-based mentality. Dell cited a conversation with a colleague in an American utility, in which an Aladdin’s cave of security kit and software, implemented for compliance reasons, was so understaffed that it was ill-maintained and almost completely unmonitored.

At the same time, Dell said, user desires are increasingly at odds with good security practice.

Banks, he reiterated, have created rules such as “no links in e-mails” and “offer call-back” so as to help protect their customers from having their credentials stolen by hijackers sending phishing e-mails. The problem is, this is starting to create friction with customers of the social era who expect to be able to get what they need in a Tweet or from Facebook.

In that context, he emphasised, customer education is a challenge, perhaps even more important than the persistent attention on how nation-state involvement in cybercrime is changing the threats. Dell said NAB is more concerned with knowing what is going on than with probing the attacker’s motivations, or working out whether an attack comes from individuals or a state.

“We’re seeing a definite shift in the threat that’s posed to our industry. The DDoS, phishing, malware compromises are still there – but the sophistication, ubiquity and agility are changing.

“Nation-state based activity – there has been a lot of discussion of nation-state attacks. I’m not concerned about whether it’s state-sponsored, I’m concerned about what the attack is.”

The malware itself may be sophisticated, Dell emphasised, but how it’s dropped into corporate networks is still simple: “through an e-mail, or a USB left in the carpark from someone to find”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/nab_warning_infosec_regulation/

Frenchie bean-counters sweet-talked into slipping on Trojans

Crooks hoping to empty company bank accounts are calling up the firms’ bean-counters to chase invoices packed with hidden malware.

Finance staff are tricked into opening the booby-trapped messages in phone calls from con men, who claim to have emailed in legit paperwork that needs urgent attention. The documents instead include a Trojan that, when activated on the victim’s PC, hands control of the Windows machine to the swindlers over the internet.


The social-engineering tactic has been used against staff at French organisations by miscreants posing as employees or business associates of the targeted outfits, reports net security firm Symantec. The scam has been used to spread Shadesrat, a remote access Trojan.

According to Symantec, “the attacks are currently localised to French organisations” and their subsidiaries in Luxembourg, Romania and other nations. The thieves have been distributing the Trojan as bogus invoices since February, but only last month started phoning victims ahead of time to lure them into opening the malware-laden accounting paperwork.

By targeting finance staff, the hackers can infiltrate their computers and swipe corporate banking login credentials and other information crucial to carrying out subsequent fraud.

“The attacker is well prepared and has obviously obtained the email address and phone number of the victim prior to the attack,” a blog post by researchers at the security firm explained. “The victims of these attacks generally tend to be accountants or employees working within the financial department of these organisations. Since handling invoices is something they would do on a regular basis, this lure has the potential to be quite convincing.

“It appears that the attacker’s motivation here is purely financial. Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organisation; a valuable target if the attacker gains access to secure certificates that are required for online transactions or confidential bank account information.”

The Shadesrat Trojan can be licensed from underground cybercrime forums for as little as $40 to $100 a year. The software nasty is “under active development and clearly shows no indication of going away any time soon”, according to Symantec. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/vxers_phone_ahead/

NBN Co hoses down ‘scary Russian crackers’ report

NBN Co, the company building Australia’s National Broadband Network, has found itself having to refute reports in the finance press that its networks had been “penetrated” by “cyber gangs”.

While attacks and scans are the lot of any and every network administrator, the company says the reported Trojan infections never got past a couple of user desktops.


An Australian Financial Review economist has reported that NBN Co’s “networks” were infected by a Citadel-based Trojan (actually two or three individual machines were infected and discovered).

The report breathlessly says “NBN Co’s internal networks were penetrated by ‘trojans’ created by cyber criminals with “advanced capabilities” that avoided detection by its anti-virus software at least twice in 2012.”

(The AFR says the attacks “only hit NBN Co’s internal networks” rather than the “broadband infrastructure itself”. This is hardly surprising to Vulture South, since we are not currently aware of any trojans, even those written by the most terrifying Russian organised criminals, that are capable of infecting things like optical fibre or the specialised hardware that makes them part of the NBN.)

As an NBN Co spokesperson stated to The Register via e-mail – and without selective editing:

“We don’t believe that NBN Co was specifically targeted by the Trojans. By their nature these incidents tend to be random, and these are the types of events that a range of other companies would be detecting on their networks.

“The point is they were detected. NBN Co takes very seriously the security of its networks and information. NBN Co has adopted extremely high levels of network security, and as the response to the FoI indicates, those incidents which have occurred have been of a low-level nature. The Trojans were detected before they were able to do any harm. They did not result in the release of any confidential information”.

NBN Co told Vulture South the incidents never went beyond individual machines – in other words, users’ desktops or laptops infected when they clicked on the e-mail attachment. The malware was spotted by NBN Co’s security systems when it started trying to contact its command and control servers.

The newspaper has complained that NBN Co heavily redacted its FOI releases, stating that publishing its response information “could be used to identify potential weaknesses” in its security setup. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/13/nbn_co_hoses_down_silly_afr_hacker_story/

Government admits seizing two months of AP phone records

The Associated Press reports that government investigators seized two months’ worth of telephone records from its staff last year and hid that fact until now.

“There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters,” said CEO Gary Pruitt in a letter sent to Attorney General Eric Holder.


“These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP’s newsgathering operations and disclose information about AP’s activities and operations that the government has no conceivable right to know,” Pruitt wrote.

Between April and May last year, the Justice Department obtained the outgoing call logs for over 20 work and personal numbers used by AP staff in its bureaus in New York, Hartford, and Washington. The news organization says it doesn’t yet know if data on incoming calls and their duration were also slurped, and says it presumes telephone companies handed over the data.

William Miller, a spokesman for Washington US attorney Ronald Machen, said his office followed “all applicable laws, federal regulations and Department of Justice policies when issuing subpoenas for phone records of media organizations,” while declining to comment on this case in particular. The cause of the investigation hasn’t been made public, but AP suggested it may be linked with a May 7 story last year about the CIA foiling an al-Qaida plot to blow up a plane heading into the US on or around the anniversary of the death of Osama Bin Laden.

The bomb in question was reported to be a more sophisticated version of that used by Umar Farouk Abdulmutallab (aka the failed underpants bomber) who is currently serving life without parole. The new bomb was non-metallic, making it easier to get past airport security.

At the request of the government, AP held off on publishing the story initially, after being warned it was a national security issue, but then declined to wait until the Obama administration had made an official statement on the matter. The FBI is currently investigating the leak.

“The irresponsible and damaging leak of classified information was made … when someone informed the Associated Press that the U.S. Government had intercepted an IED (improvised explosive device) that was supposed to be used in an attack and that the U.S. Government currently had that IED in its possession and was analyzing it,” said CIA Director John Brennan during congressional testimony in February.

AP said that five of the journalists involved in researching and writing the story, and their editor, were all known to have used the phone lines under investigation. In all, over 100 journalists may have used the monitored lines.

“Obtaining a broad range of telephone records in order to ferret out a government leaker is an unacceptable abuse of power,” said the director of the ACLU Speech, Privacy, and Technology Project Ben Wizner. “Freedom of the press is a pillar of our democracy, and that freedom often depends on confidential communications between reporters and their sources.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/government_takes_ap_phone_records/

Apple asked me for my BANK statements, says outraged reader

Exclusive: Apple is believed to have asked some online shoppers to hand over copies of their driving licence, passport and bank statements to verify their identity.

A concerned Reg reader alerted us to Apple’s data-slurp requests after she received one herself – and was told by her bank that they had never heard of private companies asking for this information.


After ordering an iPad for her young son, our reader – who works in the IT industry and does not want to incur the fruity firm’s wrath by revealing her name – received a suspicious email purporting to be from Apple, but looking like the sort of dodgy call for information we’re all told to strenuously avoid.

It read:

We perform security checks on our customers’ credit card orders due to the fact that the cardholder is not present to sign for transactions. The Apple Online Store’s Terms and Conditions state that Apple reserves the right to verify the identity of the genuine credit card holder by requesting appropriate documentation. Please note these checks are a security measure designed to protect your information.

The email continued:

Please scan a copy or take a photo of the following documentation in jpeg format and email it to [email protected]:

1. Card holder’s driver’s license or National Identity Card or Passport; and 2. Recent Credit Card / Bank Statement showing card holder name, address and card number.

As our reader had scans of the documents to hand, she emailed over copies of them… and then immediately began panicking.

She phoned the police and her bank, who both told her the email was more than likely a fraud. She feared her identity was about to be stolen due to the amount of personal information she had just handed over.

But after Apple wrote back to her and told her they had checked the documents with a notary, she began to realise that it was a genuine, Cupertino-endorsed email. The letter said that Apple understood “her concerns” about sending over bank statements, but asked her to do it anyway, as well as ensuring her passport copy was in colour.

A quick scout through the Apple forum reveals similar complaints – and when we phoned the fruity firm’s customer services branch posing as a fanboi, they confirmed that agents did indeed ask for copies of customers’ driving licence, passport and bank statements.

The ability to do this is written into Apple’s terms and conditions, as mentioned in the letter quoted above.

Our source said: “When I found out this was a genuine Apple request, I immediately cancelled the order. They’ve basically turned me into a future Android user.

“Apple told me they carry out spot checks for security reasons. But I don’t think any private company should have the right to ask you to send over such personal documents by email.

“It’s Apple’s arrogant way of saying: ‘Tell us everything about yourself or we won’t sell you our products’. What’s next? Will they ask for my inside leg measurement or a chest X-ray?

“I’m so angry. After sending that information, I thought I had been hacked and spent days worrying. The police told me I had definitely been phished, whilst my bank told me they had never heard of private companies asking for this information. Then I found it was genuine, because Apple had the cheek to ask for a colour scan of my passport. I’m shocked by what they’ve done.”

El Reg recently wrote about a German court’s decision to make Apple tighten up the way it uses customers’ data. The ruling hinged around Apple’s policy of “global consent” to its terms and conditions over how personal data is gathered and used.

Campaigner Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, believes that Apple is seeking far too much information from consumers under the auspices of combating fraud.

He said:

It’s very concerning that a private company feels entitled to demand and store sensitive identity documents for [users] to purchase something from Apple.

This is a totally over-the-top approach to fraud and I would be astonished if there isn’t a better way of combating fraud than intruding on people’s privacy like this. Customers are apparently allowed to black out “sensitive details” on the copied documents, according to our source. Apple appears to offer no detail on how long the data will be held for, nor offer the customer an alternative way of verifying their identity. This heavy handed approach only undermines consumer confidence that companies respect their privacy and potentially increases the risk of identify fraud or people stealing identity documents to facilitate purchases.

Apple told El Reg it does not comment on individual cases. Apple’s terms and conditions say: “We reserve the right to verify the identity of the credit card holder by requesting appropriate documentation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/13/apple_passport_privacy/

China: Online predator or hapless host?

Analysis: The People’s Republic of China has been singled out in increasingly unequivocal language by the US and its allies as one of the greatest sources, if not the greatest source, of online attacks, be they perpetrated by criminals or the Chinese state itself. But amid all the anti-Beijing bluster, has China been given an unfairly bad rep?

At first sight there is obviously a growing amount of evidence pinning the source of state-sponsored espionage activity on the Middle Kingdom. Verizon’s Data Breach Investigations Report – sourcing its data from law enforcement and security agencies across the globe – claimed 96 per cent of state-affiliated attacks came from China. Then there was FireEye’s Advanced Cyber Attack Landscape report, which revealed that 89 per cent of APT callback activities are associated with APT tools either made in the country or associated with Chinese hacking groups. Consultancy Mandiant went further in a high profile February report, alleging a concrete link between notorious hacking group Comment Crew (aka APT1) and the People’s Liberation Army. Most recently, a Pentagon report issued last week claimed: “numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military.”


Broadening the net beyond state-sponsored attacks, the information security industry seems pretty much in agreement that China is a major attack “source”. Symantec’s latest global Internet Security Threat Report for 2013 claimed the country was the number one source of network attacks, accounting for 29.2 per cent of the global number, and second behind the US when it came to “malicious activity” in 2012. Spam blacklist service Composite Blocking List (CBL), meanwhile, placed Chinese IP addresses as the world’s worst offenders, accounting for 22.5 per cent of the global list.

The latest stats from China’s Computer Emergency Response Team (CNCERT) reported 1.4 million infected computers in the country – 0.4 million controlled by Trojans or botnets and 1 million by Conficker. Panda Security earlier this year branded China the most malware-ridden nation, claiming 55 per cent of its computers were infected.

All of which paints China as a very, very, naughty nation indeed.

The nature of the internet, however, means a large number of IP addresses fingered as attack sources or compromised computers is no indication that attacks are actually being launched by actors from within that country. It is more accurately an indication that within that country exist a large number of vulnerable machines and perhaps inadequate law enforcement or industry regulation. In fact, China always claims it is a victim, not a perpetrator, of cyber attacks – many of which it says come from the US.

Attribute this!

The biggest difficulty security researchers face is explaining the true origin of an attack, says Fortinet’s global security strategist, Derek Manky. Attacks can be routed through several compromised machines used as proxies all over the world – finding a command and control (C&amp;C) server is definitely not an indication of attack source, he told The Reg.

“In some cases it’s easy enough to trace back one hop but this is never enough because in some cases there are four or five hops and often they encrypt the traffic with VPNs,” Manky explained. “It means that you have to go to every related ISP in each different country, all of which may be subject to different legislation and law enforcement regimes.”

Manky argued that criminals focus their efforts on China because of the large numbers of potentially vulnerable PCs there and regulatory loopholes which allow unscrupulous domain registrars to continue operating. Both of these factors, to an extent, are also true of the United States.

“There are a lot of IP addresses in China and there are a lot of infected systems. Many are XP machines not even running Service Pack 2 so they’re easy pickings,” Manky said. “They’re infected and then brought under the control of operators outside of China – in the US, Latin America, Eastern Europe etc – and used as real estate which can be leased out by the operator.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/13/china_security_victim_or_perpetrator/

Analysts brawl over ‘death’ of markup language

XACML doesn’t exactly roll off the tongue or set hearts racing – El Reg has seen fit to mention it one whole time in our web history.

But the standard, which reached version 3.0 in January 2013 and is billed as an authentication-enabler “that describes both a policy language and an access control decision request/response language”, has nonetheless sparked an online brawl between analyst firms Forrester and Gartner.


Forrester threw the first punch, declaring the standard “dead” and likely to be superseded by the inferior-but-easier-to-use OAuth because the scenarios XACML was designed to serve have either not come to pass or have become irrelevant.

Gartner retorts that XACML is a fine example of an externalized authorization management technology, of which the world needs more. XACML is jolly useful, Gartner argues; declaring it dead is just silly, and there’s a list of outraged bloggers named Gerry, Anil, Danny, and Remon who agree that’s the case.

Is XACML going away any time soon? Probably not. Does anyone really care about it? Forrester says there’s no commercial support; Gartner says some vendors can “… translate XACML into SDDL for Windows Dynamic Access Control.” Forrester says that kind of work requires custom development, which nobody loves. Gartner says RESTful XACML bindings will make the standard relevant again.

Help us out here, readers. Do you use XACML? Is it important to you? Did you look at it and run away screaming, or screw up your face in scorn and use another technology? Do you know which analyst is right, or should we spread a plague on both their houses? Hit the “Comment” button to share your XACML wit and wisdom, before its moment in the spotlight fades forever. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/12/xacml_analyst_brawl/

The great $45m bank cyber-heist: Seven New Yorkers cuffed

Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards.

The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the scam would be detected in time to block the cards and foil the plot. As well as lifting the data, the gang is said to have used other hacking techniques to boost their cash-withdrawal limits.


Eight people are accused of being members of the New York cell of the operation, which allegedly withdrew $2.8m in cash from hacked accounts. They were named as suspects in an indictment unsealed on Thursday. All of them, we’re told, live in Yonkers, New York.

Seven of the defendants have been arrested and charged “variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering,” according to the Feds.

The first to be cuffed tried to flee from the US to the Dominican Republic on March 27, according to a US Department of Justice statement on the case.

The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña (aka Prime and Albertico), 25, who was reportedly murdered late last month in the Dominican Republic. It is understood that Lajud-Peña was shot dead at his house while playing dominoes with friends about two weeks after returning home from the US. He was named by US investigators as the leader of the New York cell. Lajud-Peña’s murder by two masked men was allegedly motivated by disputes over how to split the loot from the digital heist, according to local news outlet La Nacion Dominicana.

It is alleged that the e-robbery was known to denizens of the internet underworld as “Unlimited Operation” – prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, and the Bank of Muscat, Oman, were drained of cash in the hack, according to prosecutors.

We’re told the main hacking phase of the operation ran between October 2012 and April 2013. During this period, cybercrooks are said to have distributed stolen prepaid debit card numbers to trusted associates in 26 countries around the world.

These associates are said to have operated cells – or teams of “cashers” – encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts fired the starting gun for a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe, investigators say.

Two separate cash-out operations occurred: on December 22, 2012 against RAKBANK, and on 19 February into the early hours of 20 February against Bank of Muscat. Before the pull was spotted by RAKBANK and its unnamed Indian card processor, it had suffered $5m in losses through more than 4,500 fraudulent ATM transactions in 20 countries. Bank of Muscat was hit even harder, with $40m in losses through 36,000 fraudulent ATM transactions in 24 countries.

“From 3pm on February 19 through 1.26am on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area,” according to the Feds.

The fraud was carried out against just 12 no-limits compromised accounts at the Bank of Muscat, and prompted an official statement by the bank to the stock exchange in Oman in late February, as we reported at the time.

When the fraud was detected and the cards cancelled, the casher cells are said to have laundered the proceeds, often through the purchase of luxury goods such as expensive watches and sports cars, before keeping a proportion for themselves and kicking money back up to the cybercrime kingpins and hackers masterminding the scam. If the Feds know where the real masterminds of the scam are located, they aren’t saying – at least for now.

US authorities have seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and are in the process of seizing a Porsche Panamera, all linked to the scam.

The investigation into the cyberfraud was led by the US Secret Service, which worked with MasterCard, RAKBANK, and the Bank of Muscat in unravelling the scam, as well as law enforcement agencies in Japan, Canada, Germany, and Romania, and authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Prepaid debit cards are used by many employers to pay staff, and by charitable organizations to distribute disaster-assistance funds.

The Unlimited Operations mega-scam may have been the biggest of its type, but it’s not the first time cybercrooks have looted prepaid debit card accounts after hacking into bank databases. Much the same methodology was employed in an ATM fraud against cards issued by RBS WorldPay in November 2009 that netted crooks $9m, for example, as cybercrime blogger Gary Warner noted.

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, commented: “This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims. Nevertheless, it’s a VERY serious incident and it raises a lot of questions about the security of the current payment systems.”

Raiu added that the success of the attack relied on the use of mag-stripe technology instead of harder-to-forge plastic smartcards in many countries in the world.

“I’d like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips,” Raiu said.

“The cybercriminals specialised in carding focus on replicating real cards on ‘blank’ cards by reprogramming the magnetic stripe,” he added. “A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it’s true that the attacks won’t go away, but they will for sure decrease or become a lot harder. I believe it makes sense for the banks to invest into upgrading the cards in the US and worldwide.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/atm_megaheist_arrests/

Techies at The Onion: Here’s how Syrian Electronic Army hacked our Twitter

Techies at satirical news outfit The Onion have posted an informative explanation about how pro-Assad hacktivists from the Syrian Electronic Army hijacked their official Twitter account on Monday.

Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the White House. The tweet caused the Dow Jones to briefly plummet, before stocks recovered after everyone realised it was a hoax.


We don’t know how the keys to the AP or Guardian feeds were purloined, but in Monday’s break-in to @theonion the SEA used a multi-phase phishing attack, techies at “America’s Finest News Source” explained.

The first phase of the assault attempted to trick Onion staff into following a link purportedly to an article about The Onion published by The Washington Post. That link led to a fake site set up by hackers that requested Google Apps credentials. In turn, these credentials allowed the hacktivists to get into The Onion’s Gmail accounts.

Hackers then used the compromised accounts to send out further phishing emails along the same lines – but this time the emails came from a trusted source. At this point the hacktivists struck gold: one of the two compromised accounts was associated with The Onion’s social media accounts, allowing the pro-Assad group to hijack @TheOnion. Followers wondered whether or not updates such as “UN retracts report of Syrian chemical weapon use: Lab tests confirm it is Jihadi body odor” were unusually edgy satire or a sign that the feed had been kidnapped.

Th3 Pr0, a member of the SEA, told The New York Times that his crew targeted The Onion because of a recent parody supposedly put together by Syrian President Bashar Al-Assad, entitled: “Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People.”

The attack prompted techies at The Onion to email staff advising them to change their passwords. The hacktivists responded with an attempt to sow confusion by sending out a fake password reset message with links back to their credential-stealing page. Cannily, the SEA ensured none of these phishing emails went to anyone on The Onion’s tech support team. This fresh assault trapped two new victims, one of whose accounts was subsequently abused to keep control of the seized Twitter profile.

The Onion’s editorial team responded to the hack by posting articles mocking its attackers, such as “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels”. The SEA briefly (and humourlessly) retaliated by posting editorial email information on Twitter before the account was returned to its rightful owners.

In the aftermath of the hack, The Onion’s techies said user education about phishing is a vital first step in guarding against attacks on corporate social networking feeds.

Taking over a Twitter account is possible through a variety of mechanisms, including phishing, password guessing, weak password reset set-ups and reuse of the same login credentials on Twitter and on another site that later suffers a password database compromise.

Isolating Twitter-linked accounts from regular email accounts and other preventive steps can limit the scope for mischief that arises from successful phishing attacks, while having alternative ways to contact employees if anything goes wrong can help resolve the results of any security breach quickly, the Onion tech team further suggests.

Two-step authentication techniques, such as sending a code by SMS to pre-registered phones to confirm password changes, or the use of tokens, promise to clamp down on account hijacking, which has peaked over recent weeks. Twitter is set to roll out two-step authentication in the near future.
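As an added illustration of the confirmation step described above (example code, not anything from The Onion, Twitter or the article), the sketch below gates a password change behind a code sent out of band to a phone registered before the change was requested; the `send_sms` callback and the phone directory are assumed, and the SMS deliberately carries no link, since a link in a “reset your password” message is exactly what the fake reset mail in the story imitated.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3         # a few wrong guesses discard the pending change


class PasswordChangeGuard:
    """Require an out-of-band code before a password change takes effect.

    The code is bound to one user and one pending change, expires, allows few
    guesses and is single-use, so a phished mailbox or session alone cannot
    rotate the password without the pre-registered phone.
    """

    def __init__(self, phones, send_sms, now=time.time):
        self.phones = phones        # user -> pre-registered phone (assumed directory)
        self.send_sms = send_sms    # hypothetical callback: (phone, message) -> None
        self.now = now              # injectable clock, so expiry can be tested
        self.pending = {}           # user -> details of the one pending change

    def request_change(self, user, new_password_hash):
        phone = self.phones.get(user)
        if phone is None:
            # No phone registered ahead of time: refuse rather than fall back to email.
            raise ValueError("no pre-registered phone; password change refused")
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[user] = {"hash": new_password_hash, "code": code,
                              "issued": self.now(), "attempts": 0}
        # Name the action, give the code, include no link to click.
        self.send_sms(phone, f"Confirm password change with code {code}. Not you? Contact IT.")
        return True

    def confirm_change(self, user, code, apply_hash):
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() - entry["issued"] > CODE_TTL_SECONDS:
            del self.pending[user]          # stale code: start over
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]          # too many guesses: discard the change
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False                    # constant-time comparison of the code
        del self.pending[user]              # single use
        apply_hash(user, entry["hash"])     # only now does the new password land
        return True
```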

All this sounds fair enough, and far better than the satirical notice that “The Onion Twitter password has been changed to OnionMan77” or its top tips for other media outlets on how to avoid getting hacked.

Additional security-related comment on the incident, alongside screenshots of several fake Tweets put out by the SEA, can be found in a blog post by Sophos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/onion_twitter_hack_redux/

Enjoy the weekend, sysadmins: Next Tues fixes 33 Microsoft bugs

Microsoft has promised to fix a high-profile vulnerability in Internet Explorer 8, among other holes, in this month’s Patch Tuesday rollout of security updates.

In all, next week’s bucket of upgrades will address 33 bugs in a range of Redmond software. The flaws have been grouped into 10 sets of holes: two marked critical and eight important.


The critical updates kill off vulnerabilities in Internet Explorer that allow miscreants to remotely execute malicious code on victims’ machines: one will paper over flaws uncovered during the Pwn2Own hacking competition at CanSecWest in March. This update affects all versions of the web browser from IE6 to IE10 on all Windows operating systems from XP to Win8, including RT.

The other critical update fixes a vulnerability specific to Internet Explorer 8. It is believed computers used by the nuclear weapons research teams at the US Department of Labor were compromised by websites exploiting this browser hole on 1 May. The attack code has since surfaced elsewhere on the web and has been bundled into the infosec Swiss army knife Metasploit.

Microsoft’s security gnomes developed and tested a fix for the IE8 bug in less than two weeks, which is a much faster turnaround than normal. This speed reflects Redmond’s recognition of the seriousness of the flaw.

Meanwhile, three of the important security updates cover remote code execution vulnerabilities in the Microsoft Office suite – including the widely deployed Word 2003 and Word Viewer, as noted by cloud security firm Qualys.

The other five important patches fix denial-of-service and “spoofing” bugs in Windows and the .NET software framework; improper disclosure of sensitive system information in Office and Windows Essentials; and an elevation of privilege glitch in Windows.

Microsoft’s advance warning of May’s upcoming patch rollout is here.

And it wouldn’t be a security upgrade article without this special guest…

Next Tuesday will also mark the arrival of Adobe Reader, Acrobat and ColdFusion security updates.

The upcoming Reader and Acrobat security fix is a cross-platform update for users of Adobe’s ubiquitous PDF reading software on Mac OS X, Linux and Windows PCs. The update is only critical for users of Reader/Acrobat 9.5.4 and earlier 9.x versions on Windows PCs. Reader/Acrobat X and XI on Windows still need to be patched, but only to defend against a lesser security threat. The same advice goes for Adobe Reader/Acrobat users on Mac and Linux boxes, whichever version they are running. All this is noteworthy because exploiting Reader/Acrobat vulnerabilities has been a staple of hacking attacks for several years.

ColdFusion, Adobe’s web application development platform, is less often targeted. However, an update for Adobe ColdFusion 10 and earlier versions for Windows, Macintosh and Unix systems addresses a zero-day vulnerability that has reportedly been packed into an exploit – and is therefore more pressing than might otherwise be the case. The vulnerability (CVE-2013-3336) creates a potential means for hackers to remotely retrieve files stored on a ColdFusion server. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/10/ms_ie8_0day_fix_due_tuesday/