
Tibetan and Uyghur activists targeted with Android malware

Researchers at Kaspersky Lab are reporting that Tibetan activists are being hit by a highly targeted form of Android malware that seeks to record their contacts, call logs, SMS messages, geolocation, and phone data.

The attack started with the March 24 hacking of an email account belonging to an activist seeking national independence for Tibet. All of the activist’s contacts then received a message urging them to check out details from the forthcoming World Uyghur Congress meeting being held in Geneva to discuss national self-determination in the Middle Kingdom and enclosing an Android Package (APK) file with details.


The malware, dubbed Backdoor.AndroidOS.Chuli.a by the researchers, launches what appears to be a standard Android app that apparently contains a message from “Dolkun lsa, chairman of the executive committee of the Word [sic] Uyghur Congress.” However, the app also installs a bugging program that’s controlled by SMS.

When the correct control message comes in via SMS, the malware sends the information, encoded in Base64, to a command and control (C&C) server running Windows Server 2003 and configured in Chinese. The commands to control the code contain Chinese characters, and the C&C servers are located in Los Angeles, but the commands travel via a domain registered to a Chinese firm.

“The current attack took advantage of the compromise of a high-profile Tibetan activist. It is perhaps the first in a new wave of targeted attacks aimed at Android users,” said the Kaspersky Lab research team.

“So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”

While there’s no direct evidence that the attack code is being run by the Chinese government, it does seem from the evidence that the malware comes from the Middle Kingdom. Additionally, one has to consider who would want to track down and monitor Tibetan and Uyghur activists.

Based on Occam’s Razor, the evidence suggests the Chinese government is up to its old tricks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan/

Experts doubt Anonymous Mossad spy outing claims are kosher

Hacktivists claim to have published leaked data on more than 30,000 Israeli officials, including members of Israel’s Mossad secret service agency.

The boast by members of Anonymous follows a denial of service attack against the Mossad website (www.mossad.gov.il) over the weekend as part of the ongoing #OpIsrael protest. Previously obscure Anonymous affiliate Sector 404 launched the DDoS attack while elements of Anonymous and a Turkish hacker collective called RedHack carried out the data snatch and dump. Experts are, however, doubtful that the leaked information is kosher.


The leaked data – including names, email addresses and physical addresses – were released in the form of spreadsheets through HackerLeaks, Google Docs and other sites and services. A small percentage of the leaked data includes ID numbers and phone numbers.

Middle East Internet expert Dr Tal Pavel told the Times of Israel that the data probably referred to Israeli citizens but is unlikely to be a secret list of spies and members of the Israeli defence forces, as the hacktivists claim.

“There is no doubt that they got some identification information about Israelis, but the claims that they hacked the Mossad site and got a list of Mossad agents is most likely psychological warfare, and not a hack into an important database,” says Pavel, who has downloaded and analysed the leaked documents.

The data contain many duplicate records, list people with homes in Palestinian towns and links to business addresses such as schools, shoe manufacturers and charities. Pavel, a professor at Tel Aviv University and director of the Middle East Internet Monitor website, reckons the information came from earlier breaches involving Israeli citizens, rather than a new attack against Mossad and the military.

Forbes is also skeptical, even going so far as to suggest that parts of the list had already appeared online months before last weekend’s events and noting the implausibility of foreign-based Mossad operatives maintaining Israeli email addresses.

Neither the Israeli government nor Mossad has commented on the claimed breach. ®

Bootnote

#OpIsrael is building up to a planned attack on 7 April that aims at “erasing Israel from the internet” in protest against its treatment of the Palestinian people.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/anonymous_mossad_leak_claims/

Fortinet nabs wily Coyote and its slice of security appliance cake

Network security firm Fortinet has agreed to acquire application delivery, load balancing and acceleration firm Coyote Point Systems. Financial terms of the deal, structured as a merger and announced on Friday, were not disclosed.

Fortinet is best known for its Unified Threat Management all-in-one security appliances, which are used by SMEs and the branch offices of larger corporates to handle gateway anti-virus, firewall, intrusion prevention and load balancing, among other functions. It also sells high-end firewalls and other security kit. Coyote Point was founded in 1999 and markets the Equalizer ADC (application delivery controller) product line.


There’s some product overlap in the deal but Fortinet is trying to reassure Coyote Point customers that there’ll be no immediate cull.

“No immediate changes will be made to Coyote Point product offerings, customer support and channel programs or any existing ADC products that Fortinet markets,” it said in a statement.

According to latest stats from IDC, Fortinet leapfrogged McAfee in Q4 2012 to reach fourth spot in the overall security appliance market behind Cisco, Check Point and Juniper. The Coyote Point deal will help it to expand its portfolio in competition with the likes of Blue Coat, which also markets application delivery and web acceleration products.

The security appliance market, worth $2.3 billion worldwide in Q4 2012, is highly competitive, with market leader Cisco only enjoying a $351m (15.5 per cent) slice of the pie. Vendors who don’t make the top five account for more than half (53.7 per cent) of the market, according to number crunchers at IDC, which adds that Blue Coat, Palo Alto Networks, Barracuda, Sourcefire, and Dell SonicWALL all enjoyed a strong Q4 2012. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/fortinet_coyote_point/

Are you in charge of a lot of biz computers? Got Java on them?

Java security vulnerabilities – exploited to hack Apple and Facebook this month – are rife across business computers worldwide, according to new research.

The overwhelming majority (94 per cent) of PCs and other endpoints running Java software and surveyed by Websense are vulnerable to at least one Java runtime exploit, according to the web security biz. And the exploitable bugs are not just zero-day holes and recently patched vulnerabilities that get all the publicity.


Three in four computers used to browse the web are using a Java Runtime Environment version that is more than six months out of date. More than 50 per cent of machines are two years behind.

Seizing control of systems by slamming malicious code through holes in Java’s security layers has been favoured by state-sponsored hackers and plain old crooks alike, certainly in the last two or three years. For months now, users have been advised to disable Java in their web browsers for exactly this reason, a recommendation echoed in recent alerts from the US government’s Computer Emergency Readiness Team. Websites that require Java are now the exception, not the rule.

Harmful code capitalising on Java holes has been commoditised and packaged up into readily available exploit kits – including Cool, Blackhole and Gong Da – allowing any miscreant with an internet connection to wield these weapons for his or her own nefarious purposes.

For those on a company intranet and anyone else who absolutely must use Java for a particular website, the best advice is to enable Java execution in one web browser and use it solely for that one site – and have another web browser with the Java runtime disabled for all other internet surfing.

Java 1.6 is officially at its end of life after the latest update, numbered 43. Oracle recommends that users migrate to JDK 7 in order to receive any further enhancements and security fixes.

This means that more than 77 per cent of users, based on requests seen in Websense’s research, are using a Java engine that is essentially dead and will not be updated, patched or supported by Oracle.

Websense’s stats come from the Java version detection technology added to its ThreatSeeker Network of cloud-based security technology. The figures incorporate real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints protected by Websense’s technology. A blog post from Websense, featuring a pie-graph based on its figures, and additional security commentary, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/java_insecurity/

Security damn well IS a dirty word, actually

Sysadmin blog An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords.

The feature is good; good enough for me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges – but does not explore – a few important points that are increasingly critical to consider in the context of any serious discussion about IT security.

In his feature, Nate describes himself as having learned to become a “script kiddie.” While I won’t dispute the nomenclature, reading the feature left me with the impression that he felt the tool chosen was an important part of what separates the script kiddie from more well-versed malefactors.

The difference between a script kiddie and a decent cracker isn’t the tool used. It is the time taken to understand how a tool works, why it works that way, what its limitations are and – ultimately – the effort made to increase the tool’s efficiency and/or likelihood of success. Nate may have started his journey out as a script kiddie, but I suspect he’s put far more thought into this than most script kiddies do. Were he to pursue this “addictive” line of investigation for a few more months, he’d be well on his way to what – in the 80s – we called a cracker.

The terms have been diluted over the years. A cracker was someone who put a lot of time and effort into breaking digital locks. It required a fair amount of knowledge to accomplish but was still a focused pursuit. A hacker – using the old-school terminology – would take this same iterative, experimental approach to hardware. They would see software and hardware as two parts of a single whole.

For an old-school hacker the goal was to learn. The reward was solving another puzzle. These people still exist today, though increasingly underground, as curiosity itself seems to be rapidly becoming illegal.

Wave your hands

[Image] Google’s Self Driving Car: a security problem waiting to happen?

Computers are not magic. It is simultaneously a simple truth and the hardest element of their operation to intuitively grasp. There are so many layers between today’s users and the underlying transistor logic that the operation of computers legitimately seems like magic, even to those who’ve spent a lifetime in the field. (Be rational all you want, printers were sent from hell to make us miserable.)

The problem with computers today – as with yesteryear – is the abstraction of these operating fundamentals from the usage of the device. Despite evolving existing interfaces, periodically reinventing the wheel and even changing form factors we are actually pretty bad at abstracting away the underlying flaws of computer design such that end users don’t need to know how the widget works.

If you don’t know how the widget works, you are ultimately going to be vulnerable to some security flaw you didn’t even know existed. Despite this, the proliferation of computers has trebled; the growth of deployment seems logarithmic with no asymptote in sight. Computers are in everything from our cars to our phones and soon our watches and even our eye glasses. If we can’t secure the mess we have today, what hope can we possibly have of locking down the much hyped internet of things?

It’s dead, Jim

Anderson correctly highlights that the fragility of passwords is frightening. Password cracking software is shocking in its ease of use. What should be more frightening – but hasn’t sunk in yet for most – is the ease with which virtually every other security mechanism we employ can also be compromised.

From encryption at rest (via RAM grabs, amongst others) to SSL/TLS (via, apparently, everything) on to nearly every other storage and transmission mechanism we’ve invented; the IT industry seems to birth crypto mechanisms that are really only practically secure for a few years – a decade at best.

More frustrating than this is that we do generate solutions to known vulnerabilities on a regular basis. In many cases they simply remain unimplemented. Consider the shocking lack of support for DNSSEC, or the fact that amongst the mainstream browsers TLS 1.1 is only enabled by default in Safari and Chrome while TLS 1.2 isn’t enabled by default on iOS devices. (There’s a good discussion on why here.)

The economies of most nations depend on the security and trustworthiness of these authentication mechanisms and yet the implementation of newer techniques is constantly held back. The multinationals making the gear we use circle each other and growl; each is looking to exploit the weaknesses that affect us all to their individual advantage.

Ultimately, I don’t think education alone will help here. Some combination of “keeping one step ahead” on the cryptography front has to be combined with a UX that abstracts the “hard stuff” away from end users. As much as I’d love to teach 7 billion people proper password hygiene, I suspect this isn’t the correct path.

Defeating security mechanisms is a challenging puzzle that offers wealth to those who accomplish it. Creating new security mechanisms – or fixing old ones – is hard and few are willing to engage in the activity unless a clear monetary advantage can be gained. We need a fundamental rethink regarding the economics of IT security. The market as it stands today isn’t delivering. That failure promises to be a problem for us all. ®

*Though we’ll put the link down here, eh, Trevor – Ed.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/our_crypto_kind_of_sucks/

No Skype traffic released to cops or spooks, insists Microsoft

Analysis Microsoft’s Skype subsidiary didn’t hand over any user content to law enforcement, according to the software giant’s first ever report on how it deals with official requests for data.

As previously reported, Microsoft’s transparency report revealed that Redmond received 75,378 requests from law enforcement agencies worldwide last year, involving 137,424 user accounts.


Microsoft supplied a separate set of figures for its Skype peer-to-peer VoIP subsidiary, which Redmond bought in late 2011 and operated until recently under a separate reporting structure and legal jurisdiction (Luxembourg law). Skype serviced 4,713 requests for data or information from law enforcement during 2012 that involved 15,409 accounts.

“Historically Skype only recorded instances in which it produced some data in response to a valid law enforcement request,” Microsoft explained. “We are making changes to this practice so future disclosures will reflect rejections.”

The UK (1,268) and US (1,154) accounted for a big slice of law enforcement requests handled by Skype globally, none of which are reported to have led to the release of user data. A detailed breakdown of all these figures and more can be found here (PDF).

Redmond plans to publish updated figures every six months, a blog post by Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft, explains. Its next set of stats will combine figures from Skype with those for other Microsoft services.

Approximately 79.8 per cent of non-Skype related requests to Microsoft (or 56,388 cases) during 2012 resulted in the disclosure of only transactional or account information, while a much smaller number of law enforcement requests (1,558 or 2.2 per cent) resulted in the disclosure of content, such as an e-mail exchange. One in five – 18 per cent – of law enforcement requests to Microsoft resulted in the disclosure of no customer data. This may happen because no data was found, the paperwork was not in order or because the request was too broad, among other reasons.

Redmond’s first transparency report covers requests for information about users of services including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Office 365 and its recently retired Messenger IM service. Enterprise services such as Azure and Exchange Online are also covered by the figures. There’s also a geographic breakdown in requests, so we learn that there were 11,073 requests from US law enforcement agencies involving 24,565 accounts and resulting in account info in 7,200 cases (65 per cent) and content in 1,544 (13.9 per cent) of cases.

There were 9,226 requests from UK law enforcement agencies involving 14,301 accounts and the yielding up of account info in 7,057 cases (76.5 per cent) and no releases of content. The non-release of content but high response rate to account info requests is repeated across other EU countries, such as France, Germany and Spain, though not Ireland. Hotmail’s European servers are hosted in Ireland, and the 73 law enforcement requests in Ireland led to Microsoft coughing up user content in five cases.

Microsoft’s report comes after similar reports from Google and Twitter that covered how these other web giants handled requests for information from police and intelligence agencies. Twitter’s figures also include stats on removal requests (infrequent) and copyright notices (better than three times more common than information requests).

The software giant explained that its practice is to require a valid subpoena or equivalent document before releasing non-content data and a court order or warrant before turning over content. It hopes its report on how it responds to law enforcement requests will inform debates on the topic.

Redmond’s statistics offer only vague figures on so-called National Security Letters. A US District Court in California recently declared NSLs unconstitutional because recipients are prohibited from discussing them. The case against the gag orders was brought by the Electronic Frontier Foundation on behalf of an unnamed telco and may be subject to appeal.

If the ruling stands, then future transparency reports from Microsoft, Google and others may include the number of NSLs received by these web giants instead of simply stating that the number is less than a thousand per year or between 1,000 and 2,000, the opaque ranges quoted in both Microsoft’s and Google’s recent transparency reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/ms_transparency_report/

Whoops! Tiny bug in NetBSD 6.0 code ruins SSH crypto keys

The brains behind NetBSD have warned that a bug in the open-source OS causes it to create weak cryptographic keys that can be cracked by attackers. Users attempting to secure sensitive communications, such as SSH terminal connections, using the dodgy keys could easily be snooped on and decrypted.

The use of a cryptographically flawed pseudo-random number generator in NetBSD 6.0 means that potentially predictable keys were generated. Versions of NetBSD-current older than 26 January 2013 are affected. NetBSD 5.1 and 5.2 do not suffer from the bug, which is due to be fixed in NetBSD 6.1. Until then, users need to update their kernels to builds created after 26 January.


Many types of cryptographic keys (including SSH and SSL session keys) generated on affected systems may be weak. A sizeof() blunder introduced data that wasn’t sufficiently random for cryptography.
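The article names only a sizeof() blunder as the cause, so the following is an added illustration of that defect class rather than NetBSD’s code: a seeding routine that receives its key buffer as a pointer and uses sizeof() on the pointer, beside the corrected form and the reviewer check that exposes it. The function names are hypothetical and the entropy source is a constructed, deterministic stand-in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 32

/* Stand-in for an entropy source. Deterministic so the example runs
 * offline (constructed, NOT randomness); it never emits 0x00, so the
 * unseeded-byte check below is unambiguous. */
static void fake_entropy_extract(uint8_t *dst, size_t len) {
    static uint32_t state = 0x12345678u;
    for (size_t i = 0; i < len; i++) {
        state = state * 1103515245u + 12345u;
        uint8_t b = (uint8_t)(state >> 16);
        dst[i] = b ? b : 0x01;
    }
}

/* The defect class the article describes: the key arrives as a pointer,
 * so sizeof(key) is the size of the pointer (4 or 8 bytes), not of the
 * 32-byte buffer. Only the first few bytes receive entropy; the rest keep
 * whatever the buffer already held. Returns the byte count actually seeded. */
size_t seed_key_buggy(uint8_t *key) {
    size_t n = sizeof(key);            /* BUG: sizeof a pointer */
    fake_entropy_extract(key, n);
    return n;
}

/* Corrected form: the caller passes the real buffer length. */
size_t seed_key_fixed(uint8_t *key, size_t key_len) {
    fake_entropy_extract(key, key_len);
    return key_len;
}

/* Review check: how many trailing bytes still hold the fill value, i.e.
 * never received entropy. */
size_t count_unseeded(const uint8_t *key, size_t key_len, uint8_t fill) {
    size_t n = 0;
    while (n < key_len && key[key_len - 1 - n] == fill)
        n++;
    return n;
}

/* Seed a zero-filled 32-byte key with one of the two routines and report
 * how many bytes were left unseeded. */
size_t demo_unseeded_bytes(int use_fixed) {
    uint8_t key[KEY_BYTES];
    memset(key, 0, sizeof key);        /* sizeof an array: 32, as intended */
    if (use_fixed)
        seed_key_fixed(key, sizeof key);
    else
        seed_key_buggy(key);
    return count_unseeded(key, sizeof key, 0);
}

int main(void) {
    printf("buggy: %zu of %d key bytes never seeded\n",
           demo_unseeded_bytes(0), KEY_BYTES);
    printf("fixed: %zu of %d key bytes never seeded\n",
           demo_unseeded_bytes(1), KEY_BYTES);
    return 0;
}
```

On a 64-bit build the buggy routine seeds 8 of 32 bytes, leaving the key with at most 64 bits of entropy from the source and a fixed, guessable tail.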

Sys admins are advised to generate new keys after updating the NetBSD kernel software, as explained in an advisory from the NetBSD Foundation.

“For systems newly set up with NetBSD 6, all SSH host keys are suspect,” the advisory explains. “Other persistent cryptographic secrets (for example, SSH or SSL keys of any type) generated using /dev/urandom on NetBSD 6 systems which may have had insufficient entropy at key generation time may be impacted and should be regenerated.”

The first version of the advisory was published late last month; an update with a stronger warning followed and caught the eye of crypto experts such as Ivan Ristic, an open-source advocate who runs the SSL Labs service. ®

Bootnote

A hat-tip to Reg reader Richard Outerbridge for the heads up on the bug. “Picking random numbers is far too important to be left to chance,” Richard wisely notes.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/netbsd_crypto_bug/

Mobile location data identifies individuals

One of the arguments in favour of anonymous mobile location tracking, namely that it doesn’t provide enough information to identify individuals, has been slapped down by a US-Belgian study. An anonymous trace of one phone’s movements, plus a small amount of external data, can pick one person out of millions.

An analysis of 1.5 million individuals’ interactions with cell towers over 15 months found people’s movements are so individual that “four spatio-temporal points are enough to uniquely identify 95% of the individuals” in their analytical dataset, even though it only used the spatial resolution given by carriers’ antennas.

Once an individual’s trace has been singled out from their phone’s location (given by the phone network), it only takes “a few” known locations associated with that person to show who they are.

Yves-Alexandre de Montjoye at MIT in Cambridge, Massachusetts, and Université Catholique de Louvain in Belgium, lead author of the study, notes that the four points used to identify an individual could come from a variety of sources: a person’s workplace or home address, or locations revealed by their posts on Twitter.

Even decreasing the spatial resolution doesn’t help much, the study found: “the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution,” the researchers write in Nature Scientific Reports. “Hence, even coarse datasets provide little anonymity.”

[Image] Even coarse data (centre, right) is enough to reveal your location. Source: Nature Scientific Reports

After examining the data, the researchers found that they were able to derive a single formula expressing the “uniqueness of human mobility”, and that “mobility datasets are likely to be re-identifiable using information on only a few outside locations.”
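To make the uniqueness measurement concrete, here is an added example (not the study’s code or data) that computes the same quantity on a constructed set of antenna-level traces: the fraction of users whose own points match no other user, for one, two and four points, and how that fraction falls as the spatial and temporal resolution is coarsened. The trace structure, sizes and the use of a user’s first p points as the “known locations” are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define USERS    200
#define POINTS   30
#define ANTENNAS 400
#define HOURS    168   /* hour of the week */

typedef struct { int cell; int hour; } point_t;

static point_t traces[USERS][POINTS];
static int traces_built;

/* Small LCG so the constructed data is reproducible offline. */
static uint32_t rng_state;
static int rnd(int n) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return (int)((rng_state >> 8) % (uint32_t)n);
}

/* Constructed traces (not the study's data): each user pings mostly from
 * a home antenna and a work antenna, occasionally from elsewhere. */
static void make_traces(void) {
    rng_state = 42;
    for (int u = 0; u < USERS; u++) {
        int home = rnd(ANTENNAS), work = rnd(ANTENNAS);
        for (int i = 0; i < POINTS; i++) {
            int r = rnd(5);
            traces[u][i].cell = r < 2 ? home : r < 4 ? work : rnd(ANTENNAS);
            traces[u][i].hour = rnd(HOURS);
        }
    }
    traces_built = 1;
}

/* Does trace t contain point p once antennas are merged in groups of
 * `space` and hours in groups of `time`? (1,1 = full resolution.) */
static int contains(const point_t *t, point_t p, int space, int time) {
    for (int i = 0; i < POINTS; i++)
        if (t[i].cell / space == p.cell / space &&
            t[i].hour / time == p.hour / time)
            return 1;
    return 0;
}

/* Uniqueness as the study defines it: the fraction of users for whom p
 * points of their own trace match no other user's trace. The first p
 * points stand in for the few outside locations an observer might hold. */
double uniqueness(int p, int space, int time) {
    if (!traces_built) make_traces();
    int unique = 0;
    for (int u = 0; u < USERS; u++) {
        int matches = 0;
        for (int v = 0; v < USERS; v++) {
            int all = 1;
            for (int i = 0; i < p && all; i++)
                all = contains(traces[v], traces[u][i], space, time);
            matches += all;
        }
        if (matches == 1)        /* only u itself matched */
            unique++;
    }
    return (double)unique / USERS;
}

int main(void) {
    static const int factors[][2] = { {1, 1}, {4, 3}, {20, 24}, {100, 168} };
    printf("antennas x hours merged   p=1    p=2    p=4\n");
    for (size_t f = 0; f < sizeof factors / sizeof factors[0]; f++)
        printf("%4d x %-3d                %.2f   %.2f   %.2f\n",
               factors[f][0], factors[f][1],
               uniqueness(1, factors[f][0], factors[f][1]),
               uniqueness(2, factors[f][0], factors[f][1]),
               uniqueness(4, factors[f][0], factors[f][1]));
    return 0;
}
```

Run on a real pseudonymised mobility export, the same loop is a quick way to check a “not personally identifiable” claim before the data is shared.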

The 1.5 million users’ traces, the study notes, represent roughly the same number of users of the Foursquare location service. The study would seem to put a big dent in claims by companies like shopper-tracker Path Intelligence that the information they collect “is not personally identifiable”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/26/mobile_movement_identifies_individuals/

South Korea data-wipe malware spread by patching system

South Korea’s data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems.

Several South Korean financial institutions – Shinhan Bank, Nonghyup Bank and Jeju Bank – and TV broadcaster networks were impacted by a destructive virus (since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec), which wiped the hard drives of infected PCs, preventing them from booting up upon restart.


Initially it was thought that the malware spread through local telco LG U+ and may have come from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault.

Late on Friday afternoon security appliance firm Fortinet claimed hackers broke into the servers of an unnamed local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet’s Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find. However, late on Friday evening Guillaume Lovet of Fortinet called El Reg and stated that the security appliance firm no longer stood by its earlier pronouncement.

By Monday morning things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.

Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained an administrator login to a security vendor’s patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting the Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware’s victims.

The prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the peninsula. However there’s no hard evidence to support this conclusion. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/25/sk_data_wiping_malware_latest/

Maybe don’t install that groovy pirated Android keyboard

A mobile software developer has turned a popular third-party Android mobile keyboard called SwiftKey into a counterfeit package loaded with a trojan as a warning about the perils of using pirated or cracked apps from back-street app stores.

Georgie Casey, who runs a popular Android app-development blog in Ireland, created a modified (backdoored) version of SwiftKey using a tool called apktool combined with basic knowledge of Java and Android. The end result was a backdoored app called Keylogger SwiftKey APK, which Casey made available from his website (along with explicit warnings that it was to be used by interested parties and only to validate the problem).


“Apktool isn’t keylogging software, it’s an Android app disassembler,” Casey told El Reg.

“You disassemble a Swiftkey keyboard, code your keylogger code that sends keylogs to my server, re-assemble with Apktool and now you’ve a keylogger. You still have to convince people to install it though.”

Casey added that using pirated Android apps, especially from third-party stores, is a serious security risk. He reckons the threat also extends to iPhone apps on a jailbroken phone, a theme he expands upon in a blog post on his development of Keylogger SwiftKey APK that also provides a detailed explanation of how he pulled off the trick.

“Cracked copies of PC and iPhone apps can have malware as well, of course, but on both those platforms most software is compiled to machine code,” Casey writes.

“Android apps are coded in Java and compiled to byte code that is run on the Dalvik VM and this byte code is not that hard to edit and insert back into an APK.”

The backdoored code would have been capable of uploading any keystrokes entered by unwitting users (potentially credit card details, webmail logins and more) to a remote server. The exercise shows that the threat from pirated malware-laden apps extends beyond games to utilities such as SwiftKey.

Casey told El Reg:

“Should custom Android keyboards even be allowed? We can agree that TLS/SSL is great security against man in the middle attacks but it doesn’t really matter if the custom keyboard you’ve installed is sending your bank PIN or CC numbers to an external server.”

Statistics from Trend Micro show the problem of dodgy Android apps is far from isolated. The security software firm’s Mobile App Reputation service sources and analyses Android apps from around the world, scoring the mobile software apps on the basis of maliciousness, resource utilisation and privacy.

Trend has surveyed some 2 million apps, or around three times the total number of apps on Google Play. More than one in ten of these apps (293,091) were classified as malicious with a further 150,203 classified as high risk, according to the latest figures.

Google Play is as much a part of the problem as unofficial app stores in the developing world.

“Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play,” writes Rik Ferguson, director of security research and communications at Trend Micro.

“It’s not just Chinese and Russian app stores.”

And outright maliciousness is just a start of the problems.

One in five (22 per cent) of the apps were found to inappropriately leak user data over the network, SMS or telephone. The leaked data most often includes IMEI, contact data and telephone number. A few apps were even found to leak data using the microphone and camera. A further third (32 per cent) of the apps were classified as “poor” in terms of battery usage, a quarter (24 per cent) “poor” for network usage and a similar 28 per cent were memory hogs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/25/android_security_omnishambles/