STE WILLIAMS

Ex-Exel president found guilty of hacking former employers

The former president of transportation logistics firm Exel has been found guilty of hacking into the servers of his former employer to glean secrets for his new business.

A federal jury found Michael Musacchio, 61, guilty of one felony count of conspiracy to make unauthorized access to a protected computer (hacking) and two substantive felony counts of hacking. His two accomplices, Joseph Roy Brown and John Michael Kelly, have already pleaded guilty and the trio will be sentenced in June.


“Trial testimony and exhibits established that between 2004 and 2006, Musacchio, Brown, and Kelly engaged in a scheme to hack into Exel’s computer system for the purpose of conducting corporate espionage,” the FBI said in a statement.

“Through their repeated unauthorized accesses into Exel’s e-mail accounts, the co-conspirators were able to obtain Exel’s confidential and proprietary business information and use it to benefit themselves and their new employer.”

Musacchio was promoted to president of Exel in 2002 and lasted for two years before leaving the firm to set up a rival in the same sector named Total Transportation Services. Over the next two years he and his two associates ran riot through Exel’s servers, harvesting information about clients and operations.

It’s unclear how much hacking Musacchio and his pals actually needed to do in this case, however. Based on this hack’s experience, companies are very lax about shutting down old accounts from staff who have moved on (it took one former employer over six months), and Musacchio may have used this negligence to gain the information he was after.

He is now facing over a decade behind bars and financial ruin as a result of the case, although Total Transportation Services is still functioning, albeit with an entirely new management team. Neither it nor Exel responded to requests for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/exel_president_guilty_hacking/

Java malware spotted using stolen certificate

If you haven’t already installed the latest Java patch (issued yesterday), here’s another good reason to do so: someone has turned up an exploit that uses signed code.

In this post, Eric Romang looks at a malicious applet that comes with a signature using credentials stolen from Clearesult Consulting in the US.


The stolen private key was posted to Pastebin. Even though the applet is using a now-revoked certificate, it seems that it’s up to the user to check the revocation lists. Otherwise, if they trusted the assertion that the applet is signed, they would be well on the way to an infection.

The malicious applet probably had only limited exposure, since it was hosted at a German dictionary (http://dict.tu-chemnitz.de/) site that was infected with the g01pack exploit kit.

However, according to the Twitter message that first raised the alarm, the exploit was spotted on a machine running the version of Java that Oracle made obsolete yesterday (March 4, US time).

It’ll still warrant testing, though. Announcing the patch, Oracle’s Eric Maurice said the new install set Java’s security settings to “High” by default, demanding that users authorize unsigned or self-signed apps before running them.

“In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin,” Oracle advises.

If the applet reported by Romang behaves as he describes, it still seems feasible to El Reg that a user might okay the installation rather than checking a revocation list to make sure the certificate is current.

Alternatively, the remaining Java users could just get rid of it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/java_self_signed_exploit_spotted/

Google blats bugs in Chrome

Pwn2Own 2013 Google patched 10 security vulnerabilities in its web browser Chrome on Monday – two days before the start of Pwn2Own, the annual hacking contest in which experts race to compromise software to win prizes.

The latest update fixes flaws in Chrome’s Windows and Linux builds. Six of the 10 holes addressed are rated as “high” risk, the second highest severity rating.


The updates bolster the defences of Chrome ahead of Pwn2Own, which tees off on Wednesday at the CanSecWest security conference in Vancouver, Canada.

Boosting the browser’s fortifications obviously benefits the web giant two-fold: if its product remains intact, it gets bragging rights over its rivals, who will also be targeted in the contest. And Google contributed to the competition’s $560,000 prize fund, but presumably can claw back unclaimed cash.

Microsoft battled to secure all versions of its Internet Explorer browser, including versions 9 and 10, by issuing two updates in February that collectively squashed 14 security bugs. A cumulative IE update is a regular feature of the Windows giant’s monthly Patch Tuesday, but pushing out two is highly unusual. It’s suspected that Redmond’s security gnomes may have been thinking ahead to Pwn2Own.

Meanwhile, Mozilla updated Firefox on 19 February, fixing eight security bugs in the process, again possibly with one eye towards Pwn2Own.

Pwn2Own 2013 expands the focus of the hackathon beyond phones and web browser vulnerabilities to include hacks that exploit vulnerabilities in Adobe Reader, Adobe Flash and Oracle Java. Prizes will be awarded according to a sliding scale of perceived difficulties. Successful hacks against Google Chrome on Windows 7 will earn $100,000, while pwning IE 9 on Windows 7 is worth $75,000 and Apple Safari on OS X Mountain Lion will earn up to $65,000.

By contrast, exploiting Oracle Java web browser plugins in Internet Explorer 9 on Windows 7 earns a maximum of $20,000, five times less than the maximum prize for hacking IE 10 on Windows 8 ($100,000). Tellingly, Java exploits also earn less than a third of the $70,000 prize for exploiting either the Adobe Reader or the Flash plugin for IE 9 on Windows 7. In total, $560,000 is up for grabs, a record prize fund.

Upon successful demonstration of an attack, the contestant will be required to provide HP’s Zero Day Initiative (ZDI) a fully functioning exploit and all the details of the discovered vulnerability. HP’s ZDI and Google are the main sponsors of this year’s competition. Successful security researchers also gain possession of the kit they’ve hacked into as part of their prize, hence the Pwn2Own title of the competition. Past winners of the competition include Charlie Miller, serial exploiter of Apple bugs.

Unlike previous editions of the event, a prize for hacking into smartphones will not be a feature of this year’s competition.

The third annual Google-organised Pwnium competition, also taking place at CanSecWest, offers a prize fund of $3,141,590 to researchers who can successfully crack the advertising giant’s Chrome OS. Details of this parallel competition can be found in a blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/google_chrome_pre_pwn2own_update/

MI5 test for Mandarin-speaking snoops ‘just too easy’

British intelligence nerve-centre MI5 is recruiting fluent Chinese speakers to eavesdrop on phone calls – but it got more than it bargained for when its Mandarin comprehension test was ridiculed by Redditors.

Blighty’s Security Service set up an online language exam, which encourages peeps with Mandarin, Russian, Sylheti, Swahili, Somali and Pashto skills to test their suitability for a role with the service.


It explains as follows:

The tests reflect the nature of some of the work of our Foreign Language Analysts, Mandarin Intelligence Analysts and Russian Analysts, who listen to lawfully intercepted phone calls made by the targets of our investigations.

You’ll use your judgement, language skills and cultural knowledge to decide between those calls that are important and those calls that are not, and transcribe your findings in clear and succinct written English to help further investigations.

However, users of the wildly popular social news website Reddit took the Chinese exam – which requires the applicant to read or listen to a passage and answer a set of related questions – and were none too impressed with the quality of the language.

One Redditor, willdunz, opined yesterday: “This can’t be the real admission test right? I mean nobody talks like that in China; even those news anchors on CCTV [China Network Television] talk faster than this.”

Another, snackburros, claimed that the “written passage has some grammar, usage and sentence structure awkwardness to it”. One wag, getting his MI6 and MI5 mixed up, added: “Easiest test ever. I’m gonna be the first American James Bond in China.”

To be fair, the test is meant to be a basic first hurdle for those interested in such a role, rather than a green light for Chinese speakers into one of the UK’s most secretive and revered institutions.

MI5 explained as much in the following disclaimer:

The clips do not reflect the full complexity of the challenges offered by our analyst roles but they are indicative of the type of skills successful candidates should be comfortable using on a routine basis.

The Security Service, which mainly tackles major crime and terrorism within the UK, needs more language experts as it makes more requests to telcos than any other body for information on phone calls and internet activities in the UK.

That was according to a parliamentary report last month into a controversial draft communications surveillance law, which calls for much wider snooping powers. Officials claimed there is a 25 per cent “shortfall” between the comms data the authorities want and what they can currently get. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/mi5_reddit_spy_chinese_language_recruit/

Cyber-007 MiniDuke stalked Europe for at least 21 MONTHS

MiniDuke, the recently discovered cyber-spy malware aimed at governments and their agencies in Europe and elsewhere, has been operating for at least 21 months.

A sample of the software nasty, discovered by researchers at Romanian antivirus firm Bitdefender, dates back to at least 20 June, 2011. Later variants of the spying tool connect to a US Navy server to fetch the latest time and date rather than looking up the current date in China from a neutral server.


The 2011 vintage MiniDuke sample pulls the location of its command-and-control systems from an active Twitter account – a single encoded URL was tweeted on 21 February, 2012 – and lies dormant on infected computers if it can’t connect to Twitter. The Microsoft Windows malware, essentially an executable embedded in a .dll file, installs itself on the infected computer and opens a backdoor allowing intruders to control and snoop on the PC.

Later variants search Google as a backup technique to discover the whereabouts of its masters’ command-and-control servers; this functionality is absent in the 2011 sample. All builds of the malware use encrypted channels to communicate between compromised machines and the central command systems, which are assumed to be hacked servers.

The latest 2013 variants of the malware are notable for using malicious PDF files that exploit software security holes by successfully bypassing Adobe’s sandbox technology – which is supposed to stop code within documents from harming the underlying system.

Catalin Cosoi, chief security strategist at Bitdefender, said that all versions discovered so far show that MiniDuke was designed to spy on government targets.

“MiniDuke was clearly designed as a cyber-espionage tool to specifically target key sensitive government data,” he said. More details on the early versions of MiniDuke can be found on Bitdefender’s website here.

MiniDuke has infected government organisations in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised.

Romania’s intelligence service SRI described MiniDuke as a state-sponsored weapon that had an even bigger impact than the earlier Red October attack, a computer espionage mission that targeted Eastern Europe and former Soviet countries.

Both Red October and MiniDuke operated for many months before they were detected by antivirus vendors, a delay that is all too common when “advanced persistent threat” teams deploy malware against US media giants, human-rights activists, military contractors, energy firms, IT companies and other targets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/miniduke_early_variant/

Report: Danish government hits Microsoft with $1bn tax bill

The Danish government is reportedly chasing down Microsoft for nearly a billion dollars in missing tax revenue, stemming from its purchase of Viking accountancy software firm Navision.

According to local media outlet DK, the Danish authorities have begun what could be the largest tax case in the country’s history, involving Microsoft’s actions after it bought the accountancy software firm Navision for $1.3bn in 2002 and converted it into Microsoft Business Solutions.


The deal was opposed by accountancy software firm Sage as likely to be harmful for competition, but it was approved nonetheless. According to sources in the Danish tax ministry, Microsoft then started work on finding ways around Denmark’s notoriously high taxes.

According to the report, Microsoft sold the rights to Navision’s code to its Irish subsidiary, which in turn is owned by Redmond offshoots in the Virgin Islands and Bermuda. This allowed Redmond to redirect revenues back into its corporate coffers, diverting nearly $11bn in local revenues out of the country and paying a pittance to the Danish authorities.

All this is technically legal, provided it’s done right. But the tax authorities have been investigating, and a source told DK that the government thinks it can prove Microsoft sold the rights to its Irish branch at significantly below market value. It has hit Redmond with a tax bill of 5.6bn Danish kroner ($0.98bn), representing lost taxes and interest.

The case certainly has the potential to be massive. Steve Ballmer reported in 2004 that Danes bought more Microsoft business software per capita than anyone in the world. A year later, Redmond was forced to deny reports that it was threatening to pull jobs out of Denmark over the former Vikings’ opposition to the European directive on Computer Implemented Inventions (CII).

Microsoft has not made any official comment thus far, and the Danish authorities are unlikely to make any statements until they’ve brought home the bacon. But people familiar with the matter said that at the time, Microsoft hired a third-party company to assess a fair price for the technology. For its part, Microsoft disputes the timeline of the report and said the Irish subsidiary wasn’t involved.

When it comes to clawing money from foreign companies, the Danes have something of a history. In the ninth century the Danish king Cnut conquered much of England, taking vast amounts of tribute (or Danegeld) from the hapless Britons.

The Danes have calmed down a lot since then, but the Seattle coast guard might want to be on the lookout for the odd longboat floating offshore. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/danish_tax_bill_microsoft/

Oracle trowels more plaster over flawed Java browser plugin

Oracle has issued a rare emergency patch to address two vulnerabilities in the Java plugin for web browsers that the company says are being actively exploited.

“Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 ‘in the wild,’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company announced.


The exploits were first reported on Friday by security firm FireEye, which urged all six Java users who have not yet disabled the plugin in their browsers to do so immediately.

The Java web plugin has come under repeated attack via a series of vulnerabilities that have been exposed in recent months, beginning with a flaw discovered by FireEye in August 2012.

Oracle said the flaw currently under attack was reported to it on February 1 of this year, which was too late for the database giant to include a fix in its regularly scheduled Critical Patch Update on February 19.

The next Critical Patch Update isn’t scheduled to arrive until April 16, but Oracle says the fact that live exploits have been discovered prompted it to issue a fix for this flaw and another, related bug outside of its normal patch schedule.

The last time Oracle did something similar was as recently as February 4, when the company rushed out an update that addressed some 50 flaws.

Oracle said both vulnerabilities addressed by the new patch involved the 2D graphics component of Java SE, and that both could be exploited over a network without the need for a username and password.

The company says that, like other recent Java exploits, these are strictly limited to Java running inside a browser window, and that Java applications running on desktops or servers are not vulnerable.

Oracle’s Eric Maurice further noted that a recent Java update has switched the software’s security settings to “High,” which requires users to expressly authorize any applets that are unsigned or that have been self-signed.

“As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet,” Maurice said, and advised users to only authorize applets that they know and whose origins they trust.

Or, as mentioned earlier, they could simply get rid of that buggy plugin altogether. No less than the US Department of Homeland Security has recommended that users disable the Java plugin “unless it is absolutely necessary,” while some security researchers have speculated that it might take Oracle “another two years” to plug all of the holes that currently exist in the technology.

The latest patches bring Java’s version numbers up to Java 6 Update 43 and Java 7 Update 17. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/emergency_java_patch_again/

Anonymous becomes peacemaker as hacktivists battle

Anonymous has assumed the unlikely role of peacemaker in a growing dispute between Malaysian and Filipino hacktivists that has seen scores of web sites on both sides defaced over a territorial tussle.

Scores have already been killed in bloody clashes in the east Malaysian state of Sabah after a group of nearly 200 Filipino insurgents landed there three weeks ago.


The group claims to be descended from the sultanate of Sulu in the southern Philippines, which ruled parts of the Sabah region in northern Borneo for many years, and wants some of its land back.

The clashes soon went online, as hacktivists on both sides sought to deface web sites in a bid to promote their cause, according to GMA News.

As is often the case with these incidents, most of the sites hit were pretty minor with the only major impact being an irritating outage for a handful of small businesses. Most, including Philippine operator Globe Telecom, are back online now.

At the weekend, a Facebook post from a group claiming to be the “Anonymous #Philippine Cyber Army” listed 16 web sites it claimed to have hacked.

However, a lengthy statement uploaded to Pastebin by “TheAnonCause” seemed to indicate that the hacktivist group had not yet taken official sides on the dispute and asked members to send over documents to prove their territorial claims.

It called for a peaceful resolution of the dispute and an end to “petty fighting”, adding:

We urge those who are joining this argument over a petty cyber-war to stop for this will only provoke further misunderstandings. We urge the collective to research on historical backgrounds to figure out how we can contribute to the resolution careless fighting. Sorry for the inconvenience of this letter, but we are trying to change the world, not seek to destroy it…

We urge our brothers from both countries to sit and talk. Not blabber out words then fight like kids. We have no place for petty arguments and to surrender to provocative actions that we know we can answer with a larger and bolder approach.

This is by no means the first time the region has seen territorial disputes spill over into online skirmishes.

Chinese and Philippine hacktivists exchanged regular fire last year over the former’s claims to a group of rocks known as Scarborough Shoal, 100 nautical miles off the Philippine coast.

However, it’s one of the first times Anonymous has felt the need to step in as peacemaker … and urge restraint. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/filipino_malaysian_cyber_war_anonymous/

Chinese search giant Baidu launches free AV

Chinese search giant Baidu has been quietly testing the waters in the security space, with the launch of a free English language AV product for Windows.

Baidu Antivirus 2013 features traditional signature-based AV and cloud-based threat protection and tries to optimise PC performance along the way. Little other information about the new tool is available, although the product is based on proprietary AV engines as well as one from German anti-virus firm Avira.


Baidu claims the offering is “permanent[ly] free”, includes English language support, and has a small system footprint at just 11MB on install and a further 10MB in “resource consumption”. It supports Windows versions from XP to Windows 8.

Baidu Antivirus 2013 is effectively the same product that launched last year in Thailand as “Baidu PC Faster”.

The release is perhaps best understood as an attempt to improve international awareness of the Baidu brand.

It comes just days after Baidu’s efforts to engage with the global app developer community, for example, with the launch of its Baidu Cloud Developer Center in English.

However, it’s also possible that the Chinese search giant is using the launch of the AV tool in English as a test run in order to make feature or usability enhancements before launching in its domestic market.

If this does eventually happen, old foe Qihoo 360 lies in wait. Qihoo claims over 400 million users for its security tools and has recently launched a search product, which has already grabbed around 10 per cent of the domestic market.

There’s certainly no love lost between the two, with Baidu set to take its new rival to court over a dispute relating to Qihoo’s search technology. Qihoo has also been publicly reprimanded by the government for unfair competition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/baidu_launches_english_av_tool/

Banged-up Brit hacker hacks into his OWN PRISON’S ‘MAINFRAME’

A UK hacker behind bars for computer fraud hacked into his prison’s computer system during an IT lesson.

Nicholas Webber, 21, of Southsea, Hampshire, was able to access the network after being allowed to join the jail’s technology classes.


Webber was sent down for five years in May 2011 for masterminding the infamous GhostMarket.net cybercrime marketplace. Fraudsters used his website to trade stolen credit-card details. GhostMarket, one of the biggest underground bazaars of its type with 8,500 members, even offered tutorials on identity theft for inexperienced and wannabe criminals.

GhostMarket’s treasure trove of information was used to steal £15m from 65,000 bank accounts worldwide, according to some estimates.

Webber, GhostMarket’s founder, used his website’s profits to buy computers, video games, iPhones and iPods worth £40,000. But it was his taste in luxury hotels that proved his undoing: Webber was arrested for using fraudulent credit card details to pay for a penthouse suite at the Hilton Hotel in Park Lane, London, in October 2009.

He was subsequently prosecuted for computer fraud offences, convicted and eventually sent to HM Prison Isis, a category-C young offender institution for males, in southeast London. The hacker managed to sign up for the prison’s IT class before infiltrating part of the institution’s computer system, The Daily Mail reported.

A prison service spokesman confirmed that Webber was involved in a hack on the prison’s systems while downplaying the significance of the compromise.

“At the time of this incident in 2011 the educational computer system at HMP Isis was a closed network. No access to personal information or wider access to the internet or other prison systems would have been possible,” the spokesman told The Reg.

News of the hack emerged during an unfair dismissal case brought to an employment tribunal by Michael Fox, the prison’s IT teacher. Fox, who was employed by Kensington and Chelsea College, gave lessons at HMP Isis, but this ended after he was blamed for the hack and excluded from the prison. College bosses failed to find Fox alternative work even though he was cleared of any wrongdoing at a disciplinary hearing last March.

Fox said he was not aware of Webber’s crimes when the hacker joined the prison’s IT class. Fox also maintained that it wasn’t his decision to admit the lad to the course, which aims to give young offenders skills that will give them a better chance of finding gainful employment once they leave prison.

Fox’s tribunal hearing, which was held in Croydon on Friday, was adjourned until April, according to the Mail. During the proceedings, Fox reportedly said: “The perceived problem [at the college] was there was a tutor who had been excluded by the prison and charged with allowing a hacking expert to hack into the prison’s mainframe.”

Commentary on the security implications of the computer compromise can be found in a post on Sophos’s Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/