STE WILLIAMS

Banged-up Brit hacker hacks into his OWN PRISON’S MAINFRAME

A UK hacker behind bars for computer fraud hacked into his prison’s mainframe during an IT lesson.

Nicholas Webber, 21, of Southsea, Hampshire, was able to access the system after being allowed to join the jail’s technology classes.


Webber was sent down for five years in May 2011 for masterminding the infamous GhostMarket.net cybercrime marketplace. Fraudsters used his website to trade stolen credit-card details. GhostMarket, one of the biggest underground bazaars of its type with 8,500 members, even offered tutorials on identity theft for inexperienced and wannabe criminals.

GhostMarket’s treasure trove of information was used to steal £15m from 65,000 bank accounts worldwide, according to some estimates.

Webber, GhostMarket’s founder, used his website’s profits to buy computers, video games, iPhones and iPods worth £40,000. But it was his taste in luxury hotels that proved his undoing: Webber was arrested for using fraudulent credit card details to pay for a penthouse suite at the Hilton Hotel in Park Lane, London, in October 2009.

He was subsequently prosecuted for computer fraud offences, convicted and eventually sent to HM Prison Isis, a category-C young offender institution for males, in southeast London. The hacker managed to sign up for the prison’s IT class before infiltrating the prison’s mainframe computer, The Daily Mail reported.

A prison service spokesman confirmed that Webber was involved in a hack on the prison’s systems while downplaying the significance of the compromise.

“At the time of this incident in 2011 the educational computer system at HMP Isis was a closed network. No access to personal information or wider access to the internet or other prison systems would have been possible,” the spokesman told The Reg.

News of the hack emerged during an unfair dismissal case brought to an employment tribunal by Michael Fox, the prison’s IT teacher. Fox, who was employed by Kensington and Chelsea College, gave lessons at HMP Isis, but this ended after he was blamed for the hack and excluded from the prison. College bosses failed to find Fox alternative work even though he was cleared of any wrongdoing at a disciplinary hearing last March.

Fox said he was not aware of Webber’s crimes when the hacker joined the prison’s IT class. Fox also maintained that it wasn’t his decision to admit the lad to the course, which aims to give young offenders skills that will give them a better chance of finding gainful employment once they leave prison. Fox’s tribunal hearing, which was held in Croydon on Friday, was adjourned until April, according to the Mail.

Commentary on the security implications of the prison computer compromise can be found in a post on Sophos’s Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/

Japanese govt: Use operator-run app stores, not Google Play

Google’s security credentials have taken another hit after the Japanese government warned local Android users to download their apps from third party operator-run stores, and not Google’s own Play, following the discovery of a prolific info-stealing app on the official site.

The Tokyo-based Information Technology Promotion Agency (IPA) alerted domestic Android users last Friday that a rogue app named “sexy porn model wallpaper” had already been downloaded 500,000 times from Google Play before being spotted and removed.


The app, which promises “sexy fresh girls wallpaper”, works like many others of its kind by requesting user permission to access phone information including location details, email address and terminal information before sending it on to a third party server.

While not containing any malware, the app has no good reason to request access to such info, and effectively uses the “sexy girl” content to distract users while lifting this data in the background, said IPA.

The government-backed body warned users off Google Play and instead urged them to visit third party app stores run by mobile operators – such as KDDI’s “au Smart Path”, Docomo’s “D Market” and Softbank’s “Yahoo! Market” – saying that, “in these markets, operators carry out their own checks of the app”.

Google’s Android ecosystem has long been criticised for its lack of in-built security checks, although the Chocolate Factory responded to concerns by launching an app verification service for Google Play recently.

That said, its efficacy has been called into question by researchers, and the security vendor community is claiming threats will continue to snowball on the platform.

Trend Micro, for example, predicted recently that the number of malicious and high-risk Android apps would reach the one million mark this year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/android_app_google_play_fraud/

New class of industrial-scale super-phishing emails threatens biz

Security watchers are warning of a surge of highly convincing spear-phishing emails sent in bulk.

More than one in 10 recipients of these so-called longlining* messages click on links to compromised websites because the phishing emails look utterly plausible, according to cloud-based security services firm Proofpoint.


The combination of tailored emails and mass volume means that cyber-criminals can cost-effectively send 10,000 or even 100,000 individual spear-phishing messages, all potentially capable of bypassing traditional security defences. This approach greatly improves odds of success and the ability to exploit zero-day security vulnerabilities in victims’ PCs, Proofpoint warns.

Unlike conventional mass-mailing phishing lures, the ‘hooks’ (email messages) are highly variable rather than all identical. The body content also includes multiple mutations of an embedded URL, which points to an innocuous website to begin with but is then booby-trapped some time after the email is sent. Attackers can distribute thousands of email-borne malicious URL ‘hooks’ in a matter of hours, according to Proofpoint.

The company said that it has observed, documented and countered dozens of longlining attacks globally over the last six months. Victims are lured into visiting “drive-by downloads” websites that typically exploit browser, PDF and Java security vulnerabilities to install “rootkits” on vulnerable PCs.

No user action is required beyond clicking on the emailed URL and visiting a malicious website. In many cases system compromises were triggered when employees accessed corporate email accounts from home or on the road and sometimes using mobile devices.

One wave originating from Russia last October included 135,000 emails sent to more than 80 companies in a three-hour period. To avoid detection, the attacker used approximately 28,000 different IP addresses for its sending agents, 35,000 different ‘sender’ aliases, and more than twenty legitimate websites compromised to host drive-by downloads and zero-day-exploiting malware.

Because of the different agents, sender aliases, URLs, subject lines and body content, no single targeted organisation saw more than three emails with the same characteristics. All these characteristics meant the attack would fail to register as anything more than background noise and stood an excellent chance of making it past traditional signature and reputation-based anti-spam defences and secure gateway appliances as a result.

In another attack, approximately 28,800 messages were sent in multiple one-hour bursts to more than 200 enterprises. The campaign consisted of 813 unique compromised URLs sent from 2,181 different sending IPs. Again, each organization saw no more than three messages with identical content.

By using a distributed cloud of previously compromised machines and process automation to create high variance, attackers have been able to combine the stealth techniques and malicious payloads of spear-phishing with massively parallel delivery.
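Why per-organisation duplicate counting sees only background noise in such a wave, while grouping across organisations on the one low-variance feature (the small pool of compromised hosting sites) surfaces it. This is an added example, not code from the article or from Proofpoint; the message records, field names, thresholds and `example.*` hosts are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def build_constructed_wave():
    """Constructed sample (not real telemetry): 40 orgs x 30 lures, every
    sender alias, subject and URL unique, all links on a pool of 5 hosts."""
    start = datetime(2013, 1, 1, 9, 0)
    hosts = [f"site{i}.example.net" for i in range(5)]
    msgs, n = [], 0
    for org in range(40):
        for _ in range(30):
            n += 1
            msgs.append({
                "org": f"org{org:02d}",
                "ts": start + timedelta(seconds=(n * 9) % 10800),  # within 3 h
                "sender": f"alias{n}@relay{n}.example.org",
                "subject": f"Invoice {n}",
                "url": f"http://{hosts[n % 5]}/p/{n:x}",
            })
        for k in range(5):  # benign newsletter, one vendor host per org
            msgs.append({
                "org": f"org{org:02d}",
                "ts": start + timedelta(minutes=10 * k),
                "sender": f"news@vendor{org:02d}.example.com",
                "subject": f"Issue {k}",
                "url": f"http://vendor{org:02d}.example.com/issue/{k}",
            })
    return msgs


def per_org_duplicate_alerts(msgs, threshold=4):
    """Per-organisation view: exact (sender, subject, url) repeats.
    threshold=4 is an assumed setting, one above the 'no more than three'
    identical messages per organisation that the article reports."""
    seen = Counter((m["org"], m["sender"], m["subject"], m["url"]) for m in msgs)
    return [key for key, count in seen.items() if count >= threshold]


def cross_org_host_clusters(msgs, window=timedelta(hours=3),
                            min_orgs=10, min_urls=50):
    """Cross-organisation view: flag URL hosts that, inside one sliding
    window, are linked from many organisations through many distinct URLs."""
    by_host = defaultdict(list)
    for m in msgs:
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host:
            by_host[host].append((m["ts"], m["org"], m["url"]))

    flagged = {}
    for host, rows in by_host.items():
        rows.sort()
        orgs, urls = Counter(), Counter()
        lo, best = 0, (0, 0)
        for ts, org, url in rows:
            orgs[org] += 1
            urls[url] += 1
            while ts - rows[lo][0] > window:  # evict rows older than window
                _, old_org, old_url = rows[lo]
                orgs[old_org] -= 1
                urls[old_url] -= 1
                if not orgs[old_org]:
                    del orgs[old_org]
                if not urls[old_url]:
                    del urls[old_url]
                lo += 1
            best = max(best, (len(orgs), len(urls)))
        if best[0] >= min_orgs and best[1] >= min_urls:
            flagged[host] = {"orgs": best[0], "urls": best[1]}
    return flagged


if __name__ == "__main__":
    wave = build_constructed_wave()
    print("per-org duplicate alerts:", len(per_org_duplicate_alerts(wave)))
    for host, stats in sorted(cross_org_host_clusters(wave).items()):
        print(host, stats)
```

Popular legitimate hosts linked from many organisations would meet the same thresholds, so in practice the host grouping has to be compared against each host's historical baseline.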

“With longlining, cyber-criminals are combining the stealth and effectiveness of spear phishing with the speed and scale of traditional phishing and virus attacks,” said David Knight, executive vice president of product management for Proofpoint.

Proofpoint has published a whitepaper on longline phishing attacks which can be found here (registration required). ®

Bootnote

* Longlining is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/longlining_phishing/

Need an army of killer zombies? Yours for just $25 per 1,000 PCs

As little as $25 will buy you access to a thousand malware-infected PCs, neatly packaged as a botnet army to control or spy on. That’s according to a security researcher studying underground souks of zombie computers.

But the prices increase steeply for the more discerning crook who only wants to use compromised machines in America or Europe for nefarious purposes.


Whereas 1,000 PCs whose whereabouts aren’t known cost 25 bucks, control over confirmed EU-located systems sells on one underground bazaar for $50, $225, and $400 for 1,000, 5,000, and 10,000 compromised hosts, respectively.

Botnets with drones solely located in Canada, Germany and Great Britain cost $80 per 1,000. Prices for top-of-the-line US machines start at 1,000 zombies for $120. By contrast machines located nowhere specifically cost almost five times less.

The figures were put together by Dancho Danchev of security biz Webroot from sales prices advertised on a newly established underground cybercrime forum. US machines are more expensive because their owners have greater online purchasing power than their counterparts elsewhere, Danchev explained in a blog post.

Payment for the botnets can be made with various forms of electronic currency including WebMoney, Liberty Reserve and bitcoins.

The e-shop is another example of how hackers have adopted tactics from legitimate businesses, in this case market segmentation, to increase sales. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/botnet_price_list/

WHY would survey-slingers give YOU a free $1,500 Google Glass?

Credulous punters’ desire to get their hands on Google’s new Project Glass head-mounted display is already being used against them by cyberscammers.

The Chocolate Factory’s augmented reality glasses may be still at the prototype stage, but cybercrooks have latched onto the recent release of a demo video with their own cyber-chaff, combined with the black arts of search engine result poisoning.


As a result the top result for the search term “free Google glasses” is an eye-catching YouTube link with the title [{FREE}] Google Project Glass [[FREE GOOGLE GLASSES].

The video was copied from the original Google Glass YouTube advertisement but features links to a dodgy site in the comments. The site supposedly offers information on how “it’s possible to get similar glasses for free!” or to become a beta tester for Google Glass.

In reality the links on the scamvertised site put users through the hoops of a survey scam, which attempts to trick prospective marks into signing up to deceptively marketed premium-rate phone services, Trend Micro warns.

The security firm has added the website associated with the scam to its URL blacklist. It notes the re-appearance of similar scams is more than likely, so users should be cautious about implausibly generous offers. The concern is that Google Glass is likely to become a theme of survey scams, replacing bogus offers of free iPads as a staple of this type of short con in the process.

“Currently, there’s no way for users to get Google Glass,” Ruby Santos, a fraud analyst at Trend Micro, warns in a blog post. “Preorders were only accepted at Google I/O 2012 more than eight months ago, and a campaign asking for ways to use Glass creatively just ended.

“We advise users to avoid clicking on unfamiliar links, particularly those that offer too-good-to-be-true deals. (Considering the pre-order cost $1,500, this would count as too-good-to-be-true.) Users should likewise be cautious of schemes that may abuse the #IfIhadGlass campaign.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/google_glass_survey_scam/

Evernote joins the notably hackable club

Evernote has joined the growing list of companies whose cloud-based services have suffered a serious security breach, announcing over the weekend that it had implemented a service-wide password reset after attackers accessed user information.

Happily, the company’s announcement notes, the passwords accessed were salted hashes, which should mean they last longer than the passwords lifted from the Australian Broadcasting Corporation recently.

The user information accessed by the attackers also included user IDs and e-mail addresses.

All Evernote users were required to reset their passwords in case the attackers are able to recover passwords from the salted hashed list. The password reset will apply not only to Evernote logins, but to all apps that users have given access to their Evernote accounts.

Other major names to be hit in recent attacks include Apple, Facebook, Twitter and Microsoft, with a Java zero-day behind most of the vulnerabilities.

The company says the attack “appears to have been a coordinated attempt to access secure areas of the Evernote Service”.

The usual suggestion, that users choose strong passwords that they don’t re-use, will no doubt be ignored by a small-but-significant number of Evernote’s customers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/04/evernote_password_reset/

Yet another Java zero-day vuln is being exploited

A new Java zero-day vulnerability is being exploited by attackers, and until it is patched everyone should disable Java in their browser.

The vulnerability targets browsers that have the latest version of the Java plugin installed – Java v1.6 Update 41 and Java v1.7 Update 15 – malware researchers FireEye reported on Thursday.


It has been used to attack multiple customers, FireEye said.

“We urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to ‘High’ and do not execute any unknown Java applets outside of your organization,” the researchers wrote.

The exploit attempts to download a McRAT command-and-control executable onto the user’s computer. McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications.

Fortunately for web users the world over, the exploit “is not very reliable”, the researchers write. In most cases, the payload fails to execute and leads to a JVM crash.

Oracle has assigned CVE-2013-1493 to the vulnerability, but at the time of writing had not responded to requests for further information or issued a patch.

This vulnerability follows a widespread zero-day Java attack against large tech companies Apple, Facebook, Microsoft, Twitter, and others in January.

Oracle issued a Java Critical Patch Update on February 1 in what now seems to be a response to these attacks, but the patch wasn’t watertight, and the database giant was forced to issue another update on February 19. It seems that fix was not sufficient. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/01/another_day_another_java_zero_day/

RSA roundup: Big trouble in not-so little China

RSA 2013: This year’s RSA conference is winding down. The expo hall is closed, most presentations are getting only sparse audiences, and there’s only the jokey keynotes left to run this Friday afternoon.

Once again Dr. Hugh Thompson (a man described by one delegate as “irrepressibly perky and with a face made for punching”) is doing his usual shtick on stage, talking about the latest trends in the business. He’ll be followed by the now-traditional mainstream politician’s slot.


In days of yore the last keynote of the day was traditionally reserved for quirky but relevant speakers, such as reformed ex-hacker Frank Abagnale. But in the last couple of years the choices have been political – and the results haven’t been good. Bill Clinton bored and a smug sermon from Tony Blair wasn’t welcome.

Thankfully this year it’s Condoleezza Rice, who has a wealth of knowledge on the subjects of security and the internet. It’s a good way to end what has been one of the busiest and brightest RSA conferences in ages. Compared to last year’s more somber performance, there was a lot more optimism among attendees.

The San Francisco conference was blessed with sunshine after the torrential downpours (by local standards) of last year, and the Expo hall was packed with vendors who reported a lot more business done without the usual gloomy expressions. Sadly, booth babes are back in force: gentlemen, the 1960s called and want their attitudes back.

But the real meat of the conference is the technical sessions, and entry to most was rationed to a one-in-one-out policy unless you got there early enough. There were a lot of talks on Big Data (understandable, given RSA’s scene-setting), not much on mobile, some interesting ideas on encryption, and everyone mentioned China.

Mandiant’s report accusing China’s People’s Liberation Army the week before the show caused a lot of interest, and El Reg should have some more news for you on that front later. But what’s really scaring people is the possibility of China building the hacking of trade secrets into industrial policy.

Nation states have always stolen secrets from each other, and it’s something that no one should get on too high a horse about. But speaker after speaker warned that unless the industry gets its act together, all the latest research, business plans, and other corporate secrets in the Western world are up for grabs. China’s complaints that it is more sinned against than sinning got short shrift.

White House cybersecurity coordinator Michael Daniel told delegates that the government is here to help. President Obama’s recent executive order showed that the government is firmly committed to both privacy and security, Daniel said, and he called for the industry’s support to tackle the threat. Meanwhile, former DHS czar Michael Chertoff was pushing CISPA, saying it was vital for the national infrastructure.

As in recent years, the Feds were at the conference in force, holding special sessions to brief the security industry and look for new ideas. The NSA expo booth – a concept unthinkable not that long ago – was actively recruiting on the show floor, even luring geeks by having an original Enigma machine on display.

Boeing, a company with a long history of government work, said that it was throwing its hat into the security ring with a new spin-off company, Narus. Its unfortunately named Cyber 3.0 suite promises to use machine learning to lock down threats – expect more details in August.

It’s clear that if you want to get a good-paying job in the industry, security is the way to go. Keeping it, considering all the threats currently out there, might be a very different job, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/01/rsa-roundup/

Prepare for ‘post-crypto world’, warns godfather of encryption

Cryptography is ‘becoming less important’ because of state-sponsored malware, according to one of the founding fathers of public-key encryption.

Turing award-winning cryptographer Adi Shamir (the S in RSA) said the whole basis of modern cryptography is under severe strain from attacks on security infrastructure such as the attack on app whitelisting firm Bit9 and problems with certificate authorities such as Turktrust, two recent examples of trends that have been going on for some years.


“I definitely believe cryptography is becoming less important,” Shamir said. “Intelligence gathering services around the world are going through a phase shift. In the 19th century if you wanted to know the plans of Napoleon you need a CIA-type agent next to him. In the 20th century if you wanted to know the plans of Hitler during the Second World War you had to listen to the communication and break the crypto, this was an NSA-type operation.”

In the 21st century these approaches are becoming less useful, with hacking and Advanced Persistent Threat-type attacks featuring spear-phishing and custom malware becoming more important to spies, according to Shamir. The US is quadrupling the size of its cyber-combat unit for a reason, he said.

“In effect, even the most secure locations and most isolated computer systems have been penetrated over the last couple of years by a variety of APTs and other advanced attacks,” Shamir said. “We should rethink the question of how we protect ourselves.

“Traditionally the security industry has thought about two lines of defence. The first line was to prevent the insertion of the APT in a computer system with antivirus and other defences. The second was many companies trying to detect the activity of the APT once it’s there. But history has shown us that the APT have survived both of these lines of defence and operate for many years.”

Security needs to be rethought along the lines of how it might be possible to protect a system that might be infected by something that might remain undetected. Not everything is lost even in these circumstances, according to Shamir, who argued that any APT would be tightly constrained and unable to extract a large volume of data.

“I want the secret of the Coca-Cola company not to be kept in a tiny file of 1KB, which can be exfiltrated easily by an APT,” Shamir said. “I want that file to be 1TB, which can not be exfiltrated. I want many other ideas to be exploited to prevent an APT from operating efficiently. It’s a totally different way of thinking about the problem.”

Ron Rivest, who teamed up with Shamir to develop the RSA encryption algorithm, asked what could stop the malware from compressing the target data. This led onto a discussion about disguising or obfuscating file names. “Let’s hope that confuses the opponents more than it confuses us,” Rivest said, to laughs from the audience.

Shamir made his comments during the cryptographers’ panel session at the RSA Conference in San Francisco on Tuesday that also featured Rivest, ICANN’s Whitfield Diffie and Stanford University’s Dan Boneh. Diffie took issue with Shamir’s argument that cryptography is becoming less important – arguing it’s like saying that the net is less important in volleyball because the poles keep falling over. “The keys need to be well-supported at either end and that’s where we’re having the problems,” Diffie said, arguing that cryptography remains essential.

Shamir responded: “In the Second World War if you had good crypto protecting your communication you were safe. Today with an APT sitting inside your most secure computer systems, using cryptography isn’t going to give you much protection.

“It’s very difficult to use cryptography in an effective way if you assume that an APT is watching over the computer system, watching everything that is being done, including the encryption and decryption process.”

Shamir’s remarks, the infosec equivalent of Paul McCartney saying guitar bands have had their day, can be found in a video recording of the RSA 13 cryptographers’ panel session on YouTube here. The debate on whether or not we’re moving towards a ‘post-cryptography’ world runs between around the 10 and 22 minute marks. A discussion of quantum computing and quantum cryptography that runs for about 10 minutes from the 32 minute mark is also well worth watching.

“We shouldn’t worry much about post-quantum cryptography but we should think about post-cryptography security,” added Shamir. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/01/post_cryptography_security_shamir/