STE WILLIAMS

Google squishes login-bypass bug that opened door to hijackers

Google has patched a flaw that allowed attackers to circumvent the web giant’s two-factor login system and hijack victims’ accounts.

Researchers at Duo Security said anyone could bypass a Google account’s two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the user’s application-specific passwords.

The flaw was uncovered by Adam Goodman, principal security architect at Duo Security, and the firm’s CTO, Jon Oberheide, who is best known for his research into Android security. The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.

Now for the science

Google generally asks users to create a separate application-specific password (ASP) for each program they use that doesn’t support the two-step authentication process used to log into their accounts from a web browser: typically this two-factor system texts a verification code to a user’s mobile phone that must be typed in along with the username and password.

In practice, users create ASPs for most apps that don’t use or expect this web-based login: this includes email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc); chat clients communicating over XMPP (Adium, Pidgin, etc); and calendar applications that sync using CalDAV (iCal, etc). Even some Google tech initially required the use of ASPs, including Chrome’s sync features or setting up a Google account on an Android device.

But ASPs do far more than simply access your email over IMAP, Duo Security apparently discovered. An ASP can be used to log into almost any of Google’s web properties and access account settings in a way that bypasses two-step verification.

Google included an “auto-login” mechanism for its users’ accounts in recent versions of Android and Chrome OS. So after a user links their device to a Google account, the web browser will use the device’s existing authorisation to skip Google’s web-based sign-on prompts.

Until late last week, this auto-login mechanism also granted access to the most sensitive parts of Google’s account-settings portal, including the “Account recovery options” page. Attackers could abuse this mechanism to add or edit an account’s email addresses and phone numbers to which Google sends password reset messages.

Thus, with just a username, a swiped ASP and a web request to https://android.clients.google.com/auth, a hijacker could gain access to, and control of, any Google account without a login prompt nor the need to satisfy the two-step verification process. The search giant has now plugged this hole.

A blog post by Duo Security’s Goodman explaining the security flaw, and its resolution, in far greater detail can be found here.

Google stressed to The Reg that an attacker would need to get their hands on a user’s ASP in order to pull off the hijack described by Duo Security:

The threat outlined by Duo Security first required gaining access to an application-specific password (ASP). ASPs are complex strings of characters that are not designed to be written down or memorized, so the phishing risk is very low. A separate, additional vulnerability would likely have been needed. Since last week’s change, the theoretical threat is no longer valid because using an ASP alone is insufficient to access sensitive account settings.

Oberheide said Google was correct to downplay the phishing threat but said this wasn’t the main attack vector for the now resolved security hole: getting a copy of a user’s ASP isn’t impossible.

“The phishing threat isn’t very high,” Oberheide told El Reg. “The risk is stealing an ASP stored on your endpoint (eg. for your instant messaging client, IMAP email client, etc) or intercepted by a thick client application that has insufficient SSL certificate verification (fairly common actually for crappy thick client apps).”

A good start, but…

Google’s fix (which appears to involve maintaining some per-session state to identify how one is authenticated) significantly mitigates the threat of hijacking, according to Duo Security, which specialises in providing cloud-based two-factor authentication to businesses.

ASPs are an interim approach that allows legacy software to dovetail with more advanced security protections, such as two-factor authentication. Reliance on the passwords by Google and others is expected to decline over time.

A compromised ASP could still be used to inflict significant harm on a user’s account, but that user should ultimately retain control over his account – and the ability to revoke the ASP at the first sign something has gone wrong. However, Duo would like to see Google go even further and implement some means to further restrict the privileges of individual ASPs.
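The two design points above – recording in the session how the user authenticated, and giving each ASP only the access its application needs – can be sketched in a few lines. What follows is an added illustration written for this page, not Google’s code or Duo’s; the resource names, the `AuthMethod` values and the `Session` type are assumptions chosen to mirror the article’s description.

```python
"""Step-up authorisation for sensitive account settings.

Illustrative model (not Google's implementation) of the fix the article
describes: the session records *how* it was authenticated, and the account
recovery settings demand a full interactive two-step login rather than any
valid session. ASPs are additionally confined to the legacy protocols they
were created for, which is the further restriction Duo asks for.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class AuthMethod(Enum):
    PASSWORD_2SV = auto()   # username + password + verification code, interactive
    ASP = auto()            # application-specific password, no second factor
    AUTO_LOGIN = auto()     # device-derived auto-login (Android / Chrome OS)


@dataclass(frozen=True)
class Session:
    user: str
    method: AuthMethod


# Assumed resource names. Sensitive settings are reachable only by a full
# two-step login; an ASP reaches only the protocols legacy clients speak.
ALLOWED = {
    AuthMethod.PASSWORD_2SV: {"imap", "smtp", "xmpp", "caldav", "web",
                              "account_recovery_options"},
    AuthMethod.ASP: {"imap", "smtp", "xmpp", "caldav"},
    AuthMethod.AUTO_LOGIN: {"web"},
}

SENSITIVE = {"account_recovery_options"}


def authorise(session: Session, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Sensitive resources require PASSWORD_2SV."""
    if resource in SENSITIVE and session.method is not AuthMethod.PASSWORD_2SV:
        return False, "step-up required: re-authenticate with password and verification code"
    if resource in ALLOWED[session.method]:
        return True, "ok"
    return False, f"{session.method.name} may not access {resource}"


def step_up(session: Session, password_ok: bool, code_ok: bool) -> Session | None:
    """Promote a weaker session only after BOTH factors are verified.

    An ASP or auto-login session on its own can never be promoted; the user
    has to satisfy the interactive two-step prompt again.
    """
    if password_ok and code_ok:
        return Session(session.user, AuthMethod.PASSWORD_2SV)
    return None


def pre_fix_authorise(session: Session, resource: str) -> bool:
    """The behaviour the article says existed before the fix: any valid
    session, however it was obtained, reached every resource."""
    return True


if __name__ == "__main__":
    asp = Session("alice", AuthMethod.ASP)
    for res in ("imap", "account_recovery_options"):
        print(res, "before fix:", pre_fix_authorise(asp, res),
              "after fix:", authorise(asp, res))
```

The key line is the `SENSITIVE` check in `authorise`: it runs before the per-method allow list, so even a method that is otherwise trusted for web access (auto-login) is pushed through step-up for recovery settings.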

“Despite the issue being fixed, users of Google’s two-step verification should still treat ASPs with sensitivity, since they offer deceptively broad account access if they were to be stolen, sniffed or phished,” Oberheide told El Reg.

Last week Google disclosed that it had reduced account hijacking by 99.7 per cent thanks to improved security controls, such as two-factor authentication, and risk analysis procedures that challenge users to provide additional information in cases where a login attempt is deemed suspicious.

Even though this suggests Google’s strategy is bringing home the bacon, it doesn’t mean the execution is flawless, as Duo’s research shows.

“Obviously, we’re big fans of two-factor in general,” Oberheide said. “Implementing two-factor properly and securely is no easy task though, especially in complex identity ecosystems. Even Google makes mistakes.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/google_plugs_authentication_flaw/

APT1, that scary cyber-Cold War gang: Not even China’s best

Shanghai hackers APT1 – outed this month in a high-profile report that linked them to the Chinese military – may not be China’s top cyber-espionage team despite its moniker. Security experts say the team is more prolific than leet.

The gang, believed to be carrying out orders from state officials, was accused of siphoning hundreds of terabytes of sensitive data from computers at scores of US corporations. China’s government has denied any involvement.

Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew, as one of the more successful hacking groups based on the number of targets attacked – but not necessarily on the skill level of its members.

“APT1 is one of the less sophisticated groups,” Blasco said. “They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the time they don’t use zero-day exploits to gain access.”

Several teams are said to be much more sophisticated, not least because they make extensive use of zero-day security vulnerabilities in Adobe PDF, Flash, Internet Explorer, Microsoft Office and Java to compromise systems: they often roam across domain names, IP addresses and network infrastructures, making them harder to pin down using previous intelligence.

“Their malware and tools have been built to avoid detection and to hide their presence and remain in the networks for years, giving access to the compromised companies at any moment,” Blasco said.

Confusingly, there isn’t general agreement among security researchers on how to designate or name APT (advanced persistent threat) groups. Crews tend to be named after their computer espionage campaigns: “As an example you have groups like Nitro, Aurora, ElderWood, Sykipot, Comment Crew (APT1), NightDragon, FlowerLday, Luckycat, Pitty Panda,” according to Blasco.

Google and other high-tech firms were hit by malware in an attack dubbed Operation Aurora in 2009. Google went public with details of the assault in early 2010, blaming the Elderwood Crew or Beijing Group, another group of hackers allegedly affiliated with the Chinese state’s People’s Liberation Army (PLA). The group has also been linked to attacks against Tibetan activists. Sykipot is associated with the high-profile attacks against RSA Security and linked to the NightDragon attacks.

Joe Stewart, director of malware research at Dell SecureWorks CTU, broadly agreed with Blasco’s assessment, but said that the skill level of Comment Crew’s peeps varied.

“The Comment Crew are, in general, not terribly sophisticated,” Stewart told El Reg. “But there are some people in there who are quite skilled not just in the malware they create but in their ability to hide their tracks. You are always going to get some junior members in any hacking or security group who are less skilled.”

‘Russian crims are milking this attention on China’

Industry experts such as Mandiant – which produced the high-profile dossier on APT1 this month – and Cyber Squared and others reckoned there are anywhere between a handful and 20 groups in China alone as well as a dozen more state-sponsored hacking crews in other countries.

Stewart explained that Dell SecureWorks’ research suggested that the Shanghai group was one of two main APT hacking crews based in China; the other main unit is apparently clustered around an ISP in Beijing. The so-called Beijing Group is also affiliated to China’s PLA. In addition, there are four or five anomalous groups, according to Stewart.

“The number of APT groups is hard to define,” he said. “When you look closely there are more and more links between different sub-sets that make us think that several are part of the same group.”

Policy documents from the Obama administration, published last week, blamed Russia in addition to China for some cyber-espionage. Other spying activities – such as the Red October attack against former Soviet countries and, in particular, the Flame attack against Iran and other countries in the Middle East – don’t fit the PLA-affiliated Chinese hackers narrative. US media reports claim Flame came from the same joint US-Israel operation codenamed Olympic Games that created Stuxnet.

“There is a small amount of APT activity coming out of different countries but none is on the same scale as China,” Stewart told El Reg.

A minority of security researchers reckon the focus on China as the primary source of APT attacks, which commonly feature a combination of spear-phishing and custom malware, is dangerous.

“Now that everyone’s obsessed with China, the Russian underground can continue ‘milking’ its favourite cash cow, the US,” said cybercrime researcher Dancho Danchev. “Anything launched by eastern European cyber-criminals can be described as an APT these days. It’s just that they go after the dollar, not the intellectual property,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/apt1_china_dark_visitor_b_team/

Pro-Assad hackers break into AFP Photo wire Twitter feed

The Twitter feed of news agency AFP’s photo department was hacked yesterday, apparently by supporters of embattled Syrian president Bashar Al-Assad.

The agency’s main Twitter account tweeted that any documents or images posted to the photo-dept feed from 16.45 had not come from Agence France-Presse.

AFP eventually suspended the account, which remains down today.

The pictures on the feed were of graphic images from the conflict in Syria, frequently of low quality and accompanied by captions that accused “Obama backed” rebel armies of killing children and using them as soldiers. The tweets also showed images allegedly of citizens supporting Assad or celebrating the arrival of Syrian soldiers.

The Atlantic saved a number of the tweets here, but some contain graphic images that may be disturbing.

The AFP photo feed doesn’t have a long reach, since it only has around 3,600 followers and was set up less than two weeks ago, so it’s unclear why it was targeted by the hackers – unless it was a case of hacking who you can, rather than who you would like to. The suggestion that the photos were endorsed by the wire service may also have been seen as adding believability to the message the pics sought to push*.

AFP’s security experts have also said that the wire service has been the victim this week of a phishing attack seeking to steal the IDs and passwords of employees by getting them to log into a fake AFP website. They say the attack has been unsuccessful so far but have not said whether the phishing could be related to the Twitter hack. ®

Bootnote

*At least among people unfamiliar with the frequently rather dodgy nature of some photos supplied even by reputable media outfits, which often show evidence of being at the very least creatively amended or photoshopped. An example can be seen here, of an AFP/Getty image in which a Syrian rebel commander in combat seemingly brandishes a weapon which is – apparently – simultaneously belt and drum fed. – Ed

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/afp_photo_twitter_hack/

Anonymous leaks ‘Bank of America secrets’ in spy revenge hack

Miscreants affiliated with hacking collective Anonymous have dumped online a huge cache of data supposedly lifted from insecure systems at a Bank of America contractor.

The self-styled Anonymous Intelligence Agency (Par:AnoIA) leaked 320MB of emails and other information that suggests the banking giant is running an online intelligence gathering operation against hacktivists.

The cache includes memos from IT contractor TEKsystems to the bank’s security staff, reporting chat room and social network reconnaissance. The data dump also supposedly includes the source code for OneCalais – a natural language processing (NLP) text analytics and data mining package from Thomson Reuters subsidiary ClearForest. The story goes that the software was used to make sense of data harvested from chat rooms.

“We were amused by the fact that there are actually paid analysts sitting somewhere reading the vast amount garbage that scrolls by in large public channels like #anonops and #voxanon,” Par:AnoIA said in a statement accompanying the leak. “Even more amusing is the keyword list that was found, containing trigger words like ‘jihad’ or ‘homosexual’.”

The Anons alleged that the “overall quality of the research is poor and potentially false”.

“The data clearly shows that the research was sloppy, random and valueless. Apparently a keyword list was used to match items of interest on IRC, Twitter and other social media,” it claimed in its announcement [PDF].

The released archives, totalling well over 6GB, apparently also include salary and bonus details on hundreds of thousands of executives and employees from various corporations all around the world, including Google supremo Eric Schmidt – although his income is publicly known.

The Anonymous Intelligence Agency claimed the swiped records were lifted from a “misconfigured server” hosted in Israel that was “basically open for grabs” rather than seized using security exploits and conventional hacking. Par:AnoIA claimed it received the info wad via an unnamed source. How this handler got hold of the data – especially the salary information – remains unclear.

The information disclosure, dubbed Operation Keyword, was followed by the release of a rough’n’ready video by Anonymous in which the financial giant is accused of acting against the interests of US homeowners.

Bank of America has previously been linked to attempts to gather intelligence on members of Anonymous and associated organisations, most notably the proposals put forward by former HBGary Federal chief exec Aaron Barr.

Barr proposed a disinformation campaign against WikiLeaks in the run up to the planned publication of Bank of America documents by the whistle-blowing website. He also planned to expose members of Anonymous. In retaliation, members of the collective hacked into HBGary Federal’s systems, defaced its website, took over Twitter accounts and exposed 68,000 emails, including a presentation put together by the company along with two other data intelligence firms for Bank of America in 2010. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/anon_bofa_leak/

cPanel: Reset your root passwords! Hackers broke into our system

Website administration firm cPanel has told The Reg that one of its proxy servers was hacked, potentially exposing customers’ administrator-level passwords.

cPanel discovered that one of its systems, used to handle technical support tickets, was infiltrated nearly a week ago.

The biz, which provides tools for managing Unix-powered websites, has urged anyone who contacted its help-desk within the last six months to change their root passwords – a credential requested in new support tickets. It is understood this information is needed to allow cPanel employees to access bamboozled customers’ web servers.

“If you are using an unprivileged account with ‘sudo’ or ‘su’ for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis,” the company said in an email.

The biz discovered that a proxy server was hacked by “a malicious third party” through a compromised workstation used by one of its support bods.

“Only a small group of our technical analysts used this particular machine for logins, which means that fortunately only some customers who opened a ticket in the past six months would be affected by this compromise,” cPanel said.

It added that there was no evidence that any other sensitive data was exposed, but said the investigation was ongoing.

The company is introducing new processes to stop a similar attack in the future, including changing how servers are accessed, providing unique SSH keys for each new support ticket, and generating single-use username and password credentials for the WebHost Manager that are only valid while staff are logged into customers’ servers.

“It is now possible for our technical analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel and WHM product,” the firm said.

Ultimately, cPanel hopes to get rid of the need for analysts to require customers’ superuser passwords, and is testing a solution for that now.

The digital break-in follows the news that help-desk provider Zendesk was hacked last week. Intruders got their hands on email addresses for users of Twitter, Pinterest and Tumblr along with support message subject lines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/cpanel_support_server_hacked/

Brit firm PinPlus flogs another password ‘n’ PIN killer

The inventor who co-founded visual PIN company GrIDsure has become involved with another pattern-based authentication start-up in the hopes that the shoulder-surfer proof technology could replace two-factor authentication.

His new company, Brit firm PinPlus, does away with passwords and PINs by combining a method for securely delivering one-time codes to users with an architecture for storing users’ login “secrets” on servers.

Instead of having to remember vulnerable passwords, users simply need to remember a pattern on a small (6 x 6) matrix of squares. This pattern (created once upon enrolment) guides the user in reading off frequently jumbled numbers from a matrix, each reading creating a unique code for each login. Stored patterns are then coded, segmented and stored in multiple data structures before they are further encrypted.

The difference between this pattern-based security product and others is its cryptographic strength, say its makers.

The idea is that even if a machine is compromised with malware or the login of a user is intercepted by a shoulder surfer, there will not be enough information spilled for hackers to determine the next login.

Steve Brittan, PinPlus chief exec, explained: “This part of the process is protected by three patent applications. The separate segments representing the users’ secrets are indexed using data references which themselves only point to the correct data if the correct one-time code is presented to the pin+ authentication engine, and then encrypted using strongly salted one-way SHA-256 hashing algorithms.

The how-to vid is available here

“Without this, it’s impossible for a hacker to assemble the correct segments, and to then attempt to decrypt the secret information is going to be incredibly difficult for hackers. The net effect is to dramatically enhance the ‘entropy’ or cryptographic strength offered by pin+.”

The pin+ pattern-based authentication system is being positioned as an alternative to the ever-popular two-factor authentication systems – which at present mostly consist of text messages sent to registered mobile phones or the more traditional hardware key-fob tokens from the likes of RSA Security.

The pin+ system works without the user having to carry any kind of device or card, even a mobile phone. The approach also attempts to tackle the problem of hackers stealing large files of passwords or password hashes from insecure websites, as happened with the recent LinkedIn and eHarmony breaches, for example.

The firm’s chairman, Jonathan Craymer, was originally involved in pattern-based authentication pioneer GrIDsure prior to founding PinPlus in 2010. Cryptocard acquired the patents and intellectual property of GrIDsure after the UK-based startup became insolvent in November 2011. Cryptocard was itself acquired by SafeNet months later in March 2012.

Craymer says the industry seems to have been “stuck” for some years, with SMS slowly taking over from tokens. He said the Matrix Pattern Authentication (MPA) technology of pin+ can be used by everyone, not just a few key banking customers or company employees.

“Our vision is to get MPA out there, leveraging a common front end, which can be bolted on to a whole host of back-end solutions created by partner companies,” Craymer explained. “We meanwhile will concentrate on refining the science behind patterns, usability, security etc, and will be registering our own patents. Basically all this will build on, but be far superior to, the original GrIDsure idea.”

Craymer explained the reason why he left GrIDsure in 2009, two years before its business went belly-up.

“GrIDsure simply didn’t have the right team capable of developing a complete product and creating a market – whereas pin+ most definitely has the right team behind it which I am confident will take it forward,” Craymer told El Reg.

“I could see this was the case, so left GrIDsure (which I founded) in 2009, determined to do the job properly. As a result I did a lot of thinking about how to move what is a great concept (Matrix Pattern Authentication) forward, then to take those ideas to market I founded PinPlus Ltd in 2010.

“In my personal opinion the original GrIDsure product needed a great deal of additional development in a number of areas such as entropy, security and look and feel,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/pinplus/

Adobe squashes TWO critical Flash vulnerabilities with emergency patches

Adobe published a critical Flash Player update on Tuesday to fix three exploits, two of which are under active attack by hackers.

Two of the three vulnerabilities are being used by nefarious folk, Adobe said, and one of these two explicitly targets the Firefox browser.

Adobe introduced the Flash Player sandbox a year ago to protect Firefox users from vulnerabilities in Flash. It appears this is now being targeted for permission escalation attacks.

“Adobe is aware of reports that CVE-2013-0643 and CVE 2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content,” the company wrote in a security bulletin.

Adobe classified the update with a priority rating of 1 (do it now if you value your computer) for Windows and Macintosh systems, and 3 (install at your discretion) for Linux kit.

Google and Microsoft are applying automatic fixes to the integrated Adobe Flash Player code found in Chrome and in Internet Explorer 10 for Windows 8.

The updates resolve a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643), a vulnerability in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vuln in the Flash Player broker service (CVE-2013-0504).

Links to download the fix are available from Adobe’s website, as listed in the security bulletin.

The timing of the patch jars with Adobe’s as-of-November-2012 commitment to try and issue security patches in a more measured pattern that coincides with Microsoft’s Patch Tuesday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/adobe_issues_two_critical_flash_vuln_patches/

Outsourcing your own job much more common than first thought

RSA 2013 Computer programmers outsourcing their own jobs and pocketing the profit from salary differentials overseas is much more common than first thought.

Last month, Verizon reported that an investigation into a client had revealed that the unnamed company’s star programmer, a chap dubbed Bob, had outsourced his job to a Chinese firm that charged him a third of his salary, while he spent time in the office surfing Reddit and looking at cat photos. He was only caught when his employers checked his usage logs.

“When the story went out we got a bunch of phone calls with companies asking, ‘Are you talking about our situation?'” Bryan Sartin, director of investigative response on Verizon’s RISK team told The Register.

“It turns out this seems to be something of a trend and lots of people are doing it. It’s especially common with contract workers and freelancers who sign up for jobs and then farm out that work in parts of the world where coders are cheap.”

The initial case that sparked the interest was unusual, he said, in that the person involved was a full-time employee, but there have now been many cases of freelancers shipping off their work. On a purely capitalistic front it’s a great idea for the developer, but employers are less than impressed.

In the case of Bob – and other examples Verizon has found – two-factor authentication tokens and passwords were sent to offshore coders to enable them to access corporate systems. While there’s little evidence that the third-party coders have exploited this for hacking profit, the danger is very real, Sartin said, and companies need to be on their guard.

“Our data shows that in 74 per cent of network intrusions, the initial access point is a remote worker’s link,” he said. “In these specific cases there doesn’t seem to have been a problem, but if the hacker’s purpose is espionage rather than profit then they’re going to keep a low profile.”

The easiest way to catch these people out is to check access logs for the location of the worker, Sartin explained. If you’ve hired a coder in California, it’s a dead giveaway if they are logging in from China. ®
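The location check Sartin describes, as an added example that is not part of the article: it flags remote-worker logins whose source country differs from the country the worker was hired in. The log lines, the IP-to-country table and the per-worker expected countries are all constructed for the demo; a real deployment would query a GeoIP database instead of the dict.

```python
# Added example (not from the article): flag logins whose source country does
# not match the worker's contracted location. Log lines, GEO table and
# EXPECTED_COUNTRY are constructed; swap GEO for a GeoIP lookup in practice.
import re
from dataclasses import dataclass

# Constructed access-log lines in a simple "timestamp user ip" format.
SAMPLE_LOG = """\
2013-02-25T08:02:11Z bob 198.51.100.23
2013-02-25T08:15:40Z alice 203.0.113.77
2013-02-25T09:01:05Z bob 192.0.2.200
2013-02-26T02:44:19Z bob 192.0.2.201
"""
# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {
    "198.51.100.23": "US",
    "203.0.113.77": "US",
    "192.0.2.200": "CN",
    "192.0.2.201": "CN",
}
# Country each worker is contracted to work from (constructed).
EXPECTED_COUNTRY = {"bob": "US", "alice": "US"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")

@dataclass(frozen=True)
class Anomaly:
    timestamp: str
    user: str
    ip: str
    country: str

def find_location_anomalies(log_text, geo=GEO, expected=EXPECTED_COUNTRY):
    """Return one Anomaly per login from a country other than the worker's."""
    anomalies = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, user, ip = m.groups()
        country = geo.get(ip, "UNKNOWN")
        # Unknown IPs and unknown users are reported too: both deserve a look.
        if country != expected.get(user):
            anomalies.append(Anomaly(ts, user, ip, country))
    return anomalies

if __name__ == "__main__":
    for a in find_location_anomalies(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user} logged in from {a.ip} ({a.country})")
```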

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/27/outsourcing_job_common/

Symantec reports early Stuxnet variant first went live in 2005

RSA 2013 A new report from Symantec claims that Stuxnet is not a recent piece of malware, but was in action trying to cripple Iran’s nuclear program way back in 2005.

“We now have evidence that Stuxnet actually had its command and control servers alive in 2005, that’s five full years earlier than anyone previously thought,” said Francis deSouza, president of products and services at Symantec, in his RSA 2013 keynote. “We also have evidence of this early variant of Stuxnet that we captured called Stuxnet 0.5, which behaves very differently from Stuxnet 1.0 found in 2010.”

The 2010 version of Stuxnet attacked the Iranian nuke fuel program at Natanz by varying the speeds of motors in the centrifuges used for preparation of uranium at the plant. But Stuxnet 0.5 was designed for a different form of sabotage, and one that could have had explosive results.

The newly discovered code, which was first active in 2007, was installed via a USB key and lay dormant until the enrichment process began. It then took a series of snapshots of the control screen of the plant with all systems running normally, made an inventory of the system, and then went to work on the valves that feed uranium hexafluoride gas into the centrifuges.

These valves would be opened up to make sure the gas flowed into the centrifuges regardless of the state of the fuel. It would hold them open for six minutes, all the while displaying the normal operations screens it swiped earlier, then would shut itself down and go into hiding again.

As well as damaging both the centrifuges and the fuel, such jiggery-pokery could conceivably have caused a pressure buildup that would have caused the highly corrosive and toxic gas to leak out. It is not known what the final damage was to the Iranian facility, but according to data from the Institute for Science and International Security (ISIS) it caused a significant dip in the amount of usable uranium created.

What’s interesting here is the timing. The earlier build of Stuxnet was set up in 2005, well before the Natanz plant was even operational. The plant went live in 2007, and the malware was ready to go once the Iranians started the process. The 0.5 version of the code finally deactivated in 2009, six months before Stuxnet 1.0 was released.

It’s widely reported that the US and Israeli governments developed Stuxnet as a counter to Iran’s nuclear ambitions as part of Project Olympic. It was tested on Pakistani-sourced P-1 centrifuges that the Libyans handed over when they ended their nuclear program in 2003, and these same systems are in use by the Iranians.

“These results show we are now close to the end of the first decade of weaponized malware,” deSouza said. “As research continues to show, research and development on these kinds of weapons continues to grow.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/26/early_stuxnet_code_found/