STE WILLIAMS

Chinese PLA unit ‘masterminds cyber-espionage Cold War’

Chinese military spies, holed up in ho-hum Shanghai tower blocks surrounded by restaurants and massage parlours, have siphoned hundreds of terabytes of data from computers at scores of US corporations.

We’re assured that, rather than being a work of fiction, this is the conclusion of a new study by Mandiant that claims a unit of China’s People’s Liberation Army is masterminding a state-sponsored cyber-espionage hub.

The security consultancy published its report [PDF] today, and linked PLA unit 61398* to hackers who apparently infiltrated American businesses in sectors from high-tech to energy.

The electronic intrusions were allegedly carried out by a group dubbed an advanced persistent threat (APT) and previously codenamed by Western experts as APT1 or the Comment Crew**. Mandiant blamed APT1 for a campaign of espionage waged against 141 corporations in 20 industries since 2006, and accused the team of swiping hundreds of terabytes in data.

Mandiant doesn’t name the supposedly attacked firms, but other reports suggest these include Coca-Cola, RSA Security and Telvent, a firm that supplies power grid control systems and smart meters.

“In seeking to identify the organisation behind this activity, our research found that People’s Liberation Army unit 61398 is similar to APT1 in its mission, capabilities, and resources,” Mandiant wrote in its report. “PLA unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

More precisely, according to Mandiant, unit 61398 is housed in a series of nondescript tower blocks on Datong Road in Gaoqiaozhen, in the Pudong New Area of Shanghai, that were built in 2007. The buildings were pictured in a front-page story by the New York Times on Mandiant’s research; the newspaper said China’s alleged cyber-espionage hub is surrounded by diners, massage parlours and a wine importer.

According to a US intelligence agency assessment quoted by the NYT, digital-espionage agents operating in China are either handled by army officers or are contractors working for outfits such as unit 61398. The NYT hired Mandiant to investigate a high-profile breach of the paper’s network security, which the consultants concluded was the work of a Chinese APT group. A US spook grilled by the NYT said Mandiant’s report was consistent with the American government’s own analysis.

The charges that China is carrying out international electronic espionage on an industrial scale are, of course, years old, but Mandiant’s 60-page study is a fascinating read because it goes into considerable detail.

Mandiant claimed APT1 is just one of 20 computer spying crews in operation in China, and is among dozens it is tracking worldwide. APT1’s handiwork is partially identifiable, we’re told, because its members use distinct hacking tools, techniques and resources not used by other groups. Mandiant claimed:

Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).

According to the security consultancy, the group’s modus operandi involves gaining access to networks using spear-phishing messages and custom-built malware. It then revisits compromised systems over time to copy intellectual property including technology blueprints, documentation of manufacturing processes, test results, business plans, partnership agreements, emails and contact lists of senior execs.

The industries APT1 targets match industries that China has identified as strategic to its growth.

A video compiled by Mandiant apparently showing APT1’s attacks and intrusions as they happened can be found here or watched below:

Some of those allegedly involved in the corporate spying were personally identifiable because they skirted around the Great Firewall of China to log into Twitter and Facebook accounts.

Malware used in APT-style attacks was apparently created by a character called UglyGorilla, who first appeared on a Chinese military forum in 2004 to ask whether China was planning a response to the formation of a US cyberspace command. The user then appeared years later on IP addresses linked to unit 61398.

Another person called DOTA created email accounts that were used to plant malware from IP addresses also associated with unit 61398’s network. And confirmation messages to set up those mail accounts were sent to a mobile phone number provided by a Shanghai-based operator.

A third person, who uses the nickname SuperHard, was allegedly involved in creating the AURIGA and BANGAT malware families used by APT1. According to Mandiant the trio are soldiers in a unit of dozens if not hundreds of personnel that targets the English-speaking world from IP addresses registered in Shanghai and systems configured to use the simplified Chinese language.

Mandiant also revealed domain names, IP addresses and MD5 hashes of malware associated with APT1. The release includes 13 X.509 encryption certificates used by the team.

The security consultancy concluded: “Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission, or APT1 is Unit 61398.”

The Chinese government has angrily dismissed the latest charges as another round of China bashing. Officials dismissed Mandiant’s APT1 report as “groundless”, the Asian nation’s official news agency Xinhua reported.

“Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem,” said Foreign Ministry spokesman Hong Lei, adding that China has also been a victim of cyber-attacks and reiterating the need for international cooperation in addressing the problem.

Mandiant’s detailed and well-written report was well received in security circles. About the only substantive criticism comes from a cogently argued blog post by Jeffrey Carr, who claimed that Mandiant failed to take into account that multiple states are engaged in this activity, not just China. Mandiant did not consider and rule out competing hypotheses on the identity of the hackers, according to Carr. ®

* Unit 61398 was otherwise known as the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department.

** The Comment Crew earned its nickname from its habit of embedding hidden code or comments in web pages.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/china_apt_report_mandiant/

Nursing watchdog fined £150k for confidential unencrypted DVD loss

The UK’s data protection watchdog has fined the Nursing and Midwifery Council (NMC) £150,000 after it deemed its failure to encrypt sensitive personal data stored on DVDs that were lost to be a serious breach of the Data Protection Act.

The nursing and midwifery regulator had arranged for the DVDs, which contained confidential and “highly sensitive” video files relating to alleged offences by a nurse as well as information about two vulnerable children, to be couriered from its offices to a ‘fitness to practise’ hearing in October 2011.

However, upon arrival at the hearing it was discovered that the couriered package did not contain the DVDs, which have still not been recovered.

The Information Commissioner’s Office (ICO) imposed a civil monetary penalty on NMC after discovering that the body had no policy in place to ensure such information was encrypted when either stored at its offices or whilst in transit.

“The Commissioner published guidance on his website in November 2007 about the risks associated with the use of unencrypted portable devices and removable media used to store or process personal data, the loss of which would be likely to cause distress to individuals,” the civil monetary penalty notice served to NMC by the ICO said.

“This guidance states the Commissioner’s view that such devices or media should be encrypted to protect the data, and that failure to do so may lead to enforcement action where these equipment and data are subsequently lost or misused.”

“Further, it should have been obvious to [NMC] whose employees were used to handling sensitive personal data that such a contravention would be of a kind likely to cause substantial distress to the data subjects due to the nature of the data involved,” it said.

Under the Data Protection Act data controllers are required to take “appropriate technical and organisational measures” to ensure against the “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Deputy Information Commissioner David Smith said data encryption failings were not confined to NMC.

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again,” Smith said in a statement. “While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty,” he said.

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk,” Smith added. “No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/nmc_fined_by_ico/

Cameron to ink cyber deal with India, protect Brit outsourced data

Prime Minister David Cameron will step up UK co-operation with India on cyber security on Tuesday in a bid to better protect data stored on Indian servers as well as share intelligence on breaking threats.

Cameron is in India as part of a three-day trade trip designed to build stronger business ties with the vast emerging nation.

The deal, set to be signed in New Delhi by Cameron and Indian PM Manmohan Singh, will mark “an unprecedented level of co-operation with India on security issues”, Downing Street told the FT.

The joint task force to be announced will apparently see the UK sharing its expertise in tackling cyber threats in order to better secure the increasing amount of business and personal data stored on servers in India.

“Other countries securing their data is effectively helping us secure our data. I think this is an area where Britain has some real competitive and technology advantages,” said Cameron.

It’s unclear whether this sharing of expertise will come with a bill attached – after all, it is primarily a trade mission – or if the need to ramp up the security of outsourcing providers is the main goal.

The risk to UK data stored abroad has been highlighted many times over the years, most recently last year after revelations that Indian call centre staff were selling on the personal details of millions of Britons.

New Delhi-based Forrester analyst, Katyayan Gupta, told The Reg that although the deal should give Indian firms much needed access to advanced security skills and resources from the UK, the insider threat will persist.

“That is why there is a need for stricter SLAs between the Indian outsourcing firms and their international clients. Moreover, it’s essential that there is a regular audit of these SLAs,” he added.

“Plus, Indian outsourcing firms should be pushed to achieve higher/highest levels of information security certifications, including ISO 270001 and others.”

The deal will also apparently see the UK and India sharing threat intelligence to thwart cyber attacks on their systems.

However, India’s attempts to secure its own infrastructure have been less than convincing over the years with government sites often taken offline or defaced by hacktivists.

Most recently, news emerged in December that the government and military had suffered one of their worst ever breaches after 10,000 email accounts belonging to top officials were compromised.

Symantec also warned last year that consumers and SMBs in the country were under increasing risk of targeted threats as attackers looked to exploit piecemeal security and low levels of awareness. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/india_uk_cyber_security_agreement/

Dutch MP must cough €750 for hacking into medical lab

A Dutch MP has been fined €750 (£650, $1,000) after he was convicted of illegally accessing the systems of a Dutch medical laboratory.

Henk Krol claims he only accessed the systems of Diagnostics for You in order to expose sloppy security practices. The MP, who is the leader of the Dutch minority pensioners’ party 50plus, used a login and password that he had obtained from a patient at the clinic in April last year to access and download medical files relating to several people. The patient had apparently overheard the login information from a member of staff.

The journalist and politician informed the laboratory about its inadequate security, and presented redacted copies of the medical information he had obtained. He also reported the incident to local TV station Omroep Brabant, carrying out an on-air demonstration of the lab’s lax security practices during which medical records were again accessed.

Krol, former editor-in-chief of the newspaper Gay Krant, hacked into the system just months before he was elected to the Dutch parliament last September. The politician told the court that he had acted as a journalist and ethical hacker at the time of the breach.

A district court in the southeastern region of Oost-Brabant partially accepted the public interest defence of Krol’s legal team, which argued that he was serving the greater good by exposing problems in the protection of confidential medical data. But in passing sentence the court also considered that he had not given the lab enough time to fix the problem before going public. It also took issue with the “disproportionate” amount of records he accessed, saying he had gone “further than necessary” to achieve his aim. The court said it was lenient as it did not believe Krol was likely to repeat the offence.

The patient who initially tipped him off about the problem was fined €250 (£215, $330), IDG reports.

The court’s judgment can be found here (PDF). A Google translation is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/19/dutch_mp_ethical_hacking_fine/

Brace for MORE ZOMBIE ATTACK ALERT pranks, warns security bod

Vulnerabilities in America’s TV emergency alert system – exploited last week by pranksters to put out fake warnings of a zombie apocalypse – remain widespread, it is claimed. And that’s even after station bosses remember to change the default passwords on their broadcast equipment.

Mischievous miscreants managed to hack into a television station’s emergency alert system in Montana to broadcast an on-air audio warning about the end of the world.

The attack on KRTC’s equipment was repeated in three other states: two stations were electronically broken into in Michigan as well as several others in California, Montana and New Mexico, according to Karole White, president of the Michigan Association of Broadcasters. “It isn’t what [the pranksters] said,” White said. “It is the fact that they got into the system.”

It is understood the hacks were possible because the TV stations had failed to change the default passwords on kit facing the public internet. An advisory sent by regulators at the FCC to broadcasters urged IT bosses to take immediate action to correct the problem: they were told to change all passwords on equipment regardless of the manufacturer as well as make sure that kit was protected behind a firewall and that hackers had not queued up bogus alerts for later transmission.

Reuters reports that an alert controller box from Monroe Electronics had been abused to carry out at least some of the apocalypse pranks. Monroe responded by publishing an advisory on its web site:

To improve overall security all One-Net R189 users are urged to:

1. Change the factory default password immediately

2. Make sure all network connections are behind secure firewalls

Meanwhile, researchers at IOActive Labs discovered a substantial number of insecure emergency alert system devices directly connected to the internet, making it possible for hackers to exploit holes in attacks that go beyond pure mischief.

Mike Davis, a hardware expert at the computer security biz, told Reuters that by using Google he was able to find 30 alert systems across the US that were vulnerable to attack. The security flaws allow attackers to remotely compromise these devices and broadcast official alerts through US radio and TV stations.

Davis discovered weak cryptography and security shortcomings in the firmware loaded into emergency warning systems. He reported the vulnerabilities to the US’s Computer Emergency Response Team about a month ago but is not revealing details of the vulnerabilities nor the names of the manufacturers they affect, pending confirmation of a fix, Kaspersky Lab’s Threatpost blog reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/18/eas_vulns/

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods

Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech – an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites.

DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against the domain name cache poisoning attack famously highlighted by security researcher Dan Kaminsky back in 2008. The technology works by building up a chain of trust.

The cryptographic checks make it difficult for attackers’ machines to masquerade as the servers that translate domain names understandable by humans, such as amazon.com, into the numerical IP addresses used by computers to talk to each other over networks. These checks could thwart attempts by hackers to redirect people visiting, say, ebay.com, to a malicious website dressed up to look exactly like the real thing. Shoppers tricked into buying stuff from a spoofed web bazaar could unknowingly hand over their payment details to crooks rather than the genuine online shop.

Domain-name-server vendor Secure64 said it ran checks to discover how many e-commerce companies had addressed DNS security vulnerabilities, and claimed to have found that none of the top 100 e-commerce firms – including Amazon and eBay – had fully implemented DNSSEC.

Secure64 also said that none of these 100 largest e-commerce sites showed evidence of even testing deployments of DNSSEC, such as digitally signing their DNS data.

Neither Amazon nor eBay responded to requests by El Reg to comment on Secure64’s findings or to our questions about their positions on DNSSEC more generally.

The banking and financial services industry also appears to be avoiding DNSSEC implementation, said the security firm. Secure64’s researchers examined the name server infrastructure of 384 of the largest banks and financial institutions worldwide, and said that none had fully deployed DNSSEC. Only one organisation showed evidence of even a trial deployment of DNSSEC.

By contrast, US federal agency rollouts of DNSSEC are quite far along, even though many agencies are years behind a December 2010 deadline to deploy DNSSEC which was set by the Federal Information Security Management Act.

Two-thirds of 359 US government agencies and domain-holding sub-agencies are now cryptographically signing their DNS data, according to the latest available figures from Secure64, up 57 per cent year-on-year. Four out of five of the agencies that have signed their domains have gone live with DNSSEC technology after establishing a chain of trust to their parent domain, we’re told.

However, six of the agencies (2 per cent of the sample) digitally sign their domains incorrectly, according to Secure64. Because validating resolvers reject answers whose signatures do not check out, these configuration problems could lead to problems visiting the websites or sending email to those affected organisations.
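The chain of trust described above, and the fail-closed behaviour behind the resolution problems just mentioned, as an added example that is not from the article, Secure64 or any DNS software: a toy DNSSEC-style validator in Go. The zone name, addresses, keys and record encoding are constructed, the “trust anchor” is the parent zone’s key rather than the real root, and nothing here is DNS wire format.

```go
// Toy model of a DNSSEC chain of trust: a trust anchor (parent zone key) signs a
// DS-style digest of the child's KSK, the KSK signs a DNSKEY-style digest of the
// ZSK, and the ZSK signs the A record. Names, keys and encoding are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a simplified resource record; Signed pairs one with an ECDSA signature.
type Record struct{ Name, Type, Data string }
type Signed struct {
	Rec Record
	Sig []byte
}

// keyDigest stands in for a DS digest: SHA-256 over the public point, hex encoded.
func keyDigest(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return hex.EncodeToString(sum[:])
}

// canonical hashes name|type|data so signer and verifier agree on what was signed.
func canonical(r Record) []byte {
	sum := sha256.Sum256([]byte(r.Name + "|" + r.Type + "|" + r.Data))
	return sum[:]
}

// sign signs the canonical record; P-256 signing with crypto/rand does not fail in practice.
func sign(key *ecdsa.PrivateKey, r Record) Signed {
	sig, err := ecdsa.SignASN1(rand.Reader, key, canonical(r))
	if err != nil {
		panic(err)
	}
	return Signed{Rec: r, Sig: sig}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Chain is what a validating resolver assembles for one answer.
type Chain struct {
	Anchor   *ecdsa.PublicKey // parent zone's key, configured in the resolver
	DS       Signed           // child KSK digest, signed by the parent
	ChildKSK *ecdsa.PublicKey
	DNSKEY   Signed           // child ZSK digest, signed by the child KSK
	ChildZSK *ecdsa.PublicKey
	Answer   Signed           // A record, signed by the child ZSK
}

// Validate walks anchor -> DS -> KSK -> DNSKEY -> ZSK -> answer and fails closed
// on the first broken link, which is also what a mis-signed zone runs into.
func Validate(c Chain) error {
	switch {
	case !ecdsa.VerifyASN1(c.Anchor, canonical(c.DS.Rec), c.DS.Sig):
		return errors.New("DS record not signed by trust anchor")
	case c.DS.Rec.Type != "DS" || c.DS.Rec.Data != keyDigest(c.ChildKSK):
		return errors.New("presented KSK does not match DS digest")
	case c.DNSKEY.Rec.Name != c.DS.Rec.Name || !ecdsa.VerifyASN1(c.ChildKSK, canonical(c.DNSKEY.Rec), c.DNSKEY.Sig):
		return errors.New("DNSKEY record not signed by the zone's KSK")
	case c.DNSKEY.Rec.Type != "DNSKEY" || c.DNSKEY.Rec.Data != keyDigest(c.ChildZSK):
		return errors.New("presented ZSK does not match signed DNSKEY")
	case c.Answer.Rec.Name != c.DS.Rec.Name || !ecdsa.VerifyASN1(c.ChildZSK, canonical(c.Answer.Rec), c.Answer.Sig):
		return errors.New("answer not signed by the zone's ZSK")
	}
	return nil
}

// BuildChain generates fresh keys and signs a correct chain for zone.
func BuildChain(zone, ip string) Chain {
	parent, ksk, zsk := genKey(), genKey(), genKey()
	return Chain{
		Anchor:   &parent.PublicKey,
		DS:       sign(parent, Record{zone, "DS", keyDigest(&ksk.PublicKey)}),
		ChildKSK: &ksk.PublicKey,
		DNSKEY:   sign(ksk, Record{zone, "DNSKEY", keyDigest(&zsk.PublicKey)}),
		ChildZSK: &zsk.PublicKey,
		Answer:   sign(zsk, Record{zone, "A", ip}),
	}
}

func main() {
	c := BuildChain("shop.example.", "192.0.2.10") // constructed zone and address
	fmt.Println("genuine answer:", Validate(c))
	forged := c // a poisoned entry points elsewhere but cannot carry the ZSK's signature
	forged.Answer.Rec.Data = "198.51.100.66"
	fmt.Println("forged answer: ", Validate(forged))
}
```

The forged answer fails at the last link, and swapping in a KSK the parent never vouched for fails at the DS check; either way the resolver returns no answer rather than a wrong one.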

“Without DNSSEC’s security protocols in place, website addresses can be hijacked,” explained Mark Beckett, VP of marketing at Secure64. “This means a surfer seeking to visit a site might easily be re-routed to a fake hacker-run site. This is an important concern for e-commerce companies and banking institutions because personal or financial information could be stolen and used for fraudulent purposes. In addition, because our email systems also rely on the DNS to direct emails to the appropriate recipient, an attacker that hijacks the DNS can also intercept email messages for the purpose of conducting espionage or fraud.”

Beckett said the perception that introducing DNSSEC is difficult is wrong and that Secure64 and its competitors have tools to make the migration easy, a factor that makes the slow adoption of the technology in banking and e-commerce all the more puzzling. He argued that the problem addressed by DNSSEC remained both real and pressing.

“The slow DNSSEC adoption in these industries is disturbing because these threats have such a significant downside for banks, e-commerce companies and other organisations that rely on DNS infrastructure for their core business functions. Last year alone, there were a number of highly-publicised examples of vulnerabilities in DNS being exploited by bad guys, which required private companies and government agencies to hastily organise responses.

“The slow adoption of DNSSEC is puzzling because implementing these DNS security protocols is inexpensive and simple using proven solutions that have been developed for DNSSEC rollouts. The problem is real and the solution is simple and cheap. There’s no reason companies shouldn’t make this a higher priority.”

Other DNS software vendors were not able to comment on Secure64’s figures immediately, but their spokespeople did tell El Reg that enabling DNSSEC is a low priority for corporations more focused on cloud computing and virtualisation projects.

Craig Sprosts, network software biz Nominum’s veep of platforms and applications, said: “DNSSEC provides strong protection against DNS cache poisoning but other defences beyond UDP source port randomisation have become available since the infamous Kaminsky vulnerability. Enterprises have multiple security priorities and will make the move to DNSSEC when the security it delivers aligns with their business priorities.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/18/dnssec/

Singaporean men in naked web cam extortion scam

Singaporean police have warned men in the city state of a five-fold increase in extortion cases in which they are coaxed into a state of undress, secretly filmed and then asked to hand over cash to prevent release of the resulting video.

Cops in the island nation said the number of such incidents has shot up from 11 in 2011 to over 50 last year.

Typically, the women involved contact their victims by sending messages on popular social networking sites, before persuading them to turn things up a notch with a web cam chat.

The extortionists then strip off, encouraging their gullible victims to do the same.

The secretly-filmed clip is then used as blackmail, sometimes uploaded to YouTube and shared with the victim in order to force payment, according to the Straits Times.

The women working the scam are unlikely to be caught, given that most apparently operate out of countries elsewhere in Asia. However, a 22-year old Singapore man was not so lucky after being nabbed by local cops last year for organising a similar cyber scam with his girlfriend.

After blackmailing a student to the tune of $97,000 over a period of nine months, they were eventually busted after their victim cracked and went to the police.

The man was sentenced to five years in prison and five strokes of the cane, Straits Times said.

Police issued several pieces of blatantly obvious advice for lascivious males in the region including a warning not to perform “compromising acts in front of the webcam or give personal details about yourself when interacting with other internet users”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/18/web_cam_singapore_blackmail/

Online crims are getting away with it down under

Law enforcement agencies charged with investigating online crime might actually be sitting at their desks gorging on donuts in Australia, if the nation’s Computer Emergency Response Team’s survey of stakeholders is to be trusted.

The results of that survey, published today, state that “Out of those respondents who did report a cyber security incident to law enforcement, 33% stated that it was their understanding the incident was not investigated … while 8% of matters referred to law enforcement were reported to have resulted in a person being charged.”

Vulture South takes security surveys with the largest available salt crystals, but CERT Australia’s effort is worth more consideration than the endless torrent of vendor-commissioned security surveys inasmuch as it has less need to keep us all scared and therefore primed to buy more stuff. That the survey was “conducted in partnership with the Centre for Internet Safety at the University of Canberra” also gives us more comfort, although the small sample – “of the almost 450 organisations contacted, responses were received from 255” – leaves the study far from representative.

That the CERT “works with the Australian business sector – primarily the owners and operators of systems of national interest” further skews the sample.

If you can still stomach the study after those caveats, it may perturb to know that the report couches its findings in positive terms.

For example, it notes that “More than 90% of respondents reported using antivirus software, spam filters, and firewalls.” How many “operators of systems of national interest” do without is not revealed. What is known is that “More than 80% also reported using access control and virtual private networks,” again leaving a few without.

“Almost 60%” run intrusion detection systems (IDS).

Another eyebrow-raiser is the finding that “less than 50% of respondents have plans in place for the management of removable computer media, such as USB memory drives” and 84% practice “user access management.” The latter response makes us uneasy about another element of the study’s methodology, namely the anonymised 24-question online survey, as it seems to your correspondent easy to respond negatively to a query about “user access management” given the term does not have wide currency.

[Chart: Security training among Australian organisations surveyed by CERT Australia. 65% of participating organisations had IT security staff with tertiary-level IT qualifications.]

Another interesting finding, graphed above, is that “Almost 35% of participating organisations had IT security staff with no formal training, although most of these staff had more than five years working in the IT security industry.”

Just 22 per cent of respondents ‘fessed up to a security incident during 2012, a number CERT Australia puts down to an unwillingness to admit to attacks. A further nine per cent admitted ignorance on the matter. Theft of a device was the most common incident reported.

Motives for attacks were “illicit financial gain (15%), hacktivism (9%), using the system for further attacks (9%), using the system for personal use (6%), being from a foreign government (5%), personal grievance (5%), and being a competitor (4%).”

The full report is available here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/18/cert_australia_says_eight_percent_of_online_crims_charged/

Boffins FREEZE PHONES to crack Android on-device crypto

Computer scientists at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany (FAU) have demonstrated that it is possible for unauthorized parties to recover data from encrypted Android smartphones using cold boot attacks. And when they say cold, they mean it – below 10°C, to be precise.

Android has included built-in full disk encryption since version 4.0, aka “Ice Cream Sandwich”. It comes switched off by default, but once activated it permanently scrambles the device’s storage such that it cannot be accessed without entering the correct PIN or password.

Or so it would seem. But according to a research paper by Tilo Müller, Michael Spreitzenbarth, and Felix Freiling of FAU, cold boot attacks can allow hackers to extract some or all of the data from Android devices, even with encryption enabled.

Technically speaking, cold boot attacks are so called because they involve cold booting a device, meaning you cycle the power without allowing the operating system to shut down properly. Put simply, you pull the plug.

We’ve all been taught that when you cut the power to a device, the contents of its memory are lost. In truth, however, that doesn’t happen instantly. RAM chips exhibit a property called remanence, which means their contents fade over time, rather than disappearing all at once. If you can access the memory before it fades completely, it’s possible to reconstruct the data that was there before the lights went out.

[Diagram: an image degrading in RAM after the power is cut. Going … going … gone! Once the power’s cut, the contents of RAM fade with each passing second (source: FAU)]

Naturally, you have to move fast. You probably have no more than a few seconds to extract the data. But one peculiar thing about the remanence effect is that the contents of RAM fade more slowly at lower temperatures. The colder the chips, the longer their memory – meaning cold boot attacks really do work better at colder temperatures.

Doubtless you can see where this is going. That’s right – the key to cracking the encryption on an Android phone is to stick it in the freezer awhile.

[Photo: researchers freezing a Galaxy Nexus handset. An hour in cold storage and your captive will be ready to tell you everything (source: FAU)]

How to hack a frozen phone

To demonstrate their method, Müller & Co used a Samsung Galaxy Nexus handset. They chose that model because it was one of the first devices to ship with Android 4.0, and because it runs a stock Android experience, with no modifications from the manufacturer to complicate things.

A full, step-by-step walkthrough of their process, complete with photos, is available on their website. In a nutshell, however, it involves abruptly powering down the device by pulling its battery, then booting it using a custom-built Android recovery image called FROST – short for “Forensic Recovery of Scrambled Telephones” – designed to extract encrypted data from RAM using a variety of methods.

The team first made sure the phone was switched on and had a healthy charge in its battery. Then it was time for the freezer. They found they got their best results by allowing the device to cool to below 10°C, which took about an hour. (As expected, higher temperatures yielded less reliable results.)

Once the phone was sufficiently chilled, they jiggled the battery and popped it out as briefly as they could to shut down the device. Then they immediately rebooted while holding down the combination of buttons that puts the device into “fastboot” mode. Once the device was in this mode, the researchers could use a PC to load their custom FROST module into its recovery partition. After that, one more reboot and the mischief was ready to begin.

  Photos of FROST in action, extracting encrypted data from Android

FROST provides a GUI menu offering several ways to extract data (click to enlarge)

FROST can be used to extract data from encrypted phones in three main ways. The first is to search the device’s RAM for AES encryption keys; recover the keys and it’s possible to decrypt all of the data on the device.

The second method is to use a brute-force attack to guess the user’s PIN, which can also be used to crack the encryption. Brute-force attacks normally aren’t the most efficient way to bypass a security mechanism, but the FAU researchers note that many smartphone owners use weak PINs.

Finally, if the other two methods don’t yield any results, FROST can also download a full image of the device’s memory to a PC, which can then be used to conduct further attacks using additional tools.

In practice, Müller’s team was able to successfully extract a variety of data from encrypted smartphones using these techniques, including photos, recently visited websites, emails and WhatsApp messages, contact lists, calendar entries, and Wi-Fi credentials.

Müller and his team have made all of the source code to the FROST module available on their website, along with a precompiled binary that anyone can experiment with.

If giving away such a potentially dangerous tool seems rash, however, the researchers are quick to point out that similar methods of bypassing encryption have been understood for years. What’s significant is that Android’s implementation of on-device encryption is vulnerable to these known techniques, which means additional countermeasures will need to be developed to more fully harden the OS.

In the meantime, the researchers plan to continue to experiment with their methods, with the aim of bringing them to bear on Android devices other than the Galaxy Nexus. Their next planned target? Google’s Nexus 7 fondleslab. Does anybody need anything from the fridge? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/16/frost_android_encryption_crack/

Facebook devs HACKED in ‘sophisticated’ Java zero-day attack

Facebook has been hacked, but the company has found no evidence that user data was affected.

Facebook’s systems were “targeted in a sophisticated attack” in January after some of the company’s developers visited a mobile-developer website that had been compromised, the company wrote on Friday afternoon.

Malware was installed onto fully-patched Facebook laptops via a Java zero-day vulnerability – a vuln that Oracle patched on February 1.

“As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” the company wrote.

Facebook realized that the hack had occurred when its security team found a “suspicious” domain within the company’s corporate DNS logs that was tracked back to a company laptop.

“Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops,” Facebook reports.
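The detection path described above (a rarely-queried domain turning up in corporate DNS logs, traced to one laptop, then a company-wide sweep for every host that resolved it), as an added example that is not Facebook's or The Register's code; the log lines, client addresses, domain names and allowlist are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS log (not real data): "<timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2013-01-14T09:01:02 10.1.2.10 www.facebook.com
2013-01-14T09:01:05 10.1.2.11 www.facebook.com
2013-01-14T09:02:17 10.1.2.10 mobile-dev-site.example
2013-01-14T09:02:19 10.1.2.10 cdn-update.example.net
2013-01-14T09:03:44 10.1.2.12 www.facebook.com
2013-01-14T09:05:01 10.1.2.11 mobile-dev-site.example
2013-01-14T09:05:03 10.1.2.11 cdn-update.example.net
2013-01-14T09:10:30 10.1.2.12 mail.example.org
2013-01-14T10:12:45 10.1.2.13 cdn-update.example.net
"""

# Constructed allowlist of domains the organisation expects to see every day.
KNOWN_GOOD = {"www.facebook.com", "mail.example.org"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise names so "Foo.Example." and "foo.example" collapse together.
            records.append((m.group(1), m.group(2), m.group(3).lower().rstrip(".")))
    return records


def clients_by_domain(records):
    """Index: queried name -> set of client addresses that asked for it."""
    idx = defaultdict(set)
    for _, client, qname in records:
        idx[qname].add(client)
    return idx


def rare_domains(records, max_clients=2):
    """Candidate 'suspicious' names: not allowlisted and queried by few hosts.
    Rarity is a triage heuristic, not proof; an analyst still has to examine the host."""
    idx = clients_by_domain(records)
    return sorted(d for d, c in idx.items() if d not in KNOWN_GOOD and len(c) <= max_clients)


def pivot(records, domain):
    """Company-wide sweep: every host that resolved a name confirmed as malicious."""
    return sorted(clients_by_domain(records).get(domain, set()))
```

Once forensics on the first host confirms the domain, `pivot` gives the list of other machines to pull for examination, which is the sweep Facebook describes.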

Other companies were targeted in this attack as well, though Facebook did not disclose who. It has formed a working group to share information among the affected parties.

The company is working with law enforcement and other entities to prevent further attacks, it said, and encouraging people to submit security vulnerabilities affecting Facebook to the company’s Bug Bounty Program. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/15/facebook_hacked/