STE WILLIAMS

Updated Adobe published a critical Flash Player update on Thursday that fixes not just one but two zero-day flaws, both under active attack by hackers.

Both Windows and Mac users are in the firing line. One of the vulnerabilities (CVE-2013-0633) is being harnessed in targeted attacks designed to trick marks into opening a Microsoft Word document email attachment that contains malicious Flash (SWF) content. The exploit targets the ActiveX version of Flash Player on Windows.

The second vulnerability (CVE-2013-0634) is designed to attack Safari and Firefox browser users on Macs. The assault involves malicious Flash (SWF) content delivered by a drive-by download-style attack from booby-trapped websites. The second vulnerability is also being abused to hack Windows machines using malicious Word attachments, again featuring malicious Flash content.

Users of Adobe Flash Player 11.5.502.146 and earlier for Windows and Macintosh should update to Adobe Flash Player 11.5.502.149, as explained in an emergency bulletin by Adobe. The updates also cover Flash on Linux and for Android smartphones – although the need to update on those instances is not as pressing.

Users of Google Chrome and Internet Explorer 10 will get built-in Flash components updates automatically from Google and Microsoft, respectively.

Early indications don’t shed much light on who is being attacked in the wild but the seriousness of the flaws and the potential for harm is beyond doubt. Exploitation of flaws in Adobe Flash, along with Java flaws, browser vulnerabilities and PDF exploits are among the most prevalent hacking tactics and have been for at least a couple of years. It’s worth going through Adobe’s irksome update process to apply these fixes. Patch now or risk getting pwned later. ®

Update: Exploit used to target aerospace industry

Security tools firm AlienVault reports that Microsoft Office files containing the exploit have cropped up in an spearphishing campaign targeting businesses in the aerospace industry, among others. One of these files uses an 2013 IEEE Aerospace Conference schedule as a lure.

Another sample containing the exploit is themed around information about an online payroll system that’s primarily used in the US.

In both cases the booby-trapped Word .doc files contain an embedded flash file with no compression or obfuscation.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/08/adobe_flash_update/

Power stations, banks, online shops, cloud providers, search engines, app stores, social networks and governments may soon be required by law to disclose ALL major security breaches.

In a strategy titled An Open, Safe and Secure Cyberspace, the European Commission proposed this new directive for the continent:

Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.

The strategy also calls for every Euro nation to put together a crack team to tackle big tech security emergencies and share intelligence with neighbours, among other cyber-desires.

Most, but not all, EU member states already have their own Computer Emergency Response Team (CERT) so this major policy push seems to primarily involve forcing companies to notify the authorities of any data breaches or significant security incidents.

The strategy also advocates applying existing international laws to “cyberspace” as well as promoting international cooperation with countries outside the union.

The policy builds on other EU initiatives including establishing a European Cybercrime Centre, proposing laws on attacks against information systems, and the launch of a global alliance to fight child sex abuse. The strategy also seeks to develop and fund training schemes to combat online crime.

In a statement, Cecilia Malmström, EU commissioner for Home Affairs, said: “Many EU countries are lacking the necessary tools to track down and fight online organised crime. All member states should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre, EC3.”

During a 30-minute press conference, Euro bigwigs were grilled on what they were doing to end corporate espionage; Chinese hackers are consistently accused of accessing companies’ private servers and swiping secrets.

Catherine Ashton, high representative of the union for foreign affairs and security policy, refused to comment on investigations by Europe’s spooks into these intrusions, but said the EU was monitoring the situation closely and is in talks with China, India and the US. Officials in Brussels have, we’re told, come to the conclusion that these attacks are increasing and damaging economies.

Last year, 56.8 per cent of businesses in Europe suffered a computer security breach that seriously derailed their operations. Yet only 26 per cent of the union’s enterprises had a formal ICT security policy. That’s according to Eurostat figures from January 2012.

Chinese networking kit giant Huawei, occasionally on the end of a shoeing from Western politicians, put out a statement supporting the EU’s call for greater international cooperation.

“The strategy comes at a crucial moment, providing the public and the private sector with the tools they need to move beyond debating the problem and take concrete steps to tackle security issues,” said Huawei’s global security officer John Suffolk. “The time has come to stop talking about the threat, stop talking about the challenges and start talking about the actions we have taken and will take.”

Jason Hart, VP of cloud solutions at SafeNet, also welcomed the EU strategy but said that it needed to be supplemented with a greater increase of encryption to protect sensitive data.

“This move is a welcome change as past breaches have demonstrated that delays in reporting may have exacerbated the initial problem,” Hart said. “However reporting the breach itself is only a small part of the equation. What is of real importance is preventing the damage that the exposure of unencrypted data can cause in the event of a security breach.

“Therefore, a key solution to tackle cyber security issues lies within pushing for more wide-scale mandatory encryption of all data, including soft data which has been aggressively targeted by cybercriminals over the last few years. New legislations that come into play will need to provide a comprehensive set of measures based on the fundamentals of information security to ensure wider adoption of encryption and authentication as a way of mitigating the damage of a potential security breach.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/08/eu_cybersecurity_strategy/

The Bamital web-search-hijacking botnet has been taken down by security researchers from Microsoft and Symantec with help from the Feds. The crack unit raided a number of data centres where the botnet’s servers were located.

Bamital malware intercepted victims’ search requests – including those sent to Google, Yahoo! and Microsoft’s Bing – and redirected them to websites touting dodgy software and scams, netting the crooks running the botnet revenue from the fraud.

More than eight million Windows-powered computers have been attacked by Bamital over the last two years, according to security researchers at Microsoft and Symantec. Bamital is a Trojan that infects only Windows machines and is distributed under the guise of a useful software app. It’s also been known to appear as the payload of drive by download attacks from compromised websites. Once installed, the Trojan modifies search results on compromised computers.

For example, Microsoft investigators found that Bamital rerouted a search for “Nickelodeon” to a website that distributed spyware. In another case, a search for Norton Internet Security was redirected to a rogue antivirus site that distributes malware.

The takedown operation severed the cybercriminals’ ability to manipulate and control Bamital-infected computers by seizing internet resources associated with the scam. As with previous botnet take-down operations, this involved combined legal and technical operations. Based on findings from security research, Microsoft filed a lawsuit against the botnet’s operators seeking an order to pull the plug on the zombie network. The court granted Microsoft’s request and on 6 February, Microsoft – escorted by the US Marshals Service – seized servers associated with controlling the botnet from web-hosting facilities in Virginia and New Jersey.

Prior to the takedown users of infected machines might have been unaware that anything was wrong, but they will now find that their search function is broken as their search queries will consistently fail. Owners of infected computers trying to complete a search query will now be redirected to an official Microsoft and Symantec webpage, explaining the problem and provides information and resources to remove the Bamital infection and other malware from their computers.

Something broadly similar occurred when the Feds had to set up temporary clean DNS servers for months following the case of the DNSChanger takedown operation in November 2011. But since Bamital was restricted to hijacking search results rather than every internet lookup ,the logistics of running a clean-up are simpler.

The clean-up procedure will make it far harder from the unknown crooks behind Bamital to rebuild their operation.

The Bamital takedown, known as Operation b58, is the sixth botnet disruption operation in three years carried out by Microsoft as part of its Project MARS (Microsoft Active Response for Security) and the second done in cooperation with Symantec. More details on the operation can be found in a blog post by Richard Domigues Boscovich, assistant general counsel at Microsoft Digital Crimes Unit, here.

An animated video illustrating how cybercriminals used Bamital malware to hijack search results and commit click fraud from Symantec can be found here. It’s informative – but the cheesy background music is truly dire. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/07/bamital_botnet_takedown/

Some 55 per cent of Chinese computers are infected with malware, the highest of any country worldwide, according to the latest Annual Security Report from Panda Security.

The Spanish security vendor’s Panda Labs research team reported 27 million new strains of malware in 2012, bringing the total in its database to 125m.

It said around one third of the PCs it scanned globally were infected, with Trojans accounting for three-quarters of new threats.

After China (54.89 per cent), the next-worst countries were South Korea (54.15 per cent) and Taiwan (42.14 per cent).

The stats may lend some credence to the Chinese government’s oft-heard refrain that it is a victim, not a perpetrator, of cyber crime.

In fact, some believe that Chinese hackers are disproportionately blamed for many of the world’s cyber attacks, because the real perpetrators disguise their true origin by using compromised PCs in the People’s Republic.

At the last count, in January 2013, the government-affiliated China Internet Network Information Center (CNNIC) said there were 564 million internet users in the country. No figures were given for the number of desktop PC users, but six month previously they stood at a whopping 380 million.

China certainly has a problem with malware. Last September, Microsoft’s Operation b70 team even discovered corrupt resellers were flogging computers pre-loaded with the stuff.

A study by a Calfornia-based research institute last August reported the online underground economy in the country affected nearly a quarter of the country’s internet users last year and cost the economy over 5 billion yuan (£500m).

It doesn’t automatically follow that just because the country’s machines are flooded with malware, it isn’t also the source of cyber attacks, of which plenty are thought to have originated behind the Great Firewall.

Several major APT-style threats over the years, from Operation Aurora to Night Dragon and Shady RAT, have been pinned pretty conclusively on Chinese perpetrators.

The latest has been revelations by the New York Times, Washington Post and Wall Street Journal that they too have been targeted.

China certainly recognises the problem of cyber criminality, having unveiled information security guidelines last summer designed to protect government and critical infrastructure firms better.

It also periodically rounds up cyber hoodlums and crime gangs in well-publicised swoops.

Its critics will argue, though, that those directing their hacking efforts outside the country will at the very least be left alone, as long as they’re serving the interest of the Party. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/07/panda_china_most_infected_pcs/

The US Federal Reserve has admitted that its systems were hacked during Sunday’s Super Bowl, a breach that led to the leaking of personal data on hundreds of US banking executives.

The breach allowed hacktivist ragtag collective Anonymous to post the names, email addresses, mobile phone numbers and login credentials (password hashes and IDs) of what it said were 4,000 senior US banking executives. The attack and subsequent leak was carried out as part of an ongoing campaign, dubbed Operation Last Resort, calling for reform of the justice system following the suicide of RSS and Reddit co-creator and activist Aaron Swartz. Swartz had been the target of a controversially aggressive federal cybercrime prosecution after he broke into MIT servers in an effort to liberate academic papers onto the internet.

The leaked file was uploaded to the hacked portion of a website of the Alabama Criminal Justice Information Center (acjic.alabama.gov) and a Chinese site, rather than Pastebin. The Federal Reserve admits the leaked data is genuine and came from its systems, the while playing down the significance of the breach.

“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a spokeswoman told Reuters on Tuesday. “Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system.”

Reuters obtained a memo from the Fed to members of its Emergency Communication System (ECS) warning that “mailing address, business phone, mobile phone, business email, and fax numbers had been published,” but playing down the significance of the breach.

“Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised,” the organisation said.

Anonymous’ OpLastResort previously featured attacks on the US Sentencing Commission and the Eastern District of Michigan United States Probation Office website. The Sentencing Commission hack involved embedding a game of Asteroids as an Easter Egg in the site, which is yet to return to normal operation more than a week after the initial assault. ®

Bootnote

The headline event from Sunday’s Super Bowl at the New Orleans Superdome was of course the extended power outage. Some reports suggest that the tripping of an electrical breaker left the the indoor sports arena relying on emergency lighting, suspending play for 34 minutes. The whole incident may, of course, have been designed to allow extra time for advertisers. However, Beyonce’s supposed use of an “Illuminati” symbol (chillingly captured here) during her half time show is bound to excite a few conspiracy theorists towards thinking darker forces were at work.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/06/fed_confirms_downplays_anon_superbowl_hack/

Recent hack attacks on the New York Times and the Wall Street Journal may be simply the most prominent out of a wider series of assaults against western media firms, according to a cyber-security intelligence firm.

Researchers have said that at least six separate Advanced Persistent Threat (APT) groups are likely responsible for targeting US, UK, Australian, Canadian, Korean and Philippine media organisations, newspapers, wire outlets, their affiliates and or customers. Cyber Squared said it has been tracking these groups for more than two years using ThreatConnect.com, its collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, manufacturers etc. The exchange collects, analyses and shares threat intelligence – akin to a neighbourhood watch scheme.

Adam Vincent, chief exec of Cyber Squared, and a former cyber security specialist with the US government, told El Reg that the APT group that targeted the NYT has likely leveraged similar trade-craft against one other Korean news service.

“Access to news services would provide China State Security personnel insights to the internal news cycles, confidential sources and information that may subject mainland-Chinese journalists and sources to arrest or intimidation,” Vincent explained.

Rich Barger, chief intelligence officer at Cyber Squared, and a former US Army intelligence analyst, said components of the same infrastructure used to attack western media organisations have previously been used to attack an international, multi-language US-based news service that is tied the Chinese spiritual movement Falun Gong (outlawed in China) and has often been critical of Chinese policies and human rights abuses.

Barger also claimed that the same group of hackers had also targeted a popular international publisher of a global metals journal and metals trading news. This was part of a much wider cyber-espionage campaign by the group that cost its mainly US victims millions, he said.

The intelligence chief added that all the 19 APT that his team had tracked are very likely to be Chinese, including the six that were discovered to be targeting Western media outlets. The size of the groups, their internal structure and the degree of co-operation between different groups remains unclear. Barger said that the groups occasionally got in each others’ way, even although they appeared to be directed towards broadly the same aims and use similar techniques (such as custom malware and spear-phishing). “Sometimes the left hand doesn’t know what right is doing,” he said.

Some security commentators have called for more evidence before the conclusion that the NYT was targeted by the Chinese can be accepted. However Barger said that use of related malware strains, the same or similar hacking tools and the same infrastructure (botnet control nodes, drop sites, exploit sites etc) in attacks as well as other factors provides a body of circumstantial evidence that betrays the probable identity of attackers over time.

“It’s not an overnight thing but when you look at the malware, hacking utilities, and infrastructure behind attacks as well as the ways and means and geo-political context it tells a story,” Barger explained. “It’s all additional pieces of the puzzle.

“The attacks are not always advanced but they are aggressive, persistent and well-resourced. When you look at a large number of attacks over a long time, taking data from multiple sources, it removes the fog of ambiguity. There’s a strong likelihood that all these groups are Chinese,” he claimed, adding that the attacks have been running since at least 2009 and possibly before.

Both Barger and Vincent stressed it was important to look at factors such as who benefits from attacks and possible motivations as much as technical factors before deciding on attribution.

Barber added that organisations can guard against attacks not by relying on any technology but rather by adopting sharing best practice and intelligence and adapting security policies to fit the threats as they surface. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/06/apt_media_attacks_tip_of_the_iceberg_analysis/

Updated Thousands of Windows XP users were blocked from accessing the internet this week after they applied a misfiring antivirus update from Kaspersky Lab.

The issue affected both consumer and business versions of Windows XP. Vista or Windows 7 users were untouched by the snafu.

Even so, Kaspersky’s support forums quickly filled up with complaints from frustrated users and hassled sysadmins.

The Russian anti-virus firm said the problem could be resolved if users disabled the “Web AV” component of the software before rolling back problematic update and installing a revised set of virus definition files, which was published within two hours of the problem rearing its ugly head late on Monday. The “Web AV” component can be reapplied once this process is completed.

This is all fairly straightforward, providing you can get online and access these instructions. Misfiring antivirus updates affect all vendors from time to time. Even though quality assurance processes have improved across the industry, the odd bad update still gets through.

The issue is at its most problematic when antivirus components start identifying core operating system components as potentially malign, carrying them off into quarantine and leaving users with machines that won’t run or boot up again properly in the process. The dodgy Kaspersky update wasn’t quite as bad as that, but still posed a major inconvenience for those affected. ®

Update

Kaspersky’s since been in touch to say:

Kaspersky Lab would like to apologise for any inconvenience caused by this database update error. Actions have been taken to prevent such incidents from occurring in the future.

It added:

The problem only affected x86 systems with the following products installed: Kaspersky Anti-Virus for Windows Workstations 6.04 MP4; Kaspersky Endpoint Security 8 for Windows; Kaspersky Endpoint Security 10 for Windows; Kaspersky Internet Security 2012 and 2013; and Kaspersky Pure 2.0.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/06/kaspersky_win_xp_update_snafu/

Updated Security researchers have discovered a banking Trojan that comes with its own built-in digital certificate.

The Brazilian banking password-sniffer was signed with a valid digital certificate issued by DigiCert, MalwareBytes reports. DigiCert responded promptly to inquiries by El Reg to confirm it had a had pulled the offending certificate, which it said had been issued to a legally registered business.

The firm said the crooks behind the banking Trojan used a certificate that had been issued to a real software company called “Buster Paper Comercial Ltda”. DigiCert said that Buster Paper was properly registered and it was only following general industry practice in issuing a digital certificate, as a statement by the firm explains.

DigiCert has conducted a thorough review of this matter and can confirm that the certificate was validated and issued in accordance with industry guidelines.

At the time that the code signing certificate was issued, Buster Paper Comercial Ltda was a legally registered business as confirmed through the Brazilian Ministerio da Fazenda: Cadastro Sincronizado Nacional.

DigiCert’s Terms of Use clearly state that malware is not an accepted type of activity for which our certificates can be used. As soon as DigiCert learned of the misuse of the certificate, it was immediately revoked.

Malware endorsed by a digital certificate is not unprecedented – Stuxnet and Flame were both signed using digital certificates – but the appearance of the same tactic much further down the food chain in more everyday nasties is still very bad news.

Around 15 months ago malware using a private signing certificate belonging to the Malaysian government to bypass warnings displayed by many operating systems and security software when end users attempt to run untrusted applications appeared on the web. The latest threat represents the same sort of problem but features a digital certificate issued to a suspicious company rather than a legitimate government.

Crooks who obtained the Buster Paper Comercial Ltda digital seal used this authority to digitally sign an item of malware that poses as a PDF document supposedly containing an invoice. The trick was designed to fool recipients at targeted firms into opening the document and becoming infected.

The malware is ultimately designed to plant a key-logger that lifts any entered banking login credentials from infected machines. The Trojan, detected as Spyware.Banker.FakeSig by MalwareBytes, is designed to download additional components from egnyte.com. The abuse of the cloud storage firm’s systems appears to be entirely incidental*.

Three months ago last November, the same type of Trojan was found, this time signed by “Buster Assistencia Tecnica Electronica Ltda” using a certificate also issued by DigiCert. How that would have appeared in a victim’s inbox is illustrated in a contemporaneous write-up of the attack by Threat Expert.com here.

Both of the offending certificates have been revoked but this still leaves a number of questions outstanding, according to MalwareBytes.

“What we have here is a total abuse of hosting services, digital certificates and repeated offences from the same people,” writes Jerome Segura, a security researcher at Malwarebytes. “Clearly, if digital certificates can be abused so easily, we have a big problem on our hands.

“Even if a file is digitally signed, it does not guarantee that it’s safe to use. A lot of potentially unwanted applications can use a digital certificate and, of course, malware can too (with a valid or revoked certificate),” he adds.

A full write-up of the attack – including screenshots of the offending digital certificates – can be found on Malwarebytes blog here.

Brazil is something of a global hotspot for banking Trojans and related malware, so innovations by local VXers presumably trying to gain an edge over competitors isn’t wholly surprising. ®

Update

Kris Lahiri, Egnyte’s security chief, contacted El Reg to say:

* It was recently brought to our attention that a customer of Egnyte had a piece of malware hosted on our system that may have been shared publicly. We take these situations very seriously… we followed the standard process of suspending the account, locking access and filing a report with the IC3 (a partnership between the FBI and NWCCC).

Even though a user may upload an infected file to their account in Egnyte, it is completely prevented from infecting any other file within that account.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/05/digitally_signed_banking_trojan/

The organisation that administers the industry standard for classifying computer system security vulnerabilities wants to prepare its classification system for a world with an even greater number of bugs.

Mitre Corp is considering adding a 100 times more CVE (Common Vulnerabilities and Exposures) slots each year to accommodate bug reports.

The current syntax CVE-YYYY-NNNN supports up to 9,999 vulnerabilities. However the increasing number of software flaw reports means Mitre is considering extending this range up to 999,999.

In a call for public feedback explaining the proposed changes, Mitre explains that a system that only tracks 10,000 vulnerabilities or possible bugs is no longer enough. The move is due to be discussed at the upcoming RSA conference before a decision is made in early March.

Three options are on the table.

• Option A (year + six digits, with leading 0s)

  Examples: CVE-2014-000001, CVE-2014-009999, CVE-2014-123456

• Option B (year + arbitrary digits, no leading 0s except in IDs 1 to 999)

  Examples: CVE-2014-0001, CVE-2014-54321, CVE-2014-123456

• Option C (year + arbitrary digits + check digit)

  Examples: CVE-2014-1-8, CVE-2014-9999-3, CVE-2014-123456-5

Any change would only come into effect at the start of next year.

The greater volume of software applications out there is probably the greatest factor in annual bug count inflation but an increase in the number of security researchers looking for flaws as well as a growth in vulnerability reward programmes are also playing a role.

The absolute number of bugs varies but normally runs into the low thousands. The historic trend over many years is towards a greater number of bugs, hence a desire to rethink the numbering system. At the moment, it is only early February and we’re already up to 462 CVEs this year already. Last year the total reached 5,373. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/05/bug_index_increase/

Personal information on several hundred employees at the the US Department of Energy has been compromised as the result of a hack attack, according to media reports.

The FBI is reportedly investigating the attack, which was detected around two weeks ago. According to officials quoted in the Washington Free Beacon, the damage appears to have been limited to 14 servers and 20 desktop workstations at the DoE’s HQ. Although the breach might have ultimately been aimed at gaining access to classified systems, early indications are that no classified info was compromised, according to an official letter from the agency to its employees seen by Reuters.

For now the identity of the hackers and how they went about accessing vulnerable systems remains unclear. However two months ago, an official government report criticised the Department of Energy for its tardiness in patching desktop systems. More than half of the agency’s desktops had failed to apply patches issued months beforehand, according to an assessment by the DoE’s inspector general.

This is exactly the sort of basic security mistake – akin to leaving gaps in the fencing around sensitive buildings – that makes life easier for potential intruders. China has unsurprisingly emerged as among the most likely suspects behind the hack attack, at least according to early reports of the breach, which are notably thin in furnishing any evidence to back up this suspicion.

More commentary on the breach can be found in blog posts by Graham Cluley of Sophos here and Rik Ferguson of Trend Micro here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/05/us_dept_energy_hack/