STE WILLIAMS

Anon claims ‘d0x’ on bank execs

As part of its ongoing campaign following the suicide of RSS inventor and activist Aaron Swartz, Anonymous has published the names and login details of what it says are 4,000 US banking executives.

The information was first posted on a site under the Alabama .gov domain (the Alabama Criminal Justice Center), with a mirror posted to a Chinese domain (a choice bound to stoke paranoia among the infosec community). Operation Last Resort has, via Twitter, claimed responsibility for the attack.

At least some of the names checked by The Register correspond to the individuals’ affiliations given in the Anonymous spreadsheet (we have not, of course, attempted to test login information). While e-mails for the individuals aren’t secret (they were revealed by Google as soon as El Reg conducted its name searches), the login information will be sensitive at least until all the compromised accounts are reset.

The group had already attacked the United States Sentencing Commission website (substituting its home page with a game of Asteroids). On the Operation Last Resort Twitter account, the attackers claimed that the information was obtained from Federal Reserve machines.

Another message on the same account associated the timing of the information release with the February 4 deadline for Attorney General Eric Holder to respond to House Oversight Committee questions about the handling of Aaron Swartz’s prosecution.

Swartz had opened a hole in MIT’s JSTOR system, allowing free access to academic papers, and the Justice Department was pursuing him for computer crimes with as much as a half-century of jail time on offer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/anon_d0xes_bank_execs/

‘Broke’ Estonian suspect pleads guilty to DNSChanger click fraud scam

An Estonian man has pleaded guilty to involvement in the DNSChanger click fraud scam. The Trojan infected 4 million computers worldwide, netting cybercrooks an estimated $14m in the process.

Valeri Aleksejev, 32, pleaded guilty to fraud and computer hacking offences at a hearing at a US federal court on Friday, Reuters reports. Aleksejev is the first of six Estonians and one Russian indicted in 2011 following a high-profile takedown operation. They each face five charges of wire fraud and computer intrusion. One of the defendants, Vladimir Tsastsin, was also charged with 22 counts of money laundering.

The DNSChanger malware at the centre of the scam changed internet address look-up settings on infected computers so that surfers attempting to reach Apple’s iTunes website, the Inland Revenue Service, or Netflix’s movie website were routed towards unaffiliated businesses. The ads presented to surfers visiting Amazon, The Wall Street Journal and other sites from infected machines were also under the control of cybercrooks, who earned a slice of the resulting advertising revenue from third-party affiliates. The scam ran for around four years between 2007 and late 2011.

In court, Aleksejev said he had helped write code that blocked infected machines from receiving anti-virus updates. His lawyer claimed his client was broke.

Aleksejev and five other Estonians were arrested by police in the Baltic republic in November 2011. Another Estonian suspect, Anton Ivanov, has already been extradited, while extradition proceedings involving the other four remain ongoing. A Russian suspect in the case, Andrey Taame, has not been apprehended.

The DNSChanger operation was shut down after a two-year FBI-led investigation dubbed Operation Ghost Click. The feds set up temporary DNS systems to service requests from infected machines for months after the takedown, a move designed to give corporates time to clean up infected systems. The case is: USA v Tsastsin et al, US District Court in Manhattan, No 11-00878. Aleksejev won’t be sentenced until 31 May. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/dns_changer_guilty_plea/

Unlucky for you: UK crypto-duo ‘crack’ HTTPS in Lucky 13 attack

Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites.

Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack.

According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them.

These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece.

Specifically, an attacker strategically changes the data used to pad out the encrypted blocks of information, and measures the time taken for the server to work out that the message was tampered with before rejecting it. The progress of the algorithms processing the blocks is revealed by this time difference, and it’s enough to gradually calculate the contents of the original message.

But it is tricky to precisely measure these timings due to network jitter and other effects. And tampering with the data will cause the connection between the browser and the server to fail. Thus, a bit of client-side malware is needed to repeatedly probe a server with new connections, replaying slightly altered versions of the original encrypted message, which might for example be a login cookie. This is similar to the earlier BEAST (Browser Exploit Against SSL/TLS) attack.

We’re told attacks against DTLS – a variant of TLS used by VPNs to secure traffic – can be carried out in a single session.

Speaking to El Reg, Prof Paterson said JavaScript code injected into a web page could implement the new research and decrypt a victim’s login cookie in about two hours: “An ordinary cyber-criminal would just use a phishing attack [to get a password] but for a nation state interested in getting an activist’s login cookie for Tor, this sort of attack is possible for a determined and well-resourced attacker.

“TLS is not quite as bullet-proof as we thought.”

A paper [PDF] titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols was published on Monday, and states:

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used.

The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable.

Professor Paterson said: “While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS’s extremely widespread use, it is crucial to tackle this issue now.

“Luckily we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organisations, including OpenSSL, Google and Oracle, to test their systems against attack and put the appropriate defences in place.”

The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable.

Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics’ Lucky Thirteen study threatens a fundamental e-commerce security protocol. The latest attacks “are quite different from BEAST and CRIME” as the university pair explain in an FAQ:

BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS. Our attacks are based on analysing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques.

The computer-science duo tested their attack against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS. Blocking the attack can be achieved by either adding random time delays to CBC-mode decryption or switching to either the RC4 or AES-GCM cipher-suites.

GnuTLS released a patch on Monday. OpenSSL is working on a fix. Other vendors, including web browser developers, may also need to adapt their software in response to the threat. ®

Bootnote

The researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen:

“In Western culture, 13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky – from the attacker’s perspective at least. This is what passes for humour amongst cryptographers.”
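The countermeasure the researchers describe (making MAC processing cost the same whatever the padding turned out to be) can be modelled in a few lines. The Python below is an added illustration, not code from the Lucky Thirteen paper or from OpenSSL/GnuTLS; it assumes an HMAC-SHA1 CBC cipher-suite and the 13-byte header mentioned in the bootnote, counts SHA-1 compression-function calls as a stand-in for time, and uses a constructed 64-byte record, key and header.

```python
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length of the TLS_*_CBC_SHA cipher-suites
HEADER_LEN = 13   # 8-byte sequence number + 1 type + 2 version + 2 length ("lucky 13")


def sha1_compressions(msg_len: int) -> int:
    """Compression-function calls HMAC-SHA1 spends on a msg_len-byte message.

    Inner hash: one 64-byte ipad block, then the message plus 9 bytes of SHA-1
    padding, rounded up to 64-byte blocks. The outer hash over opad || digest
    (84 bytes) always costs 2 blocks. Used here as a stand-in for time.
    """
    return (64 + msg_len + 9 + 63) // 64 + 2


def parse_padding(plaintext: bytes):
    """Return the TLS pad length if the trailing padding is well formed, else None."""
    if len(plaintext) < MAC_LEN + 1:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return None
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None
    return pad_len


def verify_naive(plaintext: bytes, key: bytes, header: bytes):
    """MAC-then-encrypt check that follows the TLS 1.1/1.2 advice literally:
    on bad padding, pretend the pad length is zero and still run the MAC.
    The MAC'd length, and so the work, depends on whether the padding parsed."""
    pad_len = parse_padding(plaintext)
    bad_pad = pad_len is None
    data_len = len(plaintext) - MAC_LEN - (0 if bad_pad else pad_len + 1)
    data = plaintext[:data_len]
    tag = plaintext[data_len:data_len + MAC_LEN]
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    accepted = hmac.compare_digest(tag, expected) and not bad_pad
    return accepted, sha1_compressions(HEADER_LEN + data_len)


def verify_equalised(plaintext: bytes, key: bytes, header: bytes):
    """Same check, but dummy compressions bring every record up to the
    worst-case work (zero-length padding), so the count no longer depends
    on the padding. Models the paper's counter-measure; a real implementation
    must also make parse_padding itself run in constant time."""
    pad_len = parse_padding(plaintext)
    bad_pad = pad_len is None
    data_len = len(plaintext) - MAC_LEN - (0 if bad_pad else pad_len + 1)
    max_len = len(plaintext) - MAC_LEN
    data = plaintext[:data_len]
    tag = plaintext[data_len:data_len + MAC_LEN]
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    work = sha1_compressions(HEADER_LEN + data_len)
    target = sha1_compressions(HEADER_LEN + max_len)
    for _ in range(target - work):  # burn the difference with real hashing
        hashlib.sha1(b"\x00" * 64).digest()
    accepted = hmac.compare_digest(tag, expected) and not bad_pad
    return accepted, target


def make_plaintext(data: bytes, key: bytes, header: bytes, pad_len: int) -> bytes:
    """Build what CBC decryption yields for a valid record: data || MAC || padding."""
    tag = hmac.new(key, header + data, hashlib.sha1).digest()
    return data + tag + bytes([pad_len]) * (pad_len + 1)


def demo():
    """Constructed 64-byte records (a CBC-aligned length at which the two cases
    straddle a SHA-1 block boundary): one with valid 0x01 0x01 padding, one
    whose last two bytes were corrupted so the padding no longer parses."""
    key = b"k" * 20              # constructed MAC key
    header = bytes(HEADER_LEN)   # constructed 13-byte header
    valid = make_plaintext(b"A" * 42, key, header, 1)
    broken = valid[:-2] + b"\x02\x01"
    return {
        "naive": (verify_naive(valid, key, header), verify_naive(broken, key, header)),
        "equalised": (verify_equalised(valid, key, header),
                      verify_equalised(broken, key, header)),
    }


if __name__ == "__main__":
    print(demo())
```

In the naive path the two records cost 4 and 5 compressions respectively, which is the one-block difference the timing measurement feeds on; the equalised path costs 5 for both.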

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/unlucky_13_crypto_attack/

Oracle blocks security hole with quick, hot ‘n’ premature Java update

Oracle has brought forward the timetable of an upcoming Java security update by two weeks in order to block off an in-the-wild security hole.

The update, originally scheduled for 19 February, was released a fortnight early on Friday because of “active exploitation ‘in the wild’ of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers”.

The update covers 50 flaws, 49 of which are remotely exploitable. More than half (26) of the bunch carry the maximum Common Vulnerability Scoring System (CVSS) risk score of 10.

The latest official versions are Java 7 Update 13 and Java 6 Update 39. This month (February 2013) marks the end of life of Java 6.

Despite the update, security experts continue to advise against installing the Java plug-in in browsers. If users need Java applets for certain sites, or for internal applications, then these should be accessed using a second browser that is not used for day-to-day surfing.

The security implications of the Java security update can be found in a blog post by Paul Ducklin of Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/oracle_java_update/

Schmidt slams China as world’s most prolific hacker

Google executive chairman Eric Schmidt has strongly criticised China, claiming the country is the world’s most prolific hacker of foreign firms and predicting that its actions will increasingly drive Western tech vendors closer to their governments.

The remarks came in a new book, The New Digital Age, which the Wall Street Journal has managed to get its hands on.

Co-written with Google Ideas bod Jared Cohen, the book tries to map out the key trends shaping the information society of the future.

In doing so, Schmidt reserves special ire for the People’s Republic – described as “the world’s most active and enthusiastic filterer of information” and “the most sophisticated and prolific” attacker of foreign organisations.

Although the Googler is also sure to point out US involvement in cyber incidents such as Stuxnet and the export of surveillance tech to repressive regimes, the WSJ’s extracts claim that US and Chinese firms have fundamentally different values – a fact which puts the former at a distinct strategic and commercial disadvantage.

“The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play,” the book states, according to the WSJ.

Most interestingly, the book apparently claims that Western tech firms may increasingly find themselves aligned with their governments in opposition to China and work to co-ordinate efforts “on both diplomatic and technical levels”.

Schmidt and Google have had a fractious relationship with the Chinese government ever since 2010’s Operation Aurora attacks saw China fingered as the source of an attack on the company. Google subsequently decided to relocate its search servers outside the Great Firewall.

Since then its search market share in China has slipped to under five per cent, while Android phones sold in the country are largely stripped of any Google apps or services, thereby crimping another revenue stream.

In this context, Schmidt has less to lose in slamming the Chinese government and the morality of its firms than, say, Apple, which regards the country as a hugely significant market.

By coincidence, the Obama administration is thought to be preparing a tougher response to Chinese hackers, both to protect national security and the commercial interests of its businesses.

President Obama has already been given the de facto power to launch a pre-emptive strike against a hostile nation if convincing evidence comes to light that it is about to be hit by a large scale cyber attack, according to the New York Times.

In addition, a new National Intelligence Estimate (NIE) is being prepared to assess the extent of the cyber threat from countries like China, said AP. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/google_schmidt_slams_china/

Twitter clients stay signed in with pre-breach passwords

Twitter has detected a breach and suggested 250,000 users change their passwords. Yet users who heed that advice will still find that apps using the Twitter API, including the company’s own, allow access to the service without asking users to enter the new password.

Reg readers and hacks in Vulture South, our Australian outpost, were among those in receipt of a notification that their accounts were among those compromised after an attack on the micro-blogging service. Twitter quickly ‘fessed up to the attack and sent those users whose privacy was threatened a notice they should reset their passwords.

A password change performed on the web did not, however, cause Twitter’s own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password. Instead, it remained possible to post tweets from both.

TweetDeck also allowed us to post tweets after a password change on Twitter with no new input to TweetDeck. As Vulture South runs TweetDeck as a Chrome app, we logged out of Twitter in Chrome but were still able to post from TweetDeck without being asked to enter the new Twitter password we had created around 40 hours previously.

Other users of Twitter’s iOS app confirmed the same issue, one telling The Reg that only after he deleted and re-installed the app was he prompted for a new password.

Freelance technology journalist Alex Kidman reset his password on the web and was afterwards able to tweet from an Android handset, again without being required to enter the new password into the app. Our own Richard Chirgwin noticed the same issue with the YoruFukurou (NightOwl) Mac OS Twitter client he favours.

Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that “TweetDeck and other clients use [open authentication standard] OAuth, so as long as you don’t sign out, you don’t have to re-input your credential every time you open the app.”

Prosser has also pointed out that the situation described above is an OAuth token issue, not a password issue.

However the web page Twitter published to detail the attack says, in part, that “As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts.”

OAuth makes use of two types of tokens: access tokens and refresh tokens. The former establishes an authenticated link between a user and an online service. The latter sustains and extends authentication and has a role in initiating new sessions.

Based on Vulture South’s experience, the tokens Twitter says it has revoked are not OAuth tokens.

Twitter has already been the subject of trouble on a similar topic, as security researcher Cesar Cerrudo recently found it was possible for apps to direct messages without users’ knowledge thanks to those apps’ use of OAuth.

The Reg has asked Prosser whether apps being able to stay logged in through OAuth after passwords change represents satisfactory security, especially in light of the recent attack on the company. A reply to that question had not been received at the time of writing.

But Chester Wisniewski, a senior security adviser at Sophos Canada, feels Twitter has not used best practice.

“It is possible to revoke tokens,” he said, and while a change to OAuth to formalise revocation has not been signed off, “there is nothing that would stop them from doing it anyway.”

Wisniewski has two theories for why Twitter did not revoke the tokens, the first of which is that the company understood the nature of the attack so well it felt it was safe to operate without doing so. The second is that “Twitter are being foolish.”

“I do question why they did not reset the oAUTH tokens,” he added, declaring the company has earned a B+ grade for its handling of the attack, but only because most responses to similar incidents are far worse.

Sean Duca, an enterprise solutions architect in McAfee’s APAC office, offered a similar opinion, telling The Reg by email that “when a password is changed on one device and you have two other devices logged in with the old password (for example), the vendor should terminate all open sessions for the given account.”

That seems not to be Twitter’s position, as the company’s OAuth guidance for developers, available here, says the following:

“We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended.”

We’ve asked Twitter whether it issues its own tokens and how it manages them, but have not received a response at the time of writing. ®
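The policy difference the article turns on (web session tokens reset, but third-party apps’ OAuth access tokens left working, against Duca’s view that every session should end when the password changes) can be modelled server-side. The Python below is an added example, not Twitter’s code and not part of the OAuth specification: the AuthService class, its two token kinds and the “alice”/“TweetDeck” scenario are all assumed or constructed.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_version: int = 0   # bumped on every password change or forced reset


@dataclass
class Token:
    user: str
    kind: str                   # "session" (web login) or "oauth" (authorised app)
    client: str
    issued_for_version: int     # password version current when the token was issued


class AuthService:
    """Hypothetical service modelling the two token policies discussed above."""

    def __init__(self, revoke_oauth_on_password_change: bool):
        self.revoke_oauth = revoke_oauth_on_password_change
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, Token] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted, iterated password hash (the article's "encrypted and salted").
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def login(self, user: str, password: str):
        """Web login: returns a session token, or None on a wrong password."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            return None
        return self._issue(user, "session", "web")

    def authorise_app(self, user: str, client: str) -> str:
        """OAuth-style grant to a third-party client such as a desktop Twitter app."""
        return self._issue(user, "oauth", client)

    def _issue(self, user: str, kind: str, client: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token(user, kind, client, self.accounts[user].password_version)
        return token

    def check(self, token: str) -> bool:
        """Is this token still good? Session tokens die with the password that
        was current when they were issued; OAuth tokens only do so under the
        stricter policy (the one Duca recommends)."""
        t = self.tokens.get(token)
        if t is None:
            return False
        if t.issued_for_version == self.accounts[t.user].password_version:
            return True
        return t.kind == "oauth" and not self.revoke_oauth

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new_password, acct.salt)
        acct.password_version += 1

    def active_clients(self, user: str) -> list:
        """Clients that can still act for the user; what Vulture South tested by hand."""
        return sorted(t.client for tok, t in self.tokens.items()
                      if t.user == user and self.check(tok))


def demo(revoke_oauth: bool) -> dict:
    """Constructed scenario: a web login plus an authorised app, then a password change."""
    svc = AuthService(revoke_oauth_on_password_change=revoke_oauth)
    svc.register("alice", "old-password")   # constructed credentials
    web = svc.login("alice", "old-password")
    app = svc.authorise_app("alice", "TweetDeck")
    svc.change_password("alice", "new-password")
    return {
        "web_session_valid": svc.check(web),
        "app_token_valid": svc.check(app),
        "still_active": svc.active_clients("alice"),
        "old_password_logs_in": svc.login("alice", "old-password") is not None,
    }


if __name__ == "__main__":
    print(demo(revoke_oauth=False))   # the behaviour the article observed
    print(demo(revoke_oauth=True))    # every session ends with the password change
```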

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/04/twitter_oauth_apps_logged_in_with_old_passwords/

Twitter breach leaks emails, passwords of 250,000 users

If you find that your Twitter password doesn’t work the next time you try to login, you won’t be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users.

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” Bob Lord, Twitter’s director of information security, writes in a blog post.

According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls “limited user information,” including usernames, email addresses, session tokens, and the encrypted and salted versions of passwords.

The encryption on such passwords is generally difficult to crack – but it’s not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just “a small percentage” of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you’ll need to enter a new password the next time you login. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods. In addition, he recommends against using the same password on multiple sites.

Lord says Twitter’s investigation is ongoing, and that it’s taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. 

Although the attack took place this week, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday. On the other hand, however, Lord’s post does make rather cryptic mention of the US Department of Homeland Security’s recent recommendation that users disable the Java plug-in in their browsers. He mentions Java twice, in fact.

While it’s true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn’t clear – and Twitter reps didn’t respond to El Reg’s request for clarification. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/02/twitter_breach_leaks_user_data/

First the NYT, now the Wall Street Journal: But are hacking attacks from China new?

Analysis The Wall Street Journal is the latest media titan after the New York Times to admit it was raided by Chinese hackers.

The WSJ confessed on Thursday a day after the NYT similarly blamed intruders linked to China’s military for a persistent four-month assault against its computer systems.

The attack against the NYT used a combination of spear-phishing – targeting specific individuals in a company – and customised malware. The newspaper’s observation that its Symantec-supplied protection systems only spotted one of the 45 incoming software nasties provoked a defensive statement from the antivirus maker.

As previously reported, the NYT said the attack resulted in the theft of staff passwords. It reckoned the espionage was an attempt to discover how the paper came to run an expose on outgoing Chinese Premier Wen Jiabao’s family finances. The NYT hired internet security firm Mandiant to investigate the network compromises.

The WSJ goes into less detail about the assault against its systems, but said that hackers were trying to monitor its China coverage. Journal publisher Dow Jones Co said its broadsheet’s computer had been infiltrated by Chinese miscreants and that these attacks were geared towards identifying sources for stories and information on upcoming articles.

The Journal said it was notified by the FBI of a potential security breach in the middle of last year, and that a subsequent investigation suggested that journalists in the paper’s Beijing bureau – such as Jeremy Page and bureau chief Andrew Browne – were the targets. We’re told that the intruders gained access to the overseas office’s PCs and used them as a route to infiltrate the paper’s global computer system.

It said that the attacks were the latest in a series of assaults from China against the WSJ.

News agencies are also plagued by spies creeping in over the internet: the WSJ reports that Reuters was hacked twice in August. The newswire either doesn’t know or isn’t prepared to say who it reckons was behind the attacks. Bloomberg said it was also targeted by hackers but claims that it was able to fend off the assault.

Western organisations accuse the hackers of having strong links to China’s Communist-run government. The WSJ even quotes web security biz CrowdStrike as saying that one of the 20 Chinese hacking groups it tracks specialises in attacking the media industry.

China’s foreign ministry has angrily rejected allegations of state collusion; its top brass said any suggestion that officials masterminded cyber-incursions into major US news outlets is “groundless” and “totally irresponsible”.

“It is irresponsible to make such an allegation without solid proof and evidence,” Foreign Ministry spokesman Hong Lei said. “The Chinese government prohibits cyber-attacks and has done what it can to combat such activities in accordance with Chinese laws.”

Hong added that China itself had been the victim of hackers but declined to identify the infiltrators or who or what they targeted within the Asian nation’s Great Firewall.

APT as easy as ABC

So-called Advanced Persistent Threat (APT) attacks against media outlets are part of a huge range of attacks against high-tech companies, government agencies, oil exploration outfits, defence contractors and so many others. And it has been going on for years.

More recently, the onslaughts have moved on from spear-phishing to planting malicious code on websites commonly visited by workers at targeted organisations – a so-called watering hole attack. This is ultimately designed to spread customised malware.

Victims of an ongoing campaign – variously codenamed Aurora, TitanRain, ShadyRAT and Night Dragon – over the years have included Google, RSA, and Coca-Cola in the US; Canada’s Nortel; Mitsubishi Heavy Industries in Japan; Rolls-Royce and Royal Dutch Shell in the UK; and numerous others.

Over the years patriotic hacker groups, who choose to defend their home nation or beat up their state’s enemies, and criminals have forged alliances; this is a process thought to be facilitated by the Chinese government and in particular the People’s Liberation Army.

There are various roles within such outfits including malware distributors, bot masters, account brokers and, most importantly, vulnerability researchers. The Chinese often prefer to use freelance hackers for plausible deniability, but the use of Chinese-language tools first seen in internet sorties against Tibetan activists has led computer security experts to point the finger of blame towards the Chinese government in many cases.

There’s little point in dismissing or being shocked by the New York Times attack, which is just one example of a serious ongoing problem that has provoked formal complaints by the US State department to foreign nations.

“Sophisticated, targeted attacks have changed the cyber landscape. Everybody is vulnerable to these threats – no organisation is safe,” said Rob Cotton, chief exec at infosec biz NCC Group.

“Although we can’t blame this incident purely on the antivirus software, the ongoing issue is that signature based antivirus tackles a problem that was prevalent 20 years ago but is largely irrelevant to today’s cyber threats.”

Antivirus is like ‘homeopathy for computers’

The NYT electronic break-in was a catalyst for a debate about the effectiveness of antivirus software. There are broadly three camps to this discussion: Defenders of the continuing usefulness of the technology argue that it’s necessary but insufficient. You need antivirus, and not just on the desktop, along with intrusion prevention, monitoring and other layers of protection.

The second camp argues that custom malware is always going to punch through defences, so what you need is early detection of infection, followed by recovery and a response to attacks. By responding quickly, organisations can minimise the effect of a breach and prevent the theft of valuable information. This approach makes a fair bit of sense once you appreciate that attackers use an initial infection to get a foothold on a targeted organisation’s network, but what they’re really after is often stored elsewhere. So thwarting so-called stepping-stone attacks makes a lot of sense.

The third, and most vocal, camp argues that antivirus software is hopelessly outdated in the face of modern threats; some describe the industry as selling “blunt razor blades” or, more damningly, “homeopathy for computers”.

Vendors in this camp include those who advocate white-listing as an alternative to antivirus (technology that blacklists known malicious programs). However, modern security software incorporates white-listing and behaviour-based detection, so this argument is far from a clincher, or at least it’s more complicated than it looks on the surface. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/wsj_blames_china_for_hack_attacks/

Rotund Mega baron Dotcom offers bounty for breaking his crypto

Kim Dotcom is offering a prize of €10,000 ($13,600) to anyone who can break the cryptography of Mega, his recently launched cloud-based storage site.

Mega’s launch last month was met with criticism from multiple security researchers. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password known only to the punter. The failure to use a good source of random number generation in coming up with user passwords, the lack of account recovery options – or even the ability to change passwords – as well as the possibility of cracking the cryptographic hashes using dictionary-based attacks all became targets of criticism. The strength of the SSL certificate used on one of the main Mega servers also became an issue.

In response, Mega published a blog post designed to reassure users that all was well. It has since introduced the ability to change passwords and a password reset capability.

All this has failed to placate some critics, who argue that Mega’s unconventional cryptography system was more suited to providing it with plausible deniability over the use of the site to share pirated content than an effective means of safeguarding user privacy.

The fat controller himself responded to this ongoing criticism on Friday by making good on an earlier promise to offer a bounty to anyone who breaks the site cryptography.

“#Mega’s open source encryption remains unbroken! We’ll offer 10,000 EURO to anyone who can break it. Expect a blog post today,” Dotcom said in a Twitter update.

Further details are yet to appear on Mega’s blog. Prizes for hacking into things are all good clean fun but don’t actually prove a system is secure, of course. They just show that nobody has found a bug as yet, or that they’ve found something but don’t want to go public on the discovery, or that they’re holding out for a bigger prize.

In other Mega news, the file locker service has begun blocking third-party search engines from indexing publicly available files shared by Mega users. One such third-party service, Mega-Search.em, turned Mega into a source of pirated content. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/mega_crypto_break_bounty/

Symantec: Don’t blame us for New York Times hack

Symantec has taken the unusual step of commenting on a story about a customer, issuing a robust statement denying its anti-virus products were to blame for a sophisticated targeted attack on the New York Times.

The Gray Lady revealed yesterday that it had been persistently attacked for four months by China-based cyber insurgents. They used classic APT-style techniques to breach defences before lifting New York Times staff passwords in an attempt to find out more information on an expose run by the paper into outgoing Premier Wen Jiabao.

The killer paragraph for Symantec, however, was the following, which could be interpreted as the NYT attempting to shift blame for the breach onto its security provider.

“Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant”.

Although Symantec’s policy is not to comment on its customers, it wasn’t long before it released the following as a “follow-up” to the Times story.

“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

Symantec obviously falls short of clarifying whether the New York Times had these extra capabilities, and if it did whether they were “switched on”, although the careful wording of the statement would indicate not.

Most security vendors today have supplemented their standard signature-based AV offerings with more advanced tools to spot zero day malware – which is usually employed in attacks like this.

While CSOs are wisely cautious of believing every piece of FUD-based “intelligence” from the information security vendor community, a tipping point does seem to have been reached where it’s now wise to invest in such tools, especially if you’re a high profile organisation.

As if to reiterate its message on the prevalence of advanced targeted attacks, Symantec warned in a new blog post published on Friday of a sophisticated spear-phishing campaign targeting the directors and VPs of aerospace and defence firms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/symantec_responds_nyt_apt/