STE WILLIAMS

Security researchers have outlined the danger that tweeters face if they “save time” by signing into third-party applications using a Twitter account.

Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard – which saves the user time as well as minimising the number of account login credentials he or she needs to remember. But certain miscreants are abusing the security feature to implement workarounds which violate users’ privacy.

Authorised applications typically gain access to a user’s Twitter public feed (such as the ability to read tweets from their timeline and see who a user follows). In addition, applications can also be given to ability to post tweets under a user’s profile. But third-party applications should not have access to passwords, even after a user signs in with Twitter, as that would defeat the purpose of OAuth. Direct messages also ought to be out of bounds.

However Cesar Cerrudo, chief technology officer at security firm IOActive, discovered it was possible for such third-party applications to obtain access to a user’s direct messages without prior notification or permission. Cerrudo came across the issue while experimenting with an application that bundled functionality to access and display Twitter direct messages.

The functionality didn’t work initially, and shouldn’t work at all, unless the users granted proper authorisation through a second (separate) security permission page.

The page invites users to “Authorize app” instead of “Sign in”, which many users might miss in their haste to type in their username and password. Cerrudo didn’t grant this permission, but as he continued to experiment with the application, logging in and out from the application and Twitter, he noticed that the application had begun displaying all his Twitter direct messages.

This prompted him towards investigating how the application had bypassed Twitter’s security restrictions.

After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page.

Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorisation, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.

Cerrudo central concern is that he never authorised the application to gain access to direct messages he sent on Twitter. “I never authorised the application, and I did not encounter a web page requesting my authorisation to give the application access to my private direct messages,” he writes.

The security researcher reported the issue to Twitter, which reportedly resolved the problem within 24 hours by 17 January. Cerrudo praises this response but faults Twitter for failing to publish an advisory about the issue.

The two basic morals of the story are that users would do well to think twice before signing in to third-arty apps with their Twitter credentials. And after they sign up, they would do well to periodically check permissions.

“There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users’ private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it),” Cerrudo said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/twitter_dm_security_snafu/

Nearly two-thirds of retail banks experienced at least one distributed denial of service (DDoS) attack in the past year, according to a new survey.

In a new report, (12-page/941KB PDF) commissioned by Corero Network Security, 64 per cent of 650 IT and IT security experts from 351 banks said a DDoS attack had been carried out on the financial institution they work for. More than 10 DDoS attacks were carried out on 7 per cent of banks, it said. DDoS attacks typically involve hackers using malware-infected computers to bombard systems with such large amounts of traffic that they cease to function.

Only 37 per cent of respondents described their banks’ ability to prevent DDoS attacks as effective or very effective, whilst the remainder said the measures in place were either somewhat effective (30 per cent), not effective (23 per cent) or unsure about how effective they had been (10 per cent). Fewer than half (43 per cent) said that their institutions’ efforts to detect DDoS attacks were either effective or very effective.

Half of the respondents to the survey, which was conducted by the Ponemon Institute on behalf of Corero, said that the “most critical barrier to preventing DDoS attacks” was either banks having insufficient personnel and in-house expertise (26 per cent) or inadequate or insufficient technologies (24 per cent), whilst a further 15 per cent said budget constraints were the biggest barrier to stopping such attacks.

The Ponemon Institute said that it estimated that each retail bank experienced an average of 2.8 DDoS attacks in the last year. It added that 78% of respondents to its survey expect DDoS attacks to continue or significantly increase in 2013.

“It really comes as no surprise that DDoS attacks are one of the most severe security risks cited by the banking industry and these results clearly demonstrate the level to which they are being targeted on a continued basis,” Dr Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “When such an attack occurs, the time and efforts of IT staff are devoted to dealing with the problem instead of managing other IT operational and security priorities. This leaves financial institutions open to more dangerous attacks that further compromise their infrastructure.”

The survey respondents said that banks were most commonly relying on traditional firewall protections and on-premises anti-DDoS technology to repel DDoS attacks, but Marty Meyer, president of Corero, warned that those measures may not be provide sufficient defence.

“The belief that traditional perimeter security technologies such as firewalls are able to protect against today’s DDoS attacks is lulling not only financial institutions but organisations across every sector into a false sense of security,” said Meyer said. “Many organisations assume traditional firewalls can provide protection against DDoS and Zero-Day exploits at the perimeter, yet this is not what they were designed to do and therefore attacks are still getting through.”

“Organsations need to add first line of defence solutions that can provide this protection and are able to remove all of the ‘noise’ at the perimeter before it hits the network so that firewalls and servers can optimally work on the functions they were originally designed for,” he added.

The survey respondents had classed ‘Zero-Day’ attacks as the most severe security threat facing banks. The term refers to attacks that exploit a previously unknown weakness in organisations’ systems.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/ddos_survey_banks/

US prosecutors have accused three people of using a bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

Systems at NASA were among the 40,000 computers in the US infected by the trio’s Gozi Trojan, described in a US Department of Justice statement as “one of the most financially destructive computer viruses in history”*.

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the “bulletproof [web] hosting” service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware – some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

The Gozi Trojan first surfaced in 2007. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in losses to individuals, businesses and governments whose computers were compromised. Gozi was distributed in various guises, most commonly disguised as a benign PDF document.

Kuzmin rented out access to the latest versions of the Gozi Trojan on a weekly basis through a business called “76 Service”, which was advertised on various underground cybercrime forums.

From 2009 onwards he sold the source code to various conspirators, some of whom paid others to refine, update, and improve the software nasty. Calovskis was allegedly among the most able of these black-hat programmers. US prosecutors blame him for developing code, known as “web injects”, that altered how the web pages of particular banks appeared on infected computers.

One such “redesign” changed a bank’s welcome page on a compromised machine to trick victims into disclosing additional personal information – such as their mother’s maiden name, social security number, driver’s licence information and account PIN – supposedly needed in order to continue to access the banking website. These details were then relayed to crooks to exploit as they wished.

Various versions of Gozi were tailor-made to attack banks targeted by each underworld buyer. Paunescu allegedly operated the servers that collected the swiped personal data and controlled infected machines. He allegedly acted as an ISP for crooks, charging them a premium for providing a degree of anonymity and fending off takedown requests from security firms and upstream service providers.

As the US Department of Justice points out, “the charges contained in the indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty”.

The case was handled by NASA’s Office of Inspector General; Latvian State Police; the Romanian Intelligence Service; the Romanian Directorate for Combating Organized Crime; the Romanian Directorate for Investigating Organized Crime and Terrorism; and the FBI and various prosecuting agencies led by Preet Bharara, the US Attorney for the Southern District of New York, and Lanny A. Breuer, the Assistant Attorney General of the Department of Justice’s Criminal Division. ®

Bootnote

* While US prosecutors describe Gozi as a virus it doesn’t replicate itself and for this and other reasons is better described as a Trojan.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/gozi_trojan_indictment/

Sony has been fined £250,000 for allowing million of UK gamers’ details to be spilled online by PlayStation Network hackers.

The UK’s Information Commissioner’s Office (ICO) levied the heavy fine against Sony Computer Entertainment Europe for a serious breach of the Data Protection Act.

Personal information of millions of Brits – including their names, addresses, email addresses, dates of birth and account passwords – were swiped by hackers who broke into systems running the PlayStation Network (PSN) in April 2011. The data watchdog added that credit card details were also at risk.

Sony blamed Anonymous or a section of the hacktivist collective for the attack, but Anonymous denied any involvement. The group admitted launching denial-of-service attacks on various Sony websites, but who was behind the PSN breach remains unclear or at least unproven.

An ICO investigation concluded that the database raid could have been prevented if Sony had applied the latest security patches to its systems’ software had and followed best practice guidelines in password security – such as hashing and salting credentials. The conclusions fall into line with earlier technical analysis of the breach by security specialists.

David Smith, deputy commissioner and director of data protection at the ICO, said in a statement on the fine:

If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

Smith described the case as “one of the most serious ever reported” to the ICO in explaining the bumper fines. “It directly affected a huge number of consumers, and at the very least put them at risk of identity theft,” he concluded.

Sony rebuilt the PSN in the wake of the breach to ensure its network is more secure. The entertainment giant has repeatedly apologised for the massive breach, which made it a poster child for system insecurity. The raid may have had some positive effects in promoting greater awareness of securing passwords and patching among consumers and large corporations.

The breach resulted in a five-week outage of the PSN as Sony drafted in security experts to resolve the resulting mess. This cost an estimated $171m, making the UK data breach fine small change by comparison. A chunk of this multi-million-dollar bill probably footed generous welcome back packages and compensation to gamers rather than security consultant fees and costs for extra technology, but Sony has never provided a detailed breakdown on this point. ®

Bootnote

The ICO can fine an organisation up to £500K for data security breaches. The Sony fine is among the heaviest ever levied but is not a record. “It’s not a record fine – it’s one of our biggest monetary penalties, but Brighton and Sussex NHS Trust was fined £325k and the recent text message fine came to a total of £440k,” an ICO spokesman explained. Hard drives from the Brighton trust were sold on eBay instead of being destroyed or at least wiped. Sensitive data left on the computer kit included STD test results as well as the names and dates of birth of more than 1,500 HIV positive patients.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/sony_psn_breach_fine/

Hackers waging war against Egyptian websites have forced the closure of Egyptological, a journal on Egyptology.

Egyptologist Kate Phizackerley, who published the web periodical with Andrea Byrnes, has also closed down her personal blog for the same reason. Egyptological was shut down after it was “targeted by a professional hacking group as part of an onslaught on Egypt-related websites” during a wave of unrest that started late last year.

The hackers see Egyptology sites as “representing a form of political threat”, according to Phizackerley. For now, she has abandoned hope of restoring Egyptological and her personal website after negotiations with the hackers broke down.

Various ancient history bloggers – including Mike Heiser and Roger Pearse – accused Islamic hardliners of knocking Phizackerley’s web magazine offline. Phizackerley said on Tuesday she is unable to confirm this and expressed a desire to avoid politicising the issue.

“There seem to be suggestions that Andrea and I know the affiliation of those who hacked us,” Phizackerley wrote. “We don’t and by policy I haven’t speculated. Part of the reason for my reticence is that some, although not all, of the hackers have been polite to us. In particular, at no point did the hackers claim association with any religion.

“We have also made no public assessment of our web host for Egyptological. Were the site to reappear it would be with a different host, but we needed to swap hosts anyway on grounds of capacity and economy,” she added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/23/egyptology_site_forced_online_by_hackers/

Australia is tooling up for a “long, persistent fight” online, and believes digital combat will be as important to the nation’s future security as involvements in Iraq and Afghanistan were in the last decade.

No less a figure that Prime Minister Julia Gillard expressed that opinion today in a speech billed as a landmark security policy pronouncement that had as its premise the assertion that “The 9/11 decade is ending and a new one is taking its place.”

To ready the nation for coming online battles, Gillard said Australia will combine the infosec functions of several agencies – the Attorney-General’s Department, the Australian Defence Force, ASIO, the Australian Federal Police and the Australian Crime Commission – in a single location to operate as the new Australian Cyber Security Centre. The new operation should be up and running by year’s end.

Gillard said the Centre will be “a hub for greater collaboration with the private sector, State and Territory governments and international partners to combat the full breadth of cyber threats” and will mean Australia has “an expanded and more agile response capability to deal with all cyber issues — be they related to government or industry, crime or security.”

Gillard’s speech made constant reference to a previous landmark utterance, namely one that launched the “Asian Century White Paper” that offers a long-term vision for Australia as a nation enmeshed with Asia and less engaged with European and North American nations when it comes to trade cultural influences and defence.

Today, Gillard said “our national objectives in the region can only be realised if there is sustainable security in Asia.”

It’s probably drawing too long a bow to suggest that’s a barbed message to China that Australia is keeping an eye on its online activities. But it does signal Australia considers its digital frontier something that needs strengthening as its Asian engagement deepens.

One signal missing from the speech is just how the Centre will engage with the private sector. One element of that sector – security vendors – has not been shy of approaching the Australian government to push their agendas and have not been rebuffed when the offer aid. McAfee recently helped to prepare a cyber-safety campaign for Australian children, while The Register is aware of a prominent security vendor’s involvement in lobbying for and formulating data breach laws due to go before Parliament this year.

One hint of what the new Centre might get up to derives, in part, from our own story that ASIO, Australia’s largest intelligence agency, has changed its recruiting practices to ensure it has specialist staff to assist in its work.

Since we started work on that story, the agency has advertised for a Telecommunications Interception Specialist. That worker could conceivably be one of those transferred to the new national centre. Who’s calls will the new hire be tapping? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/23/australia_cyber_security_centre/

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.

Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules

Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software’s developers Skytech.

Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent’s home started to ring he said. On the other end was Edouard Taza, the president of Skytech.

“He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed,” the student said.

“He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement.”

Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one’s privacy has been breached, but he was concerned at the scanning software used.

“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake,” he said.

Unfortunately for Al-Khabaz Dawson College didn’t feel that way, and began an investigation for a for a “serious professional conduct issue.” Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college’s code.

After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct,” he said. “I really want this degree, and now I won’t be able to get it. My academic career is completely ruined.”

But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.

“When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student,” said the educational institution in a statement.

A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and “injected SQL code,” according to his expulsion letter.

Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it’s clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/21/dawson_student_expelled_code_flaw/

The organizers of the Pwn2Own hacking competition held at the annual CanSecWest security conference have upped the prize pool to $US560,000 and will now be offering prizes for hacking web plug-ins from Adobe and Oracle.

The contest, which dropped mobile phone hacking last year, has added web plug-in hacking to the prize pool. Contestants get $70,000 apiece for cracking Adobe Reader and Flash, and $20,000 for getting past Java. Based on the latter’s recent parlous performance in the security arena that price discount seems justified.

“We’ve added browser plug-ins as a reflection of their increasing popularity as an attack vector,” said Brian Gorenc, manager of vulnerability research at Pwn2Own sponsors HP DVLabs. “We want to demonstrate new hacking areas and design new mitigation techniques.”

For the more traditional hacks against browsers, a working Chrome exploit for Windows 7 will net $100,000, with the same again for an IE10 hack in Windows 8 or $75,000 for breaking IE9 in Windows 7. A Safari exploit in OSX Mountain Lion is worth $65,000 and Firefox on Windows 7 just $60,000, and all hacks must be completed in a 30 minute time frame.

As ever with the Pwn2Own competition, the winning hackers also get the laptop used in the successful hack. HP, meanwhile, is asking for the full details of the exploits used and the technique followed in a successful hit, which it will share with the cracked software’s developer. This latest rule change has some security researchers worried.

“If the full exploit technique are shared with the vendor, we will probably *not* enter, or we have to use some tricks ;-),” said last year’s winner Chaouki Bekrar, CEO of security research firm VUPEN, on Twitter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/22/pwn2own_web_plugin_prize/

Indian police have arrested two men who allegedly circumvented a bank’s two-factor authentication protection and looted online accounts.

The pair are suspected of buying victims’ personal details from other crooks and then tricking mobile phone companies into giving the duo replacement SIM cards. Anyone in possession of these SIM chips could authorise fraudulent withdrawals and forward the cash to bank accounts set up by lackeys or other money mules.

The online transfers would need to be approved by a one-time authentication code sent to the victim’s phone number in a text message; this code must be correctly typed into the banking website to allow the withdrawal.

But these messages will be directed to the mobile in which the replacement SIM is installed, rather than to the victim. Fraudulent transfers can be carried out before a victim realises that his or her mobile has been kicked off the network by the new SIM in the crook’s handset and complains to the service provider – presumably in person at a shop or on a landline since marks would be left unable to make anything other than emergency calls using their original SIM card.

The suspects, one aged 39 from Mumbai and the other from Delhi, were arrested by cops from the Economic Offences Wing of India’s Criminal Bureau of Investigation, the Indian Financial Express reports.

Indian police said they latched onto the fraud following a complaint from a victim, who alleged that 2,000,000 rupees ($35,000) had been fraudulently transferred from his account at YES Bank in October. Further commentary on the information security aspects of the case can be found in a blog post by Paul Ducklin of Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/21/indian_sms_bank_fraud_arrests/

Security researchers have decapitated a spam-spewing network of hacked computers by pulling the plug on the central command-and-control servers. The compromised PCs were infected by the Virut virus and were being remotely controlled from these servers by miscreants.

The takedown operation was coordinated by CERT Polska, the computer emergency response team in Poland. Virut – which spreads via file-sharing networks, compromised web servers and infected USB drives – was responsible for 6.8 per cent of malware infections in 2012, according to stats from Russian security biz Kaspersky Lab.

The software nasty infects .exe and .html files to display adverts and open a backdoor to the botnet’s masters. It has been linked to data theft and distributed-denial-of-service attacks, as well as spam distribution, according to CERT Polska. Other researchers, including the bods at Symantec, have linked the botnet to ad-click fraud.

“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890,000 unique IP addresses were reported to be infected by Virut.”

CERT Polska has sinkholded 23 domain names, including zief.pl and ircgalaxy.pl, used by servers calling the shots not only for Virut-infected machines but also systems hit by the Palevo strain of malware and variants of the infamous bank-account-raiding ZeuS Trojans. Sinkholing involves seizing control of the domain names for a botnet’s command-and-control systems to redirect connections from the hacked PCs to investigators’ machines.

This allows the security experts to capture communications from compromised computers phoning home to the command-and-control servers to receive their next instructions. This reveals the operations and internal structure of the network of zombie PCs, which steers the strategy for subsequent cleanup operations. Seizing the reins of the botnet to monitor network chatter disrupts the criminal activity, at least temporarily, but in itself does nothing to remove infections from compromised drones – which are, don’t forget, innocent users’ Windows PCs.

As a back-up mechanism each compromised Virut host can try using one of 10,000 alternative domain names each day to connect to a command server if contact with the main control systems is lost; this feature allows the zombie masters to rollout fresh updates and new connection details and regain control of the botnet. Days before the takedown, Symantec warned that Virut was redistributing Waledac, a spam-sending bot whose original control system was pulled offline in a high-profile takedown operation orchestrated by Microsoft in 2010.

The Virut botnet created a platform for the distribution of other strains of malware onto compromised hosts and this formed the main mechanism for its controllers to make money, often through elaborate affiliate programs.

One money-making affiliate network aped legit software businesses by actually publishing an end-user licence (EULA) for Virut, according to investigative journalist Brian Krebs. The terms-of-use document, for those wishing to redistribute the virus, refers to “bundling” rather than infection, and boasts that “QuickBundle technology” spread by the botnet “enriches” files with ad-supported content.

The licence forbids users from sharing the download with computer security organisations or anti-malware firms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/21/virut_botnet_take_down/