STE WILLIAMS

Linksys vuln: Cisco responds

Cisco has identified the Linksys router affected by the vulnerability published by DefenseCode on January 14.

In an e-mail to The Register, the vendor says its review shows the vulnerability only exists in the WRT54GL home router.

“Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router,” the e-mail says. “At this point, no other Linksys products appear to be impacted.

“We have developed and are testing a fix for this issue, and will release it for our customers as soon as possible. Until this time, customers using the WRT54GL can stay safe by ensuring their wireless network is securely configured, and the only people using an Ethernet cable for connecting to the router are friends. Linksys takes the security of our products and customers’ home networks very seriously, and we will continue to provide updates as they become available.”

DefenseCode announced the vulnerability, saying it had notified Cisco of the problem. In its original post, the company said it would not publish details of the vulnerability or any exploit until a fix is available. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/17/cisco_responds_to_linksys_vuln/

New slicker Shylock Trojan hooks into Skype

The Shylock banking Trojan has been revamped with extra features that allow the malware to spread using the chat function of Skype, the popular Voice over IP application.

The Skype-spreading capability is implemented as a plugin named “msg.gsm”. The plugin also gives the malware the ability to send messages and transfer files over Skype, to bypass Skype’s warnings and restrictions, and to remove its own messages and transfers from the Skype history.

Besides the new ability to spread through Skype, Shylock can also spread through local shares and removable drives. Infection by the Trojan allows cybercrooks to steal cookies, inject content into HTTP sessions, set up VNC (allowing remote control of compromised desktops) and upload files, among other functions.

Shylock is a strain of banking Trojan that first appeared in 2011 and these days is principally targeted at UK banking customers, according to sinkhole data collected by Danish security consultancy CSIS and plotted on a map by the firm. “Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems,” CSIS warns. “The code is constantly being updated and new features are added regularly.”

Microsoft recently announced that it is discontinuing its Messenger service and replacing it with Skype. CSIS speculates that this may have spurred the unknown cybercrooks behind the malware to develop additional components that let their creation spread via Skype chat.

Previous versions (or configurations) of the malware hijacked live chat sessions in a bid to trick business banking customers into handing over their banking login credentials or into authorising fraudulent transactions. ®

Bootnote

Shylock’s moniker is a reference to the inclusion of random excerpts from Shakespeare’s The Merchant of Venice in its binaries.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/17/shylock_trojan_skype/

RIM gets thumbs up from Visa for pay-by-bonk security tech

RIM is hoping its reputation for superior security will smooth its path into wallet management as it gains Visa approval for the TSM platform that it is pushing to network operators.

Everyone planning secure NFC apps needs a Trusted Service Management (TSM) platform, but the four big SIM providers already have approved TSM platforms. This means that RIM will face an uphill battle for acceptance, though it may have an old advantage in the form of legacy enterprise deployments and love from the BOFHs.

Approval from Visa saw RIM’s share price jump 6 per cent, though as NFC Times points out, such approvals are normally awarded to TSMs used by banks rather than network operators, and the four big players in SIM provision already have approved TSM platforms on the market. Nevertheless, RIM is offering to manage content across secure elements, and thus to take advantage of what hooks it still has into enterprise customers.

NFC, the Near Field Communications standard which permits pay-by-bonk and a host of other short-range apps, requires a secure element as well as a short-range radio, and ownership of that secure element is still in dispute. Google puts one into its Nexus handsets, and uses it to host pay-by-bonk with Google Wallet, while network operators prefer to put the secure element into the SIM and rent out space to banks, voucher schemes and the like.

RIM has long been a supporter of NFC, building the tech into its phones and embedding a secure element into every handset (as well as supporting the SIM-based one owned by the network operator). RIM’s TSM will manage content across both secure elements, as well as supporting other devices, and RIM could be ideally placed to take advantage of some of NFC’s more interesting capabilities.

Bonk to synchronise, or pair up Bluetooth, is old news, but in two weeks RIM will be launching BB10 hardware and should be demonstrating how an NFC-equipped phone can be more than a bonkable audio player. RIM is already working with secure identity services firm HID Global to get BlackBerry handsets compatible with existing electronic locks so we’d expect to see entry systems demonstrated – there’s no reason not to expect workstation-unlocking to also be NFC-based.

Not that the radio would be necessary; the secure element is more than capable of providing a challenge/response akin to a hardware token for remote logon, thus providing secure identification without additional hardware beyond the handset.

NFC has loads of potential, now that it is being built into devices by default, and RIM will be hoping that operators look in its direction when thinking about how to manage all those apps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/17/rim_nfc_tsm/

Fans of dead data ‘liberator’ Swartz press Obama to sack prosecutor

A new online petition has called for the firing of US attorney Carmen Ortiz for pursuing Aaron Swartz with charges that could have put him in prison for more than three decades.

Meanwhile, Democrat congresswoman Zoe Lofgren has drawn up a new bill called “Aaron’s Law” to amend the US Computer Fraud and Abuse Act used to prosecute Swartz until his death last week.

Internet prodigy Swartz, 26, took his life on Friday in the midst of a lengthy computer fraud case against him. The charges were brought after he copied 4.8 million scientific articles from the nonprofit journal archive JSTOR to allegedly redistribute online.

In the days after he was found dead at his New York home on Friday, Swartz’s family said their son’s suicide was “the product of a criminal justice system rife with intimidation and prosecutorial overreach”.

Now Lofgren has announced on Reddit, the immensely popular discussion website Swartz helped build, her intention to put forward Aaron’s Law. The bill aims to tighten up the Act’s definition of fraud.

“There’s no way to reverse the tragedy of Aaron’s death, but we can work to prevent a repeat of the abuses of power he experienced,” she wrote.

“The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

“Using the law in this way could criminalise many everyday activities and allow for outlandishly severe penalties.”

Her proposed bill, which would need to be debated and passed by both the House of Representatives and the Senate to take effect, seeks to narrow the CFAA by excluding certain violations of user agreements from its scope.

Meanwhile, a White House website petition to have US attorney Ortiz removed from office for “overreach” in Swartz’s case has surpassed the 25,000 signatures it needs to land an official response. More than 35,000 people have signed the petition since it was created on Saturday.

Swartz was known to be depressed and took his life shortly after his legal team was unable to convince prosecuting lawyers to reduce the charges for “liberating” the JSTOR archive and help him avoid a long spell behind bars. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/congresswoman_petition_aaron_swartz/

Cryptome escapes Thales’ attack dogs in bank security row

Defence giant Thales has withdrawn its demand for the removal of banking security documents from whistle-blowing website Cryptome.

The global corporation filed a DMCA* takedown notice last week citing copyright infringement: two of its manuals for cryptographic equipment have been available from Cryptome since 2003.

Ross Anderson, a professor in security engineering at the University of Cambridge Computer Laboratory, fired a broadside at Thales earlier this week arguing that the action amounted to attempted censorship. The manuals documented the software interfaces between hardware security modules in cash machines and other equipment, an important thread of research in banking security.

“API security has been a goldmine for security researchers, it’s been an embarrassment for the industry, in which Thales is one of two dominant players. Hence the attempt to close down our mine,” Anderson explained. The computer science expert went on to argue that removing the long-standing resource would hamper competition as well as inhibiting research, comparing the case to the ill-fated Lexmark DMCA case against Static Control Components.

In response, Thales conceded that the DMCA takedown nastygram was a mistake and withdrew it. Rather than seeking to inhibit research into banking security, Thales was only seeking the removal of an out-of-date and obsolete resource, the security firm said in a statement:

Thales is in no way trying to censor information that would benefit banking security research.

The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.

It is not unusual for Thales to suggest that out-of-date information is removed from web sites so that it doesn’t cause confusion or mislead our customers.

This would normally be handled with a polite request to the web site owner; on this occasion, unfortunately, we were over-zealous in initiating a takedown notice. That notice is being withdrawn, and we would like to apologise to the site owner of Cryptome for the distress it caused.

Thales fully appreciates the benefits of openly sharing information relating to our security products and fully supports legitimate academic research in this area. The most up-to-date and accurate information can be obtained directly from Thales.

Thales added that its e-Security division is actively involved in key technical forums such as ASC X9, Global Platform, NACHA, PCI SSC, Smart Card Alliance and OASIS, all of which contribute to banking security research. A letter sent to John Young of Cryptome by Thales along the same lines as the statement it supplied to El Reg can be found here. ®

* The US Digital Millennium Copyright Act.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/17/thales_dmca_takedown_row/

North Korean crackers hit South Korean hacks

Tensions on the Korean peninsula flared again this week after Seoul accused its northern neighbour of two separate hacking attacks targeting the press.

South Korean news agency Yonhap reported on Thursday that a web server in the office of the presidential transition team had been attacked by suspected state-sponsored villains from the North.

The server in question handled the office’s press rooms, so attackers are not thought to have penetrated the transition team’s main office. Details are still emerging but journos at the scene are apparently being told to make sure their device security is up-to-date and to change passwords frequently.

Park Geun-hye edged out her liberal opponent Moon Jae-in at the elections last month to become the first woman elected to lead South Korea. Park is the daughter of former dictator Park Chung-hee, whose 18 years in power saw two assassination attempts by Pyongyang before his own security chief killed him in 1979.

North Korea has been fingered for numerous cyber attacks on the South over the years. On Wednesday the National Police Agency released a statement blaming Pyongyang for an attack on the hardline JoongAng Ilbo newspaper last June.

After analysing records, it said one of the 17 overseas servers used in the attack had been used before by North Korea, and that one China-based IP address belonged to Pyongyang’s Ministry of Post and Communications, according to AP.

During that attack, the paper’s web site was defaced with the picture of a smiling cat and the message: “Hacked by IsOne”. Attempts were also made to disrupt the paper’s production system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/17/north_korea_cyber_attack_south/

Surprised? Old Java exploit helped spread Red October spyware

Unpatched Java installations may have helped spread the malware responsible for the recently uncovered “Red October” cyber-spying campaign, researchers at Seculert have revealed.

Kaspersky Lab first disclosed the existence of Red October on Monday, claiming that the program had been responsible for attacks on systems in Eastern European countries, former Soviet republics, and Central Asian nations over the last five years.

The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel. Recipients who opened the documents became unwitting participants in the cyber-espionage scheme.

But further investigation by Seculert has revealed that Red October’s masterminds had a backup plan – namely, installing the malware by directing users to a web page that exploited a known vulnerability in the Java browser plugin.

In a blog post on Tuesday, Seculert researchers explained that a special folder on the Red October command-and-control servers contained a PHP page that could exploit the Java flaw, causing the hapless victim’s browser to download and execute Red October’s “Rocra” malware automatically.

Similar exploits have made headlines in recent months, with hackers and security researchers exposing a seemingly endless series of Java vulnerabilities that could allow attackers to compromise client machines. Occasionally, researchers have discovered sites that actively exploit these flaws in the wild.

In the case of Red October, the specific vulnerability targeted was an old one, CVE-2011-3544, which Oracle fixed with a Critical Patch Update in October 2011.

It may seem strange that Red October’s authors would go after such an ancient flaw, given that their exploit code was compiled in February 2012, well after a fix had already been issued. But these Java vulns have a way of lingering around on unpatched machines.
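A practitioner reading this would want a quick way to find which machines in an estate still run a pre-fix Java. The following is an added example, not code from the article, from Seculert or from Kaspersky Lab: it parses the banner that `java -version` prints (to stderr) and compares it against the first update level that shipped the October 2011 fix. The baseline update levels used here (Java SE 6 Update 29 and Java SE 7 Update 1), the hostnames and the sample banners are assumptions constructed for the example.

```python
"""Flag Java runtimes that predate the patch for a given Critical Patch Update.

Added example, not from the article or from the vendors it names. The patched
baselines and the inventory of banners below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: first update level per Java family carrying the October 2011 CPU
# fix for CVE-2011-3544 (Java SE 6 Update 29, Java SE 7 Update 1).
PATCHED_BASELINE: Dict[int, int] = {6: 29, 7: 1}

# Matches both legacy "1.6.0_26" style and newer "17.0.2" style banners.
_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?'
)


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, or None.

    "1.6.0_26" -> (6, 26); "1.7.0_01" -> (7, 1); "17.0.2" -> (17, 0).
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    first, second, _third, update = m.groups()
    # Legacy naming puts the family in the second component ("1.6.0");
    # post-Java-9 naming puts it first ("17.0.2").
    family = int(second) if first == "1" else int(first)
    return family, int(update or 0)


def predates_fix(banner: str, baseline: Dict[int, int] = PATCHED_BASELINE) -> Optional[bool]:
    """True if the runtime is older than the fix, False if patched, None if unparseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family in baseline:
        return update < baseline[family]
    # Families older than any baseline were out of support when the CPU shipped
    # and never received the fix; newer families post-date it.
    return family < min(baseline)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: banner} inventory into unpatched, patched and unknown hosts."""
    buckets: Dict[str, List[str]] = {"unpatched": [], "patched": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        verdict = predates_fix(banner)
        key = "unknown" if verdict is None else ("unpatched" if verdict else "patched")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory, as `java -version 2>&1` would print on each host.
SAMPLE_INVENTORY = {
    "ws01": 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)',
    "ws02": 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)',
    "ws03": 'java version "1.7.0_01"\nJava(TM) SE Runtime Environment (build 1.7.0_01-b08)',
    "ws04": 'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition',
    "ws05": "bash: java: command not found",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

On a real estate the banners would be collected with `java -version 2>&1` over whatever remote-execution channel is already in place; note that this checks only the runtime on the PATH, not every JRE a browser plugin may be bound to, so a host reported as patched still warrants checking the browser's plugin list.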

In fact, CVE-2011-3544 was one of the Java vulnerabilities used to spread the Mac-specific Flashback Trojan in early 2012. One of the reasons that attack was so successful was because at the time, security fixes for Apple’s Mac OS X–specific version of Java tended to lag behind fixes for the mainline version.

Even Oracle has been known to take its sweet time patching potentially risky Java bugs. In August 2012, Adam Gowdiak of Polish firm Security Explorations revealed that although he had promptly informed Oracle of several serious vulnerabilities he had discovered, the database giant dragged its feet for more than four months before issuing patches, a delay that gave cyber-crooks time to discover and exploit the flaws. And even then, Oracle’s fix didn’t fully address the problem.

Metasploit founder HD Moore claims it will likely take Oracle two years to get its Java security house in order, given its past track record. Little wonder, then, that no less than the US Department of Homeland Security has cautioned users to disable Java in their browsers “unless it is absolutely necessary.”

According to Seculert, Java flaws probably weren’t involved in most Red October infections, but only because a misconfigured server disabled the PHP code that would have delivered the exploit.

If hackers were looking for a new way to keep Red October going, however, it wouldn’t be hard to find one. On Sunday, security researchers announced that a new, unpatched Java security hole had already been discovered following Oracle’s most recent patch, and that one enterprising hacker was offering to sell an exploit kit at a price of $5,000 a throw. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/red_october_java_connection/

Look out, fanbois: One in two nicked mobes is an iPhone

Half of the phones stolen in London over the summer were iPhones, the capital’s cops reported this week.

According to new statistics, phone-related crime, particularly snatching, was up year on year. Between April and September, 28,800 mobes out of 56,680 nicked handsets in London were Apple pocket strokers. That’s an average of 314 phone thefts a day or 158 iPhone thefts a day.

Officers also predict a jump in January 2013: 9,751 phones were reported stolen last month, compared with 8,078 in December 2010, and January is usually worse for phone theft than December, added the coppers.

[Image: iPhone 4 queue. Caption: Queuing for an iPhone in London, these young fans are more likely to have their new smartmobes stolen]

Cracking a few numbers from phone sales in Q4 2012, we estimate that iPhones make up perhaps 17.5 per cent of handsets in the UK: iPhones had a 28 per cent share of smartphone sales in Q3 2012 and 62.3 per cent of all phones sold in the UK are smartphones, according to Comscore.

Met Police spinners were unavailable to comment on why iPhones are statistically more likely to be targeted than other brands. It could be something to do with an overlap between the iPhone fanboi demographic and those most likely to get mugged. The Met said:

The most common profile for all [robbery] victims however is a young professional likely to be aged between 20 and 30, out and about in the capital at an entertainment spot or other public places.

Reassuringly expensive iPhones are also very attractive to opportunistic thieves. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/iphone_most_often_stolen_phone_met_police/

Bloke blasts Sprint for fingering his home as phone thieves’ den

Phones lost and stolen in Las Vegas are mistakenly telling their owners they’re at the house of one Wayne Dobson, who’s getting pretty angry at the late night demands and visits from the police.

We’re indebted to the Las Vegas Review-Journal, which tells us that Dobson’s plight has been ongoing for two years. It appears to stem from a flaw in Sprint’s location database that places phones last seen near his home as being precisely inside it, and it has prompted him to erect a sign outside his house:

NO LOST CELL PHONES!! This location gives a false “phone location” position due to a cell tower behind the house. Please contact the North Las Vegas police and file a report

In fact it’s unlikely to be the tower causing the problem, which seems to be limited to phones on Sprint’s network, so it’s almost certainly down to an error in Sprint’s database, but that’s little consolation to Dobson who’s had the desperate and the angry waking him up at all hours, begging, pleading and threatening in the hope of recovering their property.

But it’s not just the public who come knocking. The police have been round four times; twice when victims refused to believe the technology could be faulty, and twice when responding to 911 (emergency) calls which came from a mobile reporting itself as being at the house.

Satellite location systems don’t have problems like this, but sat-nav only tells the phone where it is; sharing that data requires an app connected to some sort of reporting service. Without that, the network operator can provide only a rough location based on the cell tower and signal strength, and the best guess is that all phones whose last connection was to the tower behind Wayne’s house are being reported as still on the premises.

Either that or there’s a particularly cunning thief living in his loft.

Sprint is apparently looking into the problem, and a fix should be possible, but until then Dobson is sleeping by the door so callers don’t get him too far out of bed, and offering what sympathy he can for their loss. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/las_vegas_phones/

Viruses infect vital control systems at TWO US power stations

Two US power stations were infected by malware in the last quarter of 2012, according to a report by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

USB flash drives packed with software nasties were blamed for a compromise of industrial control systems in both cases. Neither infected power plant was named.

The first case emerged after a maintenance engineer noticed the thumb drive he used to back up control system settings had become unreliable. The worker then referred the matter to the IT department, which found three infections on the gadget.

Investigators found sophisticated although unspecified malware on two engineering workstations associated with running critical applications. The subsequent cleanup operation was complicated by a lack of backups.

The second infection was blamed on a third-party contractor who unwittingly poisoned systems at a power generation utility after plugging in an infected USB drive at work. A “crimeware” virus got into a turbine control system and hit approximately 10 computers on its network. The subsequent cleanup delayed a plant restart operation by about three weeks, the report said.

ICS-CERT highlights cases as a means to educate other power station operators about the risk of malware in industrial control system environments. More details on both cases, along with information about proactive research by ICS-CERT into SCADA security, can be found in a quarterly report here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/us_power_plant_malware/