STE WILLIAMS

Europe’s cybercrime fighters get new digs… complete with Faraday room

The EU’s new European Cybercrime Centre (EC3) will be inaugurated at Europol in The Hague later today.

The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. The centre is designed to provide greater international co-ordination in the fight against online fraud, child abuse and other cybercrimes which can’t be effectively tackled by national police forces alone.

It will focus on organised crime groups, especially attacks targeting e-banking and other online financial activities, online child sexual exploitation and crimes that affect the critical infrastructure and information systems in the EU.

EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. The centre is designed to draw on information from open sources, private industry, police and academia while acting as a knowledge base and training centre for national police forces in European member states. It will also work with industry to develop threat assessments.

It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

“EU citizens and businesses require an open, free and transparent cyberspace so we need to protect the online world just as we do the off-line world,” Troels Ørting, head of EC3, said in a statement. “EC3 will be a valuable tool for the EU and its Member States to help coordinate and support efforts that keep the Net safe from criminals.”

EU Commissioner for Home Affairs Cecilia Malmström added: “The Cybercrime Centre (EC3) will focus our efforts and provide a strong boost to the EU’s capacity to fight cybercrime. We need to reduce cybercrime activities, contain the threat and ensure the digital environment remains a secure place for our citizens and businesses. This is key for the EU’s internet-based economy.”

A look inside the new European Cybercrime Centre can be found in a video report by the BBC here. The facility includes a Faraday room to act as a repository for seized equipment used in the commission of cybercrime, including ATM skimmers with built-in technology designed to transmit stolen PIN codes and card details by mobile phone. The shielded room stops crooks from remotely wiping seized gear.

EC3 head honcho Ørting told the BBC that African fraudsters pose a growing threat to consumers and businesses in the EU, as the IT infrastructure on the continent improves. Ørting is a former Danish police intelligence chief with more than 30 years of experience fighting organised crime. Europol has assigned 43 highly skilled experts to work at the centre, Ørting told EurActiv. He added that there were also plans to deploy experts with mobile offices – a kind of “flying squad” – to deliver on-the-spot assistance in cybercrime investigations.

The official opening of the centre comes days after Europol warned that most of the credit card numbers misused in the EU come from data breaches in the US. Security enhancements such as chip-and-PIN cards have reduced fraud in face-to-face transactions. Around 60 per cent of losses to card fraud, totaling around €900m, were caused by card-not-present fraud, the EU said.

Organised criminal groups make €1.5bn a year from credit card fraud in Europe, according to Europol. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/eu_cybercrime_centre/

Happy now? Mobiles, cloud, big data now ‘a growing security risk’

Innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned.

The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat.

ENISA warned that the threat from mobile computing stems from the fact that mobile communications take place over “poorly secured … or unsecured channels”. It said that the software used for such systems was not the most “mature”, and added that devices were vulnerable to being lost or stolen due to their “mobility”. The very fact that they are universally popular also enhances the threat of the technology being exposed to hackers, the agency added.

The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices, via so-called ‘drive-by exploits’, ENISA said.

“Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash,” it said in a new report [96-page / 1.56MB PDF].

“The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code.”

ENISA also warned of an increasing threat that confidential information could be compromised through data breaches, including where information is sent over mobile communication channels. In addition, it said that an “emerging issue” could arise due to the increasing use of mobile to make payments and for doing banking. These activities on mobile platforms “will gain the attention of attackers,” it said.

Attackers are also likely to increasingly seek to exploit “low to medium maturity of security controls” contained within social networking technology, ENISA said. One of the main emerging threats in this context is the ability of hackers to “abuse” information that is already in the public domain in order to access social network accounts.

ENISA also warned that hackers will increasingly use “rogue certificates” in order to obtain “fake trust within components of trust infrastructure”. Trust infrastructure is becoming of emerging importance as “electronic identity systems for the identification of citizens” are developed.

That’s a nice silo of sensitive personal data, you’ve got there. Would be a shame if anything happened to it

“Trust infrastructure components may be used at all levels of information systems, i.e. from application level to network protocols,” ENISA’s report said. “Trust infrastructures are usually based on strong encryption technology and key management. Examples of trust infrastructures are authentication infrastructures, secure communication protocols, public key infrastructure components, etc.”

“Trust infrastructures are extremely important for information security as they build the basis for securing information at many levels; and help authenticating partners or systems by establishing trusted interactions (i.e. trusted connections, trusted transactions, electronic signatures, etc.),” it said.

Due to the “concentration” of data that cloud computing technology provides for, there would be a greater potential impact if hackers successfully exploited weaknesses in those systems, ENISA said. It warned that cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

ENISA added that ‘big data’, which it said is the aggregation of information generated “as a consequence of the proliferation of social technologies, cloud computing, mobile computing and the internet use in general”, had also become an emerging security issue.

“Exploitation of big data will affect data privacy,” ENISA said. “At the same time, exploitation of big data through adversaries might open doors to new type of attack vectors.”

“A number of challenges have been identified for big data security. Indicatively, these challenges address data protection, data access control and data filtering issues for huge data amount that are beyond the processing power of contemporary Security Information and Event Management (SIEM) products,” it said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/enisa_slates_buzzword_tech/

‘Better than Adobe’ Foxit PDF plugin hit by worse-than-Adobe 0-day

A new security bug in the popular Foxit PDF reader plugin for web browsers allows miscreants to compromise computers and install malware. There’s no patch for this zero-day vulnerability.

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link. The plugin is kicked into action by the browser to handle the file and promptly bombs.

But the bug is not triggered by a booby-trapped document, which is the usual way of infecting systems running insecure PDF readers. Instead, clicking on a link to any PDF that deliberately includes a very long query string after the filename causes a buffer overflow in the Foxit plugin.

The offending code, highlighted by Micalizzi, is a simple loop that copies the entire URL into a fixed-sized buffer while scanning for ‘%’ escape codes. By smashing through the end of this buffer, the attacker can arbitrarily overwrite the program’s memory and its stack to gain control of the processor.
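The pattern Micalizzi describes, as an added illustration that is not Foxit’s code: a decoding loop with no bound on the copy next to one that checks every write and refuses a URL that would not fit. The buffer size and the sample URLs are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustration added here, not Foxit's code: the defect class the article
 * describes (copy a URL into a fixed-size buffer while decoding '%' escapes,
 * with no bound) beside a bounded version. Buffer size and URLs are constructed. */

#define URL_BUF 64   /* deliberately small so the limit is easy to exercise */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;              /* caller has checked isxdigit(c) */
}

/* True when p points at "%XY" with two hex digits; the && chain stops before
 * reading past a terminating NUL, so a lone '%' at the end is safe. */
static bool is_escape(const char *p) {
    return p[0] == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]);
}

/* Vulnerable shape: the loop runs to the end of the URL however long it is,
 * so a query string longer than URL_BUF writes past 'out' onto the stack.
 * Kept only for contrast; never call it on attacker-controlled input. */
void decode_url_unbounded(const char *url, char out[URL_BUF]) {
    size_t o = 0;
    for (const char *p = url; *p != '\0'; p++) {
        if (is_escape(p)) {
            out[o++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else {
            out[o++] = *p;            /* no check that o < URL_BUF */
        }
    }
    out[o] = '\0';
}

/* Hardened shape: every write is checked against the destination size and an
 * over-long URL is refused outright. Truncating instead would silently hand
 * the plugin a different URL from the one the user clicked. */
bool decode_url_bounded(const char *url, char *out, size_t out_len) {
    size_t o = 0;
    if (out_len == 0) return false;
    for (const char *p = url; *p != '\0'; p++) {
        if (o + 1 >= out_len) {       /* keep one byte for the terminator */
            out[0] = '\0';
            return false;
        }
        if (is_escape(p)) {
            out[o++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return true;
}

/* Constructed inputs: an ordinary link with one escape, and a link whose
 * query string is far longer than the buffer, the case the article describes. */
bool sample_short_url_decodes(void) {
    char buf[URL_BUF];
    return decode_url_bounded("https://example.test/a%20b.pdf?x=1", buf, sizeof buf)
        && strcmp(buf, "https://example.test/a b.pdf?x=1") == 0;
}

bool sample_long_query_rejected(void) {
    char url[256];
    char buf[URL_BUF];
    memset(url, 'A', sizeof url - 1);
    url[sizeof url - 1] = '\0';
    memcpy(url, "https://example.test/doc.pdf?q=", 31);   /* prefix; NUL stays at the end */
    return !decode_url_bounded(url, buf, sizeof buf) && buf[0] == '\0';
}

int main(void) {
    printf("short URL decodes cleanly: %s\n", sample_short_url_decodes() ? "yes" : "no");
    printf("over-long query refused:   %s\n", sample_long_query_rejected() ? "yes" : "no");
    return 0;
}
```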

Versions 5.4.4.1128 and older are affected. The plugin is available for a number of operating systems, including Linux and Symbian, but the bug is at least confirmed in the Microsoft Windows build.

Other security researchers have confirmed the flaw. A proof-of-concept exploit for the hole was not made available in Micalizzi’s disclosure.

“The crash, which is a side-effect of a stack overflow, pretty much lets you write to a memory location of your choice,” said Paul Ducklin, Sophos’s head of technology for Asia Pacific.

Foxit can be installed for Mozilla Firefox, Google Chrome, Opera and Apple Safari. Danish vulnerability management firm Secunia rates the flaw as highly critical. The makers of Foxit – which is billed as “better than Adobe” – have yet to comment on the issue.

Many fans of Foxit have adopted the software as a way of avoiding the not infrequent security problems with Adobe PDF Reader. The appearance of the Firefox plugin vulnerability is further evidence that no software application is immune to security problems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/foxit_pdf_plugin_vuln/

New tool jailbreaks Microsoft Surface slabs in 20 SECONDS

Microsoft was quick to brush off the debugging hack that allows locked-down Windows RT Surface slabs to run unauthorised desktop software. But now the exploit has been packaged into a slick jailbreaking tool that can unlock a Redmond fondleslab in seconds.

A programmer going by the name of Netham45 has released RT Jailbreak Tool v1, a batch file that automates the Windows RT trick first revealed by security researcher C. L. Rokr.

Netham45 reckons you can jailbreak a slab in about 20 seconds just by running the runExploit.bat file on the tablet and pressing a button, although it may ask a few “self-explanatory” questions afterwards.

The hack lets users install and run any desktop software of their choosing on Microsoft’s Surface tablet-laptops and any other Windows RT devices. The Redmond giant wanted punters to only use cryptographically signed apps obtained from the official Windows Store, rather than any old program compiled for RT, the ARM port of Windows 8. The jailbreak hack simply disables this security signature check.

Netham45 has published a list of desktop apps recompiled to run on hacked Windows RT devices, here and here.

Rokr’s hack required the use of Windows debugger software, running with Administrator-level permissions and remotely connected to the tablet, to manipulate the device’s kernel memory. Specifically, the exploit injects a piece of ARM code that switches off the signature checks and briefly diverts the Windows RT kernel to run these instructions.

The RT Jailbreak tool does not permanently alter the machine: since it only changes a kernel variable in RAM, it must be run again after every reboot or power-up if one wishes to use any unauthorised software.

It may also void the fondleslab’s warranty and, while active, obviously allows any ARM-compatible software to run, including malware, if any exists for the platform.

Microsoft earlier this week brushed off the Rokr exploit but suggested the vulnerability might be closed in a future release of Windows RT.

In fact, the Redmond giant doesn’t even consider it to be a security vulnerability. The company stated: “We applaud the ingenuity of the folks who worked this out and the hard work they did to document it. We’ll not guarantee these approaches will be there in future releases.” ®

Bootnote

Samsung has iced plans for a US launch of its Qualcomm processor-powered Windows RT tablet, blaming confusion among potential customers. Company vice-president Mike Abary told Cnet at CES in Las Vegas this week that there hadn’t been a “very clear positioning of what Windows RT meant in the marketplace and what it stood for relative to Windows 8”. Samsung bosses think there needs to be some “heavy lifting” and “heavy investment” to educate consumers – an expensive effort that the electronics giant is unwilling to commit to.

Samsung had announced its Windows RT ATIV Tab at the IFA trade show in Berlin in August 2012. ATIV was the brand for Samsung’s Windows 8 PC, tablet and Windows Phone 8 range; the name is vita, Latin for “life”, spelled backwards.

At the time, Microsoft vice-president Nick Parker, who oversees Redmond’s relationship with computer manufacturers, called Samsung “a highly valued partner” and said “it’s great to see this investment in a global brand for its Windows-based Smart PCs, tablets, and phones”. Er.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/windows_rt_jail_break_tool/

Nokia decrypts browser traffic, assures public not to worry

Just as Nokia announces numbers that look like it may avoid irrelevance, the mobile supplier has become embroiled in a privacy row centered on the behavior of its browsers.

The brouhaha hit the wires when Unisys Global Services India security architect Gaurang Pandya wrote up his investigations into the behavior of his Nokia Asha phone.

Discovering that browser traffic was being diverted to proxy servers owned by Nokia – a common behavior in the mobile world designed to improve browser performance on skinny mobile data links – Pandya began investigating what else was happening to his traffic.

The results are documented here. In brief, Pandya accuses the vendor of staging a man-in-the-middle attack against its own users: even for HTTPS traffic (his test case was https://www.google.com), he writes, the phone sends a DNS request to the Nokia-owned cloud13.browser.ovi.com domain.

This raised the question of how the ovi.com server was handling certificates. By packet-sniffing the traffic, Pandya identified Nokia certificates that the phone was pre-configured to trust – with the result that the substitution of the ovi.com server for Google didn’t throw out a security warning.

His conclusion is that this behavior gives Nokia full, unencrypted access to browser traffic.

According to TechWeek Europe, Nokia has agreed that the diversion takes place, to allow it to compress Xpress mobile browser traffic for acceleration. The company denies storing the data, and says that none of the traffic is visible to any of its staff.

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner,” the vendor told TechWeek Europe.

The row comes as Nokia announced what looks like a turnaround, releasing financials showing a profit on smartphone sales, compared to an October forecast for a 10 percent loss. It announced fourth-quarter sales of 4.4 Lumia units and 9.3 of the low-end Asha smartphones. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/nokia_decrypts_says_it_doesnt_snoop/

Hackers deface Indonesian president’s website

Indonesian president Susilo Bambang Yudhoyono (SBY) has come under cyber attack after hackers defaced the homepage of his website for several hours, apparently in protest at growing corruption and wealth inequality in the country.

The website is now back to normal but those responsible have posted an image of the defacement here.

The image indicates that a hacker dubbed MJL007 from a group known as the Jember Hacker Team was responsible for the incident. The only message reads: “This is a PayBack From Jember Hacker Team”.

JHT told local news site Merdeka that it carried out the attack because of increasing anger at the current administration.

“Corruption is rampant, the poor are everywhere. The rich get richer, the poor get poorer,” a representative from the group told the site (after translation from Google), hinting that there may be more cyber-related protests in the future.

Indonesian communications and information minister, Tifatul Sembiring, told news site Detik that the perpetrators managed to change the site’s homepage by redirecting the IP address, which corresponds to a server hosted at hosting firm SoftLayer’s Texas data centre.

The Minister added that plans were being discussed to create a back-up server in another country to mitigate the risk of a similar attack in the future.

The government is apparently working with law enforcement teams to examine log files in a bid to trace the origin of the attack. That may not prove an onerous task: a quick bit of Googling here at Vulture South yielded the existence of jember-hacker.org, which was operational at the time of writing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/indonesian_presidents_website_hacked/

Ruby off the Rails: Enormo security hole puts 240k sites at risk

Popular programming framework Ruby on Rails has two critical security vulnerabilities – one allowing anyone to execute commands on the servers running affected web apps.

The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe of the two because it allows remote-code execution against any Ruby on Rails application that has the XML parser enabled – a feature switched on by default. According to security tools firm Sourcefire the flaw allows hackers to run system commands on the server with the same level of privileges as the app.

Both vulnerabilities can be resolved by updating to the latest version of the Ruby on Rails platform.

But what makes the holes particularly nasty is that, until the patches are applied, every application running on the insecure open-source framework will be vulnerable – like castles built on sand as the tide rises: at least 240,000 websites powered by RoR are thought to be at risk.

An update on the Ruby on Rails developer blog this week highlights the severity of the flaw:

I’d like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY.

HD Moore, the developer of Metasploit and chief security officer at security biz Rapid7, reiterated the advice to patch sooner rather than later.

“Ruby on Rails remote code execution confirmed: expect a Metasploit module in the next 4 to 12 hours. Patch your Rails apps,” Moore said in a Twitter update. The latest security flap is not related to a SQL injection vulnerability, also affecting Ruby on Rails, that emerged last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/ruby_on_rails_security_vuln/

Not Cool, man: Potent new hacking toolkit costs crooks $10k a month

The brains behind the Blackhole Exploit Kit is using profits from the hacking toolbox to buy up security exploits and create a far more formidable product.

The ubiquitous Blackhole kit is usually installed on compromised websites and uses vulnerabilities in web browsers and other software to inject malware into visitors’ PCs.

It is widely available through underground forums, and is affordable and reliable. Access to the technology is rented out for about $700 a quarter or $1,500 for a year, often bundled with web hosting fees of $500 a month, according to an investigation by Sophos.

Paunch, the main author of Blackhole, is now buying up code that exploits software security bugs from hackers and researchers to craft a far more powerful toolkit. Dubbed “Cool”, this toolbox is available at a hefty $10,000 a month and is linked to a recent wave of successful online attacks.

The Cool Exploit Kit pack first surfaced in October and was used to push ransomware, which typically demands that a victim pay a fee to unlock his or her compromised computer. A French security researcher going by the name of Kafeine was among the first to notice the Cool kit using a critical vulnerability in Microsoft Windows (CVE-2011-3402). The flaw in the operating system’s font processing code was first exploited by the cyber-espionage worm Duqu. That attack was added to the toolkit about a week later.

The same sequence of events happened with a Java runtime vulnerability (CVE-2012-5076) first abused by Cool mid-November, and later bundled in Blackhole. An analysis by F-Secure revealed similarities in the programming and functionality of the two exploit kits, which was further evidence that they were created by the same author or team.

Paunch admitted he created the Cool Exploit kit in an interview with investigative journalist Brian Krebs, and said his exploit framework costs $10,000 a month. “At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum,” Krebs noted.

An associate of Paunch posted a request for attack code on an underground cybercrime forum, and boasted that the group had a budget of $100,000 to buy exploits for unpatched web browser security bugs, as well as details of other undisclosed software flaws and tactics for improving the success rates of online assaults.

A portion of that message board post, translated from Russian by a professional translator, can be read on Krebs’ website. The blogger concluded that the gang led by Paunch has moved on from exploiting vulnerabilities known to vendors, and likely patched by users, to relying on flaws that have not yet been disclosed to software makers – a dangerous development for web surfers and an expensive business for Paunch: getting hold of these so-called zero-day vulnerabilities is not cheap.

The Cool Exploit kit is being used by the Reveton ransomware gang. Symantec recently obtained access to a control panel and uncovered evidence [PDF] that the group was earning $30,000 A DAY through the scam, more than enough to justify the hefty outlay for an elite exploit pack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/cool_exploit_kit/

Manning was ‘illegally punished’, will get 112 days lopped off any sentence

US Army private Bradley Manning, who is accused of “aiding the enemy” by allegedly handing over classified Army documents to Wikileaks, will get 112 days cut from any prison sentence he could get if he’s convicted on the charges. This is after a military judge ruled that Manning had been “illegally punished” in a Marine Corps brig.

The judge said that Manning’s treatment in Quantico, when he was kept in a windowless cell for 23 hours a day, sometimes without clothing, was “excessive”, the Associated Press, The Washington Post and others have reported.

Manning’s defence had claimed that he was woken every day at 5am and forced to stay awake until 10pm that night without lying on his bed or leaning against the wall. His lawyer was trying to have all 22 charges he’s facing thrown out over the treatment.

Manning’s charges include “aiding the enemy”, a charge that carries a life sentence.

Manning has offered a partially guilty plea in the case, which doesn’t admit to all of the charges, but does accept responsibility for some of the offences.

The trial is scheduled to start on 6 March. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/manning_sentence_reduction_for_bad_treatment/

Yahoo! Mail! offers! HTTPS! amid! account! hijack! spree!

Vid Yahoo! is now offering to encrypt its webmail service with HTTPS for security-conscious users. Meanwhile, an exploit that allowed anyone to hijack Yahoo! Mail accounts if victims clicked on a link was being flogged to cybercrims for $700.

The HTTPS development, which is not enabled by default, affords Yahoo! webmail users greater privacy when accessing their emails and reassurance that someone is not intercepting and nobbling their communications. Competitors such as Microsoft’s Hotmail and Google’s Gmail have offered full-session HTTPS for some time. Emails handled in a web browser session without HTTPS are sent over the network unencrypted, leaving them wide open to eavesdropping, particularly when accessed from insecure locations such as Wi-Fi hotspots.

The handshaking that takes place when logging into a Yahoo! account was already encrypted, but this is no longer sufficient by itself as Yahoo itself now recognises.

Security experts have urged users to enable the always-on HTTPS privacy option, labelled “Turn on SSL”, as soon as possible in the Yahoo! Mail Options tab.

In other Yahoo! news, the online giant claimed it had squashed a cross-site scripting (XSS) vulnerability in its webmail service; the flaw was blamed for a spate of account hijackings. The compromised accounts were used to send spam.

The bug, which was triggered by tricking users into clicking on a malicious link (as demonstrated in the above YouTube video), appears to be the same bug offered for sale for about $700 on an underground forum in November.

However researchers, including Offensive Security, reckon the bug remains and is still exploitable, contrary to Yahoo’s claims otherwise. The situation remains somewhat confused: while things settle down, Yahoo! webmail users are advised to be extra cautious about following links in emails. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/yahoo_webmail_security_update/