STE WILLIAMS

Christmas ruined for 2,100 sex offenders booted off online games

Thousands of online gaming accounts linked to convicted sex offenders were shut down in the US this month.

Operation: Game Over resulted in the closure of 2,100 accounts registered through Gaia Online, NCSOFT, Funcom, THQ and other gaming platforms. Earlier this year 3,500 accounts were deleted from Microsoft, Apple, Blizzard Entertainment, Electronic Arts, Disney Interactive Media Group, Warner Brothers and Sony as part of the same clampdown.

The action was spearheaded by New York Attorney General Eric Schneiderman to prevent sex abusers from grooming children for subsequent abuse via online gaming. In a statement, Schneiderman said the action would make online gaming a safer venue for children.

“We must ensure that online video game platforms do not become a digital playground for dangerous predators,” Schneiderman said. “That means doing everything possible to block sex offenders from using gaming systems as a vehicle to prey on underage victims.”

Under the New York State’s Electronic Securing and Targeting of Online Predators Act (e-STOP), convicted sex offenders must register all of their email addresses, screen names and other internet aliases. The availability of this information made the crackdown possible. The operation affected Xbox Live, the PlayStation Network, World of Warcraft, Gaia Online and many other popular multi-player gaming accounts.

Online video games allow users to send messages to each other anonymously, a feature parents may be unaware of even though it has the potential for misuse.

In 2011, a 19-year-old man in Monroe County, NY, was indicted on sexual abuse charges after allegedly meeting and abusing a 12-year-old boy he befriended over a period of three months using Xbox Live. The adult invited the lad over to his house where the sex assault occurred, according to police.

Laura A. Ahearn, executive director of Parents for Megan’s Law and the Crime Victims Center, praised the clampdown: “This is a groundbreaking effort that keeps the online community safer for our children, and sends a strong message that sexual predators can’t hide behind anonymous profiles online to prey on victims anymore.”

New York State has more than 34,000 registered sex offenders, according to official records. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/27/child_abusers_online_gaming_purge/

Google to scan Chrome extensions, bans auto-install

Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser.

Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions.

Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data.

Google has responded in two ways, one of which is a new service “To help keep you safe on the web” that will see the company “analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious.”

Changes are also coming in the forthcoming version 25 of the browser, which will no longer allow extensions to install without users’ knowledge. That is currently possible because Chrome on Windows is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”

“Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”

Chrome 25 will therefore remove the auto-install feature, replacing it with a new system that presents the Windows Vista-esque screen below when extensions try to ingratiate themselves with the browser.

[Screenshot] A new dialogue box in Chrome 25 will ask users if they want to install extensions. Caption: Hi! I’m the ghost of Windows Vista! Would you like to install this extension?

As ever, Google’s blog posts and support notice on the changes position them as responsible enhancements that show, yet again, Google is doing the world a favour.

A more critical analysis could consider the announcements in light of malware found in Google Play and take Google’s decision to more aggressively curate the Chrome Web Store as an admission it needs to devote more attention to this stuff, lest Chrome and other Google products become malware-ridden quagmires that users don’t trust. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/23/google_bans_auto_install_chrome_extensions/

‘Shake to charge’, similar crapps foul up Amazon Android store

Security researchers have sniffed out dodgy apps floating around the Amazon App Store for Android-powered devices.

Roel Schouwenberg, a Kaspersky Lab Expert, ran into the “malware” while looking for benchmarking apps for his Kindle Fire HD on the online shop.

The “Internet Accelerator Speed Up” program, for example, is supposedly designed to boost internet connection speeds; however, it fails to “do much of anything”, according to Schouwenberg. The app is free but does show adverts from a mobile marketing network.

The independent developer behind the software has also released another app intriguingly called Shake Battery Charger.

The appearance of suspicious apps on the Amazon store reflects the popularity of the online bazaar. Schouwenberg has filed a complaint with Amazon about the potentially dodgy software.

“It should come as no surprise that there are malicious apps in the Amazon App Store,” Schouwenberg explains in a blog post. “Amazon.com is incredibly popular and it’s a very trivial step to also upload an app into their store.”

“We detect these pieces of malware as Hoax-AndroidOS-FakeBapp-A and have been in contact with Amazon.com about this. The apps were previously available in Google Play as well, but had been removed at an earlier time,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/21/amazon_app_store_dodgy_app/

China ‘enhances’ Great Firewall, teaches it to choke off VPNs

China has tightened the screws on its infamous web-filtering system, according to virtual private network providers.

The Great Firewall of China has been enhanced to “learn, discover and block” encrypted VPN protocols. Machine learning algorithms have been applied to classify encrypted traffic, an approach advocated by Fang Binxing, the founding father of China’s web filtering system.

China Unicom drops connections where a VPN is detected, The Guardian reports. Astrill, an application that provides VPN services to users inside and outside China, warned consumers in an email that the “Great Firewall” system is blocking at least four common VPN protocols.
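To make the “learn, discover and block” idea concrete, here is an added, illustrative classifier of the kind a DPI box might run over the first packet of a flow. It is not the Great Firewall’s code, whose classifier is not public; the fingerprints (OpenVPN’s first control byte, a TLS ClientHello record) are real protocol facts, but the entropy threshold, the printable-byte test and the sample flows are assumptions constructed for the example.

```python
import math
import random

# Illustrative DPI-style flow classifier (added example, not the Great Firewall's).
# It combines the two ingredients such systems use: exact handshake fingerprints
# on the first packet, and payload statistics for protocols that hide their handshake.

OPENVPN_HARD_RESET_CLIENT_V2 = 7 << 3   # opcode 7 in the top 5 bits, key_id 0 -> 0x38


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_flow(first_payload: bytes, udp: bool):
    """Label a flow from the first client payload; returns (label, reason)."""
    p = first_payload
    # Cheap and precise: handshake fingerprints.
    if udp and len(p) >= 14 and p[0] == OPENVPN_HARD_RESET_CLIENT_V2:
        return "openvpn-like", "first UDP byte 0x38 (P_CONTROL_HARD_RESET_CLIENT_V2)"
    if not udp and len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls", "TLS handshake record carrying a ClientHello"
    # Statistical fallback: ciphertext is close to uniformly random, text is not.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in p) / max(len(p), 1)
    if printable > 0.9:
        return "plaintext", f"{printable:.0%} printable bytes"
    ent = shannon_entropy(p)
    limit = min(8.0, math.log2(len(p))) if p else 0.0   # best achievable for this many bytes
    if len(p) >= 512 and ent > 0.9 * limit:              # threshold is an assumption
        return "opaque-encrypted", f"entropy {ent:.2f} of {limit:.2f} bits/byte, no known handshake"
    return "unknown", f"entropy {ent:.2f} bits/byte"


def _random_bytes(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample flows (not captured traffic): payload of the first client packet, is_udp.
SAMPLE_FLOWS = {
    "http":    (b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n", False),
    "tls":     (bytes.fromhex("16030100f8010000f40303") + _random_bytes(32, 2), False),
    "openvpn": (bytes([0x38]) + _random_bytes(8, 3) + b"\x00" + b"\x00\x00\x00\x00", True),
    "wrapped": (_random_bytes(1024, 4), False),   # unknown protocol over TCP, ciphertext-like
}


def classify_samples():
    """Run the classifier over the constructed flows; returns {name: label}."""
    return {name: classify_flow(payload, udp)[0] for name, (payload, udp) in SAMPLE_FLOWS.items()}
```

The “wrapped” case is the interesting one for the cat-and-mouse game the article describes: a VPN that hides its handshake still produces payload that looks uniformly random, which is exactly what the statistical branch keys on. Compressed data looks the same, so a real classifier adds packet-size and timing features rather than blocking on entropy alone; circumvention tools respond by making ciphertext look like something else (for instance by wrapping it in ordinary TLS to a plausible host).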

The latest developments provide a technical basis that supports earlier reports that China was planning a clamp-down on VPN technology.

The development marks the latest phase in the cat and mouse game between privacy protecting and surveillance technology.

VPN services establish encrypted tunnels across the internet. As well as providing privacy in insecure locations, such as Wi-Fi hotspots, the technology can also be used to access otherwise blocked websites. Within China, VPNs allow locals to access services blocked by the Great Firewall, which include Twitter, Facebook, and Western media outlets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/21/china_blocks_vpns/

End of days: Possessed POWERPOINT predicts Mayan Apocalypse

Miscreants have crammed malware into a Microsoft PowerPoint presentation about today’s supposed Mayan Apocalypse. If someone emails you a .ppt slideshow titled Will the world end in 2012?, give it a wide berth unless the world really does end today and you’re feeling wild.

The booby-trapped presentation packs Visual Basic macro code designed to drop an infectious executable called VBA[X].exe onto Windows machines. The malware-secreting macro code also appeared in an Excel spreadsheet of a Sudoku puzzle that turned up on the internet earlier this week.

The “end is nigh” PowerPoint file needs macro execution to be switched on in order to work when opened. The code puts together a valid Windows Portable Executable file from an array of bytes. This generated program connects to a remote command-and-control server to carry out orders on behalf of its masters – although researchers studying the software found that it didn’t work properly.
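The “PE assembled from an array of bytes” pattern is easy to recognise mechanically once the macro text has been pulled out of the document. The following added example (not the Sophos analysis and not the real macro) parses VBA `Array(...)` literals, reconstructs the bytes and checks them against the DOS/PE header layout. The macro text, the dropped file name and the embedded stub are all constructed for the example.

```python
import re
import struct

# Added example: detect a VBA macro that rebuilds a Windows PE from a byte array.
# The sample macro below is constructed to mimic the described technique.

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM"}


def _build_sample_pe() -> bytes:
    """Constructed stand-in for a dropped executable: DOS header, PE signature, padding."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(18)   # Machine = i386
    return bytes(dos) + coff + bytes(32)


def _vba_array_literal(blob: bytes, per_line: int = 16) -> str:
    """Render bytes as a VBA Array(...) literal with line continuations."""
    nums = [str(b) for b in blob]
    lines = [", ".join(nums[i:i + per_line]) for i in range(0, len(nums), per_line)]
    return "Array(" + ", _\n        ".join(lines) + ")"


# Constructed sample macro; "payload.exe" is a hypothetical drop name.
SAMPLE_MACRO = f"""
Sub Auto_Open()
    Dim buf() As Variant
    buf = {_vba_array_literal(_build_sample_pe())}
    Dim path As String
    path = Environ("TEMP") & "\\payload.exe"
    Open path For Binary As #1
    Dim i As Integer
    For i = 0 To UBound(buf)
        Put #1, , CByte(buf(i))
    Next i
    Close #1
    Shell path, vbHide
End Sub
"""

BENIGN_MACRO = """
Sub FormatSheet()
    Dim widths() As Variant
    widths = Array(12, 8, 8, 20)
End Sub
"""

_ARRAY_RE = re.compile(r"Array\s*\((.*?)\)", re.S | re.I)


def extract_byte_arrays(vba_source: str):
    """Yield each Array(...) literal whose elements are all byte-sized integers."""
    for m in _ARRAY_RE.finditer(vba_source):
        body = m.group(1).replace("_", "").replace("\n", "")
        items = [x.strip() for x in body.split(",") if x.strip()]
        try:
            vals = [int(x[2:], 16) if x.upper().startswith("&H") else int(x) for x in items]
        except ValueError:
            continue
        if vals and all(0 <= v <= 255 for v in vals):
            yield bytes(vals)


def parse_pe_header(blob: bytes):
    """Return the machine name if blob starts a valid PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return IMAGE_FILE_MACHINE.get(machine, f"unknown(0x{machine:04x})")


def scan_macro(vba_source: str):
    """Findings for one macro: embedded PE images plus the drop-and-run primitives used."""
    findings = []
    for blob in extract_byte_arrays(vba_source):
        machine = parse_pe_header(blob)
        if machine:
            findings.append(f"embedded PE ({machine}, {len(blob)} bytes in array literal)")
    if re.search(r"\bOpen\b.*\bFor\s+Binary\b", vba_source, re.I):
        findings.append("writes a binary file")
    if re.search(r'\bShell\b|CreateObject\("WScript\.Shell"\)', vba_source, re.I):
        findings.append("launches a process")
    return findings
```

In practice the macro source is first extracted from the .ppt or .xls container (olevba from oletools does this); the scan above then runs over that text. Real samples often obfuscate the array with arithmetic or string concatenation, so a production scanner also evaluates simple expressions rather than only literal integers.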

Back in the 1990s, macros were the weapon of choice for budding virus writers. Microsoft responded by disabling macros by default, all but killing off the threat. The return of this malicious scripting code is an interesting curiosity rather than a pressing danger.

Searching on the web reveals the presentation’s authors gathered warnings of impending doom from a US preacher who almost certainly had nothing to do with the booby-trapped document. However the blog of the implicated believer has been compromised to manipulate search engine results for, er, lovemaking enhancements, “off-shore” casinos, foreign exchange fraud and payday loans.

A blog post by Sophos, including screenshots, that explains the threat in greater depth can be found here. ®

Doomnote

The Mayan Long Count calendar cycles every 5,125 years, each period covering a great age of humanity. According to ancient myths, there are five such ages and each one ends in cataclysm of some kind. Today marks the end of the fifth age, or so the story goes.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/21/mayan_apocalypse_malware/

10,000 Indian government and military emails hacked

India’s government and military have suffered one of the worst cyber attacks in the nation’s history, after over 10,000 email accounts belonging to top officials were compromised, despite a warning from the country’s cyber security agency.

The attack came on 12 July, four days after the government was warned by the National Critical Information Infrastructure Protection Centre (NCIIPC), part of the National Technical Research Organisation (NTRO), that some sophisticated malware was spotted targeting specific individuals and organisations.

News of the attack was revealed at a day-long NCIIPC meeting in New Delhi this week, according to the Indian Express.

Email addresses belonging to officials working at the Prime Minister’s Office, defence, home, finance and external affairs ministries and intelligence agencies were nabbed in the attack, which has been blamed on state actors.

“The Ministry of External Affairs and Ministry of Home Affairs took the biggest hit, plus strategic information related to critical sectors, including troop deployment, was compromised,” an NTRO official told the Express.

“Paramilitary forces were also badly hit, especially the Indo Tibetan Border Police (ITBP), as deployments were revealed. There were serious cases of negligence, the involvement of insiders, if any, is also being checked.”

India’s most prolific foe in cyber space is thought to be Pakistan, but the frequent skirmishes between the two tend to involve web site defacements and the occasional DDoS attack from various hacktivist groups.

Back in March, minister for communications and IT, Sachin Pilot, revealed that over 100 government sites had been compromised in this manner between December 2011 and February 2012, while the India CERT said there were 834 defacements of .in sites in January alone.

However, the attack in July appears to have been more co-ordinated and carried out with the aim of obtaining specific information.

The NTRO was tight-lipped on the source of the attack.

“We would not like to name the state actors but D4 — destroy, disrupt, deny and degrade — process was initiated and counter offensive launched,” the NTRO official told the Express.

Back in June reports emerged that India’s National Security Council was finalising plans to give the NTRO and Defence Intelligence Agency (DIA) the power to carry out unspecified offensive operations if necessary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/21/indian_government_email_hacked/

Apple shifts iTunes to HTTPS, sidesteps China’s censors

Apple has adopted HTTPS for searches and downloads on the version of iTunes used in China. The move comes at a time when China’s government prepares to step up regulation of online app stores and continues its crackdown on VPNs.

Greatfirewall.org, which tests blocked URLs and popular web platforms to provide info on censorship in China, blogged on Thursday that the switch to HTTPS has effectively enabled Apple to bypass the Great Firewall, for now.

“Before this adoption, searching for certain keywords such as ‘vpn’ would lead to a connection reset on iTunes and visiting the page for certain apps, such as VPN Express would also cause a reset, which means there is no way for users in China to search for or download certain apps even if they are available in China App Store,” it said.

“But because now HTTPS is implemented by Apple on almost all connection to iTunes server, Great Firewall of China has no way to selectively block connection to certain contents. A test to the same link mentioned above with HTTPS protocol yields no censorship.”

Other e-commerce platforms such as Taobao actively self-censor results for things like net circumvention tools, Greatfirewall.org added.

It’s still unclear exactly when Apple made the switch to HTTPS but last week the government signalled its intent for the first time to begin regulating the online application market.

This will involve forcing operators of mobile app stores to acquire a license before they can sell online and could potentially extend to real name registration rules for developers and some form of regulation for the apps themselves, according to the state-run Global Times.

It’s being done in the name of the “healthy development” of the mobile internet and, to be fair, China does have a big problem with malware-ridden apps and dodgy third-party stores, but it raises the fear that the rules will also be used to extend the suppression of freedom of expression into yet another sphere.

The news also comes as the authorities appear to be taking a harder stance on VPNs – the main means by which netizens inside the Great Firewall access banned content. As early as a week ago reports came in that various VPN providers such as Astrill and StrongVPN had been deliberately disrupted for users inside China.

Apple couldn’t immediately be reached for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/21/itunes_https_shift_routes_around_great_firewall/

PGP, TrueCrypt-encrypted files CRACKED by £300 tool

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC’s memory to decrypt PGP and TrueCrypt-protected data.

Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods and forensic specialists. PGP and TrueCrypt set the industry standard for whole-disk or partition encryption.

Normally, the unencrypted content of these data containers is impossible to retrieve without knowing the original passphrase used to encrypt the volume. Vladimir Katalov, chief exec of ElcomSoft, said encryption technology, in the right conditions, can be circumvented thanks to human laziness:

The main and only weakness of crypto containers is the human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data.

No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory.

Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool.

ElcomSoft’s gear can extract these decryption keys from a copy of the computer’s memory, typically captured using a forensic tool or acquired over FireWire, whose direct memory access lets an attached device read RAM without the operating system’s cooperation. Once it has the key, the protected data can be unlocked.

If the computer is powered off, the analyser can retrieve the keys from a hibernation file on the disk, in which the operating system saves the state of the machine including its main memory.

“Algorithms allow us to analyse dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures,” Katalov explains.

Encrypted drives must be mounted at the time a memory dump is taken or else the process will fail to work. For this, and other reasons, considerable skill is needed to use the tool properly.
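Katalov’s “analyzing byte sequences” is, for AES, the key-schedule search published in the 2008 cold-boot research: a cipher that keeps its expanded round keys in RAM leaves a 176-byte structure whose every 4-byte word is a deterministic function of the 16 bytes before it, so a dump can be scanned for any window that is followed by its own expansion. The example below is added here to show that mechanism; it is not ElcomSoft’s code, whose exact algorithms are not public. The “memory image” is constructed noise with one schedule embedded at a chosen offset.

```python
import random

# Added example: locate AES-128 keys in a memory image by key-schedule search.
# Not ElcomSoft's implementation; the sample dump is constructed, not captured.


def _build_sbox():
    """Generate the AES S-box from the GF(2^8) inverse plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:                                   # invariant: p * q == 1 in GF(2^8)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                # 0 has no inverse; fixed by definition
    return sbox


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


SBOX = _build_sbox()
SCHEDULE_LEN = 176   # 11 round keys x 16 bytes for AES-128


def _round_key_words(key: bytes):
    """Yield the 40 expanded words w4..w43 of the AES-128 key schedule, in order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
        yield bytes(w[-1])


def expand_key(key: bytes) -> bytes:
    """Full 176-byte schedule as it sits in RAM: the key followed by w4..w43."""
    return bytes(key) + b"".join(_round_key_words(key))


def find_aes128_keys(dump: bytes):
    """Offsets (and keys) of every 16-byte window followed by its own expansion."""
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        pos = off + 16
        for word in _round_key_words(dump[off:off + 16]):
            if dump[pos:pos + 4] != word:
                break                             # almost every window fails at w4
            pos += 4
        else:                                     # all 40 words matched
            hits.append((off, bytes(dump[off:off + 16])))
    return hits


def build_sample_dump(key: bytes, at: int, size: int = 32768, seed: int = 1) -> bytes:
    """Constructed stand-in for a memory image: noise with one schedule embedded."""
    rng = random.Random(seed)
    noise = bytearray(rng.getrandbits(8) for _ in range(size))
    noise[at:at + SCHEDULE_LEN] = expand_key(key)
    return bytes(noise)
```

The same scan works on a hibernation file once it has been decompressed, which is the powered-off case the article mentions. It finds AES-128 only; AES-256 keeps a 240-byte schedule with a different expansion, and a tool covering TrueCrypt’s other ciphers needs the equivalent structure test for each. The forensic countermeasures follow directly from the mechanism: dismount volumes and power off rather than sleep or hibernate, and disable FireWire or Thunderbolt DMA so a live machine cannot be imaged from the outside.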

“Our customers asked us for a tool like this for a long, long time,” said Katalov. “We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers.”

Simon Steggles, director of forensics at data recovery biz Disklabs, said ElcomSoft’s utility merely automates a process for retrieving decryption keys that is already used by computer forensics teams, if not the wider IT community.

“In forensics, we have known about this for years. It only works when the computer is switched on. Once it is powered down, the RAM memory is gone and you lose that key,” Steggles explained.

“Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM.”

The Forensic Disk Decryptor costs £299. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp/

US: We’ll drag cyber-spies into COURT from their hideouts

The US Department of Justice has floated a plan to advance criminal prosecutions against cyber-spies.

This is after the Defense Security Service (DSS), an agency of the US Department of Defense, reported* this week that the number of foreign cyberattacks aimed at snaffling US tech, intellectual property, trade secrets and classified information rose by 75 per cent in 2010-11.

Report after report has alleged that state-sponsored hackers from China are trying to steal intellectual property from US high-tech firms. China routinely denies this, nobody believes the denials, and the truth is that almost every other country with the capability is at it too.

Congressional reports decrying hacking from China and Russia combined with diplomatic offensives by the State Department have failed to have much effect on cyber-espionage attacks against defence contractors and others. Offensive cyber retaliation is legally fraught, especially if directed against countries with business and economic ties to the US. In the absence of any better idea, filing indictments seems to have become a popular option.

“We are having people look at bringing one of these cases, it’s there to be brought, and you’ll see a case brought,” John Carlin, the principal deputy assistant Attorney General in the Department of Justice’s national security division told Defense News.

Carlin added that up to 100 prosecutors are being specially trained in cyberespionage prosecution, under a programme dubbed the National Security Cyber Specialist, or NSCS, network. Individual hackers could be charged with offences in much the same way that conventional spies acting within a US territory can be charged with offences.

The big difference, of course, is that hacking attacks can be carried out from anywhere in the world. Carlin said the DoJ may file indictments that name government officials or governments blamed for sponsoring hacking attacks. He added that indicting a government isn’t unprecedented: in 2011, an Iranian Al Quds official was charged with conspiring to kill Saudi Arabia’s ambassador to the US. Even though there’s no expectation that such a case will be heard, the idea goes, an indictment can have a warning effect.

More plausibly Carlin suggested the most likely target for prosecution could be a foreign company that makes use of stolen technology.

“Whether it is a state-owned enterprise or a state-supported enterprise in China — if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the US, or in Europe,” Carlin told Defense News. “It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’,” he added.

While the main responsibility for co-ordinating the response to cyber attacks lies with the US Department of Homeland Security, the FBI and the DoD’s Cyber Command also have a role. The Defense Department is mainly tasked with defending military networks but can be drafted in to help address problems with civilian networks, in response to requests from US cabinet officers.

Reactions to the DoJ plan from cyber-security experts have been lukewarm. Richard Bejtlich, chief security officer at Mandiant and a former Black Hat instructor, commented: “What happens when the other side decides to prosecute US, etc?”

Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure, added: “Next: Iran to prosecute US Contractors behind Stuxnet and Flame?” ®

Bootnote

Espionage may be frowned upon, but international agreements implicitly accept it as a natural political activity – and every country with the capability is engaged in it.

And, of course, cyberspying is often illegal in the “victim country” and legal in the “aggressor country” – and one man’s filthy, underhand (cyber) spy is another man’s brave fighting hero risking life and limb behind enemy lines (firewalls), to paraphrase Blackadder‘s General Melchett:

CAPTAIN DARLING: So you see, Blackadder, Field Marshal Haig is most anxious to eliminate all these German spies.

GENERAL MELCHETT: Filthy Hun weasels, fighting their dirty underhand war!

CAPTAIN DARLING: Fortunately, one of our spies…

GENERAL MELCHETT: Splendid fellows, brave heroes risking life and limb for Blighty!

* Targeting US Technologies: A Trend Analysis of Reporting from Defense Industry (PDF)

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/20/prosecute_foreign_hackers_plan/

Apache plug-in doles out Zeus attack

Anti-virus outfit Eset has discovered a malicious Apache module in the wild that serves up malware designed to steal banking credentials.

As the company states in this post, the module, dubbed Linux/Chapro, is already being used to inject a version of Win32/Zbot (Zeus) into content served by the compromised Web servers.

The attack points the victim to a Lithuanian server running the Sweet Orange exploit kit. The Sweet Orange authors claim it has a 10 to 25 percent infection rate and can drive 150,000 unique users to its customers, according to ThreatPost.

The process described by Eset goes like this: a user requests a supposedly innocent web page from a compromised server, which contacts its command-and-control server. The C&C machine sends malicious content, such as an iframe, back to the web server, which injects it into the page it returns to the end user.

That leaves the user infected with Zeus, with the machine under the control of the botnet’s operators.

“This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate,” Pierre-Marc Bureau, Eset’s security intelligence program manager, wrote in the blog post. “It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot.”

The attack is carefully designed not to draw attention to itself, Bureau writes. It doesn’t serve the malicious iframe to search engine robots, and it skips visitors whose IP address also has an SSH session open to the compromised server, to avoid infecting site administrators. Cookies and IP address logs are used to avoid sending the exploit to any user more than once. ®
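Those selection rules are aimed squarely at the obvious check an administrator would make, namely loading the site from the box they are logged into, so the check has to be done differently. The added example below (not Eset’s code) models the rules as the article describes them, then shows the defender-side test they are designed to defeat: fetch the page as a fresh visitor and diff its iframe and script sources against the file in the document root. The crawler User-Agent list, the pages and the addresses are constructed for the example.

```python
from html.parser import HTMLParser

# Added example, not Eset's code: the victim-selection rules attributed to
# Linux/Chapro, and the served-vs-disk comparison that catches the injection.

BOT_UA_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider")   # assumed list


def would_receive_payload(user_agent: str, client_ip: str, has_marker_cookie: bool,
                          ssh_client_ips: set, already_served: set) -> bool:
    """Decide, as the module does, whether this request gets the iframe."""
    if any(m in user_agent.lower() for m in BOT_UA_MARKERS):
        return False          # search-engine crawlers never see the injection
    if client_ip in ssh_client_ips:
        return False          # someone from this address is logged in over SSH
    if has_marker_cookie or client_ip in already_served:
        return False          # each victim is served the exploit once
    return True


class _RefCollector(HTMLParser):
    """Collect (tag, src) for every iframe and script that carries a src attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_refs(html: str):
    parser = _RefCollector()
    parser.feed(html)
    return parser.refs


def injected_refs(on_disk: str, as_served: str):
    """Sources present in the served page but absent from the file on disk."""
    baseline = set(external_refs(on_disk))
    return [ref for ref in external_refs(as_served) if ref not in baseline]


# Constructed pages: the document-root copy, and what a first-time visitor with a
# browser User-Agent gets back. 198.51.100.23 is a documentation address.
ON_DISK = ('<html><body><h1>Welcome</h1>\n'
           '<script src="/js/site.js"></script>\n</body></html>')
AS_SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://198.51.100.23/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>')
```

To run this against a real server, make the request from a host that has no SSH session to it, with a browser User-Agent, an empty cookie jar and an address that has not fetched the site before, since every one of those conditions switches the injection off. On the server itself, compare the modules listed by `apachectl -M` with the module files owned by the distribution’s packages; a module that no package owns is the thing to pull out and analyse.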

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/20/apache_dangerous_plugin/