STE WILLIAMS

Cybercrooks swiped £30 million (€36m) from the banks accounts of 30,000 customers in Italy, Germany, Spain and Holland over the summer using an elaborate mobile banking fraud scam.

The malware-based attack targeted both corporate and private banking users, performing automatic transfers that varied from €500€ to €250,000 to intermediary accounts controlled by members of the gang. The fraud used malware based on the infamous ZeuS cybercrime toolkit to target the PCs and mobile phones of banking customers.  It circumvented SMS messages used by banks to secure customers’ account logins and authenticate transactions, according to firewall and security tools firm Check Point.

The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.

With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.

Customers at an estimated 30 banks fell victims to the cyberheist. The so-called Eurograbber attack began with infecting victims PCs with a modified versions of the ZeuS Trojan before hijacking bank sessions online to trick victims into handing over their mobile number. Fraudsters then sent links to download a modified version of the Zitmo (Zeus in the mobile) malware to marks under the guise of an “online banking security update”. This step allow hackers to authorise fraudulent transactions while all the while keeping victims unaware that anything had gone wrong.

The scam was discovered by Check Point and Versafe, a private developer of security applications. Affected banks have been notified. The two security firms are working with law enforcement to block the attacks.

Check Point and Versafe got involved because they were asked to investigate a spate of unusual transactions from bank accounts, and started tracing the routes and IP addresses involved in those transactions.  This uncovered the Zeus infections and the attack process, leading them to notify the affected banks and law enforcement.

“Cyberattacks are constantly evolving to take advantage of the latest trends,” said Gabi Reish, head of product management at Check Point Software Technologies. “As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example.”

Eran Kalige, head of security operation centre, Versafe, added: “As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/07/eurograbber_mobile_malware_scam/

Microsoft is planning to release seven bulletins next Tuesday, five of which tackle critical vulnerabilities, as part of its final Patch Tuesday update of 2012.

All currently supported operating systems (including Windows 8 and Windows RT) will need patching. The updates feature critical updates for Redmond’s IE 9 and IE 10 browser software, a critical update for Microsoft Word, and critical updates for some of Microsoft’s server products (Exchange and Sharepoint).

Wolfgang Kandek, CTO of Qualys, singled out the Word update for particular attention.

“Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely,” he said.

“Usually Microsoft downgrades even Remote Code Execution Office vulnerabilities to ‘Important’, because a user interaction (e.g., opening a malicious file) is required. In this case we assume the ‘critical’ rating comes from Outlook, which can be configured to use Word to visualise documents in its preview pane. This is an automatic mechanism that does not require user interaction. In any case, this is will be an important bulletin to watch out for.”

Microsoft pre-release bulletin can be found here.

Paul Henry, a security analyst patch management firm Lumension, noted that Microsoft has managed to reduce the number of updates it issued this year compared to 2011.

“In 2011, Microsoft had 100 bulletins for the calendar year, of which 34 were critical, 63 important and 3 moderate,” Henry said. “In 2012, they reduced the number of bulletins by close to 20 percent, coming in at 83 bulletins for the year, of which 35 were critical, 46 important and 2 moderate. It’s great to see that Microsoft’s Secure Coding Initiative is paying off, reducing the number of vulnerabilities in their software.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/07/patch_tuesday_dec_2012_pre_alert/

Apple has added to its growing security team with the hiring of noted white-hat hacker Kristin Paget, who broke and then got hired to fix Windows security, Wired reports.

Kristin Paget, formerly Chris and originally from the UK but lately of California, is the inventor of the term “shatter attack” in a 2002 paper on a system for privilege-escalation attacks on applications in Windows NT, 2000, and XP operating systems. Microsoft issued a partial patch for the problem in December, but it wasn’t finally fixed until Vista came out.

One of the reasons for that fix was that Redmond had made the canny move of hiring Paget and a team of other hackers to beef up the security on Vista. They gained renown – and caused Microsoft not a little aggravation – by delaying the launch of Vista after finding a critical security failure at the last minute.

Paget has made a name for herself with a number of interesting hacks across the technological spectrum outside of the world of pure software. In 2007 she was forced to pull out of a Black Hat conference talk on hacking building entry systems under threat of legal sanction from a major US RFID manufacturer.

A few years later, she showed off a $250 proof-of-concept device that cloned three passport card RFID tags during a 20-minute drive in downtown San Francisco. Later that year she demoed a $4,000 prototype that could match the random channel-hopping systems used by GSM, allowing extended eavesdropping.

At the 2010 DefCon security conference, Paget set up a spoof GSM base station in the conference hall that hacked many of the audience’s phones and left them messages telling them their security had been compromised. All participants had been warned beforehand – Paget’s good, but she’s strictly white hat.

Paget has worked at a variety of security consultancies since her sojourn at Redmond, but in July she announced on her Twitter feed that she was looking for another job. “I’ve done too much breaking of things, it’s time to create for a change,” she said.

It now appears that Apple has scooped her up as part of its attempts to beef up security and fend off a growing malware threat. Cupertino has been quietly hiring security experts for a few years now, although many haven’t lasted long at the company, citing Apple’s tricky corporate culture.

While Paget has been a regular on the DefCon/Black Hat/Shmoocon hacking conference circuit, it’s not clear whether her new employers will allow her to continue. Apple’s first presentation at Black Hat this year was widely mocked as insultingly low in information, whereas Paget is more of a full-disclosure type of person.

Nevertheless, Apple has itself a valuable asset in Paget, and it’s going to be interesting to see what kind of changes will sneak into iOS and OS X that come from their new hire. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/06/apple_hires_kristen_paget/

Updated A moment of inattention has allowed the ITU’s proposed deep packet inspection (DPI) standard to escape.

The slip-up happened when an Australian CryptoParty activist Asher Wolf put out a public call on Twitter asking for a copy of the text. The ITU duly sent it by e-mail – only later realising its mistake and asking her to treat it as for her eyes only.

By which time, Vulture South and other journalists had seen the document…

So what is the ITU proposing?

The document – all 95 pages of it – is exactly what it purports to be: a proposed technical interoperability standard for deep packet inspection systems (its very existence comes as something of a surprise to this vulture: in the context of network performance, I asked several vendors when this would be standardised, and the unanimous response was “never”).

The standard describes itself as applicable to “application identification, flow identification, inspected traffic types” – which The Register would highlight as the most sensitive functions – along with how DPI systems manage signatures, report to network management systems, and interact with their policy engines.

A block diagram is going to be needed.

A thumbnail outline of the ITU’s concept of DPI

What’s odd about the ITU’s decision to standardise DPI is this: the point of standardisation is interoperability – and interoperability matters most where systems interact with the outside world.

Looking at this block diagram, the biggest question that occurs to The Register has been the same question throughout the life of DPI: if the interfaces behave themselves, passing packets in and out as they should, what’s the point of standardising the internals?

Yet that is what the ITU is attempting – whether or not this can be taken as an endorsement of DPI is another matter.

At the high level, there’s nothing remarkable. Packet identification – unidirectional or bi-directional – is specified as a necessary component of DPI because it is. The ITU spec says that the flow identification should comply with IETF RFCs 5101 and 5102.

The next piece defines the existence and operation of the signature library, the specification for which requires “only” that the signature library exist and what signatures it contains. It also demands that the library be secured. And – naturally enough – that signatures can be added, removed, modified and so on.

There’s a lot more, but the first thing to understand is this: much of the standard does nothing more than describe the functional components of DPI systems that already exist.

What about the impact on the network?

Here, at least, the ITU seems aware that DPI can carry risks, so it insists that deployments don’t impact emergency telecommunications (for example, by introducing excessive, unwanted latency or packet loss).

The devil’s in the appendices

If you’ve stayed with me this long, congratulations. It’s in the appendices that we reach the part of the spec that has people worried. Specifically, Appendix I: application scenarios.

This section looks at various use-cases: service differentiation (which, of course, raises the debate about network neutrality); traffic monitoring for resource allocation based on subscriber policy (ie, “premium” versus “best effort” services – neutrality again); malicious traffic identification (which isn’t a bad idea); service-based billing (which could, again, tie back to the neutrality question)…

…and so on, ad infinitum.

Having read the document – twice now – this Register author is starting to form the opinion that for a 95-page epic, the ITU proposed DPI standard is less than the sum of its parts.

As has been pointed out to me privately, and will no doubt give rise to extensive public condemnation, the proposed standards use-case examples include VoIP blocking, BitTorrent detection, SIP blocking and so on.

I don’t suspect for a moment that the ITU conceived such ideas on its own. They read as if they were drawn from vendor configuration manuals. In other words the examples were provided – because they already existed.

And if the standard were adopted, what then?

The argument that the standard will act as an enabler to repressive regimes seems to ignore the long history of DPI deployment that already exists, across both democratic and non-democratic countries. It’s already there.

Also, the argument against the WCIT’s proposed International Telecommunications Regulations runs that the ITU’s involvement will stifle innovation and hamper the Internet. Why would the same body’s involvement become an enhancer and enabler to DPI?

It seems to me that DPI could do with the kind of stifling that the ITU is accused of threatening to the online world.

Unless, of course, the outcry over the DPI standard is intended as another rallying cry against the virtual black helicopters of the ITU… ®

Updated to add

The ITU has now announced that the DPI standard has been approved. Its announcement spins the standard in the direction of performance management, managing not to dwell on unwelcome issues such as BitTorrent or VoIP blocking.

It states that the standard will soon be available for download. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/06/dpi_standard_leaked/

Updated – vote approves DPI standard A moment of inattention has allowed the ITU’s proposed deep packet inspection (DPI) standard to escape.

The slip-up happened when an Australian CryptoParty activist Asher Wolf put out a public call on Twitter asking for a copy of the text. The ITU duly sent it by e-mail – only later realising its mistake and asking her to treat it as for her eyes only.

By which time, Vulture South and other journalists had received copies…

So what is the ITU proposing?

The document – all 95 pages of it – is exactly what it purports to be: a proposed technical interoperability standard for deep packet inspection systems (its very existence comes as something of a surprise to this Vulture: in the context of network performance, I asked several vendors when this would be standardised, and the unanimous response was “never”).

The standard describes itself as applicable to “application identification, flow identification, inspected traffic types” – which The Register would highlight as the most sensitive functions – along with how DPI systems manage signatures, report to network management systems, and interact with their policy engines.

A block diagram is going to be needed.

A thumbnail outline of the ITU’s concept of DPI

What’s odd about the ITU’s decision to standardise DPI is this: the point of standardisation is interoperability – and interoperability matters most where systems interact with the outside world.

Looking at this block diagram, the biggest question that occurs to The Register has been the same question throughout the life of DPI: if the interfaces behave themselves, passing packets in and out as they should, what’s the point of standardising the internals?

Yet that is what the ITU is attempting – whether or not this can be taken as an endorsement of DPI is another matter.

At the high level, there’s nothing remarkable. Packet identification – unidirectional or bi-directional – is specified as a necessary component of DPI because it is. The ITU spec says that the flow identification should comply with IETF RFCs 5101 and 5102.

The next piece defines the existence and operation of the signature library, the specification for which requires “only” that the signature library exist and what signatures it contains. It also demands that the library be secured. And – naturally enough – that signatures can be added, removed, modified and so on.

There’s a lot more, but the first thing to understand is this: much of the standard does nothing more than describe the functional components of DPI systems that already exist.

What about the impact on the network?

Here, at least, the ITU seems aware that DPI can carry risks, so it insists that deployments don’t impact emergency telecommunications (for example, by introducing excessive, unwanted latency or packet loss).

The devil’s in the appendices

If you’ve stayed with me this long, congratulations. It’s in the appendices that we reach the part of the spec that has people worried. Specifically, Appendix I: application scenarios.

This section looks at various use-cases: service differentiation (which, of course, raises the debate about network neutrality); traffic monitoring for resource allocation based on subscriber policy (ie, “premium” versus “best effort” services – neutrality again); malicious traffic identification (which isn’t a bad idea); service-based billing (which could, again, tie back to the neutrality question)…

…and so on, ad infinitum.

Having read the document – twice now – this Register author is starting to form the opinion that for a 95-page epic, the ITU proposed DPI standard is less than the sum of its parts.

As has been pointed out to me privately, and will no doubt give rise to extensive public condemnation, the proposed standards use-case examples include VoIP blocking, BitTorrent detection, SIP blocking and so on.

I don’t suspect for a moment that the ITU conceived such ideas on its own. They read as if they were drawn from vendor configuration manuals. In other words the examples were provided – because they already existed.

And if the standard were adopted, what then?

The argument that the standard will act as an enabler to repressive regimes seems to ignore the long history of DPI deployment that already exists, across both democratic and non-democratic countries. It’s already there.

Also, the argument against the WCIT’s proposed International Telecommunications Regulations runs that the ITU’s involvement will stifle innovation and hamper the Internet. Why would the same body’s involvement become an enhancer and enabler to DPI?

It seems to me that DPI could do with the kind of stifling that the ITU is accused of threatening to the online world.

Unless, of course, the outcry over the DPI standard is intended as another rallying cry against the virtual black helicopters of the ITU… ®

Update: The ITU has now announced that the DPI standard has been approved. Its announcement spins the standard in the direction of performance management, managing not to dwell on unwelcome issues such as BitTorrent or VoIP blocking.

It states that the standard will soon be available for download. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/06/dpi_standard_leaked/

Reform candidate Dave Lewis has been elected to the (ISC)² board of directors.

The security certification body, which administers the Certified Information Systems Security Professional (CISSP) qualification, has about 80,000 members worldwide.

Four of the 13 seats on the (ISC)² board were up for election this year; one of the positions went to Lewis, a Canadian who stood on a platform of seeking to restore the integrity of the CISSP exam.

Three other radicals – Scot Terban, Boris Sverdlik and Chris Nickerson – were unable to get their names on this year’s ballot, which closed last Friday. None of the three succeeded as write-in candidates either.

Three of the four board election candidates on the ballot were dismissed as “time-servers” by the (ISC)²‘s critics. The board is made up of representatives from academia, industry and internet committees. But some in the security world want to see more people, such as Lewis and Wim Remes, with real-world experience heading the organisation.

Remes, who was elected to the (ISC)² board of directors last year, told El Reg that much of the criticism was unfair.

“The present board are a diverse bunch who are well in touch with what’s happening in security, and knowledgeable,” he said.

CISSP certification can help boost one’s career prospects in information security, but it’s not mandatory and is a poor cousin to the professional qualifications in the legal and medical industries. Membership to (ISC)² costs $85 a year, a bone of contention for some people. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/06/isc2_election/

Orange will install freebie mobile security suite Lookout on every Android handset it sells and bundle premium access with selected tariffs.

As part of the deal, the EE-owned mobile operator will sink some cash into Lookout, but both companies are adamant there’s more to this deal than bundling software. From early next year, Android smartphones sold to EE customers in the UK, including T-Mobile, and Orange customers in France, Spain and Slovakia will come loaded with the antivirus kit.

Operators routinely stuff software onto handsets, particularly if the application vendor is prepared to cut the mobile network a slice of its revenue. Lookout charges $3 a month for the premium service so there’s potentially considerable income to share, but we’re told that’s not the point of this collaboration.

Orange will offer Lookout Premium to customers on specific tariffs; all customers will at least get basic services such as malware scanning, cloud backups and the ability to locate a lost phone – the software even sends details of its last known location just before the battery dies. Only those on the right contracts will get photo backup space and the power to remotely wipe a phone as well as checking every URL for phishing or other nastiness.

The URL checking is becoming standard practice on desktops, but Lookout tells us that 40 per cent of its premium subscribers have clicked on a dodgy link subsequently blocked by its software. Lookout insists it keeps no records of which URLs you tried to visit.

Exactly which tariffs will get the premium treatment Orange isn’t saying, but nonetheless bundling antivirus packages is an interesting additional service from a network operator. Mobile networks are keen to extend their offerings beyond access, and their brands can engender trust thus making security products an easy sell.

But Orange (and EE) will need to bundle the premium version in a range of tariffs, otherwise this deal is just more free bloatware that tries to upsell the user while spawning websites devoted to getting rid of it. Orange will need to walk very carefully to prevent that perception, bearing in mind how many fixed-line and mobile providers have failed in the past to persuade customers to accept bundled freebies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/05/orange_lookout/

Some 48 countries have agreed to join forces to halt the spread of online child sex abuse videos and images.

EU Commissioner for Home Affairs Cecilia Malmström will team up with US Attorney General Eric Holder to launch the Global Alliance Against Child Sexual Abuse Online at a conference held today in Brussels, Belgium.

The initiative, billed as the biggest of its kind, aims to combat the increase of child pornography on the internet. It is estimated one million child abuse images are available on the web and this figure is estimated to increase by 50,000 per year.

Ministers from 27 EU member states will join 21 countries outside the continent – Albania, Australia, Cambodia, Croatia, Georgia, Ghana, Japan, Moldova, Montenegro, New Zealand, Nigeria, Norway, the Philippines, Serbia, Republic of Korea, Switzerland, Thailand, Turkey, Ukraine, USA and Vietnam – all backing the initiative, which aims to build international cooperation in the fight against the distribution of the vile imagery.

“This international initiative will strengthen our mutual resources to bring more perpetrators to justice, identify more victims of child sexual abuse, and ensure that they receive our help and support,” said Eric Holder. “Through this global alliance we can build on the success of previous cross-border police operations that have dismantled international paedophile networks and safeguard more of the world’s children.”

Child abusers exploit the dearth of information exchanged between nations’ authorities and any legal loopholes available to operate freely, underlining the need for global cooperation to investigate and prosecute offenders.

As well as identifying victims, so as to find and protect them, and investigating incidents of child abuse, the scheme also aims to boost children’s awareness of the risks posed by the web and those using it; kids will be told to take extra care with any photos they of themselves and to be wise to “grooming” methods used by paedophiles. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/05/alliance_fights_child_abuse_dist/

Twitter says it has plugged its years-old SMS spoofing vulnerability after yet-another disclosure, this time by security consultant Jonathan Rudenberg. Facebook and social payments outfit Venmo have also blocked the vulnerability.

In the case of Twitter, users with SMS-posting enabled weren’t forced to use any kind of authentication, although the option to use a PIN for posting was available. If the user didn’t require the PIN, someone who knew their number could post under their identity using an SMS gateway.

The gateway would allow the attacker to send a message to Twitter with the spoofed number, Rudenberg explains in this blog post. In fact, until the vulnerability was fixed, the full set of Twitter commands could be sent under the spoofed ID. The only mitigation, for users in regions that didn’t support PINs, was to disable SMS posts.

Twitter confirmed to Rudenberg that the issue was resolved on December 4. As he also noted, Facebook and Venmo have also plugged the same vulnerability in their networks. All three, he claims, took nearly three months to act, with his first disclosures made to the social networks in mid-August.

What’s surprising about this is that the Twitter spoofing vulnerability has existed since at least 2007, when Twitter first introduced PIN protection for tweets – but didn’t make it a requirement for mobile users.

In 2009, the issue rose up again, shambling like a zombie, with Security Fix reporting that the bug was fixed, while Heise Security said spoofing was still possible, as reported by The Register here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/05/twitter_dumb_sms_bug_plugged_again/

The Swiss intelligence agency (NDB) has been warning its US and UK counterparts that it may have lost terabytes of their secret information, thanks to one of its IT administrators pulling an inside job.

The rogue administrator, whom a source described to Reuters as “very talented,” had admin rights to most of the NBD’s servers, including sensitive files contributed from other agencies such as Britain’s MI6 and the CIA. He’d worked at the NDB for eight years but was reportedly disgruntled at his job and felt management were ignoring his suggestions on systems management.

The source said that the admin had been exhibiting warning signs, like failing to show up for work on a regular basis, and had copied large amounts of data onto small portable drives and smuggled them out of the office in his backpack. It is believed he was trying to sell the data to third parties.

The NDB were only alerted when the Swiss bank UBS told them of a suspicious attempt to set up a numbered account. Investigators raided the admin’s home and found large numbers of files stashed on portable drives.

It appears at this stage that he was raided before he managed to sell any of the data, but the NDB has informed partner agencies just in case. Nevertheless, it’s an embarrassing situation for the Swiss, given that country’s reputation for secrecy and reliability. A Swiss parliamentary committee has been set up to examine the affair and is expected to issue a report in the spring.

While you’d expect the NDB would have some sort of data tracking system to monitor who was downloading what, it’s also likely that a senior administrator would have been able to find a way around it. It’s another case of a “Layer 8” security problem that’s very difficult to deal with.

Here in San Francisco, we had our own version of this with the case of Terry Childs, who was one of the chief admins on the city’s intranet. In a fit of pique he locked everyone else out of the system and refused to hand over the passwords to anyone other than the mayor. He got four years in prison and a bill for $1.5m in cleanup costs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/04/swiss_intelligence_data_loss/