STE WILLIAMS

Malware slurps rocket data from Japanese space agency

Malware on a computer in the Japan Aerospace Exploration Agency (JAXA) has been stealing data on the latest Nipponese solid-fuel rocket system.

JAXA said that a security sweep of its systems on November 21 showed that a single computer had been subverted by the malware, and it was not clear if this was a targeted cyber-attack for espionage purposes. But data on Japan’s Epsilon rocket system, which JAXA has spent ¥15bn developing, had been sent out of the organization to persons unknown.

The Epsilon program is building an advanced solid-fuel rocket that can further Japan’s space-exploration and satellite industry. But unfortunately, governments around the world would also be interested in the technology for military purposes.

Solid-fuel rockets have a number of advantages over other designs. Liquid-fueled rockets don’t make a good mobile-missile solution, and can’t sit around long when fueled up since the liquids involved are highly corrosive. With solid fuel you can assemble the missile and it’s ready to go whenever.

The first Epsilon rocket is close to takeoff, with the first launch scheduled for next summer. By this time almost all of the final testing will have been carried out, and if the attackers were interested in espionage, they may have got hold of some very valuable data indeed.

This is the second time JAXA has been hit in this way. In January the agency reported a similar malware data loss, that time for its H-II cargo transfer vehicle. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/30/jaxa_data_loss/

Last chance to vote for new sheriffs of security town

Friday marks the final day to submit votes for this year’s election of directors to the (ISC)2 security certification body.

(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, has around 80,000 members and several vocal critics in the infosec community. Respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and Rob Graham have criticised the institution in the weeks leading up to this year’s election, as previously reported.

(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this year.

Four radicals – the so-called “Four Horsemen of the Impending Infosec Apocalypse” – launched campaigns to stand for election to the infosec board, standing on a reform ticket. Only one of the four – Dave Lewis (@gattaca) – made the cut by getting 500 nominations from (ISC)2 members before a 17 September deadline. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short.

Lewis, from Canada, wants to restore the integrity of the CISSP exam. There’s still the option to cast votes for alternative write-in candidates but their names won’t appear on the official ballot papers, largely filled with established candidates standing for re-election.

Longstanding critics praised the election of Wim Remes to the (ISC)2 board last year as part of an overdue reform process. Remes is a manager in risk and assurance practice at Ernst & Young in Belgium. He’s also been involved in organising the well-regarded BruCON security conference and presenting at BlackHat, something that gives him a fair amount of street cred.

The board of (ISC)2 is made up of representatives from academia, industry and internet committees. CISSP has been accused by several critics of being “out of touch”, but Remes told El Reg: “We need fresh blood but we don’t want to throw our history away. The present board are a diverse bunch who are well in touch with what’s happening in security… and knowledgeable.”

CISSP certification helps people to get or retain jobs in information security but it’s not mandatory. Membership to (ISC)2 costs $85 a year, a bone of contention among some members.

Security blogger Javvad Malik, a CISSP member, said that much of the criticism was unfair.

“(ISC)2 is changing quite significantly, going from a certificate only organisation to more of a member organisation. So personally I believe they are heading in the right direction,” Malik told El Reg. “In my opinion there are many critics out there of (ISC)2 who have never ever proactively tried to find out more about the organisation.

“When I was at their congress event in Philadelphia a few weeks ago, I learned a great deal about how it operates, got to meet with many of the board members etc – and to be honest I came away with an overwhelmingly positive opinion of them. I don’t think anyone will claim it’s a perfect organisation, but it’s nowhere near as bad as people make it out to be.”

Malik’s experiences at the (ISC)2 congress can be found in a video blog post here.

Voting for the (ISC)2 board elections ends at 17.00 EST (22.00 GMT) on 30 November. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/30/isc2_election/

Your smartphone browser: A ZOMBIE in password-crunching botnet

Computer scientists in the US have discovered a potential means to abuse cloud-based web browsers.

Cloud-based web browsers such as Amazon Silk on the Kindle Fire feature a split architecture that means some processing associated with rendering web-pages is offloaded onto server farms in the cloud. Some smartphone browsers, particularly Opera Mini, adopt a similar model, as does web browsing from thin clients running Citrix. This is a different architecture from conventional desktop browsers such as Chrome, IE or Safari on desktop PCs and tablets.

However security researchers from North Carolina State University and the University of Oregon have found a way to exploit “cloud browser” services, using the Puffin and Cloud Browse apps that are available for Android and iOS.

Cloud browsers are designed to perform complex functions, so the researchers investigated whether they could be used to perform number-crunching functions that had nothing to do with browsing. Specifically, the researchers wanted to determine if they could perform those functions using the “MapReduce” technique developed by Google, which facilitates parallel computing.

Making this work would have to involve passing large packets of data between different nodes, a potential stumbling block. However by using bit.ly and other URL-shortening sites, and then passing the resulting “links” between various nodes, the compsec boffins were able to get around this problem.

The researchers were able to perform standard computation functions using data packets that were one, 10 and 100 megabytes in size. “They could have been much larger,” explained Dr William Enck, an assistant professor of computer science at NC State, “but we did not want to be an undue burden on any of the free services we were using.”

This sort of number-crunching power could be applied to benign projects such as SETI but could equally be applied to more potentially problematic schemes, such as password-cracking.

“We’ve shown that this can be done,” Enck adds. “And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and us[ing] it to crack passwords.”

Cloud browsers can protect themselves to some extent by requiring users to create accounts – and then putting limits on how those accounts are used. This would make it easier to detect potential problems.

Enck said that malware need not necessarily be involved in all this.

“Our proof-of-concept framework does not require the users doing anything,” he told El Reg. “Instead, we reverse-engineer the protocol that is used between the client and the cloud browser server.

“We can then start new rendering jobs from any computer that we already have control of. There is no need for it to be a smartphone or mobile device,” he added.

A paper (abstract below) by the researchers, Abusing Cloud-Based Browsers for Fun and Profit, is due to be presented at the 2012 Annual Computer Security Applications Conference in Orlando, Florida on 6 December.

Cloud services have become a cheap and popular means of computing. They allow users to synchronize data between devices and relieve low-powered devices from heavy computations. In response to the surge of smartphones and mobile devices, several cloud-based web browsers have become commercially available.

These “cloud browsers” assemble and render web pages within the cloud, executing JavaScript code for the mobile client.

This paper explores how the computational abilities of cloud browsers may be exploited through a Browser MapReduce (BMR) architecture for executing large, parallel tasks. We explore the computation and memory limits of four cloud browsers, and demonstrate the viability of BMR by implementing a client based on a reverse engineering of the Puffin cloud browser.

We implement and test three canonical MapReduce applications (word count, distributed grep, and distributed sort). While we perform experiments on relatively small amounts of data (100MB) for ethical considerations, our results strongly suggest that current cloud browsers are a viable source of arbitrary free computing at large scale.

The paper was co-authored by Vasant Tendulkar and Ashwin Shashidharan, graduate students at North Carolina State, and Joe Pletcher, Ryan Snyder and Dr Kevin Butler, of the University of Oregon. The research project was supported by the National Science Foundation and the US Army Research Office. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/30/cloud_based_web_browser_exploits/

Crooks inject malicious Java applet into FOREX trading website

A FOREX trading website has been contaminated with a malicious Java applet that is designed to install malware on the systems of visiting surfers.

The targeted website is a popular FOREX (foreign exchange market) website called “Trading Forex” (tradingforex.com). The website remains contaminated as of Thursday lunchtime according to Websense, the web security firm that detected the attack.

The backdoor planted on Trading Forex is written in Visual Basic.Net and requires Microsoft’s .NET framework to be successfully installed and running on a victim’s computer. This is an unusual approach.

Hackers intent on distributing malware through compromised websites often use pre-packaged tools, available through underground forums, most notably the widely used Blackhole Exploit kit.

Elad Sharf, senior security researcher at Websense, said it is unclear why the FOREX VXers have taken a different line of attack, although he has a few theories.

“We can only speculate why. One of the likely reasons is that the ‘Blackhole exploit kit’ costs money either to rent or to buy,” Sharf told El Reg. “On the other hand, the attack vector that was used on that website can be created with tools that are available for free.

“It’s important to note that there was no exploit involved in this attack but rather a social engineering trick that requires the victim’s involvement – if successful it will allow a backdoor Trojan to run on the victim’s machine,” he added.

Carl Leonard, senior security research manager EMEA at Websense, added: “This injection could deposit malware to the users of this site, possibly opening them up to data stealing. We’re also seeing typosquatting being used here, perhaps ready for a future attack.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/30/forex_trading_website_hack/

Microsoft Security Essentials loses AV-TEST certification

Microsoft Security Essentials, Redmond’s free antivirus tool for home users and businesses with up to ten PCs, can detect just 64 per cent of zero-day threats when running under Windows 7.

That low detection rate has cost it the AV-TEST Institute’s seal of approval, a certification it hands out to products that meet 11 of 18 criteria it assesses. Those criteria consider how effective software is at detecting and blocking threats, repair of infected systems and overall usability including “average slowing down of the computer when the software is used on a daily basis, false positives during a system scan and the display of false warnings or the blocking of certain actions during the installation and during the use of known good software.”

The Institute conducts tests bi-monthly and lists longitudinal data on software products’ performance.

During October the Institute rated Security Essentials 4.0 and 4.1 at just 1.5 out of 6 in terms of its ability to protect a PC, thanks largely to the 64 per cent zero-day detection rate being well below the industry average 89 per cent.

Security Essentials has lost AV-TEST’s seal before, with its September 2010 test failing to meet the lab’s criteria. It is the only one of 24 AV products for Windows 7 without the certification. Four products missed out for Windows Vista and two for Windows XP. Windows 8 AV tools are yet to go under the microscope and Microsoft is absent from AV-TEST’s list of vendors thanks to the new OS’ integrated protection software.

While tests like these have no official standing, a look at AV-TEST’s longitudinal analysis of Security Essentials shows it has consistently struggled to perform well in its malware detection and blocking tests.

Another security software testing organisation, Virus Bulletin, says Security Essentials’ performance is sufficient to justify its VB100 rating, which can only be attained by software that “prove[s] it can detect 100% of malware samples listed as ‘In the Wild’ by the WildList Organization” without generating any false positives. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/30/microsoft_security_essentials_loses_av_test_certification/

Google tools gaffe let ZOMBIE web admins feast on websites

Google potentially allowed former web admins to drive corporate websites off a cliff by resurrecting deleted accounts for its webmaster tools service.

Google Webmaster Tools accounts can be used by anyone to manage their websites, from checking the indexing of pages to fine-tuning their visibility in the dominant search engine. Google’s glitch, which revived old or disabled accounts and granted them permission to make alterations, was first noted by search-engine optimisation blogger Dave Naylor.

Although the tools are free to use, they have become quite powerful over the years, and can help make or break a site in terms of visitor numbers. Unauthorised access to the service could be used for all sorts of mischief, Naylor warned:

Webmaster Tools is so much more powerful than it ever was there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes. Things like disavow link lists, de-index urls or the entire site, redirect urls, geolocation alterations… a whole world of pain.

The blunder also opened up access to Google Analytics, allowing ex-employees or contractors to spy on their former employers, Search Engine Journal added.

Fortunately Google resolved the screw-up, according to a statement issued to Searchengineland.com on Wednesday:

For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.

The cause of the breach remains unclear. We’ve put in a query to Google and will update this story if we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/google_webmaster_tools_snafu/

Antivirus biz’s founder unmasked as noted Chinese hacker

Antivirus startup Anvisoft was founded by an infamous Chinese hacker who allegedly cut his teeth exploiting Microsoft Office security holes to hack US defence contractors, it has emerged.

Investigative journalist Brian Krebs uncovered evidence – largely based on historic domain records for Anvisoft and reports compiled by VeriSign on Chinese hacking activities – to allege that black-hat Tan Dailin established the antivirus startup.

In response to inquiries from The Reg, Anvisoft confirmed via a message from its official Facebook account that the report is accurate. “Yes, it is true,” it simply stated.

Dailin, AKA Wicked Rose or sometime Withered Rose, allegedly led a state-sponsored four-man crew called NCPH – Network Crack Program Hacker. According to VeriSign’s iDefense, NCPH developed a rootkit [PDF] that was used to infiltrate the US defence establishment in 2006. The group is accused of launching Microsoft Office-based attacks for two years before it disbanded in 2008.

Krebs followed various online clues to piece together his tentative conclusion that Dailin, a 28-year-old graduate of Sichuan University of Science and Engineering in Zigong, registered Anvisoft’s domain in 2011, and may still be a key player at the startup.

One of Dailin’s cohorts in NCPH, a hacker nicknamed Rodag, wrote a blog post describing Anvisoft’s Smart Defender as a “security aid from abroad” and praised the technology, Krebs noted.

[Screenshot of Facebook: Anvisoft confirms reports]

Trademark registration records pinpoint Anvisoft’s genesis in the Chinese city of Chengdu although the company states it is based in Toronto, Canada.

Krebs’s digital detective work, though persuasive, was far from conclusive, which he admits. There is no suggestion of any wrongdoing by Anvisoft.

“Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share,” Krebs noted.

Anvisoft’s technology has not been widely reviewed, but that’s not to say it is ineffective or untrustworthy. Against this, Trend Micro, alone among mainstream antivirus software, flags up Anvisoft’s Anvi Smart Defender Free setup utility as malign, according to results from VirusTotal.

Western antivirus firms, at least, generally have a policy of not employing former malware writers. Aside from presenting a negative image to potential customers, and sustaining the myth that antivirus firms employ an underground army of virus programmers to ramp up demand for their products, VXers are thought to be ill-suited to life in an antivirus firm.

Not only have they shown themselves to have dubious morals but from a purely practical view the skills required to write a decent antivirus program are not the same as those necessary to construct modern malware.

Almost all Western antivirus firms have a standing ban on employing anyone mixed up in malware for reasons explained in greater length by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/anvisoft_chinese_intrigue/

Beware the malware-tipped SPEAR TRAP in your inbox

The vast majority (91 per cent) of targeted attacks begin with a spear phishing email, according to a new study by Trend Micro.

Spear phishing is a form of phishing that makes use of information about a target to make attacks more specific and “personal”. These attacks may, for example, refer to their targets by their specific name, rank, or position at the organisation instead of using generic titles common in broader (consumer focused) phishing campaigns. The end goal is usually to trick prospective victims into opening a malicious file attachment (in 94 per cent of cases) or to follow links to an exploit-laden site.

The most commonly used and shared file types accounted for 70 per cent of the total number of spear phishing email attachments during the period of Trend’s study, between February and September this year. The main file types were: .RTF (38 per cent), .XLS (15 per cent) and .ZIP (13 per cent). Executable (.EXE) files were not as popular among cybercriminals, most likely because emails with .EXE file attachments are usually detected and blocked by security products at the edge of corporate networks, long before they reach the in-box of prospective marks.

Targeted attacks are often malware-based and designed to infect networks, stay resident, explore, further infect and steal information. This information can be anything from emails to technology blueprints, policy documents or research.

Aside from spear phishing, other tactics that have been noted in targeted attacks include the use of removable media (USB, CD etc) and theft of credentials giving access to systems and networks (eg, VPNs).

Spear phishers most frequently target government and activist groups. Details of government agencies and appointed officials are often posted on public government websites. Members of activist groups are often active in social media, and are also quick to provide member information in order to facilitate campaigning or recruit new members. As a result, three out of four of the targeted victims’ email addresses were easily found through web searches or using common email address formats.

The percentage of malicious attachments in emails has been in steady decline over recent years. But the researchers insist this trend is likely to reverse itself, bringing with it extra spam and the need to redesign corporate defences, according to Trend Micro.

“We fully expect to see a resurgence of malicious email as targeted attacks expand and evolve,” said Rik Ferguson, director of security research and communications at Trend Micro. “Experience has shown us that criminals continue to abuse tried and trusted methods to directly leverage intelligence gathered during the reconnaissance for targeted attacks.”

“We have also seen that targeted attacks are evolving and expanding. The abundance of information on individuals and companies makes the job of creating extremely credible emails far too simple. It’s a part of a custom defence that should not be ignored.”

Trend’s study can be found here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/spear_phishing/

Data cop slap for Brit text pests

The two owners of a rogue marketing firm have to cough up £440,000 for spamming UK mobiles with millions of texts over the last three years.

The Information Commissioner’s Office (ICO) made its first use of new powers to levy heavy fines for serious breaches of the UK’s Privacy and Electronic Communications Regulations (PECR) against the two owners of Tetrus Telecoms, Christopher Niebel and Gary McNeish.

The ICO launched an investigation against Tetrus Telecoms in May 2011 after receiving a tip-off that the firm was sending huge volumes of unsolicited text messages from offices in Stockport and Birmingham, without the consent of the recipient and without identifying the sender – both legal requirements under the PECR. Replies to junk messages about PPI and personal injury claims earned the duo an estimated income of £7,000 to £8,000 a day in affiliate marketing income from claims-marketing firms and other pondlife.

More than 400 complaints about spam texts received by the ICO have been linked to Tetrus.

The ICO’s investigation included raids at Tetrus Telecoms’ Stockport premises, in August 2011, and the Manchester home of Niebel, in February 2012. Tetrus was using unregistered pay-as-you-go SIM cards to send out as many as 840,000 illegal text messages a day.

Examples of the text messages sent out by Tetrus Telecoms include:

  • CLAIM TODAY you may be entitled to £3500 for the accident you had. To claim free, reply CLAIM to this message. To opt out text STOP. Thank you
  • URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim reply ‘YES’
  • You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP

Leads generated from the dodgy texts were sold to rogue companies claiming to offer payouts for accidents a person has never had or Payment Protection Insurance (PPI) claims that they are not necessarily entitled to.

Niebel and McNeish are reckoned to have made hundreds of thousands of pounds in profit since Tetrus was set up in December 2009.

Niebel has now been ordered to pay a penalty of £300,000, while McNeish, who appears to have taken less out of the business, has been fined £140,000.

The pair also face potential prosecution from the ICO for failing to notify it that Tetrus Telecoms was processing personal information, a legal requirement for organisations under the Data Protection Act.

Information Commissioner, Christopher Graham, said: “The two individuals we have served penalties on today made a substantial profit from the sale of personal information. They knew they were breaking the law and the trail of evidence uncovered by my office highlights the scale of their operations.”

The ICO is also currently considering issuing penalties to three other companies suspected of illegal text spamming. The data privacy watchdog is working with network providers to trace text spammers and with the Ministry of Justice to target claims management companies who purchase marketing information breaching the Data Protection Act, as well as electronic marketing regulations.

“The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls and we are currently cracking down on the companies responsible, using the full force of the law,” Graham said.

“In March we set up a survey on the ICO website so people can tell us about any unwanted texts and calls they have been receiving. So far we have received over 60,000 responses. We know the majority of these messages and calls have been made by companies who try to remain anonymous in the hope they can profit by selling personal information to claims management companies and other marketing organisations. We are using the information provided by the public to identify those responsible,” he added.

The ICO advises consumers not to respond to text messages with unspecified senders.

An ICO statement explaining how spam texters make a lucrative income, as well as providing more information on the Tetrus enforcement action, can be found here.

Neil Cook, CTO at message security firm Cloudmark, said that the problem of unregistered pay-as-you-go SIM cards being used to send unsolicited spam messages is continuing to grow:

Cloudmark has noticed a 10x increase in reports from UK subscribers since 2011.

I welcome the ICO’s decision to fine the pair found to be sending unsolicited text message spam, and I hope that this will help to deter anyone currently operating or thinking about operating similar schemes.

Users who receive unsolicited text messages should consider forwarding the messages to the shortcode “7726”. “This will help the mobile operators to take action against the individuals and companies responsible for sending the messages,” Cook explained. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/text_spam_megafine/

Microsoft STALKS YOU even more than supermarkets do, says dev

Web-tracking is rife on technology vendor websites, with Microsoft among the worst offenders. Tech sites serve up even more trackers than the average online retailer, say browser privacy plug-in devs.

Trackers follow surfers after they visit a website to serve behavioural ads elsewhere online. The technology started in the world of online retail but has recently moved into other areas, such as technology, travel and entertainment websites.

The developers behind ad-tracking browser plug-in Ghostery said they’d logged 137 different trackers on the Microsoft website and 107 on Apple’s site, while they logged 66 on Samsung’s site and 65 on HP’s. Dell has 106. All of these tech sites make greater use of trackers associated with behavioural advertising than specialist retail sites such as Tesco (64), John Lewis (46) and Dabs (12).

Some trackers are associated with website analytics but others are more focused on delivering behavioural ads, and are therefore a bigger privacy concern. Higher numbers of web trackers (Ghostery only counts third-party tools) means more data is being collected and that a website is partnering with more third-party web marketing firms.

Andy Kahl, director of consumer products at the Ghostery division of software developers Evidon, explained that tracking tags collect information about users. Technology sites tend to make more use of tracking tags than retail or travel sites because IT firms have “greater exposure and familiarity” with web tracking technology, according to Kahl.

Tracking tags come in various flavours.

“Tracking tags work to measure a user’s interests to help match advertising on other sites and/or to help the site’s publisher understand the audience that is drawn to their page,” Kahl explained. “Some trackers, which we call behavioural beacons and analytics scripts, do only that – you can’t even see them (they take up only a single pixel on the page).”

“Other scripts actually deliver the ads you see (but still collect data in the process), and still others provide some sort of page functionality, such as a social network Like or Share button, or an embedded video. These are all provided by some other company than the site that you’re viewing, and data about what you’re seeing and sharing is sent back to these companies.”

Ghostery is a free browser plugin that consumers can use to identify third-party trackers on the sites they visit, by keeping track of invisible tags on websites that track internet activity. The software is also available as an iPad and iPhone app. The technology is broadly compared to AdBlock Plus, although Ghostery argues it provides more detail on trackers and more granular controls.

The technology gives its more than 16 million users a breakdown of the ad networks, behavioural data providers, web publishers, and other companies interested in their activity. Users have an option to block ad trackers on a case-by-case basis. Only half the users of Ghostery block any ad trackers at all, according to Kahl. “What tends to get blocked is annoying ads and bothersome pixels,” Kahl explained. “What goes unblocked is Facebook Like buttons, Twitter tags and video links – trackers that people feel have some value.”

The EU ePrivacy directive has brought attention to the existence of web-tracking, but consumers remain largely clueless about the extent to which their data is used. Ghostery aims to close this knowledge gap, making the web more transparent and giving consumers a way of controlling behavioural tracking.

The annual UK revenue from behavioural advertising is between £64m and £95m, according to figures (PDF) from the Office of Fair Trading.

The targeted advertising industry likes to compare itself to a friendly local shopkeeper who knows his or her customers but that analogy breaks down online, according to Kahl.

“When the local butcher shows familiarity with me, I understand how that familiarity was built and I’m comfortable with the relationship. But online, I don’t know how a website knows which shoes or trousers I was browsing about earlier,” Kahl explained. “The problem is not the data… the problem is that the process of collecting and using that data was not transparent, and I didn’t have a choice about it.”

“That’s what tends to make consumers uncomfortable online – it’s not so much that you know I was shopping for shoes, but that those shoes are somehow following me around the internet, even when I’m not looking at anything related to shoes,” he added.

Ghostery has an infographic that describes the most common tracking technologies and tags.

“Technology companies and the sites that partner with them need to do a better job of helping consumers understand how the process works,” Kahl concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/web_tracking/