STE WILLIAMS

Australian cops bust Romanian credit card thieves

Australia’s Federal Police (AFP) has triumphantly announced it has brought a gang of Romanian credit card fraudsters to heel, but not before the criminals purloined half a million credit card numbers from small Australian retailers.

Detective superintendent Brad Marden, the AFP’s national co-ordinator for cybercrime operations, told The Register the gang targeted small retailers likely to be ignorant of security and used three techniques to pull off the heist.

The first was using remote desktop management software to infiltrate retailers’ PCs, an exploit made possible by the fact whoever installed it had not changed the default passwords.

“The stores relied on local consultants who were not experts on PCI-DSS; they just wanted to set up a simple small business network,” Marden explained. That left RDP ignored and open to attack.

The second issue was un-patched point of sale software.

The third vulnerability that made the attack possible was an insecure point-of-sale PIN pad that Marden said was in the process of being addressed by banks, which issue the devices.

Once attackers were able to access PCs through RDP they were then able to operate the point of sale software and access credit card numbers collected from the PIN pads.

Marden said 46 of the 100 PCs known to have been hit offered sufficient evidence of the source of the hacking and that Australia’s banks gathered evidence to help the force pursue the case.

Both vulnerabilities have since been addressed and an education campaign has commenced to inform small retailers about the need to update their software and hardware.

The gang came to the AFP’s attention in June 2011 and the revelation of its activities set in motion a 13-nation effort that yesterday culminated in the detention of 16 people, among them champion Graeco-Roman wrestler and mixed martial arts practitioner Gheorghe ‘The Carpathian Bear’ Ignat, according to the ABC.

The Carpathian Bear was not one of seven people arrested over the matter, which saw $AUD30m of purchases made with purloined credit card numbers. Those transactions took place around the world.

Gheorghe ‘The Carpathian Bear’ Ignat (image source: Wikipedia)

The AFP says those purchases were made with 30,000 credit cards, but that the gang managed to get its hands on half a million.

Australian financial institutions have made sure punters aren’t out of pocket, refunding them for fraudulent purchases.

The news may not be as good for the retailers, as contracts offered by banks down under can make them liable for fraudulent transactions if they’ve not taken all requisite safeguards to protect credit cards. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/australian_federal_police_bust_romanian_credit_card_fraudsters/

US software firm hacked for years after suing China

A Californian software company which sued the Chinese government for pirating its flagship content filtering product has revealed how it was targeted by hackers from the People’s Republic for the three years of the resulting legal proceedings.

Santa Barbara-based Solid Oak Software filed the civil lawsuit against China after discovering thousands of lines of code from its parental filtering CYBERsitter had been lifted and used to develop the Green Dam Youth Escort – Chinese software which was originally intended to be rolled out nationally by the government.

Just 12 days after Solid Oak founder Brian Milburn went public with his intentions, the hackers began targeting his employees with a view to infiltrating the company, gleaning intelligence about the court case and disrupting sales as much as possible, Bloomberg reported.

“It felt like they had a plan,” Milburn told the newswire. “If they could just put the company out of business, the lawsuit goes away. They didn’t need guys with guns or someone to break my kneecaps.”

The attackers made initial incursions with spyware hidden in malicious email attachments and were soon able to remotely control PCs and switch on webcams to spy on individuals. They also apparently went after Solid Oak’s law firm in the hope of lifting documents which they believed may have helped in the upcoming court case.

Solid Oak’s web and email servers were also targeted, frequently crashing several times a day, and the small family-run business dived into the red as customers looking to buy the software online were not able to complete their transactions thanks to some tinkering with the script that controlled payment processing, Bloomberg said.

Forensic investigators told the newswire that the malware and attack toolkits they found on Solid Oak’s network and servers were unique to Chinese hackers known as the Comment group – a gang fingered for attacks on Coca Cola and others revealed earlier this month.

In the end Solid Oak survived by the skin of its teeth, with Milburn and his staff forced to share documents on webmail and Dropbox in an attempt to thwart their foes.

Within two months of a settlement in the case, the attacks reportedly stopped. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/29/solid_oak_china_hacked_three_years/

Anti-Israel hackers leak nuclear watchdog email addresses

The UN’s International Atomic Energy Agency (IAEA) has admitted to suffering a data breach that leaked the email addresses of more than 150 people allegedly involved with Israel’s nuclear weapons program.

A hitherto-unknown hacker group calling itself Parastoo claimed responsibility for the breach in a statement released to Pastebin on Tuesday, saying, “You will be hearing game changing news from us frequently from now on.”

“Parastoo” is a Farsi word meaning “swallow” – as in the bird – and it’s also a fairly common Persian girls’ name. Both facts suggest Iranian involvement with the hack, although Iran is not specifically mentioned in the group’s statement.

The statement, written in wobbly English and typed in all caps, focuses on Israel’s nuclear program, and in particular the “activities at Dimona.” Dimona is an Israeli city that is the site of the Negev Nuclear Research Center, a top-secret facility that is widely believed to be involved in the manufacture of nuclear weapons.

“Israel owns a practical nuclear arsenal, tied to a growing military body and it is not a member of internationally respected nuclear, biochemical and chemical agreements,” Parastoo’s statement reads.

Israel itself has never officially admitted to having nuclear weapons, choosing instead to maintain a policy of deliberate ambiguity on the issue, but it is believed to have had an operational nuclear arms capability since as early as 1967. It also has not signed the international Non-Proliferation Treaty.

Parastoo’s statement goes on to list 167 email addresses that the group claims to have extracted from a server at an IP address owned by the IAEA in Vienna, followed by a threat:

We ask these individuals to sign a petition demanding an open IAEA investigation into activities at Dimona. We would like to assert that we have evidences showing there are beyond-harmful operations taking place at this site and the above list who technically help IAEA could be considered a partner in crime should an accident happen there. In such case, many people would like to at least ask some questions and Parastoo will publish whereabouts of every single one of these individuals alongside with bits of helpful personal and professional details.

The group closed its statement with a variation on Anonymous’ well-known catchphrase, reworked as another veiled threat against the individuals whose personal information it has obtained: “You are not anonymous. Expect us.”

If Parastoo is in fact an Iranian group, its activities could be seen as a primitive form of payback. Iran’s own nuclear program has been hampered by repeated cyber-attacks in recent months, with the US and Israel widely considered to be the culprits. While those incidents involved sophisticated malware, however, the IAEA leak appears to be the result of a bog-standard web exploit.

For its part, the IAEA appears to be taking the incident in stride. On Tuesday, Reuters reported IAEA spokeswoman Gill Tudor as saying the agency “deeply regrets” the leak, but that the information disclosed was taken from “an old server that was shut down some time ago.”

“The IAEA’s technical and security teams are continuing to analyze the situation and do everything possible to help ensure that no further information is vulnerable,” Tudor said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/anti_israel_hackers_leak_addresses/


DNS servers filled with wrong Kool-Aid, big names waylaid in Romania

A hacker today redirected web surfers looking for Yahoo, Microsoft or Google to a page showing a TV test card by apparently poisoning Google’s public DNS system.

Punters and organisations relying on Google’s free service were affected, rather than the websites themselves being compromised.

Visitors to yahoo.ro, microsoft.ro and google.ro were served a message from an Algerian miscreant using the moniker MCA-CRB. Traffic destined for the Romanian websites of Kaspersky Lab and Paypal was also hijacked. Affected web browsers were pointed to a frankly boring message resembling nothing more than a test card and an animated GIF background.

MCA-CRB is a prolific online graffiti artist who has defaced at least 5,000 sites, according to records kept by Zone-H. The latest attack was carried out to gain bragging rights rather than to trouser a profit or stage a political protest.

Costin Raiu, a senior security researcher at Kaspersky Lab, said “the problem is with the Google free DNS servers (8.8.8.8, 8.8.4.4) not with the DNS servers for the specific domains”. His colleague Stefan Tanase believes Google’s public DNS servers were tricked into giving out the wrong IP addresses for the affected domains; one way this attack can be pulled off is by poisoning the web giant’s DNS cache with bogus entries.

Other experts think the problem originates further up the food chain at Romania’s TLD servers.

Catalin Cosoi, chief security strategist at Romanian antivirus firm Bitdefender, explained: “The breach appears to have initially originated at the Romanian TLD, from where the compromised DNS records propagated to DNS cache servers. We believe that the RoTLD breach was carried out in a similar manner as in the Pakistani hack. It is only a supposition, but all signs point to the same group.”

Last week, defaced copies of Google, Yahoo!, Microsoft, eBay and Apple’s Pakistan websites were shown to surfers, again as a result of a DNS hijack. Hackers latched onto vulnerabilities at PKNIC, a Pakistani domain name registrar, and altered records to pull off the attack, Softpedia reported.

Access to the affected Romanian sites was restored by Wednesday lunchtime, except Paypal.ro which proved difficult to reach in any case.

DNS systems translate human-friendly domain names, such as theregister.co.uk, to internet addresses that routers and servers can understand and process. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/google_romania_dns_hack/

Latest scam spam ploy: Bogus pay-by-phone London parking receipts

Bogus “pay by phone parking receipts” doing the rounds by email and targeted at UK users are actually designed to spread malware, security watchers warn.

The spam campaign is designed to trick recipients into viewing a fictitious list of parking transactions, contained in a malicious attachment. “Upon executing the malicious attachment, the malware opens a backdoor on the affected host,” Dancho Danchev, a security researcher at Webroot explains.

Webroot and many other anti-virus vendors have added detection for the malware, Gamarue-I, associated with the campaign. But the safest course is to ignore dodgy emails, which pose as receipts from Westminster City Council.

Sample screenshots of the malware touting spamvertised emails can be found in a blog post by Webroot here.

Westminster City Council actually has a Pay by Phone parking service so the scam messages are more plausible than is normal for malware ruses, especially in cases where recipients of the dodgy messages happen to live in London or have driven there lately. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/pay_by_phone_parking_receipt_malware/

Samsung printers have secret admin account

Some Samsung printers, including models the Korean company made for Dell, have a backdoor administrator account coded into their firmware, says US CERT.

The brief vulnerability notice does not mention which models have the account, but does say “The vendor has stated that models released after October 31, 2012 are not affected by this vulnerability.” That will be a welcome relief for those who acquired a printer in the last month.

US CERT says that someone who gains access to the administrator account could “ … access an affected device with administrative privileges” and that “Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and the ability to leverage further attacks through arbitrary code execution.”

US CERT advises Samsung “… has also indicated that they will be releasing a patch tool later this year to address this vulnerability in affected devices.”

The Register has asked Samsung representatives to confirm the existence of the back door and to explain which devices will need the patch. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/samsung_printers_have_backdoor_admin_account/

VPN ban makes for nervy times behind Great Firewall

Multinationals and foreign web users based in China got jittery on Wednesday after pictures began circulating on the internet which suggested a new clampdown on the use of virtual private networks (VPNs).

While VPNs in the Western world are more commonly used to enhance security, for netizens-in-the-know living in the People’s Republic they represent an essential tool for bypassing the Great Firewall, which blocks many foreign sites and services including Twitter, Facebook and, periodically, Gmail.

As such, they can also be important for the continuing productivity of foreign firms operating inside China, ensuring unfettered access for employees to the world wide web, although just how important will depend on the type of company. However, China Digital Times has got its hands on two photos posted to Google+ last week, which depict signs in a business centre in the Shandong capital of Jinan.

The first, written by the Orwellian sounding “Jinan City Internet Monitoring Team”, warns that some staff have been found “privately logging on to prohibited websites”.

“Upon discovering such activity, the violator’s internet access will be directly cut off and the police will be notified,” it continues.

The second sign apparently reads as follows:

Warning. In order to eliminate access to prohibited websites through use of VPN software by internal staff, starting today, the VPN function will now be disabled. For those who must use a VPN to access the internet, after preparing your file, go to D1 (88885681) and ask a technician to help set up your connection.

There’s of course no suggestion that this hard line approach will be mirrored throughout the People’s Republic, or even throughout Shandong province.

However, it serves to highlight once again the precipitous nature of doing business in China and the unique tech challenges this throws up.

VPN companies were deliberately disrupted and their services blocked during the politically sensitive Communist Party Congress earlier this month, for example.

In addition, reports emerged last year that IT departments in some companies had been forced to warn staff not to use VPNs for accessing overseas web sites as it could result in the authorities black-listing their corporate IP addresses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/china_vpn_great_firewall_censorship_blocked/

Companies House website security ‘a bit of a mess’

Serious security holes in the website of Companies House – the UK database of corporate information – have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were “nothing we weren’t aware of already”. He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems, but he said that three were particularly pressing. First comes the ability to log in as any company (WebCheck/WebFiling) without a username or password. Moore is also highly critical of the “poor SSL implementation” on the site. Lastly, he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He updated his warnings with a video highlighting the alleged vulnerabilities in the site, and the potential impact of these disputed security flaws.

These flaws open the door to corporate identity theft, he warns. Companies House strongly disputes this, but an independent security expert asked by El Reg to review the arguments on both sides said there are reasonable grounds for concern.

“Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess,” Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

“The techniques outlined by [Moore] are certainly not things I expect the average internet user to understand, but they are also not in the category of rocket science. These flaws are not likely to be unknown and anyone with basic penetration testing skills could easily uncover them. We should expect and demand better of our government and those we entrust with our reputations.”

Wisniewski, who added the caveat that he hadn’t created the accounts necessary to personally verify Moore’s claims, concluded that although “by no means are these issues catastrophic”, nonetheless “they should be resolved”.

“It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies,” he added.

Corporate ID theft is an infrequent though not unprecedented scam. Several years ago, for example, UK firms were urged to be on their guard against a then-emerging scam which specifically targeted the Companies House database. The scam was based on changing the registered office of a limited company before ordering goods and services and disappearing before any invoice came up for payment leaving the hijacked firm holding the can.

Fraud detection firm Early Warning told us at the time that three companies (a Kent property company, and an antique dealer and a flooring company, both in London) had fallen victim to the scam.

Fraudsters used the same scam to hijack the identity of a firm owned by billionaire businessman Philip Green in September 2005.

This was seven years ago and doubtless procedures have been applied to block that particular ruse, as evidenced by the lack of other corporate victims since. However the reappearance of similar scams using different techniques calls for constant vigilance.

Pass-time

Moore began investigating problems on the Companies House site after requesting a password reset and receiving a plain text password reminder by return of email. It’s well known in the security industry that this is slipshod practice and recent problems involving retail giant Tesco brought the issue to wider attention. Some pointers on best practice for password resets can be found here.

After receiving an inadequate response to this issue, Moore dived deeper, discovering a myriad of problems in the process.

That was in early October and although over the subsequent weeks Companies House managed to fix XSS (Cross Site Scripting) and XSRF/CSRF (Cross Site Request Forgery) its fix for the password reset issue was itself problematic, according to Moore.

“Companies House no longer send password reminders; instead opting for a more secure technique whereby passwords can be reset using a token sent to the user’s email address,” Moore explained. “In this context, the token should be considered a temporary replacement password, as anyone in possession of it can gain access to the account.”

“As such, it should also be securely hashed (or encrypted at least) to prevent unauthorised use. In order to maintain security, the token should expire immediately after use and within an appropriate time frame (90 minutes in this instance), again to prevent unauthorised use.”

Moore said that the first attempt to remedy the situation only made matters worse.

“Previously, if your email/backups were intercepted, your password would be visible in plain text,” he explained. “That’s clearly a serious risk, but one which can be mitigated by changing your password and securing your inbox. Assuming the hacker hasn’t tampered with the account profile (email address for example) the security of the account should now be restored.”

“Following the changes however, the user’s information/company is still at risk even after the password has been changed and the inbox has been secured. The token doesn’t actually expire, despite the system telling you it had,” he added.
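The token lifecycle Moore describes, as an added illustration that is not Companies House code: only a hash of the token is stored, the token expires after a fixed window (90 minutes, the figure quoted above) and on first use, and issuing a fresh token invalidates earlier ones for the same account. The store, the injectable clock and the user ids are constructed for this example.

```python
"""Single-use, time-limited password reset tokens.

Added example (not Companies House's implementation). The in-memory store
stands in for a database table; `clock` is injectable so expiry can be
exercised deterministically.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 90 * 60  # the 90-minute window quoted in the article


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        # keyed by SHA-256 of the raw token; the raw token is never persisted
        self._records: dict[bytes, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        # The token carries 256 bits of randomness, so a plain SHA-256 is
        # enough to make a leaked row useless; no salt or slow KDF is needed.
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id: str) -> str:
        """Create a token for user_id and return the raw value to e-mail.

        Any earlier outstanding tokens for the same user are revoked, so a
        stale e-mail cannot be used after the user has requested a new one.
        """
        for h in [h for h, r in self._records.items() if r.user_id == user_id]:
            del self._records[h]
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = ResetRecord(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token for user_id.

        Unknown, mismatched, expired or already-used tokens all return False.
        An expired token is deleted rather than left in the table, which is
        the failure Moore reports: a token the system claims has expired but
        which still grants access.
        """
        h = self._hash(token)
        rec = self._records.get(h)
        if rec is None or rec.used or rec.user_id != user_id:
            return False
        if self._clock() >= rec.expires_at:
            del self._records[h]
            return False
        rec.used = True  # single use: a replayed token is refused from now on
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    raw = store.issue("user-42")  # constructed user id
    print("first redeem:", store.redeem("user-42", raw))   # True
    print("replayed:    ", store.redeem("user-42", raw))   # False
```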

Moore also argues that the SSL setup of the Companies House (CH) website is flawed. He said that although most of the information in WebCheck is publicly available (apart from the personal details used to register), the WebFiling system (which allows companies to file returns and accounts, add directors and shares, etc.) is also vulnerable.

“I don’t think it’s sunk in yet,” he said.

Checks on the secure Companies House WebFiling page using GlobalSign’s SSL Configuration Checker, developed using the assessment technology of Qualys SSL Labs, grade the website at a “C”. This is a passing grade but one which shows scope for improvement, as illustrated by the results of the publicly available test.

Moore has engaged in extended dialogue with developers and others at Companies House in an attempt to get the alleged vulnerabilities fixed. Although a professional security consultant he said that he acted only as a concerned citizen and business owner and was not seeking to get work from Companies House.

“I’m releasing this information purely to protect businesses and raise awareness, not for financial gain,” Moore told El Reg.

Taken together the alleged failings suggest shortcomings in the web development and testing process at the government agency.

Days after Moore published his video, in response to a request for comment by The Register, a Companies House spokesman supplied us with an updated statement.

I would reiterate that nothing that was raised by Mr Moore was not already known to us and, where necessary, actions were in train to address matters. Indeed a number of issues have been definitively addressed since we last corresponded. A number of assumptions were made without knowledge of our infrastructure or additional security controls.

We would not wish to discuss these in any public forum for obvious reasons but it remains the case, as we have stated on a number of occasions, that we do take security seriously and any issues raised by customers or other sources are examined and necessary mitigation put in place. This is not just a trite phrase but a matter all public agencies take seriously.

Companies House provides services that allow limited companies in the UK to be either incorporated or dissolved. It also stores company information delivered under the Companies Act and related legislation, such as accounts, and makes this information available to the public. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/28/companies_house_website_security/

Bradley Manning to speak in public for first time in two years

US Army private Bradley Manning will speak publicly for the first time in two years, when he’s called as a witness in a pre-trial hearing later today.

Manning, who is accused of “aiding the enemy” by handing over army secrets to Wikileaks, is expected to be called to testify at Fort Meade army base in a hearing that’s expected to last until this weekend. If he’s found guilty when the full court martial kicks off in February next year, he could in theory receive a death sentence, though military prosecutors have stated that this will not be requested. Thus at worst Manning might be imprisoned for life.

His lawyer, David Coombs, is trying to get the case thrown out or at least have any possible sentence cut because of his treatment when he was being held at the Quantico US Marine base in Virginia, according to the Baltimore Sun. Manning, who’s been imprisoned for over 900 days now, was held for nine months in the base before being transferred to the army’s Fort Leavenworth correctional facility.

His legal team say that Manning was held in “the equivalent of solitary confinement” in a cell with no window for the first five months of his time at the Marine base and denied exercise. They also claim that he was woken up every day at 5am and forced to stay awake until 10pm, during which he was not allowed to lie on his bed or lean against the cell wall.

When his harsh treatment in the Marines’ “brig” became widely known, the UN rapporteur on torture, Amnesty International and law experts all condemned it. A spokesperson at the US State department even resigned after criticising the regime in public.

Manning’s supporters also say the length of time it’s taking for the court martial to start is against his right to a speedy trial.

If the judge decides that Manning’s pre-trial treatment isn’t enough to end the court martial, the days that he’s already spent imprisoned could be taken off his new term. Coombs is looking for a ten-to-one credit on days, ten days off for every one served, if the charges against Manning stand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/bradley_manning_witness/