STE WILLIAMS

Steelie Neelie admits laptop hack during IGF

Two laptops used by European Commission officials were pinched last week in Azerbaijan’s capital Baku during the Internet Governance Forum, Digital Agenda commissioner Neelie Kroes has revealed.

In a blog post at the weekend, Kroes explained that she was in two minds about attending the summit, held this year in the gas and oil-rich country, because the Azerbaijani government has “a very troubling attitude to freedom and democracy”. She added the following:

When the IGF comes to town, radical change often follows. Because, when empowered, connected citizens press for greater freedom. As happened in Tunisia and Egypt in the years after they held this conference.

But on the other hand I was denied access to meet political prisoners, despite a commitment from the President himself. Activists were harassed at the internet conference. My advisers had their computers hacked. So much for openness.

The attack in question targeted the MacBooks of Kroes’ spokesman Ryan Heath and a second colleague while they were in their hotel. Heath told AP they received a warning message from Apple that the computers had been accessed by a third party.

“I’m presuming it was some kind of surveillance,” he told the news wire.

“What we’re going to do is to get the computers forensically analysed to see what if anything was taken out of them.”

The Azerbaijani administration has since hit out at Kroes, claiming her accusations were made to deliberately undermine the event organisers, and the country’s good name.

“We state beforehand that there was no such interference, and couldn’t have been,” head of Azerbaijani Presidential Administration Social and Political Department, Ali Hasanov, told local news site Trend.

“If Kroes and her assistant really believe that there was interference in their computers, then please let them turn to the Azerbaijani Prosecutor General’s Office. A criminal case will be filed and investigation will be launched based on this appeal.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/13/ec_kroes_hack_azerbaijan_igf_macbook/

New report warns of SCADA CYBERGEDDON*

The industrial control system fright machine is getting another kick along today, via a survey by Russian vendor Positive Technologies.

The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet” can be easily hacked, half of the vulnerabilities the company found allow the execution of arbitrary code on the target system, one-third of vulnerabilities arise from poor configuration such as using default passwords, and one-quarter are related to users not installing security updates.

The study was based on an analysis of vulnerabilities announced on sources such as ICS-CERT, Bugtraq, vendor advisories, and similar lists.

While the most basic datum – the number of vulnerabilities announced – isn’t surprising (98 in 2012 compared to 64 in 2011, and only 11 in 2010), The Register would note that nobody paid serious attention to SCADA and industrial control security until shocked into action by Stuxnet.

Similarly, while Siemens’ position at the top of the list (with 42 identified vulnerabilities) looks bad, it’s because the vendor has instituted a vulnerability assessment program designed to discover problems in its ICS. The report notes that Siemens has fixed 88 percent of published vulnerabilities (at the top of the list is Advantech with 91 percent of vulnerabilities fixed, compared to Schneider Electric at 56 percent).

However, assessing the risk posed by these vulnerabilities is less easily done. For example: while the study claims that all of the “internet-visible” ICS it identified in Switzerland are vulnerable, that country accounts for less than two percent of the total sample (El Reg also notes that the sample size is unknown).

Without any clear indication of the extent of Positive Technologies’ test, beyond identifying whether a route existed to a device, it’s impossible to discuss whether any of the “Internet-available” devices are secured in any way. ®

Bootnote: Australian admins can, perhaps, breathe a sigh of relief of some kind: the analysis doesn’t report any vulnerable systems down under. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/scada_vulnerability_study/

English Defence League website ‘defaced, pwned’ by hacktivists

Hacktivists claim to have hacked and defaced the website of the far-right group English Defence League.

The englishdefenceleague.org site remains unreachable on Monday morning following a claimed assault by ZHC (ZCompany Hacking Crew). The Pakistani hacking crew claims to have gained access to Gmail accounts owned by EDL administrators before using donated funds to book expensive hotel rooms. Screenshots posted to substantiate this claim are inconclusive.

The defacement (archived by defacement mirror zone-h.org here) lambasts the EDL for its militant Islamophobia and racism. Defenceleagueclothing.co.uk was defaced with the same message. Both sites run Apache on Linux. It’s unclear how they were hacked.

ZHC, which accuses leaders of the organisation of using donations for their own personal benefit, also claims to have deleted the EDL’s Facebook page. There are several EDL pages on Facebook and one of the main ones, with more than 37,000 members, appeared to be working as normal on Monday morning.

A Zcompany Hacking Crew News page on Facebook boasted on Friday: “We told you EDL we will hack your facebook page we did it. We told you we will hack your website, we have done it today. EDL official website englishdefenceleague.org hacked and defaced. Expect more ;)”

The hackers threatened that “details of supporters and donors of EDL will be made public soon”, cyberwarnews.info reports.

ZHC’s manifesto against the EDL can be found on YouTube here. The attack fits the pattern of ZHC’s previous attacks, which have included hundreds of defacements, many semi-automated.

The weekend’s activities are not the first time the EDL website has been targeted by the controversial organisation’s political opponents. Last year its forum was hacked by TeaMp0isoN, another hacktivist crew. The incident resulted in the alleged theft of the group’s membership list, which TeaMp0isoN claimed was a result of its hack attack on EDL’s website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/edl_hacked/

Did hackers uncover Petraeus’ saucy affair webmails before FBI?

FBI agents may not have been the first to rumble the affair between CIA director David Petraeus and his biographer that led to the four-star general’s resignation on Friday.

Anyone with a copy of the leaked Stratfor databases, a half-decent PC, some political nous and a barrel of luck could have uncovered the fling months ago, it has emerged.

Paula Broadwell, the former spy chief’s mistress and biographer, was a customer of Stratfor, the private intelligence outfit that was attacked by Anonymous hackers last year. Buried in the megabytes of subsequently leaked information was Broadwell’s Yahoo! email address and her hashed Stratfor login password.

A security researcher says he spent the weekend recovering her original password from the MD5 hash, or at least a passphrase that will generate an identical hash value, using a brute-force approach and 17 hours of number-crunching on his computer. If the password is indeed the same one she used for Stratfor, and she also used it for her Yahoo! account, then anyone before now could have used the information at hand to compromise her webmail and follow a trail of messages to her illicit liaison with America’s spook supremo.

How a top general came to fall on his sword

Petraeus, 60, resigned on Friday after the Feds discovered his dalliance with Broadwell, a married 40-year-old former military officer. An FBI probe was launched months ago when another woman alleged Broadwell had sent her “harassing” emails, the New York Times reports. This is contrary to earlier reports suggesting agents began monitoring the spy boss’s personal Gmail account over concerns it had been compromised by Chinese hackers.

An anonymous “senior US military official” named Jill Kelley, a 37-year-old from Tampa in Florida, as the woman who complained to the FBI; she is an executive on the State Department’s liaison to the military’s Joint Special Operations Command, and is known to both Petraeus and Broadwell.

It is alleged Broadwell used her [email protected] address to send unpleasant emails to Kelley, possibly perceiving her as a love rival, that included extracts of sexually suggestive messages copied from a Gmail account set up by Petraeus. The emails sent to Kelley warned her to “stay away from” the general, the Wall Street Journal claims. This linked the complaint to Petraeus, a breadcrumb trail picked up by investigators – and potentially anyone else who was able to log into the Yahoo! account.

Cracking her Stratfor password – and potentially unlocking her Yahoo! inbox too

Broadwell’s Stratfor password was fairly strong; if it was one character longer, it would have been beyond the grasp of security researcher Robert Graham of Errata Security. He used a cracking utility called oclHashcat and a GPU accelerator to brute force the original password from its MD5 hash value, or at least a phrase that would generate the same value, eventually finding out the password after 17 hours of exhaustive crunching.

It is possible she used the same combination of eight characters elsewhere, perhaps even for her Yahoo! account. This would have given anyone who cracked her password a way to access her webmail, assuming they had decided to target Broadwell months before she hit the headlines.

However, Graham can find no reference to the password after a Google search, suggesting that if a hacker had compromised the password then it wasn’t an Anonymous or LulzSec bod, who often like to brag in public and reveal stolen credentials.

Graham said his exercise in cracking Broadwell’s password was justified because her account and password had already been blown.

Meanwhile some are beginning to speculate that Google’s location tracking of IP addresses of Gmail accounts might have betrayed the identity of the adulterous CIA chief. The Atlantic reports Petraeus used a pseudonym to set up his private Google mail account, but this didn’t prevent his identity from being gleaned by investigators monitoring Broadwell’s email accounts. It is believed that rather than exchanging emails, the two lovers swapped explicit messages using shared access to the same Gmail account.

Tinker, tailor, shagger, spy

Petraeus’ affair with Broadwell began after the former architect of the US counterinsurgency strategy in Iraq retired from the military and joined the CIA last year, according to a former aide.

Petraeus has been married for 37 years to Holly Petraeus and the couple have two children, including a son serving in Afghanistan. Justice Department and high-level administration officials, including Attorney General Eric Holder, have reportedly been aware of the investigation into Broadwell since spring but things only came to a head over the last fortnight.

FBI agents interviewed Petraeus, who admitted the fling. A report was submitted to Director of National Intelligence James Clapper last week by the Feds. They noted no crime had been committed, but the spy chief nonetheless understood his position was untenable.

In a resignation statement, Petraeus said:

Yesterday afternoon, I went to the White House and asked the President to be allowed, for personal reasons, to resign from my position as D/CIA. After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair. Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours. This afternoon, the President graciously accepted my resignation.

Lawmakers left in the dark are beginning to raise questions over the Petraeus affair and the timing of his resignation days before an important hearing. Petraeus was due to testify before Congress regarding the Obama administration’s handling of a terrorist attack in Benghazi that led to the death of four Americans, including US ambassador Chris Stevens.

“We received no advanced notice. It was like a lightning bolt,” said Democratic Senator Dianne Feinstein of California, who heads the Senate Intelligence Committee, AP reports.

Some commentators are upset Petraeus has been obliged to resign for behaviour that in other Western countries may have passed almost without notice. Predictably the whole business has quickly become a butt of jokes.

Patriot hacker th3j35t3r joked: “Give Petraeus a break, having sex w/ ur biographer is unquestionably more exciting than having sex w/ ur autobiographer. Right #assange?” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/cia_boss_resignation_webmail_intrigue/

iPhones now ‘safe’ for Restricted UK.gov info, but not Secret

UK government departments have a green light to use iPhones and other iOS 6 devices for handling sensitive emails. The move may encourage civil servants and ministers to toss their BlackBerries to the wind, provided they don’t have to read anything that’s more than mildly important.

For years RIM’s BlackBerry handsets were the only mobile kit accredited for accessing sensitive information by the Communications-Electronics Security Group. CESG is a GCHQ branch tasked with shoring up computer defences in banks, power stations and other critical systems in Blighty.

But the long-term viability of RIM, which has suffered a steady decline in smartphone market share, and improvements in the security of the iPhone operating system iOS have prompted a rethink on the use of Cupertino’s Jesus mobe in government.

In a statement, CESG explained that it updated its guidance on the suitability of iOS 6 devices (available for the iPhone 3GS onwards, and iPad 2 and later models) to support the handling of sensitive emails:

CESG is currently working on updates and enhancements to a number of our mobile security guidance documents. As part of this work CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails – up to and including Impact Level 3 depending on local risk management decisions. The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working.

Government emails and documents are categorised into one of seven levels that describe the impact caused were the file to leak – from zero for no impact to six for severe. Level 3, now appropriate for accessing with iOS 6 devices, sits in the middle of this spectrum. Typically, information deemed protected, restricted, confidential, secret or top secret falls into levels 2, 3, 4, 5 and 6, respectively.

CESG recommends iPhones and iPads running the latest system of iOS are fortified with additional defences: network monitoring and protections need to be extended, and users should switch on security features bundled in iOS 6.

UK government departments use as many as 20,000 BlackBerry devices which are still considered secure – but the gap between RIM’s and Apple’s software is narrowing. iOS6 on its most restricted settings, perhaps enforced by third-party tools, is now considered a viable option for sensitive emails, at least.

Full device encryption; remote-wiping capabilities so data can be purged from lost or stolen devices; rock-solid separation of software into sandboxes; an operating system free of security holes; and locking down apps to prevent users from installing leaky apps are key features in any mobile OS to make it suitable for use in either government or large enterprises.

The government is also reportedly considering whether to open up the option of using smartphones running either Android or Windows mobile to handle sensitive information. This fits with the wider bring-your-own-device trend that IT managers in corporates have been grappling with for some months. Corporate security managers we’ve spoken to tend to accept the need to support email and calendar functions on users’ own smartphones, tablets or laptops. Instant-messaging apps can sometimes fall into this category.

However corporates are far more reluctant when it comes to opening up sales, enterprise resource planning and supply-chain applications to phones they don’t own.

Rik Ferguson, director of research at net security firm Trend Micro, told El Reg that the quality of the mobile device management features bundled with iOS is approaching the sophistication of the security features built into BlackBerry’s technology, which hasn’t been updated for some months.

Although iOS started off as a consumer technology, it is now possible to turn off features such as iCloud backups, which would be a concern for any enterprise worried about keeping control of sensitive information in its own hands. It’s also possible to disable applications like Siri and prevent the installation of new unapproved apps, among other features explained in greater depth in a security guide from Apple here.

Trend Micro’s audit of the security of mobile operating systems earlier this year found BlackBerry to be the most secure, followed by iOS, Windows Mobile and Android.

Android is moving towards offering enterprise-friendly security features but is further back on this path than iOS. For example, Android only recently supported full device encryption. “iOS is a tight ship and closed but with Android there’s no uniformity,” according to Ferguson.

Windows Phone is “unproven” while the multiplicity of different versions of Android mean that any government accreditation would be for a specific version of the OS on a specific smartphone, according to Ferguson. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/iphone_uk_government_approval_pending/

Hong Kong web host jailed for DDoS stunt

A Hong Kong IT business owner has been banged up for nine months after launching distributed denial of service (DDoS) attacks on a Hong Kong Stock Exchange web site in a botched attempt to market his firm’s anti-DDoS service.

Tse Man-lai, the 28-year-old owner of local web hoster Pacswitch Globe Telecom, was found guilty of launching the attacks on the HKExnews site on August 12 and 13 last year, according to South China Morning Post.

The site is the stock exchange’s official platform for company announcements and so a high-profile target for those looking to disrupt the Special Administrative Region’s financial stability.

Tse’s attacks followed two arguably more serious DDoS blasts from outside the region on August 10 and 11, which forced the exchange to shut down the site and suspend trading in seven firms including HSBC and Cathay Pacific.

Tse was apparently trying to prove that HKExnews was still vulnerable to DDoS, and his attacks only lasted 390 seconds and 70 seconds, respectively.

He followed them up with a web forum post entitled “Ernest Networking teaching”, where he criticised the HKSE’s web infrastructure and tried to promote his firm’s own DDoS mitigation service.

Former Hong Kong legislative council member for the IT Functional Constituency, Samson Tam, even wrote to defend the Pacswitch owner, apparently arguing that his actions had “advanced” IT in Hong Kong.

Judge Kim Longley apparently didn’t agree, however, as the misguided marketing stunt earned the Tin Shui Wai resident the best part of a year in the slammer.

DDoS attacks are still a popular tool for blackmailers and hacktivists in Hong Kong.

Six cyber extortionists were arrested in July on the mainland after targeting 16 Hong Kong-based firms including the Chinese Gold Silver Exchange with classic DDoS-related blackmail.

In August an alleged Anonymous member was cuffed in Hong Kong after threatening to disrupt local government sites, while an overwhelming surge of data traffic was thought to have deliberately sabotaged the Miss Hong Kong competition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/hong_kong_ddos_marketing_blunder/

One in four don’t clean their stinky old browsers

Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.

The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release – the remaining third are using even older code.

Internet Explorer is the most popular browser (used by 37.8 per cent of consumers), closely followed by Google Chrome (36.5 per cent). Firefox is in third place with 19.5 per cent.

Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.

Old-codgers Internet Explorer 6 and 7, with a combined share of 3.9 per cent, are still used by hundreds of thousands of punters worldwide.

Andrew Efremov, director of whitelisting and cloud infrastructure research at Kaspersky, said: “Our new research paints an alarming picture. While most users make a switch to the most recent browser within a month of the update, there will still be around a quarter of users who have not made the transition. That means millions of potentially vulnerable machines, constantly attacked using new and well-known web-born threats.”

Even though application and operating system developers can be swift to fix security holes and release new versions, clearly not everyone updates swiftly enough. There are enough potential victims to lure in criminals, who exploit vulnerabilities in web browsers and plugins to install malware capable of raiding online bank accounts and worse.

The statistics were drawn from the web usage patterns of 10 million randomly selected Kaspersky Lab consumer customers worldwide, collected during August 2012. The data from business customers does not feature in the study.

Nonetheless, lessons learned from the study are relevant to business. Employees typically lack the privileges to upgrade their work PC software, so it’s the responsibility of the IT dept to juggle rolling out upgrades with ensuring new browser versions are compatible with the business’s apps.

The Russian security firm’s full Global Web Browser Usage and Security Trends report, which includes secure web-browsing tips and recommendations for consumers and businesses alike, is available for download here as a PDF. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/12/outdated_browser_software_kaspersky/

SEC staffers slammed for serious security snafus

There are red faces at the Securities and Exchange Commission after a report highlighted computer security failings by agency staff that forced it to spend $200,000 to check whether it had lost critical information.

Staff at the Trading and Markets Division were found to have stored highly confidential and market-sensitive information on their laptops without any encryption, even when out and about. Some staff attended the Black Hat hacking convention with these unsecured laptops, an act of lunacy given the predilections of the attendees.

The security failings came to light in a yet-to-be-released report ordered by the SEC’s Interim Inspector General Jon Rymer. The report found that the SEC had to hire a third-party computer forensics specialist to go through its data and check to see if anything had been purloined by hackers – it appears that no systems were compromised.

Sources within the SEC said that the staff involved had been disciplined over the security failings following an internal investigation. Rich Adamonis, a spokesman for the New York Stock Exchange, told Reuters that the exchange was “disappointed” at the report’s findings.

“From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information,” he said.

What makes this doubly worrying is that the Trading and Markets Division has a responsibility for checking the security, audit, and disaster recovery systems used in the major equity markets. These policies essentially map out each exchange’s infrastructure in a level of detail that would be a boon to anyone looking to hack the most lucrative markets in the world.

That the SEC attended Black Hat isn’t surprising – but that they didn’t secure their hardware is.

All attendees are warned in the conference materials to lock down their systems before attending, to run full-disk encryption, never use non-conference Wi-Fi, and to change all their passwords after the show is finished.

At this year’s show, for example, a first-time press visitor from a national newspaper was sat down by the Black Hat flacks and had the rules explained to him in such frightening terms that he nearly reverted to note-taking with pencil and paper.

Hacking attendees’ systems is actually frowned upon at Black Hat. The conference is keen to stress that it has grown up and that such behavior is seen as a breach of etiquette – but it goes on nevertheless.

But what’s really worrying is whether the SEC staffers stayed on after Black Hat to attend the Defcon event that’s held afterwards.

Every Defcon runs the Wall of Sheep, where teams of volunteers passively scan systems that log onto the conference network for insecurities. The publicly displayed list shows the names, passwords (partially blacked out), domains, and applications of hacked systems, and those caught out receive some very humbling ridicule and a helpful reminder to be smarter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/09/sec_security_snafu/

Bloke flogged $1.2m of pirated Microsoft gear on eBay, say Feds

A US man has been charged with selling counterfeit Microsoft software valued at more than $1.2m.

Bruce Alan Edward, 48, of Atlanta, Michigan, is accused of five counts of criminal copyright infringement, and one count of mail fraud, over the alleged resale of pirated software sourced from the far East.

According to his charge sheet, Edward unlawfully distributed Microsoft Office 2003 Professional and Microsoft Windows XP Professional by purchasing dodgy copies of the products from China and Singapore, and then sold the software through auctions on eBay.

Edward allegedly made at least $140,000 through selling more than 2,500 copies of Microsoft programs between May 2008 and September 2010 before he was arrested.

If convicted, Edward faces up to 45 years in prison and $1.5 million in fines.

US prosecutors are seeking a forfeiture order that would allow them to seize any criminal proceeds and “any property used to commit the alleged criminal activity”, according to a Department of Justice statement. Edward was brought before the district court of Eastern Michigan on Thursday under an indictment agreed by a grand jury late last month.

Lawyers from the department’s computer crime and intellectual property section and the US Attorney’s Office for the Eastern District of Michigan teamed up to prosecute the case, which was investigated by the National Intellectual Property Rights Coordination Center task force as well as investigators from the US Immigration and Customs Enforcement division of Homeland Security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/09/ebay_counterfeit_ms_software_prosecution/

Windows 8, Surface slabs ALREADY need critical security patch

Microsoft will release critical updates for Windows 8 and other software on November’s Patch Tuesday next week. The upgrades will arrive within weeks of the Win 8 launch at the end of last month.

All supported versions of the Windows operating system from XP SP3 up to and including Windows 8 and Windows Server 2012 will need patching to close three security holes that enable hackers to execute malicious code remotely on vulnerable systems. The fourth critical patch will address a vulnerability in Internet Explorer 9 on Windows 7, Vista and Server 2008.

Two of the updates this month will also patch Windows 8 RT as used in Microsoft’s new Surface tablet laptop fondletops.

Redmond’s security gnomes have also lined up an “important” update that corrects a remote-code execution bug in Excel in Microsoft Office 2010, 2007 and 2003. A sixth update, labelled “moderate” in severity, prevents information leaking from Windows Vista, 7 and Server 2008.

More details, as usual, will be published by Microsoft after it releases its patches on Tuesday, 13 November. An advanced alert, with a full chart of all the version numbers of affected products, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/09/nov_patch_tuesday_pre_alert/