STE WILLIAMS

Huawei’s efforts to improve its information security credentials have appeared to receive a boost after CISO John Suffolk revealed the Chinese tech giant is engaging with a researcher who exposed flaws in some of its routers.

Former UK government CIO Suffolk told Reuters at a security summit in New Delhi that he’s sending a team of underlings to meet German researcher Felix Lindner, who has been an outspoken critic of Huawei in the past.

“We’ve very much taken on board Felix’s views and you’ll see over the coming period we’ve got a whole host of significant operations to deal with these issues,” Suffolk told the newswire.

“We like these comments, although sometimes you think to yourself that’s a bit of a slap in the face.”

Lindner and Gregor Kopf of Berlin-based Recurity Labs revealed research at Defcon in August revealing major coding errors which could allow hackers to remotely take control of Huawei’s AR18 and AR28 router products.

They claimed the products, which address the home office (AR18) and mid-sized enterprise (AR28) markets, contained 1990s style code and no OS hardening, leaving them open to “nineties style exploitation”.

They also complained that it had been difficult to responsibly disclose the flaws, claiming Huawei has no obvious “externally visible product security group”.

Although the Chinese tech giant at the time responded fairly unequivocally, by pointing all such cases towards its Network Security Incident Response Team (NSIRT), Suffolk now seems to be striking a more conciliatory tone in an attempt to effect lasting improvements in product design.

“Sometimes you need a bit of a slap in the face to step back, not be emotive in your response, and say what do I systematically need to change so over time any these issues begin to reduce?” he told Reuters.

“I can fix the Felix issue in a few lines of code. But I’m interested in systemic change within Huawei.”

It remains to be seen whether improving the security and reliability of its products will convince governments such as the US and Australia that Huawei doesn’t pose a national security risk, however.

The US House of Representatives Intelligence Committee report came out against Huawei despite releasing no evidence to prove its products contained deliberate backdoors. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/huawei_report_security_router_hacker/

Here’s a riddle for you: what’s the cost of identity theft and so-called “cybercrime” in Australia on an annual basis? If you answer “I don’t know”, you’re probably as close as most people.

The latest data to be lobbed into the discussion is here, from Essential Research. Of its survey respondents – 995, the study had the same sample as its latest political poll – 10 percent of Australians have experienced online fraud of some kind, sixteen percent have had their credit card stolen, and just one percent have experienced identity “theft”.

The average self-reported loss from some kind of computer crime was $310, with 23 percent of respondents reporting loss between $100 and $500.

Unfortunately, the methodology doesn’t give us quite enough to extrapolate the data to the national level, for a few reasons: it’s impossible to state the overlap between the key financial attacks (credit card theft and identity theft); and the study didn’t differentiate between online and offline attacks (for example, the credit card might have been in a stolen wallet).

Unlike Crikey’s Bernard Keane’s analysis, I’m not going to bump the figure up to take into account multiple events happening to one person. However, I am going to treat each incident as distinct – in other words, I won’t try to de-duplicate the data on the assumption that one attack put someone into two categories (for example, identity theft leading to online fraud).

The cumulative total of all computer-related crimes, according to the Essential data, is a little over $AU2.8 billion – and that’s not constrained by a time period (the research didn’t say “in the last twelve months”), if the data is extrapolated only to Australia’s 15.9 million adults (ABS 2011 census).

The really notable datum in the research is “identity theft”, which was reported by just one percent of respondents and would extrapolate out to around $AU37 million. Even if identity theft, online fraud and computer fraud are taken together, the value is only $AU1.4 billion.

Even without singling out the inflated values claimed by computer security firms like Norton or Symantec, this result seems to suggest that even moderately-disinterested data sources overstate the case. The ABS, for example, put the number at $AU1.4 billion for 2010-2011. Its figure for ID theft was lower than Essential’s, at 0.3 percent, in line with lower credit card fraud (3.7 percent) and scam victims (2.9 percent) – but the ABS reported a considerably higher per-incident loss (average $AU2,000).

Yet last year, Suncorp’s preferred number for ID theft alone was $AU3 billion annually, while Austrac believed the figure was $AU1 billion back in 2003.

What are we to make of all this?

Well: the biggest problem with Essential’s research is the small sample size – but that only means there’s a margin of error a little over 3 percent.

There is, however, one major gap in the Essential data: it looks at the cost to the responding individuals, and does not include the charge-back costs borne by the credit industry, for fraudulent transactions that have to be reversed. I don’t call this an “omission” on Essential’s part – but it does mean that the data isn’t sufficient to draw an economy-wide conclusion. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/31/essential_research_id_theft/

Comment The occurrence of a natural disaster or celebrity death have been guaranteed to mean the appearance of topical scams and malware for some years, certainly since the Indian Ocean Tsunami of 2004 if not before.

But the devastation wrought by superstorm Sandy on the US north-east coast and beyond has strangely been accompanied by little or no hurricane-themed scams or malware. Fake photos of the storm have appeared online but they haven’t been used to trick surfers into visiting scareware portals or exploit-ridden sites. Fake donation pages are notable by their absence. We haven’t even come across bogus emails from supposed Nigerian princes left stranded by the storm in Staten Island or Atlantic City, or similar curtain-raisers for the ever popular 419 (advanced fee fraud) scams.

There hasn’t even been increased spam, we’d tentatively suggest. Online scams normally surface, at the latest, 24 hours after tragedy strikes but with Sandy there have been unusually few scams, or at least few reports of attempted fraud.

We’d like to think that either disaster-themed scams have lost their appeal as lures or that compassion has won the day. Only a cynic would suggest that perhaps scammers mainly live in New Jersey …

Meanwhile, back in the real world, Sandy has claimed at least 55 lives, left thousands (at least temporarily) homeless, shut down the electrical grid and caused billions of dollars’ worth of damage, mainly in New York and New Jersey. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/31/hurricane_sandy_scamless/

Name and email addresses of Facebook users are available online at prices as low as $5 per million.

The dodgy trade was uncovered by Bogomil Shopov, an internet marketeer and blogger in the Czech Republic. Shopov said he approached the social network about the problem. He said Facebook asked him to forward and then delete the data, which came in the form on a compressed spreadsheet. Facebook representatives also wanted to know where he’d bought the data and what payment systems were used, he said, adding that he had been happy to answer.

However, the Czech blogger said he objected to requests he says were made by the Facebook representatives to keep his conversations with with them about the matter a secret. He said Facebook told him it was running an internal legal investigation but dragged its feet when it came to promising to advise users about how to avoid their data ending up in the hands of unscrupulous data brokers. “I asked if it was possible to tell what the problem was, after they finished the investigation, so that the users could protect themselves, but they they emphasised that it would be an internal investigation and they would not share any information with third parties,” Shopov wrote in an updated blog post.

Shopov suspects the Facebook data, which contained Facebook profile URLs as well as email addresses and names on users of the social network, came from a third-party developer. Shopov said ads advertising the sale of the data were pulled soon after he tipped Facebook off about the issue. The Czech blogger was able to verify that at least some of the email addresses contained in the list were accurate.

Although internet services marketing site gigbucks.com has removed the offending ad, it can still be viewed via Google cache here, Ars Technica reports.

Shopov told El Reg that other sites are offering Facebook data for sale. “I know two so far and it seems the part of the data is (was) available in a post in Facebook,” he said.

In a statement, Facebook said early indications were that the data was scraped from its site before being bundled with other information and sold online, probably illegally.

Facebook is vigilant about protecting our users from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site and combine the information with data publicly available elsewhere on the web.

We have dedicated security engineers and teams that look into, and take aggressive action on reports just like these. In addition to the engineering teams that build tools to block scraping we also have a dedicated enforcement team that seeks to identify those responsible for breaking our terms and works with our legal team to ensure appropriate consequences follow.

We continue to investigate this specific individual.

Shopov told El Reg that he didn’t believe the data was scraped from Facebook. Whoever is behind the scam can expect to face sanctions from Facebook, up to and including the possibility of criminal prosecution.

Thriving trade in black market likes

In other Facebook-related security news, Imperva warned that it had uncovered a bustling trade in social network fraud on an online black market it monitors. The 250,000-member hacker forum plays host to a thriving black market for buying and selling illegitimate social network “Likes”, followers, and endorsements, with particular attention given to the origin of these Likes and followers.

“Likes and followers can be used to gain rank, win competitions, and many other causes that can often be translated to monetary profit,” Imperva explains. “Many forum discussions contain requests to buy Facebook friends and Likes, Twitter followers and other types of social currency. There are, of course, many who are willing to provide the service, for variable prices.”

A thousand Facebook Likes can be easily purchased for $10 or less, with discounts for bulk purchases.

Imperva’s report on the hacker forum, published on Tuesday, can be found here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/31/dodgy_brokering_facebook_data/

US cops have arrested 14 people over an elaborate scam where $1m was stolen from casino kiosks in a scam the FBI has described as ‘Gone in 60 Seconds’ bank fraud.

The suspects allegedly stole $1m by exploiting a gap in Citibank’s electronic transaction security protocols in casino “cash advance” kiosks – which required multiple withdrawals all within 60 seconds.

The court documents alleged that Ara Keshishyan, 29, of Fillmore, California, set up the scam by depositing money in seed Citibank accounts and recruiting the casino equivalent of money mules. The gang then went to casinos located in Southern California and Nevada before making a series of co-ordinated cash withdrawals, the indictment alleged.

The scam worked because withdrawals were authorised at multiple machines before balances were updated, taking throwaway accounts well into the red.

The stolen funds were often used to gamble, leading many casinos to supply the alleged conspirators with free rooms due to their extensive gambling activity, the FBI said.

When Citibank noticed the discrepancies, it alerted the authorities, leading to an FBI-led investigation that resulted in the arrest of the suspects in a series of raids in southern California last week.

All 14 of the defendants are charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements (deposit and withdrawals were kept below the reporting minimum of $10,000). In addition, Keshishyan is charged with 14 counts of bank fraud. Prosecutors are also seeking to recoup Citibank’s losses by obtaining a forfeiture order, allowing them to seize goods or property obtained with the proceeds of crime.

An FBI statement on the case can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/31/casino_kiosk_scam/

Georgia has taken the unusual step of publishing photos of a man it suspects of being the hacker who has been attacking the former Soviet Republic’s systems for months.

Photos of the alleged cyber-spy were captured after Georgia security experts set up a honeypot sting, tricking the person they believed to be the hacker into downloading what spoofed “sensitive information” before capturing the man’s image using his own web cam.

The Register notes that the man pictured has not been charged with any crime, nor has he been proven to be involved in any hack attacks.

Investigators from the Georgian government’s Computer Emergency Response Team (Cert.gov.ge) took the highly unusual step of publishing two photos of the man they suspect of being a cyber-spy in the government’s official cybersecurity report (PDF). The series of malware-based attacks targeting Georgia government agencies and banks began around March 2011, the same time security analysts at the Georgian CERT launched an investigation.

The attacker(s) planted malicious code on various Georgian news sites but only inserted into stories featuring headlines involving US-Georgia relations and NATO, subjects likely to be of interest to his target audience. The tactic was used to seed infections associated with the Georbot information-stealing zombie network. Georbot managed to infect between 300 to 400 computer in Georgian government agencies alone.

Connections to the command and control server associated with the Georbot zombie network were blocked. In response, the hacker/s launched a further wave of attacks featuring emails featuring malicious attachments posing as PDF files, again designed to siphon off potentially interesting files from compromised Windows computers. The PDF attack was unusually sophisticated because it featured abuse of the XDP file format, a tactic that circumvented anti-virus defences for some months before security experts latched onto the trick, IT World reports.

The use of the tactic is clear evidence that the Georgians weren’t dealing with a common-or-garden script-kiddies but a cadre of sophisticated hackers located in both Russia and, evidence suggested, Germany.

Georgian security experts launched a counter-offensive by deliberately allowing a machine to become infected. This computer contained an infected ZIP file, called “Georgian-Nato Agreement”. An attack purportedly from the Russian suspect siphoned off this file, just as investigators hoped, before the hacker made the mistake of attempting to open it and view its contents, infecting his computer and opening a backdoor in the process.

Investigators were able to use their malware to capture the presumed perp’s image. The attack also allowed them to root around his machine for sensitive documents. The Georgians claimed that one Word file they had siphoned off contained instructions on who to target and how to hack into targets in Russia, IT World adds.

The alleged perp, who was named only by his online nickname Eshkinot, is unlikely to have acted alone. Georgian authorities allege that Russian intelligence agencies are mixed up in an ongoing cyber-espionage operation, citing intelligence obtained from their counter offensive (including data from Georbot CC systems, decrypted communication mechanisms and malicious files) as evidence. Nonetheless the allegation remains unproven.

The Georgian CERT paper concludes: “Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and then uploading it to some of command and control Servers (which change[d] often upon detection).

“After investigating attackers’ servers and malicious files, we have linked this cyber attack to Russian official security agencies.”

The best evidence for this assertion is that a domain associated with the Russian Ministry of Internal Affairs, Department of Logistics, in Moscow was the source of spam emails bearing infectious PDF files spoofed to appear to come from [email protected]”, an address ostensibly associated with the Georgian president. This is a bit circumstantial since it doesn’t rule out the abuse of open relays at the Russian ministry to send “perfectly spoofed” spam or other trickery along these lines.

The Georgians also concluded that the IP and DNS servers used to control infected Georgian computers belonged to the Russian Business Network, better evidence but still not conclusive.

Motives for a Russian attack on the Georgian government are not hard to guess while it’s far more difficult to imagine why anyone else would want to get involved.

Relations between Russia and Georgia remain poor four years after a dispute about the separatist ambitions of South Ossetia and Abkhazia led to an armed conflict between Georgia and Russia in August 2008. Diplomatic relations have been severed since so the chance of any prosecution of the alleged Russian hacker for attack on Georgia are extremely low. The 2008 conflict on the ground was accompanied by a side-show in cyberspace, featuring denial of service attacks and websites defacements targeting news outlets and government agencies on both side of the conflict, as summarised by Arbor Networks here. Most of these information warfare attacks were aimed at planting propaganda, in one way or another. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/31/georgia_russia_counter_intelligence/

A study conducted by BAE security subsidiary Stratsec claims that cloud services aren’t doing enough to secure their instances against being used to host attacks.

The company has described a series of experiments here. Stratsec says it was able to set up botnets – it refers to them as botClouds – on all five of the cloud services it tested, and that none either raised alerts nor placed restrictions on the accounts that were originating malicious traffic.

While the study doesn’t name the cloud services it tested, El Reg would assume that all five have had a private notification by Stratsec.

The experiments were conducted by setting up accounts with various cloud providers, setting up ten cloud instances on each account, and using those instances to send malicious traffic at “victim” systems on controlled networks. Common services like HTTP, FTP and SMTP were enabled on the victims.

The cloud services were then used to fire a variety of attacks against the victims: malformed traffic, malware attacks, DoS attacks, brute-force attacks against the FTP passwords, shellcode attacks on the victims’ services, and Web application attacks (such as SQL injection, cross-site scripting, and path traversal).

With this setup in place, four experimental setups were tested with the victim in (a) a corporate-style environment behind an IDS and firewall; (b) on the same cloud service that hosted the attacks; (c) the victim on one cloud service suffering an attack launched from another. In the last experiment, the attack on the private network victim was extended to 48 hours to try and elicit a response from the cloud providers.

Stratsec reports that “although we were expecting responses from cloud providers”, very little happened. There were no connection resets or terminations on the traffic, nor was the malicious traffic throttled or rate limited. The attacks failed to draw a response in the form of an alert or an account suspension, and although one provider blocked FTP, SMTP and HTTP traffic by default, the experimenters only needed to use a non-standard port to continue the attacks.

Without a stronger security posture from cloud providers, the report states, their services offer a cheap, scalable, reliable, and user-friendly platform – for anyone wanting to set up a botCloud. Moreover, they note, a corporate with its own relatively mature in-house security could find itself degrading its protection by moving to the cloud. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/30/clouds_can_host_botnets/

A Brazilian ski-fields worker has been sentenced to community service in New Zealand for breaking into the network of a Queenstown backpacker lodge, the Otago Daily Times reports.

The newspaper says the judge wasn’t impressed either by Daniel Cabral Schiavini’s guilty plea, nor that he notified the Pinewood Lodge that its systems were vulnerable.

For accessing the lodge’s network between June 20 and 25, and again on June 30, Schiavini has been fined $1,670 and ordered to perform 100 hours’ of community service.

On the surface of it, Schiavini’s actions appear benign. The Otago Daily Times reports that he accessed the lodge’s systems via its WiFi network and, having accessed his own reservation, left a message for the managers that he had gained access to their system. He then told management how to fix the vulnerability, and later tested the system again on management’s request.

This would make it seem that Schiavini is an unfortunate white-hat being unfairly penalised. However, New Zealand lawyer and software developer Guy Burgess has blogged that Schiavini went beyond what’s wise.

Pinewood claims that Schiavini “broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of the our database for further study. He then decided to tell us assuming that by telling us that all would be made good.”

It is, perhaps, this aspect that resulted in the Queenstown District Court judge Dominic Flatley describing the breach as “a serious crime”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/30/nz_cracker_community_service/

Your mouse may actually be a RAT in disguise

Plague-bearing horrors mask themselves as rodent chum

By John Leyden • Get more from this author

Posted in Security, 30th October 2012 10:46 GMT

Free whitepaper – Operationalizing Information Security

The growing volume of malware means automated threat analysis systems are increasingly important. Only the more unusual analysis work gets passed on to human analysts. Even if the mouse-attached RAT gets caught out at this stage it still gains extra longevity. The development means that anti-virus firms will probably need to include a virtual mouse clicker and nudger in their automated analysis routines.

The sneaky mouse-hogging malware was detected by security researchers at Symantec. The security giant has also come across strains of malware that use “sleep mode” to evade dynamic analysis systems.

A detailed write-up of both (unnamed) threats can be found in a blog post here. ®

Free whitepaper – AccelOps’ Unified Infrastructure Management Examined

• Send corrections
  
• 16 commentsPost a comment

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/30/sneaky_trojan_hides_behind_mouse/

Israeli police departments were pulled offline last Thursday following the discovery of a Trojan especially targeted at law enforcement networks in the Jewish state.

The malware was distributed using spammed messages, spoofed so that they appeared to come from the head of the Israel Defense Forces, Benny Gantz. The malicious emails contained the subject line “IDF strikes militants in Gaza Strip following rocket barrage”, and a compressed .RAR file was attached. Opening the dodgy attachment on Windows machines leads to infection by the XTRAT-B Trojan (AKA Benny Gantz-59).

Samples of the malware obtained by Trend Micro suggest that the initial target of the attack was systems within the Israeli Customs agency.

“Based on our analysis, this backdoor is an Xtreme remote access Trojan (RAT) that, like all RATs, can be used to steal information and receive commands from a remote attacker,” Ivan Macalintal, a threat research manager at Trend Micro explains. “The Xtreme RAT appears to have been used in previous attacks targeting Syrian anti-government activists.”

The Trojan features Windows 8 compatibility, improved audio and desktop capture capabilities as well as better routines for grabbing passwords saved in Chrome and Firefox.

Antivirus firms are adding detection for both the spammed message and the malicious file but the damage may already have been done. Roni Bachar, head of Israeli security firm Avnet, told the Times of Israel that police servers might have been compromised for up to a week before the outbreak was detected, and quarantine procedures were applied.

“It was only late Wednesday night that police realized what happened and ordered that computers be taken offline,” Bachar said. “Apparently the virus was also distributed to other government departments.”

Police forces re-established limited internet connectivity by Sunday but it’s unclear when full access will be restored, the Times of Israel adds.

It’s also unclear who created the malware or why, although Iran has (unsurprisingly) emerged as a likely suspect.

“Benny Gantz-55 may have been a prank,” the DigitalIntifada blog speculates.

“It may also have been generated by Iran’s burgeoning cyber warfare centres which have been rapidly expanded since Tehran’s nuclear programme was hit by the Stuxnet virus in 2010.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/30/trojan_hits_israeli_cops/