STE WILLIAMS

French cops cuff man over €500K Android Trojan scam

French police have arrested a 20-year-old man who allegedly earned €500,000 (£405,00, $650,000) through an Android malware scam.

The unnamed perp from the Amiens region allegedly tricked 17,000 victims into installing a Trojan that posed as a legitimate application on their Android smartphones. In reality, the malicious application sent SMS messages to premium rate numbers, allegedly earning the suspect a tiny slice for each SMS. Victims were left none the wiser until they received bills charging them for the fraudulent transactions.

The malware also stole login details for gaming and gambling websites. The suspect, who reportedly began his involvement with the scam last year, has admitted responsibility but told investigators he was motivated by technical curiosity and ambitions to become a software developer rather than greed, the BBC reports.

Android SMS malware is not a new problem. Most reported incidents have happened in either Russia or China but there are precedents for this sort of malfeasance in France. Trojan apps typically pose as popular mobile games, such as Angry Birds, or useful* utilities, such as Instagram.

Back in February, French cops cuffed two men linked to the distribution of the Foncy Trojan, another strain of malware that sent expensive SMS messages from infected Android smartphones.

More commentary on the security aspects of the case can be found in a blog post by Sophos here. ®

*Yes, we know, we’ll be hearing from you in the comments…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/19/french_android_trojan_suspect_arrested/

Anonymous cell: Shove off, credit-hoggers, WE took down HSBC

Updated An Anonymous-affiliated group has claimed responsibility for attacks that left HSBC websites worldwide knocked offline on Thursday night.

UK-based Fawkes Security claimed responsibility for the digital sit-in via a post to Pastebin.

As some of you may be aware HSBC bank suffered several DDoS attacks on the named sites in the past hours us.hsbc.com hsbc.co.uk hsbc.com hsbc.ca they were all brought down by #FawkesSecurity. Before any claim fags attempt to take ownership of this attack, the proof is all in our Twitter account, Targets, time and date :) @FawkesSecurity

Several posts in @FawkesSecurity’s timeline (such as this) provide circumstantial evidence to support its claim that it launched what it variously describes as #OpHSBC and #OpDosLikeABoss. In a YouTube video the group said it was holding back on its reason for the attack.

Previously it was thought that HSBC was hit by Muslim hacktivists as part of a threatened extension of their campaign of denial of service attacks against US banks last month in protest against the controversial Innocence of Muslims video pulled from YouTube. This is now looking much less likely.

In a series of statements, HSBC said that it managed to restore normal access to internet banking services at all its affected websites (in the US, Canada and the UK) by 03.00 BST on Friday, 19 October. It stressed that customer data was never at risk.

Some reports suggest purchases using debit cards issued by HSBC might also have been affected, but this remains unconfirmed.

Security experts are beginning to analyse the attack, with early indications suggesting it was probably a mixture of brute-force flooding as well as more sophisticated application-layer attacks. Zombie bots are a likely source of the attack traffic, if recent experience is anything to go by, but this too remains unconfirmed.

FawkesSecurity has been in touch since this story was published, and told El Reg in a Twitter exchange: “We’ll be targeting other banks in the future, as well as any other sites we see worth attacking.”

Asked why it was interested in targeting banks, FawkesSecurity said “It’s their fault that the world’s economics are so messed up”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/19/anon_group_hsbc_ddos/

Apple banishes Java from Mac browsers

Apple has discontinued its own Java plugin, issuing an ‘update’ that removes it from MacOS and encourages users to instead download Oracle’s version of the software.

The update, available now and depicted at the bottom of this story, advises users to install new software with the following effect:

Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37. This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

It’s not clear why Apple has taken this decision, but Sophos security researcher Paul Ducklin has blogged his opinion that this regime “may sound like a bug, but for most users, it’s a feature,” given Java’s security issues. Ducklin even suggests Cupertino’s decision may be related to Oracle’s recent release of a security update for Java.

Mac users seem a little confused about what’s going on, if this thread in Apple’s support communities is any indicator.

The move leaves Cupertino hostile to Flash in browsers for mobile devices and Java in browsers for desktops. One anti-plugin decision looked picky. Two may look like a developing policy. ®

Apple’s notification about Java

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/19/apple_banishes_java_from_macos_browsers/

One year on, SSL servers STILL cower before the BEAST

The latest monthly survey by the SSL Labs project has discovered that many SSL sites remain vulnerable to the BEAST attack, more than a year after the underlying vulnerability was demonstrated by security researchers.

BEAST is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt the encrypted cookies that a targeted website uses to grant access to restricted user accounts.

October figures from the SSL Pulse survey of 179,000 popular websites secured with the ubiquitous Secure Sockets Layer (SSL) protocol reveal that 71 per cent (127,000) are still vulnerable to the BEAST attack.

The latest stats show little change from September figures, down just one percentage point from the 71.6 per cent vulnerable to the BEAST attack recorded last month.

Exposure to the so-called CRIME attack was also rife: 41 per cent of the sample supported SSL compression, a key prerequisite of the attack.

The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to log in to the victim’s account on the site.

The root cause of the BEAST attack, first outlined by security researchers in September 2011, is a vulnerable ciphersuite on servers. The dynamics of the CRIME attack are more complex but capable of being thwarted at the browser or quashed on a properly updated and configured server.

The SSL Pulse survey also looks at factors such as the completeness of certificate chains and cipher strengths.

Of the 179,000 sites surveyed only 24,400 (or 13.6 per cent) deserve the designation “secure sites”, according to SSL Labs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/18/ssl_security_survey/
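The two server-side conditions the survey counts, a CBC cipher suite reachable under SSL 3.0 or TLS 1.0 (BEAST) and TLS-level compression (CRIME), can be checked mechanically from a description of the server's configuration. The Python below is an added example, not SSL Labs' tooling or its survey data: `ServerTlsConfig`, `is_cbc_suite`, `assess` and the two sample configurations are constructed here, and `hardened_server_context` shows the corresponding corrected settings on a standard-library `ssl.SSLContext`.

```python
"""Assess a TLS server configuration for the two weaknesses the SSL Pulse
survey counts (added example, not SSL Labs' own tooling): CBC cipher suites
offered under SSL 3.0/TLS 1.0 (BEAST) and TLS-level compression (CRIME).
The configurations below are constructed, not survey data."""
import ssl
from dataclasses import dataclass

# Markers of AEAD or stream ciphers.  Every other block-cipher suite in
# TLS 1.0-1.2 uses CBC mode, whether the name (IANA or OpenSSL style) says so
# or not: OpenSSL's "AES256-SHA" is TLS_RSA_WITH_AES_256_CBC_SHA.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4")
BLOCK_CIPHER_MARKERS = ("AES", "CAMELLIA", "DES", "SEED", "IDEA", "ARIA")


def is_cbc_suite(name: str) -> bool:
    """True if the suite encrypts with a block cipher in CBC mode."""
    n = name.upper()
    if any(m in n for m in NON_CBC_MARKERS):
        return False
    return any(m in n for m in BLOCK_CIPHER_MARKERS)


@dataclass(frozen=True)
class ServerTlsConfig:
    protocols: tuple        # versions the server will negotiate
    cipher_suites: tuple    # in server preference order
    compression: bool       # TLS compression (DEFLATE) enabled?


def assess(cfg: ServerTlsConfig) -> list:
    """Return a list of findings; an empty list means neither weakness applies."""
    findings = []
    if cfg.compression:
        findings.append("CRIME: TLS compression is enabled")
    # BEAST needs a CBC suite negotiated under SSL 3.0 or TLS 1.0.
    legacy = [p for p in cfg.protocols if p in ("SSLv3", "TLSv1")]
    cbc = [s for s in cfg.cipher_suites if is_cbc_suite(s)]
    if legacy and cbc:
        findings.append(f"BEAST: {'/'.join(legacy)} offered with CBC suites {cbc}")
    return findings


# Constructed examples: a 2012-style default and a hardened configuration.
WEAK_2012 = ServerTlsConfig(
    protocols=("SSLv3", "TLSv1"),
    cipher_suites=("AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"),
    compression=True,
)
HARDENED = ServerTlsConfig(
    protocols=("TLSv1.2", "TLSv1.3"),
    cipher_suites=("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"),
    compression=False,
)


def hardened_server_context() -> ssl.SSLContext:
    """Build an ssl.SSLContext with both weaknesses closed: no compression,
    TLS 1.2 as the floor, and AEAD-only suites for TLS 1.2 (TLS 1.3 suites
    are all AEAD already).  Call load_cert_chain() on it before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Apply the same two checks to a live context instead of a description."""
    return (bool(ctx.options & ssl.OP_NO_COMPRESSION)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not any(is_cbc_suite(c["name"]) for c in ctx.get_ciphers()))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_2012), ("hardened", HARDENED)):
        print(label, assess(cfg) or ["no findings"])
    ctx = hardened_server_context()
    print("hardened context:", context_is_hardened(ctx),
          [c["name"] for c in ctx.get_ciphers()])
```

The 2012-era workaround for BEAST was to prefer RC4 so that no CBC suite was negotiated; RC4 has since been broken in its own right, which is why the hardened context above raises the protocol floor to TLS 1.2 and restricts the suite list to AEAD ciphers instead.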

‘Four horsemen’ posse: This here security town needs a new sheriff

As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body.

(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was “a waste of money” and its board of directors “filled with a bunch of out-of-touch boobs” who are unaware of the practical issues in the working life of an infosec professional, we heard.

Membership fees for the organisation are $85 a year. But what do the 80,000 (ISC)2 members get in return?

A cursory search reveals that the beer-fuelled criticism is matched by a series of critical blog posts by respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and other security honchos such as Rob Graham.

Many of these blog posts note that upcoming (ISC)2 elections in late November offer a chance to make a change.

(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this time around. As well as the six candidates on the approved slate there will also be a chance to vote for two alternative (unendorsed) candidates, one standing on a reform ticket. Eligible (ie, fully paid-up) members of (ISC)2 also have the opportunity to cast their vote for a write-in candidate. More details on the (ISC)2 board election process can be found here.

Now it seems that a group of radicals wish to infiltrate the group. The “Four Horsemen of the Impending Infosec Apocalypse” – prospective candidates for the (ISC)2 election who were not included on the official slate – have put themselves forward for election. Only one of the four – Dave Lewis (@gattaca) – made the cut. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short. Another candidate, Diana-Lynn Contesti, will appear on the official ballot papers. Contesti was previously on the board but is not an incumbent.

Manifestos for members of the loosely formed “freak ticket” alliance can be found by searching for (ISC)2 on infosecisland.com. There’s also a CSOonline article on Lewis’s candidacy and desire to restore the integrity of the CISSP exam. Both Lewis and Contesti are Canadian residents.

The two successful unendorsed candidates managed to get 500 nominations from (ISC)2 members, via emails in support of their candidacy from registered accounts, before a 17 September deadline. Pulling off this not-inconsiderable feat means that their names will appear on the ballot for the upcoming election. Signing the petition to get someone on the ballot does not commit members to vote for them in the actual election.

Of the two unendorsed candidates, only Lewis represents reform. The lack of choice among the rest is likely to irk critics of the organisation, who are not difficult to find.

“I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea – but since that seems unlikely, I’ll support folks who want to make a change,” writes Daniel, in characteristically caustic style. “Wim Remes made it to the board last year from a write-on candidacy, let’s see if we can get more – at least on the ballot.”

Another critic, NovaInfosec.com (an association of infosec professionals in the Washington DC area) writes: “Keeping the same old guard on the board will simply result in a certification that continues to be disconnected from the day-to-day practical aspects of today’s security professionals. The first step to reconnect the ISC2 board with the practical aspects of today’s infosec pro is to get more community representation.”

And there’s more along the same lines from Rob Graham of Errata Security, who writes: “The best known professional certification in cybersecurity is the ‘CISSP’ (by the (ISC)² organisation), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform.”

Graham, like Daniel, praised the election of Wim Remes to the board last year as part of a much-needed reform process. Remes is a manager in the risk and assurance practice at Ernst & Young in Belgium. But what really appeals to those who dislike the stuffed shirts is his work organising the well-regarded BruCON security conference and presenting at BlackHat.

Remes told El Reg that he might have joined in with the criticism last year himself but 10 months on the (ISC)2 board has shifted his opinion. The board of (ISC)2 is made up of representatives from academia, industry and internet committees. Unlike critics, Remes doesn’t think the group is out of touch.

“We need fresh blood but we don’t want to throw our history away,” he said. “The present board are a diverse bunch who are well in touch with what’s happening in security, and knowledgeable.”

“They’re not stuffy types… and not on the board just to be on the board. (ISC)2 is less bureaucratic than I thought it would be,” he added.

CISSP certification helps people to get or retain jobs in information security but it’s not mandatory to have any qualification to have a job in the profession.

Remes cites the fact that the 80,000 membership of (ISC)2 is going up as evidence that the organisation is still relevant and focused on the needs of its members. The (ISC)2 board meets face to face quarterly in diverse and sometimes exotic locations as well as taking part in more regular teleconferences.

Although the board is in charge of governing (ISC)2, the day-to-day running of the organisation is left to a management team.

John Colley, managing director for EMEA and co-chair of the European advisory board for (ISC)2, said members get two broad categories of benefit.

The first is “continuing professional education opportunities”, he said. “We do this by staging online and face to face events with the (ISC)2 Secure series and Think Tank sessions and by negotiating concessions and discounts at major industry events around the region,” Colley explained.

The second major benefit cited by Colley is that “(ISC)2 provides a voice for the community, develops recognition for the profession itself and facilitates opportunities to give back to society.”

The latter, in particular, sounds a bit woolly. Against this Colley said that (ISC)2 member volunteers will be presenting to an audience of over 3,000 professionals in the UK during Get Safe Online Week (22-26 October). (ISC)2 is also developing an application security challenge for Cybersecurity Challenge UK, a government-backed scheme aimed at filling the growing security skills gap by attracting newcomers to the infosecurity profession, he said.

Remes highlighted networking opportunities organised by local chapters and the ability to share best practice as a key benefit of remaining a CISSP.

Colley added that the thorny issue of what members get for their $85 (£53) membership fees crops up every year, normally around the time of board elections. “To understand the value received for AMFs [annual membership fees], we made a concerted effort to ask the members in this region what they are looking for from (ISC)2,” he said.

A light-hearted look at the benefits of being a CISSP can be seen in a video by security blogger Javvad Malik (below).

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/18/isc2_election/

IBM claims first with Hadoop data security suite

IBM is launching what it claims is the first data security system for Hadoop, as part of its biggest product rollout of security software and services yet seen from the company.

Big Blue’s not the highest-profile security firm, but it has been buying in a lot of talent over the last three years and last year grouped staff and resources around a dedicated security unit. That team has now released a raft of new and updated products as part of a drive to make the company a one-stop provider for everything from the datacenter to mobile devices.

The Hadoop system, dubbed InfoSphere Guardium v9 for Hadoop, stems from technology bought out by Big Blue in 2009 from Guardium, and covers real time security and vulnerability monitoring. The software works with both structured and unstructured databases and includes an automatic compliance and data privacy reporting system.

Also for Hadoop systems, IBM has upgraded its Optim Data Masking system for Big Data users, which obfuscates sensitive data, limiting direct access, and also supports application-specific masking from Oracle and SAP. For those that want to encrypt their data there’s also an upgrade to Tivoli Key Lifecycle Manager.

On the mainframe front IBM’s extending the QRadar platform it debuted in February onto its zSecure reporting and audit system, but the company has put a lot more effort into cloud offerings. QRadar will be built into IBM’s zSecure cloud service; there’s also a new automated patching system and a couple of new identity and access management services for both cloud and mobile.

Paula Musich, principal analyst in enterprise security at Current Analysis, told The Register IBM’s looking to become a one-stop shop for security tools and services, capitalizing on IT managers’ desire to simplify their security around a few key providers.

“The larger vendors don’t move that quickly, and we’re still at the top of the hype cycle for Big Data,” she said. “I sense IBM might surprise you a lot more often in that regard. It’s moved really quickly in the year since forming the security division and there’s a sense of urgency that didn’t exist before. Bringing everything under one unit has really brought some focus.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/18/ibm_hadoop_security/

Snoopers Charter is for ‘incompetent criminals, accidental anarchists’

The Information Commissioner Christopher Graham has characterised the Home Office’s proposed law to massively increase surveillance of the internet in the UK as one that would only be capable of capturing stupid criminals.

Graham told a committee of MPs and peers on Tuesday that the draft Communications Data Bill as it stands would only put a stop to “the incompetent criminal and the accidental anarchist”.

The information chief said he was yet to have a conversation with the Home Office about Theresa May’s planned legislation to give spooks and police greater access to comms data.

At this stage, he said, it is not even clear to him what the bill means by the term Communication Service Providers (CSPs). He said he fully expected the six big telcos – Virgin Media, BT, BSkyB, Orange, O2 and TalkTalk, who together service some 95 per cent of netizens in the UK – would fall under the CSP banner. But he asked: “What of the other 5 per cent?”

He added that an international terrorist, for example, would simply avoid accessing the web via the big six providers when operating within Britain to avoid detection from government spooks.

Graham also expressed concerns about the costs to his office of overseeing any such law and described the issue as “chicken and egg” because he was yet to be fully briefed by the Home Office on the details of the bill. He said it was clear, though, that the ICO would need more powers and resources to make that happen.

The commissioner kept returning to the same point that many others have made to parliamentarians perusing the bill, saying: “We’ve got a proposition but no detail.”

He noted that the so-called Snoopers Charter wasn’t new to the Coalition and provided some colour by explaining an exchange he had with then-Home Secretary Jacqui Smith in 2009 when he first became the Information Commissioner.

The data chief said that before he had even started his post, Smith had written a letter to Graham urging him to recognise the importance of the Interception Modernisation Programme (IMP), which was shelved by New Labour in the face of massive opposition – including from the Tories and LibDems.

Graham also told peers and MPs at the committee hearing – when asked about jurisdiction stumbling blocks relating to foreign outfits that operate in the UK – that Google and Facebook were both good at conducting “grown-up” discussions about data protection and privacy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/christopher_graham_labels_web_super_snoop_bill_as_law_for_stupid_crims/

A lesser-known new feature in iOS 6: It’s tracking you everywhere

Apple has enabled user tracking of its customers once again, with the recently released iOS 6 enabling advertisers to see which apps users have run, and which adverts they’ve seen – all for the benefit of the users, of course.

The feature wasn’t highlighted by Apple at the launch of iOS 6, as Business Insider points out in its detailed rundown, but the new tracking number is important as it enables advertisers to target users, and provides decent enough obfuscation to make switching it off really quite difficult, though those making use of it would question why one would want to turn it off anyway.

The IFA, or Identification For Advertisers, is a random number generated once by the iOS device which is used to uniquely identify that device between applications. The number is available to apps which can send it to their advertising service of choice to pull down new adverts, perhaps based on previous usage of viewing, without sharing the identity of the user or their equipment.

Prior to iOS 5, developers could use the UDID, a unique device identifier which was available to applications. The UDID worked fine, but there was no way to prevent applications reading it and while lots of applications, and advertisers, were benignly making use of the UDID, customers started to get riled about privacy and (after giving developers a decent warning) Apple pulled the plug.

UDIDs weren’t just used by advertisers, they also allowed apps to download settings when reinstalled into a device where it had previously been used (assuming the vendor kept records), and enabled analytical software (such as Crashlytics) to identify when different applications are crashing on the same device – pointing to faulty hardware – something impossible with alternative schemes.

Apple’s new IFA isn’t guaranteed not to change – the device could generate a new random number at any time, but Cupertino isn’t saying how often, or if, it will. But that shouldn’t matter to advertisers who don’t care if it’s not perfect. More importantly the IFA can be switched off by users, or (more accurately) one can switch the “opt out” option to “on”, assuming one can find it under Settings/General/About/Advertising, not “Privacy” where one might expect to find it – Business Insider has a step-by-step guide with pictures.

While we’re on the subject, Bruce Schneier reminds us that last month Apple posted details of how to opt out of its own advertising platform iAd, or the tracking performed by iAd at least, one has to keep watching the ads as long as one wants free stuff.

Which brings us to the question of why one would bother. We’re told that tracking is used to present adverts in which we might be interested, and ensure that the same adverts aren’t presented repeatedly everywhere we go, but that might not be as true as one would hope if Google is any guide.

Some months ago your correspondent expressed some interest in a Fluke Thermal Imager, from a technical point of view, and since then at least half the websites visited have shown the same advert for Fluke, which eventually phoned to ask if I was going to buy one. I’m not – I have an interest, but no use, for such a thing – but still I’m unable to avoid the adverts everywhere.

If that’s the future of tracked adverts then random selection would seem a more desirable option, and if it enhances one’s privacy then that’s all to the good. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/itrack/

ZTE drops spy tech subsidiary

Chinese telecoms kit maker ZTE has sold its majority stake in ZTE Special Equipment (ZTEsec) – a company that sells surveillance systems.

The under-fire Shenzhen-based firm said in a little-publicised filing with the Hong Kong Stock Exchange at the end of September that it would “dispose of its 68 per cent equity interests” in ZTEsec.

Doing so, it said, will “allow the company to focus its resources on its principal businesses in line with the requirements of its strategic development.”

The sale to ten investors, most of them local venture capital firms, is expected to generate between 360m and 440m yuan, a handy sum given ZTE has had a poor year financially.

Preliminary results for the first three quarters of 2012 predict a 260 per cent, or 1.75bn yuan (£174m), drop in profits from 2011.

The ZTEsec English language web site says it produces “data network security surveillance and other intelligence support systems” including the Deep Insight deep packet inspection tool.

A Reuters report back in March accused ZTE of selling similar surveillance tech to the state-run Telecommunication Co. of Iran (TCI) in 2010 as part of a €98.6m (£82.4m) deal for networking equipment.

It went on to say that ZTE also sold the telco US-made products on a 900-page ‘packing list’, breaking strict American sanctions on Iran.

The Chinese tech giant said it “always respects and complies with international and local laws wherever it operates” and that it would wind its Iran business down, but is still under investigation by the US authorities over these claims.

It’s unclear whether the decision to jettison the ZTEsec subsidiary was taken in response to these on-going investigations or in an attempt to smooth relations with the US before the release of a high profile report into whether it and Huawei posed a national security risk.

That report from the House of Representatives Intelligence Committee, as we know now, ended pretty badly for both Shenzhen companies.

ZTE couldn’t immediately be reached for comment on the news. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/zte_sells_security_surveillance_subsidiary/

Payment protection tops list of SMS spam scams

AdaptiveMobile, a company which spends most of its time filtering out junk SMS messages, has written up a list of the scams hitting GSM handsets, with mis-sold payment protection insurance topping the list.

The spam texts differ significantly from the usual email spam in being more direct, claiming intimate knowledge of the recipients’ financial affairs, and obviously being much shorter. The top five all promise instant money, not from some unknown benefactor but from large companies from whom theft is morally permissible.

First up is mis-sold Payment Protection Insurance, with a message providing a detailed figure of compensation available. Payment protection was mis-sold in some cases, and many refunds have been given (though that has not stopped some people trying to make claims on their refunded policies), which makes the scam more believable.

Next up is a loan offer, followed by accident compensation and “new legislation” which will allow the punter to write off debts “instantly”, with better-performing pensions rounding out the top-five list.

The SMS scammers provide exact figures for owed compensation for accidents, encouraging the recipient to justify such promises with selective memory or creative interpretation, which may also filter out the more suspicious types who wouldn’t fall for the scam anyway.

Interestingly all the top five SMS scams end with variations on “to opt out text STOP”, which is required of premium-rate text messages but has obviously become recognisable as the ending of any legitimate message. In this case replying would just confirm the validity of the phone number so should be avoided.

Spam SMS was previously not particularly widespread, just as cold calling was almost unknown in the UK, as the cost of making a call or sending a text was prohibitive. But these days the cost of communication has fallen to such a level that text spamming – sending hundreds of thousands of messages in the hope one will stick – is now financially viable.

For the network operators, spam texts present an interesting problem too, as they have a contractual responsibility to deliver messages which have been paid for. Ten years ago most SMS spam was sent from hacked SMS centres (routing nodes), but these days numerous operators offer unlimited texting so cost is no barrier – even if the sender is breaching the terms and conditions of the connection.

Those Ts&Cs also allow the operator to filter out spam, using filters from AdaptiveMobile or elsewhere, but they walk a path much narrower than their email-providing equivalents, and thus tend to err on the side of delivery, exposing all of us to ever more spam. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/sms_spam/
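The features the SMS spam piece above describes, one of the top-five scam topics, a precise sum of money, entitlement language and the “to opt out text STOP” footer, can be turned into a simple scoring filter of the kind an operator might run before delivery. The Python below is an added example, not AdaptiveMobile’s filter or its data: the regular expressions, the threshold and the sample messages are all constructed here. It also shows the article’s caveat in code: a genuine reminder that ends in “text STOP” scores too low to be held back, because the footer alone is not evidence of a scam.

```python
"""Score SMS messages against the scam features described in the article:
a top-five scam topic, a precise money figure, entitlement or urgency
language, and the "text STOP to opt out" footer.  Added example, not
AdaptiveMobile's filter; rules and sample messages are constructed."""
import re

# The five scam topics the article lists, in its order.
SCAM_TOPICS = {
    "ppi": re.compile(r"\b(ppi|payment protection)\b", re.I),
    "loan": re.compile(r"\bloans?\b", re.I),
    "accident": re.compile(r"\b(accident|injur(y|ed))\b", re.I),
    "debt": re.compile(r"\b(debts?|writ(e|ten) off)\b", re.I),
    "pension": re.compile(r"\bpensions?\b", re.I),
}
# "£3,750" style figures: the article notes scammers quote exact sums.
MONEY_FIGURE = re.compile(r"£\s?\d[\d,]*(?:\.\d{2})?")
ENTITLEMENT = re.compile(
    r"\b(owed|entitled|claim|instant(ly)?|compensation|refund)\b", re.I)
# Opt-out footer; STOP is kept case-sensitive, as it appears in real footers.
STOP_FOOTER = re.compile(r"(?i:\b(?:opt out|reply|text)\b).*\bSTOP\b", re.S)

SPAM_THRESHOLD = 3   # constructed: three of the four features


def score_message(text: str) -> dict:
    """Return the matched topics, the reasons for suspicion, and a verdict."""
    topics = [name for name, pat in SCAM_TOPICS.items() if pat.search(text)]
    reasons = []
    if topics:
        reasons.append("scam topic: " + ", ".join(topics))
    if MONEY_FIGURE.search(text):
        reasons.append("precise money figure")
    if ENTITLEMENT.search(text):
        reasons.append("entitlement or urgency language")
    if STOP_FOOTER.search(text):
        reasons.append("'text STOP' opt-out footer")
    score = len(reasons)
    return {"topics": topics, "reasons": reasons, "score": score,
            "is_spam": score >= SPAM_THRESHOLD}


def triage(messages: dict) -> list:
    """Return the labels of the messages the filter would hold back."""
    return [label for label, text in messages.items()
            if score_message(text)["is_spam"]]


# Constructed sample messages, not real spam captures.
SAMPLE_MESSAGES = {
    "ppi": "You are owed £3,750 in mis-sold PPI compensation. Reply CLAIM to "
           "receive your refund. To opt out text STOP",
    "accident": "Records show you had an accident that wasn't your fault. You "
                "are entitled to £2,500. Reply YES or text STOP to opt out",
    "loan": "Need cash fast? Instant loan decision, no credit checks. "
            "Text STOP to opt out",
    "reminder": "Dentist appointment reminder: Tue 3pm. To opt out of "
                "reminders text STOP",
    "friend": "Running late, see you at the pub at 8",
}


if __name__ == "__main__":
    for label, text in SAMPLE_MESSAGES.items():
        result = score_message(text)
        print(f"{label:9} score={result['score']} spam={result['is_spam']} "
              f"{result['reasons']}")
    print("held back:", triage(SAMPLE_MESSAGES))
```

Only the messages that combine several features cross the threshold; the dentist reminder matches the STOP footer alone and is delivered, which is the reason the article gives for not replying STOP to unsolicited texts: the footer has become part of the costume rather than a sign of legitimacy.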