STE WILLIAMS

Feds charge US firm with smuggling illegal military tech to Russia

Key personnel in a Texas-based electronics firm are among 11 people arrested over an alleged conspiracy to smuggle advanced microelectronics from the US to Russia.

Arc Electronics Inc allegedly acted as a conduit for the smuggling of high-tech components potentially useful in radar, weapons guidance, surveillance and other applications to Russia. The Feds said that evidence against Alexander Fishenko, 46, the Kazakh-born founder of Arc Electronics, and other suspects includes intercepted phone calls and emails. The evidence also includes a letter to Arc Electronics from a Russian lab affiliated to Russia’s Federal Security Service (FSB) – the successor to the KGB – complaining about defective microchips and demanding replacements.

The Feds allege that starting in October 2008, Fishenko (a US citizen since 2003) and his firm supplied “analog-to-digital converters, static random access memory chips, micro-controllers, and microprocessors” and other hi-tech components to Apex System, a Moscow-based procurement firm allegedly part-owned by Fishenko.

According to an FBI indictment, unsealed this week, Arc posed as a supplier of traffic light control kit while actually acting as an important supplier to the Russian military and intelligence agencies.

The defendants allegedly exported many of these high-tech goods, frequently through intermediary procurement firms, to Russian end users, including Russian military and intelligence agencies. To induce manufacturers and suppliers to sell them these high-tech goods and to evade applicable export controls, the defendants often provided false end-user information in connection with the purchase of the goods, concealed the fact that they were exporters, and falsely classified the goods they exported on export records submitted to the Department of Commerce.

For example, in order to obtain microelectronics containing controlled, sensitive technologies, Arc claimed to American suppliers that, rather than exporting goods to Russia, it merely manufactured benign products such as traffic lights. Arc also falsely claimed to be a traffic light manufacturer on its website. In fact, Arc manufactured no goods and operated exclusively as an exporter.

The suspects were arrested Tuesday and Wednesday. Feds executed search warrants at seven residences and business locations associated with the suspects, and seizure warrants were executed on five bank accounts held by Fishenko and Arc Electronics.

Arc has shipped approximately $50m worth of microelectronics and other technologies to Russia since it was established. According to the Feds, much of this inventory should never have been allowed to leave the US.

“The defendants spun an elaborate web of lies to evade the laws that protect our national security,” said US Attorney Loretta E Lynch in a DoJ statement on the case. “The defendants tried to take advantage of America’s free markets to steal American technologies for the Russian government. But US law enforcement detected, disrupted, and dismantled the defendants’ network.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/russia_micro_electronics_smuggling_charges/

Pilfering sysadmin gets four years and $2.3m fine for kit theft

A former Verizon network engineer is beginning a four-year jail term after being sentenced for scamming Cisco and Verizon out of millions of dollars worth of kit and fencing it through the reseller community.

For nearly a decade, Michael Baxter, 62, used his position at Verizon to order processors, cards, and other networking equipment from Cisco, saying it was needed to repair Verizon’s critical infrastructure. In fact, he was selling it and using the proceeds to fund a high-rolling lifestyle, including frequent foreign holidays and a round of plastic surgeries for his girlfriend.

“To accomplish his fraud, this defendant exploited a program designed to keep this critical infrastructure running uninterrupted: Cisco’s program for replacing expensive equipment on a moment’s notice,” said United States Attorney Sally Quillian Yates in a statement.

“He also abused his insider access to Verizon’s procurement system,” Yates said. “He funded a lavish lifestyle with his stolen funds and has now earned himself several years in a federal prison.”

Seven years after joining Verizon, Baxter began exploiting purchasing access to an extended warranty contract Verizon had with Cisco. If a part failed, Cisco undertook to get a new one sent out before receiving the old one in return, to deal with network outages more quickly. Baxter sent out hundreds of false failure reports for equipment, some costing up to $40,000 apiece, and then sold them to resellers.

Not content with this system, Baxter also had Verizon purchase around half a million dollars worth of kit from Cisco directly, again apparently for critical network operation. This too went out via the reseller market.

Baxter ran this scam for almost a decade before being found out and fired from Verizon. According to the FBI, he spent his purloined loot to buy jewelry, cars, and “extravagant international travel, and other personal luxury goods and services, including multiple cosmetic surgeries for his girlfriend.”

In addition to his sentence of four years in the big house (and three years of probation thereafter), Baxter was ordered to pay Cisco $2,333,241.18 in restitution and $462,828 to his former employer. Neither company is expected to see much of that since there’s not much of a market for second-hand breast implants, so the ruling will most likely bankrupt Baxter.

The fact that a network engineer was able to get away with such a relatively simple scam for almost a decade raises serious questions about the internal accounting of the companies involved. El Reg suspects that Baxter is not the only person involved in the affair that’s going to earn some hard time in the near future. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/bofh_jail_kit_theft/

GCHQ boss: Crypto-genius Turing brought tech to British spooks

The director of GCHQ Iain Lobban credited Alan Turing with bringing technology to Brit spooks in a speech marking 100 years since the late mathematician’s birth.

Lobban, who gave a talk at Leeds University last night as part of the famous Bletchley Park codebreaker’s centenary celebrations, also said the wartime crypto-boffin would be solving today’s computer security problems if he was alive today.

The boss of the UK’s eavesdropping nerve centre pointed out a few areas where Turing’s innovations are still directly used by GCHQ bods:

GCHQ mathematicians still use the ban, a unit of measurement originally devised by Turing and Jack Good to weigh the evidence for a hypothesis; standards for secure speech systems take the design of the voice encryption system devised by Turing as their starting point. I could even talk […] about our continuing use of Bayesian statistics to score hypotheses, in the way first developed by Turing and his cryptanalytic colleagues at Bletchley.
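A worked illustration of the ban Lobban refers to, added here and not part of his speech: the weight of evidence for a hypothesis is the common logarithm of the Bayes factor, so Bayesian updating becomes addition. The numbers (prior odds, likelihood ratios) are constructed for the illustration.

```latex
% Weight of evidence in bans (Turing and Good). For a hypothesis H and an
% observation E the Bayes factor is the likelihood ratio, and its weight of
% evidence in bans is its common logarithm:
W(E) = \log_{10} \frac{P(E \mid H)}{P(E \mid \neg H)}, \qquad 1\ \text{ban} = 10\ \text{decibans}.
% Bayes' theorem in odds form, O(H \mid E) = O(H) \cdot \frac{P(E \mid H)}{P(E \mid \neg H)},
% is therefore additive in bans:
\log_{10} O(H \mid E) = \log_{10} O(H) + W(E).
% For observations E_1, E_2 that are independent given H and given \neg H, the weights add.
% Constructed numbers: prior odds 1:1000, i.e. -3 bans; E_1 is 20 times more likely
% under H than under \neg H, and E_2 is 50 times more likely:
W(E_1) = \log_{10} 20 \approx 1.301, \qquad W(E_2) = \log_{10} 50 \approx 1.699,
\log_{10} O(H \mid E_1, E_2) = -3 + 1.301 + 1.699 = 0
\;\Rightarrow\; O(H \mid E_1, E_2) = 1:1, \qquad P(H \mid E_1, E_2) = \tfrac{1}{2}.
% In decibans the two observations contributed about 13.0 and 17.0 respectively,
% exactly cancelling the 30 decibans of prior disbelief.
```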

But beyond the specifics, Lobban said Turing’s single greatest contribution was to bring computers into GCHQ, thus turning the intelligence agency into the highly technological outfit that it is now.

Undoubtedly, the maths genius – who was born in June 1912 and died in 1954 – would be working on cyber-security if he were around today, Lobban said, at the place where the war for information is at its most complex and most critical:

Bletchley Park was really about exploiting the adversary’s information risk, while minimising our own. Today the Internet provides the virtual global landscape for an analogous struggle.

Lobban also paid tribute to Turing’s unique habits:

Of course there are many Turing stories: burying his silver bullion and then forgetting where he had buried it; chaining his mug to his radiator; cycling in his gas mask to ward off hay fever; play on a sense of eccentricity. But Turing was not an eccentric, unless you believe that there is only one way of being normal and to be otherwise is to be peculiar. Turing wasn’t eccentric: he was unique.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/turing_gchq_boss_speech/

Experts troll ‘biggest security mag in the world’ with DICKish submission

Security researchers have taken revenge on a publishing outlet that spams them with requests to write unpaid articles – by using a bogus submission to satirise the outlet’s low editorial standards.

Hakin9 rather grandly bills itself as the “biggest IT security magazine in the world”, published for 10 years, and claims to have a database of 100,000 IT security specialists. Many of these security specialists are regularly spammed with requests to submit articles, without receiving any payment in return.

Rather than binning another of its periodic requests, a group of researchers responded with a nonsensical article entitled DARPA Inference Checking Kludge Scanning, which Warsaw-based Hakin9 published in full, apparently without checking. The gobbledygook treatment appeared as the first chapter in a recent eBook edition of the magazine about Nmap, the popular security scanner.

In reality there’s no such thing as DARPA Inference Checking Kludge Scanning (or DICKS, for short) and the submission was a wind-up. Nonetheless an article entitled Nmap: The Internet Considered Harmful – DARPA Inference Checking Kludge Scanning appeared as the lead chapter in a recent eBook guide on Nmap by Hakin9.

This content is normally only available to paid subscribers. However the rib-tickling chapter can still be found here (PDF), perhaps for a limited time only.

“Maybe they were sick of Hakin9’s constant please-write-an-unpaid-article-for-us spam and decided to submit some well-crafted gibberish in response,” security researcher Gordon Lyon (Fyodor) wrote in a post to the popular seclists mailing list last week. “They clearly chose that title just so they could refer to it as DICKS throughout the paper. There is even an ASCII penis in the ‘sample output’ section, but apparently none of this raised any flags from Hakin9’s ‘review board’.”

The nine-page article includes references to “the 10th-percentile latency of NMAP, as a function of popularity of IPv7”, and its writers cite 27 references, including seminal journal articles like “Towards the Synthesis of Vacuum Tubes” and “Decoupling 802.11 Mesh Networks From Hierarchical Databases in DNS”.

All, of course, complete cobblers from the authors, credited as Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard and Mark Dowd.

“All credit for the Hakin9 article belongs to @endrazine [Jonathan Brossard] http://seclists.org/nmap-dev/2012/q3/1050 Hopefully the end result will be less Hakin9 spam in your inbox,” said Jon Oberheide, in a Twitter update.

Lyon – the original developer of Nmap – reckons the authors used the Automatic CS Paper Generator as a starting point but this remains unconfirmed.

Amusingly, Hakin9 is now threatening unspecified legal action unless Lyon pulls the guide and his initial post ridiculing the publication of the nonsensical article.

“I guess they expected the security community to be impressed by their DICKS, but instead they faced scorn and ridicule,” Lyon writes in a follow-up post to seclists. “Now they’re so embarrassed by everyone mocking their DICKS that they had their lawyer send me a removal demand.”

Despite these quasi-legal threats, Lyon (along with several other security researchers) still received a request to submit an article to Hakin9 on Wednesday. “Anyone have good ideas for what I should submit? Maybe a paper on the Continuously Updating Nmap Technology System,” Lyon suggested.

The incident prompted one advertiser to withdraw support from Hakin9. “We have officially withdrawn any advertisement investment from HAKIN9 in response to the nmap guide fiasco,” eLearnSecurity said.

The whole episode recalls the so-called Sokal hoax. Alan Sokal, a physics professor at New York University, submitted a nonsensical article to Social Text, an academic journal of postmodern cultural studies in 1996. The submission was designed to test whether the journal would publish an article “liberally salted with nonsense if it (a) sounded good and (b) flattered the editors’ ideological preconceptions,” as Sokal explains.

Social Text, much like Hakin9, fell for the ruse.

We approached Hakin9 for a comment on this story but are yet to hear back. We’ll update as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/hakin9_silliness/

Tablet security study finds BlackBerry still good for something

A technology audit has identified security failings in three of the most popular tablets, raising concerns about the security implications of allowing workers to use their personal technology at work.

A study by Context Information Security looked at Apple’s iPad, Samsung’s Galaxy Tab and RIM’s BlackBerry PlayBook, and concluded the Samsung device was the least enterprise-ready of the trio. While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies – including desktop software that fails to encrypt backups by default.

The BlackBerry was the only device of the three found to provide good separation between personal and work data, something that ought to be a key feature in supporting the growing trend of Bring Your Own Device (BYOD).

All three tablets supported Exchange ActiveSync, a factor that means their core security configurations can be managed from a central Exchange server. But differences in security controls affect their suitability for enterprise use. These security controls included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

The iPad has robust data protection and damage limitation facilities. However, its security shortcomings include the regularity of new jailbreak attacks, and ineffective disk encryption unless a strong passcode policy is applied. And although the iPad’s disk encryption scheme is well designed, the default behaviour for iTunes backups is to store files in clear text, obviously unacceptable for the storage of potentially sensitive corporate data. Much the same back-up approach is adopted with the BlackBerry PlayBook.

The Samsung tablet does not ship with a locked bootloader, and its built-in disk encryption is less well supported, making it more difficult to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on any unencrypted SD card inserted into the device.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a shortcoming the kit shared with the iPad. The BlackBerry PlayBook, by contrast, provides “excellent logical and data separation between work and personal modes” thanks to its Balance architecture – which allows secure wipes of biz data from the device by the employer while leaving personal information intact – combined with its built-in Bridge content-porting application.

Context Information Security’s report, entitled Tablets – A Hard Pill to Swallow (available here), measures the robustness of the security controls on the three popular tablet platforms.

We can’t stop BYOD

Jonathan Roach, principal consultant at Context and author of the report, concludes that even though security controls are easier to apply on traditional desktops and laptops, the trend towards allowing workers to bring their own devices into work is unstoppable.

“It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before,” Roach said. “The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”

Many security vendors are marketing third-party tools designed to overcome some of the security shortcomings surrounding the use of consumer devices in corporate environments.

Roach indicated that these tools are likely to help correct some of the issues the study outlined but it’s not clear how much. The effectiveness of BYOD management and security tools was beyond the scope of Context’s initial study into the security of tablet devices but may become the topic of follow-up research. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/tablet_security_audit/

Microsoft puts Patch Tuesday on a diet, fixes Office flaw

Microsoft is planning a light October edition of its regular Patch Tuesday updates next week that focuses on Office flaws and features just one critical patch.

The critical bulletin features a vulnerability in Microsoft Office 2003, 2007, and 2010 as well as Word Viewer and Microsoft Office Web Apps. Office for Mac is not affected. The critical vulnerability designation is “not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability,” Wolfgang Kandek, CTO of security tools firm Qualys, writes.

The vulnerability is of a type that might easily lend itself to malware attacks, so caution is advisable even though nothing bad has been reported as yet. “We recommend being alert for the first Bulletin and prepare for a fast roll-out of that update,” Kandek added.

The other six bulletins are all rated important. Three of the upcoming updates affect components of the Office family (Works 9, InfoPath and SharePoint) while two involve privilege elevation flaws in Windows. The final bulletin covers an update for all versions of MS SQL Server, also tackling a local escalation-of-privilege vulnerability.

The light Patch Tuesday in October follows a scramble to fix a Java-related 0day security vulnerability affecting all versions of Internet Explorer last month. Redmond addressed the issue with an out-of-schedule patch five days after it first appeared in attacks and exploits.

Marcus Carey, security researcher at Rapid7, commented: “It should be a relief to many that none of the bulletins requires immediate attention, as none of them address vulnerabilities being exploited in the wild; all were privately reported vulnerabilities. This means that there isn’t any publicly known exploit code for this month’s bulletin cycle.”

Carey added that Microsoft’s October updates will disallow the use of certificates with keys shorter than 1024 bits, a measure introduced to tighten up security shortcomings and, specifically, to counter the kind of exploit used by the Flame cyber-espionage tool. “This could result in headaches for organisations who still have legacy certificates in production. This weekend will be the last weekend to clean up legacy certificates before next Tuesday,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/ms_october_patch_tuesday_pre_alert/

Microsoft beefs up cloud login security in PhoneFactor gobble

Microsoft has bought PhoneFactor, the maker of software that allows punters to securely identify themselves to computer systems using their mobiles. Terms of the deal, announced yesterday, were undisclosed.

The snapped-up biz offers phone-based authentication as an alternative to physical security tokens that can, for instance, be plugged into a PC to grant remote access to a corporate network.

PhoneFactor instead offers tokens stored by software on phones or out-of-band text message codes that can be entered into a website or other system. The technology already works with many Microsoft products and services, including Outlook Web Access and Internet Information Services, as well as interoperating with Active Directory.

Redmond said the deal to acquire PhoneFactor will allow it to “bring effective and easy-to-use multi-factor authentication to our cloud services and on-premises applications”.

Timothy Sutton, PhoneFactor chief exec, has blogged about the gobble, and there’s an FAQ on the agreement here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/ms_buys_phonefactor/

Security mess sends Kiwi auction site titsup in two days

A New Zealand auction website has shut after just a day, thanks to IT professionals who noticed extraordinarily relaxed security operations.

The site in question is Wheedle.co.nz, which currently says “unforeseen technical problems” have “postponed further activity on the website.”

Postp0wned may be a more accurate term, as blogger Ben Gracewood noticed the URL wheedle.co.nz/search/editprice. Visitors to that address could indeed edit the price of goods up for auction, and even peer at the reserve price. Other users complained of a password reset scheme that saw their secret words sent in plaintext in emails. Allegations also surfaced that the software responsible for sending out password reminders had been accessed, with the result that account holders received multiple password-related emails.
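The two failures described above, as an added example that is not Wheedle’s code: a price-edit handler with no authentication or ownership check (and a response that leaks the reserve) beside a hardened one, plus a password reset that e-mails a single-use token rather than the password. The listings, users and session tokens are constructed sample state; `LISTINGS`, `SESSIONS` and the function names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Listing:
    listing_id: int
    owner: str
    price: float
    reserve: float  # reserve price: only the seller should see this

@dataclass
class User:
    salt: bytes
    password_hash: bytes
    reset_token_hash: Optional[bytes] = None  # hash of an outstanding one-time token

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, hash_password(password, salt))

# Constructed sample state: two sellers with one listing each, both logged in.
USERS = {"alice": make_user("correct horse"), "bob": make_user("hunter2")}
LISTINGS = {1: Listing(1, "alice", 100.0, 80.0), 2: Listing(2, "bob", 30.0, 25.0)}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session token -> username

def vulnerable_edit_price(listing_id: int, new_price: float) -> dict:
    """The failure mode: whoever reaches the URL can change any listing's price,
    and the response leaks the reserve."""
    listing = LISTINGS[listing_id]
    listing.price = new_price
    return {"price": listing.price, "reserve": listing.reserve}

def edit_price(session_token: str, listing_id: int, new_price: float) -> float:
    """Hardened: authenticate, check ownership of this listing, validate input."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not authenticated")
    listing = LISTINGS.get(listing_id)
    if listing is None:
        raise KeyError("no such listing")
    if listing.owner != user:
        raise PermissionError("not the seller of this listing")
    if new_price <= 0:
        raise ValueError("price must be positive")
    listing.price = new_price
    return listing.price

def view_listing(session_token: Optional[str], listing_id: int) -> dict:
    """Public view of a listing; the reserve is included only for its seller."""
    listing = LISTINGS[listing_id]
    view = {"listing_id": listing.listing_id, "price": listing.price}
    if SESSIONS.get(session_token) == listing.owner:
        view["reserve"] = listing.reserve
    return view

def request_password_reset(username: str) -> str:
    """Return the single-use token that would be e-mailed; only its hash is stored,
    and the current password never appears in the message."""
    token = secrets.token_urlsafe(32)
    USERS[username].reset_token_hash = hashlib.sha256(token.encode()).digest()
    return token

def reset_password(username: str, token: str, new_password: str) -> bool:
    """Consume the token (constant-time compare) and store a freshly salted hash."""
    user = USERS[username]
    if user.reset_token_hash is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.reset_token_hash = None  # single use
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)
    return True

def verify_password(username: str, password: str) -> bool:
    user = USERS[username]
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
```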

Before those issues came to light the site staggered beneath big launch-day traffic loads that took it offline. Revelations that the site hired programmers based in India led to some raised eyebrows among Kiwi coders, and competitive sniping from other startup Kiwi auction sites as noted in the National Business Review.

Making the situation more juicy is the fact that the site Wheedle aimed to take down – in a competitive sense – is owned by Fairfax Media, the Australian-owned publisher of ComputerWorld in New Zealand. Needless to say, Fairfax’s New Zealand outlets have not let the failure of Wheedle go un-noticed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/05/wheedle_feeble/

Europe UNDER ATTACK in simulated cyber security test

European banks teamed up with information security agencies and governments to run a DDoS cyber-attack preparedness exercise today.

Cyber Europe 2012, a simulated cyber security attack involving 300 cyber security professionals, is being co-ordinated by European Union security agency ENISA. It’s the second exercise of its type, following the running of a similar pan-European simulated DDoS attack scenario two years ago. “Compared to the 2010 exercise, Cyber Europe 2012 has grown considerably in scope, scale and complexity,” according to a statement by ENISA.

Four countries are observing the exercise and 25 countries are actively participating. Using the lessons learned from Cyber Europe 2010, the private sector (from finance, ISPs and eGovernment) is taking part for the first time. In the exercise, public and private participants across Europe will take action at the national level. At the same time, public participants will cooperate across borders.

The scenario for Cyber Europe 2012 combines several technically realistic threats into one simultaneously escalating Distributed Denial of Service (DDoS) attack on online services in all participating countries. This kind of scenario would disrupt services for millions of citizens across Europe.

The complexity of the scenario allows for the creation of enough cyber incidents to challenge the several hundred public and private sector participants from throughout Europe, while at the same time triggering cooperation. By the end of the exercise, the participants will have had to handle more than 1000 injects (simulated cyber incidents).

The exercise is designed so that it avoids affecting real networks, systems or services.

Paul Lawrence, VP International Operations at Corero Network Security, praised the exercise as a useful step towards enabling government to work together with the private sector in coming up with best practice for repelling cyber-attacks.

“What is interesting about the ENISA’s 2012 attack scenario is that it will combine several technically realistic threats into one simultaneously escalating Distributed Denial of Service (DDoS) attack,” Lawrence said. “This goes to show that DDoS attacks have gone from a minor annoyance carried out by bedroom hackers, to a serious security threat that ENISA feels needs to be addressed. The recent attacks on US banks just go to show the increasing sophistication of hackers, or cyber criminals, and that any site can be brought down – even some of the most well-protected organisations.”

DDoS attacks “have become a regular staple in many hackers’ toolkits”, Lawrence commented, adding that firewalls alone provide little effective protection.

Other security watchers question how useful and realistic the simulated attacks will be. After all, DDoS attacks are only one of the threats that businesses face. Hacking using malware or other tactics to obtain corporate secrets or financial data is an even more potent threat. All this is outside the scope of the simulated attacks Cyber Europe 2012 will test against.

A six-minute video nicely illustrating the varied techniques a hacking crew might use to break through corporate security before extracting valuable data can be found here. The dramatisation, put together by Rik Ferguson of Trend Micro, is based on a true story of how an (unnamed) global corporation was hacked, costing the victim more than $60m. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/simulated_cyber_security_attack_exercise/

UK.gov to spunk £2m a year policing global cyber-security

BCC The UK will spend an extra £2m every year on improving international computer security defences, including a research centre for businesses and countries to tap into.

A senior Foreign Office official said last night Blighty was focussed on helping enterprises overseas and nations to sort out their cyber-security.

“This centre will try to answer questions about where countries should get help and where donors should give their money,” the official said, speaking just ahead of the Budapest Conference on Cyberspace (BCC). The event follows London’s inaugural confab last year.

The UK already gives money to the EU, the Commonwealth and other regions to help them shore up their computer security systems. However, the official said some of those schemes were one-off projects and didn’t have long-term goals, hence the need for a new centre to oversee efforts.

Responding to a question about whether the new centre would be busily promoting British companies, he said that “market mechanisms have a part to play in [security defence] capacity building”.

The new centre will get a home at one of the eight “academic centres of excellence” – universities given a special status for security research including Oxford, UCL, Southampton, Queen’s Belfast, Lancaster, Bristol, Imperial College and Royal Holloway of London.

The official also said that since last year’s conference in London, the government had put “a lot of energy” into building up confidence with countries that have different policies on the openness of the internet like China and Russia.

The conference in Budapest starts today and will feature speeches from government figures, such as the Prime Minister of Hungary Viktor Orban and the vice-minister of foreign affairs and trade in South Korea Kim Sung-Han, as well as speakers from bodies including the ITU and the OSCE. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/04/uk_cyber_security_centre/