STE WILLIAMS

A Frenchman has been cleared of wrongdoing after a court accepted he accessed the Bank of France’s internal telephone systems by accident.

An unnamed 37-year-old Breton longed to avoid premium-rate calls while using Skype back in 2008, and set about hunting for a cheap-rate gateway number to the public networks. But he inadvertently dialled a number for the Bank of France’s debt service system, which picked up the call but did not identify itself. The bank’s back-end computer waited for a valid passcode to be keyed in, and the jobless bloke simply pressed 1, 2, 3, 4, 5 and 6, according to his lawyers.

The access triggered an alarm that led to the suspect’s arrest two years later and subsequent trial. The Bank of France suspended services for 48 hours as a result of the phone call. The financial institution’s spinners assured AFP that the man was not able to access sensitive data, although according to some reports the trivial passcode was enough to enter the phone system.

The hard-up bloke submitted his home address when registering for voice-chat service Skype, so the length of time leading up to his arrest is puzzling – but it may have something to do with the fact that the Bank of France’s loan telephone service is actually in Luxembourg.

Judges sitting in a criminal court of Rennes, northwest France, dismissed the case against the man on Thursday, citing the prosecution team’s failure to demonstrate any criminal intent in his actions.

A report by Nouvel Observateur on the case can be found here (in French). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/21/bank_of_france_phone_hacker/

Chinese hackers have taken up cyber arms and followed up widespread anti-Japan protests in the People’s Republic over a set of disputed islands by attacking at least 19 Japanese government and other web sites.

Japan’s National Police Agency (NPA) revealed that 11 of the 19 sites, including those of the Defence Ministry and Internal Affairs and Communications Ministry, appeared to have been hit by Distributed Denial of Service attacks, Kyodo reported.

The remainder, including those of the Supreme Court and the Tokyo Institute of Technology, were defaced with pictures of the Chinese flag.

The web sites of banking, utilities and other private companies were also hit, although most now appear to be back up and running as normal.

Things got even worse for the the Tokyo Institute of Technology, whose site was defaced endured an attack that saw names and telephone numbers of over 1,000 members of staff leaked.

The NPA confirmed to AFP that 300 Japanese web sites were short-listed for attack on a message board of Chinese hacktivist group Honker Union, while around 4,000 individuals had posted messages about planned attacks on Chinese chat site YY Chat.

The dispute over the Diaoyu islands, or Senkaku as they’re known in Japan, intensified last week when the Tokyo decided to buy them from the Japanese family who had owned them for the past 100+ years. The uninhabited islands have only been actively claimed by China and Taiwan until the late 1960s when it was discovered they may house oil deposits.

The protests took a turn for the ugly earlier this week given 18 September marks the day of the Mukden, or Manchurian, Incident of 1931, which led to the Japanese invasion of China. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/21/japan_china_attack_sites_senkaku/

A Galaxy SIII running Android 4.0.4 was infected with malware over an NFC connection at a hacking contest in Amsterdam using nothing more than a bump in the dark.

Full details of the vulnerabilities exploited haven’t been revealed by the team, who came from MWR InfoSecurity and were showing off at Mobile Pwn2Own this week, as they are giving Samsung and Google time to issue a patch. An iPhone 4S was also compromised via a WebKit bug during the competition between security bods.

The Galaxy SIII infection was accomplished using Android’s Beam application to send a file, which is executed thanks to a buffer overflow attack, allowing the hackers to escalate privileges to superuser level and establish a network connection to a remote server. The assault hands over complete control of the device and allows the data within to be siphoned off.

Android devices with NFC use Beam as a simple file exchange mechanism, but they’re not supposed to execute received files. The vulnerability probably extends to any other Android device running Ice Cream Sandwich with NFC enabled, and might well extend to Jelly Bean as well although the team admits that might be harder.

The attack is a two-stage process: one vulnerability is used to get the received file to execute, and a second tool is then used to escalate privileges and gain access to private data. The randomised positioning of critical software components in memory – a security technique employed by Android and many other operating systems – makes that escalation challenging; over a hundred attempts were required during the demonstration, but those attempts can be made after the infection and took less than a minute anyway.

Jelly Bean apparently has more memory locations at which components are stored, decreasing the chance of finding the exact data or instruction address needed to further an exploit, but the team doesn’t know how much that helps, or isn’t saying.

The details are promised later, once the vendors involved have had a chance to fix it. The NFC execution should be an easy fix, one would hope, but the other part of the attack may prove harder to mitigate against. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/21/android_nfc/

Hackers bent on espionage have infiltrated a large oil company in the Philippines, an energy biz in Canada and a military organisation in Taiwan among others, claim researchers.

The crooks also targeted other as yet unidentified businesses in Brazil, Israel, Egypt and Nigeria, according to the preliminary results of a probe by Dell SecureWorks. The researchers have been tracking the hackers’ so-called Mirage campaign for about five months since April.

Secureworks reckons the group behind these latest attempts to obtain company secrets are the same miscreants who launched attacks against a Vietnamese petroleum firm and others in February in the so-called Sin Digoo affair. Email addresses linked to command servers associated with the Mirage campaign also emerged in the Sin Digoo op.

“This indicates that either the actors behind both the Sin Digoo Affair and Mirage APT [Advanced Persistent Threat] campaigns are the same person, or they are working within the same hacker group,” the Dell SecureWorks team concluded in a report.

One of the people behind the Sin Digoo campaign previously ran a blackhat search engine optimisation business, which uses shady techniques to boost clients’ websites up search rankings. And the malware used to infect corporate machines in the Mirage espionage disguises its connections to the hackers’ server as harmless Google search queries. It pulls off this trick by crafting HTTP requests that look like typical lookup requests to Google’s search engine frontend. Targeted emails containing booby-trapped attachments are used to push inject the Mirage Trojan onto Microsoft Windows PCs.

Victims are simply tricked into executing the files, at which point the malicious software installs itself and phones home with the specifications of the infected computer. It is not immediately clear exactly what kind of data is stolen by the spying software. Some variants of the worm include a line from The Matrix: “Neo, welcome to the desert of the real.” Another variant includes a lyric from the REM song It’s the end of the world as we know it.

The IP addresses of the systems used by hackers to remotely control Mirage-infected machines belong to the China Beijing Province Network (AS4808), as did three of the IP addresses used in the Sin Digoo campaign. “AS4808 is known for many other connections to malware and is considered by some to be a hotbed of espionage C2s [command and control servers],” SecureWorks concludes.

More details on the espionage campaign can be found on the SecureWorks website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/21/mirage_cyberespionage_campaign/

A security researcher says some versions of the Oracle database contain a vulnerability so serious that anyone with access to the server over a network can crack database passwords using a basic brute-force attack, given nothing more than the name of the database and a valid username.

“This is a critical issue because it’s very easy to exploit, and it doesn’t require any privileges,” AppSec’s Esteban Martinez Fayó said in an interview with Dark Reading.

According to a report issued on Thursday by Kaspersky Labs’ Threatpost, the vulnerability stems from a fundamental flaw in the logon authentication protocol used by Oracle Database 11g Releases 1 and 2.

Normally, Oracle databases maintain connections with clients by issuing each a unique value known as a Session Key. But affected versions of Oracle 11g send the Session Key before the user is fully authenticated. As a result, an attacker can send a username, receive a Session Key, then hang up the connection and use the Session Key to guess the user’s password.

“The attacker can perform a brute force attack on the Session Key by trying millions of passwords per second until the correct one is found,” Fayó said, adding, “This is very similar to a SHA-1 password hash cracking.”

According to Fayó, he and his team first alerted Oracle to the bug in May 2010. It was fixed in mid-2011, he says, but the patch was not included in a Critical Patch Update, and it only solved the problem by issuing a new, incompatible version of the authentication protocol, version 12.

Even when the patch is applied to a database, it will still use version 11.1 of the protocol by default. To get up and running with version 12, database servers and clients must both be patched, which means a large number of organizations are still using version 11.1 – and are therefore still vulnerable.

According to Fayó, Oracle currently has no plans to patch version 11.1 of the protocol to fix the flaw, and they aren’t doing much to help customers migrate to version 12, either.

“The only comment from them was a paragraph about a new protocol fixing some security issues,” he said. “They haven’t said anything that made people aware to update the database and all of the database clients.”

Mind you, brute-force attacks are not the easiest way to crack a password, since they essentially involve exhausting every possible combination of characters until the right combination is found. And Fayó says advanced cracking techniques, such as rainbow tables, can’t be used to exploit this vulnerability, because of the way Oracle’s cryptography is designed.

Still, he says, GPU acceleration and hybrid dictionary attacks can speed up the process of guessing passwords considerably, and Fayó has developed a proof-of-concept attack that can crack eight-character Oracle passwords in around five hours using standard CPUs.

In lieu of a fix from Oracle, Fayó recommends several work-arounds. One is to wrap database connections in some additional form of authentication, such as SSL or directory services. Another is to disable version 11.1 of the authentication protocol altogether and use an earlier version, such as 10g, which isn’t vulnerable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/21/oracle_11g_db_password_flaw/

Dutch hackers have exploited a WebKit bug in mobile web browser Safari to rinse an iPhone 4S of its photos, address book contacts and its browser history. The flaw exists in Apple’s iOS 5.1.1 and the latest developer preview of iOS 6, the first public build of which was released last night to fanbois.

It should thus affect iPhones, iPads and modern iPods – including the iPhone 5 due out tomorrow.

The vulnerability could also exist in BlackBerry and Android phones, which also use the WebKit engine in their built-in web browsers, although the hack hasn’t been tested on these platforms.

The bug was demonstrated by the team at small biz Certified Secure at the Pwn2Own Mobile hacking contest in Amsterdam this week. A Samsung Galaxy S3 was also broken into and compromised by a separate team at MWR Labs using wireless NFC technology, but the iPhone hack is regarded as a far more serious breach: Apple’s handset is known for its strong defences against security attacks, even though it only took the Dutch hackers a few weeks to build their exploit; WebKit is a widely used engine for web browsers; and NFC has a range of a few centimetres and can be switched off.

Simply visiting a malicious web page with Safari is enough to trigger the infiltration: specially crafted JavaScript code is able to attack the internal operation of Webkit to such an extent that memory can be arbitrarily overwritten in the iPhone. This allows the hackers to construct a new block of executable instructions to which the device’s ARM processor is then redirected. This safely bypasses Apple’s code-signing security system – that only allows authorised executables to run – and other defences, such as address space layout randomisation. The hackers are free to then raid the phone for data and fire it off to a remote server.

Joost Pol and Daan Keuper of nine-person company Certified Secure earned themselves $30,000 by pulling off the exploit in the contest. Security bods were challenged to break into a range of hardware and earn prizes for successfully compromising the gadgets.

Pol and Keuper said it took them relatively little time to twist their way into the iPhone – three weeks as an after-work project.

“We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation,” Pol said in an interview. He continued:

The easy part was finding the WebKit zero-day. It was a basic vulnerability but we had to chain a lot of things together to write the exploit.

Email and SMS were not not available because they were sealed off from the hijacked Safari process and separately encrypted.

Pol said it was significant that they had pulled off the exploit on an iPhone because, in his mind, that was considered the most secure handset of the Blackberry, Android, Windows Phone and Nokia Symbian kit up for attack.

Pol left with this warning:

The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It’s simple as that. There are a lot of people taking photos on their phones that they shouldn’t be taking.

Pwn2Own is a yearly security conference running since 2007, and this year is the first one specifically targeting mobile phones. Pol and Keuper said they have since destroyed all copies of their exploit.

Apple has not responded to questions about the weakness. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/20/iphone_hack_photos_contacts_taken/

Tools designed for testing server and network defences are being snapped up by hacktivists to launch denial-of-service attacks on websites.

More and more assaults are concentrating on knackering web apps and the HTTP server software running it, rather than simply flooding the underlying stack with bogus traffic to exhaust resources and bandwidth, according to the latest edition of Imperva’s Hacker Intelligence report.

This type of attack may be directed at specific flavours of web servers such as IIS or Apache, or to specific applications, such as SharePoint – Microsoft’s content management server software.

The latest and most popular distributed denial-of-service (DDoS) tools include LOIC, SlowHTTPTest and railgun. The use of the latter two white-hat tools shows how black-hat hackers have begun running attacks that utilise white-hat testing tools. Attacks analysed by Imperva in its report include network assaults by hacktivists in Bahrain, Colombia and Russia as well as web blitzes against businesses linked to DDoS-for-hire scams. DDoS attacks typically run from botnet networks of compromised computers.

In many cases the distinct signature of each weapon can be used to devise effective filtering rules.

“Denial-of-service is a primitive, yet popular attack vector, for politically and profit-motivated hackers,” said Tal Be’ery, a senior web researcher at Imperva. “DDoS can gridlock enterprise resources to a halt, just like traffic on the highway, but organisations can mitigate these effects by learning how to identify and protect against malicious traffic.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/20/ddos_trends_imperva/

Cyber criminals from Eastern Europe present a more sophisticated information security threat to Western firms than their rivals in East Asia, according to a surprising new assessment of the global threat landscape by a former White House cyber security advisor.

Peter the Great vs. Sun Tzu is a new report from Tom Kellerman, cyber security VP at Trend Micro and until recently a commissioner sitting on The Commission on Cyber Security for the 44th Presidency.

In it, he reveals seven reasons why the researchers at Trend Micro believe “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts”.

Ever since the Operation Aurora attacks on Google and scores of other businesses came to light in 2010, targeted attacks or Advanced Persistent Threats (APTs) originating in China have accounted for the majority of high profile campaigns publicised in the media, including Night Dragon, Ixeshe and Luckycat.

However, Eastern European cyber criminals tend to use more sophisticated, customised malware, built without third party tools and often featuring “robust anti-debugging techniques and complex command-and-control”, according to Kellerman.

Eastern European attacks are a legacy of high quality science and maths education in Soviet bloc countries. Kellerman says the highly competitive nature of the Eastern European underground also helps to produce malware “ so elegantly crafted as to be the ‘Faberge Eggs’ of the malware world.”

Infrastructure including DNS servers also tends to be developed in-house, with the cyber hoodlums aiming to maintain control of the entire stack.

East Asian operators, by contrast, use cheap, hosted infrastructure as they’re less bothered about being identified. They also tend to employ simpler, off-the-shelf malware to get the job done.

Eastern European hackers are organised in small, independent mercenary units which live or die by the quality of their work and are motivated solely by profit, meaning they’re capable of more precise and focused attacks and aim to steal credentials that can be sold on the black market.

The report likens East Asian cyber criminals, on the other hand, to “cyber foot soldiers” tasked with gathering information for their commanders – more focused on longer term strategies and better insulated from any losses or failures.

Given that reputation and profit is everything, hackers from the former Soviet bloc go to great lengths to stay hidden, whereas their East Asian rivals, once inside the network concentrate on “lateral movement, use of command-line tools, and passing of credentials”, the report said.

“The thousand grains of sands approach is symbolic of an East Asian colonisation as the reconnaissance is ongoing and the battlefield not necessary prepped like the East European model,” wrote Kellerman. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/20/eastern_european_hackers_beat_asia/

Sophos users woke up to mayhem on Thursday after the business-focussed antivirus firm released an update that classified itself and any other update utility as a virus.

As a result enterprise PCs running the application went haywire, generating false positives reporting SSH/Updater-B malware. Sysadmins were bombarded with automated alerts by email about the bogus problem. The issue was resolved with a functional update, issued on Wednesday evening.

For many, troubles continue because many endpoints and corporate networks hit by the false positive have been left with systems that can no longer update themselves properly because the required functionality has been consigned to quarantine.

A knowledgebase article from Sophos explaining what to do to resolve the problem can be found here.

False positives hitting antivirus updates have affected all vendors from time to time. The consequent problems are at their worst when Windows operating system files are falsely classified as potentially malign and quarantined, resulting in unstable or unusable Windows boxes.

Sophos’s auto-immune screwup caused just as much if not more pain, judging by the large number of reader emails we’ve already received on the topic.

“About 9.20 this evening, every PC on my network (about 100 of them) started sending me an email every 10 minutes saying that a virus had been detected in one of the DLL files of Sophos Endpoint Security Control,” said Reg reader Iain H in an email that’s typical of those we’ve received.

“It’s obviously a nasty false positive – in that it is disabling the AV itself so (a) we’re open to threats and (b) it may not be able to update itself when the new signatures are released,” added the hard-hit admin.

Iain spent some time trying to get someone from Sophos support on the phone before receiving confirmation that a false positive was behind the snafu.

“It’s a bit of a face-plant: classifying your own product as a virus. Still, I am sympathetic. Whilst ‘friendly fire’ is never a good thing, it’s perhaps an inevitable accidental consequence of any long-running and intense conflict. However friendly fire normally means shooting your friends – not your own foot,” he added.

Questions will inevitably arise about Sophos’s testing and quality assurance process in the aftermath of the screw-up. Glenn C explains the impact of the problem.

“A fix was quickly released from Sophos but the auto-update program was quarantined and wasn’t allowed to run.  For a home user, a quick disabling of on-access scan, update, re-enable on-access scan and remove any items marked with the Shh/Updater-B virus from quarantine fixed the issue,” he said.

“For corporate users, it was a little more problematic as it’s not possible to remove items from the quarantine using the Enterprise Console. You can use the Enterprise Console to push out a new policy with either on-access disabled (not recommended) or at least excluding the Sophos auto-update folder from on-access scanning.  This meant it was possible to get the latest update out to the clients – however it is still necessary to go to every single impacted system and clean out the quarantined items. Ouchie.”

Customer discussion of the issue can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/20/sophos_auto_immune_update_chaos/

Microsoft is promising to release an emergency patch that tackles a zero-day vulnerability in Internet Explorer on Friday.

In the meantime, the software giant is pointing customers towards a temporary fix, issued on Wednesday. The stop gap fix uses Redmond’s “application compatibility shim mechanism” as a sort of battlefield field dressing to fix a flaw in Internet Explorer that is under active attack. The release of the stop gap fix updates an advisory admitting the flaw and explaining possible workarounds first issued earlier this week.

Corporates are probably best advised waiting for a proper patch from Microsoft on Friday, a blog post by Wolfgang Kandek, CTO at Qualys, advises.

“The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported,” Kandek writes.

Security researcher Eric Romang discovered a 0-day exploit for Internet Explorer on an attack site in Italy. Analysis of the exploit revealed that it works against IE 7,8 and 9 running Adobe Flash on fully-patched Windows XP, Vista and 7 machines. Attack scenarios simply involve tricking Windows users into visiting a booby-trapped website, Rapid7 (the firm behind the Metasploit pen test tool) warns.

The exploit has been tied to the Chinese hackers behind the recent infamous Java zero-day flaw. AlienVault reports that the zero day is being used in attacks that install the Poison Ivy Trojan, the same payload spread by the earlier Java zero-day flaw.

The appearance of the Java zero-day prompted widespread calls from member of the security community to uninstall Java or at least remove Java plug-ins from browsers.

Java is not required for the majority of websites.

The appearance of the internet Explorer zero-day has also prompted a debate. A German government agency advised citizens to avoid browsing the web with internet Explorer until the software was properly patched. The Federal Office for Information Security (BSI) advised consumers and business to switch to alternative browsers instead.

Rik Ferguson, director of security research communication at Trend Micro, advises against this type of knee-jerk reaction to the latest IE flaw. Google’s Chrome and Mozilla Firefox, the most popular alternatives to IE, are no more immune to vulnerabilities or zero-days than Microsoft’s oft-criticised browser software, Ferguson points out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/20/ie_zero_day_latest/