STE WILLIAMS

Middle Eastern Gauss malware could be state sponsored

Security firms are investigating what looks to be another piece of state-sponsored malware, which has been targeting banks in the Middle East and distributing an unknown payload.

Dubbed Gauss by Kaspersky Lab, the malware at first looked like a module of the highly sophisticated Flame virus but has now been recognized as a separate entity. Its earliest known samples date from September 2011, and over 2,500 infections have been logged by Kaspersky's cloud network.

“Gauss was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state sponsored operation,” Kaspersky’s report on the malware states.

Gauss is designed to infect Windows systems and harvests browser data and login credentials for online banking and payment services, including PayPal, Citibank and a number of Lebanese banks such as the Bank of Beirut and Fransabank.

The infection pattern is curiously localized. The vast majority of infections are in Lebanon, with Israeli and Palestinian computers making up the bulk of other victims, plus a smattering of appearances in other Middle Eastern countries.

[Map: Gauss infections are curiously localized]

It also carries a separate, encrypted payload, which it copies to any USB drive plugged into a Gauss-infected machine. When that drive is used on another PC, the malware collects the new system's configuration (data such as its OS, network shares, proxy settings and URL history) and checks it against a value stored in the malware code; the payload only decrypts and runs when the configuration matches. The USB component is also built to remove itself after a limited number of runs, reducing its chance of being noticed. Because the decryption key is recomputed from the target's configuration rather than stored in the sample, the payload cannot be decrypted by an analyst who does not know what that configuration is.

“The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload,” said Kaspersky, after its experts were unable to break the encryption.
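The following is an added illustration of the environment-keyed design described above, not code from Gauss or from Kaspersky's analysis. It ships a ciphertext plus a hash of the key, never the key itself; the key is re-derived from the host's configuration, so the payload only decrypts on a machine whose configuration matches, and an analyst holding only the sample has to guess the configuration. The choice of configuration strings, the 10,000-round MD5 stretching, the RC4 cipher and all names and sample values here are assumptions made for the demo.

```python
import hashlib

# Constructed sample "target" configuration (assumption for the demo):
# directory names under %PROGRAMFILES% and the PATH of the intended victim.
TARGET_PROGRAM_DIRS = ["Common Files", "Internet Explorer", "CustomAccountingSuite"]
TARGET_PATH = r"C:\Windows\system32;C:\Windows;C:\Program Files\CustomAccountingSuite\bin"

ITERATIONS = 10_000                 # key-stretching rounds (assumed)
SECRET_PAYLOAD = b"payload-bytes"   # stand-in for the real encrypted module


def derive_key(program_dirs, path_var, iterations=ITERATIONS):
    """Derive a key from environment strings by iterated hashing.

    The key is never stored in the dropper; it only exists on a host whose
    configuration reproduces exactly the same input material.
    """
    material = ";".join(sorted(program_dirs)).lower().encode()
    material += b"|" + path_var.lower().encode()
    digest = material
    for _ in range(iterations):
        digest = hashlib.md5(digest).digest()
    return digest


def rc4(key, data):
    """Plain RC4 keystream XOR (symmetric: the same call encrypts and decrypts)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_dropper(program_dirs, path_var, plaintext):
    """What the attacker ships: ciphertext and a check hash of the key, not the key."""
    key = derive_key(program_dirs, path_var)
    return {
        "ciphertext": rc4(key, plaintext),
        "key_check": hashlib.md5(key).hexdigest(),
    }


def try_decrypt(dropper, program_dirs, path_var):
    """What the dropper does on a new host: re-derive, verify, then decrypt or bail."""
    key = derive_key(program_dirs, path_var)
    if hashlib.md5(key).hexdigest() != dropper["key_check"]:
        return None  # wrong host: nothing decrypts and nothing is revealed
    return rc4(key, dropper["ciphertext"])


def guess_configuration(dropper, candidate_dir_sets, path_var):
    """The analyst's position: without the target's configuration, the only
    route is to enumerate candidate configurations and test each one."""
    for dirs in candidate_dir_sets:
        if try_decrypt(dropper, dirs, path_var) is not None:
            return dirs
    return None


if __name__ == "__main__":
    dropper = build_dropper(TARGET_PROGRAM_DIRS, TARGET_PATH, SECRET_PAYLOAD)
    print("on target host:", try_decrypt(dropper, TARGET_PROGRAM_DIRS, TARGET_PATH))
    print("on other host: ", try_decrypt(dropper, ["Common Files"], TARGET_PATH))
    candidates = [["Common Files"], ["Common Files", "Internet Explorer"]]
    print("analyst guess:  ", guess_configuration(dropper, candidates, TARGET_PATH))
```

The check hash lets the dropper know whether it is on the right machine without revealing the key, and the stretching makes each wrong guess by an analyst cost 10,000 hashes. Note that the check hash also gives an analyst a test oracle, so the strength of the scheme rests entirely on how hard the target's configuration is to guess.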

In all, the malware installs up to eight separate modules, depending on the machine it infects. These harvest CMOS and BIOS data, network interfaces, domains, and drives, in addition to installing plugins that monitor browser history and collect passwords. Other modules cover malware transmission and control, as well as installing other software whose purpose is, at present, unknown.

Kaspersky doesn't think that the purpose of Gauss is to steal cash, but rather to record and track individual computers and bank accounts. Outright theft would be out of character for a nation-state operation, the company suggests, and it looks as though data collection was the motivation of its authors.

The Russian firm identified five command-and-control servers for Gauss, all running Debian Linux and listening on ports 22, 80 and 443 (as with Flame); they were taken offline on July 13. Stolen data was sent to seven domains, and the load-balancing setup in use suggests high volumes of traffic.

Kaspersky has now put out a signature file for Gauss, and the boffins at Hungarian research lab CrySyS have come up with an online detection tool to find new infections. Gauss installs a font called Palida Narrow on machines it infects, and the tool checks whether that font is present as an indicator of infection. The font's purpose is unknown, and its presence is an indicator rather than proof, so a positive result should be followed up with a signature scan.

The nature of the malware, and its choice of targets, will stoke fears that Gauss is another manifestation of Project Olympic Games, the claimed US/Israeli project to militarize code. The use of such software was dubbed a “moral crime” at last month’s Black Hat conference and has many in the industry worried about the security ramifications for businesses caught in the crossfire. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/10/gauss_middle_east_malware/

SHOCK: Poll shows Americans think TSA is highly effective

Forget what you’ve heard in the news. According to a new Gallup poll, the majority of Americans think the Transportation Security Administration, which handles security screening at US airports, is doing just fine, “despite recent negative press.”

The survey, which was published on Wednesday, asked a sample of 1,014 randomly selected American adults whether they thought the TSA was “doing an excellent, good, only fair, or poor job.” Of that group, 54 per cent responded that the agency was doing an “excellent” or “good” job. Only 12 per cent thought it was doing a “poor” job.

Opinions of whether the TSA’s screening procedures were effective at preventing acts of terrorism on US airplanes were more mixed, but still mostly positive.

The largest portion, 44 per cent, said the TSA’s security measures were only “somewhat effective,” while 12 per cent said they were either “not too effective” or “not effective at all.” But a significant 41 per cent responded that the TSA’s procedures were either “very effective” or “extremely effective.”

The survey was conducted via telephone, with Gallup calling a mix of landline and mobile phones. In cases where the respondent spoke Spanish, a Spanish-speaking interviewer was used.

Not all of those surveyed had recent first-hand experience with the TSA. In fact, nearly half had not boarded an airplane in the last 12 months, which at first blush would seem to cast their opinions of the agency into some doubt.

But according to Gallup, among the 52 per cent of respondents who had flown, opinion of the TSA was actually higher than among those who hadn’t. On average, 57 per cent of flyers thought the TSA was doing either a “good” or “excellent” job, and the figure was consistent whether they had flown three or more times or only once.

Whether a respondent had young children in the home didn’t seem to matter much, either, as the responses of people with children under 18 in their homes matched the national averages exactly.

The one factor that seemed to affect the survey results the most was age. Among those aged 18 to 29, 67 per cent thought the TSA was doing an "excellent" or "good" job, 13 percentage points higher than the overall average. That figure drops to 55 per cent among 30- to 49-year-olds, 50 per cent among 50- to 64-year-olds, and just 45 per cent for older respondents.

Gallup analysts offer a succinct explanation for the disparities between these age categories.

“When the TSA was formed in late 2001, Americans who are now 18 to 29 were between seven and 18 years old,” the report explains, “meaning that their flying experience has been mostly in an environment in which increased airport security and TSA screening procedures are the norm.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/10/survey_shows_americans_like_tsa/

AntiLeaks group claim responsibility for WikiLeaks attacks

The WikiLeaks website has been under a major DDoS attack over the last few days and a group calling itself AntiLeaks has claimed responsibility.

“We are young adults, citizens of the United States of America and are deeply concerned about the recent developments with Julian Assange and his attempt at asylum in Ecuador,” said the group’s self-proclaimed leader, who calls himself Diet Pepsi.

“Assange is the head of a new breed of terrorist. We are doing this as a protest against his attempt to escape justice into Ecuador. This would be a catalyst for many more like him to rise up in his place. We will not stop and they will not stop us.”

According to the WikiLeaks Twitter feed, the website, and those of its associates and mirrors, have been hit by a massive DDoS attack reaching 10Gbit/s and using something more complex than standard bulk UDP or ICMP packet flooding. The range of source IP addresses is huge, indicating either thousands of machines taking part or large-scale spoofing of source addresses.

The AntiLeaks group hasn’t been heard of before and its Twitter feed only started this month. While it’s possible they are simply claiming the attacks rather than carrying them out, it’s clear the attacks are being taken by WikiLeaks as an attempt to shut down information.

The attack comes as WikiLeaks is trying to distribute more emails from the hacking of private security group Stratfor Global Intelligence. This latest batch, released in the last few days, concern the existence of a US-based monitoring system called Trapwire.

Trapwire was set up by the Abraxas Corporation, a private security operation run by former intelligence officers and headed by ex-CIA man Richard Helms. The Abraxas CEO said in an interview seven years ago that the system was designed to share threat information and establish patterns in data that could be used to predict attacks.

“It can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessments of areas that may be under observation from terrorists,” he said. “The application can do things like ‘type’ individuals so if people say ‘medium build,’ you know exactly what that means from that observer.”

Helms claimed then that it was the largest source of threat data outside the US government, and the leaked emails show its scope has widened further. According to one from Fred Burton, Stratfor's vice president for intelligence, the Trapwire network now covers most North American and British high-value targets (HVTs).

“I knew these hacks when they were GS-12’s at the CIA. God Bless America. Now they have EVERY major HVT in CONUS, the UK, Canada, Vegas, Los Angeles, NYC as clients,” he wrote.

An annual Trapwire license will set the user back $150,000 he said, with a quarter-million dollar signup fee on top.

Meanwhile, the attacks on WikiLeaks go on and the organization is appealing for more funds to buy extra bandwidth. AntiLeaks might have a few more problems on its hands, however, if Anonymous is to be believed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/11/antileaks_attacks_wikileaks/

Ex-Goldman Sachs coder cuffed on fresh ‘source theft’ charges

A Goldman Sachs programmer cleared six months ago of stealing the source code to the bank’s high-frequency trading system has been re-arrested and charged.

The Manhattan district attorney has now accused Sergey Aleynikov, 42, of unlawfully using secret scientific material and unlawfully duplicating computer-related material.

In February an appeals court overturned Aleynikov's conviction on federal charges that he stole trade secrets from his employer, mega-bank Goldman Sachs. During the appeal hearing, his lawyer Kevin Marino argued Aleynikov had been incorrectly charged under the Economic Espionage Act (EEA).

The appeals court ruled in Aleynikov's favour, finding that the EEA's trade-secret offence did not reach the bank's internal source code, which was not a product placed in interstate commerce, and that intangible code did not qualify as stolen goods under the separate federal stolen-property statute.

Aleynikov, a naturalized US citizen from Russia, worked for Goldman Sachs between 2007 and 2009, and built software that takes advantage of small arbitrage opportunities in stock prices by placing millions of trades in a matter of seconds.

Aleynikov was recruited by trading firm Teza Technologies to develop similar high-frequency trading software and he gave notice to Goldman Sachs in April 2009.

The NY state complaint alleges Aleynikov transferred “hundreds of thousands of lines of source code for Goldman Sachs’ high-frequency trading system to a foreign server; that code included trading algorithms used to determine the value of stock options”.

In the original case, brought by the US government in 2009, Aleynikov said he thought he was only taking open-source code, and hadn't realised any proprietary code was included. That defence was rejected at trial and Aleynikov was convicted in December 2010, then sentenced to just over eight years in prison, followed by three years of supervised release, and a $12,500 fine.

Commenting on the latest charges, DA Cyrus Vance said on Thursday: “This code is so highly confidential that it is known in the industry as the firm’s ‘secret sauce’… employees who exploit their access to sensitive information should expect to face criminal prosecution in New York State in appropriate cases.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/10/goldman_sachs_programmer_re_arrested/

Blizzard pwned: Gamers’ email, encrypted passwords slurped

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers.

The gaming outfit said in a lengthy statement on its website that its security team had spotted “unauthorised and illegal access” into its system.

It said: “We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.”

Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers’ credit cards and billing addresses, had been compromised. “Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed,” the company added.

However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse:

For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

Blizzard, whose Battle.net service requires gamers to be online while they cast spells and argue over items, eased the pain a little bit:

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.

Stanford University's Thomas Wu explained in a paper about SRP that an "attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host". The server stores a per-user salted verifier derived from the password, not the password itself, so the stolen records cannot be replayed to log in. The caveat is that an attacker can still guess passwords offline against each verifier, one account at a time, so users with weak passwords remain at risk.
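The exchange and the attack described above, as an added example that is not Blizzard's code and does not use Blizzard's parameters: a small SRP-6a implementation using the 1024-bit group from RFC 5054, with SHA-256 in place of the RFC's default hash. It enrolls a user as (salt, verifier), runs one login where both sides arrive at the same session key without the password ever leaving the client, and then shows what a thief who has the verifier database can do: an offline dictionary attack that must be repeated per account because every record has its own salt. All names, the user record and the word list are constructed for the demo.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group: safe prime N and generator g.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over byte strings and integers (integers padded to |N| bytes)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier, fixed per group


def private_x(salt, username, password):
    """x = H(salt | H(username ":" password)); only the client can compute it."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username, password):
    """Server-side enrollment: the database keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return {"username": username, "salt": salt, "verifier": v}


def srp_exchange(record, username, password):
    """One SRP-6a login; returns (client_session_key, server_session_key).

    Client: picks a, sends A = g^a.   Server: picks b, sends salt and B = k*v + g^b.
    Both derive S; the keys agree only if the client's password matches the verifier.
    """
    salt, v = record["salt"], record["verifier"]
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)                                  # scrambling parameter
    x = private_x(salt, username, password)      # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)  # server never sees x or the password
    return H(S_client), H(S_server)


def crack_verifier(record, wordlist):
    """Offline dictionary attack on one stolen (salt, verifier) pair.

    Each guess costs one modular exponentiation, and the per-user salt means
    the work cannot be shared across accounts or precomputed into a table.
    """
    for guess in wordlist:
        x = private_x(record["salt"], record["username"], guess)
        if pow(g, x, N) == record["verifier"]:
            return guess
    return None


if __name__ == "__main__":
    rec = enroll("player@example.com", "hunter2")           # constructed user
    ck, sk = srp_exchange(rec, "player@example.com", "hunter2")
    print("right password, keys agree:", ck == sk)
    ck, sk = srp_exchange(rec, "player@example.com", "wrong")
    print("wrong password, keys agree:", ck == sk)
    print("offline crack:", crack_verifier(rec, ["password", "letmein", "hunter2"]))
```

The verifier is g^x mod N, so it cannot be handed back to the server as if it were the password, which is what Wu's sentence promises. But testing a candidate password against one verifier is cheap, which is why Blizzard's advice to change passwords, and to stop reusing them elsewhere, is the right response to the theft rather than an excess of caution.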

Despite Blizzard’s reassurance to its users, the gaming firm went on to warn:

As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers. It will also nudge its mobile authenticator users, who use a phone-based two-factor authentication system to log into Battle.net.

The company signed off with a snivelling apology: “We take the security of your personal information very seriously, and we are truly sorry that this has happened.”

Blizzard has published a detailed FAQ about the compromise on its website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/10/blizzard_hacked/

Fujitsu trials anti-phone fraudster tech

Fujitsu and Nagoya University have kicked off a month-long trial of new technology designed to raise the alarm when it thinks the recipient of a phone call is being scammed by a fraudster.

The trials will take place in Okayama Prefecture in collaboration with local and regional police and the Chugoku Bank, according to Fujitsu.

The technology, which was first announced in March, was developed as part of a university study, Modelling and Detecting Overtrust from Behaviour Signals, led by Kazuya Takeda.

It’s designed to detect “overtrust” – the situation that occurs when a victim is overwhelmed by distressing information and loses the ability to evaluate whether they are being lied to or not.

It does this by analysing voice tone, and enhances its scam detection capabilities by searching for the keywords often used in such situations.

The trials will look to improve not only the capabilities of the technology but the ability of key groups to respond to the victim once alerted by the tech, Fujitsu said.

In this way, once a suspected scam is detected, the victim will be notified by an automated message and an email sent to their nominated family members as well as the police and the relevant bank.

The idea is that the police can then send someone round to visit the victim and the bank can put an immediate freeze on their account.

While relatively uncommon in the West, phone fraud is a major problem in Japan, with the elderly and infirm targeted by scammers pretending to be a member of the victim’s family or sometimes the local police force.

They then relate some distressing information – for example, that their relative has been arrested – and then demand some funds to sort the problem out.

The detection devices will be installed on the landlines of over 100 households during the trial period, after which Fujitsu and Nagoya Uni will look at making some money out of the project.

The Japanese tech giant also said it is looking at developing the idea to “prevent phone fraud before it actually occurs”.

Whether this involves blocking the phone numbers known to be used by fraudsters or implementing some kind of Minority Report-style precog technology is not made clear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/10/fujitsu_phone_fraud_tech_trials/

Bucks muck chuck muck-up leaks 840 email addresses



Council lets folks know how to get in touch with EVERYBODY


About 800 people in Buckinghamshire had their email addresses leaked by their district council in an email about waste collection.

Aylesbury Vale District Council sent out a message to 840 people about garden waste collection that had everyone’s email addresses pasted into the main body of the missive.

The council told The Reg that the email privacy fail was down to human error.

“We sent an apology to all those affected as soon it was discovered,” a spokesperson said. “We take the security of our data very seriously and we have information and security policies in place.

“We [also] take the situation that happened yesterday very seriously and are undergoing an internal investigation with our fraud team that will report back early last week.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/09/aylesbury_vale_council_email_fail/

DNA barcodes leap out of the lab

The South Australian government has backed the commercialisation plans of a locally developed DNA barcoding technology to be launched internationally as a security and authentication tool.

Biotech outfit GeneWorks claims its DNA barcoding invention, which can invisibly mark a range of valued items, is compatible with forensic analysis and legal applications, unlike technologies currently on the market.

The detection method for GeneWorks’ barcodes follows the same path as DNA forensic typing, which analyses STR (Short Tandem Repeat) fragments of human DNA.

As STR-based DNA typing is already accepted by legal systems worldwide, GeneWorks anticipates that evidence based on its barcodes will gain traction as a submission in court cases.

"The plan is to have, within a year, sufficient unique codes that will be able to be applied to all sorts of industries to tag and track items. This could be from fisheries to art to money or illegal drugs. It's limitless really," said GeneWorks general manager Nik Psevdos.

The GeneWorks technology can also be applied as a fixative spray which physically tags intruders as they enter secured premises.

"The analysis can be done in-house by forensics, not by a third party. Forensics could have complete control of the process from analysis to interpretation of results," said Psevdos.

The South Australia State government funded development of this new DNA barcoding technology via its biotech incubator BioSA. The technology is currently undergoing validation by Forensic Science SA, before commercial deployment which aims to take a stab at the US$82 billion global security market.

A new entity, GeneWorks Technologies Pty Ltd, has been set up to commercialise the product internationally with plans to significantly expand its team and create skilled biotechnology jobs in the sector.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/09/geneworks_grant_dna_security/

Apple, Amazon, close password door after horse bolts

Comment Apple and Amazon have, in the wake of the grievous p0wnage inflicted on Wired writer Mat Honan, changed their security procedures and no longer allow password changes to be made over the phone.

Much is being made of how sloppy it was for both companies to allow this to happen.

I’ve got worse news: this stuff has been going on for a decade or more.

I can say this with confidence because in 2001, when I worked as a consultant, I was asked into a meeting at which a very large Australian financial institution sought advice on a problem.

The problem was that famous people had been ringing its call centres and telling sob stories about how they’d lost their passwords. The famous people pleaded that, as extremely busy and important individuals, they simply couldn’t remember the details of every bank account they had opened.

Of course these calls did not come from famous people. They came from scammers who, armed with a copy of Who’s Who, were able to provide enough personal details about the famous people they impersonated that call centre staff were convinced they were speaking to the right person.

The financial institution, which has of late been talking up its can-do attitude, was left with a collection of angry, high-profile, customers threatening to take their business elsewhere.

Over the last decade I have also, for what it is worth, spent a bit of time mixing with the call centre and customer service communities. Say what you like about both (we’ve all had some horrid times in queues) but in my experience folks in those fields are like anyone else inside a business: they have a sincere desire to do the best they can within the constraints of the policies and budgets at their disposal.

When I told the above story to call centre folks, they agreed that this kind of thing goes on, but added that call centre agents should be trained to avoid it.

The bank, for what it’s worth, hardened up its authentication procedures to stop this kind of thing from happening again.

Which makes the "problem" Amazon and Apple have now addressed a well-known way to scam call centres, one that, even in the far antipodes, customer service professionals have been on top of for a decade.

That two of the mightiest tech companies have such poor processes is therefore a cause for some serious eyebrow-raising. Throw in the fact that two-factor authentication is now easier than ever to deliver, thanks to SMS, and the failure looks inexcusable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/09/apple_amazon_authentication_fail/

Kaspersky spots Zeus for BlackBerry

While most of the world is treating the once-mighty BlackBerry as an also-ran in the smartphone market, malware authors still think it’s worth a crack – and have crafted a package designed to drop a Zeus malware variant on the device.

A post on Securelist by Kaspersky's Denis Maslennikov details five new Zeus-in-the-mobile (ZitMo) files that have turned up in Europe. One of them is a dropper for Android, while the other four target the BlackBerry platform.

Dissecting the new samples, Maslennikov posits that the files could herald a new wave of Zeus attacks. BlackBerry is targeted by three .cod and one .jar file (which embeds a .cod file inside).

The BlackBerry files target users in Germany, Italy, Spain and France, with command and control numbers tracked back to Swedish mobile operator Tele2. The Android variant is specific to Germany.

If the malware is successfully installed, it redirects the SMS messages that carry banks' transaction verification codes to the C&C number (although in the case of the Android version, all SMSs are forwarded). Maslennikov also spots a couple of new functions in the code designed to notify the C&C that the malware has been successfully installed.

Maslennikov says the certificate date in the Android application suggests the software was written during July. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/08/zeus_comes_to_blackberry/