STE WILLIAMS

Trojan poses as privacy tool, spies on Iranian surfers

Backdoored versions of a widely used privacy tool have surfaced in Iran, raising fears that its government is using the Trojanised software to spy on its citizens.

A free encrypted proxy tool called Simurgh – official website https://simurghesabz.net – is used by many Iranians to circumvent locally applied net censorship technologies. Recently a Trojanised version of the tool (Simurgh-setup.zip) has begun appearing on file-sharing networks and warez sites.

The real software works as a standalone tool that can be run off a USB stick at locations such as cybercafes and other public internet access points. By contrast, the Trojanised version requires installation on a client PC. Thereafter, the software tracks user activities including keystrokes and websites visited. This data is then uploaded to US-based servers registered to a Saudi Arabian organisation, human rights activist group CitizenLab.org says.

Morgan Marquis-Boire from CitizenLab.org was among the first to publicise the presence of malware in knock-off copies of a tool used by Iranian dissidents and others looking to safeguard their privacy or visit proscribed websites.

Both the Trojanised version of the tool and the real thing connect to a web page that confirms that users are surfing through a proxy. Developers at Simurgh are taking advantage of this behaviour to automatically detect if a surfer is using a Trojanised version of their software before warning them that they are in danger.

Iran’s internet censorship regime already blocks access to many foreign websites, social networks and other web services. Attempts to “phish” for social network usernames and passwords have been reported in Syria and Iran, as well as the use of false security certificates. More recently Iran rolled out the capability to block HTTPS and the ports used by Virtual Private Networks, according to Reporters Without Borders (here).

The web has played a central role in recent campaigns of political dissent inside the country and free expression more generally – hence the ongoing push by the country’s rulers to tighten the screws on what its citizens can do online. This has stimulated interest in web proxies, such as Simurgh, designed to circumvent censorship controls, making the appearance of Trojanised versions of the tool all the more dangerous.

“This malware is targeting users for whom having their communications compromised could result in imprisonment or worse,” warns Chester Wisniewski, a senior security advisor at Sophos Canada. Wisniewski added that it is “almost always a bad idea” to download and run files from unknown websites, especially files from torrent and file-sharing sites. Computer users would do far better to go to a developer’s website for software download instead, he argues.

A blog post by Sophos explaining the Trojanised Simurgh threat in greater depth can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/30/trojaned_privacy_tool_hits_iran/

Friends fooled by Facebook Timeline ‘removal tool’ scams

Two separate “Timeline-removing” spam scams are doing the rounds on Facebook, security watchers warn.

Both ruses feature dodgy messages targeting users of the social network who happen to dislike the recently introduced feature, and are looking for a way to go back to the “old look”. In the first case, users who take the bait are encouraged to install a browser plug-in that supposedly removes Facebook Timeline from social networking profiles.

At the time of writing on Tuesday lunchtime, anti-virus vendor Sophos was in the process of evaluating what the software, available for download from a recently established website in Turkey, actually does. In the meantime it advises users to avoid installing the plug-ins.

Screenshots of the messages, and the browser plug-ins they, err, plug, can be found in a blog post by Sophos here.

Timeline-exorcising browser extensions are also being offered via an application called “Facebook Timeline Remover”, Chris Boyd of GFI Software warns. However in this case no browser plug-in is actually on offer. Marks are instead invited to complete a collection of surveys, enriching dodgy marketing affiliates in the process. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/30/facebook_timeline_remover/

Silicon backdoor: not an international crisis

Is it something to do with Slavic names? The Register is quite accustomed to Eugene Kaspersky’s astonishing ability to escalate every threat into a “cybergeddon”; now Cambridge researcher Sergei Skorobogatov seems to have taken his lessons to heart.

Let’s pick up the high points of Skorobogatov’s story again: (1) a ‘military grade’ FPGA that is (2) manufactured in China and (3) has a backdoor. With a combination like that, the headlines are guaranteed – even if the threat is nebulous.

First, as Errata Security points out, “military grade” does not have the “wow, spook stuff!” meaning that it’s been given in too many outlets. Here is Actel’s outline of specifications for the ProASIC3 series of chips, including the mil-spec device. The first table shows the difference between different devices in the series; the A3P1000 is the “military” version – which means that it has been tested to military temperature requirements.

“Military” doesn’t mean “this is a chip designed to protect military secrets.” It means “if you put this chip into a product it can stand temperatures from -55°C to 125°C.”

Errata Security also points out that “manufactured in China” does not mean “the Chinese tampered with the design to insert the backdoor”. Following the old rule that a stuff-up is more likely than a conspiracy, Errata suggests that the backdoor was probably an intentional feature that the designers forgot to disable when they committed the FPGA’s design to manufacture.

It’s also important to remember that even if the backdoor exists, and even if it’s malicious, it’s not a very useful backdoor. For example, it’s not likely to enable a remote attack allowing Boeing 787 Dreamliners to drop out of the sky.

FPGAs are attacked not by sending a packet over the Internet with the evil bit set. To interfere with the FPGA, you need physical access to the device, and the appropriate equipment and software to program it.

That puts into context another observation made by Errata Security: the purpose of the encryption that Skorobogatov has cracked. The encryption exists not to protect communication between the device and the Big Bad Internet (more on this in a second) – it exists to protect the design placed on the chip. In other words, the threat is not that “military secrets will be stolen”, it’s that your design (and therefore your intellectual property) will be copied. At worst, if that particular chip was in something like a military drone, and if it were captured by an enemy, and if they were able to reproduce the attack – then the design might yield useful information about the drone’s design.

There is, of course, a scenario in which the FPGA might communicate with the Internet: the design implemented on the chip might be a communications stack. Even in that case, the purely internal encryption, designed to protect the gate designs on the chip, has nothing to do with its relationship to the outside world.

Should sensitive users of the chip be worried? Certainly. They want their designs protected. There’s even a discernible risk to someone like Boeing, since it’s feasible that someone with legitimate access to FPGAs might be persuaded or forced to reprogram them with malicious code, or steal Boeing’s code.

For the rest of us, our time would be better spent defending ourselves against the thousands of threats that affect our security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/researcher_trolls_internet_with_silicon_backdoor/

Super-powerful Flame worm could take YEARS to dissect

Analysis The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse.

Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have been in circulation for at least two years (and perhaps much longer) but only hit the news on Monday following a series of announcements by security groups and antivirus firms.

Iran’s National Computer Emergency Response Team published a warning about the data-stealing virus, promising an antidote: so far the malware has completely evaded detection by commercial antivirus scanners. Iranian researchers described the malware as a “close relation” to Stuxnet, the famously well-engineered nasty that sabotaged industrial control systems linked to Iran’s controversial nuclear programme.

Kaspersky Lab said the UN International Telecommunication Union had alerted it to Flame and asked for help analysing the malware, which was believed to be wiping information from Middle Eastern computers. Kaspersky said the unusually large virus has been spreading since March 2010.

However, Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) fear Flame may have been active for somewhere between 5 and 8 years. The Budapest-based lab published a preliminary analysis [PDF] of the malware, which it dubbed sKyWIper – the CrySyS Lab realised the complex piece of malicious software that it had been analysing for weeks was clearly a build of Flame.

Other security firms have since waded in with their own observations and early analysis; confusingly, other researchers are calling the threat either Viper or Flamer.

There’s general consensus that Flame is the most elaborate malware threat ever uncovered, and that it was almost certainly developed by a state-sponsored team. The Hungarian team concludes that the malware was “developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities”.

How Flame spread its digital inferno

The 20MB virus compromises Windows-based PCs and stealthily installs itself before stealing data and passwords, taking screenshots and surreptitiously turning on microphones to record audio conversations. The malware sets up a backdoor and opens encrypted channels to command-and-control (C&C) servers using SSL protocols.

Flame shares some characteristics with the early Duqu and Stuxnet worms, but also has a number of differences.

Like Stuxnet and Duqu, Flame malware can spread via USB sticks and across insecure networks. All three infect machines running Microsoft’s operating system. Flame contains exploits for known and fixed vulnerabilities, such as the print spooler’s remote code execution bug and the .lnk security hole first found in Stuxnet.

However, Flame is much more complex than either Stuxnet or Duqu: it is made up of attack-launching modules that can be swapped in and out as required for a particular job; it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library.

It also executes a small set of scripts written in Lua – a programming language favoured by computer game makers such as Rovio for Angry Birds. These direct the operation of the attack modules.

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid (or even possibly stolen) private key – unlike the signed files used by Duqu and Stuxnet.

Both Duqu and Stuxnet targeted industrial control systems, while Flame is far more promiscuous. Crucially, analysis suggests that while Stuxnet and Duqu use the same building blocks (a common platform most likely used by the same programming team), Flame is independent of this architecture.

“The threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex,” McAfee notes, hypothesising that Flame might be a “parallel project” to Stuxnet and Duqu.
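One defensive use of the observation above that several Flame files pose as Windows components yet carry no signature at all, as an added example that is not from the article or from any of the vendors quoted: a stdlib-only Python triage check that flags a PE image whose version strings claim Microsoft while its Authenticode Certificate Table is empty. The sample PE images are constructed inline, and the marker strings and verdict labels are my own assumptions.

```python
"""Triage heuristic: a PE file whose version strings claim a Microsoft Windows
component but whose Certificate Table (Authenticode) is empty deserves a closer
look. Pure standard library; no pefile dependency."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 blob

# UTF-16LE strings a genuine Windows component's VERSIONINFO resource carries (assumed markers).
MICROSOFT_MARKERS = [s.encode("utf-16-le") for s in
                     ("Microsoft Corporation",
                      "Microsoft\u00ae Windows\u00ae Operating System")]


def security_directory(pe):
    """Return (file_offset, size) of the Certificate Table, or None if this is not a PE file."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", pe, opt)[0]
        # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
        dirs_off = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}.get(magic)
        if dirs_off is None:
            return None
        num_dirs = struct.unpack_from("<I", pe, opt + dirs_off - 4)[0]
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return (0, 0)                    # table too short to hold a Security entry
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        # Unusually, this directory's VirtualAddress is a raw file offset, not an RVA.
        return struct.unpack_from("<II", pe, entry)
    except struct.error:                     # truncated header
        return None


def has_authenticode_blob(pe):
    """True if the Security directory points at a well-formed WIN_CERTIFICATE of Authenticode type.
    Presence is not validity: a real verdict needs chain and hash verification (signtool, osslsigncode)."""
    sec = security_directory(pe)
    if not sec:
        return False
    off, size = sec
    if size < 8 or off + size > len(pe):
        return False
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def claims_microsoft(pe):
    return any(marker in pe for marker in MICROSOFT_MARKERS)


def triage(pe):
    """Verdict string for one file image."""
    if security_directory(pe) is None:
        return "not-pe"
    signed = has_authenticode_blob(pe)
    if claims_microsoft(pe) and not signed:
        return "suspicious: claims Microsoft, no Authenticode signature"
    if signed:
        return "signed: verify the chain before trusting it"
    return "unsigned: no Microsoft claim"


def build_sample_pe(company, signed):
    """Constructed minimal PE32 header plus fake version strings; not a runnable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)  # SizeOfOptionalHeader = 224
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    body = bytearray(dos + b"PE\0\0" + coff + opt + company.encode("utf-16-le"))
    if signed:
        fake_pkcs7 = b"\x30\x82" + b"\0" * 30                        # placeholder DER, not a real signature
        win_cert = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        entry = 0x40 + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", body, entry, len(body), len(win_cert))
        body += win_cert
    return bytes(body)


if __name__ == "__main__":
    for label, company, signed in (("flame-like", "Microsoft Corporation", False),
                                   ("genuine-looking", "Microsoft Corporation", True),
                                   ("third-party", "Example Corp", False)):
        print(f"{label:16} {triage(build_sample_pe(company, signed))}")
```

On real samples, feed `triage()` the file bytes; a "suspicious" verdict is a triage lead to confirm with a full signature check, not a detection on its own.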

Worm rears head after attacks on oil field systems

Over recent weeks, prior to Monday’s announcement about the malware, Iran reported intensified cyber-attacks on its energy sector, which it regarded as a direct continuation of the Stuxnet and Duqu attacks. This may be linked to a decision last month to disconnect the main oil export terminal on Kharg Island in the Persian Gulf following a computer virus infection.

“Evidently, the threat has been developed over many years, possibly by a large group or dedicated team,” McAfee notes.

“We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more wildly spread than Duqu, with similarly large numbers of variants.”

Symantec agrees with its rival’s assessments that Flame was developed by a team, concluding that the “code was not written by a single individual but by an organised well-funded group of personnel with directives”. Unlike Stuxnet, Flame is not particularly targeted and has spread to civilians’ systems in many countries.

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear,” Symantec said.

“However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections.”

David Harley, senior researcher at ESET, agreed with McAfee that Flame and Stuxnet are more different than they are similar.

“Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area,” Harley said. “While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be purely speculative right now, as the code seems very different.”

Other than saying it’s likely the work of state-sponsored black hat coders, possibly in the employ of an intelligence agency, nobody is speculating who is behind Flame. A lot of the same caveats apply to Stuxnet, but circumstantial evidence does point towards some sort of joint Israeli-US operation.

Even though the full capabilities of Flame, much less who created it and why, remain a bit of a mystery, security firms can at least add detection for the malware now that samples are circulating among researchers.

“Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It’s code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all,” writes Graham Cluley, a senior security consultant at Sophos. “Fortunately, complete code analysis is not necessary to add detection.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/flame_cyberweapon_analysis/

Researchers find backdoor in milspec silicon

A pair of security researchers claim to have found a back door in a commercial field-programmable gate array (FPGA) marketed as a secure tool for military applications.

The FPGA in question is the Actel ProASIC3, a device manufacturer Microsemi recommends for use in “portable, consumer, industrial, communications and medical applications with commercial and industrial temperature devices,” but which also comes in models boasting “specialized screening for automotive and military systems.”

Sergei Skorobogatov, a researcher at the University of Cambridge, and Christopher Woods of London’s Quo Vadis Labs have released a draft paper (PDF) describing a method whereby attackers can “disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device.”

The pair chose the ProASIC3 for their tests because, they say, it is a very widely used device, boasts of superior security and is known to have military users. Those qualities, the pair say, made it an ideal subject for a back door hunt.

The pair used Actel’s own analysis tools and the Joint Test Action Group (JTAG) interface to analyse the silicon. That analysis yielded undocumented features, thanks to discovery of what the draft paper calls “command field and data registers.”

The pair also applied differential power analysis (DPA), a method of analysing variations in electrical activity that hint at tasks being performed in silicon, and “Pipeline Emission Analysis (PEA)” to probe the device “in an attempt to better understand the functionality of each unknown command.” Just how PEA does so is not clear: the draft paper says PEA was developed by the “sponsor” of the research, but that entity is not revealed. Even the footnote describing the technique has been redacted so it reads “Removed to comply with anonymity requirement for submission”.

But the paper hints PEA is a more sensitive version of DPA, describing it as follows:

“The outstanding sensitivity of the PEA is owed to many factors. One of which is the bandwidth of the analysed signal, which for DPA, stands at 200 MHz while in PEA at only 20 kHz.”

PEA seems to have done the trick, yielding evidence of a passkey that allows control of many features in the FPGA.

“Further investigation,” the paper says, “revealed that this is a backdoor function with the key capable of unlocking many of the undocumented functions, including IP access and reprogramming of secure memory.”

The paper is clearly marked as a draft and Skorobogatov promises to detail the exploit fully at the 2012 Workshop on Cryptographic Hardware and Embedded Systems in Belgium.

One imagines the presentation will be rather well attended. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/silicon_backdoor/

Google Apps win ISO 27001 certification

Google has proudly told the world its online productivity suite, Google Apps, has gained the ISO’s good cloudkeeping seal of security approval, in the form of the ISO 27001 security certification.

Eran Feigenbaum, Google Enterprise’s Director of Security, let us all know the good news on Monday, US time, and named Ernst & Young CertifyPoint as Google’s auditor.

The announcement was made without any of the recent unpleasantness over security for cloud apps which, as we reported earlier this month, saw Google and Microsoft swap accusations about just whose cloud suites have achieved the FISMA certification required to win business from the US government.

Google has had that accreditation sewn up for a while now. With ISO 27001 also on its trophy shelf alongside SSAE 16 / ISAE 3402 certificates, the company now feels its security credentials are second-to-none and that “businesses are beginning to realize that companies like Google can invest in security at a scale that’s difficult for many businesses to achieve on their own.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/google_apps_iso_27001/

Complex cyberwar tool ‘Flame’ found ALL OVER Middle East

A new super-cyberweapon targeting countries like Iran and Israel that has been knocking around in computers for two years has been discovered by researchers.

“Flame”, a highly sophisticated piece of malware, was unearthed by the International Telecommunication Union (ITU) and Kaspersky Lab, which said it was more complex and functional than any cyber threat it had seen to date.

Because Flame is so super-complicated and because of the geography of the attack, Kaspersky Lab’s global research and analysis team head Alexander Gostev said he was in “no doubt” that it was a state-sponsored worm.

Flame is a cyber espionage program that steals data such as computer display contents, information about targeted systems, stored files, contact info and even audio conversations. Kaspersky Lab said that the worm’s features were different from Duqu and Stuxnet, but it matched up with them when comparing where it attacked, the software vulnerabilities it uses and the fact that only certain computers were targeted.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” Eugene Kaspersky said in a canned statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Iran’s National Computer Emergency Response Team posted a warning about the malware on its site today and said a fix would be coming soon.

“At the time of writing, none of the 43 tested anti viruses could detect any of the malicious components. Nevertheless, a detector was created by Maher centre and delivered to selected organisations and companies in first days of May,” the site said.

“And now a removal tool is ready to be delivered.

“The research on samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat,” it added.

Kaspersky Lab said it was currently doing deeper analysis of Flame, which has been in the wild since March 2010, and it would tell everyone what it learned on its blog posts.

“For now what is known is that it consists of multiple modules and is made up of several megabytes of executable code in total – making it around 20 times larger than Stuxnet, meaning that analysing this cyber weapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defence field,” the security firm said.

Gostev said that the malware was still stealing data.

“One of the most alarming facts is that the Flame cyber attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/28/kaspersky_discovers_flame_worm/

Ex-Nokia Siemens engineer admits eBaying nicked routers

A hard-up ex-engineer at Nokia Siemens swiped wireless routers worth thousands of pounds from his employer to refurbish and flog on eBay.

Dewaldt Hermann, 33, appeared at Swindon Crown Court to admit he was behind a spate of thefts some months after he started work at the firm, Newbury Today reports.

Tessa Hingston, prosecuting, said Hermann had trousered £6,000 from peddling the stolen goods by the time the police raided his garage to find more stolen kit.

Hermann was snared when he left his PC logged into his eBay account after leaving Nokia Siemens’ Kembrey Park office in Swindon, the court was told. A colleague using the machine found auction listings of equipment belonging to the firm.

The routers were estimated to have cost Nokia Siemens £28,000 when new, but had a scrap value less than a quarter of that tally. The units were stored in the firm’s office after being returned by biz customers, which Hermann believed were due to be dumped, said David Maudner, defending.

He said Hermann, a married father of two teenage step-children, felt financial pressures after his wife was forced to take part-time work, and pointed to his client’s clean criminal record.

After Hermann pleaded guilty to theft on 22 May, Judge Euan Ambrose told him “the items that you stole had a variety of different fates”.

“Some were repaired, refurbished and sold on eBay. In fact, your work had effect and they were sold at a greater value than they would have been worth. Some you still had in your garage,” he added.

Judge Ambrose said the total value of routers, which were taken in late 2010, was a little over £7,000.

He handed Hermann a one-year community order and told him to complete 300 hours of community service. Hermann, of Peregrine Road, Bishop’s Green, was also ordered to cough up £725 in court costs. The branch of Nokia Siemens that he worked for has since closed and the firm was not seeking compensation.

It was revealed during the case that, after leaving Nokia Siemens, Hermann landed a job in September 2011 as a field networks engineer at 2e2. But a spokesman confirmed to El Reg that he has been “suspended” due to the court case. 2e2 made no further comment, Nokia Siemens did not respond to calls and Hermann was unavailable to comment. ®

Article source: http://go.theregister.com/feed/www.channelregister.co.uk/2012/05/28/hermann_court_case/

Hackers threaten fresh wave of anti-capitalist web rioting

A new activist group is drumming up recruits for a cyberwar campaign against corporate giants due to launch on Friday, 25 May.

TheWikiBoat intends to hit a high profile list of more than 40 multinationals – including BT, Best Buy, Tesco, McDonald’s, Wal-Mart and Apple – with denial of service attacks as well as attempts to raid corporate systems for intelligence.

The precise motivations behind OpNewSon, which was announced around a month ago, remain unclear but the overall flavour is part anti-capitalist and part general devilment, a characteristic found in many Anonymous-style hacktivist protests.

“While attacking the major companies of this planet may seem lulzy, we also wish that this operation make a difference,” the group said in a manifesto for OpNewSon. “We are ‘sticking it to the man’ so to speak.”

Would-be participants in the campaign, which aims to take out targeted sites for at least two hours, are being encouraged to use the LOIC denial of service tool, a favourite with hacktivists. By default LOIC does nothing to shield the anonymity of its users, a factor that has allowed police to track down and arrest many suspected hacktivists across the world over recent months.

Previous pre-announced activist operations to take down Facebook or launch assaults against the internet’s DNS structure have turned out to be damp squibs. Security firms nonetheless argue that corporations targeted as part of Operation NewSon ought to take the threat seriously.

“It remains to be seen if the hacking group live up to their claims, but any organisation which is a target would be unwise to dismiss the threat,” said André Stewart, president international at Corero Network Security.

“With prior knowledge of an impending attack, they have the opportunity to pro-actively put in place additional security measures to ensure that they remain secure.”

Stewart explained that TheWikiBoat pre-announced its intended targets as a tactic designed to rally recruits to its cause.

“It’s not uncommon for hacking groups to announce their targets, particularly when they are ahead of a Distributed Denial of Service (DDoS) attack,” he explained. “This enables them to ‘recruit’ like-minded individuals who support the ideology of the hacktivist group to join in on the attack. However, the majority of DDoS attacks are often carried out using an army of automated computers, called botnets, which can be controlled by a single user.”

“The hacking group is planning a second stage attack, in which they will attempt to infiltrate the organisation’s network and steal sensitive information. DDoS attacks are often used as a smokescreen to hide further, more dangerous attacks, and due to the long list of potential targets, there is a high probability that they will succeed.”

Additional commentary from application security firm Radware can be found here.

#OpNewSon is due to begin at 4pm PST. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/thewikiboat_ddos/