STE WILLIAMS

Mobile banking security bypassed in fiendish malware blag

Cyber-crooks are blagging SIM cards that allow them to circumvent mobile-based banking security measures and swipe cash from punters’ accounts.

Security biz Trusteer has uncovered two elaborate techniques that will defeat out-of-band authentication mechanisms such as SMS-delivered one-time passwords (OTP) for online banking websites. These scams involve crooks getting their hands on duplicate SIM cards to execute fraudulent transactions.

The extra effort is worthwhile because accounts protected by OTP systems typically have higher transfer limits, making them more valuable to crooks. In addition, banks tend to treat transactions given the go-ahead by OTP authorisation as less likely to be fraudulent and are therefore far less likely to be subjected to additional anti-fraud screening, according to Trusteer.

How the scams work

The first attack involves a combination of online and physical fraud: the crook either runs a phishing expedition or uses malware to obtain a victim’s bank account details and credentials. As well as requesting login details, the fraudster also seeks to obtain the intended victim’s name, phone number and other personal information.

Armed with these details the crim impersonates a victim to report the mark’s mobile as lost or stolen to the cops. This allows the fraudster to get their hands on a police report.

The criminal then calls the victim to notify them that their mobile phone service will be interrupted for a few hours. In the meantime, the criminal visits a mobile service provider’s retail outlet, presenting the police report on the supposedly lost or stolen mobile.

The victim’s SIM card is deactivated by the mobile provider while the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number.

Trusteer came across the elaborate scheme in an underground carder forum.

In the second attack, a variant of the Gozi Trojan uses a web page injection hack on infected Windows PCs that prompts victims to enter their mobile’s unique IMEI number when they attempt to access their online bank account. The malicious script explains how to retrieve the IMEI number, which can be found on the phone’s battery or displayed by dialling *#06# on the mobile keypad.

Using this number, the fraudster then reports the mobile phone as lost or stolen to the mark’s mobile service provider and requests a new SIM card. Once the crook gets his hands on the duplicate SIM card, OTPs intended for the victim are sent to the fraudster-controlled device instead.

“The one common thread in both schemes is that they are made possible by compromising the web browser with a Man in the Browser (MitB) attack to steal the victim’s credentials,” explains Trusteer’s CTO Amit Klein. “By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions.”

“They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorising these transactions themselves,” he added.
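Both schemes end with a freshly issued duplicate SIM, so a bank can blunt them by asking, before it sends an SMS OTP, whether the SIM behind the number has changed since the customer registered it. The following is an added illustration, not code from Trusteer or any bank; the shape of the carrier SIM-swap lookup, the 72-hour window and every number and date in it are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Enrolment:
    """What the bank knows: the number the customer registered, and when."""
    msisdn: str
    enrolled_at: datetime


@dataclass(frozen=True)
class SimStatus:
    """Assumed shape of a carrier SIM-swap lookup: when the SIM behind the
    number was last replaced (None = the carrier could not say)."""
    msisdn: str
    last_swap: Optional[datetime]


@dataclass(frozen=True)
class Decision:
    channel: str           # "sms_otp", "step_up" (non-SMS verification) or "hold"
    extra_screening: bool  # keep the transfer in fraud review even if the OTP is entered
    reason: str


RECENT_SWAP = timedelta(hours=72)  # assumed window; tune to the observed swap-to-fraud lag


def otp_channel(enrolment: Enrolment, sim: SimStatus, now: datetime,
                amount: float, review_limit: float) -> Decision:
    """Decide how to deliver the OTP for a transfer of `amount`.

    An SMS OTP must not count as proof of the customer when the SIM it will
    land on is newer than the bank's record of the number.
    """
    if sim.msisdn != enrolment.msisdn:
        raise ValueError("SIM lookup does not match the enrolled number")
    high_value = amount > review_limit

    if sim.last_swap is None:
        # No carrier data: SMS is the only channel, but do not waive screening.
        return Decision("sms_otp", True, "SIM-swap status unknown")

    swapped_since_enrolment = sim.last_swap > enrolment.enrolled_at
    age = now - sim.last_swap

    if swapped_since_enrolment and age <= RECENT_SWAP:
        hours = int(age.total_seconds() // 3600)
        if high_value:
            # Freshly issued SIM plus a large transfer is the pattern of both
            # scams above: park the transfer until verified another way.
            return Decision("hold", True,
                            f"SIM replaced {hours}h ago; high-value transfer held")
        return Decision("step_up", True,
                        f"SIM replaced {hours}h ago; SMS OTP not trusted")

    if swapped_since_enrolment:
        # An old swap is plausibly a legitimate phone change, but the number's
        # history no longer matches the bank's record, so keep screening on.
        return Decision("sms_otp", True, "SIM replaced since enrolment")

    return Decision("sms_otp", high_value, "SIM unchanged since enrolment")


if __name__ == "__main__":
    # Constructed scenario: number registered mid-2011, transfer attempted
    # three hours after a duplicate SIM was issued.
    now = datetime(2012, 3, 15, 12, 0, tzinfo=timezone.utc)
    enrolled = Enrolment("+61400000000", datetime(2011, 6, 1, tzinfo=timezone.utc))
    fresh = SimStatus(enrolled.msisdn, now - timedelta(hours=3))
    print(otp_channel(enrolled, fresh, now, amount=2500, review_limit=10000))
```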

More details of both scams can be found in a blog post by Trusteer here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/

Thai Police shutter 5,000+ sites insulting royals

The monarchy-loving Thai authorities have deleted over 5,000 web pages in the past three months in a continued crackdown on content deemed insulting to the royal family, although critics argue it’s just an excuse to exercise ever more hardline censorship controls.

Thailand national police spokesman Piya Utayo explained that content critical of the royals had decreased during the period from December to March, although he gave no explanation why, according to an AFP report.

Those found guilty of lèse majesté – literally ‘injured majesty’ – could face up to 15 years in a Thai slammer, and the pages of the interwebs are littered with the cases of unlucky souls such as Wipas Raksakulthai, who is thought to be the first person charged with the crime after an ill-considered Facebook post.

Although revered by many in the country, the 84-year-old King Bhumibol Adulyadej, who is the country’s longest reigning monarch, does seem to polarise opinion – perhaps because he has personally intervened in the running of the country on several occasions.

Many have argued that lèse majesté is being used by the government as a smokescreen for an ever more rigorous approach to online censorship in the country.

On Monday, rights group Reporters Without Borders explained in its yearly report that Thailand was on its “countries under surveillance” list and could even swap places with the notoriously repressive state of Burma if it doesn’t soften its approach.

“If Thailand continues down the slope of content filtering and jailing netizens on lèse-majesté charges, it could soon join the club of the world’s most repressive countries as regards the internet,” the report said.

The government already nailed its colours to the mast earlier this year when it became the first to publicly endorse a new feature on micro-blogging site Twitter designed to allow for the blocking of tweets at a country level in order to comply with local laws.

ICT permanent secretary Jeerawan Boonperm told the Bangkok Post that the functionality was a “welcome development” and that the Thai government wanted to make use of it.

Thailand is not alone in the world when it comes to wanting to block the free flow of information across the web, of course. China, Iran, India and Pakistan have all built or are mulling plans to build national content filtering systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/15/thai_king_web_censorship/

Voice prints at risk from impostors

Ten to twenty per cent of utterances collected by voice biometrics systems are not strong identifiers of the individual that spoke them, according to Dr. Clive Summerfield, the founder of Australian voice biometrics outfit Armorvox. Voice biometrics systems could therefore wrongly identify users under some circumstances.

Most voice biometrics implementations require users to utter a pass phrase or mention personal details as part of their authentication process. Dr. Summerfield told The Register that while a small fraction of the population, which he labels “wolves”, have voices that match many other voice prints, the need to know the pass phrase means voice biometrics systems are not likely to be casually cracked without an effort to also collect users’ secret words. But he also feels that most voice biometrics systems build in tolerances for those with less distinct voice prints, therefore applying a lower authentication standard for all users.

Some of the less-effective voice prints are gathered because of ambient noise when utterances are collected. Signal clipping applied by carriers can also have the unintended consequence of reducing the quality of voice prints. Some individuals simply have generic voice prints that share qualities with many others. Summerfield labels those afflicted, for whatever reason, with poor voice prints as “goats”, in contrast with the majority of “sheep” whose voices are a strong authentication token.

Armorvox’s answer is a system it calls ImpostorMap which tests every utterance in a database to see if any could authenticate more than one user. Those with less-secure voiceprints can then be encouraged to re-enrol with a better sample. By doing so, Summerfield says voice biometrics can become a stronger authentication technique as users create more distinct utterance collections that are harder to imitate.
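The cross-match that ImpostorMap is described as performing can be sketched as follows. This is an added example, not Armorvox code: voice prints are modelled as plain feature vectors, the sample vectors are constructed, and the labels come from Doddington’s “zoo” (sheep, goats and wolves as in the article, plus lambs for prints that accept other people’s voices):

```python
import math
from typing import Dict, List, Tuple

# Constructed toy data (not Armorvox output): user -> enrolled utterances,
# each a 4-D feature vector standing in for a real speaker embedding.
# alice and bob are distinct ("sheep"); carol sits between them ("wolf");
# dave's two samples disagree with each other, as in a noisy enrolment ("goat").
UTTERANCES: Dict[str, List[List[float]]] = {
    "alice": [[1.0, 0.0, 0.0, 0.0], [0.95, 0.05, 0.0, 0.0]],
    "bob":   [[0.0, 1.0, 0.0, 0.0], [0.05, 0.95, 0.0, 0.0]],
    "carol": [[0.7, 0.7, 0.1, 0.0], [0.7, 0.7, 0.0, 0.1]],
    "dave":  [[0.0, 0.0, 1.0, 0.0], [0.0, 0.0, 0.0, 1.0]],
}

Utt = Tuple[str, int]  # (user, utterance index)


def cosine(a: List[float], b: List[float]) -> float:
    """Similarity score in [-1, 1]; a verification engine accepts at or above a threshold."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def template(vectors: List[List[float]]) -> List[float]:
    """A user's voice print: the mean of their enrolled utterance vectors."""
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]


def impostor_map(utterances, threshold: float) -> Dict[Utt, List[str]]:
    """For every enrolled utterance, list every OTHER user whose voice print
    would accept it at `threshold` (the cross-match the article describes)."""
    prints = {u: template(vs) for u, vs in utterances.items()}
    result: Dict[Utt, List[str]] = {}
    for user, vecs in utterances.items():
        for idx, vec in enumerate(vecs):
            result[(user, idx)] = sorted(
                other for other, p in prints.items()
                if other != user and cosine(vec, p) >= threshold)
    return result


def genuine_scores(utterances) -> Dict[Utt, float]:
    """Leave-one-out genuine score: each utterance against a print built from
    the same user's remaining utterances (0.0 if there are none)."""
    scores: Dict[Utt, float] = {}
    for user, vecs in utterances.items():
        for idx, vec in enumerate(vecs):
            rest = vecs[:idx] + vecs[idx + 1:]
            scores[(user, idx)] = cosine(vec, template(rest)) if rest else 0.0
    return scores


def classify(utterances, threshold: float, many: int = 2) -> Dict[str, List[str]]:
    """goat: own samples fail verification; wolf: samples accepted by `many` or
    more other users' prints; lamb: own print accepts samples from `many` or
    more other users; sheep: none of the above."""
    xmap = impostor_map(utterances, threshold)
    genuine = genuine_scores(utterances)
    labels = {u: set() for u in utterances}
    matched_by = {u: set() for u in utterances}  # user -> prints that accept them
    accepts = {u: set() for u in utterances}     # user -> people their print accepts
    for (user, idx), hits in xmap.items():
        if genuine[(user, idx)] < threshold:
            labels[user].add("goat")
        for other in hits:
            matched_by[user].add(other)
            accepts[other].add(user)
    for user in utterances:
        if len(matched_by[user]) >= many:
            labels[user].add("wolf")
        if len(accepts[user]) >= many:
            labels[user].add("lamb")
        if not labels[user]:
            labels[user].add("sheep")
    return {u: sorted(tags) for u, tags in labels.items()}


def reenrol_list(utterances, threshold: float, many: int = 2) -> List[str]:
    """Users whose prints are weak or generic and should be asked to re-enrol."""
    return sorted(u for u, tags in classify(utterances, threshold, many).items()
                  if tags != ["sheep"])


if __name__ == "__main__":
    for user, tags in classify(UTTERANCES, 0.6).items():
        print(f"{user}: {', '.join(tags)}")
    print("re-enrol:", reenrol_list(UTTERANCES, 0.6))
```

Lowering the threshold until dave’s samples pass (0.0 here) makes every user cross-match every other, which is the “lower standard for all” that Summerfield warns about.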

The company has already secured channel partners in Australia and is actively seeking implementation partners beyond Antipodean shores. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/14/voice_biometrics_at_risk/

90% of AU net users want ‘do not track’

Australian Internet users are turned off by overly-intrusive personal data collection, according to a study conducted by Queensland University, and we want more information about how information is collected and used.

The 1,100-sample survey into Australians’ attitudes to the collection and use of personal information also found that more than 90 percent of respondents support “do not track”-style regulations that would allow them to track how information about them is collected and used.

The phone survey found that users also want to be able to opt-out of information collection and to request deletion of their personal information.

The study, which feeds into a growing unease about recent news such as Google’s revised privacy policy, also found that more than half of the people surveyed (56 percent) don’t want personally-targeted ads, and 64 percent don’t want personally-targeted news stories. This last result aligns with a Pew Internet American Life study which found that 73 percent of Americans don’t like personalized search engine results.

Dr Mark Andrejevic, leader of the survey and head of the Queensland University’s Personal Information Project, noted that “most of us have very little idea about what information is being collected and how it’s being used, so we cannot provide informed consent.”

If the responses accurately reflect the attitudes of Australians in general, it also suggests that over-collection is harming some Internet companies, with 69 percent of respondents saying they had refused to use a Web site or application because it sought too much personal information. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/14/punters_care_about_privacy/

Microsoft warns of RDP attack within next 30 days

Microsoft has released six updates in this month’s Patch Tuesday, including one for a critical hole that Redmond warns will be hit in the next 30 days.

The critical flaw affects all versions of Windows and lies in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely on machines behind the firewall, although users of Vista and later can enable Remote Desktop’s Network Level Authentication (NLA), which requires the connecting client to authenticate before a session is established. RDP is disabled by default, but is often activated.

“We are not aware of any attacks in the wild. However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” said the Microsoft security research center blog.

Of Microsoft’s other patches, four are deemed important: Expression Design gets a DLL preloading issue fixed, Visual Studio gets an add-on handling issue resolved, and the kernel and DNS systems also receive patches. There’s also a low-priority fix for DirectWrite.

The release caused some problems for Mozilla, which had also been planning an update. It said that the issue it was concerned about in Microsoft’s patches turned out to be something Mozilla had already fixed, but that it was only making updates available manually for the time being as a precaution.

“In order to understand the impacts of Microsoft’s “Patch Tuesday” fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we’ll push automatic updates out to all of our users,” said Johnathan Nightingale, senior director of Firefox engineering on the browser’s blog. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/13/microsoft_patch_tuesday_mozilla/

Indian web censorship court date moved to May

The controversial Indian legal imbroglio over censorship of web content, involving twenty companies including Google, Facebook and Microsoft, has been deferred until May 23.

Top executives from all the subpoenaed companies were originally scheduled to make a court appearance yesterday, but an earlier higher court order has exempted them from appearing in person.

The case stems from a complaint instigated by journalist Vinay Rai, who claimed that web content companies should be prosecuted for alleged offences including criminal conspiracy, defamation, promoting enmity between different groups on grounds of religion and race, and obscene content.

Google, Facebook and Microsoft have vigorously petitioned to quash the case with Yahoo’s Indian arm having already extracted itself from proceedings.

New laws passed last year oblige internet companies to remove material that is objectionable, harmful, defamatory or blasphemous within 36 hours of notification.

The affected companies argue that India’s IT law protects them from liability for user-generated content, although they acknowledge a responsibility to remove content in some cases, but only once notified about it.

Aside from arguing for free speech, they also claim that monitoring their services without receiving complaints would not be feasible, given the amounts of traffic on their sites. If convicted, the online executives could face jail time coupled with significant fines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/14/india_wants_to_censor_web/

Dell splashes cash on SonicWall’s powerful firewall erections

Updated: John Swainson, president of Dell Software, took control of the giant’s nascent software business last week and has moved fast, using the Dell checkbook to snap up SonicWall – a firewall and threat-management software and appliance maker – for an undisclosed sum.

SonicWall, which was founded in 1991 by brothers Sreekanth and Sudhakar Ravi, sold Ethernet cards, hubs, and other networking gear. During the dot-com boom, the company launched a firewall and virtual private networking appliance aimed at small and medium businesses and the company took off – enough for SonicWall to go public in November 1999 on the NASDAQ. Four years later, SonicWall brought in a new management team, headed up by Matt Medeiros, who is still CEO at the company.

Back in June 2010, private equity firm Thoma Bravo teamed up with the Ontario Teacher’s Pension Plan Board to acquire SonicWall for $11.50 a share, or $717m. At the time, SonicWall had $200.2m in cash, and in its prior fiscal year, which ended in December 2009, SonicWall had $73.8m in product sales, which had fallen by 25.4 per cent over two years, while license and services revenues had grown by 26.4 per cent to $126.7m. The company’s unified threat management tools accounted for 77 per cent of total sales, while content security management software accounted for 10 per cent, VPN products made up 9 per cent, and continuous data protection and backup software brought in 4 per cent. Net income at SonicWall in 2009 was $13.2m, nearly triple the income it netted in 2008 but less than half of what it gained in 2007.

Dell said in a statement that it was taking on SonicWall’s 950 employees and “plans continued investments to grow this business.” Dell said that SonicWall has over 15,000 resellers worldwide and that Dell plans to take the best of the SonicWall channel programs and mash them up with its own PartnerDirect programs – and also allow its own PartnerDirect peddlers to push SonicWall UTM software and its SuperMassive next-gen firewall.

In a conference call with Wall Street analysts this morning, Dell said that SonicWall had approximately $260m in revenues in the trailing 12 months and had over 300,000 active customers around the globe. Dell expects the deal to close in its second quarter of fiscal 2013, which ends in early August. On a non-GAAP basis, Dell reckons that SonicWall will be accretive to earnings in the second half of fiscal 2013.

SonicWall has made over 139 patent applications to the US Patent and Trademark Office, and 64 patents have been issued to date. This is one reason why Dell is interested in SonicWall. Another is that it wants to bulk up its security offerings, which include its SecureWorks service. Dell acquired SecureWorks in January 2011 for an undisclosed sum, and at the time SecureWorks had about $120m in revenues.

Another reason Dell wants SonicWall is that it reckons that the unified threat management market is worth about $2.4bn in 2011 and will grow to around $3.9bn by 2015. Also, the UTM appliance and software maker will beef up Dell’s security product portfolio, thus:

[Chart: Dell’s security product portfolio]

The idea is to secure the data center with SonicWall products; secure and manage client devices – PCs, tablets, smartphones, and so forth – with KACE appliances; back up and monitor files with AppAssure; and monitor threats and provide other security services with SecureWorks.

By the way, each part of that Dell product line has come from a recent acquisition. Dell bought the KACE control freak in February 2010 and just three weeks ago it snapped up AppAssure – which has more sophisticated data replication software than SonicWall. Dell did not disclose how much it paid for any of these businesses. KACE had 125 people when it was acquired, AppAssure had 230, and SecureWorks had 700.

Update

On that conference call, Swainson said that unified threat management was important to Dell because in emerging markets, many customers are buying their first UTM product, while in the established markets, many companies are in need of upgrading their existing UTM appliances. No matter where companies are located, they are all wrestling with more data spread out over more kinds of devices, as well as an increasing number of threats to their IT systems.

“Customers see security as one of their key IT risks – in some cases, their main IT risk,” said Swainson.

Medeiros, who will be staying on at Dell along with SonicWall’s other employees, said that during the past two years while being private, SonicWall had shifted more of its revenues to software and services and away from just hardware appliance sales. The idea is simple enough: get a recurring revenue stream because customers hang on to their appliances for a long time.

The other idea, said Medeiros, was to leverage Dell’s foot-in-the-door in corporate data centers to get the SuperMassive UTM appliance into corporate accounts where in the past SonicWall might have been chosen for remote branch offices. Dell already had a reseller agreement with SonicWall to peddle the SuperMassive appliance, and in fact, the very first one that SonicWall sold was done in conjunction with Dell.

Of that $260m revenue stream, Medeiros said that about $130m of it was for software and support services, and that about two-thirds of that, or around $87m, is recurring subscription revenues. The overall business grew in the mid-teens in the past year, but the shift to software and subscriptions means that SonicWall has been building up its deferred revenues for software and subscriptions at the expense of hardware revenues. This was done on purpose.

But don’t get the wrong idea. Medeiros said that the SuperMassive firewall had revenue growth in the mid-20s in the past year, compared to prior generations of hardware appliances. So hardware is still important to SonicWall – and will be important to Dell as well.

As for other potential acquisitions, Swainson said that he would have more to say in June at Dell’s annual analyst meeting, adding that he had only been on the job a few weeks but that he was keen on adding any “software that leverages and complements the rest of the Dell portfolio.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/13/dell_buys_sonicwall/

Jester hacker brags of mobe attack on Anonymous, baby-kisser

A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted “enemies” after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.

In a blog post reminiscent of the penultimate act of a James Bond movie, the Jester described “how he done it”.

The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code, just after news of last week’s Anonymous/LulzSec arrests broke.

Victims induced “by their own curiosity” to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.

According to the hacker, malicious code he used in the “attack” handed over the compromised users’ Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.

“Enemies” of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester’s hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.

The Jester, previously most famous for claiming credit for an application-based DDoS attack against WikiLeaks and for disrupting pro-Jihadist websites, said he raised his permissions on each exploited device. iOS has a default username/password combination of root/alpine, making this step of the process simple on iPhones.

The process is more complicated on Android but even there a variety of attack tools exist. After obtaining these elevated privileges, the Jester then allegedly extracted data from databases on compromised devices, which he claimed allowed him to obtain SMS, voicemail, call logs, and email*.

That’s the theory. In practice the hack would have involved taking the next steps in exploits already demonstrated by famed white-hat hacker Charlie Miller and others. In addition, the assault would have relied on users sticking to default SMS and email applications, as explained in an informative commentary on the attack by Johannes Ullrich, a security researcher at the SANS Institute’s Internet Storm Centre, here.

Damage analysis

It’s unclear whether the attack, clever though it was, actually claimed any victims. It’s quite possible that the hack was entirely unsuccessful and The Jester is only claiming otherwise in a bid to wind up his enemies and possibly induce them into making a security lapse that he can exploit.

The Jester has wasted little time taunting his intended victims in messages that set out to justify his hijinks (which pose obvious privacy worries for regular smartphone users) as carefully targeted against known “bad guys”.

“I had a list of ‘targets’ twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members,” The Jester writes in a blog post entitled Curiosity Pwned the Cat.

“EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a proof of concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. I do not feel sorry for them.

“In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?”

The Jester posted a PGP data file from his Webkit Exploit op on Monday night. Since the data is encrypted it could be anything, or nothing. The Jester claims more than 1,200 curious netizens scanned the QR code – of which 500 devices “reverse shelled back to the listening server” (stage one of the attack). He claims that a “significant number” of these 500 were on his ‘shit-list’ and as such treated as valid targets. The patriot hacker doesn’t say how many were compromised, if any.

US state representative Dan Gordon (Republican) reportedly reacted angrily to news that he might have been targeted, threatening to report the patriot hacker to the feds for offences ranging from threatening a state official to hacking the mobile phone of an elected politician. Gordon later said he had not scanned the Jester’s QR code and thus couldn’t possibly have been hacked, via a succession of Twitter updates on Monday pointing to posts that cast doubt on the plausibility of the supposed attack. “@m4yH3mKITTEH @th3j35t3r/fag @ChronicleSU bit.ly/zwevPv More nonsense. Plus, couldn’t have executed if I never scanned it, right?”, one such Tweet said. ®

Bootnote

* The database for Tweetie holds “Twitter username, recent searches, device UDIDs, among other information”, which would make it trivial for The Jester to identify iPhone users who happen to use the default Twitter application on iOS, the ISC explains.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/13/jester_qr_exploits/

Apple patches steaming heap of Safari bugs

Apple has released an update for its Safari browser that patches a record number of serious security vulnerabilities, promises JavaScript performance improvements, and eliminates the annoying “white flash” page-switching bug.

The JavaScript performance increase isn’t trivial: Apple promises an “up to” 11 per cent speed-up. Neither is the number of security vulns fixed: 83 – a load that Computerworld says is a new record, surpassing the 62 vulns fixed in Safari update 5.0.4.

[Image: Safari 5.1.4 ‘Software Update’ notice]

By the way, don’t bother checking the web page to which Apple sends you for details on Safari 5.1.4’s security update – at least not yet. As is Apple’s tradition, they’re late on providing that info, and the page had yet to be updated by 10:00am Pacific Time on Monday. Check that first link in our previous paragraph, instead.

The vast majority of the patches – 72 – are for vulnerabilities in WebKit, including some that could, in Apple’s standard wording, result in the dreaded “arbitrary code execution”. Another vuln, now fixed, allowed cookies to be set even when Safari was set to block them.

Other niceties are also delivered in Safari 5.1.4. For example, links in downloaded PDFs are now preserved, a bug that caused screen dimming when watching HTML5 movies has been fixed, and cookies that are set during regular browsing sessions are now available during Private Browsing sessions – meaning that any cookies you set when you were in the open will work when you’re hiding, but you still won’t set any when you’re private.

The update is for Safari running on OS X Lion 10.7.3 and Snow Leopard 10.6.8, and Windows XP SP2, Vista, or Windows 7. You can find it in all the usual places: the Apple menu’s Software Update or download page, and Windows users running Safari will be notified by the Apple Software Update utility. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/13/safari_5_1_4/

China’s soft censors clamp down on micro blogs

New research by a US university has shone a little more light on the murky world of Chinese web censorship to tell us that, yes, home grown social media is policed pretty damn effectively in the People’s Republic.

In what they claim is the first study of its kind into “soft censorship” – that is, deletion of individual messages rather than the wholesale blocking of sites – researchers at Carnegie Mellon University’s School of Computer Science analysed millions of Chinese microblog, or weibo, posts to uncover which terms drew the ire of the censors.

The team collected some 57 million messages posted on the popular Sina Weibo platform from June to September 2011 using a developer API. A few months later it checked a random subset of these messages, and then another subset containing known politically sensitive terms, to see which had been deleted.

According to the team, a combination of automated technology and manual labour ensures that politically sensitive terms are deleted. Some, like outlawed spiritual movement Falun Gong or human rights activists Ai Weiwei and Liu Xiaobo, are likely to be flagged straightaway while others are dependent on circumstances and context.

For example, the term ‘Lianghui’ is normally a legitimate reference to the meeting of the National People’s Congress and Chinese People’s Political Consultative Conference, but in February 2011 became used as a code word for planned protest and thus was censored, the researchers explained.

On another occasion normally acceptable references to Communist Party hero Jiang Zemin were censored after rumours of his death circulated in early July 2011.

At the height of the rumours, the researchers compared mentions of his name on Sina Weibo – one in every 5,666 – with the Chinese language version of Twitter – one in 75 tweets – to highlight that messages were indeed being deleted.

They added that the authorities focus particularly on areas of known political unrest such as Tibet, where half of all messages generated locally were deleted during the research period.

The report continues that not all censored content is political, with the authorities also cracking down on web rumours of contaminated salt following the Japanese nuclear incident at Fukushima.

If anything, the research is notable for proving that state censorship of the web in China is not yet 100 per cent effective. Although the Great Firewall does a pretty good job of blocking sites on the blacklist, some weibo messages are still slipping under the censor’s radar, although it will surely not be long before that is righted.

The government’s latest ploy to discourage the posting of any controversial content is to mandate that users sign up to weibo accounts with their real names – something Sina thinks could lose it 40 per cent of its punters.

Under Hu Jintao’s leadership the country has seen a definite online crackdown on free speech, with regular purges of web sites deemed to be hosting fraudulent, pornographic or “harmful” content.

This came most notably in November 2011 when first China’s major tech companies were bullied into (sorry, encouraged to) remove any content deemed harmful to the state, and then journalists were given strict reporting guidelines designed to discourage them from reporting on stories circulating on social media.

Twitter is of course well placed to enter the Chinese market, should the government deem it fit, having launched functionality which allows tweets to be blocked at a country level if they don’t conform with local laws. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/13/china_weibo_censorship/