
Saturday, July 19, 2014

Computers can be hacked without internet connections - using cellphones

  • Saturday, July 19, 2014
  • asd
  • Hackers no longer need the Internet to invade and control a system, Ben Gurion University researchers say


    Cutting off the Internet won’t keep you safe from long-distance hackers, Ben Gurion University researchers discovered. Using a technique called air-gap network hacking, all a hacker has to do is implant the right kind of malware into a cellphone that gets within range of a computer. Hackers on the other side of the world could use cellphone-based malware to remotely access any data they want, using the electromagnetic waves emanating from computer or server hardware, with no need for an Internet connection.

    The hack isn’t new, according to Prof. Yuval Elovici, head of BGU’s Cyber Security Lab. The technique was used to attack Iranian servers in the Stuxnet hack attack. What’s new is the use of a cellphone to do it.

    The Iranian network targeted by Stuxnet was an air-gapped one, connected only to local computers, with no external connection to the Internet. The virus infected the servers controlling the Iranian nuclear program’s centrifuges, “choking” them until they ground to a halt. It was, many experts believe, physically transferred to the closed network via a USB flash drive. The attack described by Elovici is light-years ahead of Stuxnet, because no physical contact is required to compromise a system.

    Even if you don’t think your computer is connected to anything, it sends electromagnetic or acoustic emanations from its hardware. The NSA’s (National Security Agency) TEMPEST program uses special devices to pick up data from computers and servers via leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations from hardware such as video monitors, keyboards, network cards and memory chips.

    Each stroke on a keyboard, for example, transmits an electrical signal that runs through a computer’s processor and shows up on the monitor, emitting electromagnetic waves. Since each letter is unique, each key gives off a different frequency wave. If a hacker can capture those waves and reconstruct them, he could figure out what usernames and passwords were used to log onto the network.

    How could a mobile phone be used to hack into an air-gapped network? In a take-off of an email phishing attack, a hacker could send an unsuspecting employee in a sensitive installation a text message that looks legitimate, but contains a link to malware that surreptitiously gets installed on their cellphone.

    Once the malware is on the phone, it scans for electromagnetic waves which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server. Elovici’s team has demonstrated how this is done with computer video cards and monitors. With the virus installed on the system, the phone connects to it via the FM frequency, sucks information out of the server and uses the phone’s cellphone network connection to transmit the data back to hackers. All that’s needed is physical proximity to the system. The team said that one to six meters is enough.

    Elovici and his team demonstrated this technique to President Shimon Peres during his visit to BGU’s Cyber Lab last month.

    Right now, Elovici said, there’s little that can be done to prevent this kind of cyber-attack other than turning off the phone. As that is not a practical solution in this day and age, his team is searching for other solutions. It’s a major security risk, he said. Until a solution is found, that risk will only increase, as news of the hack spreads in the hacker community.

    Article from TimesofIsrael

    Tuesday, January 21, 2014

    Hackers use refrigerator in cyber attack

  • Tuesday, January 21, 2014
  • asd

  • Call it the attack of the zombie refrigerators.

    Computer security researchers say they have discovered a large "botnet" which infected internet-connected home appliances and then delivered more than 750,000 malicious emails.

    The California security firm Proofpoint, which announced its findings, said this may be the first proven "internet of things" based cyber attack involving "smart" appliances.

    Proofpoint said hackers managed to penetrate home-networking routers, connected multimedia centres, televisions and at least one refrigerator to create a botnet — or platform to deliver malicious spam or phishing emails from a device, usually without the owner's knowledge.

    Security experts previously spoke of such attacks as theoretical.

    But Proofpoint said the case "has significant security implications for device owners and enterprise targets" because of massive growth expected in the use of smart and connected devices, from clothing to appliances.

    "Proofpoint's findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the internet of things and transform them into 'thingbots'", to carry out the same kinds of attacks normally associated with personal computers.

    The security firm said these appliances may become attractive targets for hackers because they often have less security than PCs or tablets.

    Proofpoint said it documented the incidents between December 23 and January 6, which featured "waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide".

    More than 25 per cent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single device, making the attack difficult to block based on location.

    "Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," said David Knight at Proofpoint.

    "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."

    Tuesday, August 6, 2013

    Electoral Commission Twitter account hacked, voters asked not to click

  • Tuesday, August 6, 2013
  • asd
  • Australian voters have been asked to ignore direct messages purportedly sent from the Australian Electoral Commission, after the commission's Twitter account was hacked on Tuesday.

    Twitter users started telling the AEC its Twitter account had been hacked shortly after 7 am, when they received links in direct messages from @AusElectoralCom. Some of the messages read "I found a funny pic of you!" with the link leading to a fake Twitter page designed to capture users' login details by way of "verification".

    It is a classic phishing scam - Twishing - perpetrated by malicious hackers and something the social network has moved to curtail by limiting the number of DMs that can be sent at once to 250. The scam's goal is to capture more and more Twitter login details to in turn send more DMs. Links of similar scams have been found to lead to malware downloads, including banking trojans.

    Evan Ekin-Smith, spokesman for AEC, said the commission received advice from Twitter early Tuesday that its account had been compromised together with a list of measures to fix the problem.

    Mr Ekin-Smith said he was not aware of how its password had been obtained, but was certain no one from the organisation had been phished in a similar scam or divulged the password.

    He said the AEC would now change its password daily and to increasingly more complex combinations to ensure it wouldn't happen again. It has also elected to use Twitter's two-factor authentication introduced in May, requiring a verification code sent to a linked mobile number to login.


    "It's the power of social media used in a negative way. I have been speaking to our IT people this morning, they are putting in further steps - so anyone who tries to access our Twitter account will have to go through many more complicated steps in the future."

    At 9:10 am the AEC posted: "The Twitter issue has been resolved swiftly this morning. It was in no way related to any AEC IT systems."

    Mr Ekin-Smith said AEC was quick to address the issue and to determine no IT systems had been compromised. He said no third-party applications were linked to the account.

    AEC is the latest in a string of hacked high-profile accounts - Jeep, The Guardian, and Associated Press were among those hacked recently, some as a result of hactivism.

    Twitter's help centre has advice for people whose account has been hacked.


    Tor 'deep web' servers go offline as Irish man is held over child abuse images

  • asd
  • Freedom Hosting, linked by the FBI to child abuse images, has gone offline, as the FBI sought the extradition of a 28-year-old suspect from Ireland.
    Eric Eoin Marques is the subject of a US arrest warrant for distributing and promoting child abuse material online.

    He has been refused bail by the high court in Dublin, reported the Irish Independent, until the extradition request is decided. Marques, who is both a US and Irish national, will face the high court again on Thursday.
    If extradited to the US, Marques faces four charges relating to images hosted on the Freedom Hosting network, including images of the torture and rape of children. He could be sentenced to 30 years in prison.
    Freedom Hosting hosted sites on the The Onion Router (Tor) network, which anonymises and encrypts traffic, masking the identity of users.

    Whistleblowers, journalists and dissidents too?

    On Sunday, Tor's official blog posted a detailed statement confirming that a large number of "hidden service addresses", or servers anonymised using the network, had unexpectedly gone offline.
    Tor was quick to distance itself from Freedom Hosting, which has been claimed to be a hub for child abuse material as well as Silk Road, the eBay of hard drugs, saying "the persons who run Freedom Hosting are in no way affiliated or connected to the Tor Project Inc, the organisation co-ordinating the development of the Tor software and research."
    "Anyone can run hidden services, and many do," said the statement. "Organisations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery.
    "Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example."
    Security blogger and former Washington Post reporter Brian Krebs wrote on Sunday that users were identified using a flaw in Firefox 17, on which the Tor browser is based.
    Rik Ferguson, vice-president of security research at Trend Micro, said he was awaiting further details to be made public as Marques is brought to trial, but that the takedown and related law enforcement "is great news for the campaign against child exploitation".
    "The malicious code made a 'victim machine' which visited one of the compromised hidden sites, and requested a website on the 'visible' web, via HTTP, thereby exposing its real IP address. As the exploit did not deliver any malicious code, it is highly unlikely that this was a cybercriminal operation.
    "It is a legitimate concern that users of child abuse material may simply go elsewhere, and as such the individual users should continue to be targeted by law enforcement globally. However, going after the people and organisations that really enable this content to be made available at all is a much more effective strategy."
    In 2011, hacking collective Anonymous took down Freedom Hosting with a targeted DDoS attack as part of an anti-paedophile campaign. Anonymous also published details of the accounts of 1,500 members of Lolita City, claiming Freedom Hosting was home to 100GB of child abuse material.

    FBI conspiracy?

    Users on the Tor sub-Reddit were suspicious about the news, dissecting the details of the vulnerability and pointing to a previous case where the FBI had taken over and maintained a site hosting child abuse material for two weeks in order to identify users.
    "FBI uploads malicious code on the deep web sites while everyone is off at Defcon. Talk about paying dirty," commented VarthDaTor. Defcon is an annual event in the US for security experts and hackers.
    "The situation is serious," said gmerni. "They got the owner of FH and now they're going after all of us. Half the onion sites were hosted on FH! Disable Javascript in your Tor browser for the sake of your own safety."

    Saturday, June 8, 2013

    Android malware discovered, most advanced yet claims researchers

  • Saturday, June 8, 2013
  • asd
  • Security researchers have discovered what is claimed to be the most sophisticated Android malware ever seen.

    Dubbed Obad, the malware can send texts to premium rate numbers, download and install additional malware and remotely execute console commands. It also uses complex obfuscation techniques to evade detection.

    The malware was unearthed by researchers working for IT security firm Kaspersky, who said that once the smartphone is infected, the malware quickly gains access to privileges on the phone and starts working in the background. The Trojan then attempts to spread through Wi-Fi and Bluetooth networks, sending malicious files to other phones.

    Obad also exploits vulnerabilities in the Android OS. It can gain administrator privileges, making it virtually impossible for a user to delete it off a device. Another flaw in the Android OS relates to the processing of the AndroidManifest.xml file. This file exists in every Android application and is used to describe the application’s structure and define its launch parameters.

    "The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability," said Roman Unuchek, Kaspersky Lab Expert. "All of this made it extremely difficult to run dynamic analysis on this Trojan."

    It also interferes with DEX2JAR code on the device, which converts APK files into JAR files. The disruption complicates analysis of the Trojan.

    The Trojan collects large amounts of data from the device, which it passes back to hackers through a command and control (C&C) server, according to Unuchek. The collected information is sent to the server in the form of an encrypted JSON object.

    This information is sent to the current C&C server every time a connection is established. In addition, the malicious program reports its current status to its owner: it sends the current table of premium numbers and prefixes to which to send text messages, the task list, and the list of C&C servers. During the first C&C communication session, it sends a blank table and a list of C&C addresses that were decrypted as described above. During the communication session, the Trojan may receive an updated table of premium numbers and a new list of C&C addresses.

    Unuchek said that the malware "looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits."
    "This means that the complexity of Android malware programs is growing rapidly alongside their numbers," he said.

    Friday, May 31, 2013

    PayPal vulnerability finally closed

  • Friday, May 31, 2013
  • asd
  • On Wednesday night, payment processor PayPal closed the security hole in its portal that had been publicly known for five days. The company had been aware of the vulnerability for about two weeks. The hole was a critical one: it allowed attackers to inject arbitrary JavaScript code into the PayPal site, potentially enabling them to harvest users' access credentials.
    Why PayPal took so long to fix the hole is incomprehensible – the information required to exploit the hole has been circulating on the net since last week and there was an urgent need for immediate action. In similar cases, affected companies tend to respond within 24 hours.

    Another cause for irritation is that, even as late as Tuesday, a PayPal spokesperson told The H's colleagues at heise Security that "at this moment, there is no indication" that PayPal customer data is at risk – despite heise Security providing proof to the contrary by embedding their own login form into the HTTPS-secured PayPal site. Attackers with a little more criminal motivation could have injected a phishing page that, at first glance, looked identical to the original.

    The vulnerability was discovered by Robert Kugler, a 17-year-old student, who originally wanted to report it via the bug bounty program that the company launched last year. When PayPal didn't allow him to participate in the program because he wasn't yet 18, the student released the details of his discovery on the Full Disclosure security mailing list, but only after giving PayPal a week's period of grace, which the company allowed to pass. 

    Kugler reports that he received another email from PayPal yesterday in which the company said: "the vulnerability you submitted was previously reported by another researcher", which suggests that the company knew of the problem for more than two weeks before moving to fix the issue. PayPal says it is for this reason that they are not paying Kugler the bug bounty and chastises Kugler for disclosing the issue to the public. The company is, though, offering to send the young researcher a "Letter of recognition" for his investigation.

    Drupal hacked, resets passwords after millions of accounts exposed

  • asd
  • Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data.
    Drupal.org is the official website for the popular open-source content management platform. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application, not in Drupal itself, Holly Ross, executive director of the Drupal Association, wrote in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.
    "Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."

    There's no indication credit card data was intercepted. There's also no evidence that any unauthorized changes were made to Drupal source code or projects.

    Drupal.org administrators have responded by rebuilding production, staging, and development systems and enhancing most servers with grsecurity, a set of security patches for the Linux operating system. The admins have also hardened their configuration of the Apache Web server application and added antivirus scanning to their security routine. Some Drupal.org subsites, particularly those with older content, have been converted to static archives so they can't be updated in the future.

    Drupal.org account holders will be required to change their password by visiting this link, entering their username or e-mail address, and following the link included in the e-mail message that follows. Ross also encouraged account holders to change login credentials on other sites that used the same or a similar password used on Drupal.org.

    Most of the passwords stored by Drupal.org were both salted and, more importantly, passed through a cryptographic hash function multiple times using the open-source phpass application. Some older passwords weren't salted. If Drupal engineers followed good practices—and there's no indication they didn't—the repeated hash iterations will go a long way to preventing anyone who obtains the data from quickly cracking the hashes and exposing the underlying plaintext that generated them. (Cryptographic salting, which appends unique characters to each password before it's hashed, is also helpful, although people frequently overstate the protection it provides. For much more on password protection see the Ars feature Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.)
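The salting and repeated hashing the paragraph describes, as an added example that is not the article's, Drupal's or phpass's code: the unsalted single-pass scheme of the "older passwords" beside a salted, iterated scheme, with a constant-time verifier and a constructed three-user sample. Standard-library PBKDF2-HMAC-SHA256 stands in for phpass's iterated MD5; the `pbkdf2_sha256$iterations$salt$hash` storage format, the iteration count and the sample users are assumptions made for the example, not phpass's real format or Drupal's settings.

```python
"""Salted, iterated password hashing beside the unsalted single-pass case.

Added example; not code from the article, Drupal.org or phpass. PBKDF2-HMAC-SHA256
is used as a stand-in for phpass's iterated MD5 (assumption: same shape, different
primitive). Storage format and iteration count are also assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: three accounts, two of which chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "qeadzcwrsfxv1331",
    "bob": "correct horse battery",
    "carol": "qeadzcwrsfxv1331",
}

# Assumed work factor: high enough that each guess costs the cracker real time.
ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted, single-pass SHA-256: the 'older passwords weren't salted' case.

    Identical passwords produce identical hashes, so cracking one guess exposes
    every account that chose that password and precomputed tables work directly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted and iterated: a fresh random salt per password, many rounds.

    The salt makes equal passwords hash differently and defeats precomputation;
    the iteration count multiplies the cost of every guess a cracker makes.
    Returns a self-describing string so verify() can recover its parameters.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unsalted/unknown records never verify under this scheme
    _, iterations, salt_hex, derived_hex = parts
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def distinct_hash_count(users: Dict[str, str], hash_fn) -> int:
    """How many distinct stored values a leaked table would contain.

    With weak_hash, duplicate passwords collapse into one value (2 for the sample);
    with strong_hash, every account gets its own salt and so its own value (3).
    """
    return len({hash_fn(pw) for pw in users.values()})


if __name__ == "__main__":
    print("distinct weak hashes:  ", distinct_hash_count(SAMPLE_USERS, weak_hash))
    print("distinct strong hashes:", distinct_hash_count(SAMPLE_USERS, strong_hash))
    record = strong_hash(SAMPLE_USERS["alice"])
    print("stored record:", record)
    print("verify correct:", verify(record, SAMPLE_USERS["alice"]))
    print("verify wrong:  ", verify(record, "password1"))
```

The point the paragraph makes is visible in `distinct_hash_count`: the same password leaks as the same value under the unsalted scheme but as three unrelated values once salted, and `verify` must redo the full iterated derivation for every candidate, which is exactly the cost that slows an attacker who obtains the table.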

    Ross didn't identify the exploited third-party application. Given Drupal.org's use of Apache, it's possible the site was compromised by the same attack that has plagued at least 20,000 other sites in recent weeks. Researchers still don't know how attackers are gaining almost unfettered, "root" access on these servers, but the same backdoor, often known as Linux/Cdorked, more recently started compromising sites that run on the nginx and Lighttpd Web servers too.

    The hacks are underscoring the growing vulnerability of websites to serious malware attacks. On Tuesday, evidence emerged that servers running the Ruby on Rails framework were being compromised and made part of a botnet. The attackers in that case were exploiting an extremely critical vulnerability that was patched in early January.

    Drupal's front page states there are 967,545 people in 228 countries (speaking 181 languages) using the platform.

    Thursday, May 30, 2013

    Chinese hackers breach key US weapons designs

  • Thursday, May 30, 2013
  • asd
  • The Washington Post is reporting that the designs for many of the U.S.’s “most sensitive advanced weapons systems have been compromised by Chinese hackers.”

    While the U.S. has started to increase its pressure on China, it is a dollar short and a day late. Rather than allow state-sponsored hackers to continue to harm U.S. national and economic security, the U.S. needs to take stronger actions to deter future cyber aggression.
    The new report by the Defense Science Board lists at least 29 specific weapons system designs that were stolen by hackers. These included several missile defense systems, such as the Aegis Ballistic Missile Defense System, the Terminal High Altitude Aerial Defense, and the Patriot Advanced Capability-3. Aircraft, such as the F-35 and F/A 18 fighter planes, the C-17 cargo plane, and the UH-60 Black Hawk Helicopter, were compromised, as were the Navy’s new Littoral Combat Ship and several information and control systems.

    According to those familiar with these hacks, the vast majority are part of an ongoing and growing Chinese cyber-espionage campaign to steal U.S. technologies, advance Chinese weapons development, and then turn them against their creators. Earlier this year, the security firm Mandiant also identified a specific bureau of the Chinese military as responsible for stealing huge amounts of data from U.S. companies over the past seven years. Taken together with countless other confirmed and suspected Chinese hacks, clearly the U.S. should do more to stop cyber aggression.

    First, the U.S. should continue to name and shame China. This will mean issuing more reports that identify China as a bad cyber actor and then having U.S. leaders use this information to call out China in speeches and diplomatic discussions. While the U.S. is starting to actually put the blame on China in some of its reports, our leaders continue to naively treat China as a cyber ally.

    In April, the highest-ranking American military officer, chairman of the Joint Chiefs General Martin Dempsey, stated that the U.S. sought “collaboration and transparency” with China, since “cyber threatens our economy and [the Chinese] economy.” U.S. leaders should be pointing the finger at the Chinese instead of inviting them to steal U.S. secrets.

    Second, the U.S. should actually take a tougher line on China by ceasing to cooperate with China on cybersecurity. The U.S. should not be engaging in cyber war games and cyber exchanges with the Chinese when they are merely using that information to learn how to do a better job hacking U.S. systems. Continuing to collaborate with China only proves that the U.S. knows about the problem but lacks the will to do anything about it, thus further emboldening China. The U.S. should also consider working with allies to take economic and legal actions against Chinese companies that peddle stolen property.

    U.S. military and business secrets are being stolen as part of an extensive cyber campaign by the Chinese to advance their weapons capabilities and economy. The U.S. should stand up to China and make them feel pain when they steal U.S. secrets. Failing to do so would further endanger U.S. national security and economic growth.

    Wednesday, May 29, 2013

    LulzSec hacker Jeremy Hammond pleads guilty to Stratfor hack

  • Wednesday, May 29, 2013
  • asd
  • Jeremy "anarchaos" Hammond, LulzSec member and self-styled activist, announced today that he's pleading guilty to one count of violating the Computer Fraud and Abuse Act (CFAA).
    Hammond admits that he worked with Anonymous to hack into the website of private intelligence company Stratfor as well as other sites involved in the law enforcement and intelligence sphere. He says he acted because he believes "people have a right to know what governments and corporations are doing behind closed doors." Some five million e-mails between the company and its clients were given to WikiLeaks, which has in turn published slightly more than 900,000 of them.
    This attack was part of the "AntiSec" (Anti-Security) operation started by LulzSec in June 2011. That initiative saw numerous law enforcement and intelligence organizations attacked.
    Hammond pled not guilty to the charges about one year ago. He says he changed his plea because the prosecutor "stacked the charges with inflated damage figures." These high damage figures mean that under current sentencing guidelines Hammond faced more than 30 years in prison if found guilty.
    Further, with other indictments outstanding against him, Hammond says that even if he won one trial, further trials were likely to occur.
    Under the terms of the plea agreement, Hammond will be given immunity from further prosecution in federal courts. He still faces up to 10 years in prison for the charge he admitted to, while Hammond supporters argue that he should be sentenced to no more than time served. The LulzSec man already spent 15 months in prison awaiting trial. Sentencing is scheduled to take place on September 6. Hammond has also agreed to pay $250,000 in restitution.
    Hammond broke into Stratfor's systems in late 2011. After doing so, he got in touch with LulzSec ringleader Hector "Sabu" Monsegur to discuss the hack, using Monsegur's servers to store the data.
    The e-mails were given to WikiLeaks. Other information—including e-mail addresses, hashed passwords, and around 30,000 credit card numbers—was published online. Subsequent to the hack, some $700,000 in unauthorized charges was made to the stolen cards.
    What Hammond didn't know at the time was that Monsegur had been arrested earlier that year and was secretly working as an FBI informant. The offer of storage space for the purloined data came at the FBI's request. The FBI used information from Hammond's chats with Sabu, including mentions of previous arrests, to determine his identity.
    Earlier in the month, four LulzSec members in the UK were sentenced to between 24 and 32 months for their parts in the group's hacking activities. Two group members in Ireland were arrested but subsequently released, with prosecutors there declining to press charges.

    Monday, May 27, 2013

    Sky News Google Play page defaced

  • Monday, May 27, 2013
  • asd
  • Sky News seems to have a habit of letting its credentials escape into the outside world, apparently letting the Syrian Electronic Army get its paws on its Google Play admin account.
     
    As a result, it's had the embarrassment of having the Sky News app screenshots in Google Play replaced with an announcement that “The Syrian Electronic Army Was Here”.

    To rub salt into the wound, the company's help desk Twitter account was also taken over to send out a message stating “Both Sky+ and SkyNews Android apps were replaced, please uninstall”. However, that claim may have exaggerated the extent of the attack, since it seems more likely at this stage to be a case of the SEA putting its graffiti on the Google Play store page for the Sky News apps.

    The account takeover also included redirecting the developer help e-mail account to the SEA.

    It's not the first time Sky News has been embarrassed by being careless with security. Earlier in May 2013, one of its Twitter accounts was compromised to post “Colin was here”. In 2009, a Web petition being run by the broadcaster was defaced.
    The Register has contacted Sky News seeking further information on the attack, but has yet to receive a response.

    Blueprints of Australia's top spy agency headquarters stolen by Chinese hackers

  • asd
  • SECRET and highly sensitive blueprints outlining the layout of Australia's top spy agency's new headquarters have been stolen by Chinese hackers, the ABC says. 


    The documents contained details of the ASIO building's floor plans, communication cabling layouts, server locations and security systems, potentially putting the entire organisation at risk, Monday night's Four Corners program alleges.

    It is unclear precisely when the alleged theft took place, or if there have been diplomatic ramifications from the embarrassing breach.

    But it comes amid deepening concern about widespread, aggressive state-sponsored hacking by China, with further allegations that its cyber spies have recently obtained sensitive Australian military secrets and foreign affairs documents.

    Companies including BlueScope Steel and Adelaide-based Codan, which makes radios for military and intelligence agencies, are also said to have been targeted by the Chinese, according to the ABC.

    The allegation comes just weeks after Canberra softened its stance towards China, claiming in May's Defence White Paper that it no longer saw the rising superpower as a threat.

    Aside from the diplomatic implications, the alleged ASIO theft may help explain why its new headquarters, overlooking Canberra's Lake Burley Griffin, is millions over budget and still not operational.
    ASIO said in its October annual report that the building would cost taxpayers about $630 million - $41 million more than expected.

    It was due to open in April, but staff are yet to move in.

    The ABC did not cite the source of its claims, but said the blueprints had been taken from a contractor involved with the project.

    "It reeked of an espionage operation. Someone had mounted a cyber hit on a contractor involved in the site," Four Corners reported.

    "The plans were traced to a server in China."

    Professor Des Ball, from the Australian National University's Strategic and Defence Studies Centre, suggested the theft meant China could bug the building.

    "At this stage with construction nearly completed you have two options," he told the ABC.

    "One is to accept it and practice utmost sensitivity even within your own headquarters.

    "The other, which the Americans had to do with their new embassy in Washington ... was to rip the whole insides out and to start again."

    Federal Attorney-General Mark Dreyfus refused to confirm the theft.

    Whistleblowers interviewed by Four Corners also allege the Australian defence department's classified email and restricted networks have been hacked.

    "A factor of ten times the entire database, or the entire amount of information stored within the Defence Restricted Network, has been leached out over a number of years," one worker said.

    Another whistleblower said a "highly sensitive document" belonging to the Department of Foreign Affairs and Trade had been stolen by China.

    "It's a project that would give an adversary a significant advantage when dealing with Australia," the source told the ABC about the DFAT document.


    Iranian Hackers targeting US oil, gas, and electric companies

  • asd
  • For all the noise that the Syrian Electronic Army and China’s PLA Unit 61398 have been making recently, the US is facing a much deadlier threat to its cyber interests right now. State-sponsored hackers from Iran have reportedly ramped up their cyber-espionage campaign against the US in recent weeks, infiltrating a number of the country’s industrial control systems.

    According to the Wall Street Journal, Iranian hackers have been able to gain access to the servers of several energy companies in the US. The government has refused to identify exactly how many, or which companies were involved, but it's believed that they include oil, gas and electricity firms. Experts warn that the hackers could have easily manipulated oil and gas pipelines, potentially causing catastrophic damage to energy infrastructure and the environment had they chosen to do so. While it's not clear to what extent the hackers infiltrated the companies' systems before being noticed, one official told the paper that they got "far enough to worry people".

    For the moment at least, we can breathe easy. Security experts believe that the Iranians are merely attempting to learn how the control systems work. Nevertheless, the fact they’re doing so can be considered a very ominous sign, as this kind of reconnaissance would be the first step in any co-ordinated attempt to disrupt or destroy critical infrastructure.
    It might be early days yet, but US defence officials are said to be far more concerned with Iran’s activities than they are with China’s state-sponsored espionage.

    “This is representative of stepped up cyber activity by the Iranian regime. The more they do this, the more our concerns grow,” said one anonymous official to the WSJ. “What they have done so far has certainly been noticed, and they should be cautious.”

    Sunday, May 26, 2013

    New Android Virus Forwards Messages To Hackers

  • Sunday, May 26, 2013
  • asd
  • A new Trojan malware infecting Android phones is capable of intercepting inbound text messages and forwarding them to hackers. The malware, called Android.Pincer.2.origin, is particularly troubling because it can easily thwart the two-step verification systems employed by online banking, email and social media accounts.

    The malware, discovered by Russian antivirus company Doctor Web, spreads as a fake security certificate that tricks users into thinking they need to install it on their Android phones. After installation, users will get a notification that installation was successful, but the malware won’t do any other noticeable activities. It will instead run in the background, connecting to a remote server to send information about the user's Android device, including model and serial number, carrier information, phone number and operating system.

    A new virus infects Android phones, forwarding text messages to hackers.

    Once connected, hackers can send the malware instructions to intercept and forward messages from specific phone numbers, send new text messages, display a message on the Android device’s screen, and other deceptive activities.

    The ability to specify a phone number from which to intercept messages allows a hacker to use the malware for targeted attacks, stealing only specific messages that contain valuable information. For example, the hacker could set the malware to forward texts received from banking services.

    Two-step verification systems often use cellphone messaging to verify a user's identity. The user registers a phone number with the service, and when the user attempts to log in, the service sends a text message with the password. The user must then enter this password to complete the login.

    The system, which Kim Dotcom claimed Thursday to have invented, is designed to protect against phishing scams that use malware to send hackers the login information. When an account requires a second password that is randomized each time and sent to a device that only the user has access to, not even a hacker with access to the primary user name and password can access it. Twitter announced a two-step verification system on Wednesday after hackers compromised several high-profile Twitter accounts.

    But if a hacker has access to cellphone messages and can set the malware to forward every message sent from Twitter or a bank, they could get that password and access to the account. Stay on the lookout and be careful to install software only from trusted sources.

    Does Microsoft spy on Skype conversations?

  • asd
  • Your Skype conversations aren't very private, a new report reveals.

    In an experiment, tech news site Ars Technica found that two out of the four links they sent over Skype were accessed by a computer that matched Microsoft's IP address.

    The report basically demolishes the commonly held notion that Skype is using so-called end-to-end encryption--basically locking up your message from when you send to when it's received, Ars Technica points out in its report on Monday.

    To be fair, on Skype's privacy policy, it is clearly stated that Skype has the right to scan and review your instant messages and SMS:
     Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. In limited instances, Skype may capture and manually review instant messages or SMS in connection with Spam prevention efforts.

    Last March, San Francisco-based writer Tienlon Ho was kicked off of Google because the bots searching for spam and phishing thought that a document of usernames and passwords she had in Google Drive violated Google's terms of service.

    The issue was first raised by The H Security last Tuesday. The security news site's associates in Germany experimented with sending HTTPS URLs through Skype's instant messaging tool and found that those URLs were visited by an IP address matching Microsoft headquarters soon after they were sent.

    If you share a URL in a Skype instant message, there’s a possibility (not a guarantee, just a chance) that a SmartScreen server will ask for more information about the server from which that URL originated. It will then use that information to help determine whether that link is legit.

    Monday, May 20, 2013

    Hacker jailed for ATM skimming invented ATM security scheme

  • Monday, May 20, 2013
  • asd
  • A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers.

    Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the data from unwitting users' cards – to a local organized crime gang.

    It was during his subsequent trial and sentencing that Boanta saw the light and traded in his black hat for a white one, Reuters reports.

    "Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Boanta told reporters from his jail cell in Vaslui, Romania. "So that the other part, in which I started to develop security solutions, started to emerge."

    Boanta's solution, known as the Secure Revolving System (SRS), is an ingenious one that uses mechanical rather than digital security.

    ATM skimmers work by installing a second, concealed card reader over the one that's built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card's magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card's data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser.

    With Boanta's device installed on the ATM, however, that all changes. Customers insert their cards into the slot long side first, so that the magnetic stripe is parallel to the face of the machine. The device then rotates the card 90 degrees into the ATM, where the legitimate card reader scans the magnetic stripe, then rotates it back out again to return it to the customer.

    That rotation makes it impossible for an add-on skimmer to read the card, because the magnetic stripe never moves in a straight line until it is secure inside the ATM.

    While awaiting the outcome of his trial, Valentin pitched his idea to Mircea Tudor and Adrian Bizgar of Bucharest-based technology firm MB Telecom, who helped him to patent his idea and funded development of the SRS device.

    The design would go on to win the International Press Prize at the 41st International Exhibition of Inventions in Geneva, Switzerland, in April. Boanta, however, wasn't available to accept the award. He's currently just six months into his sentence and won't see freedom for another four and a half years. Still, his partners at MB Telecom say all credit for the SRS design should go to him.

    "He fully deserves such recognition," Tudor told Reuters. "He's taking part in improving Romania's image abroad and he'll surely join our team when released."

    MB Telecom is currently finalizing details of the commercial version of the device and expects to bring it to market in the second half of the year.

    Sunday, May 19, 2013

    Yahoo Japan suspects 22 million user IDs stolen

  • Sunday, May 19, 2013
  • asd
  • An unauthorized access attempt on the Yahoo! Japan portal may have led to the theft of up to 22 million user IDs, Yahoo has revealed.
    There has been no information about a leak of such a massive database of user IDs as yet, and according to Yahoo, the stolen information didn't include passwords or any other data that would allow unauthorized users to pass user identity verification.

    Yahoo hasn’t ruled out the possibility of a leak though considering the volume of traffic it noticed flowing from its servers to external entities.

    Following the alleged breach, Yahoo has revealed that it has beefed up its security controls to avert any such future attempts. Yahoo is the leading search provider in Japan, with over 50 per cent market share; Google holds 40 per cent in comparison.

    Japan has already acknowledged that the country lags behind in cyber security plans specifically in the preventative aspects that would otherwise deter such attacks.

    Why Yahoo! Japan?

    Yahoo! Japan is controlled by Japan's mobile phone operator SoftBank (35.5%) and Yahoo! Inc (34.7%). What makes it interesting is the portal's market share: Yahoo! Japan holds the top search-engine position in Japan at 50%, ahead of Google at 40%, so the corporation clearly represents a privileged target for cyber criminals and state-sponsored hackers.

    Which information has been stolen exactly?

    According to the first investigation, it seems that the exposed information doesn't include any data that could be used to identify the user or that could subsequently be exploited to force a password reset.

    Yahoo! immediately started its incident response procedure, adopting countermeasures to prevent further incidents.

    Japan's National Police Agency, which recently announced the launch of an investigation team specialized in cybercrime, is also working on the case. Recall that in recent years Japan has been hit by a large number of cyber attacks, affecting the Japan Aerospace Exploration Agency, Sony and the government itself.

    Thursday, May 16, 2013

    Critical Linux vulnerability imperils users, even after “silent” fix

  • Thursday, May 16, 2013
  • asd

  • For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.
    The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.
    "Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly."
    The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.
    Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.
    Additional details of the bug are available here, here, here, and here. People running vulnerable machines with untrusted user accounts should check with their distributors to find out when a patch will be available and what steps can be taken in the meantime. One user of a Red Hat Linux distribution posted temporary mitigation steps here, although at time of writing, Ars was unable to confirm that they worked. Readers are encouraged to post other mitigation advice in comments.
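    A defender-side check for the two conditions the article names, a kernel release between 2.6.37 and 3.8.8 built with CONFIG_PERF_EVENTS, as an added example that is not Ars's or the kernel project's code. It assumes the running kernel's build config is at /boot/config-$(uname -r) and that the release string begins with x.y.z; the sample config lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Ars's or the kernel project's code): a defender-side
# check for the two conditions the article names for the perf bug, a kernel
# release between 2.6.37 and 3.8.8 inclusive and CONFIG_PERF_EVENTS=y.
# Assumptions: the running kernel's build config lives at
# /boot/config-$(uname -r), and "uname -r" starts with x.y.z.

# Turn a release string such as "3.8.8-1-generic" into a comparable integer
# (major*1000000 + minor*1000 + patch); the non-numeric suffix is dropped.
kver_to_int() {
    v=${1%%[!0-9.]*}          # "3.8.8-1-generic" -> "3.8.8"
    oldifs=$IFS
    IFS=.
    set -- $v                 # split on dots into positional parameters
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 when the release falls inside the affected range.
kver_in_affected_range() {
    n=$(kver_to_int "$1")
    lo=$(kver_to_int 2.6.37)
    hi=$(kver_to_int 3.8.8)
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# Prints y, n or unknown depending on whether the kernel config file given
# as $1 enables CONFIG_PERF_EVENTS. The match is anchored so that a line
# such as CONFIG_HAVE_PERF_EVENTS=y (constructed sample) is not mistaken for it.
perf_events_enabled() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_PERF_EVENTS=y$' "$1"; then echo y; else echo n; fi
}

# Combine both checks: prints affected, unaffected or unknown.
# $1 = kernel release string, $2 = path to the kernel config file.
assess() {
    if ! kver_in_affected_range "$1"; then
        echo unaffected
        return 0
    fi
    case $(perf_events_enabled "$2") in
        y) echo affected ;;
        n) echo unaffected ;;
        *) echo unknown ;;   # range matches but the config could not be read
    esac
}

# When run directly, report on the live machine; the distribution's own
# security advisory remains the authoritative word on which builds are patched.
rel=$(uname -r)
printf 'kernel %s: %s\n' "$rel" "$(assess "$rel" "/boot/config-$rel")"
```

    A result of "unaffected" here only means the version range and build option do not match; a distribution kernel may carry a backported fix under an older version number, which this check cannot see.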

    Lulzsec hackers to be sentenced for cyber attacks on the CIA and Pentagon

  • asd

  • A court has heard that four UK-based hackers involved with the Lulzsec group thought of themselves as being "modern-day pirates".
    Ryan Ackroyd, Jake Davis, Mustafa al-Bassam and Ryan Cleary have all pleaded guilty to hacking offences.
    Cleary has also pleaded guilty to possession of images showing child abuse, which were found by police on his hard drive.
    The men will be sentenced at Southwark Crown Court later this week.
    Lulzsec carried out a series of attacks in 2011. Targets included Sony Pictures, video games maker EA, the News International media group and Britain's Serious Organised Crime Agency (Soca).
    'International notoriety'
    Ackroyd, 26, from Mexborough, South Yorkshire, has admitted stealing data from Sony. The former soldier was also responsible for redirecting visitors trying to visit the Sun newspaper's site to a fake story about News Corp chairman Rupert Murdoch committing suicide.
    He has pleaded guilty to carrying out an unauthorised act to impair the operation of a computer.
    Bassam, 18, from south London, Davis, 20, from Lerwick, Shetland, and Cleary, 21, from Wickford, Essex, all pleaded guilty to two charges - hacking and launching cyber-attacks against organisations including the CIA and Soca.
    In addition, Cleary pleaded guilty to a further four charges, including hacking into the US Air Force's computers and possession of indecent images of babies and children.
    Prosecutor Sandip Patel said that unlike the others, Cleary was not a core member of Lulzsec although he had wanted to be.
    "It's clear from the evidence that they intended to achieve extensive national and international notoriety and publicity," he said.
    "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal."
    Judge Deborah Taylor will sentence the men after considering mitigating factors highlighted by their lawyers.
    Cleary's lawyer said his client suffered from Asperger's syndrome, which had been misdiagnosed as attention deficit disorder.
    Botnet attack
    Lulzsec's name is a combination of the acronym Lol - meaning laugh out loud - and security.
    It emerged as a splinter-group from the hacking collective Anonymous two years ago.
    Mr Patel said the spin-off lacked the "libertarian" political agenda of the larger group. Instead, its stated goal was to laugh at others' flawed security measures "just because we could".
    This involved stealing emails, credit card details and passwords from their targets' computer servers and crashing victims' websites with distributed denial of service (DDoS) attacks, which flooded organisations' web servers with requests sent from hijacked computers used as part of a botnet.
    Lulzsec's original ringleader is alleged to be another man - US-based Hector Monsegur, also known as Sabu. He was arrested in June 2011 and later co-operated with the FBI to help it identify other members of Lulzsec. Monsegur has yet to be sentenced.
    A 24-year-old Australian has also been arrested and accused of attacking and defacing a government website as part of Lulzsec's campaign.


    Firefox 21 Fixes 3 Critical Flaws, Introduces New Health Report

  • asd

  • Mozilla fixed eight vulnerabilities, three critical, in the 21st build of its flagship Firefox browser yesterday.
    One of the fixes remedies an Address Sanitizer memory corruption flaw (MFSA 2013-48) that could’ve allowed remote code execution. The other two critical flaws could’ve also led to arbitrary code execution and deal with fixing memory safety bugs (MFSA 2013-41), and a video resizing bug (MFSA 2013-46) in Firefox and Thunderbird.

    For a complete list of the bugs fixed by Firefox 21, all 681 of them, head to Bugzilla.

    The latest version of the browser also introduces something Mozilla is calling the Firefox Health Report, a tool that aims to give users a comprehensive look into the browser's health and usage. The report will break down any insecure and unstable plugins it blocks throughout the day and will also document crash history and malware attack history, according to a post on Mozilla's Future Releases blog by Jonathan Nightingale, the company's Vice President of Engineering.

    Users can choose whether they want the tool to share data Mozilla gathers about their browser with the company. If shared, the information will be aggregated and anonymized and used to help Firefox’s security team improve the browser. Users can change their preferences in the Data Choices section of the browser’s Options menu.

    The update also brings expanded social API and Do Not Track options to help users better customize their privacy settings.

    The social API opens the browser up to sidebar and toolbar providers like Cliqz, msn NOW and Mixi, while the Do Not Track update tweaks an already existing setting in the browser. The new default privacy setting doesn't tell websites anything about the users’ tracking preferences. Users can change that and choose whether they want to tell sites if they want to be tracked (Do Track, Do Not Track, No Preference) in the settings.

    The updates are being pushed to Firefox users via the browser’s automatic update system, per usual. Those who don’t have that set up can download them through both the Firefox and Thunderbird download pages.

    Accused PlayStation Hacker Smashes Computers, Gets House Arrest

  • asd

  • Todd Miller is one of the men accused of being behind the 2008 PlayStation Network hacks. Last week he was sentenced to 12 months house arrest, but here's the thing: authorities couldn't prove he was involved.
    Instead, the Columbus Dispatch reports, the sentence was handed out because Miller, having been interviewed by the FBI in 2011, went and smashed all his computers before they could return with a search warrant.

    Because of this, they couldn't prove he was involved in the hacks. So they nailed the 23-year-old with "obstructing a federal investigation" instead.

    In addition to the house arrest, Miller - who has a ninth-grade education - was also ordered by the judge to complete a high school certificate.

    Which is getting off lightly. He could have faced up to 20 years prison and a $250,000 fine.
