Friday 30 August 2013

Security researchers prove Dropbox is hackable

Developers have released a paper detailing how to bypass two-factor authentication security in cloud storage service Dropbox.
The paper was released by Openwall's Dhiru Kholia and Code Painters' Przemyslaw Wegrzyn and details techniques to sneak past Dropbox's two-factor authentication to intercept SSL data from the company's servers. The two researchers claim to have discovered the exploit by reverse engineering Dropbox's source code.
"We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail. This paper presents new and generic techniques to reverse engineer frozen Python applications," wrote Kholia and Wegrzyn.
The pair claim to have bypassed Dropbox's security using a custom-built, open-source Dropbox client. They said the technique is fairly basic but dangerous as, if misused, hackers can steal data from Dropbox and hijack unwary users' accounts.
"Our work uses various code-injection techniques and monkey-patching to intercept SSL data in [the] Dropbox client. We have used these techniques successfully to snoop on SSL data in other commercial products as well," read the paper.
Last year Dropbox was forced to add two-factor authentication after millions of its users were spammed following a successful cyber attack on its systems.
A Dropbox spokesperson told V3 the company is aware of the research, but downplayed its significance, clarifying that the exploit only works if the user's main machine is already compromised.
"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board," said the spokesperson.

The paper added: "We hope that our work inspires the security community to write an open-source Dropbox client, refine the techniques presented in this paper and conduct research into other cloud-based storage systems."
Kholia and Wegrzyn are two of many to publish exploits publicly against big-name services and technologies in recent weeks. Renowned hackers Charlie Miller and Chris Valasek released tools capable of hijacking control of moving cars to the general public at the Defcon expo in Las Vegas at the beginning of August.

Aberdeen Council fined £100,000 by ICO after children’s data posted online

The Information Commissioner’s Office (ICO) has fined Aberdeen City Council £100,000 after a member of staff inadvertently posted data relating to the care of vulnerable children online.
The incident occurred in November 2011 when a member of staff accessed a batch of documents on their home computer from the council's network. These documents were then automatically uploaded to the web by a program installed on the machine.
The information was subsequently found in February 2012 by a council member who was mentioned in one of the documents that had been uploaded. They informed the council and the data was removed and the ICO informed.
The member of staff responsible told the ICO the software that uploaded the data must have been installed by the previous owner of the computer as she was not aware of what had happened.
“The employee told the data controller that the computer is second hand and that it must have been installed by a previous owner,” the report by the ICO reads.
The report also noted that the council had no relevant home-working policy and insufficient measures in place to restrict access to sensitive information on the council’s network.
Ken Macdonald, assistant commissioner for Scotland at the ICO, said the incident should make all social work departments in councils "sit up and take notice" of the issues raised around home working and data protection.
“As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure,” he said.
“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information.”
Aberdeen City Council said it takes data protection extremely seriously, which is why it reported the matter to the ICO itself when it came to light, and claimed it was making improvements on its policies. The council made no direct comment on the fine.
"A data protection audit report on the City Council by the ICO this summer found that a comprehensive suite of up-to-date data policies are in place, strong arrangements are in place concerning a wide range of routine data-sharing, and the content of data protection and information security training material used by Aberdeen City Council is detailed and thorough."
The fine is the latest of many to be imposed by the ICO against councils for poor data-handling procedures, with Islington Council fined £70,000 for an issue relating to Excel that caused 2,000 residents' details to be leaked online.

Facebook proposes privacy changes to facial recognition and advertising terms

Facebook has released its latest raft of changes to its terms and conditions, including a small update to the way the firm makes use of its facial recognition technologies to increase the accuracy of photo-tagging.
It also details updates to clarify the use of user data in advertising following a $20m court settlement last week.
While facial recognition-assisted tagging currently only uses other tagged images to make recommendations, the feature would change to use profile pictures to suggest tags. This update would mean that automatic tags would also be made based on the content of a user's profile picture, whether they are tagged in it or not.
This particular feature, however, will not be available in the EU following recommendations from the Irish Data Protection Commissioner (DPC) in 2011, which saw all EU users' facial-recognition data deleted.
The addition can also be turned off by altering privacy settings. Facebook did however clarify to V3 that facial recognition tagging in the EU is currently being worked on so it adheres to DPC best practices.
Elsewhere in the update, Facebook said it has clarified the way in which users' profile pictures and other data may be used alongside advertisements. "We revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services."
Facebook said that it is implementing this change following a "court case relating to advertising". The case in question was brought about in 2011 when a group of Facebook users took legal action following anger that their profile pictures had been used in adverts without their permission. Facebook proposed a $20m settlement, which was approved by the judge.
The update also included reminders about how third-party applications can use user data.
In a blog post on Facebook's data governance pages, chief privacy officer Erin Egan asked users to provide their feedback on the changes within seven days by leaving comments on the post.

Syrian Electronic Army say Expect Us

Syrian hackers behind recent attacks on the New York Times and Twitter have warned media companies to "expect us".
The Syrian Electronic Army, which supports President Bashar al-Assad, added it had "many surprises" to come.
Interviewed via email following the UK Parliament's vote against military intervention on Thursday, a spokesman told BBC News: "It's the right thing."
He added: "Military intervention in Syria has many consequences and will affect the whole world.
"Our main mission is to spread truth about Syria and what is really happening."
The SEA has targeted various media companies, including the BBC, CNN and the Guardian.
Brian Krebs, a former Washington Post reporter, wrote that clues discovered when the SEA's own website was hacked earlier in the year pointed towards at least one member of the group being based in neighbouring Turkey.
But the SEA's spokesman dismissed these claims, saying that "they keep publishing names so they can get attention".
"All the media outlets that we targeted were publishing false/fabricated news about the situation in Syria," he told the BBC.
"Our work doesn't need funds. It just needs a computer and internet connection."
Until this week's attacks, the SEA's efforts had largely focused on "phishing" social media accounts, tricking users into handing over log-in details.
In one particularly effective attack, the Twitter account of the Associated Press was compromised, and the group posted a tweet saying US President Barack Obama had been hurt in an explosion.
The New York Times attack was more damaging, however, as the hackers were able to redirect people trying to visit the newspaper to the SEA's website instead, albeit briefly.
"Our goal was to deliver our anti-war message on NY Times website - but our server couldn't last for three minutes," the group said.
"The Twitter attack was because of the suspension of our accounts on Twitter by its management.
"We succeeded in our attack as we expected."

Information Warfare, Russia, New Zealand... it is an arms race

Under the banner of information warfare, governments are working to improve their cyber capabilities; the latest, in order of time, are Russia and New Zealand.

Information warfare and cyber warfare are terms that are becoming familiar to populations all over the world. Every government is aware of the risks of exposure to a cyber attack aimed at sabotage or cyber espionage, and for this reason militaries all over the world are creating dedicated cyber units to respond to these new needs. The reality is that almost every government is working on the definition of cyber capabilities (e.g. the creation of a new generation of cyber weapons, the development of active defense systems), also for offensive purposes, since a cyber conflict has numerous advantages over traditional offensives. A few days ago the Russian Government announced the creation of a dedicated information warfare branch within the Russian Armed Forces; its purpose is to improve the country's cyber capabilities, exactly as many other governments are doing. Official military sources revealed that the agency’s budget for 2013 is 2.3 billion rubles ($70 million).
“Cyber space is becoming our priority; the decision to create a cyber-security command and a new branch of the armed forces has already been made. We are working on the overall concept of the program to be developed in this area. We have reviewed 700 innovative projects so far,” declared Andrei Grigoryev, the head of the recently created Foundation for Advanced Military Research, in an interview with Echo Moskvy radio.
The Foundation for Advanced Military Research is considered the equivalent of the US DARPA (Defense Advanced Research Projects Agency) and was set up in 2012 to boost Russian cyber capabilities and the development of advanced weaponry, and to help streamline the arms procurement process in Russia. According to Grigoryev, the new unit will be composed of three main areas of military R&D:
  • Futuristic weaponry
  • Future soldier gear
  • Cyber warfare
Russia isn't the only government that has recently announced a boost to its cyber structures: a few weeks ago news spread that the New Zealand Defense Force plans to spend $469 million on the creation of a new cyber army, despite the significant cuts to defense spending in recent years. The investment is considered important by security analysts, considering that today the Australian Army has no surveillance or reconnaissance systems.
A new division will be set up under the Network Enabled Army initiative, specialising in the development of high-technology equipment such as drones and robots, as well as sensors that would monitor the location, health and condition of soldiers and vehicles.
"The goal of the NEA Programme is to enhance the NZDF’s ability to support deployed land forces by improving its battlefield command and control system, communications and intelligence, surveillance and reconnaissance sensor systems."
The Defense Force has invited technology suppliers to a briefing day at its Trentham military base; according to the Sydney Morning Herald, program manager Colonel Phil Collett revealed that the spending would be spread over 20 years.
Governments are getting ready for a new arms race: cyberspace is the new battlefield, and cyber weapons are entering their arsenals alongside conventional weapons. The spread of Stuxnet has radically changed the perception of information warfare, a conflict fought in the fifth domain, and is pushing the production of weaponized software on an industrial scale. This is a historic moment: information warfare is assuming fundamental importance for every government, and the leading powers are sustaining an arms race followed by many other countries that may prove just as effective. We are in a situation similar to the one observed when nuclear weapons were used for the first time: every government is trying to improve its cyber capabilities, because none of them can afford to be left behind.
Cyber weapons can potentially do serious damage to “critical infrastructures”, and in many cases weaponized tools are also freely available on the internet, so cyber terrorists and state-sponsored hackers could exploit them to hit a government or a private business. For this reason every government is working on the definition of a proper cyber strategy to mitigate cyber threats, while the principal international organizations are working on the definition of rules for information warfare.

Thursday 29 August 2013

Nearly 7,000 Malicious Android Apps Infest China's Appstores

The independent testing lab AV-Comparatives has released the results of a six-month long study of third-party Android app stores. They found that most of the dangerous apps are concentrated in Chinese stores, and encountered about 7,000 dangerous apps in third-party stores. Now that's a number to worry about.
The study ran from November 2012 to May 2013, and looked at 20 major third-party app stores. Of these stores, most are known to be located in China and the region also boasts the most malware found in a single store (1,637 malicious apps in the Anzhi store, but more on that later).
In total, AV-Comparatives found 7,175 pieces of malware and greyware, the latter of which the company defines as things like spyware and adware which is risky but not necessarily malicious. Of the dangerous apps, 95 percent were concentrated in Chinese stores. The Anzhi and EoeMarket stores were the worst offenders.
Why So Concentrated?
"The investigations' findings suggest that the dramatic numbers of malicious apps present on the Asian market are closely linked to this market's booming activity," wrote AV-Comparatives, attempting to explain why Chinese stores seem glutted with malware. "From this point of view, European and US markets can be considered secondary targets, as they are entering a stage where growth is steady."
The concentration of malicious software is also likely tied to the official Google Play store being partly or entirely inaccessible in that region. In places were users can buy Android phones but can't reliably access Google Play, third party app stores flourish along with malware.
We've seen similar clusters of illegal and semi-legal activities shaped by local law enforcement and malware business models. For instance, Russia has a hugely complex malware industry built on premium SMS codes that are only valid in that region. Another example is spammers moving operations to Belarus when other countries started cracking down, resulting in over 25 percent of the country's IP addresses being blocked for spam.
Staying Safe
The good news is that not all Android marketplaces outside of Google are nests of malware. AV-Comparatives found several stores with just a handful of dangerous apps and one store—F-Droid in the UK—had no malware or greyware.
Unfortunately, no store is completely safe—even the official Google Play store has had a few pieces of malicious software. The best way to stay safe is to think carefully about what you download and use some kind of security software on your device, such as our Editors' Choice award winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus. Also, consider what you're downloading: if it's a "free" version of a for-pay game, then you're taking a big risk.
Android users can also take advantage of a new service from AV-Comparatives called AVC UnDroid. This online scanner lets you submit suspicious APK files (apps) for scrutiny. For people without access to official app stores and few trustworthy security apps, this is a good first step to curbing malware infestations.
Hopefully, the scary numbers of today will spur more marketplaces and developers to provide safer stores and more robust security suites.

Hacking Heist Flummoxes French Banks

Bank robbery just isn't what it used to be. Cutting holes in walls, disarming security cameras, cracking safes... that's sooo 1990's. The modern robber needs cyber skills. A Remote Access Trojan (RAT) is more effective than a mole in the bank office. And why crack the safe when you can transfer the money wirelessly? A group of banks and multinationals in France got hit with just this sort of high-tech heist, and Symantec has documented the whole drama.
It all started with a simple email message directing a VP's administrative assistant to deal with a particular invoice. Given that the invoice was hosted outside the company, on a file-sharing site, the admin might have hesitated. However, minutes later that same assistant got a phone call purportedly from another VP urging her to expedite the invoice. Fooled by the fraudulent phone call, she opened it, thereby releasing a RAT within the company network. The aggressive combination of spear-phishing email and fraudulent phone call caught the interest of Symantec researchers; they dug deeper and found more, and worse, attacks on other French companies.
Defenses Defeated
In a blog post released today, Symantec revealed how attackers managed to defeat all of one company's protections against unauthorized money transfers. It really does read like the script for a heist movie.
For starters, they used the double-pronged social engineering attack described above to load a RAT onto the PC of an administrator's aide. The RAT harvested company information, including the company's disaster plan and its telecom provider details. Using the stolen information, the crooks invoked the disaster plan, claiming a physical disaster. This let them redirect all of the organization's phones to a new set of phones under their control.
Next they faxed a request to the company's bank for multiple large fund transfers to offshore accounts. Naturally the bank representative called to confirm; the crooks intercepted the call and approved the transaction. As soon as the money showed up in those offshore accounts, they siphoned it out. Mischief managed!
Symantec discovered quite a few other cases, many of them much less elaborate. For example, one attacker simply called the victim and stated that regular maintenance required disabling two-factor authentication for fund transfers temporarily. Another informed the victim that computer upgrades required a "test" fund transfer; the "test" actually wired real funds to an offshore account. Clearly gullible humans are the weak point in many security systems.
Whodunnit?
Knowing that this kind of chicanery was taking place, the Symantec team managed to get a lead on an in-process operation, a caper they dubbed "Francophoned." They managed to trace the command-and-control traffic through Ukraine to IP addresses originating in Israel.
Analyzing the IP addresses used, they noticed two oddities. First, the addresses came from a block assigned specifically to MiFi cards—GSM cellular radios that can be used to provide Internet access via the cellular network. Second, they were constantly changing, meaning that the bad guys were driving around, passing different cell towers. The telecom couldn't triangulate a moving target, and the MiFi connections were apparently anonymous and prepaid, so there was no way to catch the crooks.

The Powerloader 64-bit update based on leaked exploits

A few months ago on this blog I described PowerLoader functionality, including an interesting way of escalating privileges into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families; for example, the Win32/Gapz dropper is based on it. In August 2013 we tracked a new modification of PowerLoader for 64-bit operating systems (detected by ESET products as Win64/Vabushky.A). This modification uses three exploits for local privilege escalation (LPE): MS13-053 (CVE-2013-3660), MS12-041 (CVE-2012-1864), and MS12-042 (CVE-2012-0217). The use of this set of LPE exploits had not previously been observed in PowerLoader samples or in related malware families.
Win64/Vabushky is a good example of how cybercriminals update their projects with code based on the leaked Carberp sources. Two of the 64-bit exploits (CVE-2012-1864 and CVE-2012-0217) in the updated PowerLoader are based on the leaked code. Before this leak into the public domain, 64-bit exploitation code for these vulnerabilities was not available. It’s also worth noting that the PowerLoader code itself was leaked in April 2013, which initiated the wave of droppers based on it.
The dropper for Win64/Vabushky is packed with MPRESS, because this packer is one of the few free products that support x64 PE32+ files. After unpacking, the dropper's original PE32+ header reveals the compilation timestamp:
[Figure: PE32+ header of the unpacked dropper, showing the compilation timestamp]
According to the timestamp data, all binaries include a payload compiled at the beginning of August. PowerLoader’s export table also shows a few changes after unpacking when compared to the older version:
[Figure: export table of the unpacked PowerLoader, compared with the older version]
The most interesting of the latest changes concern the exploitation code for local privilege escalation.

LPE exploits update

After code injection into explorer.exe, the modified version of PowerLoader tries to execute the following local privilege escalation exploits within the trusted process's address space:
[Figure: flow graph of the LPE exploit sequence]
This set of LPE exploits can bypass some types of sandbox technologies used by security products. This is because direct manipulation of some kernel-mode structures is possible from user-mode using legitimate WinAPI calls.

CVE-2013-3660

Google researcher Tavis Ormandy discovered the MS13-053 vulnerability in March and exploitation details were disclosed in May; the patch only became available with July’s Patch Tuesday. Before this modified version of PowerLoader, I hadn’t seen a 64-bit version of the MS13-053 exploit in the wild: only an x86 proof-of-concept had been made available publicly, but PowerLoader uses 64-bit exploitation code. There is a good description of the way in which this vulnerability is exploited on the VUPEN blog.
Before exploitation starts, a second desktop is created to hide the visible artifacts produced by manipulating GDI objects.
[Figure: creation of the second desktop]
The main exploitation code for CVE-2013-3660 is presented in the following figure:
[Figure: main exploitation code for CVE-2013-3660]
The shellcode executed via nt!NtQueryIntervalProfile() looks like this:
[Figure: kernel-mode shellcode invoked through nt!NtQueryIntervalProfile()]
This exploitation code does not work on the 64-bit Windows 8 platform because it cannot bypass Intel SMEP (Supervisor Mode Execution Protection), a feature of modern CPUs supported since the Ivy Bridge line of processors. Microsoft only started to support SMEP with Windows 8 and upwards. This technology blocks attempts to execute code located in user-mode memory pages while the CPU is in kernel mode. A good description of Intel SMEP as an exploit protection technology can be found here. SMEP on Windows 8 x64 can be bypassed using a ROP (Return-Oriented Programming) technique. However, Intel has announced a new protection technology, SMAP (Supervisor Mode Access Prevention), which blocks attempts to read user-mode memory pages from kernel mode. SMAP and SMEP were developed to prevent exploitation of NULL pointer dereferences in kernel mode, but SMAP is not yet supported by Microsoft operating systems.

CVE-2012-0217 and CVE-2012-1864

The CVE-2012-0217 and CVE-2012-1864 exploitation code is based on the leaked Carberp sources. A 64-bit version of the CVE-2012-1864 exploit had never been made public before the source code leak, and the publicly released exploitation code for CVE-2012-0217 doesn’t work reliably on 64-bit versions of the operating system. Neither exploit works on Microsoft Windows 8 because of the platform's restricted exposure to these vulnerabilities. After observing the similarity to the leaked Carberp source code, I checked the compiled exploit binaries found in the leaked archive. In both compiled exploits I found the same path to the build directory.
[Figures: the shared build directory path embedded in both compiled exploits from the leaked archive]
This finding points to the same developer and seller for these exploits. The exploitation code for CVE-2012-0217 differs in many respects from the publicly available proof-of-concept exploits: the leaked exploit works more reliably and supports 64-bit operating systems.
Let's check the similarities between the code from the PowerLoader modification and the leaked exploit for CVE-2012-0217. The following flow graph shows the similarity of the basic structural blocks (PowerLoader code on the left side):
[Figure: flow graph comparison of the CVE-2012-0217 exploitation code, PowerLoader on the left and the leaked Carberp exploit on the right]
It looks to be pretty much the same structure. The only differences are in additional debugging code that is not included in the PowerLoader modification. Some specific techniques for making the exploitation more stable also look exactly the same.
[Figure: nt!HalDispatchTable modification code]
This code modifies nt!HalDispatchTable to avoid 100% CPU activity by the multiple threads used in the exploitation process.
The same thing was found with the exploitation code for the CVE-2012-1864 vulnerability, which had also never been publicly available before. CVE-2012-1864 was discovered by Tarjei Mandt of Azimuth Security. The vulnerability details were disclosed in the slides “Smashing the Atom” at the Recon conference in June 2012, but exploitation code was not released to the public. The exploit code from PowerLoader looks more optimized and doesn’t have debugging code with console output, as seen in this code (the disassembly from PowerLoader is the second image):
[Figure: CVE-2012-1864 exploitation code from the leaked archive]
[Figure: CVE-2012-1864 exploitation code from PowerLoader]
CVE-2012-0217 and CVE-2012-1864 are good examples of exploits that make it possible to bypass sandboxes in security software. Both of these exploits can manipulate kernel-mode structures from user-mode using standard WinAPI functions. A nice description of vectors for bypassing sandboxes using these types of vulnerabilities is presented in the research report “Application Sandboxes: A Pen-Tester’s Perspective” by Bromium Labs.

The Payload

After successful PowerLoader execution and privilege escalation, the ransomware (Win64/Vabushky.A) was downloaded in order to infect the system. Earlier this week my colleague Jean-Ian Boutin discussed another example of ransomware in the blog post “Nymaim – Obfuscation Chronicles”. The downloaded file is executed once privileges have been escalated to SYSTEM. The Win64/Vabushky installer uses the trick of generating its own certificate and installing it into the local trust store both as a ROOT CA and as a TrustedPublisher. The following code shows this technique:
[Figure: certificate generation and installation into the ROOT and TrustedPublisher stores]
This trick is not new; it was mentioned in the blog post “The “Hikit” Rootkit: Advanced and Persistent Attack” by Mandiant. Also, during the installation process, the Boot Configuration Data (BCD) is modified to activate the test-signing policy so that the unsigned driver module can be loaded. The next figure presents the registry keys with the system configuration that allows the malicious driver to load (safe boot with its various options is covered too):
[Figure: registry keys configuring the malicious driver service, including the SafeBoot entries]
The next step is to install the malicious driver, which locks the system and displays a demonstration screen with a picture downloaded from the following URLs, hardcoded into the malicious code:
[Figure: hardcoded picture URLs]
After successful infection the locked desktop screen looks like this:
[Figure: locked desktop screen displayed by the ransomware]
The user-mode part of Win64/Vabushky also encrypts the user’s files using the Microsoft CryptoAPI and gives encrypted files the .crypted extension. The driver code uses standard locking tricks that don’t merit further discussion in this blog.
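As an added defensive check, not part of ESET's analysis or of the Vabushky code, the following PowerShell script looks for the persistence conditions just described: a self-generated certificate that appears in both the Root and TrustedPublisher stores (or a self-signed TrustedPublisher entry), and BCD test-signing enabled so that an unsigned driver can load. It also counts files carrying the .crypted extension under the user profile. The overlap heuristic, the expected bcdedit output pattern and the choice of the user profile as the scan root are assumptions of this example; run it from an elevated prompt.

```powershell
# Added defensive check; not part of the ESET analysis or of the Vabushky code.
# Looks for a self-generated certificate trusted as both a root CA and a
# publisher, BCD test-signing enabled for unsigned driver loading, and
# .crypted files left behind by the encryption payload.

function Get-SuspiciousTrustEntries {
    $root      = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    $publisher = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher)

    # Same thumbprint in Root and TrustedPublisher: a genuine root CA has no
    # reason to also be trusted as a code-signing publisher (heuristic).
    $shared = $publisher | Where-Object { $root.Thumbprint -contains $_.Thumbprint }

    # Self-signed entries in TrustedPublisher: a real publisher certificate
    # chains to a CA rather than to itself (heuristic).
    $selfSigned = $publisher | Where-Object { $_.Subject -eq $_.Issuer }

    @($shared) + @($selfSigned) |
        Sort-Object -Property Thumbprint -Unique |
        Select-Object -Property Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

function Test-TestSigningEnabled {
    # bcdedit lists "testsigning   Yes" for the current boot entry when the
    # policy is on (assumed output wording, as printed on English systems).
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($lines | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
}

function Get-CryptedFileCount {
    param([string]$Root = $env:USERPROFILE)
    # Vabushky renames the files it encrypts with a .crypted extension.
    $files = @(Get-ChildItem -Path $Root -Filter '*.crypted' -Recurse -File -ErrorAction SilentlyContinue)
    return $files.Count
}

$entries = Get-SuspiciousTrustEntries
if ($entries) {
    Write-Output 'Suspicious trust store entries (verify against your baseline):'
    $entries | Format-Table -AutoSize
} else {
    Write-Output 'No Root/TrustedPublisher overlap or self-signed publisher entries found.'
}

if (Test-TestSigningEnabled) {
    Write-Output 'WARNING: BCD test-signing is enabled; unsigned kernel drivers can load.'
} else {
    Write-Output 'BCD test-signing is off.'
}

Write-Output ('Files with .crypted extension under {0}: {1}' -f $env:USERPROFILE, (Get-CryptedFileCount))
```

A hit in either check is an indicator, not a verdict: organisations that publish internal code-signing certificates may legitimately have entries in TrustedPublisher, and developer machines sometimes run with test-signing on, so compare the thumbprints against a known baseline before acting on them.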

Conclusion

The Win64/Vabushky dropper uses an interesting modification to the PowerLoader code. However the PowerLoader modifications are based on leaked LPE exploits for 64-bit operating systems from Carberp code. All modules and components dropped by Win64/Vabushky target x64 versions of Microsoft Windows. Only one exploit, CVE-2013-3660, can attack MS Windows 8. However the exploitation code does not work for the 64-bit version of Windows 8 because it can’t bypass Intel SMEP technology. Microsoft is implementing better kernel-mode protection on Windows 8, making x64 exploits for this operating system more expensive. These security mechanisms can be bypassed in such cases with targeted attacks but this adds up to an expensive exploitation technique for run-of-the-mill cybercriminals.

Special thanks to R136a1 who reported the new modification of PowerLoader.
Aleksandr Matrosov, Security Intelligence Team Lead

SHA1 hashes for analyzed samples:
Win64/Vabushky.A (dropper)          – 110e23ce497d6cd1fd3dc570e50cd701c612b7ba
Win64/Vabushky.A (driver installer) – 62a53ff68d1c862c9c68fb577b06fa261ef573e4
Win64/Vabushky.A (driver)           – 9434792df305f59a7b9deb99dd8b2617942513b0

Mobile banking apps pose “serious” safety risks, financial watchdog warns

Mobile banking apps pose an “important risk” to consumers as banks increasingly offer access to banking services via smartphones.
The Financial Conduct Authority, a British watchdog, is to investigate the risks posed by banking apps, according to a report by This is Money - particularly the threat of malicious apps that pose as genuine banking apps.
“One of the most popular ways for consumers to access mobile banking is by downloading a mobile banking application, or app, for their smartphone,” the FCA said in a statement. “While this provides some consumers with a convenient way of managing their money, it can also lead to the risk of malware.”
“This can occur if a consumer downloads an application that appears to be from a genuine payment provider but is actually malware designed to capture sensitive financial information. Malware is an important risk for firms to consider, as it can result in financial loss and undermine consumer confidence in mobile banking.”
The FCA said that many banks are already aware of the risks involved in allowing consumers to access sensitive information via apps.
“Many of the firms we have spoken to are aware of these potential issues and we have seen firms take steps to manage them. Examples include firms providing clear security information to consumers, issuing warnings to only download applications from official stores and providing antivirus software.”
The FCA also warned that the use of third-party providers for IT solutions could spell risks.
“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge of the payments system. Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction, resulting in a greater likelihood of a problem occurring.”

More than 800,000 Facebook users fall victim to password-harvesting browser malware, researcher claims

Malware disguised as a Facebook video has infected up to 800,000 users’ machines, according to independent Italian security researchers. The malware hijacks web browsers to harvest passwords, using a fake browser plug-in for Google’s Chrome.
Speaking to the New York Times’ Bits blog, researcher Carlo de Micheli says that the malware spreads in links, emails or Facebook messages which tell users they have been “tagged” on the site. When users click the link, they are prompted to download a browser extension, De Micheli says.
The extension is malicious – and can send any information stored in the browser to the attackers. Many web users store information such as passwords, Facebook and Twitter log-ins, and that information is instantly available to the attackers.
De Micheli says that the malware is spreading at a rate of 40,000 attacks per hour, and has infected 800,000 users. De Micheli claims that the attackers have now released a version targeting Firefox users.
“A few years ago, you’d tell your friends, don’t click on attachments,” Mr. De Micheli said in a phone interview. “Now, the same advice applies to browser add-ons.”
The tactic of disguising malware as browser add-ons is not new. ESET reported this week on a popular browser add-on, Orbit Downloader, which contained hidden remotely-updating DDoS functions.
“When we detect items containing malware or learn of them through reports, we remove them. In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” a Facebook spokesman said in a statement.  “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”

Data controllers failing to encrypt sensitive data, warns ICO

The Information Commissioner's Office (ICO) has criticised businesses for failing to adequately protect information they hold, claiming a lack of knowledge about encryption technologies is causing many to mishandle sensitive data.
ICO group manager of technology, Simon Rice, made the comment in a blog post, addressing businesses' lack of knowledge about security.
"Using appropriate encryption can be a simple and effective means to protect personal data in these circumstances, and one which we advise all organisations to take if the loss of the data could cause damage and distress to the individuals affected. However, evidence shows that data controllers are still not addressing the problem," he wrote.
Rice added that the problem is largely down to education, with many firms thinking simple password protection is appropriate.
"A common misconception is that just requiring users to log in to a device or service with a username and password provides an equivalent level of protection to encryption. This isn't the case," he wrote.
"A password or PIN to control access to a device isn't encryption and it isn't enough to protect against unauthorised or unlawful access. In practice a password can be easily circumvented and full access to the data can be achieved."
Rice said there are a variety of encryption tools available offering a variety of security defences, and businesses handling sensitive data should consult an expert to decide what form of encryption is appropriate.
"The option that will be the most appropriate for your organisation will depend on the sensitivity of the information you are using and how it is being stored and processed," he wrote.
"For this reason it is difficult to provide a comprehensive list of software as everyone's needs are different. You can, however, look out for internationally recognised standards such as those described on the encryption section of our website."
He added that when encrypting data, businesses must also consider how to safely store the encryption key. "You wouldn't install high-end locks on your house, only to leave the front door key under the mat. The same applies for storing a laptop encryption key or password in the same bag as an unencrypted laptop, or equally, sending encrypted data as an email attachment with the means to decrypt it included in the body of the email," he wrote.
Rounding up, Rice said adding more robust encryption services will be of long-term financial benefit to UK industry.
"The time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn't used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people," he wrote.
The wider security community has welcomed Rice’s call for better security. Senior architect at FireEye, Jason Steer, told V3 the ICO statement is a good start, but added firms will need other security services to deal with the cyber threat facing them.

“The advice from the ICO is spot on in terms of encryption. However, in reality, some of these steps are difficult to implement as the onus is being put on the end user, and we cannot always rely on the end user to remember to implement all security measures when their main focus is trying to get their job done,” he said.

“Whilst implementing these security measures, organisations also need to add additional controls to their networks to ensure that if a user forgets about security there are controls in place within the system to ensure the organisation and its information and users remain still secure.”

ISACA Security Advisory Group (SAG) chair Amar Singh mirrored Steer’s comments, adding that the blog does not address key problem areas like education.

“The article makes the right type of noise but misses a few critical points,” he said. “Even for most techies, encryption remains a dark science that only the academically inclined pursue. Vendors could work together to put a common encryption awareness/education session to educate the masses on what types of encryption are out there.”
The cost of cybercrime has been a growing problem facing businesses of all sizes. Most recently the Federation of Small Businesses (FSB) estimated that cybercrime costs small businesses £800m a year.

Security threats from spam and malicious texts are far greater than email menace

Spam and malicious text messages pose a far bigger threat to consumers and businesses than email spam, according to security firm Cloudmark.
The firm, which runs the global spam reporting service on behalf of the GSMA, revealed earlier this year that six million spam texts are sent every day in the UK. It has now warned that the problem is getting worse due to a number of converging factors driving crooks to mobile spam.
The firm’s chief technology officer, Neil Cook, told V3 that the fact people are far more likely to open text messages than emails poses a major problem. “The open rate for an SMS is 80-90 percent within a minute, whereas email you may not look at all day,” he noted.
"As a result it is far easier to get someone to open a message telling them to ring a number or visit a website than on email."
He also said people are still not as wary about messages they receive on phones as they are via email.
“The phone is a more trusted medium, which is why we see more fraud as opposed to bulk spam selling, because fraud is much more easily monetised by getting people to ring a premium number from the text, or visit a malicious website," he said.
"There’s not so much screen real estate so it’s harder to tell what is a phishing message or something genuine."
Cook also pointed out that the high-end capabilities of smartphones and new IP-based 4G networks are ideal for criminals to compromise, something that is posing fresh concerns for operators.
“As more people move from fixed to mobile broadband and smartphones then problems from botnets and viruses are moving from PCs to smartphones so there is the potential for real issues here,” he said.

“This could also have a big impact on operators as it will chug the network. For fixed line this doesn’t affect people so much, but with mobile over the air resources are very precious, so if network is being chewed up with spam sending messages, that’s a concern.”
On top of this, Cook cited the BYOD trend as a major reason fraudulent texts pose a risk to enterprises, noting that it only takes one infected handset to put an entire organisation at risk.

“BYOD is a big issue. One of the new areas we're getting into is helping protect phones from going to malicious websites or calling malicious phone numbers, which is an increasing concern as that’s a route to infect your phone or steal company secrets,” he said. “You only have to have one person infected with a phone running an application key logger or sending company data.”
The rising concerns over spam and malicious text messages come amid government reviews to tackle this menace, and a stronger stance by the Information Commissioner’s Office (ICO) against the firms behind such messages, with several notable fines levied by the watchdog.

Cyber criminals phishing for passwords with Google Docs bait

A new phishing message loaded with a malicious Google Doc is targeting Gmail users, according to security firm Sophos.
Senior security advisor at Sophos, Chester Wisniewski, reported the scam in a blog post, confirming that the message attempts to dupe users into clicking a suspect link by pretending to be a "Secure Document" from their bank.
Wisniewski said the attack is basic in principle, but it is dangerous as the message has been cleverly socially engineered to look like it is authentic and uses an atypical infection method.
"While those of us in the security industry might not be surprised, phishing attacks are consistently proving themselves to be one of the most effective ways to evade traditional defences. As many organisations move to the Google cloud, this type of phishing lure will continue to yield results for the criminals," he said.
"Many organisations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable."
The attack reportedly links the victim to a phishing page hosted in Thailand, which attempts to dupe them into entering their password information for a variety of online services.
"The page not only asks for your Google credentials, it also suggests it will accept Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account. Of course filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire," he wrote.
Wisniewski said the password theft is likely to be the first stage in a wider attempt to steal more information, such as the web user's banking login details.
"You might think, so what, my Gmail isn't full of secrets that will destroy my nation/life/career. You would likely be wrong. Your email is the key to unlocking much of your online identity. Forget your banking password? No worries, they will email you a password reset link," he wrote.
He added that the high success rate of phishing means attacks like this will continue until businesses work harder to educate their staff about cyber best practice.
"As an IT administrator these are opportunities to educate your staff on the risks. This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff," he wrote.
Phishing is a growing problem facing businesses. Kaspersky Lab reported that the number of phishing messages hitting UK web users has tripled over the last year, with crooks targeting an average of 3,000 Brits every day.
The UK government has set up a number of resources to help businesses protect themselves against the influx of attacks. Most recently The GCHQ launched two cyber incident response and advice initiatives, designed to help businesses prepare for and mitigate the damage of cyber attacks.

Android malware makes up 79 percent of total threats, warns US Department of Homeland Security

The US Department of Homeland Security (DHS) warned law enforcement, security and government workers against using outdated versions of Google Android, claiming that 79 percent of all mobile malware targets the platform.
The DHS issued the warning in a Roll Call Release for US emergency services. The department said criminal interest in Android is due to a combination of its impressive market share, open architecture and fragmented ecosystem.
High malware figures were cited as proof that agents using smart devices must ensure their phones and tablets always run the latest software available.
"Android is the world's most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture," read the report. "The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OS patched and up to date."
Interestingly, despite being all but defunct, Nokia's ancient Symbian OS is the second most targeted, with the DHS finding that 19 percent of all mobile malware is designed for it.
While high, the 19 percent figure is probably a false indicator of criminals' interest in Symbian today, and is likely to be composed of older malware rather than dangerous new threats. Prior to the arrival of Android, Symbian was the OS of choice for criminals due to its ties to Nokia, but since buyers became more interested in Android and iOS, criminal interest in Symbian has waned.
Apple iOS and "other" operating systems were both listed as being the victims of 0.7 percent of all mobile malware. At the very bottom Windows Phone and BlackBerry were each listed as being the target of 0.3 percent of the world's mobile malware.
The low number of threats targeting Apple iOS, despite the popularity of its iPhone and iPad devices, is largely due to the closed security model. This model forces developers to sell their wares on Apple's official App Store, which closely vets all applications before allowing them into the marketplace.
Earlier this year F-Secure security expert Mikko Hypponen praised Apple for its robust security, listing the App Store as one of the security community's greatest achievements.
The findings mirror those of numerous security vendors. Kaspersky Labs reported detecting 100,000 mobile malware variants targeting Android during the second quarter of 2013, in its IT Threat Evolution report.

Hackers targeting Java native layer vulnerabilities to insert malicious code


Criminal groups are using Java native layer vulnerabilities to infiltrate businesses and government systems, according to security firm Trend Micro.
Trend Micro threats analyst Jack Tang reported the shift in a blog post, confirming the new attacks on Oracle's Java platform are getting increasingly complex.
He wrote: "Java exploits can be divided into two types: Java layer exploits and Java native layer exploits. In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a three-to-one ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws."
Tang said the move to target Java Native Layer exploits is troubling as they show an advance in sophistication within the cyber criminal community.
"Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR [address space layout randomisation] and DEP [Data Execution Prevention]. In addition, the skills needed to create native layer exploits are more difficult to acquire," he wrote.
"This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common; one is to make use of a Java array length overflow to tamper with the JavaBeans.Statement object's AccessControlContext member."
Tang added that the exploits detected are doubly dangerous as they grant the attacker a number of powers over successfully infected systems.
"An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following JavaBeans.Statement object's acc field, which points to an AccessControlContext object. In general, the acc field will be tampered with to point to a full-permission AccessControlContext object. This will let arbitrary code be run on the affected system."
Oracle's Java platform has been a growing target for cyber criminals. Over the last year the attacks have forced Oracle to release a number of out of cycle security updates.
Director of enterprise security at Trusteer, Dana Tamir, said that despite fixes being available many firms are yet to apply the updates, meaning criminals can and do still create attacks targeting them.
"Vulnerable versions of Java can still be found in many organisations. This is either because users haven't upgraded to the latest Java version available, or because some tools or applications bundle vulnerable versions of Java. This leaves an open window to attackers who exploit such vulnerabilities in order to compromise employee endpoints and gain a foothold in the network," said Tamir.
Tang mirrored Tamir's sentiment, calling for businesses to update their systems as soon as possible. "We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws," he wrote.
Java security issues have been a recurring theme throughout 2013 with numerous patches issued by the likes of Oracle and Apple.

KIS Shines in Independent Anti-Phishing Testing

Phishing is a dangerous type of Internet fraud that uses fake websites to swipe user logins and passwords, hijack their online accounts, steal money, or spread spam and malware through compromised email accounts and social networking platforms. It is a very effective tool used by online attackers, and it is on the rise.
The good news is that users have options to protect themselves, including Kaspersky Internet Security 2014, which recently blocked 99 percent of phishing URLs in independent testing conducted by antivirus testing lab AV-Comparatives.
AV-Comparatives tested the anti-phishing protections of various security products in a simulation designed to replicate typical web browsing conditions. It was carried out using Windows 7 PCs with two scenarios. The first checked for false alarms on 400 popular banking sites, while the second assessed phishing URL detection rates. Those URLs targeted various types of personal data, including login credentials for PayPal, online banking and credit cards, email accounts, eBay, social networks and online games, among others.
Kaspersky’s product blocked 99 percent of the 187 phishing websites while producing zero false alarms among the 400 legitimate URLs, earning first place among its competitors with an Advanced + award from AV-Comparatives.
“Phishing websites pose a real threat to users,” said Nikolay Grebennikov, chief technology officer for Kaspersky Lab. “About 20 percent of all phishing attacks mimic banks and other financial organizations and can result in the very real loss of money. That’s why we are constantly improving our anti-phishing technologies, and independent tests like this one demonstrate just how effective our work is.”
A recent survey by B2B Communications, in conjunction with Kaspersky Lab, showed that the number of Internet users who encountered phishing attacks over the last 12 months grew from 19.9 million to 37.3 million, an increase of 87 percent. Kaspersky Internet Security 2014’s success in the anti-phishing testing wasn’t its first successful independent testing, having earned high marks from AV-Comparatives for its protection capabilities earlier this year. The product’s predecessor, Kaspersky Internet Security 2013, also excelled in multiple independent tests.

India Atomic Research, Space Center Hacked, Documents Leaked Online

The website of the Electronics Corporation of India Ltd (ECIL) was hacked last Saturday and documents involving the Bhabha Atomic Research Centre (BARC) and the Indian Space Research Organization (ISRO) were leaked online by a hacker.
The attackers also claimed to have hacked Tata Motors sites.
Two days later, the hacked documents were available on a website. They included a contract issued by ECIL to ISRO, Peenya Industrial Area, for design and development of antenna systems at Hassan, among other places.
They also included BARC's Rs 39-crore work order to ECIL for detailed design, supply, installation and commissioning of the MACE telescope in Ladakh, and agreement for design, development, fabrication, supply and acceptance of full motion antenna systems.

Syrian Electronic Army hit NYT and Twitter

The Syrian Electronic Army hacker group is intensifying its pro-Assad hacking campaign. Here are the details of the attacks against the HuffingtonPost UK, Twitter and the NYT.

The Syrian Electronic Army has once again succeeded in an attack: this time the popular hacker group broke into the registrar accounts of Twitter, the Huffington Post and the NY Times, modifying DNS records and contact details. An attack on DNS allows hackers to redirect visitors of the target domain to any other site, a technique that can be used to serve malware by steering victims onto a compromised website.
The Syrian Electronic Army is considered the cyber unit of the Damascus government; over the last months it has conducted numerous operations against organisations and companies. The operations of the group, notorious for supporting the Syrian president Bashar al-Assad, are intensifying in conjunction with the escalation of the deep political and social crisis affecting the country.

To mention only the latest events: in early August the group announced that the personal Gmail accounts of at least three White House employees had been hacked, and in July the Syrian Electronic Army conducted a series of attacks exposing account details of major communications websites such as Truecaller, Tango and Viber.
The following is the detailed timeline published by FireEye on the attacks:
  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online telephone directory, with over a billion phone numbers in over 100 countries. SEA claimed this attack also gave it access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the attack vector was a vulnerable version of WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam which enabled SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.
The list of victims of the Syrian Electronic Army is very long and also includes the BBC, the Associated Press, the Financial Times and the Guardian. Compromised social media accounts can be used to spread fake and disturbing news: the attack on the Associated Press Twitter account disseminated news of an attack on the White House, causing stock markets to fall with losses of more than $100 billion. The group is politically motivated, and many security experts consider its campaigns part of a PSYOP campaign directed by the Syrian regime. The Syrian Electronic Army first emerged in May 2011, during the first Syrian uprisings, when it conducted various attacks against social media for pro-Assad propaganda.
The latest attack against Twitter was announced on the popular social network with a post of a screenshot of the Whois records for the Twitter.com domain.

The Syrian Electronic Army also provided evidence of the hacked Twitter accounts in a second tweet:


The hackers of the Syrian Electronic Army also altered the DNS records for the domain twimg.com, which Twitter uses to host CSS, JS, images and more; this caused problems displaying avatars for some users. The following is the statement issued by the company:
“At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored.  No Twitter user information was affected by this incident.”
The hackers also hit the NY Times with serious consequences, redirecting homepage visitors; the newspaper confirmed that its website was disrupted by the attack.
[The attack was carried out by a group known as] “the Syrian Electronic Army, or someone trying very hard to be them.” The group attacked the company’s domain name registrar, Melbourne IT. “The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., we believe that we are on the road to fixing the problem,” said Marc Frons, chief information officer for The New York Times Company.

Melbourne IT sent an email to all its customers indicating that the hackers seem to have used a reseller account as part of the attack. The information hasn’t been confirmed, but it is possible that the hackers exploited a flaw in the reseller interface that allowed a privilege escalation to take control of other Melbourne IT customers’ domains.
The group of Syrian hackers also hit the HuffingtonPost UK, altering its DNS records, but as of 4pm PST both HuffingtonPost UK’s and Twitter’s DNS records had been corrected, and the twimg and NY Times records had also been fixed.
Just a few minutes ago the group announced on Twitter and Facebook that its own website and domain are down.

A possible countermeasure
The CloudFlare company posted an interesting article on the incident; I want to extract its suggestion of a possible countermeasure against this kind of attack.
“There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.
Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult. However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place.”
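As an added example (not part of the Security Affairs post or of CloudFlare's article), the Python script below parses whois output and reports whether the three registry-lock status lines CloudFlare names are present. It also separates them from the client* locks, which are set by the sponsoring registrar and can be cleared by it, so they do not protect against a compromised registrar or reseller account of the kind described above. The whois records and domain names in the script are constructed for illustration.

```python
import re

# Registry-level locks that only the registry can remove (the three status
# lines CloudFlare names). A domain that shows all three has a registry lock.
REGISTRY_LOCKS = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})

# Registrar-level locks. The sponsoring registrar sets and clears these itself,
# so they only protect against a hijacked registrant login, not a compromised
# registrar or reseller account.
REGISTRAR_LOCKS = frozenset({
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
})

# Matches "Domain Status:" or "Status:" lines. The status code is the first
# token after the colon; many registries append an EPP reference URL after it.
_STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status:\s*(\S+)", re.IGNORECASE)


def parse_status_codes(whois_text: str) -> set:
    """Return the set of EPP status codes found in raw whois output."""
    codes = set()
    for line in whois_text.splitlines():
        match = _STATUS_LINE.match(line)
        if match:
            codes.add(match.group(1).strip(","))
    return codes


def registry_lock_report(whois_text: str) -> dict:
    """Summarise which registry and registrar locks a whois record shows."""
    codes = parse_status_codes(whois_text)
    return {
        "registry_locks": sorted(codes & REGISTRY_LOCKS),
        "missing_registry_locks": sorted(REGISTRY_LOCKS - codes),
        "registrar_locks": sorted(codes & REGISTRAR_LOCKS),
        # True only when all three server* locks are present.
        "fully_locked": REGISTRY_LOCKS <= codes,
    }


# Constructed sample whois output for a hypothetical domain with a registry lock.
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-LOCKED.COM
"""

# Constructed sample for a hypothetical domain with registrar-side locks only.
UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-UNLOCKED.COM
"""

if __name__ == "__main__":
    for sample in (LOCKED_SAMPLE, UNLOCKED_SAMPLE):
        report = registry_lock_report(sample)
        status = "registry lock present" if report["fully_locked"] else "NO registry lock"
        print(f"{status}: missing {report['missing_registry_locks']}")
```

In practice you would feed the script the output of `whois yourdomain.example` for each domain you own and alert on any record where `fully_locked` is false; a domain that shows only client* locks is exactly the situation the registrar-account compromise above can exploit.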
The imminent strike on Syria by the US and its allies will also have serious repercussions in cyberspace. It’s just the beginning.
Pierluigi Paganini
(Security Affairs – Syrian Electronic Army, hacking)

Facebook to add 1b+ members' profile photos to facial recognition database

Facebook Inc is considering incorporating most of its 1 billion-plus members' profile photos into its growing facial recognition database, expanding the scope of the social network's controversial technology.
The possible move, which Facebook revealed in an update to its data use policy on Thursday, is intended to improve the performance of its "Tag Suggest" feature. The feature uses facial recognition technology to speed up the process of labeling or "tagging" friends and acquaintances who appear in photos posted on the network.
The technology currently automatically identifies faces in newly uploaded photos by comparing them only to previous snapshots in which users were tagged. Facebook users can choose to remove tags identifying them in photos posted by others on the site.
The changes would come at a time when Facebook and other Internet companies' privacy practices are under scrutiny, following the revelations of a U.S. government electronic surveillance program.
Facebook, Google Inc and other companies have insisted that they have never participated in any program giving the government direct access to their computer servers and that they only provide information in response to specific requests, after careful review and as required by law.
Facebook Chief Privacy Officer Erin Egan said that adding members' public profile photos would give users better control over their personal information, by making it easier to identify posted photos in which they appear.
"Our goal is to facilitate tagging so that people know when there are photos of them on our service," Egan said.
She stressed that Facebook users uncomfortable with facial recognition technology will still be able to "opt out" of the Tag Suggest feature altogether, in which case the person's public profile photo would not be included in the facial recognition database.
Facial recognition technology has been a sensitive issue for technology companies, raising concerns among some privacy advocates and government officials. Tag Suggest, which the company introduced in 2011, is not available in Europe due to concerns raised by regulators there.
Google's social network, Google+, also employs similar technology, but requires user consent. And it has banned third-party software makers from using facial recognition technology in apps designed for its Glass wearable computer.
Egan said Facebook was not currently using facial recognition technology for any other features, but that could change.
"Can I say that we will never use facial recognition technology for any other purposes? Absolutely not," Egan said. But, she noted, "if we decided to use it in different ways we will continue to provide people transparency about that and we will continue to provide control."
Facebook also amended its Statement of Rights and Responsibilities on Thursday, adding and tweaking the language so that members under 18 years of age are deemed to have affirmed that a parent or legal guardian has agreed to allow marketers to use some of their personal information in ads.
The language was the result of a recent court-approved legal settlement regarding its "sponsored stories" ads.

BREAKING: AnonGhost sniffed 10000 Twitter accounts from Japan

It looks like AnonGhost declared war on Twitter and Japan as AnonGhost hacker Mauritania Attacker and his team were able to steal 10000 Twitter accounts in a sniffing session.  Mauritania Attacker said that Twitter should get prepared for future attacks as this was just a demo to show how scared Twitter actually should be.
The .TXT file that has been shared on this hosting server is free to download. The content, however, has been encrypted to ensure that Twitter has to dig out the hacked accounts itself.
The first time Twitter got hacked by AnonGhost, Twitter denied the attack (source: The Guardian); let's see how Twitter will catch up with this little bugger.
The hacker claims to lead a hacking group called AnonGhost and to be defending the dignity of Muslims through his hack. The group is reckoned to have been behind the hacks of more than 10,000 sites in the past seven months, but none is as high-profile as Twitter.

Syrian Electronic Army (SEA) Leader named?

Evidence has emerged that the leader of the notorious Syrian Electronic Army (SEA) is a 19-year-old Syrian man called Hatem Deeb. However, SEA denies Deeb is anything other than an "innocent friend".
The SEA has been all over the news in the last few weeks, following hacks on several prominent media houses.
Although the group has remained anonymous, Vice.com reported that it is headed up by Deeb.
Vice claims that one of its hacking contacts in Syria was able to get his hands on SEA's IP in Damascus, and through that, access the SEA server. Through this access, the hacker claims to have gleaned about 140 e-mail addresses, allegedly belonging to SEA members.
The hacker said there is evidence that the group's leader, who goes by the handle "ThePro", is in fact Deeb. He claims Deeb listed his real name on one vital document - a receipt for the VPS he had rented for the organisation.
On the receipt, the e-mail address was listed as Admin@ThePro.sy, the same address associated with ThePro's blog. The credit card number used in the transaction was tied to Deeb.
The claim is corroborated by a tweet on an SEA-related Twitter account, in which the identity of the SEA leader, using the handle "ThePro", was revealed as Deeb.
SEA denial
However, The Desk claims to have interviewed ThePro, who denied he was Deeb, referring to the 19-year-old as an "innocent friend".
During the interview, ThePro claimed that Deeb - who he described as a friend of the organisation - initially gave his permission for his name to be used on registration records of services obtained by the SEA.
The SEA leader now claims that Deeb has left Syria, and that the Vice.com article is endangering his life.
ThePro added that the organisation will do no more interviews with Vice, and said SEA will remove the offending article "in its own way" if Vice does not amend or remove it within 24 hours.

Syria, Aided by Iran, Could Retaliate Cyber Attacks Against More U.S. Companies

If the United States attacks Syria, it will be the first time it strikes a country that is capable of waging retaliatory cyberspace attacks on American targets.
The risk is heightened by Syria’s alliance with Iran, which has built up its cyber capability in the past three years, and already gives the country technical and other support. If Iran stood with Syria in any fray with the United States that would significantly increase the cyber threat, security experts said.
Organized cyber attacks have already been carried out by the Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad. It has disrupted the websites of U.S. media and Internet companies and is now threatening to step up such hacking if Washington bombs Damascus.
“It’s likely that the Syrian Electronic Army does something in response, perhaps with some assistance from Iranian-related groups,” said former White House cybersecurity and counterterrorism adviser Richard Clarke.
Little is known about the hackers behind the Syrian Electronic Army, and there is no evidence that the group is capable of destructive attacks on critical infrastructure.
However, former U.S. National Security Agency director Michael Hayden told Reuters that the SEA “sounds like an Iranian proxy,” and it could have much greater ability than it has displayed.
Thus far, the SEA’s most disruptive act was in April when it broke into the Twitter account of the Associated Press and sent fictional tweets about explosions at the White House. The false messages sent the stock market into a downward spiral that, for a short time, erased more than $100 billion in value.
In an email to Reuters on Wednesday, the SEA said if the U.S. military moves against Syria “our targets will be different.”
“Everything will be possible if the U.S. begins hostile military actions against Syria,” the group said in the note.
President Barack Obama vowed on Wednesday that the Syrian government would face “international consequences” for last week’s deadly chemical attack in Syria, but he made clear that any military action would be limited.
Asked about the threat of cyber retaliation, U.S. Department of Homeland Security spokesman Peter Boogaard said the government “is closely following the situation and actively collaborates and shares information with public and private sector partners every day.”
A U.S. Department of Defense spokesman said he could not discuss specific threats, while another source at the Pentagon said no unusual activity had been detected by late on Wednesday.
IRAN SHARPENS ITS GAME
Cyber experts have said that Iran increased its cyber capabilities after the United States used the Stuxnet virus to attack Tehran’s nuclear program.
U.S. intelligence officials have blamed hackers sponsored by Iran for a series of so-called distributed-denial-of-service attacks against many U.S. banking sites. In DDoS attacks, thousands of computers try to contact a target website at the same time, overwhelming it and rendering it inaccessible.
In three waves of attacks since last September, consumers have reported inability to conduct online transactions at more than a dozen banks, including Wells Fargo & Co, Citigroup Inc, JPMorgan Chase & Co and Bank of America Corp. Banks have spent millions of dollars to fend off the hackers and restore service.
Researchers have said that Iran has also infiltrated Western oil companies, and it could try to destroy data, though that would increase the risk of retaliation by the United States.
Things in cyberspace would get more complicated if Russia, an ally of Iran and Syria, were to step in. Former Obama administration officials have said that Russia, which has supplied arms to Syria, has cyber capabilities nearly as powerful as those of the United States.
Even if the Russian government did not act directly, the country’s private hackers rank with those in China in their ability and willingness to conduct “patriotic” attacks. Cyber experts have said that Russian hackers have struck at government and other sites in Estonia and Georgia.
The Syrian Electronic Army’s servers are based in Russia, and that alliance could strengthen if matters in Syria became more dramatic, said Paul Ferguson of the Internet security company IID.
“We already have a bad geopolitical situation,” Ferguson said. “This could play into the entire narrative I don’t want to see happen.”
It is unclear how much cyber damage Syria could or would want to inflict, said Dmitri Alperovitch, chief technology officer of security firm CrowdStrike.
“We haven’t seen significant intrusion capabilities from them or destructive capabilities,” he said.
Earlier this week, as the Obama administration pushed for more support for strikes on Syria, the New York Times, Twitter and the Huffington Post lost control of some of their websites. The SEA claimed responsibility for the attacks.
Security experts said electronic records showed that NYTimes.com, the only site with an hours-long outage, redirected visitors to a server controlled by the Syrian group.
The SEA had planned to post anti-war messages on the Times site but was overwhelmed by the traffic it received and its server crashed, the SEA said by email. Late on Wednesday, some users still could not access NYTimes.com.
The SEA managed to gain control of the New York Times web address by penetrating MelbourneIT, an Australian Internet service provider that sells and manages domain names.
It could have done much worse with such access, experts said, underscoring the vulnerability of major companies that use outside providers.
“Chief information officers need to realize that critical pieces of their online entities are controlled by vendors and that security policies should apply to them as well,” said Amichai Shulman, chief technology officer at security firm Imperva.
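As an added, defender-side example that is not part of the article, the Python check below flags the kind of DNS drift a registrar compromise produces: a domain suddenly delegated to nameservers its owner never approved, or an A record pointing outside the owner's own address space. The domain, nameservers and addresses are constructed, and the snapshot format is an assumption standing in for whatever a resolver or registrar API returns.

```python
import ipaddress

# Constructed baseline an operator would keep per domain: the approved
# authoritative nameservers and the address blocks the site legitimately uses.
BASELINE = {
    "example-news.test": {
        "ns": {"ns1.example-news.test.", "ns2.example-news.test."},
        "a_blocks": [ipaddress.ip_network("198.51.100.0/24")],
    }
}

def _norm(name):
    """Normalise a DNS name to lowercase with a trailing dot."""
    return name.lower().rstrip(".") + "."

def check_snapshot(domain, observed, baseline=BASELINE):
    """Compare an observed {"ns": set, "a": set} snapshot for `domain`
    against its baseline. Returns a list of findings; empty means no drift."""
    findings = []
    expected = baseline[domain]
    # Delegation drift: a registrar-level takeover rewrites exactly this
    # record, so any nameserver outside the approved set is reported.
    rogue_ns = {_norm(ns) for ns in observed["ns"]} - expected["ns"]
    for ns in sorted(rogue_ns):
        findings.append(f"NS changed: {domain} delegated to unapproved {ns}")
    # Address drift: an A record outside the owner's blocks means visitors
    # are being sent to a server the owner does not control.
    for ip in sorted(observed["a"]):
        addr = ipaddress.ip_address(ip)
        if not any(addr in blk for blk in expected["a_blocks"]):
            findings.append(f"A record off-net: {domain} -> {ip}")
    return findings

# Constructed snapshots: one matching the baseline, one showing a hijack.
NORMAL = {"ns": {"NS1.example-news.test", "ns2.example-news.test."},
          "a": {"198.51.100.20"}}
HIJACKED = {"ns": {"ns1.attacker.test.", "ns2.attacker.test."},
            "a": {"203.0.113.7"}}

if __name__ == "__main__":
    for label, snap in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(label, check_snapshot("example-news.test", snap) or "clean")
```

Run periodically against live answers and alert on any non-empty result; pairing this with the registrar's transfer lock closes the gap the article describes at the vendor level.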