Tuesday 3 September 2013

Hacking Heist Flummoxes French Banks

Image via Flickr user JasonBechtel
Bank robbery just isn't what it used to be. Cutting holes in walls, disarming security cameras, cracking safes... that's sooo 1990's. The modern robber needs cyber skills. A Remote Access Trojan (RAT) is more effective than a mole in the bank office. And why crack the safe when you can transfer the money wirelessly? A group of banks and multinationals in France got hit with just this sort of high-tech heist, and Symantec has documented the whole drama.
It all started with a simple email message directing a VP's administrative assistant to deal with a particular invoice. Given that the invoice was hosted outside the company, on a file-sharing site, the admin might have hesitated. However, minutes later that same assistant got a phone call purportedly from another VP urging her to expedite the invoice. Fooled by the fraudulent phone call, she opened it, thereby releasing a RAT within the company network. The aggressive combination of spear-phishing email and fraudulent phone call caught the interest of Symantec researchers; they dug deeper and found more, and worse, attacks on other French companies.
Defenses Defeated
In a blog post released today, Symantec revealed how attackers managed to defeat all of one company's protections against unauthorized money transfers. It really does read like the script for a heist movie.
For starters, they used the double-pronged social engineering attack described above to load a RAT onto the PC of an administrator's aide. The RAT harvested company information, including the company's disaster plan and its telecom provider details. Using the stolen information, the crooks invoked the disaster plan, claiming a physical disaster. This let them redirect all of the organization's phones to a new set of phones under their control.
Next they faxed a request to the company's bank for multiple large fund transfers to offshore accounts. Naturally the bank representative called to confirm; the crooks intercepted the call and approved the transaction. As soon as the money showed up in those offshore accounts, they siphoned it out. Mischief managed!
Symantec discovered quite a few other cases, many of them much less elaborate. For example, one attacker simply called the victim and stated that regular maintenance required disabling two-factor authentication for fund transfers temporarily. Another informed the victim that computer upgrades required a "test" fund transfer; the "test" actually wired real funds to an offshore account. Clearly gullible humans are the weak point in many security systems.
Whodunnit?
Knowing that this kind of chicanery was taking place, the Symantec team managed to get a lead on an in-process operation, a caper they dubbed "Francophoned." They managed to trace the command-and-control traffic through Ukraine to IP addresses originating in Israel.
Analyzing the IP addresses used, they noticed two oddities. First, the addresses came from a block assigned specifically to MiFi cards—GSM cellular radios that can be used to provide Internet access via the cellular network. Second, they were constantly changing, meaning that the bad guys were driving around, passing different cell towers. The telecom couldn't triangulate a moving target, and the MiFi connections were apparently anonymous and prepaid, so there was no way to catch the crooks.
I can't wait for the movie version!

New CEO Brings Avira New Direction, New Energy

Taken in the botany lab aboard Neil Rubenking
Doing the same job for 27 years can be tough, unless you really love your job. No, I'm not talking about my career writing for PCMag. I'm talking about Tjark Auerbach, founder and CEO of German antivirus giant Avira. After 27 years of running the company, Mr. Auerbach retired earlier this summer. I quizzed Avira's new CEO, Travis Witteveen, about what changes we're likely to see at Avira. Prior to becoming CEO on July 1st, Mr. Witteven "ran all the sales, marketing, finance, and HR" for Avira, so he's no stranger to the management track.
Pulling Up Scores
Witteveen frankly admitted that Avira's scores in tests by independent labs such as AV-Comparatives and AV-Test have been sagging. "We're heading back to the top," he proclaimed. "We've had cloud-based protection for a while, but only during scans. Our first priority is to incorporate cloud technology into our real-time protection."
He also referenced my own reviews of Avira's previous edition, in which I faulted it for failing to install on malware-infested test systems. "Our Avira Rescue System will help. It's not yet integrated into the other products, but it works." (The Rescue System didn't ace my hands-on tests, but it might well remove obstacles to installing the company's full-scale antivirus.)
Expert Marketplace
In addition to traditional modes of tech support, Avira last year introduced a concept called the Expert Marketplace. Users and experts interact much the way eBay buyers and sellers do, negotiating a price for a specific fix and rating the experience afterward. "We see about 330,000 unique visitors monthly," said Witteveen. "Some don't even want money; they just want to help."
To make better use of freely offered tech help, Avira will introduce a marketplace spinoff called Avira Answers next month. "The only condition is that the problem and the answer must go public," explained Witteveen. "Capturing the info this way benefits us and other users. That's the important thing."
Avira Inside
I asked Witteveen just how many people use Avira. "We only say that our installed base is above 100 million," he replied. "However, if you think of our partners, it's much more. Baidu, Qihoo, Tencent—their antivirus is based on ours. If you add their users, it's far north of half a billion."
Witteveen explained that these Chinese companies make plenty of revenue in other areas. Baidu is a huge search site, for example, and Tencent supplies instant messaging. They have no trouble paying Avira to license antivirus technology that they then offer for free. "From a revenue point of view," said Witteveen, "it's our number two market worldwide. China has 450 million broadband installations, twice that of the U.S."
Being a big player in China isn't easy. "It costs a lot extra for us to enable special detection in Chinese markets," Witteveen said. "We see a lot of valid software incorporating ripped-off tools and libraries, so the builds are slightly corrupt. Our normal heuristics would flag them as malware. We have an enormous testing department just for Chinese technology."
Going Forward
Witteveen observed that engineers like Mr. Auerbach typically have a different management style than those trained as managers. He sees a "different kind of Avira" coming. "There are cultural challenges, challenges in people, strategy, vision. You have to change."
"Going forward, our challenge is still to support 'Aunt Emma'," said Witteveen, referencing Avira's fictitious non-techie target user. "We are still a privately held company; we don't have to worry about EBITDA and such pressures. The product is who we are and what we deliver to the world."
Avira's 2014 product line will release around the end of September. I'll definitely put them through their paces and report my results here.

Syria, Egypt strife sparks surge in cyber attacks - McAfee

Syria's civil war and political strife in Egypt have thrown up new battlegrounds on the Web and driven a surge in cyber attacks in the Middle East, according to a leading Internet security company.
More than half of incidents in the Gulf this year were so-called "hacktivist" attacks - which account for only a quarter of cybercrime globally - as politically motivated programmers sabotaged opposing groups or institutions, executives from Intel Corp's software security division McAfee said on Tuesday.
"It's mostly bringing down websites and defacing them with political messages - there has been a huge increase in cyber attacks in the Middle East," Christiaan Beek, McAfee director for incident response forensics in Europe, Middle East and Africa (EMEA), told Reuters.
He attributed the attacks to the conflict in Syria, political turmoil in Egypt and the activities of hacking collective Anonymous.
"It's difficult for people to protest in the street in the Middle East and so defacing websites and denial of service (DOS) attacks are a way to protest instead," said Beek.
DOS attacks flood an organization's website causing it to crash, but usually do little lasting damage.
The Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad, defaced an Internet recruiting site for the U.S. Marine Corps on Monday and recently targeted the New York Times website and Twitter, as well other websites within the Middle East.
Beek described SEA as similar to Anonymous.
"There's a group leading operations, with a support group of other people that can help," said Beek.
McAfee opened a centre in Dubai on Monday to deal with the rising threat of Internet sabotage in the region, the most serious of which are attacks to extract proprietary information from companies or governments or those that cause lasting damage to critical infrastructure.
Cyber attacks are mostly focused on Saudi Arabia, the world's largest oil exporter, Qatar, the top liquefied natural gas supplier, and Dubai, which is the region's financial, commercial and aviation hub, said Gert-Jan Schenk, McAfee president for EMEA.
"It's where the wealth and critical infrastructure is concentrated," he said.
The "Shamoon" virus last year targeted Saudi Aramco, the world's largest oil company, damaging about 30,000 computers in what may have been the most destructive attack against the private sector.
"Ten years ago, it was all about trying to infect as many people as possible," added Schenk. "Today we see more and more attacks being focused on very small groups of people. Sometimes malware is developed for a specific department in a specific company."

Citadel Trojan bank robber horde returns from from the dead

Digital security padlock red image
Evolved versions of the notorious Citadel banking Trojan have resurfaced targeting Japanese computer users, according to Trend Micro researchers, which warned the threat could move to Europe at any time.
The researchers announced findings linking the malwares to command and control servers in Europe in a public blog post, warning current evidence suggests the attacks are part of a wider campaign.
"We've identified at least nine IP addresses serving as its command and control (C&C) servers, most of them detected to be belonging in the US and Europe," according to the report.
"Monitoring these servers, we also discovered that 96 percent of the connections to these servers are coming from Japan - further proof that the most of the banking Trojan infections are coming from that one specific country."
The Trend researchers reported detecting 20,000 unique IP addresses connecting to the malware servers in the six days its was actively tracked.
"During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there are still a large number of infected systems stealing online banking credentials and sending them to the cyber criminals responsible," read the report.
The news is the latest incidence of the Citadel Trojan reappearing following take down attempts by law enforcement. In the past Microsoft and the US FBI have mounted numerous takedown attempts against criminals using the Citadel Trojan. The campaign has had some success, with the pair taking down a $500m Citadel botnet in June 2012.
Despite the success of the takedowns, the Citadel Trojan has constantly resurfaced. Trend Micro security director Rik Ferguson said the open nature of the malware and its public availability on numerous cyber black markets means it is likely more versions of the Citadel Trojan will continue to appear.
"Citadel is a successful offshoot of the ZeuS source code and now a highly effective piece of malware, both as financial malware in its own right and as a software distribution platform for other malicious activity, such as ransomware," he wrote.
"Obviously arrests lie the actions of the Spanish police against the Reveton gang and botnet takedowns such as Microsoft recent action against 1,400 Citadel domains can make a dent in criminal operations, but anyone with access to a builder is able to start again, rebuilding botnets and infecting new victims."
Ferguson added the new versions will not be limited to targeting Japan, clarifying European businesses are equally at risk from the Trojan. "Citadel is of course not specific to Japanese victims, and we expect to see further Citadel activity in European territories too," he said.
Prior to Trend Micro numerous other security firms have listed Citadel as one of the biggest threats facing businesses. Most recently McAfee listed tweaked versions of the Citadel and Koobface Trojans as two of the biggest cyber threats facing companies in its Q1 2013 Threat Report.

V3 Hot Seat: Dr Louise Bennett, chair of BCS Security and director at consultants Vivas

Dr Louise Bennett is currently director at risk management consultants Vivas and chair of the BCS Security Group.

Dr Bennett had an initial career as a government scientist working on locust plague dynamics in Africa for seven years, before moving onto operations analysis and aircraft cockpit design at the Royal Aircraft Establishment. In the late 1980s, she moved into the private sector as an IT Director.

Over the past 20 years, she has worked at board level in both the private sector, including stints at Thorn EMI and Logica, and the public sector. Dr Bennett has also worked on various government advisory bodies, including the Police IT Organisation.

Dr Bennett's Hot Seat follows those from Steve Watt, St Andrews University chief information officer, Ocado director of technology Paul Clarke, and General Electric global technology director William Ruh.

V3: What would be your dream job?

Dr Louise Bennett: I was originally a geographer and zoologist, so I would love to have had David Attenborough’s job and have spent my life travelling the world making those fantastic programmes.

Which mobile phone and tablet do you currently use?

A BlackBerry Torch and a Lenovo ThinkPad. I am waiting for the Surface Pro to bring out a version with a decent battery life, so I can move to something lighter, but still have all the great pen features.

Which technology has had the biggest impact on your working life?

Satellites. I was the first UK scientist to use the output of the National Oceanic and Atmospheric Administration (NOAA) satellites for agricultural and weather monitoring. It revolutionised those activities. Now it enables me to drive the car to my destination faultlessly, without worrying about reliance on map reading when alone in a moving car. Satellites are a key part of the infrastructure for ICT and with GPS are enabling a whole raft of new analytics.

What’s been the highlight of your career so far?

Writing the software for the first air combat simulators at the Royal Aircraft Establishment and actually getting them to work, so that we could conduct a great raft of experiments to improve the man-machine interface in aircraft.

What was your first job?

Beyond summer jobs, it was forecasting locust plagues in Africa.

What’s your favourite thing about working in the IT industry?

The enormous variety of opportunities.

What will be the next big innovation of the coming years?

Personalised healthcare, from genetically specific products and treatments, to remote monitoring and treatment of chronic conditions like diabetes and remote monitoring for the elderly to enable them to remain safely at home.

What keeps you awake at night?

Nothing. I sleep like a log.

What was the last book you read and was it any good?

The Lacuna by Barbara Kingsolver. It is much, much too long, but really gripping. I felt daunted even starting it until the summer, when I felt I might find time to read all 800-plus pages. Perhaps because it is so slow, I have numerous vivid images from it in my mind. It inspired me to go to the Royal Academy exhibition about Mexico, A Revolution in Art, as that also featured Diego Rivera, Frida Kahlo and the other artists of that era, who were central to the book and I was not familiar with them. It was wonderful to see photographs and paintings of all the characters and places in the book.

Who is your favourite band or musician?

On the whole I like the sound of silence! But if I listen to anything it is 1960s pop and my favourite song is Procol Harum’s A Whiter Shade of Pale.

Where’s your favourite place for escape?

Paphos in Cyprus, because the pace is slow, the people are so nice, and the food, climate and scenery are lovely.

E-readers or real books?

Real books, every time.

The Beatles or The Rolling Stones?

The Beatles, but it is a close thing.

Favourite film?

A Town Like Alice.

Windows or Mac OS?

I started with Mac, but got really irritated by the lack of compatibility with Windows, which has always been used by everyone else in my work environment. So now I am a Windows convert and will never go back to something that locks you into one vendor, like the way Apple does with the Mac.

Facebook shells out $12,500 for photo deleting security bug find

Image of Facebook logo and login screen
Facebook has paid a bug hunter $12,500 for spotting a flaw in its software that could theoretically be exploited to delete users photos without their consent.
The bug was found by 21-year-old Indian engineer and self-professed security enthusiast Arul Kumar, who reported receiving the payment in his blog. "I would like to share one of Critical Bug in Facebook which leads to delete any photo from facebook without user interaction," he wrote.
"[The] Facebook team has recognised my bug after sending video POC. Interesting part is, In that video I have exploited Mark Zuckerberg's photo from his photo album and I did not remove his photo. Now it has been fixed fully and Facebook has rewarded me $12,500 for finding this Critical Bug."
At the time of publishing Facebook had not responded to V3's request for confirmation of Kumar's blog post. Kumar explained the flaw was in the mobile version of Facebook's support dashboard and prior to the new fix was remotely exploitable.
"The support dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your support dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week," he wrote.
"Mainly this flaw exists on mobile domain in [the] support dashboard. If any reported photo was not removed by Facebook team, [the] user has the other option to send Photo Removal Request to owner via messages.If users sends a claim message, Facebook server will automatically generate photo removal link and it will send to the owner. If [the] owner clicks that link, [the] photo will be removed."
Kumar claims Facebook initially ignored his bug report with a research replying: "Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos."
The Indian engineer is one of many researchers whose initial reports have been disregarded. Prior to it independent researcher Khalil Shreateh received a similar message after attempting to disclose a bug allowing users to post on other people's public Facebook pages even if they are not friends.
However, unlike Kumar, who responded by sending a video offering a more detailed guide about how to exploit the bug, thus earning his bounty, Shreateh controversially exploited the flaw he'd discovered to post a message on Facebook founder Mark Zuckerberg's wall. The move led Facebook to refuse to pay Shreateh for the bounty as he had broken its responsible disclosure policy.

Hi all, Cyberinfocts IT Security September Forum -- 14 th September 2013

Hi all, Cyberinfocts IT Security September Forum -- 14 th September 2013 @ Perfect Touch Consulting 1A Basheer Augusto Street, Eric Emmanuel Bus stop Off Bode Thomos Street Surulere. Time: 9:00 am Registration Fee: 500.

What is Cyberinfocts IT Security Forum about?
It is a platform independent forum where experts, beginners from different IT field, companies meet second Saturday in a month to share ideas, is also a place where questions regarding IT and security are answered.
Different topics are discuss monthly from various fields of IT topics include: PCI-DSS, IP surveillance Camera, Car Security(Trackers) Windows password recovery, securng your network, Securing your website, Bluetooth security, cloud computing, IP address, networking, linux, internet marketting, Ethics and code of conduct, Security products to enhance your computer, mobile device and home security.

Who should attend?
Hackers, IT Security Expert, Cyber Security Expert, Web masters, Network Admins, Website Developers, Physical security Experts, Database Admins, Programmers/Developers, Computer Users, internet users.

For further details please contact:07037288651 cyberinfocts@yahoo.co.uk

US Silent Cyberwar Target Iran China Russia NKorea

The revelation is based on a classified intelligence budget provided to the paper by fugitive leaker Edward Snowden, as well as on interviews with former US officials.
The Post also reported that, under a $US652 million ($735.1 million) project code-named "GENIE", US specialists hack foreign computer networks to secretly put them under American control.
This involves placing "covert implants" in computers, routers and firewalls, it said, adding that by year's end "GENIE" is projected to control at least 85,000 "malware" plug-ins in machines around the globe.
That compares to just over 21,200 in 2008, the Post reported, citing the intelligence budget.
"The documents provided by Snowden and interviews with US officials describe a campaign of computer intrusions that is far broader and more aggressive than previously understood," the daily said.
Of the 231 "offensive operations" conducted in 2011, nearly 75 per cent were against top-priority targets that the Post, citing former officials, said included "adversaries such as Iran, Russia, China and North Korea and activities such as nuclear non-proliferation."
The paper said US intelligence services make "routine use" of government-constructed malware around the globe that "differs little in function from the 'advanced persistent threats' that US officials attribute to China."
However, while an unnamed National Security Agency spokesman confirmed to the Post that the Defense Department does engage in computer network exploitation, the paper also quoted him as saying that, unlike China, "the department does not engage in economic espionage in any domain, including cyber."
Snowden, a former US National Security Agency contractor, was granted temporary asylum in Russia on August 1.
He is wanted by Washington on espionage charges linked to media disclosures about US surveillance programs.

Cyber attack: Abu Dhabi nursery's website hacked

An Abu Dhabi nursery’s website was hacked this week in what was believed to be a random cyber attack.
Instead of finding information about the International Montessori Nursery, anyone who logged on to www.imn.ae was greeted by a map of the Arabian Gulf and a message declaring the hacker’s “love for Iran”.
Using the tag HackeD By OmiDeR, the hacker wrote “My Love Iran. Persian Gulf for ever” on the home page.
A prospective parent spotted the hack on Sunday and alerted the nursery.
Barbara Knaap-Broughton, the nursery’s principal, said she was shocked when she realised the site had been targeted.
“I honestly do not know why they did it,” she said. “It was propaganda about Iran. We do not know why we were targeted. We do not have any political affiliations.”
Ms Knaap-Broughton contacted IT experts to restore the home page, who were working to figure out how the hacker managed to take control of the site and how the domain was so vulnerable.
“How it was possible? We do not know,” said Ms Knaap-Broughton. “Our website is generated in India.”
The website was running normally again by mid-morning yesterday.
Ms Knaap-Broughton said it was the second time the school’s website had been hacked – albeit not by the same hacker.
HackeD By OmiDeR has struck on other sites, including a kick-boxing website and a religious website based in New York.
The hacker’s identity is revealed by a trademark tag, sometimes accompanied by a hanging skeleton. The message – “My Love Iran” – is consistent on each site that has been disabled.
David Michaux, from cyber-security company Whispering Bell, said it was likely that whoever had changed the site scanned the internet for vulnerable domains and chose the nursery at random.
“This case is quite simple,” he said. “There are a number of different kinds of hackers that break in. What this guy seems to be is what is known as a ‘script kiddie’.”
Script kiddie is a nickname given to hackers that do not know how to write their own hacking programmes.
Mr Michaux said this sort of hacker is not a sophisticated cyber attacker. More probably it is a hacker who has learnt how to take control of a site through advice gleaned from the internet.
“He has basically managed to use some free tool from the internet to download some auditing tool used by professionals and potential hackers,” said Mr Michaux.
The tool allows users to see if websites have a vulnerable domain.
Mr Michaux said the hacker would have used the tool to check a host of UAE websites to see which were vulnerable to a cyber takeover.
“Once he finds he can exploit that security issue he can upload whatever he wants,” said Mr Michaux.
These kinds of hackers are often after the “fame and glory” that comes with hacking a site, he said.
“It is not something malicious. I would say it was extremely unlikely he has acted deliberately to target the nursery. I think it is simply a matter of looking for any site that is vulnerable and exploiting it.”

Kaspersky Internet Security Blocks All Banking Malware

In news that has been making the rounds on various forums since mid-August, analysis conducted by independent IT security research firm MRG Effitas indicates that very few security companies can completely protect users’ systems from online banking malware.
bank_title_EN
Kaspersky Internet Security 2013 was among nine products that passed every test, earning an MRG Online Banking Browser Security Certification, which is given out only for flawless performance in all tests. Many popular security solutions cannot pass this test.
Kaspersky Internet Security 2013 was among nine products that passed every test, earning an MRG Online Banking Browser Security Certification.
Testing was carried out over the course of the second quarter of 2013, during which 21 security applications were tasked with preventing so-called man-in-the-browser attacks (MitB), in which an attacking program hijacks what should be a secure transaction. The applications were also charged with detecting and blocking 100 test samples based on Zeus, the most prevalent and continually evolving form of financial malware in use today, according to Effitas.
MRG Effitas has been doing this type of testing for four years. The company estimates that worldwide cybercrime has a value of more than $250 billion and is on pace to surpass international drug crime in total revenue. Kaspersky Internet Security 2013 also earned high marks from MRG Effitas earlier this year. To read the full MRG Effitas Online Banking/Browser Security Assessment Project from Q2, click here.

How AnonGhost forced Hayton College to lose its virginity

Hayton College has been breached by the famous hacking team AnonGhost - the team made sure that Hayton College would lose their virginity when it comes to being hacked. AnonGhost published the following Pastebin which revealed the database dump of the Hayton College website.
If you navigate to the Hayton College website you will see the AnonGhost defacement.
Below you will see the details of the mirrors and the defaced webpages.
Hayton.com.au got defaced and Haytoncollege.com.au got defaced in the same attack.
  1. Hayton College Hacked By AnonGhost
  2.  
  3.