Friday 4 October 2013

Tor Can't Always Keep You Safe; Just Ask Silk Road

via Wikipedia
It was the end of an era yesterday when the Internet's largest (and highly profitable) black market website Silk Road was finally taken down by the feds. Its proprietor Ross William Ulbricht (aka Dread Pirate Roberts) was taken into custody and now we're learning a lot about the site that offered everything from drugs to assassins. We're also learning about the limits of online anonymity.
Silk Road
Named for the ancient cross-desert trade route, Silk Road was a marketplace designed to let users sell their wares—particularly, illegal goods and services. According to documents filed in conjunction with the investigation, the service saw billions of dollars pass through it in the form of untraceable Bitcoins.
To protect the site's users, Silk Road took advantage of the Tor (The Onion Router) anonymity network which bounces your request around to make it harder to track. When you connect to Silk Road, and other websites secured by Tor, your request is bounced through a series of volunteer servers. The request uses encrypted layers, like an onion, so that each relay server can only see where the request has immediately arrived from and where it will go next.
For instance, if you're on computer A trying to connect to website E, your request is bounced through Tor servers B, C, and D. Server B can see where you are because it's the first hop in the chain, but it doesn't know that you're trying to reach website E. Server D does know what website your request is headed to, but it doesn't know where you are. Server C doesn't know much of anything.
It's a clever system that has protected journalists and human rights activists, in addition to providing a modicum of security to less reputable operations. But like all security technology, it can be beaten.
Breaking Tor
Back when we looked at the Pirate Bay Browser, we highlighted a few of the problems with Tor. The big one, and the one that Tor has always admitted to, is that with careful traffic monitoring and a little math you can figure out who connects to what on Tor.
"The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate," reads a 2009 blogpost from Tor. "But Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math."
Basically, if you think that person A is connecting to website E, you can sit at the entry to the Tor network and at an exit point, you can eventually infer the path of travel. But you have to know who to watch before you start your investigation.
Alternatively, you can be infected with malware while on a Tor site and have your computer's identifying information sent off to an observer. This is how the FBI was reportedly able to crack a notorious child pornography ring and bring charges against its operator, Eric Eoin Marques.
In that investigation, it appears that the FBI took control of Freedom Hosting—which hosted Marques's site—and used them to display an error message. Within the error message was an iFrame which in turn injected code onto the computer of anyone who visited a Freedom Hosting site. Wired writes that this code captured the infected computer's MAC address and Windows host name. This information was then packaged up and sent back to an unidentified server somewhere in Northern Virginia.
Plain Ol' Detective Work
In the case of Silk Road, the investigation appears to have relied on more traditional policework than breaking Tor. Wired reports that the feds simply looked around for the earliest mention of Silk Road on the Internet. That led to a posting on a magic mushroom forum, which in turn led to Ulbricht's Gmail account.
That's not the whole story, and in fact there are a lot of gaps in the chain of events. Police somehow got a hold of several fake IDs with Ulbricht's face on them during a border check, and somehow were able to trace Silk Road's servers. But the initial connection to Ulbricht appears to have required no special hacking, just some persistent Googling and subpoenas.
The lesson here is that behind all the encryption and obfuscation is a person. A person who makes mistakes, a person who leaves clues, and a person who is now facing serious charges. As long as people are still people, they'll always be vulnerable.

Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities –contd

The emergence and sophistication of DIY botnet generating tools has lowered the entry barriers into the world of cybercrime. With ever-increasing professionalism and QA (Quality Assurance) applied by cybercriminals, in combination with  bulletproof cybercrime-friendly hosting providers, these tactics represent key success factors for an increased life cycle of any given fraudulent/malicious campaign. Throughout the years, we’ve witnessed the adoption of multiple bulletproof hosting infrastructure techniques for increasing the life cycle of campaigns,with a clear trend towards diversification, rotation or C&C communication techniques, and most importantly, the clear presence of a KISS (Keep It Simple Stupid) type of pragmatic mentality; especially in terms of utilizing HTTP based C&C communication channels for botnet operation.
In this post, I’ll discuss a managed botnet setup as a service, targeting novice cybercriminals who are looking for remote assistance in the process of setting up the C&C infrastructure for their most recently purchased DIY botnet generation tool. I’ll also discuss the relevance of these services in the content of the (sophisticated) competition, that’s been in business for years, possessing the necessary know-how to keep a customer’s fraudulent/malicious campaign up and running.

Sample screenshot of the (international) underground market proposition:
Botnet_Setup_Managed_Setup_Bulletproof_Hosting_Malware_Bot_Malicious_Software_Service For the static amount of $50, the cybercriminal behind the managed botnet setup service will configure, register HTTP based C&C domains, as well as host them for one year, and currently supports 11 different DIY malware/botnet generating tools. The service’s value proposition is similar to that of a recently profiled managed bulletproof hosting service for malicious Java applets, in terms of lacking the necessary know-how and experience to ensure smooth (cybercriminal) operations. Does a cybercriminal need to take advantage of one of the market leading (Russian) bulletproof cybercrime-friendly services in order to increase the life cycle of his campaigns? Not necessarily, as the botnet generating tools offered by this service can be best described as ‘beneath the radar‘ botnets, that is, small botnets that rarely make the news headlines.
We expect to continue observing similar (international) underground marketplace propositions, with more cybercriminals realizing the market segment potential for products and services targeting novice cybercriminals exclusively.

A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform

The perceived decline in the use of blackhat SEO (search engine optimization) tactics for delivering malicious/fraudulent content over the last couple of years, does not necessarily mean that cybercriminals have somehow abandoned the concept of abusing the world’s most popular search engines. The fact is, this tactic remains effective at reaching users who, on the majority of occasions, trust that that the search result links are malware/exploit free. Unfortunately, that’s not the case. Cybercriminals continue introducing new tactics helping fraudulent adversaries to quickly build up and aggregate millions of legitimate visitors, to be later on exposed to online scams or directly converted to malware-infected hosts. This is achieved through cybercrime-friendly underground market traffic exchange networks offering positive ROI (Return on Investment) in the process.
In this post, I’ll take a peek inside a blackhat SEO/cybercrime-friendly doorways management script, discuss its core features, and the ways cybercriminals are currently abusing its ability to populate major search engines with hundreds of millions of search queries relevant bogus Web pages, most commonly hosted on compromised Web servers in an attempt by the cybercriminals behind the campaign to take advantage of the compromised Web site’s high page rank.

Sample screenshots of the administration panel for the blackhat SEO/cybercrime-friendly multi-user doorways management platform:
Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_01 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_02 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_03 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_04 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_05 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_06 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_07 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_08 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_09 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_10 Blackhat_SEO_Cybercrime_Fraud_Rogue_Search_Engine_Doorway_Management_11 Basically, what this platform enables cybercriminals to do is to have their fraudulent/malicious/rogue content indexed by Yandex and Google in a near real-time fashion — as you can see in the last screenshot, it only took 24 hours to have one of the rogue doorways indexed by Yandex. How is this accomplished? The cybercriminals behind this service have created an ecosystem designed to generate rogue content, and mal-links pointing back to it, with the actual content and links hosted on compromised Web shells, usually hidden on Web servers with high page ranks.
Next to the advanced customization evident throughout the entire administration panel, the tool is also blackhat-SEO-cybercrime-friendly compatible, as it has been designed to be integrated with other tools. Moreover, the multi-user nature of the platform, allows cybercrime/blackhat SEO groups to work simultaneously while maintaining the necessary degree of QA, ensuring the success of their campaigns. And with the market for (compromised) Web shells proliferating, based on the increasing number of supply+demands underground market type of propositions appearing on, both, public/dark Web, it shouldn’t be surprising that cybercriminals would continue possessing access to tens of millions of unique visitors, which they can convert into virtually anything given that the right incentives have been offered through a cybercrime-friendly affiliate network.
We’ll continue highlighting the existence of these platforms, with the idea to emphasize on on just how easy it is to populate the world’s most popular search engines with fraudulent/malicious/rogue content.

T-Mobile MMS message has arrived’ themed emails lead to malware

A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they’ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs.

Detection rate for the spamvertised sample – MD5: 5d69a364ffa8d641237baf4ec7bd641f – detected by 11 out of 48 antivirus scanners as W32/Trojan.XTWU-6193; TR/Sharik.B; Trojan.DownLoader9.22851
Once executed, the sample phones back to networksecurityx.hopto.org – 69.65.19.117
The following subdomains are also known to have phoned back to the same IP in that past:
1216289731481872.no-ip.info
128096312288.no-ip.info
130715253.no-ip.info
1364170516.hopto.org
1365606917.hopto.org
1365607817.hopto.org
1365608717.hopto.org
1365609617.hopto.org
1365611417.hopto.org
1365614117.hopto.org
1365615017.hopto.org
1365615917.hopto.org
1365617717.hopto.org
1365621317.hopto.org
1365622217.hopto.org
1365623117.hopto.org
1365624017.hopto.org
1365624917.hopto.org
1365625816.hopto.org
The following malicious MD5s are also known to have phoned back to the same domain/IP in the past:
MD5: f65f5b77b0c761e4b832c4c6eb160abe
MD5: 04d70ee87b53c6b72667a64c90310c6c
MD5: f9012d4c5b184bfce0d38fbe59ed5f01
MD5: e04211eebf720db3a3020894c8902d91
MD5: 8ee9dcaa13c43ef1c597e6602f13a18d
MD5: 0f0bd979a4653bd1dd3851c2401bd6f5
MD5: bed1f172fc063ef6ef6462694ec08b57
MD5: 6d91c5519d7e775026256a8a03c94298
MD5: cef1668439de2c59392207a1e5b694be
MD5: e3e1500f61974748524a9c6ec24fba20
MD5: db188979d05cc07b9a2f28c629f665e7
MD5: 8ae4171c1ff33d5f28073abc459084e5
MD5: 440205bed295ffbcb7e8a97ba7fafe5f
MD5: 9454f19a4a4f8132eb67b8333a1c685b
MD5: 18ffaf17b6144fbd2557574b450b6890
MD5: 06a610c631b723ab818d9fc14ff462d1
MD5: c1133b01880db299f4b598bd04fc6816
Webroot SecureAnywhere users are said to be  proactively protected from these threats.

DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities

DDoS for hire has always been an inseparable part of the portfolio of services offered by the cybercrime ecosystem. With DDoS extortion continuing to go largely under-reported, throughout the last couple of years — mainly due to the inefficiencies in the business model — the practice also matured into a ‘value-added’ service offered to cybercriminals who’d do their best to distract the attention of a financial institution they’re about to (virtually) rob.
Operating online — under both private and public form — since 2008, the DDoS for hire service that I’ll discuss in the this post is not just offering DDoS  attack and Anti-DDoS protection capabilities to potential customers, but also, is ‘vertically integrating’ within the ecosystem by starting to offer TDoS (Telephony Denial of Service Attack) services to prospective customers.

Sample screenshot of the ‘DDoS for Hire’ vendor’s Web site:
DDoS_For_Hire_Rent_Buy_Purchase_Denial_of_Service_Attack_Botnet_Malware The service oprates 24/7, and promises 100% anonymity when accepting and processing the requests. It charges $20 for one hour of DDoS attack, $50 for a day, and $500 for one week, with a 50% discount for for regular customers, as well as additional discounts when attacking more than one site. Ironically, it also offers Anti-DDoS attack protection capabilities, charging $30 for one hour of protection, $250 for one day and $1,600 for one week of protection. Not surprisingly, taking into consideration the increasing professionalism applied by cybercriminals internationally on their way to optimize the the effects of their campaigns, the DDoS for hire service also offers TDoS services, in an attempt to position itself as a one-stop-shop for commercially available Denial of Service attack capabilities.
The service is just the tip of the iceberg in this vibrant market segment that has managed to preserve its core business strategies for years through the reliance on constant OPSEC-violating advertising on public, cybercrime-friendly communities. With attribution procedures becoming more prevalent across the community, some cybercriminals quickly adapted through the utilization of the ‘aggregate-and-forget’ process, namely, the aggregation of malware-infected hosts to be used in a specific, highly targeted DDoS attack campaign, on their way to make attribution obsolete.
We expect to continue observing more ‘vertical integration’ in this market segment, with vendors who’ve been in business for years, introducing new ‘value-added’ services, on their way to achieve a one-stop-shop business model for anything DDoS related.

Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild


Standardization is the cybercrime ecosystem’s efficiency-oriented mentality to the general business ‘threat’ posed by inefficiencies and lack of near real-time capitalization on (fraudulent/malicious) business opportunities. Ever since the first (public) discovery of managed spam appliances back in 2007, it has become evident that cybercriminals are no strangers to basic market penetration/market growth/market development business concepts. Whether it’s the template-ization of malware-serving sites, money mule recruitment, spamming or blackhat SEO, this efficiency-oriented mentality can be observed in virtually each and every market segment of the ecosystem.
In this post, I’ll discuss a recent example of standardization, in particular, a blackhat SEO friendly VPS (Virtual Private Server) that comes with over a dozen multi-blackhat-seo-friendly product licenses from third-party products integrated. It empowers potential customers new to this unethical and potentially fraudulent/malicious practice with everything they need to hijack legitimate traffic from major search engines internationally.

Sample screenshot of the pricing page for the blackhat SEO-friendly service:
VPS_Blackhat_SEO Surprisingly, the service offers licenses to BHSEO products targeting the international market, instead of licenses for the market leading Russian-based blackhat SEO ‘products’ typically offered by competing vendors. It also features an “About the Team” page with information about the people behind this unethical business venture. Interestingly, the service is also not pitching itself as a bulletproof hosting provider, presumably due to the fact that a huge percentage of hosting providers for ‘grey and black’ projects explicitly state that they blackhat SEO campaigns hosted and operated through their infrastructure.
Over the last couple of years, we’ve witnessed the emergence of blackhat SEO intersecting with the objectives of fraudulent and malicious actors internationally. Empowering them with access to legitimate hijacked traffic, the cybercriminals conducting it quickly started monetizing it, resulting in widespread campaigns, which on the majority of occasions were used to distributed rogue/fake security software. Moreover, thanks to the once again efficiency-oriented approach when it comes to the mass compromise of tens of thousands of Web sites, and the resulting vibrant marketplace for access to compromised Web shells, in 2013, cybercriminals have virtually everything they need to abuse and hijack legitimate search engine traffic.
Blackhat SEO – just because you don’t see it, it doesn’t mean it’s not there.

New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild

Thanks to the free, commercial availability of mass Web site hacking tools, in combination with hundreds of thousands of misconfigured and unpatched Web sites, blogs and forums currently susceptible to exploitation, cybercriminals are successfully monetizing the compromise process. They are setting up iFrame based traffic E-shops and offering access to hijacked legitimate traffic to be later on converted to malware-infected hosts.
Despite the fact that the iFrame traffic E-shop that I’ll discuss in this post is pitching itself as a “legitimate traffic service”, it’s also explicitly emphasizing on the fact that iFrame based traffic is perfectly suitable to be used for Web malware exploitation kits. Let’s take a closer look at the actual (international) underground market ad, and discuss the relevance of these E-shops in today’s modern cybercrime ecosystem.

Sample screenshot of the (international) undeground market ad:
Cybercrime_iFrame_Traffic_Buy_Purchase_Eshop The PayPal and Bitcoin accepting service offers 5,000 visits for $15, 50,000 visits for $100 and 100,000 visits for $175, as well as geolocated traffic consisting of American, French, British and Canadian visitors.
The E-shop opens up two possibilities for abuse:
  • directly embedding exploits and malware serving iFrame URLs – client-side exploit serving URLs can be directly embedded in the form of iFrames on the hacked Web sites that the cybercriminal behind the service has access to, potentially exposing its visitors to the malicious payload served by the service’s customers
  • ‘visual social engineering’ campaigns displayed at Adult Web sites – a typical campaign could take advantage of the same ‘instant action provoking’ visual social engineering campaigns that are typical for PUA (Potentially Unwanted Application) campaigns, in the context of featuring appealing ads mimicking popular products, demanding urgent reaction, or promising a reward for clicking on them

Loose lips sink ships: Apple’s voice assistant Siri lets ANYONE in – again

An Israeli security researcher has found  another way round Apple’s Fingerprint ID security system – this time via a two-step lock-screen glitch which works with the new iOS update 7.0.2, and allows attackers access to the Phone app, including potentially valuable address data, including the  owners phone number and home address.
The “hack” is one of several such glitches which have exploited Apple’s “voice assistant” Siri, according to The Register - some of which were closed off in the recent update, 7.0.2.
Researcher Dany Lisiansky said via his Twitter account, “Great update, Tim Cook! In my video,  I demonstrate the use of two Lock Screen bypass glitches. The first one to initiate the phone call (using an emergency call glitch). And the second one to get access to the phone app.”
The bypass glitch allows access to iPhone’s phone app, which could offer a spouse, or cybercriminal valuable contact information, including addresses, email addresses and phone numbers.
Lisiansky says, “Steps to reproduce:
1. Make a phone call (with Siri / Voice Control).
2. Click the FaceTime button.
3. When the FaceTime App appears, click the Sleep button.
4. Unlock the iPhone.
5. Answer and End the FaceTime call at the other end.
6. Wait a few seconds.
7. Done. You are now in the phone app.”
Apple’s Siri voice control has been the target of various hacks against the device, both on the current iOS 7, and on previous versions. Andy Greenberg of Forbes described the new hack as a “reminder to turn Siri off on your lockscreen.”
At launch, Apple’s senior vice president of marketing, Phil Schiller, described iPhone 5S as “most forward-thinking smartphone in the world.” Apple’s handsets are often targeted by hackers who vie to “jailbreak” each new operating systems first – but the Fingerprint ID system in iPhone 5S has drawn the most attention with this update, with researchers attempting various methods to “get round” the security device.
Last week, Germany’s Chaos Computer Club demonstrated a method to “fool” the sensor - and warned users not to leave secure data on iPhone 5S. Their method was laborious, however – involving the use of forensics equipment, a laser printer, transparency slides and wood glue.
ESET Senior Researcher Stephen Cobb says that such hacks do not “prove” that biometric security cannot work.
“Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly,” Cobb says.
“There is a constant tension between claims of security and efforts to undermine that security. It is clearly true that having to supply a fingerprint as well as a password to access the iPhone 5S, or anything else, makes the data on the device more secure against certain types of attack than only requiring one form of authentication.
“Whether that added level of security is enough for your to trust “sensitive” information to your iPhone is a question for each user to answer. Would I put priceless IP on a mobile phone? No. But read what it takes to beat the fingerprint reader and ask yourself who would go to that trouble for the stuff you do have on your phone.”

Internet Explorer vulnerability will finally be patched on Tuesday after “months” of attacks

Internet Explorer users will be a great deal safer from Tuesday onwards, after Microsoft announced a patch for a vulnerability that has been exploited by attackers “for months” according to reports.
The  vulnerability has been used in targeted attacks against users in Japan and Taiwan, according to ComputerWorld, and experts feared that less-capable hackers would use the exploit after it was released as a module for the popular penetration-testing tool Metasploit.
The vulnerability affects all versions of Microsoft’s browser, and the patch will be released as part of Microsoft’s standard “Patch Tuesday” package.
On September 21, the Internet Storm Center raised its threat level to yellow in response to reports of attacks which exploited the vulnerability, saying, “The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505.  Accordingly, we’re moving the InfoCon up to Yellow.”
“Today we’re providing advance notification for the release of eight bulletins, four Critical and four Important, for October 2013,” said Dustin Childs of Microsoft Trustworthy Computing in a blog post.
“The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505.”
Earlier this week, the exploit had been released as a module for the popular penetration testing tool Metasploit – sparking fears of a new wave of attacks.
The open-source tool is used to test vulnerabilities, but Lucian Constantin of the IDG News Service suggested that, “An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metasploit penetration testing tool, a move that might spur an increasing number of attacks targeting the flaw.”
The module was posted by Metasploit contributor Wei Chen, who said, “Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft.”
https://community.rapid7.com/community/metasploit/blog
There have been multiple reports of the exploit being used in the wild, according to a report by PC World. PC World also suggested that while Metasploit is targeted at the researcher community, the release could lead to the exploit code landing in the hands of cybercriminals.
Microsoft has already released an emergency fix for the vulnerability in all versions of Internet Explorer. Microsoft warns that targeted attacks have already attempted to exploit it
In a blog post, Dustin Childs of Microsoft’s Security Response Center said that the risks for users lay in attackers compromising trusted websites – or convincing them to click links in emails or instant messages.
“This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,” Childs wrote.  “This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”

Intel: Security should be free and ubiquitous rather than opt-in

McAfee Focus 2013 main stage Intel
LAS VEGAS: High-technology companies need to drop archaic opt-in security models and begin designing products with fully integrated security from the get-go, and even give them away free, according to Intel president Renee James.
James claimed the current opt-in security model that requires businesses to proactively tag security services onto their devices and systems is no longer effective.
"We believe that raising the base line of security to a level where at very minimum everyone is protected is not an opt-in any more," she said at a McAfee event in Las Vegas. "We have responsibility in the computing industry and we in particular as a leader in the industry, to make it non-optional. We're no longer living in a world where you can say 'yeah if you want security then turn it on. If you want a firewall go ahead and turn it on'. It's just not ok, to work like that anymore."

James added that based on the magnitude of threats, security needs to be built-in "from the get-go. They shouldn't have to opt in or out for it, and maybe they shouldn't even have to pay for it, maybe it should be ubiquitous."
The Intel president cited the growing number of smart devices being used by businesses as proof old security models are no longer workable. "We actually believe the way computing fundamentally works, the architecture, what's happening with the data centre, what's happening with mobile device proliferation, for all of this security will be central," she said.
"We're going to build teeny teeny little things that all connect and can send data back, so it's not just the billion and half smartphones, it's the billions of other devices out there. You can't solve this one application at a time."
The number of smart devices being used by businesses is an ongoing security concern due to the extended number of entry points into company systems they offer hackers. Prior to James' warnings, experts from Europol, Trend Micro and the International Cyber Security Protection Alliance (ICSPA) warned that hacker attacks on new smart devices, like Google Glass, will cause real-world harm by 2020, if manufacturers do not increase their focus on security.
James said Intel's cross-industry reach and use in multiple devices and technologies puts it in a unique position to help solve the security crisis.

"We touch everything. You don't have to own everything to touch it and we certainly touch the data centre, the cloud. Once you see all those things you're in a very unique position," she said. "There are very few companies that can turn round and say they're going to fix security, to go 'that's wrong I'm going to fix it'. We're one of those companies. It's not altruistic because we know we'll sell more if it's secure."
The Intel chief is one of many technology experts to call for increased industry focus on security. Last week, F-Secure web reputation service expert Christine Bejerasco listed the failure of free cloud services, such as Facebook, Twitter and Dropbox, to adequately test their security before launching as a key problem facing the technology industry.

Workshare explains why it left San Francisco for Silicon Roundabout

The typical tech acquisition story is as follows: large US giant spots up-and-coming UK firm with a good portion of a market it wants to get into. It uses its massive cash reserves to buy UK firm.
We’ve seen it this year with Cisco paying £310m for Swindon-based Ubiquisys, and more recently IBM bought Milton Keynes-based Daeja and Irish firm The Now Factory. Perhaps the most (in)famous example is HP’s somewhat flawed buy of Autonomy. So, end of story. Or is it?
In a rare example of a UK firm buying a US venture, last autumn V3 reported on the acquisition of Workshare by UK firm SkyDox. A win for the Brits, even if the firm did decide to use the Workshare brand as it’s bigger name.
Barrie Hadfield is the CTO of WorkshareThere is more to it than this, though. The founder of SkyDox, Barrie Hadfield (pictured), was also the founder of Workshare, and is now the chief technology officer of the new company. One year on from the deal, V3 caught up with Hadfield to ask how the deal had gone, and how such a unique situation came to pass.
Workshare started life as an on-premise provider of tools for comparing different versions of documents, so staff could track changes and propose alternatives. It has a strong emphasis on security, so only certain members of staff could access, edit or share sensitive documents and data. This has seen it become a popular provider in the legal market, with 4,000 customers to date worldwide.
SkyDox was set up along very similar lines but with an increased focus on collaboration and commenting, and the service was offered in the cloud for firms happy not to have applications or data residing on premise. Hadfield explained that the deal between the two last year was the result of a conversation between himself and the then-chief executive of SkyDox, now entrepreneurial CEO for Workshare, Anthony Foy.
Foy saw that a move to bring Workshare into Skydox’s offering would be complementary for both firms to combine their capabilities and offer both on-premise and cloud tools.
“He [Foy] suggested that we buy Workshare and bring it into SkyDox and we were able to find backers that supported the deal,” Hadfield said. The backing included a £20m investment from Scottish Equity Partners (SEP) towards the firm's growth.
The last 12 months have seen the firms work through the various cultural and professional challenges that come with any acquisition. Chief among these have been relocating the headquarters for Workshare from San Francisco to London.
“We felt it was more efficient to be in London so we could have everyone in one space. Working with management across time zones is very difficult and just not as efficient as all being in the same rooms discussing ideas,” Hadfield explained.
For US staff, suddenly facing the propsect of leaving the West Coast and moving to London, the change must have been tough. “I think it has been fine for most of them,” answers Hadfield, before adding that the success the company has seen since moving also justifies the decision.

Setting up in London, the firm made its base in the Spitalfields area of the up-and-coming Tech City area, which Hadfield said has been a boost for London and the startup community.
“Ten years ago none of it [the community] existed, you had to go to Croydon if you wanted to start a tech firm. But this has all changed now and it’s a really positive development. We are fully supportive of it and try to help where we can with talks and events,” he said.
However, while the company may have moved to London it is still very much focused on the US, with the East Coast proving a lucrative market for its offerings in particular.
“We have offices in New York and Chicago, and we are seeing about 60-70 percent of our business in these markets so they are incredibly important for us,” Hadfield explained.
The US interest in the firm’s offerings over the UK is seen by Hadfield as indicative of the difference between the cultures in the two nations towards up-and-coming technology.
“The UK is quite difficult to be successful in initially because firms are so much more reticent to try new things,” he said. “Australia is usually the most willing to take a chance, followed by the West Coast, the East Coast and then Europe.”
Hadfield believes this is holding the UK back to a small degree, and says it could be down to a misplaced belief that software from other nations, especially the US, is seen as ‘better’ than technology in a home country.
“It would be better for the UK if it were quicker at adopting things. You don’t see a lot of support for UK firms towards UK technology companies, which is similar in Europe. They often seem not to like their nation’s own software firms," he said.
Hadfield blames this on a classic difference in UK and US cultural values. “The UK values understatement, and to be boastful is seen as a negative, but the US is more about promoting and talking about what you’ve done,” he said.
“Having worked in both the US and the UK I have not encountered better people in either locations but people in San Francisco, say, are far better at talking about their ideas and getting them heard.”
However, as the success of SkyDox has shown in acquiring a US-based firm and having the confidence to base itself in London, the UK should feel confident in taking on the US.
“I would never be as bold to suggest it, but I would love it if an outcome of our deal was that we became a blueprint for others. That they can see they don’t have to go to the US for an advantage. There is access to talent and money in the UK,” he said.

Why Bitcoins are the new black in cybercrime

Since Bitcoins first appeared, the cryptographic digital currency has been a controversial topic for businesses, security experts and governments.
This is because, being powered by a self-perpetuating, self-regulating algorithm commonly listed as being the work of a coding and mathematical genius, Bitcoins have the potential to fundamentally change the way we do commerce.
The first key reason for this is that the algorithm and code that powers Bitcoins allows them to determine their own value and automatically regulate how many Bitcoins are being distributed to avid miners, in other words those who generate them. As well as being an impressive feat in its own right, as noted by numerous analysts and academics, this is huge, because in effect it removes power from banks and governments, by cutting them out of the equation so users can make and take payments without paying a cut to the bank or tax to the government.
V3 reporter Alastair Stevenson photo
The second reason is the currency's ability to facilitate instant payments and micro-transactions using mobile devices. These capabilities are huge because, as noted by pretty much every tech company under the sun, the next billion people waiting to be connected to the internet will access the web via smartphones. Considering the poor exchange rate of most developing regions' currencies and the cost of using third-party payment services, Bitcoins have the potential to become the international currency of choice for developing regions.
For this reason it's unsurprising that every day we hear fresh stories of more people setting up mining machines to collect the digital currency. In a normal situation, a user runs an algorithm on their computer to authenticate Bitcoin transactions. Those running the algorithm are in turn rewarded with Bitcoins.
The flipside is that all these strengths can also help cyber criminals, with the self-authenticating, unmoderated nature of Bitcoins making it very difficult to track transactions, creating an ideal platform for criminal groups looking to hide their movements from law enforcement. Earlier this month the popularity of Bitcoins in cybercrime was poignantly demonstrated during the FBI's Silk Road takedown. The FBI reported that the infamous cyber black market – which is well known to have facilitated illegal activities such as the sale of class A drugs – earned a massive 9.5m Bitcoins (£739m).
This was the price of a cryptographic currency, and in my mind it was a semi-acceptable one; criminals have always found ways to launder their ill-gotten gains and this is just the latest development. However, the last four weeks have shown that criminal interest in Bitcoins is evolving in alarming ways. Most recently this was demonstrated by Symantec when it sinkholed 500,000 of the 1.9 million zombie machines from the infamous ZeroAccess botnet. The intelligence gained from the operation showed that, despite earning far less money than they would with basic click fraud, the hackers behind the operation had repurposed ZeroAccess-enslaved machines into Bitcoin mines.
For me this is troubling as it shows that criminals are now as interested in illegally accruing Bitcoins as they are in using them to hide their money's movement from law enforcement. The reason for this remains unknown, though as noted by Symantec, and F-Secure chief research officer Mikko Hypponen, it's likely that the reduced risk of Bitcoin mining compared with other scams such as click fraud. Mining operations are less risky because they have little real impact on a victim aside from a slightly increased electricity bill. For this reason, I can see Bitcoin botnets being the new vogue item in cybercrime circles – a state of affairs which will only serve to cast further doubt upon Bitcoins' legitimacy and hamper non-criminal users from enjoying the benefits of crypto-currencies.

US government failing to prepare for cyber Pearl Harbor, says ex-defence secretary

whitehouse
LAS VEGAS: The US government's failure to work with businesses is leaving the country's critical infrastructure open to a crippling "cyber Pearl Harbor" attack, according to former CIA director and secretary of defence for President Obama, Leon Panetta.
Panetta criticised the government, arguing that partisan battles within the government are stopping it from properly addressing the growing cyber threat facing industry, during a press briefing attended by V3.
"I have never seen in all my time in and out of Washington so many people who are committed to screwing things up," he said. "In the past I've described the potential happening of a cyber Pearl Harbor, an attack that devastates our critical infrastructure and paralyses our nation. We need better defences to confront these threats."
Panetta said the lack of affirmative action is dangerous as state-sponsored hackers are already targeting the country. "We still live in a dangerous world and the last thing we should do is reduce our guard. We're still a nation, and war and terrorism remains a threat," he said.
"When I was at the CIA in 2009 our counter-intelligence teams told us we were experiencing as many as 100,000 cyber attacks every day. Now you can imagine for the defence department the number of cyber attacks is also enormous. This is because the network is enormous: 1.4 million people on active duty, 300,000 reserves, 800,000 civilians, all of them armed with devices on the network. All of that needs to be defended."
He added that the threat posed by state-sponsored hackers is not limited to government departments and the country has already mitigated attempts on critical infrastructure areas.
"In 2009 to 2012 the focus of our concern was economic espionage and the threat to US intellectual property. Then we received reports of even more disturbing attacks. Distributed denial of services targeting financial institutions. Though largely just nuisance attacks they broke the threshold. They were the first state attacks against our private industry. The next attack was destructive," he said.
"In August of 2012, state-backed hackers hacked into the system of a national oil company in Saudi Arabia. The attack contained a very particular virus the Shamoon virus that literally destroyed 30,000 computers. This is the level of the cyber threat and there are concerns there could be even more destructive attacks – we know state actors are probing our critical infrastructure."
Attacks on businesses involved in critical infrastructure has been a growing concern for governments across the world. Numerous security providers have criticised critical infrastructure areas, such as power plants, for their reliance on outdated software that leaves them open to attack.
Experts from Bluecoat systems and the Jericho Forum argued last year that UK businesses linked to critical infrastructure areas have opened themselves up to cyber attacks by prematurely moving key systems online.
Panetta said governments need to adopt a similar three-stage strategy to that taken by the UK. "First of all, we need to have the American people and the people of the world understand the nature of the threat. Second, we need a strong government and private sector partnership, we all share a global infrastructure and we have a duty to protect it. Private industry must invest more in its defences and it must be willing to share data with the government," he said.
"Third, we have to continue to invest in cyber technologies. The government must continue to invest in creating new technologies and in training and recruiting skilled cyber warriors."
The UK Cyber Security Strategy has already seen the UK government launch numerous initiatives designed to increase collaboration between the public and private sector, and to increase the number of young people training in information security.
These have included schemes such as the Cyber Security Information Sharing Partnership (CISP) and the GCHQ-led Can You Find It code-tracking challenge.

PRISM: Government faces court action in Europe over spy scandal

GCHQ Cheltenham
The Government Communications Headquarters (GCHQ) is facing a legal challenge in the European Court of Human Rights (ECHR) over its involvement in the PRISM spying scandal.

The case is being brought by three leading civil liberties organisations in the UK – Big Brother Watch, the Open Rights Group and English PEN – which argue that privacy rights were infringed by the spying programme.

Deighton Pierce Glynn solicitors will represent the applicants and Daniel Carey, the solicitor heading the case, said the case against GCHQ was strong and needed to be dealt with in public.
“We are asking the court to declare that unrestrained surveillance of much of Europe’s internet communications by the UK Government, and the outdated regulatory system that has permitted this, breach our rights to privacy. This is not something the secret investigatory powers tribunal can do.
"Indeed, it is precisely the sort of case that we need the ECHR for. We are asking for the case to be dealt with on a priority basis, so I am hopeful that it will be formally communicated to the UK Government within a period of weeks.”
V3 contacted the GCHQ for comment but it said it would not comment on the case.
Nick Pickles, director of Big Brother Watch, said it was vital that the government was held accountable for its actions, especially as it was taking advantage of outdated privacy laws.
“The laws governing how internet data is accessed were written when barely anyone had broadband access and were intended to cover old-fashioned copper telephone lines,” he said.
“Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable.”
Jim Killock, executive director of the Open Rights Group, said tackling the issue was vital as the potential for spying programmes to get out of hand was a chilling prospect.
"Mass surveillance systems create risks for everyone, and place extreme degrees of power in the hands of secret agencies," he said.
"This is made worse by the lack of democratic accountability and judicial oversight. People living across the UK, Europe, the USA and beyond need the courts to protect their rights and start the process of re-establishing public trust."
The PRISM spying scandal broke earlier this year when it was revealed by whistleblower Edward Snowden that the US had been leading a huge spying programme to monitor and analyse internet traffic.
This also led to revelations about a UK-led operation called Tempora, which saw the GCHQ tap into global telecoms networks to extract and analyse worldwide web traffic.

Cloud computing and BYOD will force firms to redesign networks to combat security threats

LAS VEGAS: Businesses will have to redesign their networks from the ground up if they hope to protect their data from next-generation hackers, according to McAfee president Michael DeCesare.
DeCesare said business and high-tech companies will have to use a by-design strategy if they wish to remain ahead of the threats they face. He was speaking during a keynote at the McAfee Focus conference, attended by V3.
"We have to figure out how to integrate security into [networks] from the get-go. We have to redefine the role of network security. Companies are going to have to change. All companies will be rebuilding their networks," he said.
DeCesare cited new trends resulting from developments in mobile cloud technologies, such as bring your own device (BYOD), as proof of the weakness of current networks.
"We are asking so much of our networks these days, not just with security, but in general. But, when we designed these networks five or 10 years ago we did not contemplate what we'd be asking of them today: to ingest the concept of a public or a private cloud, adjusting to the parameters of BYOD," he said.
"We're also asking them to be able to offer higher levels of security on any bit of information or device connecting to them and we're balancing that with the concept of software-defined networking. What is happening in the network space is the same thing that was happening with the data centre space over the last 10 years – virtualisation is coming to the network."
He added that businesses will have to move quickly to address the problem as it is now far easier for hackers to target them. "There is a physical divide as the budgets we have aren't growing at the same rate as the technological sophistications of the adversaries that we face every day. Lastly there is a playing field divide, it is asymmetrical warfare. As security professionals we try and guard against this growing number of attacks on every IP-enabled device," he said.
"But every one of these that comes online is on different platforms, different software versions and we as security professionals have to guard all of these. But the adversaries we deal with every day just have to find one way in. The adversaries also don't have to worry about usability standards, they don't care if they break machines."
DeCesare said the trend is even more troubling as hackers have already begun using the new technologies to create next-generation cyber attacks. "We've seen an increase over the last 12 months of targeted Trojans. Sure we've seen these before, what's changed is the deployment model. A big thing is the concept of free apps. Ten years ago you'd have never downloaded anything free to your laptop or phone, free was bad news. Now this has changed and applications can be built for different purposes," he said.
"We've also seen an increase in evasion techniques. Malware is now able to know if it's in a sandbox and sit idle until the scan's finished before moving on. These are all examples of the growing technical sophistication of where the cyber criminals are heading."
McAfee is one of many security companies to warn of the dangers posed by new smart devices and cloud services. Last month F-Secure web reputation service expert Christine Bejerasco claimed that the failure of free cloud services, such as Facebook, Twitter and Dropbox, to adequately test their security before launching helped to ignite the current cybercrime boom.

Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal

Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.
The firm's director of security, Ramses Martinez, announced in a candid post on Yahoo's developer blog that successful bug reports would now warrant a minimum reward of $150 and a potential top payment of $15,000 for the most severe and unique discoveries.
The policy will be backdated to reports submitted after 1 July 2013 and would come into full effect on 31 October. "The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," he said.
Martinez, who claimed he paid for t-shirts for developers out of his own pocket in the past, said a process had already been set in motion before this week's "t-shirt-gate" scandal broke to properly compensate hackers for their finds.
"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo.
"How dare I send just a t-shirt to people as a thanks?", he lamented.
Yahoo offers a range of merchandise including this fetching cap for five dollars
Gift vouchers were valid for Yahoo t-shirts, mugs, hats and much more
He added that the reporting process would be streamlined to improve speed and quality and that companies and individuals who submitted reports would get corporate recognition to boost their own reputation, as well as public recognition for the best and most important finds in a "hall of fame".
"We're excited to get this new process going and believe it will improve Yahoo's relationship and effectiveness with the security community," Martinez concluded.
Ilia Kolochenko, chief executive of Switzerland-based High-Tech Bridge which conducted the gift voucher-exposing research, maintained that while he did not do the research for money, he believes Yahoo's change in policy was an important step for its future.
"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.
Kolochenko added that Martinez' policy of buying t-shirts with his own money was "definitely an example of how a CSO [chief security officer] should behave", but said Yahoo was better off sending no reward at all instead of corporate gifts, something he said could be interpreted as "insulting".
Martinez had the last word on the issue, saying that even Kolochenko's firm would get their just reward. "This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my t-shirt," he said.

Hackers steal data on 2.9 million Adobe customers and product source code

Adobe headquarters in San Jose

Adobe has admitted that cyber criminals have stolen source code to several of its products and accessed data on millions of customers after it uncovered “sophisticated attacks” on its network.
Chief security officer at Adobe Brad Arkin wrote in a blog post that data on 2.9 million customers was accessed and reams of data was stolen.
“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” he said.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred.”
Arkin added that the firm is now working with law enforcement agencies to assess the incidents and is taking a number of steps to try to protect customers. This includes resetting passwords for all customers and notifying those whose data was stolen.
Banks have also been informed about the incident so they can try to stop any fraudulent activity taking place through customer accounts.
Regarding the theft of source code for its products, Adobe said that its Acrobat, ColdFusion, ColdFusion Builder and other, unnamed, Adobe products were affected. It said it was currently not aware of any zero-day exploits targeting these problems.
“Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin said in a separate blog post. The firm said earlier this week that fixes for two key products would arrive next week, although it's unclear if this is related.
"Adobe is planning to release security updates on Tuesday, October 8, 2013 for Adobe Reader and Acrobat XI (11.0.04) for Windows," it said
The firm also thanked Brian Krebs, of KrebsOnSecurity.com, and Alex Holden, chief information security officer at Hold Security, for helping Adobe deal with the incident when it came to light.
Arkin added that the threat posed by attackers to firms such as Adobe is becoming ever more real, as these attacks have proved.
“Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers.”
The incident should serve as a warning for other firms in the business world, as criminals are attacking the networks of an increasingly diverse range of companies. Earlier this year kitchenware store Lakeland was the target of a successful attack, underlining that firms of all shapes and sizes must be on their guard.

Apple iPhone 5S fingerprint scanner must be a springboard for better biometric tech

McAfee Focus 2013 main stage
LAS VEGAS: Security firms need to build on the biometric technology seen on the Apple iPhone 5S to provide better security protection for users wary of giving away too much data, according to McAfee.
The firm's chief technology officer Michael Fey criticised the Apple iPhone 5S Touch ID fingerprint scanner, claiming the phone maker failed to take advantage of the potential security benefits of biometric technology, during a press keynote attended by V3.
"We can do so much more with biometrics than just attaching it to a password. Dealing with identity is about protecting your identity and privacy, and using that to make it safer traveling within an environment. It's not just about replacing your password with one of your biometrics," he said.
"Your phone has the capability to know who you are, where you are, where you were yesterday, what's your user habit, what you look like, how you sound. All of these things can be used to ensure that you control your identity online and your passage through that environment."
Apple lists the Touch ID scanner as a key selling point for the 5S. It is designed to make the iPhone more appropriate for business use, offering a further layer of protection against potential data breaches if devices are lost or stolen. The fingerprint scanner works by scanning the sub-epidermal skin layers of the person holding the iPhone to verify their identity before unlocking.
Biometric authentication is a hot topic in the security community, with many end users feeling uncomfortable with the amount of user data the practice requires to work. These concerns reached new heights earlier this year with the PRISM scandal. The scandal broke when whistleblower Edward Snowden leaked documents to the press proving that the NSA is gathering vast amounts of user data from technology companies.
Fey moved to address these concerns, arguing: "The conversation about identity is driven by these concerns, it's about letting the user own their identity and keep their data private. We're in complete alignment over the concerns about the behaviour that's been in play. If you look at the people that are using identity – the Googles, the Facebooks – they're turning these people into a product. If you use something like Facebook you become a product and you have to be happy being schlepped out as a product," he said.

"We believe there is a big proportion of people out there not happy to have their identity put out there in that format. Those are the people we want to extend our trusted relationship to now and say we get the need for biometrics, they're wonderful for identifying who you are, but let's use them in a way that [means] you stay personal."
The McAfee chief added that, even if correctly implemented, biometrics alone aren't sufficient to fully secure users' data. He said to fully secure devices manufacturers will have to begin building them with security in mind from the start. Fey added the firm has already begun working towards this goal, partnering with parent company Intel to create new security chips and components.
Fey is one of many security professionals to call for smart device makers to place more importance on security. Experts from Europol, Trend Micro and the International Cyber Security Protection Alliance (ICSPA) warned that hackers will begin causing real-world harm if manufacturers do not increase their focus on security.

FBI shuts down deep web Silk Road cyber black market

FBI Agent
The FBI has arrested a man believed to have created the notorious Silk Road cyber black market, which has now been shut down as a result of the arrest.
The arrest and shutdown was revealed in a court filing against 29-year-old Ross William Ulbricht in the Southern District of New York. Believed to be the notorious "Dread Pirate Roberts", the filing charged Ulbricht with conspiring to traffic narcotics, hack computers and launder money.
"From in or about January 2011, up to and including September 2013, the Silk Road Hidden Website... has served as an online marketplace where illegal drugs and other illicit goods and services have been regularly bought and sold by the site's users," read the court filing.
"The complainant further alleges, in part, that the Silk Road Hidden Website is designed to facilitate the illicit commerce hosted on the site by providing anonymity to its users, by operating on what is known as The Onion Router or Tor network... and by requiring all transactions to be paid in Bitcoins, an electronic currency designed to be as anonymous as cash."
Silk Road is a deep web black marketplace only accessible through the Tor network, known to facilitate the trade of illegal substances, such as class A drugs. The site also offered tutorials on a variety of illegal activities, such as how to make explosives and hack bank machines. It also offered contact information for a variety of illegal services, including listings for hitmen.
The site took payments for services rendered in the cryptographic Bitcoin currency. The filing said the website generated sales of more than 9.5m Bitcoins (£739m) before being shut down. Silk road is one of many illegal cyber black marketplaces to begin taking Bitcoin payments. In May, Webroot researcher Dancho Danchev reported uncovering a cyber black market accepting Bitcoins as payment for a keylogger.
McAfee CTO Raj Samani told V3 that while this is positive news, it is likely that a new similar marketplace will appear to fill the gap left following the takedown.
F-Secure chief research officer Mikko Hypponen recently reported that criminals' interest in Bitcoins has grown and that many are using machines connected to Botnets to run illegal Bitcoin-mining operations. Bitcoin mining refers to the way Bitcoins are earned, and works by paying users Bitcoins for running an algorithm on their computer to authenticate transactions on the Bitcoin platform.
Hypponen's claim was backed up by security firm Symantec, which reported rescuing 500,000 of the 1.9 million zombie machines enslaved by the infamous ZeroAccess Bitcoin-mining botnet at the end of September.

Integral offers mSATA SSDs with FIPS-certified encryption for ultrabooks and tablets

Integral Crypto mSata SSD
Integral Memory is claiming to be the first storage vendor with mSATA solid-state-drive (SSD) modules that support FIPS-certified 256-bit hardware encryption to protect data.
Integral's Crypto mSATA SSDs, which are available now for laptops and tablets, support 64GB, 128GB and 256GB capacities for system integrators and individual buyers via resellers such as Insight and Misco, with guide prices of £142, £183 and £267, respectively, the firm said.
Drives with built-in encryption have become increasingly common as businesses, especially those in the financial sector, become more aware of the risks of data breaches from lost or stolen end user devices.
However, while self-encrypting hard drives and SSDs are already available, Integral claims to be the first vendor to offer Federal Information Processing Standards (FIPS) certified SSDs in the mSATA format, designed for smaller portable devices such as laptops, ultrabooks and tablets.
The encryption is 256-bit Advanced Encryption Standard (AES), endorsed by the US National Institute of Standards and Technology (NIST) to meet the FIPS 197 data security standard.
Integral's security product manager Samik Halai said: "Crypto mSATA SSD allows organisations to meet their obligations under data protection laws, provides many advantages over software encryption alternatives, and delivers all the benefits of SSD technology ranging from improved productivity to increased laptop battery life."
Integral said the Crypto mSATA SSD encrypts all data on the drive, including the operating system, at shutdown. The user can only access the disk and boot into Windows by entering the correct 8-16 character password, and all the data will be erased after a preset number of failed password attempts.
The Crypto mSATA SSD is configured and passwords set using the supplied SSD Lock tool, which supports both administrator and user passwords. If a user forgets their password, the Crypto mSATA SSD can then be unlocked by the administrator and the user password reset.
The module itself supports a 6Gbps SATA 3 interface, and is capable of sustained read speeds of up to 397MBps and write speeds of 354MBps, according to Integral.

Microsoft enterprise cloud customers protected by a wall of lawyers

Microsoft logo at its Redmond headquarters
Microsoft's user data requests transparency report contained a brief line about the customers using the firm's enterprise services.
It stated that 19 requests had arrived in the first six months of 2013, all of which came from US agencies relating solely to customers within the US. Microsoft also added that so far it had received no requests regarding enterprise customers in connection with national security orders, which are more serious requests that can't be reported in detail.
It said that the 19 requests related to 48 accounts, which resulted in customer content (emails, documents, chat messages) being disclosed on four occasions, with one other request responded to with non-content data, which includes usernames and IP addresses. Of those five requests, four of the customers were notified while one other was not. Thirteen other requests were rejected or had no relevant data, with one further case still pending.
Microsoft defines enterprise customers as organisations subscribing multiple users to services such as Office 365, Azure, Exchange Online and CRM Online.
Microsoft highlighted that this is particularly pertinent as, while it obviously affects such a tiny minority of users, it still means that enterprise customers using cloud services have no choice as to whether they choose to release their data or not. If it's stored on Microsoft's servers, it's Microsoft's responsibility to disclose data whether they like it or not.
The crumb of comfort for Microsoft's enterprise customers is that Redmond clearly has a crack legal team that will reject any request it sees as legally unjustified. With that being said, there's still a lot of faith the public has to put into a group of unknown legal experts.
It will be interesting to see how Microsoft's data compares with other enterprise cloud service providers if they choose to release their own data, which they are of course not obliged to do.

GCHQ to quality check UK industry network professionals' security skills

Man using Gunnars specs while working at his computer
The GCHQ has announced plans to extend its ongoing CESG Certified Professional (CCP) scheme to accredit all workers responsible for securing UK industry networks at all types of organisations.
Communications-Electronics Security Group (CESG), the information security arm of the GCHQ, announced the extension in a public post. The scheme will now offer security professionals the ability to apply for CCP Practitioner, Senior Practitioner and Lead Practitioner level accreditations across six key roles. These include Security and Information Risk Advisor (SIRA), IA Accreditor, IA Architect, IA Auditor, IT Security Officer and Communications Security.
Applicants skills will be tested by a joint consortium run by the Institute of Information Security Professionals (IISP), the Council for Registered Ethical Security Testers (CREST) and Royal Holloway University's Information Security Group (ISG). Those who pass will be given accreditation for three years. The exams and accreditations are designed to be a quality benchmark assuring businesses of the professionals' abilities.
Chloe Smith, minister for political and constitutional reform, said the benchmark will help bolster the UK's reputation as a world leader in the cyber security industry. "Since its launch last year, the CCP scheme has been warmly welcomed and endorsed by government cyber security professionals. With demand growing from industry to be part of the scheme, now is the right time to open up CCP and set a unified standard for cyber security professionals right across the UK," she said.
Chris Ensor, CESG's deputy director for the National Technical Authority for Information Assurance (IA), mirrored Smith's sentiment. "CCP is something that UK industry has been waiting for and I am delighted that we have been able to make the scheme available. I would particularly encourage those organisations that support the UK's critical national infrastructure to endorse the scheme and help build a community of UK cyber security professionals that is the envy of the world," he argued.
Growing and protecting the UK's digital economy has been a central goal of the UK government's cyber strategy since it launched in 2011. The government has listed increasing collaboration between the public and private sector as a key step in its security strategy. Cabinet Office minister Francis Maude launched The Cyber Security Information Sharing Partnership (CISP) in March to help with this endeavour.
The GCHQ's CCP scheme was originally unveiled in 2012 but was only offered to government employees and select external service providers. IISP chairman, Alastair MacWillson welcomed the extension, confirming the scheme has already helped accredit 900 government workers.
"We have already helped some 900 government employees and external service providers achieve CCP certification and the decision to extend the scheme to the public sector will increase the UK's IA knowledge, skills and capability in all fields of cyber security to meet one of the objectives of the UK Cyber Security Strategy," he said.
"CESG's decision to base the CCP scheme on the IISP Skills Framework is further recognition of our work to develop critical skills and provide greater professionalism in the cyber security industry."
President of CREST Ian Glover added that the exams aim to increase the number of people interested in a role within the information security industry, by offering them a clearer career path.
"Extending the broader CCP scheme to the private sector is a very logical extension and will give UK companies a much greater level of confidence in the skills, knowledge and competence of their staff and contractors and will provide real career paths for those working in the industry," he said.
Getting more young people interested in careers in cyber security has been a growing challenge facing both the public and private sector. The GCHQ has launched several initiatives designed to help find and train new cyber security professionals. Most recently the GCHQ launched its new Can You Find It challenge to help find and recruit the next generation of cyber security code experts.

Symantec sink holes 500,000 zombie machines enslaved by ZeroAccess botnet

Digital security padlock red image
Symantec researchers have successfully rescued 500,000 of the 1.9 million zombie machines enslaved by the infamous ZeroAccess botnet. The researchers reported managing to save the machines after uncovering a way to sink hole an earlier version of the botnet, in a public blog post.
"Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed. During this process, we examined a weakness that offered a difficult, but not impossible, way to sinkhole the botnet," read the post.
"This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed."
Sinkholing is a takedown commonly used by law enforcement and security professionals when combating botnets. The technique works by re-routing the identification of the malicious command and control (C&C) server used by the botnet to send commands to the zombie machine to the sinkholer's own analysis server. Prior to Symantec's operation it was thought impossible to sinkhole as it doesn't feature a central command and control (C&C) server instead existing and operating on a peer-to-peer network.
"Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network," explained the Symantec post.
"What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes."
Symantec managed to garner fresh insights into ZeroAccess' money making mechanisms during the operations. ZeroAccess is an atypical botnet that not only uses enslaved machines for generic click fraud scams, but also as Bitcoin miners. The security firm reported the investigation showed an increased focus on Bitcoin mining, confirming the scams were causing as much as $560,887 worth of harm per-day in electricity use alone.
"To work out the cost of ZeroAccess to an unsuspecting victim, we calculate the difference between the cost of Bitcoin mining versus the cost of the computer idling; for our test setup it works out at an extra 1.82 KWh each day, which is not a whole lot for one victim to pay," read the report.
"If each KWh of electricity costs $0.162 then it would cost $0.29 to mine on a single bot for 24 hours. But multiply this figure by 1.9 million for the whole botnet and we are now looking at energy usage of 3,458,000 KWh (3,458 MWh, enough to power over 111,000 homes each day.)
"This amount of energy is considerably greater than the output of the largest power station in Moss Landing, California, which could produce 2,484 MW and would come with a corresponding electricity bill of $560,887 a day. Despite the costs, all this energy will create just $2,165 worth of Bitcoins a day!"

The botnet's focus on Bitcoin mining was taken as odd as Symantec's research showed its click fraud operations were far more profitable. "The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day," read the report.
"They also generated around 42 false ad clicks an hour (1008 each day). While each click may pay a penny or even a fraction of a penny, across 1.9 million infected machines, the attacker is potentially generating tens of millions of dollars a year."
The reason for the  focus on Bitcoin mining remains unknown, though security researchers, like F-Secure's Mikko Hypponen, have in the past theorised it could be due to the decreased risk Bitcoin mining offers. This is because, outside of the minor rise in electricity costs, the operation doesn't greatly impact the victim, meaning the crooks can operate undetected while running the scam.
ZeroAccess is one of many Botnets to be targeted with a sinkhole attack in recent months. Prior to ZeroAccess, Microsoft and the FBI targeted the infamous Citadel botnet with a sinkhole attack. At its height the Citadel botnet is believed to have controlled millions of infected PCs and been responsible for more than $500m in bank fraud.

UK hackers responsible for just 0.016 percent of worldwide cybercrime

painted-pound
British hackers are far behind their US counterparts, with a meagre 0.016 percent of cyber attacks stemming from the UK, according to security firm FireEye.
Senior architect at FireEye Jason Steer cited statistics in the firm's latest World War C threat report as proof that the US is the biggest source of cybercrime during an interview with V3.
"Whilst the UK is sixth in the FireEye national callback table, statistically this represents only 0.016 percent – while we continue to see the US dominate the callback league with almost 50 percent of originating callbacks, more than 500 percent more than the next country in the league table, Hong Kong. The US, with open markets and bulletproof hosting providers, creates an ecosystem ripe for use by attackers today," he said.
Steer said knowing exactly why the UK is responsible for so few cyber attacks is difficult, though it is likely in part due to the country's robust anti-hacker laws and police initiatives.
"Many reasons explain this, including a lack of bulletproof hosting providers, strong law enforcement [such as the] Serious Organised Crime Agency (SOCA), and other countries providing a better service for a cheaper price. Simply, the UK isn't the best place to launch attacks and have callbacks come back to – it's more risky than doing it in other countries," he said.
Combating cybercrime has been a central goal of the UK government's Cyber Security Strategy since it launched in 2011. The strategy has seen the government launch several cybercrime-busting initiatives designed to increase collaboration to combat cyber threats between the public and private sector. These have included the creation of a new British Computer Emergency Response Team (CERT), the opening of two cyber security advice centres for businesses and the launch of the Cyber Security Information Sharing Partnership (CISP).
The strategy has had some success since launching, with the Metropolitan Police reporting last month that UK law enforcement's anti-hacker efforts have stopped criminals stealing over £1bn from businesses and citizens in the last two-and-a-half years.
Steer said despite the positive news FireEye has detected a number of local attacks mixing real-world and cyber techniques. "We occasionally hear that some attacks against UK organisations originate within the UK. There is a broad assumption that all attacks come from overseas, but the intel we hear suggests that often there is a physical connection that initiates a cyber attack – this is the catalyst for it being local."
The mixing of cyber and real-world techniques by criminals is a growing problem facing UK police. Prior to the FireEye report the Metropolitan Police have charged four individuals with conspiring to hack a Santander bank branch in London.
The criminals reportedly planned to hack the Surrey Quays Santander branch by attaching a keyboard video mouse (KVM) switch to a terminal. The tactic would let the criminals take control of the terminal from a remote location at a later date.