Wednesday 26 March 2014

Hackers Can Force ATMs to Spit Out Money With a Text Message

http://i.kinja-img.com/gawker-media/image/upload/s--z77y8x0R--/t_ku-xlarge2/qipg2ekjivkyiuc8fhx9.jpg
It's getting remarkably easy to hack ATMs these days, and security researchers say that Microsoft's aging Windows XP is making the problem worse. This week, security analysts at Symantec blogged about a new technique popping up in Mexico that uses text messages to give hackers access. It's as wild as it sounds.
The method does take some grunt work, though. The first step in this method involves installing a known type of malware called Ploutus on an ATM. This requires the thief to physically break into the cabinet and use a CD-ROM or USB stick to infect that machine. In the past, the attack would then be carried out using an external keyboard to crack the ATM's security system. Now, however, you can simply connect a cell phone to the machine via USB and send a text to the phone. The phone turns the text into a network packet that commands the ATM to spit out cash.

NSA hacked into servers at Huawei headquarters, reports say

The U.S. National Security Agency has hacked into Huawei Technologies servers, spied on communications of company executives and collected information to plant so-called backdoors on equipment from the Chinese networking manufacturer, according to reports published over the weekend.
In response, the NSA said that it declines to comment on specific, alleged foreign intelligence activities. In a statement emailed to the IDG News Service, the agency elaborated, saying that "NSA's activities are focused and specifically deployed against -- and only against -- valid foreign intelligence targets in response to intelligence requirements."
On Monday, Huawei said in an email, "If the actions in the report are true, Huawei condemns such activities that invaded and infiltrated into our internal corporate network and monitored our communications."
The latest reports are part of a long-running cyberespionage saga. U.S. officials have contended for years that China's People's Liberation Army (PLA) works with manufacturers and hacking groups to spy on U.S. companies and government agencies.
Since last June, documents leaked by former U.S. intelligence contractor Edward Snowden and published by various news organizations have shown that the NSA has conducted its own surveillance campaigns, including programs to hack into equipment from Chinese networking manufacturers.
But according to new reports over the weekend from The New York Times and Der Spiegel and based on documents leaked by Snowden, the NSA succeeded in penetrating equipment at Huawei headquarters in a plan to monitor communications on the company's networking equipment worldwide.
The NSA "pried its way" into Huawei servers at the company's headquarters in Shenzhen, China, according to an online report in The New York Times Saturday.
The operation, code-named "Shotgiant," was to try to establish long-suspected links between Huawei and the PLA, and also to plant backdoors on Huawei equipment sold worldwide, according to the Times.
Among the information cited by newspaper was a 2010 document detailing Shotgiant operations. However, covert operations against Huawei go as far back as 2007, The New York Times report said. The NSA also monitored communications of Huawei executives, the report said.
One goal of Shotgiant was to place backdoors on Huwei technology in order to monitor communications on network equipment acquired by the company's customers, which include U.S. allies and adversaries, according to the report.
The report in the Times does not specify how successful this was, since technical details of the operation were withheld from publication at the request of the U.S. government, according to the newspaper.
The NSA is taking pains to distinguish its surveillance activities from those of China. U.S. government and business officials claim Chinese spying activities are intended, among other things, to gain commercial advantage over the U.S.
"We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line," the NSA said in an emailed statement Sunday.
"It is important to note the overlay of law, regulation, policy, procedure, technical safeguards, training, culture, and ethos in the use of such tools; all of these things govern how NSA deploys various foreign intelligence techniques to help defend the nation," the NSA said.
The latest reports of the NSA's spying on Huawei follow earlier news stories about efforts to place backdoors on equipment from the company.
In December last year, Der Spiegel published a report outlining how the NSA intercepts deliveries of new computer equipment en route to plant spyware. The operation was conducted by the NSA's Office of Tailored Access Operations (TAO), which specializes in infiltrating computers, according to the report.
The newest reports this weekend say that the TAO unit by 2010 gained access to Huawei headquarters and was able to collect communications from Ren Zhengfei, the company's founder.
The Times story, however, pointed out that none of the documents leaked by Snowden show that NSA operations proved a specific link between Huawei and the PLA.
U.S. government officials for years have suspected that Chinese networking companies have worked with the PLA. For example, a congressional committee concluded an inquiry in 2012 with members still in doubt about the security of networking equipment from Huawei and ZTE
The U.S. government has also blocked efforts by Huawei to expand its business in the country. In September 2011, for example, the U.S. Department of Commerce said it had told Huawei that the company was barred from participating in a project to build a national wireless network.
Last October, Huawei issued a company report on cybersecurity in which it suggested ways companies could work together internationally to secure networks from hacking.
"We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies," Huawei Deputy Chairman Ken Hu said in the report.
In an online article Saturday, The New York Times quoted William Plummer, a U.S.-based Huawei executive, as saying: "If such espionage has been truly conducted then it is known that the company is independent and has no unusual ties to any government, and that knowledge should be relayed publicly to put an end to an era of mis- and disinformation."
In addition to selling networking equipment, Huwaei is also the third-largest vendor of smartphones in the world. However, as recently as Mobile World Congress last month, a Huwaei official confirmed that the company has essentially given up on the network infrastructure business in the U.S., which makes efforts to sell mobile devices in the country more difficult.

An Open Letter to IBM's Open Letter

Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.
At the outset, we think it is important for IBM to clearly state some simple facts:
  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put "backdoors" in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.
To which I ask:
  • We know you haven't provided data to the NSA under PRISM. It didn't use that name with you. Even the NSA General Counsel said: "PRISM was an internal government term that as the result of leaks became the public term." What program did you provide data to the NSA under?
  • It seems rather obvious that you haven't provided the NSA with any data under a bulk collection surveillance program. You're not Google; you don't have bulk data to that extent. So why the caveat? And again, under what program did you provide data to the NSA?
  • Okay, so you say that you haven't provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?
  • Of course you don't provide your source code to the NSA for the purpose of accessing client data. The NSA isn't going to tell you that's why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?
  • Yes, we know you need to comply with all local laws, including US laws. That's why we don't trust you -- the current secret interpretations of US law requires you to screw your customers. I'd really rather you simply said that, and worked to change those laws, than pretending that you can convince us otherwise.
EDITED TO ADD (3/25): One more thing. This article says that you are "spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government." Do you not know that National Security Letters require you to turn over requested data, regardless of where in the world it is stored? Or do you just hope that your customers don't realize that?

Walkthrough of a Recent Zbot Infection and associated CnC Server

During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to it's CnC and exfiltrating data via POST requests.
  • MD5: 0b43d6a65f67ef48f4da3a1cc09335a1
  • Size: 442368 bytes
  • Detected as PWS:Win32/Zbot by Microsoft (VT 43/49)
[POST DATA]


iTpRAQWetIVVzRx502Gqds3DKmG80ru/P1ggedWTJAgrue/EVaoL95bMH6K0It8I9/wGHEIKbkXhcoxGOKgJOxGFYkvfoWsUM/NWAUQ+wdjlZOpD0Ke77Sob6rQT0WToRF9lWkhx514Es9wGHNKTn5xrTY7pJeqxGiTNMsB3fsCFfjZZKabmhwDzKTP/0W6FFEJb

What separated this discovery from your average CnC server? The attackers were kind enough to leave the CnC server largely exposed (directory browsing enabled, many files not password protected) to provide a rare behind the scenes look at a live botnet operation. Let's walk through what we observed.  

The above mentioned Zbot variant was responsible for dropping the following malicious files:
  • 6ca1690720b3726bc76ef0e7310c9ee7 - Win32/Stoberox.B (VT 26 / 50)
  • d2c6a0e888d66882d7dc29667c4c9ec0 - TrojanDownloader:Win32/Cutwail (VT 38/50)
We also noted that it started a server listening on ports 1548 and 3492 and sends some data via POST requests to hxxp://vodrasit.su/admin/gate.php
(see malwr sandbox report).

Domains contacted:
  • shivammehta.com [ IP: 181.224.129.14]
  • merdekapalace.com [IP: 202.71.103.21]
  • vodrasit.su [IP: 37.115.13.224]
IPs contacted:

Malicious IP Virus total links
99.42.33.76 https://www.virustotal.com/en/ip-address/99.42.33.76/information/
115.126.143.176 https://www.virustotal.com/en/ip-address/115.126.143.176/information/
50.179.168.36 https://www.virustotal.com/en/ip-address/50.179.168.36/information/
158.58.230.200 https://www.virustotal.com/en/ip-address/158.58.230.200/information/
212.186.32.8 https://www.virustotal.com/en/ip-address/212.186.32.8/information/
61.27.49.175 https://www.virustotal.com/en/ip-address/61.27.49.175/information/
86.133.91.153 https://www.virustotal.com/en/ip-address/86.133.91.153/information/
206.205.226.130 https://www.virustotal.com/en/ip-address/206.205.226.130/information/
172.245.217.122 https://www.virustotal.com/en/ip-address/172.245.217.122/information/
80.213.146.163 https://www.virustotal.com/en/ip-address/80.213.146.163/information/
81.206.227.11 https://www.virustotal.com/en/ip-address/81.206.227.11/information/
91.21.200.217 https://www.virustotal.com/en/ip-address/91.21.200.217/information/
1.240.64.211 https://www.virustotal.com/en/ip-address/1.240.64.211/information/
24.184.76.143 https://www.virustotal.com/en/ip-address/24.184.76.143/information/
97.104.63.159 https://www.virustotal.com/en/ip-address/97.104.63.159/information/
172.11.217.35 https://www.virustotal.com/en/ip-address/172.11.217.35/information/
87.1.90.206 https://www.virustotal.com/en/ip-address/87.1.90.206/information/
81.149.88.233 https://www.virustotal.com/en/ip-address/81.149.88.233/information/
203.110.94.69 https://www.virustotal.com/en/ip-address/203.110.94.69/information/
50.11.239.126 https://www.virustotal.com/en/ip-address/50.11.239.126/information/
181.224.129.14 https://www.virustotal.com/en/ip-address/181.224.129.14/information/
108.162.199.119 https://www.virustotal.com/en/ip-address/108.162.199.119/information/
202.71.103.21 https://www.virustotal.com/en/ip-address/202.71.103.21/information/
65.55.172.254 https://www.virustotal.com/en/ip-address/65.55.172.254/information/
120.150.210.249 https://www.virustotal.com/en/ip-address/120.150.210.249/information/

While looking at the POST data submitted to hxxp://vodrasit.su/admin/gate.php, we explored this site and found that it is currently hosting two malicious files and a password protected admin console.

Below are the files which are hosted on hxxp://vodrasit.su/, which can be observed thanks to the fact that the attackers left directory browsing enabled:

[   ]  admin.zip 03-Mar-2014 09:49 12M  
[DIR] admin/ 21-Aug-2013 23:44  
[   ]  all.exe 21-Mar-2014 17:36 457K
[   ]  rok.exe 21-Mar-2014 06:23 75K


 
all.exe attempted to communicate to the followings DGA generated Domains:
  • aulbbiwslxpvvphxnjij.biz
  • kvdmkndexomrceqydtgepr.net
  • gadmxsmfeqrscmfytvksirnyxm.com
  • xgkzhahdqsxgusireqxdqkzsk.ru
  • aemfyldumrlithbaayzhib.com
  • jbqswspnseqsqwmrnzxodivuciv.net
  • ijfifyhydeydxwdnrkuwsovofm.org
  • lrtofahqzlvrsxsscdaykzuqs.info
  • dgmeulrobvsfaskdrknkfswyt.biz
  • cqdwgydskztyluwhjzcmmjlfqs.ru
  • hiciqglzaqwopnzdmtkdro.com
  • xgadhizdspnditwhdaxcjae.info
  • bypjgqusdmeanbylqghtvcqkead.org
  • civmvcibuhjzuoijxrozaegmfi.biz
  • ijrtkzdjbztgattccytojrswsd.com
  • igaytdmoqkmfauzdbmrwrceapf.ru
  • jbtkscmfuuygmdmdrorodfmp.com
  • sougwcinroivgtpvjzijuocagqau.net
  • hiufeamaqsyxmntswooronrnvz.biz
  • bymncecukrcusxvctsduxceu.info
  • prdmzrmreylvkqqodj.com
  • sbusxwswayizfepfydtoovvbqhm.ru
  • yhayxjzmbpscaypizlnftofl.com
  • tkytijfhiaqbymnxkxcwxg.biz

Admin Console

Although we weren't able to access the live admin console as it was password protected, we were able to replicate the setup from the exposed source files (hxxp://vodrasit.su/admin.zipand it would appear as shown below:



Another directory with browsing enabled exists at hxxp://vodrasit.su/admin/db/. Here the data from infected machines connecting back to the CnC server can be observed:


Before being transmitted from a victim machine, the data is encrypted using RC4 encryption, base64 encoded and then sent via the POST method to the CnC.

Here is the code for first decoding the data using base64 decoding and then RC4 decryption:




After decoding and decrypting, a record is created in the aforementioned directory hxxp://vodrasit.su/admin/db/.

The following a sample of the information stored from an infected victim:



What does this data represent?


This particular record includes the following:
  • OS: WINDOWS 7
  • Bits: 0 means OS is 32 BIT 
  • Country: SOUTH KOREA

Chinese cops cuff 1,500 in fake base station spam raid

China’s police have arrested over 1,500 people on suspicion of using fake base stations to send out mobile SMS spam.
The current crackdown, began in February, according to Reuters. Citing a Ministry of Public Security missive, the newswire says a group operating in north-east Liaoning province, bordering North Korea, is suspected of pinging out more than 200 million spam texts.
China's fearsome law enforcers periodically embark on crackdowns of this kind which, given the sheer size and scale of the Middle Kingdom, often amount to little more than a symbolic gesture.
However, mobile spam is a massive problem in China.
Some 200 billion unwanted messages were sent in the country in the first half of 2013 alone, according to a Xinhua report from late last year
Fake base stations are becoming a particularly popular modus operandi. Often concealed in a van or car, they are driven through city streets to spread their messages.
This Beijing News story from November 2013 tells a typical tale.
The professional spammer in question charged 1,000 yuan (£100) to spam thousands of users in a radius of a few hundred metres.
The pseudo-base station used could send out around 6,000 messages in just half an hour, the report said. Often such spammers are hired by local businessmen to promote their wares.
Trend Micro highlighted the problem in a recent expose of the Mobile Cybercriminal Underground Market in China.
GSM modems, internet short message gateways and “SMS servers” were all listed as available on the dark web for local cyber criminals to buy.
The latter is effectively a “fake base station”, in that it apparently sends out a high power signal which forces all mobiles in the area to disconnect from their legitimate base station and connect to it.
SMS servers cost around 45,000 yuan (£4,400), according to the report.

About 55K in San Francisco impacted in theft of Sutherland computers

The San Francisco Department of Public Health (DPH) is warning more than 55,000 patients served in DPH facilities that their personal information may have been compromised in a Feb. 5 breach of Sutherland Healthcare Solutions (SHS), a billing and collections services provider.
How many victims? About 55,900. 
What type of personal information? Names, dates of birth, billing information, dates and locations of services, and, in some cases, Social Security numbers.
What happened? The SHS office in Southern California was broken into and computers containing the client information were stolen.
What was the response? The DPH is notifying all impacted patients and SHS is offering them a free year of credit monitoring and identity theft protection services.
Details: The SHS offices were broken into on Feb. 5. SHS notified the DPH on March 18 that the information was compromised. Most impacted patients received DPH services between August 2012 and November 2013.
Quote: “There is no confirmation that there has been any attempted access or attempted use of the information involved in this incident,” according to a notification posted to the DPH website. 
Source: sfdph.org, “Department of Public Health Patient Information Involved in Security Breach,” March 21, 2014.

Forget black hats – the best hackers are going grey and getting legit

A report from the Rand Corporation suggests the increasing market for software vulnerabilities that can be sold legitimately is tempting the most 1337 hackers and crackers to go legit, rather than suffer the vagaries of the black market in code and credentials.
"There's an economic seesaw in the market," Michael Callahan, VP of security products at Juniper Networks, told The Register. "At a point it becomes more attractive to sell on the legitimate market verses selling them to online arms dealers. It's driven by economics."
The black market can be as lucrative as the drugs trade, the Rand report notes, but the risks are also high, and not just from the police. While law enforcement is improving its abilities to catch cyber criminals the report notes that the attackers have the upper hand, but double-crossing within the industry is rife.
The study states that around 30 per cent of sellers in black market bazars for stolen credit cards and credentials are rippers – those who take the money and run. Of these, less than a fifth are caught and forced to complete the transaction.
Rand says that the increasing use of bug bounty programs offers an increasingly attractive form of revenue for security specialists, and one that provides a legitimate source of income., While rewards for such programs are still low, the report notes that some very high prices can be got for major undiscovered vulnerabilities from security organizations and from government buyers.
The report lists prices of up to $250,000 quoted for a solid iOS zero-day flaw (the top price for OS X is just $50,000) or $120,000 for a serious Windows flaw. The price depends a lot on how recent and effective the flaw is, but it's widely recognized in the community that the American government will outspend almost anyone else in the market.
Other revenue streams traditionally used by hackers and crackers on the dark side are also under pressure. Malware generation and exploit kits used to be a solid source of illicit revenue but the market is increasingly flooded and there are plenty of dodgy practices.
Last year 33 new exploit kits were detected online, the report states, and 42 more that are revamped versions of older code. But sellers are increasingly ripping off code of more successful kits and some, at the cheaper end of the market, are of little use against up-to-date security software.
Overall, the report finds that the prices for traditional purloined online goods like credit card numbers are falling rapidly, due to oversupply in the market. Those hackers working on the illegal side of the market are seeing revenues squeezed and this to could provide more of an incentive to go legit for the best players.

Palo Alto Networks pays $200m for endpoint security firm Cyvera

cyber-security-web
Palo Alto Networks is to buy Israeli endpoint security specialist Cyvera for $200m in the latest deal within the security sector.
The deal has been agreed by both Palo Alto and Cyvera's executive teams and is expected to close in the second half of this year, pending regulatory approval. The deal will see Palo Alto integrate Cyvera's advanced endpoint defence technologies into its enterprise security platform.
Mark McLaughlin, CEO of Palo Alto Networks, said the combination of technologies will let the company offer customers holistic security against advanced threats.
"This event marks a key milestone in our strategic enterprise security vision. It extends our next-generation security platform with a very innovative approach to preventing attacks on the endpoint," he said.
"It enables us to accelerate the delivery of the market's only highly integrated and automated enterprise security platform spanning networks, endpoints and the cloud. For customers, this translates into the most sophisticated and automated threat prevention for their entire organisation."
Cyvera currently has 55 employees at its Tel Aviv headquarters. It is currently unclear how they will be integrated into Palo Alto's workforce following the acquisition, and at the time of publishing Palo Alto had not responded to V3's request for comment.
Despite the lack of detail Cyvera has welcomed the move. The firm said it will allow the companies to become industry leaders in the growing advanced threat mitigation market.
"Much like Palo Alto Networks set out to disrupt the network security market with its next-generation security platform, we founded Cyvera to revolutionise protection for the endpoint – one of the most vulnerable frontiers for cyber attacks. We are pleased to join the Palo Alto Networks team and together help enterprise customers tackle the advanced threats they face today."
The news comes during a wider shift by Palo Alto to bolster its next-generation threat-mitigation offering. Palo Alto Networks released a new next-generation firewall called the PA-7050 in February.
Palo Alto is one of many security firms to acquire an endpoint security specialist in recent months. Competitor FireEye acquired endpoint security firm Mandiant in a $1bn deal earlier in January.

Tumblr rolls out two-factor authentication security upgrade

tumblr
Tumblr has rolled out a two-factor authentication security upgrade, in order to protect its customers from account-hijacking cyber attacks.
The company announced the move in a blog post, alerting users that it can be turned on from the settings page of their account. If turned on, users will need to authenticate their identity when logging in with a second set of credentials.
"You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard," explained the post.
The extra security feature is designed to stop hackers taking control of users' Tumblr accounts with a brute-force cyber attack, or stolen password. The feature can be disabled in the Settings menu of the Dashboard, but Tumblr urged its customers to leave the two-factor authentication service on.
"Your account is far less likely to get compromised if you've enabled two-factor authentication. But if you must, we'll ask you to enter your account password to make sure it's really you. You'll then be able to log in to your account without the extra verification step. If you would like to re-enable it at any point, you'll have to go through the aforementioned setup process again."
Tumblr is one of many companies to roll out the service. Twitter added the feature in May 2013 after suffering a number of data breaches. Dropbox rolled out the service in August 2012 following a massive data breach that saw criminals break into a number of its customers' accounts using passwords stolen in a separate phishing attack.
Account-hijacking cyber attacks targeting websites and services such as Tumblr have been a growing problem facing the security community. Security firm Sucuri detected a cyber attack that had hijacked more than 162,000 legitimate WordPress sites earlier in March.

Hackers targeting Microsoft Word and Outlook zero-day vulnerability

cyber-security-man
Hackers are targeting a newly discovered zero-day vulnerability in Microsoft's Word and Outlook services, according to security firm Qualys.
Qualys CTO Wolfgang Kandek revealed the attack in a blog post, warning businesses that a successful attack could grant hackers remote access to their systems.

"The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word," read the post.
"If the target uses Outlook 2007, 2010 or 2013 for email, please be aware that Word is the default viewer for emails, and that even looking at the email in the preview pane could lead to an infection through this attack."

Kandek said the vulnerability is particularly troubling as it affects Apple Mac systems running Microsoft Office for the Mac 201 as well as Windows systems.
Microsoft has since released an emergency workaround for the vulnerability on its TechNet blog.
"Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010," read the advisory.
"To facilitate deployment of the first workaround, we are providing a Fix it automated tool. The fix uses Office's file block feature and adds few registry keys to prevent opening of RTF files in all Word versions."
Kandek praised Microsoft for its rapid response, confirming that the temporary fix does effectively mitigate the exploit. "It seems that EMET ASLR enforcements efficiently counters the exploit. Good stuff," he said.
The Word and Outlook attack is one of many advanced threats uncovered targeting Microsoft services in recent months. Microsoft was forced to release an emergency fix for a vulnerability in Internet Explorer known to have been targeted by hackers earlier in March.

Microsoft warns Windows XP users the end is nigh as cyber apocalypse awaits

Microsoft will end support for XP on 8 April 2014
Microsoft has warned die-hard Windows XP users to prepare to deal with an influx of cyber attacks targeting their systems following the official support cut-off. The warning comes just two week before support for XP ends on 8 April.
Microsoft Trustworthy Computing Group (TwC) director Tim Rains issued the warning in a blog post, advising businesses still using XP that they will be putting themselves and their customers at increased risk.
"Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is financial profit more regularly than mischievous disruption or ego," read the post.
"The types of attacks that we expect to target Windows XP systems after 8 April 2014 will likely reflect the motivations of modern-day attackers. Cyber criminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues."
Rains highlighted the danger posed by self-replicating malware, such as the Conficker worm, as a particularly dangerous threat, warning that once the cut-off occurs it will be close to impossible to stop the malware spreading.
"Malware purveyors will likely integrate new vulnerabilities targeting Windows XP, into malware that tries to multiply. The success of the virus named Conficker, to infect systems in enterprise environments, illustrates that security firewalls and strong password policies are still not comprehensively used," read the post.
"Organisations that continue to run Windows XP after support ends, should be on guard for this type of threat in their environment."
Conficker is an infamous worm that was first discovered targeting Windows users in November 2008. The malware was designed to create a criminal botnet and at its peak is believed to have infected as many as 15 million machines.
Rains highlighted ransomware as another key threat facing Windows XP users. "We have seen a large uptick in ransomware in recent years. Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system's desktop," read the post.
"After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP-based systems to distribute ransomware. This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems."
Rains is one of many security experts to warn SMEs about the danger a successful cyber attack can pose. Security firm AVG told V3 in September 2013 that SMEs' lax attitudes to security is leaving them one cyber attack away from bankruptcy.
Worse still, Rains said following the cut-off, businesses will be more susceptible to basic cyber attacks, such as phishing and drive-by downloads. He said businesses may mitigate the threat by disconnecting XP systems from the internet, but argued that the safest policy will be to upgrade to a newer version of Windows.
"The guidance above provides suggestions towards managing some of the risks of running Windows XP post 8 April. However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after 8 April 2014," read the post.
Rains is one of many security professionals to warn businesses to avoid using Windows XP after the cut-off. Experts from numerous companies told V3 that criminals are hoarding exploits in preparation for an XP hacking rampage earlier in March. Security firm Malwarebytes pledged to support Windows XP for as long as possible in a bid to shield its users from the hacking rampage.

Malwarebytes pledges to protect Windows XP users after support cut-off

Microsoft Windows XP screen
Security firm Malwarebytes has pledged to protect Windows XP for as long as possible in a bid to shield its users from the hacking rampage expected to occur after support from Microsoft ends on 8 April.
Malwarebytes made the promise while unveiling its new Premium anti-malware tool. The news comes after reports that criminals are hoarding exploits in preparation for an XP hacking rampage when support ends.
A Malwarebytes spokesman told V3 companies still need XP security as much of its customer base, which numbers in the hundreds of millions, are still using the decade-old operating system (OS).
“Malwarebytes is offering XP support because a lot of our current users are still using the OS, and they evidently still need protection. These make up 20 percent of the existing user base,” he said.
He added that Malwarebytes will continue to provide XP support for as long as it could. “We’re going to support XP as long as we’re technically able. The only time we’ll stop is if Microsoft does something like forcibly upgrade its XP customers,” he said.
The Premium tool features uses a custom heuristics engine designed to track malware's behaviour and advanced Anti-Rootkit technology to protect users from advanced threats.
Malwarebytes founder and CEO Marcin Kleczynski claims the combination of technologies will protect users from advanced threats other security services can't detect.
"Six years after the launch of the first version, and following 18 months of development and countless research hours, we are thrilled to announce Premium," he said.
"It has been a real labour of love. We are proud of what we have created and believe it builds upon the success of our existing products to give people a strong proactive countermeasure against today's advanced online threats."
The Premium service is available on the Malwarebytes store now and costs $25 per year. Each licence provides coverage for up to three PCs.
Malwarebytes is one of many security firms to warn of the dangers posed by the XP support cut-off. Paul Ducklin, senior security analyst at Sophos, told V3 in February that Microsoft's XP support cut-off could lead to a boom in global spam levels.

US hacked servers at Chinese firm Huawei and scoured email database

huawei-sign-logo
The National Security Agency (NSA) hacked into the servers of Chinese telecoms giant Huawei and accessed the source code at the heart of its products, according to reports.
The New York Times and Der Spiegel said documents from ex-CIA worker Edward Snowden showed that the spy agency went to great lengths to infiltrate the servers of Huawei, and had great success.
Der Spiegel said the US gained access to the source code at the heart of key Huawei products as well as information on 1,400 customers and internal documents on training given to its product engineers.
Such widespread knowledge and access to its source code allowed the US to read emails sent by all staff at the firm, which are routed through the firm's key servers in Shenzhen, including those of CEO Ren Zhengfei.
"We currently have good access and so much data that we don't know what to do with it," states one internal NSA document, according to Der Spiegel.
The document reportedly states that the reason for the large-scale effort against Huawei was due to the “unique” threat it could pose to the US, given its dominance in the telecoms market that gives it such large-scale insight to global web traffic.
"Huawei's widespread infrastructure will provide the PRC [People's Republic of China] with SIGINT [signals intelligence] capabilities."
Huawei hit back at the revelations in a statement criticising the US: "If the actions in the report are true Huawei condemns such activities that invaded and infiltrated into our internal corporate network and monitored our communication."
It also moved to reassure customers that its equipment and networks were free from interference, secure and not under threat.
"The security and integrity of our corporate network and our products are our highest priorities. That is the reason why we have an end-to-end security assurance system and why we are continuously working to enhance that system," it said.
"Like other enterprises, we continuously block, clean and reinforce our infrastructure from cyber threats."
The revelations come amid ongoing tensions between the US and China in the cyber arena, with China accused of targeting US firms on several occasions. Mandiant uncovered 141 attacks against US companies in February 2013.
Publicly, though, both nations have always downplayed any animosity and claimed they share common goals online. Whether this public show of unity lasts after the latest revelations remains to be seen.

Monday 24 March 2014

Windigo Hijacks 25,000 Servers to Spew Out Spam, Malware

cyber-attack Attackers infected and seized control of over 25,000 Unix servers to create a massive spam and malware distribution platform, ESET said. Linux and Unix administrators need to immediately check if their servers are among the victims.
The gang behind the attack campaign uses the infected servers to steal credentials, distribute spam and malware, and redirect users to malicious sites. The infected servers send 35 million spam messages each day, and redirect half a million Web visitors to malicious sites daily, said Pierre-Marc Bureau, a security intelligence program manager at ESET. The researchers believe the campaign, dubbed Operation Windigo, has hijacked over 25,000 servers in the past two-and-a-half years. The group currently has 10,000 servers under their control, Bureau said.
ESET released a technical paper with more details about the campaign, and included a simple ssh command which administrators can use to figure out if their servers have been hijacked. If that happens to be the case, administrators should re-install the operating system on the infected server and change all credentials ever used to log into the machine. Since Windigo harvested credentials, administrators should assume all passwords and private OpenSSH keys used on that machine are compromised and should be changed, ESET warned. The recommendations apply to both Unix and Linux administrators.
Wiping the machine and re-installing the operating system from scratch may sound a little extreme, but considering that the attackers had stolen administrator credentials, installed backdoors, and had gained remote access to the servers, taking the nuclear option seems necessary.
Attack ElementsWindigo relies on a cocktail of sophisticated malware to hijack and infect the servers, including Linux/Ebury, an OpenSSH backdoor and credential stealer, as well as five other pieces of malware. Over the course of a single weekend, ESET researchers observed more than 1.1 million different IP addresses passing through Windigo's infrastructure before being redirected to malicious sites.
Websites compromised by Windigo in turn infected Windows users with an exploit kit pushing click fraud and spam-sending malware, showed questionable advertisements for dating sites to Mac users, and redirected iPhone users to online porn sites. Well-known organizations such as cPanel and kernel.org were among the victims, although they have cleaned their systems, Bureau said.
Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows, Bureau said.
Rogue ServersConsidering that three in five of the world's websites are running on Linux servers, Windigo has plenty of potential victims to play with. The backdoor used to compromise the servers was installed manually and exploits poor configuration and security controls, not software vulnerabilities in the operating system, ESET said.
"This number [10,000 servers] is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory," said Bureau.
A handful of malware-infected servers can cause a lot more harm than a large botnet of regular computers. Servers generally have better hardware and processing power, and have faster network connections than end-user computers. Recall that the powerful distributed denial of service attacks against various banking websites last year originated from infected Web servers in data centers. If the team behind Windigo ever switches tactics from just using the infrastructure to spread spam and malware to something even nastier, the resulting damage could be significant.

Fake video of Malaysia Airlines flight MH370 rescue is ‘callous’ cyber scam

A post promising a video of a plane landing on water has been circulating on Facebook, with a title suggesting that it contains news footage showing the rescue of passengers on board the missing Malaysia Airlines flight MH370 – but the video is a ‘callous’ cyber scam, according to Hoax-Slayer, and in fact shows a plane landing on water in Bali in 2013.
IT Pro Portal reports that one variant of the scam is a ‘video’ titled, “Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle. Shocking Videos Release Today”, and that the video is being used to spread malware. Other reports say that variants of the scam are used to direct users to spread the video via Facebook, and complete bogus surveys, used by cybercriminals to harvest personal details from their victims.
IT Pro Portal points out that the Bermuda Triangle is 10,000 miles from the last point of contact with the flight.
The Epoch Times reports that the images show a plane crash near Bali in Indonesia in 2013, where 100 passengers were rescued after a plane landed on water. In all reported variants of the scam, there is no video to click through to – just surveys designed to steal personal information, or bogus downloads which are in fact malware.
Hoax-Slayer describe the scam as a ‘callous’ variant on a common cybercriminal trick of using posts which promise ‘sensational’ viral videos to harvest personal information or spread malware.
“The image used in the scam post shows a Lion Air passenger plane that crashed into the sea, when landing on Bali in April 2013. While there were some injuries in the crash, there were no fatalities. The picture has no connection whatsoever with flight MH370,” the site reports. “Once they have shared [on Facebook] as requested, users will then be taken to another fake page that supposedly hosts the video. However, a popup ‘Security Check’ window will appear that claims that they must prove that they are human by clicking a link and participating in an online survey or offer. But, no matter how many surveys or offers they complete, they will never get to see the promised video.”
Scammers often target Facebook with copies of viral content – or entirely fake, sensational videos, such as ‘Giant Snake Swallows Zookeeper’, as reported by We Live Security this year.
In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network – but as reported here, such scams can, in the worst case scenario, lead to tainted sites which infect users with malware.

Facebook’s ‘Deepface’ photo-matching is nearly as good as human brains

Facebook’s ‘Deepface’ photo-matching software can now ‘recognize’ pairs of human faces with an accuracy just a fraction of a percentage point behind human beings – a huge leap forward in the technology, which some see as having potentially alarming implications for privacy.
Deepface can now match two previously unseen photos of the same face with 97.25% accuracy – humans can do the same with around 97.5% accuracy, a difference which TechCrunch describes as “pretty much on par”.
Facebook uses its current facial recognition software to ‘tag’ people in photos, which is used widely around the world. Although Deepface is a research project, and unrelated to the technology used on the site, it “closes the vast majority of the performance gap” with human beings according to the Facebook researchers behind it (PDF research paper here), and can recognise people regardless of the orientation of their face, lighting conditions and image quality.
Publications such as Stuff magazine describe the technology as “creepy”, saying that were it implemented “in the wild” it should make site users “think twice” about posting images such as “selfies.”
Deepface uses deep learning to leap ahead of current technology – an area of AI which uses networks of simulated brain cells  to ‘recognize’ patterns in large datasets, according to MIT’s Technology Review.
Yaniv Taigman of Facebook’s AI team says, “You don’t normally see that sort of improvement. We closely approach human performance.”
The leap forward in performance cuts errors by more than 25% in the accuracy – achieved, Taigman says in Facebook’s brief description of the milestone, by 3D modeling faces, and using a “nine-layer deep neural network” to analyze 120 million parameters. Business Insider describes the process as akin to using the 3D software to turn faces “forward” for comparison.
Deepface was “trained” using a dataset of four million facial images belonging to 4,000 individuals, Taigman says.
“Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 25%,” Taigman says, noting that the software is “Closely approaching human-level performance.”
 In a paper entitled, Deepface: Closing the Gap to Human-Level Performance in Face Verification, Taigman and his co-authors write, “We believe that this work, which departs from the recent trend of using more features and employing a more powerful metric learning technique, has addressed this challenge, closing the vast majority of this performance gap [as compared with humans],” saying that Deepface can be applied to various population, without regard to pose illumination or image quality.
“Our work demonstrates that coupling a 3D model-based alignment with large capacity feedforward models can effectively learn from many examples to overcome the drawbacks and limitations of previous methods.”

“You have cancer” phishing attack shows how low cybercriminals will go

A “particularly unpleasant” phishing email purporting to be the results of a blood count report showing that the recipient may have cancer is circulating in the UK, claiming to be sent from a government health care organization, and containing an infected attachment claiming to be a blood analysis report.
NICE (the National Institute for Health and Care Excellence) has posted a spam warning, saying, “NICE is aware that a spam email is being sent to members of the public regarding cancer test results. Please be assured that this email is not from NICE and we are currently investigating its origin. If you have received the email, do not open the attachments.”
Eduard Kovacs of Softpedia reports that the emails arrive with a subject line IMPORTANT: blood analysis results” and appear to come from the email address, “no_reply@nice.org.uk.”
British anti-fraud organization Action Fraud warns users that the file is “likely to contain malware” and reports that one variant of the email says, “We have been sent a sample of your blood analysis for further research. During the complete blood count (CBC) we have revealed that white blood cells is very low, and unfortunately we have a suspicion of a cancer… We suggest you to print out your CBC test results and interpretations in attachment below and visit your family doctor as soon as possible. Sincerely, Dr.Moon Earnest.”
ESET Senior Research Fellow David Harley describes the phishing attack as “particularly unpleasant” in a blog post,  and says, “This is more than spam: it contains an attachment claimed to be a blood count report suggesting that the recipient may have cancer, but in fact it’s a password stealer.”
Harley points out that certain features of the email are unconvincing, and that the criminals rely on users panicking, “Firstly, it’s likely that if you’d given a sample for a blood test you’d remember. However, there’s obviously a chance that some of these messages might reach people who have actually given samples recently, and would be more likely to be panicked into clicking on the malicious attachment. Secondly, NICE is not in the business of doing blood tests: its remit is rather more abstract. But again, the hope is that the victim will be too panicked to check properly.”

Revenue Service breach may have leaked data on 20,000 employees

Personal data for around 20,000 workers for the U.S. Internal Revenue Service (IRS), including names, social security numbers and addresses may have been exposed on the internet, after an employee plugged a thumb drive into a computer on an unsecured home network.
The breach affects 20,000 employees and ex-employees who worked in Pennsylvania, New Jersey and Delaware, the IRS said in a statement. No details about taxpayers, or tax records, were leaked in the breach, according to NBC’s report.
The commissioner of the IRS, John Koskinen, said that an unencrypted thumb drive had been plugged into an unsecured home network, meaning that the information had been potentially available to third parties online, according to news agency Reuters.

Koskinen
said that, “At this point we have no direct evidence to indicate that this personal information has been used for identity theft or other inappropriate uses.” Many of the employees affected by the breach no longer work for the IRS, Koskinen said, and the agency would reach out to ex-employees to offer free identity theft monitoring, according to NBC’s report. .
Koskinen said that the drive contained,  ”sensitive personnel information, including names, Social Security numbers and addresses, of some employees, former employees and contracted employees.”
ABC News reported that Republican Dave Camp, chairman of the House Ways and Means Committee, said, “In the past, the IRS has released personal taxpayer information to the public, and has not been able to effectively prevent and detect identity theft. This latest report is concerning. The IRS has repeatedly broken the American people’s trust, and the Ways and Means Committee will take a thorough look into this incident.”

Google Glass spyware lets snoopers “see through wearer’s eyes”

Spyware which stealthily takes photographs using Google Glass’s built-in camera and uploads them to a remote server without the user being aware has been demonstrated successfully on the eyepiece – despite Google’s policies explicitly forbidding programs which disable the screen while the camera is in use.
The spyware was designed by two California Polytechnic students, Mike Lady and Kim Paterson, who disguised their program as a note-taking app (albeit with a name that offers a clue to its actual function, Malnotes), and successfully loaded the app, which takes a photo every ten seconds and uploads it to the internet, according to Ars Technica’s report.
Google’s policies forbid programs which take pictures when its wearable Glass eyepieces are turned off – but there is nothing to stop users doing so, Forbes reported.
“The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it,” Paterson told Forbes’ Andy Greenberg.
“As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us.”
The pair were able to upload Malnotes successfully to Google’s Play store, but were unable to sneak the app into the curated MyGlass store for Google Glass, Ars reports. Paterson noted that many Glass apps are currently “sideloaded” – ie not installed via official stores, but installed using developer tools in debug mode – as Glass is still in prototype.
“A lot of Glass developers are just hosting their apps from sites just to let other people try it. It’s sort of a wild-wild west atmosphere since very few apps are being released through the MyGlass store,” Paterson told Forbes. Paterson warned that if a user left Glass unattended, it would be easy to install such software without the wearer even being aware of its presence.
Google’s Glass eyepieces remain a hot topic for privacy advocates. Speaking to Business Insider, Daen de Leon, a software engineer, says that 13 bars and restaurants in San Francisco have an explicit “no Glass” policy, as well as others in Seattle, and Oakland, California.
After an incident where a Google Glass wearer was allegedly assaulted in a bar in Lower Haight for wearing the eyepieces, de Leon spoke to regulars and says that he, “”found her assumption that, as a complete stranger, she could enter a bar and just start recording regular customers without their permission quite disturbing.”

Target breach optioned as Sony feature film

The Target breach, and in particular the role of respected security blogger Brian Krebs in breaking the story, has been optioned as a feature film by Sony. The studio has bought the rights to the New York Times article, “Reporting From the Web’s Underbelly,” which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.
The Hollywood Reporter writes that the studio envisions the story as a “cyber thriller” set in the “high stakes world” of cybercrime.
Mashable reports that the studio has recruited Richard Wenk, writer of its recent version of The Equalizer, and action sequel The Expendables 2, to write the script.
Krebs’ blog, Krebs on Security, broke the story of the Target breach late last year, revealing that a large number of American debit and credit card details had been leaked from the retailer. The story had been leaked to Krebs, a former reporter at the Washington post, via officials at American credit card issuers.
In February this year, Nicole Perlroth’s profile article for the New York Times offered a portrait of Krebs, describing incidents such as Russian cybercriminals attempting to frame him with heroin purchased from the Silk Road “online drug market” (reported by We Live Security here), and describing how Krebs landed a string of exclusive stories, including several key revelations about the Target breach.
Perlroth described Krebs as, “A former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side.”

Bitcoin fixes Mt Gox theft bug – as exchange staff find 200,000 BTC in ‘forgotten’ wallet

Bitcoin’s developers have released a new version of the software, which includes a long-awaited fix for the “transaction malleability” bug said to have brought down large exchanges such as Mt Gox and Bitstamp.
The new version, called Bitcoin 0.9.0 was revealed by a bitcoin developer in a Tweet, according to ZDNet. The release notes say that the version of Bitcoin Core offers, “Bug fixes and new regression tests to correctly compute the balance of wallets containing double-spent (or mutated) transactions.”
The bug allowed users to alter the unique ID of BTC transactions, before they were confirmed, and thus allegedly steal coins according to ZDNet‘s report. Mt Gox blamed the “transaction malleability” bug for its loss of more than $400m in Bitcoin, and other collapsed banks and exchanges said they had fallen victim to the same bug.
VentureBeat reports that the new version of Bitcoin includes five fixes to prevent fraudulent transactions, with a function which stops “mutated transactions” being relayed, and two more functions which report double-spending and conflicting wallet transactions.
Early in March, Mt Gox admitted that nearly $500 million in bitcoin had “disappeared”, in a statement posted online, blaming abuse of the “transaction malleability” bug in the system.
The exchange, which filed for bankruptcy protection early in March, as reported by We Live Security here, posted a new message to its site on Monday, saying that bitcoins had been “illicitly moved through the abuse of a bug”, and that “Although the complete extent is not yet known, we found that approximately 750,000 bitcoins deposited by users and approximately 100,000 bitcoins belonging to us had disappeared.”
Meanwhile, questions remain over whether investors in Mt Gox will ever be able to reclaim their money. The exchange said this week that it had “found” 200,000 BTC in old wallets, during its bankruptcy procedures.
The Register commented,“That’s good news for creditors inasmuch as it means the exchange is “only” missing about 650,000 Bitcoin, so there’s some prospect of recovering some of their lost currency.”
The site said in a statement, “MtGox Co., Ltd. had certain old format wallets which were used in the past and which, MtGox thought, no longer held any bitcoins. Following the application for commencement of a civil rehabilitation proceeding, these wallets were rescanned and their balance researched. On March 7, 2014, MtGox Co., Ltd. confirmed that an old format wallet which was used prior to June 2011 held a balance of approximately 200,000 BTC (199,999.99 BTC)”