Monday 15 September 2014

Four Vulnerabilities Patched in IntegraXor SCADA Server

Four different remotely exploitable vulnerabilities were recently discovered and patched in a popular SCADA server.

The vulnerabilities exist in some versions of IntegraXor, a SCADA server made by Ecava Sdn Bhd, a Malaysia-based software company.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed the vulnerabilities, which were first brought to light back in August, in an advisory on Thursday.

The biggest problem is that, if left unpatched, the flaws let an attacker read and modify files and database records on the SCADA database, which in turn could give them full access.

ICS-CERT warns that attackers could create a large file on the server and cause a denial of service, overwrite potentially sensitive files, and even create new, malicious files that could later be executed via a CSRF attack against users.

In addition to file read/write ability, attackers could also use the vulnerabilities to manipulate SQL queries and disclose information, like the full path names of files on the system.

Independent security researchers Andrea Micalizzi, via Zero Day Initiative, and Alain Homewood discovered and reported the vulnerabilities, all of which can be exploited remotely.

Homewood, a New Zealand-based researcher at PricewaterhouseCoopers’ Security and Technology division, tested the patch to verify that it addressed the vulnerabilities, according to ICS-CERT.

These servers are native web SCADA systems used across 38 different countries including the U.S., U.K., Australia and Canada, according to the advisory. The software is primarily used in the industrial automation field, especially by firms in charge of sewerage, railways, telecom, and heavy engineering.

Chinese Hacking Groups Team Up Against Government, Military Systems

Two Chinese cyber espionage campaigns are working in tandem in hopes of sniffing out trade secrets from surrounding nations.

Researchers from FireEye outlined information about the two attack groups in advance of a more comprehensive report.

One of the groups, Moafee, operates out of Guangdong Province in Southern China, while the second, DragonOK, works out of Jiangsu Province in Northern China. Both groups are based on the coast and are likely targeting intelligence from countries surrounding the South China Sea such as Japan and Taiwan, according to FireEye.

Researchers Thoufique Haq, Ned Moran, Mike Scott and Sai Imkar Vashisht said in a report on the company’s blog that Moafee is targeting government and military operations while DragonOK appears to be targeting “high-tech and manufacturing companies,” going after trade secrets for economic advantage.

The researchers point out that there are several traits the campaigns share, suggesting at least a connection between the two, or perhaps a resource shared with a third, separate group.

For example, both of the campaigns use a series of remote administration tools (RATs) and backdoors to secure access after they’ve gotten into systems by tricking users into clicking on a spear-phishing email.

The two campaigns were also found using similar tools like CT/NewCT/NewCT2, the Trojan Nflog, and the RAT PoisonIvy. Both attacks also used HTRAN, a reverse proxy server used to mask TCP traffic, to disguise their location information.

A third group was also found using the same set of backdoors and RATs, but FireEye declined to outright connect it to Moafee and DragonOK.

“Both groups, while operating in distinctly different regions, either 1) collaborate, 2) receive the same training, 3) share a common toolkit supply chain, or 4) some combination of these scenarios,” the researchers wrote Thursday, likening it almost to a “production line” chain of attacks.

FireEye’s report didn’t specify what kinds of information the groups may have absconded with thus far, but did stress that the region’s “rich natural resources,” in this case intelligence on the abundance of oil and natural gas in the South China Sea, were the focus.

A similar group of Chinese hackers, who go by APT 18, was ultimately connected to last month’s Community Health Systems breach. While the group – somewhat like Moafee and DragonOK – is usually associated with pilfering data from the aerospace, defense and engineering sectors, in this case it stole information regarding medical technology and pharmaceutical manufacturing processes.

Facebook wants to know why you hate specific adverts

Facebook has announced yet more slants to its constant ad fiddling.
Namely, it says it's going to do two things to try to avoid users clicking that dreaded "hide" option on the ads in our newsfeeds.
First: after we tell Facebook that we don't want to see an ad, it will ask us to explain ourselves.
"Help us understand the problem," it will ask in its best Freudian accent as we stretch out on the couch and it grabs a notepad.
The choices for why we don't want to see ads will include:
  • It's not relevant to me
  • I keep seeing this
  • It's offensive or inappropriate
  • It's spam
  • Something else
When testing the feature, Facebook says that it used the results of this particular update to stop showing bad ads that were offensive or inappropriate and thus saw a "significant decrease" in the number of ads people reported as offensive or inappropriate.
That's nicer for all, Facebook said:
This means we were able to take signals from a small number of people on a small number of particularly bad ads to improve the ads everyone sees on Facebook.
The second ad move Facebook's making is to pay more attention to feedback from quiet people: i.e., those who don’t often hide ads.
Because they don't hide ads much, when they do hide them, those ads must be ultra bad, the thinking goes.
If someone hides things very rarely, we’ll consider that when we choose what to show them. If we think there is even a small chance they might hide an ad, we won’t show it to them. This affects the type of ads we show everyone, but has a bigger impact for people who don’t often hide ads.
When Facebook tested the "listen closely to quiet people" update, it saw that people who rarely hide ads ended up hiding 30 percent fewer ads with the change.
Facebook took that to mean that by listening carefully, it can show better ads - even to those who aren’t very vocal.
But who knows? Maybe the quiet ones have slipped further still into advertising-induced comas.

Online Retailer Yandy Breached

Online lingerie retailer Yandy is notifying almost 45,000 customers about a cyber-attack that exposed payment card information.
The company learned of the attack on Aug. 18. The intrusion paved the way for hackers to access customers' data that was submitted during the checkout process, according to a letter to the New Hampshire attorney general's office.
Information exposed in the breach includes names, addresses, credit card or debit card numbers, expiration dates, CVV numbers and e-mail addresses, Yandy says.

"We are unable to confirm any improper use of your personal information in connection with this incident," the company says in its notification letter.
Yandy says it has filed a complaint with the Internet Crime Complaint Center. And it's offering affected customers free credit monitoring services, a spokesperson told Information Security Media Group.
"Since discovering this issue we have worked diligently and expeditiously to ensure the safety of our customer information," the company says. As a result of the incident, Yandy says it's assessing and modifying its privacy and data security policies and procedures.

How Online Black Markets Have Evolved Since Silk Road’s Downfall

When the FBI tore down the billion-dollar drugs-and-contraband website Silk Road last October, its death made room for a new generation of black-market bazaars—many with better defenses against the Feds. Nearly a year later, more drugs are sold online than when the Silk Road ruled the dark web, according to a study by the Digital Citizens Alliance last April. Here’s how the world of anonymous ecommerce has mutated and evolved over the last year.
Silk Road 2.0
A month after the FBI arrested 29-year-old Ross Ulbricht, the alleged Silk Road creator known as Dread Pirate Roberts, someone else using the same pseudonym launched Silk Road 2.0. This defiant clone of the original claimed that its source code was backed up to 500 locations in 17 countries, so if authorities shut it down, administrators can rebuild in 15 minutes flat. “If Silk Road was taken down we could have it up and running again within 15 minutes,” wrote the new DPR. “Hydra effect on a massive scale.”
Evolution
In February, Silk Road 2.0 said it had been hacked, losing $2.7 million in users’ bitcoins. Tired of seeing their coins stolen or seized by the cops, savvy users migrated to sites like Evolution, Cloud Nine, and the Marketplace, which allow multisignature transactions—bitcoins are held in escrow at an address agreed on by buyer, seller, and the site. To move them, two out of three parties must sign off on a deal.
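The 2-of-3 escrow described above, as an added example that is not part of the original article: it models the threshold rule with Lamport one-time signatures (a standard-library stand-in for the ECDSA keys Bitcoin multisig actually uses) and shows that any two of buyer, seller and site can release the coins, while the site alone, whether hacked or seized, cannot. All transactions and keys are constructed for the demo.

```python
"""2-of-3 multisignature escrow, modelled with Lamport one-time signatures.

Bitcoin multisig uses ECDSA inside a script; Lamport signatures are used here
only because they need nothing beyond the standard library. The threshold
logic (two of buyer, seller, site authorise a spend; one cannot) is the point.
"""
import hashlib
import secrets

HASH_BITS = 256


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: int, i: int) -> int:
    # Bit i of the 256-bit digest, most significant bit first.
    return (digest >> (HASH_BITS - 1 - i)) & 1


def lamport_keygen():
    """Return (private, public). The private key is 256 pairs of random
    32-byte preimages; the public key is their SHA-256 hashes. A Lamport key
    should sign only one message; the demo below reuses keys across scenarios
    purely to exercise the threshold rule."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(HASH_BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def lamport_sign(private, message: bytes):
    """Reveal, for each bit of SHA-256(message), the matching preimage."""
    digest = int.from_bytes(_h(message), "big")
    return [private[i][_bit(digest, i)] for i in range(HASH_BITS)]


def lamport_verify(public, message: bytes, signature) -> bool:
    """Check every revealed preimage against the public hash the bit selects."""
    if len(signature) != HASH_BITS:
        return False
    digest = int.from_bytes(_h(message), "big")
    return all(_h(signature[i]) == public[i][_bit(digest, i)]
               for i in range(HASH_BITS))


class EscrowAddress:
    """Funds locked to three public keys; a spend needs valid signatures from
    at least `threshold` distinct key holders (2-of-3 here)."""

    def __init__(self, pubkeys: dict, threshold: int = 2):
        self.pubkeys = pubkeys  # party name -> public key
        self.threshold = threshold

    def authorise(self, spend: bytes, signatures: dict) -> bool:
        # A party counts only if its signature verifies under its own public
        # key, so nobody can pad the tally by submitting one key's signature
        # under another party's name.
        valid = {party for party, sig in signatures.items()
                 if party in self.pubkeys
                 and lamport_verify(self.pubkeys[party], spend, sig)}
        return len(valid) >= self.threshold


def demo() -> dict:
    """Constructed scenario: buyer, seller and marketplace each hold a key."""
    keys = {p: lamport_keygen() for p in ("buyer", "seller", "site")}
    escrow = EscrowAddress({p: pub for p, (_, pub) in keys.items()})
    pay_seller = b"constructed tx: release escrow to seller"
    refund_buyer = b"constructed tx: refund escrow to buyer"

    def sign(party: str, tx: bytes):
        return lamport_sign(keys[party][0], tx)

    return {
        # Normal sale: buyer and seller agree; the site is not needed at all.
        "buyer+seller": escrow.authorise(
            pay_seller, {"buyer": sign("buyer", pay_seller),
                         "seller": sign("seller", pay_seller)}),
        # Dispute: site arbitrates with the buyer; seller cannot block a refund.
        "buyer+site": escrow.authorise(
            refund_buyer, {"buyer": sign("buyer", refund_buyer),
                           "site": sign("site", refund_buyer)}),
        # Site hacked or seized: its single key cannot move the coins.
        "site_alone": escrow.authorise(
            pay_seller, {"site": sign("site", pay_seller)}),
        # Site tries to pass its own signature off as the seller's.
        "site_forging_seller": escrow.authorise(
            pay_seller, {"site": sign("site", pay_seller),
                         "seller": sign("site", pay_seller)}),
        # Signatures over one transaction do not authorise a different one.
        "replayed_to_other_tx": escrow.authorise(
            refund_buyer, {"buyer": sign("buyer", pay_seller),
                           "seller": sign("seller", pay_seller)}),
    }


if __name__ == "__main__":
    for scenario, released in demo().items():
        print(f"{scenario:22} -> {'released' if released else 'blocked'}")
```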
OpenBazaar
A Virginia coder named Brian Hoffman created this open source project to be a fully peer-to-peer, uncensorable marketplace: product listings are hosted on the computers of anonymous users, and freelance arbiters settle disputes for a fee. Hoffman says he’s not inviting in drug dealers, but that he can’t stop them from crashing the party. And with potentially thousands of different computers hosting the network and no central target for the Feds, it could be nearly impossible to shut it down.

Feds Threatened to Fine Yahoo $250K Daily for Not Complying With PRISM


Government slide showing when Yahoo and other internet companies began supplying data to the PRISM program. Courtesy of The Washington Post
A secret and scrappy court battle that Yahoo launched to resist the NSA’s PRISM spy program came to an end in 2008 after the Feds threatened the internet giant with a massive $250,000 a day fine if it didn’t comply and a court ruled that Yahoo’s arguments for resisting had no merit.
The detail of the threat became public today after 1,500 pages worth of documents were unsealed in the case, revealing new information about the aggressive battle the Feds fought to force the company to bow to its demands. The information was first reported by the Washington Post following a blog post published by Yahoo’s general counsel disclosing that the documents had been unsealed and revealing for the first time the government’s threat of a fine.
Yahoo fought to unseal the case documents to provide better transparency about the government’s data collection programs and the FISA Court’s controversial history in approving nearly every data request the government makes.
The company disputed the initial order in 2007 because it deemed the bulk demand for email metadata to be unconstitutionally broad, but it lost that fight both in the Foreign Intelligence Surveillance Court and during appeal to the Foreign Intelligence Court of Review. It was among the first of nine internet companies to fall to the government’s demands for customer data and was a crucial win for the Feds since they were allowed to wield the ruling as part of their demand to other companies to comply.
Each of the internet companies fell in line with the program at separate times in the wake of that ruling.
“The released documents underscore how we had to fight every step of the way to challenge the U.S. Government’s surveillance efforts,” Yahoo General Counsel Ron Bell wrote in a post published after the unsealing. “At one point, the U.S. Government threatened the imposition of $250,000 in fines per day if we refused to comply.”
The unsealing of FISA Court documents is extremely rare but, as Bell noted, it was “an important win for transparency, and [we] hope that these records help promote informed discussion about the relationship between privacy, due process, and intelligence gathering.”
The documents were posted online today by the Office of the Director of National Intelligence. Bell noted that “[d]espite the declassification and release, portions of the documents remain sealed and classified to this day, unknown even to our team.”
The American Civil Liberties Union praised Yahoo for pushing back on the government’s unreasonable surveillance.
“Yahoo should be lauded for standing up to sweeping government demands for its customers’ private data,” Patrick Toomey, staff attorney with the ACLU, said in a statement. “But today’s [document] release only underscores the need for basic structural reforms to bring transparency to the NSA’s surveillance activities.”
Yahoo’s secret battle, and the PRISM program, came to light only last year after documents released by NSA whistleblower Edward Snowden exposed the data-collection program. Yahoo, Google, Apple and other companies were harshly criticized for complying with the program and seemingly putting up no resistance to it. But shortly after the program was exposed, Yahoo’s dogged battle with the Feds to resist its inclusion in the program emerged when another document leaked by Snowden exposed the company’s legal fight against the FISA Court order.
Yahoo fought back on Fourth Amendment grounds, insisting that such a request required a probable-cause warrant and that the surveillance request was too broad and unreasonable and, therefore, violated the Constitution.
Yahoo also felt that warrantless requests placed discretion for data collection “entirely in the hands of the Executive Branch without prior judicial involvement” thereby ceding to the government “overly broad power that invites abuse” and possible errors that would result in scooping up data of U.S. citizens as well.
The request for data initially came under the Protect America Act, legislation passed in the wake of the 9/11 terrorist attacks that allowed the Director of National Intelligence and the Attorney General to authorize “the acquisition of foreign intelligence information concerning persons reasonably believed to be outside the United States” for periods of up to one year, if the acquisition met five criteria. The Protect America Act sunset in February 2008, but was incorporated into the FISA Amendments Act in July that year.
Under the law, the government has to ensure that reasonable procedures are in place to ensure that the targeted person is reasonably believed to be located outside the U.S. and that a significant purpose of the collection is to obtain foreign intelligence. In its request to Yahoo, the government apparently proposed additional measures it planned to use to ensure that its data collection was reasonable.
But Yahoo felt the procedures and measures the government proposed to undertake were insufficient and refused to comply with the data request. The government then asked the FISA Court to compel Yahoo to comply, which it did.
Yahoo applied to appeal the decision and requested a stay in the data collection pending the appeal. But the FISA Court refused the stay, and beginning in March 2008, Yahoo was forced to comply with the request for data in the meantime “under threat of civil contempt.”
Five months later, in August 2008, the FISA Court of Review found that the data request, undertaken for national security reasons, qualified for an exception to the warrant requirement under the Fourth Amendment and upheld the original court’s order to comply.
As for Yahoo’s concern that the request was too broad and opened the possibility for potential abuse, the judges wrote that the company had “presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case” and called Yahoo’s concerns “little more than a lament about the risk that government officials will not operate in good faith.”
To support their ruling, the judges wrote that the government “assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.”
A year’s worth of Snowden revelations, however, have now shown this to have been a misguided statement on the part of the judges.

Hackers pop Brazil newspaper to root home routers

A popular Brazilian newspaper has been hacked by attackers who used code that attacked readers' home routers, says researcher Fioravante Souza of web security outfit Sucuri.
Attackers implanted iFrames into the website of Politica Estadao, which when loaded began brute force password guessing attacks against users.
Souza says the attackers aimed to change the DNS settings on hacked routers, writing that “... the payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords.”
“[The] script is being used to identify the local IP address of your computer. It then starts guessing the router IP by passing it as a variable to another script,” Souza adds.
“iFrames were trying to change the DNS configuration on the victim’s DSL router by brute forcing the admin credentials.”
The attack code, which targeted Internet Explorer, tried possible router IP addresses on a reader's local network range, including '192.168.0.1' and '192.167.1.1'.
Content was loaded from the likely compromised website laspeores.com.ar and two others using iFrames that contained malicious JavaScript code.
“This is but one example of a wide range of actions available to the crackers,” Souza said. “Websites have been the number one distribution mechanism for malware for a while, and now we're seeing this evolution in attacks. It's unlikely that this will end soon.”
The attack is most easily foiled by changing the administrative credentials on the router, which are often left at the default, with both username and password set to admin.
Concerned users should disable JavaScript and play options for browser objects, and consider running script blockers such as NoScript or Not Script.

Snowden, Dotcom, throw bombs into NZ election campaign

Edward Snowden and Kim Dotcom have joined hands and waded into New Zealand politics ahead of the nation's forthcoming election, by alleging prime minister John Key has told fibs about his government's involvement with the NSA's nasties.
Snowden has released a new missive in which he claims that the many tools with which he worked at the NSA well and truly covered New Zealand.
That's politically sensitive because prime minister Key has said, during the election campaign and before, that New Zealand's government has not conducted mass surveillance of its people.
Snowden says New Zealand's government is up to its neck in the NSA's activities and offered the following statement:
Let me be clear: any statement that mass surveillance is not performed in New Zealand, or that the internet communications are not comprehensively intercepted and monitored, or that this is not intentionally and actively abetted by the GCSB, is categorically false.
Snowden also says that the XKEYSCORE tool offers its users a "Five Eyes Defeat" option that lets analysts exclude from their searches data drawn from the five-way intelligence alliance involving the U.S., U.K., Canada, Australia, and New Zealand.
"Ask yourself: why do analysts have a checkbox on a top secret system that hides the results of mass surveillance in New Zealand if there is no mass surveillance in New Zealand?" Snowden writes.
Spicing this stew is a new allegation, reported by the New Zealand Herald, of an email from Warner's Kevin Tsujihara to Mikael Ellis of the MPAA alleging that Key allowed Dotcom to settle in New Zealand in order to expedite his extradition to the USA.
The problem: the source appears to be a print-out of an e-mail - which would make proving its authenticity problematic at best.
Snowden amanuensis Glenn Greenwald has also weighed in at The Intercept, detailing how the Kiwi government engaged in mass surveillance through its Government Communications Security Bureau (GCSB).
Greenwald claims that the GCSB commenced work to implement a mass metadata surveillance system in 2012 and 2013, a project which Key says he spiked before it went into operation. That program included the following allegation:
"Top secret documents provided by the whistleblower demonstrate that the GCSB, with ongoing NSA cooperation, implemented Phase I of the mass surveillance program code-named 'Speargun' at some point in 2012 or early 2013. “Speargun” involved the covert installation of 'cable access' equipment, which appears to refer to surveillance of the country’s main undersea cable link, the Southern Cross cable. This cable carries the vast majority of internet traffic between New Zealand and the rest of the world, and mass collection from it would mark the greatest expansion of GCSB spying activities in decades."
Key has since released four cabinet papers (all PDFs) that he says disprove the allegation of a cable tap and mass surveillance efforts.
The information detailed above dribbled out over the last few days and was then re-hashed at an event in New Zealand on Monday evening titled "The Moment of Truth", available on YouTube.
Greenwald spoke at the event and said, among other things, that he has no interest in influencing the outcome of New Zealand's election.
"The idea that I got on a plane and flew 40 hours ... because I developed a desire to influence the outcome of the election is frivolous," he said.
Glenn Greenwald (L) and Kim Dotcom on stage at "The Moment of Truth" event in New Zealand
Greenwald also denied that he was being paid for his trip to New Zealand. But he agreed he was invited by New Zealand's Internet Party, an entity formed after urging by Kim Dotcom. The Mega man also funded the party and has promoted it vigorously in recent months.
It's hard to say if these revelations will have any impact on the election. The Internet Party and its allied Mana Party have occasionally hit 3.5 per cent in opinion polls. Perhaps that will spike in the wake of today's revelations.