I’m in midtown Manhattan, connected to the Net over my hotel’s slow but costly wi-fi connection. Normally when I’m traveling — at least here in the U.S. — I avoid lame hotel connections by using AT&T’s cellular data system, usually through my iPhone’s “personal hotspot.” more>>

Customers who used the self-checkout lanes at Lucky Supermarkets have been hacked. The grocer, which operates stores in California, says some of their credit card machines have been altered with sniffers to capture credit and debit card numbers. Lucky, owned by parent company Save Mart, is telling customers who used those machines to close their bank and credit card accounts. At least 80 at-risk accounts have been identified and the supermarket chain has gotten calls from more than 500 calls from customers who fear they are victims of fraud.

Card-skimming scams have been reported at gas stations and ATMs and retail chain stores. But this appears to be a first widespread attack at a supermarket checkout lane.

A key question remains how criminals could have attached these devices at multiple Lucky locations without anyone noticing. Lucky says at least 24 Bay area stores have been affected.

According to a report in the San Jose Mercury News, Save Mart’s CFO doesn’t think it’s an inside job, saying “It’s pretty well-understood technology. If a bad guy really wanted to go do this, they could probably go online and educate themselves at Google.”

Lucky first got suspicious on November 11th, when an employee doing maintenance noticed something that didn’t look right. They discovered an extra computer board inside the checkout machine recording customer info. Lucky says it warned customers on November 23rd, but it wasn’t aware of any cases of fraud at the time.

The checkout card readers were made by VeriFone, which confirmed there was a problem. The Lucky spokesman told the Mercury News “it was a very sophisticated device that they’d never seen before.” In addition to making credit card readers, VeriFone has a partnership with Google for NFC-based mobile payments.

Save Mart operates 233 stores in Northern California and Nevada under the names Save Mart, S-Mart Foods, Lucky and FoodMaxx brands. Lucky has posted a list of stores affected and information for consumers on their website.

The bounty to get a workable version of the Android operating system installed on the now-discontinued HP TouchPad is up to $2,000+, as of today.

As we previously reported, the goal of this project is to get some version of Android 2.x onto the TouchPad and, most importantly, stable. If successful, this effort will help keep the HP tablet a little more relevant to those unfortunate early adopters who have been left with a mobile operating system whose future is decidedly uncertain.

The project is being led by the modding community called HackNMod, which said it would divvy up the money to developers who achieve certain milestones, such as the first to get a “basic” port up and running, the first to get Wi-Fi working, the first to get audio functional, etc. $450 for the Android port itself comes from HackNMod itself, while the remaining portion will come from sponsors.

Today, the popular developer forum site XDA announced it, too, is getting in on the effort and has teamed up with HackNMod to increase the bounty to over $2,000. Its donation comes from an anonymous XDA member. XDA also has a dedicated forum for the TouchPad and TouchPad development. The forum thread announcing the increased bounty is here.

One group to watch in this effort is RootzWiki, which is working own its own “Touchdroid” project detailed here. Something tells us they’re going to end up with a good bit of that cash prize.

They’re out there. Be afraid. They could be anywhere, everywhere, anyone. They are shadowy, deadly, mysterious, guided by intellects vast and cool and unsympathetic. Security consultants and antivirus firms whisper legends of them to their clients to scare them straight. They are the Voldemort of online security, except that everyone is all too eager to say their name: the Advanced Persistent Threat. Hide your children! You cannot stop them!

…well, actually you probably could, and pretty easily too, but apparently most folks can’t be bothered.

Vanity Fair just wrote breathlessly about “Operation Shady RAT”, which featured “a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer.” Military-industrial standard-bearer Northrop Grumman is “constantly under attack by cyber-gangs.” A few months ago Security firm RSA’s SecurID systems were the victim of “an advanced persistent threat, a slow and consistent attack used by hackers to obtain specific information.” The Pentagon is alive to the APT threat, and says it is beginning to focus more on deterrence than on defence, because “each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks.” Why, just this week, San Francisco’s government-owned BART system was hacked by—

…waaaaaait a minute.

One can never be sure, particularly in this arena, but it seems that BART’s police database was hacked by … a teenage French girl, who reported: “They had zero security.” Here’s the link she allegedly used to hack them. Don’t worry, it’s no longer active. Take a good look at that URL. Remind you of anything? It should, if you’re an XKCD reader:

Ah, SQL injection, that old canard. But wait, it gets even worse:

Seriously? Seriously? Plaintext? Who runs security for these jokers, Mr. Bean?

OK, so maybe the BART hack was a script kiddie enabled by morons. But what about “Shady RAT”? So glad you asked. Vanity Fair’s clueless hyperbole makes it sound like no one in the history of the Internet had ever sent an email that linked to a page with a browser exploit before. Earth to their editors: you’re about a decade-and-a-half behind the times. The attacker then used steganography to communicate with the compromised machines. Ooo, steganography, scary and hard to pronounce! Sure, that might have been amazingly sophisticated…ten years ago.

The RSA hack worked in exactly the same way: emails to employees with an enticing-looking attachment, plus a zero-day Flash vulnerability. And the tech media went crazy about the deadly APT attack on a security company. Are you kidding me? That’s an example of an “advanced persistent threat”? Adobe products are legendary for their insecurity. If that’s an APT, so was News Corporation’s kindergarten-tech-level hacking of cell phones.

But don’t just take my word for it: “Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case,” says Symantec security researcher Hon Lau. Or as IT World trenchantly put it, re APT attacks in general: “The striking thing is sophistication of the excuses of victims, not the techniques of crackers … Only 3 percent of attacks were considered too slick for the victims to have been able to stop. That leaves 97 percent of data breach victims trying to find something other than themselves to blame. “

There are genuine, sophisticated, brilliant black-hat hackers out there. Some of them work in groups. Some even work for nation-states and militaries, including, very likely, the people who hacked Google eighteen months ago. But most hacks are made possible because the victims allowed them; and we shouldn’t forget that security companies have every incentive to make the dangers seem as deadly and sophisticated as possible.

Organizations everywhere put up full-spectrum firewalls, draft byzantine and Kafkaesque security policies, send delegates to security conferences to talk very seriously in hushed voices about APTs, and make endless pointless and/or disastrously counterproductive demands in the name of security theatre, such as forcing people to use impossible-to-remember passwords

while storing those incomprehensible passwords in plaintext on databases vulnerable to URL SQL injection, as their employees open poisoned attachments sent by strangers. That’s like being so worried about whether an enemy nation-state has fired a cruise missile at your house that you forget you left your car parked overnight with the door open and the keys in the ignition. In Oakland. Worrying about APTs directed by, say, China is very sexy—if blatantly sinophobic—these days, but maybe organizations shouldn’t start worrying about the enmity of the Middle Kingdom until they’ve first established their ability to handle bored teenage French girls with a bone to pick.

Image credit: “Public Enemy / Minor Threat”, believekevin, Flickr.

We just wanted to give a heads up to everyone to remind them that the annual layerOne hacking and security conference is coming up soon. They have announced their speaker line-up which includes talks on home monitoring, lockpicking, mobile malware and tons more. The event is located in Anaheim California on May 28-29.

They sent us sort of a press release with some information on the event and some details on the badge. You can read their email after the break.

The annual LayerOne hacking and security will be held on May 28-29,
2011 in Anaheim, CA. As always, there’s a great speaker lineup
(http://www.layerone.org/?page_id=85) at Layer One 2011. Some
highlights include John Norman talking about DIY Access Control
Systems (http://www.layerone.org/?page_id=85#arclight), Sam Bowne
talking about Layer 7 DDoS attacks
(http://www.layerone.org/?page_id=85#bowne), and Jimmy Shah talking
about For-profit malware on mobile devices
(http://www.layerone.org/?page_id=85#shah).

LayerOne includes a full fledged Lockpicking Village
(http://www.layerone.org/?page_id=105) and Hardware Hacking Village
(http://www.layerone.org/?page_id=103), both of which will have
demonstrations and training for those interested in picking locks,
cracking safes, making blinky lights, or learning how to surface mount
solder. This year will also be LayerOne’s first Tamper Evident Contest
(http://www.layerone.org/?page_id=45#tamper), where teams compete to
see who can best defeat mechanical, adhesive, and electronic tamper
indicating technologies while leaving no trace of their attacks.

This year’s badge will be a custom PCB that can be worked on in the
Hardware Hacking Village to make a mini synthesizer. Designed by
Charliex of Null Space Labs (http://www.nullspacelabs.com), it is
based on the open source meeblip (www.meeblip.com) and the AVR Synth
(http://www.elby-designs.com/avrsynth/avrsyn-about.htm). (The meeblip
is a reworked version of the AVR synth.) It has a 16 bit output with a
DAC that’s loaded 8 bits at a time. To cut down costs and assembly
time we used a simple R2R ladder and dropped off the amp stage, since
R2R’s pretty much rock.

The design was changed to surface mount (from through-hole); we don’t
have any through hole soldering equipment and it’s not 1980. The CPU
was switched to the ATMEGA64 or ATMEGA128 for those needing next-level
beats and more hackability. The MIDI interface is on a seperate mini
PCB that connects to the badge so you can play Rockband’s pro keyboard
or guitar. The pots were changed to linear slide and the switches to
momentary to save cost and space. Our intial meeblip version we
reworked at NSL worked out about half the cost of the original —
this one is even less than that. Both ISP and JTAG are broken out,
since the ATMEGA64/128 is one of the bastard children of the ATMEL
series. Finally, 20 charlieplexed LED’s were added because blinky
things are a must have at any premier security conference.

Speakers will have their own top-secret 4-layer PCB badges designed by
Krs (http://www.layerone.org/?page_id=85#krs), who is also giving a
short talk on their design and her experiences going from EE newbie to
designing complex PCBs in less than a year.

Filed under: news, security hacks

Since Sony’s PlayStation and music networks went down two days ago, there has been a fair amount of public speculation over the cause of the outage. (Largely due to Sony’s tight-lipped handling of public relations.) Many blamed vengeful gremlins loose in Sony’s server clusters and datacenters, while others immediately pointed the finger at Anonymous, the merry band of hackers that metastasized out of 4chan.

Thankfully, after 24+ hours of communication silence, Sony has updated its blog and ended the speculation. According to the electronics colossus, “an external intrusion” is responsible for the ongoing outages of the PlayStation Network and Qriocity. (It probably sounded like this at Sony headquarters. Or this.)

As to who these nefarious “intruders” are: It seems that Sony does not yet know who is responsible for the breach, or if it does, it is instead smartly spending its time sealing areas of vulnerability and trying to get the network back up and running. And though reports of PlayStation’s outage began heating up early Thursday morning, Sony reports that it in fact self-defensively shut down the Network sometime Wednesday evening.

According to the network’s blog, “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”

So, when I said Sony has ended all speculation, I was really only half-correct. Sony is still not naming the party responsible for the breach, so the speculation will likely continue. (Can you hear the blogosphere cheering?) Anonymous has prior beef with Sony and has attacked the company before, so it’s not surprising many blamed them for the service disruption. (You can read more about Anon’s prior grievances with Sony in yesterday’s post.)

However, AnonOps (Anonymous Operations), the group’s mouthpiece and network through which members frequently communicate, has adamantly stated via its news wing that it was not responsible for the outage. Though, it seems that this particular announcement was made prior to Sony delivering the news that the problem was in fact due to hacking. So, Anonymous pointing to Sony’s incompetence as the cause of the outages is off base. Sort of.

More likely, as Anonymous makes mention of in the announcement, the hack was perpetrated by some offshoot of the group, which is either more angry at Sony than the majority, or is more eager to get its precious “lulz”. (While I have to admit that I sometimes find myself sympathetic to some of Anonymous’ philosophical stances, it’s hard not to use words like “fundamentalist” when referring to “factions” within the group, and draw structural comparisons between black hatters and terrorists. There are obviously important distinctions here, and line-blurring, but there it is.) Or, on the other hand, we might soon be learning of an as-yet-unknown hacker entity that is making a run at Anonymous for public notoriety. Gulp.

The PlayStation Network currently has over 70 million users and is Sony’s online medium for its PlayStation 3 and PlayStation Portable consoles. Both the Network, and Sony’s Qriocity music service were targeted. As stated previously, in its most recent blog post, Network spokespeople make no mention of how long the outage will continue, but it’s likely that it may take several more days to sort out. And this is after Sony posted yesterday saying that the outage may last for a “full day or two” — and after Amazon’s web and cloud services suffered from their own major outage.

At this point, the outage has lasted for over 48 hours and has become quite a disaster for Sony. (Or a “kerfuffle”, if you prefer a softer word.) Now, if this were in fact the result of denial-of-service attacks, it’s hard to place the blame entirely on Sony. Few networks can defend against large-scale DDoS attacks, which is, sadly, the point. That being said, the company has known since Wednesday night that there was an intrusion, so I find it odd that it would wait for two days to inform its users — and remove a post from its EU blog early Thursday saying that the outage is a result of “targeted behaviour by an outside party”.

All in all, the company’s public relations strategy is, at the least, very confusing. While it’s true that millions of gamers are being inconvenienced and are being forced offline, sure, it’s certainly not the end of the world. But, both for the sake of the company — and its users — a higher frequency of communication and level of transparency has to be achieved. In today’s world, a company can’t allow its official Twitter streams (@Playstation has nearly 800K followers) to go without an update for 24 hours. Especially when 70 million people are affected.

So, for everyone’s sake, I hope the Network can get up and running before this turns into the longest widespread network outage (due to hacking) in recent memory. If it isn’t already.

We will update this post over the weekend as we learn more. Stay tuned.

Sometimes it helps to have an entire set of tools with you to tackle a problem, and sometimes it helps to take the discreet route. [StenoPlasma] took the latter of these approaches, and stuffed a USB hub, a 16 GB flash drive, and an Atheros based USB wireless adapter into a regular looking USB mouse to make a Linux bootable system in a mouse. Because he chose the Atheros adapter, he is also capable of doing packet injection with tools like Aircrack-ng, which can invaluable in a security audit or (white hat) hacking situation.

This is the only photo we have, so it could be possible that the mouse is no more than a mouse, however we know all of what [StenoPlasma] claims is 100% possible, so we’ll give him the benefit of the doubt, and hope this inspires others to hack up your own mouse kits. Be sure to check out the full parts list after the break.

Parts:

• Targus USB 2.0 4-Port Bend-a-Hub (Stripped and re-soldered)
• Belkin USB 10′ Extension Cord (with the extension USB in place to make it easy for me to change cable lengths)
• IOGEAR Atheros Wireless B/G Injectable Cracking Adapter
• Corsair Voyager Mini 16 GB Thumb Drive
• Logitech MX310 Wired Optical Mouse

Filed under: linux hacks

Shaun Nichols in San Francisco, V3.co.uk, Thursday 4 November 2010 at 01:30:00

A major distributed denial-of-service (DDoS) attack has cut off network
traffic in the country of Myanmar (formerly Burma).

Security firm Arbor Networks reported major spikes in traffic at certain
times over the past week that prevented access for the country’s largest
internet service provider.

Arbor Networks said that the traffic spikes peaked at 14.58Gbit/s, well
beyond the levels believed necessary to take down the country’s network
infrastructure.

The company declined to speculate on motives for the attack, but chief
scientist Craig Labovitz noted in a
blog
post that the surge is greater than previous high-profile attacks on
national infrastructures.

“DDoS attacks against e-commerce and commercial sites are common (hundreds
per day), but large-scale geo-politically motivated attacks, especially ones
targeting an entire country, remain rare with a few notable exceptions,” he
said.

“At 10Gbit/s to 15Gbit/s, the Myanmar attack is also significantly larger
than the 2007 Georgia and Estonia attacks.”

Myanmar and its junta government are no strangers to controversy when it
comes to internet access. The country has long been criticised for its
censorship
policies and
attempts
to block electronic media.

Shaun Nichols in San Francisco, V3.co.uk, Wednesday 3 November 2010 at 18:26:00

Microsoft is warning users to be on the lookout following the discovery of a
security flaw in its Internet Explorer browser.

The company said that the vulnerability exists in versions, 6 7 and 8 of the
browser, though the IE 9 beta releases are not subject to the flaw.

Microsoft blamed the condition on an invalid flag reference within the
browser. If targeted, an attacker could use a specially-crafted web page to
trigger an error and then have the ability to remotely execute code on a
targeted system.

Such remote code vulnerabilities are a favourite amongst malware writers for
infecting victims with trojan packages.

The company said that while targeted attacks on the flaw have been reported,
the threat to users at this time is believed to be extremely limited. Microsoft
did not say whether the flaw would be addressed with the 9 November monthly
security update or through an out-of-band patch at a different date.

Users wishing to protect their systems in the meantime can run the browser in
protected mode or use the IE 9 beta. Additionally, Microsoft is advising users
to be weary of untrusted sites or suspicious links.

David Neal, V3.co.uk, Tuesday 2 November 2010 at 11:36:00

Google has extended its bounty payouts to researchers who spot security
issues in some of its web applications, following a number of successes with its
Chromium rewards programme.

The company said that the initiative hopes to mirror the reports Google has
been receiving from external security researchers.

“We’ve seen a sustained increase in the number of high-quality reports from
researchers, and their combined efforts are contributing to a more secure
Chromium browser for millions of users,” said the Google Security Team in a
blog
post.

“Today, we are announcing an experimental new vulnerability reward programme
that applies to Google web properties.

“As well as enabling us to thank regular contributors in a new way, we hope
it will attract new researchers and the types of reports that help make our
users safer.”

Researchers are asked to provide information on security problems in Google
search pages, YouTube, Blogger and Orkut.

This means that some applications, most notably Android, Picasa and Google
Desktop, will not be included. Google said that it may expand the programme in
the future.

Google explained that it is difficult to provide a list of vulnerability
discoveries that will be rewarded, but that “any serious bug which directly
affects the confidentiality or integrity of user data” will meet its criteria.

“We anticipate that most rewards will be in bug categories such as XSS,
XSRF/CSRF, XSSI, bypassing authorisation controls (e.g. User A can access User
B’s private data) and server-side code execution or command injection,” the firm
said.

However, Google has a definite list of vulnerability discoveries that will
not be rewarded, including attacks against its own infrastructure, social
engineering and physical attacks, denial-of-service, SEO black hat techniques or
bugs in technology the company has only recently acquired.

Google also warned researchers against testing on accounts that were not
their own or had been set up specifically for testing.

Rewards start at $500 (£310) but can go as high as $3,133 (£1,960).
Benevolent researchers can anonymously donate to charity, and Google will match
any such donations.

Phil Muncaster, V3.co.uk, Saturday 30 October 2010 at 12:01:00

This week in security has been a fairly quiet one. Adobe’s latest revelation
of a zero-day flaw in Reader, Acrobat and Flash was probably the pick of the
stories, while a TechNet conference hosted by the Armed Forces Communications
and Electronics Association also provided some outspoken views on cyber crime.

First to Adobe, though, and its
zero-day
problems. The firm has not yet released a patch, but has issued a workaround
for IT administrators to ward off intruders.

Danish security analysts Secunia rated the flaw as ‘extremely critical’ as it
could cause a crash and potentially allow an attacker to take control of the
affected system

Elsewhere it emerged that the
notorious
Koobface social networking malware is now targeting Mac OS X systems.
Security firms reported that variants of the malware have been targeting Mac
users on social networking sites such as Facebook, Twitter and MySpace.

There was more gloomy news earlier in the week as spam monitoring firm Spam
Ratings found that one in 10 UK web firms is
sending
unsolicited email to customers, contributing to a spam landscape that is
spiralling out of control.

The firm’s 12-month study of 10,000 web sites and 150,000 emails found that
spam has increased dramatically, and that the main source of the messages is web
sites.

However, better news came from Russia, as police were reported to have
filed
a criminal case against a man accused of being one of the world’s most
prolific spammers.

Igor Gusev and his company Despmedia are accused of running a huge
pharmaceutical spam operation that police estimate generated $120m (£75m) in
three and a half years, primarily by selling counterfeit pharmaceuticals such as
Viagra

Elsewhere, the Internet Crime Complaint Center
issued
two fraud alerts warning of attacks targeting enterprises and individual
users.

The attacks range from malware-laden emails and phishing attempts, to social
engineering scams that attempt to trick people into handing over account
information.

Finally, there was some tough talking to come out of the TechNet conference
in London this week. First a senior director from the US Department of Energy US
said the country is
bracing
for an attack on its national energy grid computing systems involving
Stuxnet-like malware.

Then the former CIO for the FBI, Zalmai Azmi, argued during a keynote speech
that
current
laws are outdated and ill-designed for the digital age, and actively prevent
law enforcers effectively fighting cyber crime.

Azmi also warned the crowd of military technologists that the current cyber
security workforce is woefully undermanned to deal with the scale and level of
modern threats, and that greater co-operation between the intelligence community
and the private sector is necessary.

Phil Muncaster, V3.co.uk, Saturday 30 October 2010 at 11:44:00

Crime fighters will soon benefit from training on how to gather evidence from
mobile phones and computers and track suspects via social media.

The National Policing Improvement Agency (NPIA) said it launched the
initiative to make detective training more relevant to the challenges of modern
policing.

Around 3,500 students who take the NPIA’s Initial Crime Investigators
Development Programme each year will benefit from the improvements.

The updated training exercises will teach students how best to gather
evidence from technology such as computers, mobile phones, CCTV, automatic
number plate recognition cameras and National Footwear Reference Collection
images, as well as financial data such as bank statements and the use of cash
machines.

Deputy Chief Constable Nick Gargan, chief executive of the NPIA, explained
that the improvements were necessary to give detectives the skills to tackle the
“challenges and complexities of modern policing”.

“This programme is a vital part of the career pathway for detectives, and the
new training covers sensitive areas of policing where limited guidance existed
previously,” he said.

“The changes underline the importance of having a national agency to provide
guidance and train detectives to a single high standard so they can work on
investigations in any part of the country and give their colleagues and the
public the best quality service in fighting crime.”

The police are often criticised for being woefully under-resourced when it
comes to investigating online fraud and hi-tech crime.

In June it was revealed that the Metropolitan Police Central e-Crime Unit is
to have its funding slashed by 30 per cent as part of Home Office cuts.

Iain Thomson in San Francisco, V3.co.uk, Thursday 28 October 2010 at 22:24:00

Adobe has warned of attacks on a zero-day flaw in its Reader, Acrobat and
Flash applications.

The company has not released a patch, but has issued a workaround for IT
administrators to ward off intruders. Danish security analysts Secunia rated the
flaw as
extremely
critical.

Adobe said in a
security
advisory that the vulnerability could cause a crash and potentially allow an
attacker to take control of the affected system.

“There are reports that this vulnerability is being actively exploited in the
wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of
attacks targeting Adobe Flash Player,” the firm said.

All versions of Flash on Windows, Mac, Linux and Android are vulnerable,
which also affects the Authplay component of Reader and Acrobat 9.x that renders
Flash in PDFs.

A full patch for Reader and Acrobat is expected by 15 November and the Flash
flaw will be fixed a week earlier, according to Adobe.

Adobe
released
a fix yesterday for a previous flaw in Shockwave for Windows and Macintosh.

Phil Muncaster, V3.co.uk, Thursday 28 October 2010 at 16:39:00

The US is bracing for an attack on its national energy grid computing systems
involving Stuxnet-like malware, according to a senior director from the
Department of Energy.

Patrick Ciganer, director of the department’s Transparency Initiative, told
attendees at a conference organised by the Armed Forces Communications and
Electronics Association that “it is going to happen”.

“We have to avoid the obvious scenarios and mitigate the consequences when an
event happens,” he said.

Ciganer explained that the department has already taken preventative steps,
such as ensuring a high level of redundancy in the network and a
defence-in-depth approach to cyber security.

Stuxnet was branded “probably the most important malware in the last 10 years
” by F-Secure chief research officer Mikko Hyppönen at the event.

The malicious code
exploited
four zero-day vulnerabilities in its mission to disrupt industrial
supervisory control and data acquisition systems, and is likely to have been
crafted by a state-backed group.

However, Ciganer warned that Stuxnet is not the only threat facing critical
national infrastructures such as the US energy grid, and that the utility
industry’s move towards smart grids could pose new security threats globally.

“We had a simple point-to-point system with a clearly defined set up of
controls, but as [the system] gets smarter with localised intelligence the risk
will increase,” he said.

“With multi-layered interconnectivity you are opening the door to a broader
set of vulnerabilities.”

Iain Thomson in San Francisco, V3.co.uk, Thursday 28 October 2010 at 03:14:00

Russian police are reported to have filed a criminal case against a man
accused of being one of the world’s most prolific spammers.

Igor Gusev and his company Despmedia are accused of running a huge
pharmaceutical spam operation that police estimate generated $120m (£75m) in
three and a half years, primarily by selling counterfeit pharmaceuticals such as
Viagra.

Russia’s Federal Security Service closed down the spamdot.biz web site last
year, which was reportedly run by Glavmed.com, which was controlled by
Despmedia.

Police raided Gusev’s home on 26 October, and said that, as far as they are
aware, he is not in Russia at the moment, but that they are actively looking for
him. Gusev is thought to have made $2m (£1.25m) personally from his businesses.

Gusev’s lawyer, Vadim Kolosov,
confirmed
to Reuters that a criminal case had been opened against his client, but
maintained that he “has no relation to these activities”.

Russia has become an increasingly popular location for online criminals,
particularly since the Chinese government took steps to
crack
down on abuse within its borders.

Phil Muncaster, V3.co.uk, Wednesday 27 October 2010 at 13:54:00

Browser manufacturer Mozilla is working on a fix for yet another critical
zero-day vulnerability in its Firefox software, which is being used by cyber
criminals to install Trojans on victims’ PCs.

Norwegian security vendor Norman ASA was the first to discover the flaw in
Firefox 3.5 and 3.6, the latest version, after identifying new malware infecting
the
Nobel
Prize site early on Tuesday.

If users of these versions of Firefox visited the site while the attack was
active, the Trojan would have covertly installed itself on their PC, Norman ASA
explained.

The malware would then attempt to connect to two internet addresses which
point to a server in Taiwan. If the connection was successful, the perpetrator
would gain access to the infected PC.

In an update on the
Mozilla
security blog, the browser maker said that the Nobel site is now being
blocked by Firefox’s built-in malware protection.

“However, the exploit code could still be live on other web sites,” the firm
said. “We have diagnosed the issue and are currently developing a fix which will
be pushed out to Firefox users as soon as the fix has been properly tested.”

Mozilla advised users in the meantime to disable JavaScript in Firefox or use
the NoScript add-on.

There are no other reported attempts to exploit this flaw at present.

Only last week,
Mozilla
updated Firefox to fix nine security flaws, including five remote code
execution vulnerabilities which, if exploited, could allow attackers to remotely
install malware on a targeted system.

Shaun Nichols in San Francisco, V3.co.uk, Tuesday 26 October 2010 at 02:02:00

The Internet Crime Complaint Center has issued two fraud alerts warning of
attacks targeting enterprises and individual users.

The
Fraud
Advisory for Businesses (PDF) said that the attacks range from malware-laden
emails and phishing attempts, to social engineering scams that attempt to trick
people into handing over account information.

“First identified in 2006, this ‘corporate account takeover’ fraud has
morphed in terms of the types of companies targeted and the technologies and
techniques employed by cyber criminals,” reads the alert.

“Where cyber criminals once attacked mostly large corporations, they have now
begun to target municipalities, smaller businesses and non-profit organisations.
“

The
Fraud
Advisory for Consumers (PDF), meanwhile, warns of criminal operations
disguised as ‘work from home’ job opportunities. Cyber criminals often use such
postings to recruit people for ‘money mule’ operations.

Victims are asked to receive payments from compromised accounts into their
own bank accounts, and then send the funds overseas via wire transfer.

In the process, the stolen money is ‘laundered’ through the user’s account
and securely transferred to criminal groups.

A group of money mules and the individuals who manage such operations were
the recent target of a
series
of arrests in the US and Europe in connection with the Zeus malware.

The security alert warns people to avoid suspicious job postings,
particularly those that ask for bank account information or a fee prior to
employment.

Phil Muncaster, V3.co.uk, Sunday 24 October 2010 at 15:15:00

This week was dominated by the government’s spending plans, and the IT
security sphere was no different. First up on our round-up list is yet another
high level acknowledgement of the threat to the UK of cyber attack.

This time it was UK home secretary Theresa May who confirmed that the
government is aware of the
threat
of sophisticated terror attacks designed to take out the country’s national
infrastructure

Then the following day, prime minister David Cameron
pledged
a further £500m to help the UK defend against the growing threat of cyber
attacks.

Cameron argued that the rise in “unconventional threats” had made an increase
in spending on cyber defences necessary.

Also this week, Panda Security
launched
an anti-virus product designed to protect popular Apple products including
the iPhone and iPad.

The Spanish security firm said that Panda Antivirus for Mac can counter the
increasing threats targeted at Apple products.

Mozilla and Google, meanwhile,
released
updates designed to shore up their respective browsers.

The Firefox update includes fixes for nine security flaws, including five
remote code execution vulnerabilities. If exploited, such flaws can allow
attackers to remotely install malware on a targeted system without user
notification.

The Chrome update, meanwhile, patches 10 flaws in multiple versions of the
browser, including two unique to the Linux version.

There was bad news for Apple, though, after a
security
flaw was uncovered in its FaceTime for Mac video chat tool just one day
after its introduction.

The application reportedly fails properly to conceal account information
relating to the Apple ID service, putting users at risk of account theft in
certain situations.

And finally, security vendor Stonesoft claimed this week to have discovered a
dangerous
new category of threat which could render network security tools useless.

So-called ‘advanced evasion techniques’ use different methods in virtually
limitless combinations to avoid detection by 99 per cent of current products on
the market, according to the vendor.

The firm argued that a “clear rethink” is needed in the network security
industry to combat such threats.

Iain Thomson in San Francisco, V3.co.uk, Friday 22 October 2010 at 23:25:00

A Scottish man arrested as part of an investigation into the m00p botnet and
hacking group has pleaded guilty to offences under the Computer Misuse Act.

Matthew Anderson used his computer security business Optom Security as a
front for the m00p group, which wrote large amounts of malware to set up botnets
of infected computers. He operated under the handles ‘warpigs’ and ‘aobuluz’.

“This organised online criminal network infected huge numbers of computers
around the world, especially targeting UK businesses and individuals,” said DC
Bob Burls from the Police Central e-Crime Unit (PCeU).

“Matthew Anderson methodically exploited computer users not only for his own
financial gain but to violate their privacy. As this case shows, criminals can’t
hide online and are being held to account for their actions.”

Anderson and two other men were
arrested
in June 2006 by the PCeU, the Finnish National Bureau of Investigation and
the Finnish Pori Police Department, with significant help from the commercial
anti-virus industry.

“We here at F-Secure are happy to get some closure on this long case, with
which we’ve been working for a number of years,” said Mikko Hyppönen, chief
security officer at F-Secure, in a
blog
post.

“This group produced several different malware families over several years.
They were created for financial gain.”

One of the two other suspects, a Suffolk man, was released without charge,
and Artturi Alm pleaded guilty in Finland in 2008 and received a sentence of 18
days and a community service order.

Shaun Nichols in San Francisco, V3.co.uk, Friday 22 October 2010 at 01:04:00

A security flaw has been uncovered in Apple’s FaceTime for Mac video chat
tool just one day after its introduction.

The application reportedly fails properly to conceal account information
relating to the Apple ID service, putting users at risk of account theft in
certain situations.

Apple news site
Macnotes.de
said that, when the FaceTime application is active, user account details,
including password and recovery questions, can be accessed without the need to
enter authentication information.

Apple introduced a beta version of FaceTime earlier this week for Mac OS X
Leopard. The application is expected to be included as part of the
Mac
OS X Lion release.

The report suggests that a third party could potentially access a machine and
take over the Apple ID account of the original user.

Additionally, auto-save components in FaceTime will log password information,
allowing a third party to launch the application without entering a password.

The flaw requires physical access to the machine, but could pose a threat to
those who use a public system or share their computers with others.

Wendy M Grossman, V3.co.uk, Wednesday 20 October 2010 at 12:52:00

Stephen Howes, chief executive and co-founder of
GrIDsure,
has a not-so-modest ambition: to reinvent passwords to make them more secure and
less onerous. He has the technology; what’s needed is real-world adoption.

“People are forgetting the end user,” he said. “Being forced into using
complex passwords doesn’t fit with the natural way of thinking.”

Howes began as a software engineer, graduating from what’s now Oxford Brookes
University in the early 1980s when programming was all mainframes and Cobol.

“You didn’t go immediately to a keyboard and start typing. You had to plan
things out properly and do things on coding sheets and really think about the
problem you were trying to solve,” he said.

“Someone typed your code in for you, and a couple of days later you’d go in
and run it for the first time and see how many errors there were.”

After a brief stint in the pharmaceutical industry, Howes took a “leap of
faith” and went to work for a company that the local recruitment agency told him
was doing things with “this thing called the internet” that might never amount
to anything.

The company was Pipex, and Howes became employee number 20. He stayed there
while it was bought by UUnet and then WorldCom, whose stock options he still has
on paper.

Again, problem solving was a key element. “It was quite recognised within
UUnet that if there were nutty problems to be solved, give them to the guys in
Europe,” Howes said.

Americans would want to give up and move on after a couple of days. “In
Europe we would keep cracking at it until we found a solution,” he explained.

It was, Howes said, an exciting time working with internet visionaries, and
he stayed “until WorldCom came and screwed it up”.

In 2002 he started up an IT consultancy. “I was doing a piece of work for a
guy named Jonathan Craymer [GrIDsure's co-founder], who was working on a
mechanism for being able to remember PINs,” he said.

“Somebody asked him how they could generate one-time PINs or passwords
without having to carry any hardware. So he sat in my kitchen one day and
scribbled on lots of pieces of paper and a few hours later came up with the
GrIDsure concept.”

The technology is deceptively simple: instead of a traditional password entry
box, it offers a square grid made up of smaller squares. Choosing a password is
a matter of picking a pattern.

Thereafter, whenever you need to log in you are shown the same grid with
random numbers in each square; you enter the numbers that correspond to your
pattern.

For many people, remembering a pattern is easier than remembering a complex
sequence of numbers and letters. Meanwhile, an interloper trying to steal the
password is stymied because the numbers in the grid are different every time.

The difficulty with trying to reinvent something as basic as passwords,
however, is getting people to buy in; it’s easier to stick with known methods.
Therefore, the tough problems for GrIDsure to solve are out in the world.

“The hardest is not with GrIDsure per se, but in getting the
established security community to think out of the established box. And also
that people naturally try to find complicated answers to problems,” said Howes.

Instead of looking for the nirvana of security, it would be wiser to accept
that hackers are attacking the problem in “incremental steps”, according to
Howes.

“The approach to hacking should be met by security people who take an
incremental approach to security. You only have to stay one step ahead of the
bad guys to be successful. You don’t have to be 100 steps ahead,” he said.

Howes is regularly asked how he came up with the password idea. “When you’re
trying to solve a problem you have to think a bit differently with an open mind,
” he said.

A lot of that open mind goes back to his personal background. “I’m one of
those people who don’t like being told what to do or think. I hated every day of
school,” he explained. In the military, he said, he’d have been locked up for
questioning orders.

“It would be lovely to resurrect another UUnet,” he said, adding that the
kind of innovative thinking that went on among the group of internet visionaries
assembled there was overtaken by business considerations after the dot-com
bubble burst, and hasn’t really resumed.

“It would be good to get people in a room to blue-sky some things that could
or should be done. There’s a lot more opportunity there,” he said.

“Some of the protocols we use on the internet are 40 to 50 years old. It
needs people to come in and have a rethink about some of these things and
develop new protocols to make it more secure.”

Dan Worth, V3.co.uk, Wednesday 20 October 2010 at 12:26:00

The government has earmarked a further £500m to help the UK defend against
the growing threat of cyber attacks.

Prime minister David Cameron said in the House of Commons on Tuesday that the
rise in “unconventional threats” had made an increase in spending on cyber
defences necessary.

“Over the next four years, we will invest over £500m of new money in a
national cyber security programme,” he said in a
statement
on the Strategic Defence and Security Review.

“This will significantly enhance our ability to detect and defend against
cyber attacks, and fix shortfalls in the critical cyber infrastructure on which
the whole country now depends.”

The announcement is particularly notable as it comes in the same week that
the government will announce its spending review, with huge cuts likely in
virtually all departments, underlining how seriously the cyber threat is being
taken at the highest levels.

The increased budget will be welcomed by GCHQ director Iain Lobban, who
warned earlier this week that a
cyber
attack on the UK is increasingly likely as criminals continue to target
national infrastructure networks.

“Cyber space is contested every day, every hour, every minute, every second.
I can vouch for that from the displays in our own operations centre of
minute-by-minute cyber attempts to penetrate systems around the world,” he said.

William Beer, director of PricewaterhouseCooper’s One Security division,
welcomed the government’s increased spending, arguing that it is vital to have
trained IT professionals to combat this threat before it is too late.

“Fighting the cyber war requires an army of prize troops, and we just don’t
have enough of them at the moment,” he said.

“The people element is often overlooked in building strong cyber defences,
but this funding will be vital in attracting top talent into the industry as
well as providing security professionals with the best training and support.”

Beer added that it is necessary to fund this area of security because cyber
criminals are becoming ever more adept at attacking and infiltrating systems.

“Computer systems in the UK are being targeted daily by highly organised
cyber criminals and state-led operations from across the globe,” he said.

“They are willing to invest in developing sophisticated attacks and, although
it’s impossible to predict the future, gaining insight into new developments
will help to build better defences against potentially crippling attacks.”

David Neal, V3.co.uk, Wednesday 20 October 2010 at 12:18:00

Russian security firm Kaspersky Lab has admitted it was the victim of a
hacking attack on Sunday that exploited a bug in a web program which apparently
involved software downloads.

Kaspersky said that the scammers were able to fool visitors into thinking
that they were downloading an official Kaspersky product when in fact it was a
fake.

The trick seems to be a fairly old one, and users were presented with a
pop-up box that offered to run a scan on their machines. If accepted, this would
alert users to an ‘infection’ and prompt them to download the rogue application.

Kaspersky said that the attack was limited to its kasperskyusa.com domain,
and exploited a vulnerability in a third-party application used for “assisting
web site administration routines”.

The company confirmed in a statement that the domain redirected visitors to a
fake program for around three and a half hours.

“As a result of the attack, users trying to download Kaspersky Lab’s consumer
products were redirected to a malicious web site,” the firm said.

“The web site was simulating a Windows XP Explorer window and a pop-up window
showing scanning processes on the local computer, offering the user a fake
anti-virus program to install.”

Once Kaspersky had been made aware of the vulnerability, probably through its
own
forums,
the affected server was taken offline in 10 minutes.

Vulnerable components were removed and replaced with clean files, and
Kaspersky promised that it has audited the site and that no personal user
information had been exposed.

“Kaspersky Lab takes any attempt to compromise its security seriously. Our
researchers are currently working on identifying any possible consequences of
the attack for affected users, and are available to provide help to remove the
fake anti-virus software,” the company said.

Rosalie Marshall, V3.co.uk, Tuesday 19 October 2010 at 15:27:00

Security experts have warned that the UK needs to act fast in implementing
proper defences against cyber attacks.

The possibility of a attack that could cause serious distress to the UK
government and industry is increasingly likely, according to GCHQ director Iain
Lobban.

The
threat
profile was raised last week at the RSA Conference Europe, when Lobban
advised national security agencies to work with internet service providers to
mitigate a potential attack. Lobban suggested that ISPs provide a direct feed of
information to GCHQ to make the government intelligence agency aware of attacks
as soon as they happen.

The strategy would require a different sort of partnership between national
security agencies and key industry players, he said, with systems being more
interconnected.

Also at the RSA Conference, former White House advisor Richard Clarke urged
the European Union to work with the US to
clamp
down on nation states that allow hackers to carry out attacks from within
their borders.

Clarke suggested that an international organisation could filter the internet
traffic in the troublesome states.

The House of Lords, meanwhile, has committed to staying up to date with the
latest
cyber security issues.

The Lords discussed the need for greater collaboration between the private
sector and government, and echoed the sentiments of the EU, which wants to work
more closely with Nato to share intelligence and defend member states against
cyber attacks.

As the topic became a focus point in the news last week, security experts
have come forward with views on how the UK can best protect itself from attack.

Robert Roy, chief technology officer at Fortify Software, argued that
Clarke’s proposed method of monitoring internet traffic is a reactive measure
which has cost and privacy implications.

“Monitoring traffic certainly has its sensitivities. The US government has
already taken to doing something along these lines with Einstein, the intrusion
detection system that monitors traffic going to government sites,” he said.

“It is now considering using a similar system to protect critical
infrastructure.”

However, Roy warned that private industry is unlikely to spend money
monitoring traffic unless they are legally obliged to do so, and ISPs will not
want to be seen as blocking individuals’ access to the internet.

Roy suggested that a government’s first priority in protecting against cyber
attacks should be strengthening the software it uses.

“The overall issue is that our systems are weak in terms of their ability to
detect threatening attacks,” he said.

“We can be reactive, and monitor attacks and try to intercept them, but the
alternative is to look at what the threats are going after, and to look at the
software and assets.

“Internet criminals want to break into the software, so we need to strengthen
it. We also need financial incentives in place to encourage nations to protect
their infrastructures.

“And the government needs to educate the public on the dangers of clicking on
links they are not familiar with. Visiting web sites with malware on them is one
of the most serious threats at the moment.”

Graham Titterington, principal analyst at Ovum, pointed out that the UK also
needs to strengthen plans for dealing with the aftermath of a cyber attack on
critical national infrastructure.

“This should include a full study of the network interconnections surrounding
supervisory control and data acquisition systems, full application testing
relating to security for these systems, and a review of alternative ways in
which these could be connected, if they have to be connected at all,” he said.

Greg Day, European director of security strategy at McAfee, suggested that
testing government systems and training staff will help the country to combat a
cyber attack.

Day commended the government for its advances this year, including the Cyber
Security Operations Centre and the Office of Computer Security, as well as the
launch of the Cyber Security Challenge aimed at finding the UK’s future cyber
security experts.

“Governments need to understand the potential scale and scope of enemy
attacks in order to put the right defences in place. In the past this has been a
little static, but lessons have been learnt,” Day said.

“The government has talked of a step-change in the approach to national
threats with a major increase in resources to combating internet threats.

“Positive steps are being made, and countries just need to make sure they are
dynamic enough to keep pace with the changing threat landscape.”

Kevin Franks, chief executive at Lieberman Software, agreed that countries
must collect ongoing intelligence about the threat landscape, saying that the UK
needs to establish cyber security laws with teeth rather than relying on annual
IT audits to mitigate vulnerabilities.

“We need continuous compliance, continuous auditing and a new strategy
towards the idea of making cyber defence a daily activity,” said Franks.

Calum Macleod, European director at Venafi, said that his 25 years in the
encryption industry had taught him that automation is key to keeping a close
watch on procedures and security best practices.

Organisations should use comprehensive tools to monitor the status of IT
systems, according to Macleod, as well as the workflow and audit results.

Bradley Anstis, technical strategy vice president at M86 Security, argued
that organisations need to make staff and partners aware of the right people to
notify when they find compromised data, and that the security industry should
share knowledge on new attack methods as much as possible.

The dynamic nature of today’s cyber threats mean that organisations need to
use proactive malware detection technologies and not rely solely on software
patches.

“These proactive technologies are able to detect completely new and emerging
attacks by concentrating on what the attack is trying to do, rather than trying
to identify the attack,” said Anstis.

Phil Muncaster, V3.co.uk, Tuesday 19 October 2010 at 10:52:00

Online authentication firm VeriSign has launched three cloud-based services
designed to help online retailers reduce downtime, improve performance and
availability, and mitigate the risk of DDoS attacks and other threats.

Released in time for the busy Christmas shopping period, which can generate
over a third of annual sales for some retailers, the
eHoliday
Uptime bundle combines a DNS Availability, Network Availability and
Application Availability service.

DNS Availability features VeriSign’s managed DNS service to ensure web site
availability and reduce costs associated with maintaining DNS infrastructure,
according to the firm.

The Network Availability component uses VeriSign’s Internet Defense Network
to provide customers with a scalable DDoS monitoring and mitigation service.

Finally on offer is a real-time threat intelligence service from VeriSign’s
iDefense managed security services arm, designed to provide online retailers
with the information they need to block threats from malware and application
vulnerabilities.

“The DNS failures and DDoS outages experienced by many companies last year
emphasises the high cost of downtime during the holidays,” said Ben Petro,
senior vice president of VeriSign’s Network Intelligence and Availability
business.

“We want every company that depends on their web site for sales to have
access to best-of-breed offerings that defend against the primary threats to
availability.”

Ted Julian, principal analyst at Yankee Group, said that to be forced offline
in the festive season could lead to losses of millions of dollars for the top
online retailers.

“Ensuring availability should be a primary objective for retailers and online
businesses at all times,” he added.

The launch of the eHoliday Uptime bundle coincides with this week’s
E
Commerce Expo taking place at London’s Olympia. V3.co.uk will be
covering all the news from the show and we have a dedicated
e-commerce
blog for our event coverage.

Iain Thomson in San Francisco, V3.co.uk, Tuesday 19 October 2010 at 10:31:00

Microsoft has highlighted an “unprecedented” wave of attacks aimed at Java
over the past three months.

Attacks on Java vulnerabilities have increased from fewer than 500,000 in the
second quarter of 2010 to over six million this quarter, according to Holly
Stewart of the Microsoft Malware Protection Center.

“What I discovered was that some of our exploit ‘malware’ families were
telling a scary story: an unprecedented wave of Java exploitation,” she warned
in a
blog
post.

“In fact, by the beginning of this year, the number of Java exploits (and by
that I mean attacks on vulnerable Java code, not attacks using JavaScript) had
well surpassed the total number of Adobe-related exploits we monitored.”

Exploited holes in Java are now outpacing attacks on PDFs, Stewart said. The
bulk of attacks are via three security holes in Java, all of which were patched
some time ago and are only successful because users are not updating third-party
applications.