Friday, March 26, 2010

Yahoo! Proposes 'Really Ugly Hack' to DNS

Carolyn Duffy Marsan writes on ComputerWorld:

Network engineers from Yahoo are pitching what they admit is a "really ugly hack" to the Internet's Domain Name System, but they say it is necessary for the popular Web content provider to support IPv6, the long-anticipated upgrade to the Internet's main communications protocol.

Yahoo outlined its proposal for changes to DNS recursive name resolvers at a meeting of the Internet Engineering Task Force (IETF) held here this week.

Yahoo says it needs a major change to the DNS -- which matches IP addresses with corresponding domain names -- in order to provide IPv6 service without inadvertently cutting off access to hundreds of thousands of visitors. Under Yahoo's proposal, these visitors would continue accessing content via IPv4, the current version of the Internet Protocol.

The reason Yahoo is seeking this change to the DNS is that a significant percentage of Internet users have broken IPv6 connectivity. Web content providers say they need mechanisms to discover that a user's IPv6 connectivity is broken and to switch these users to IPv4 on the fly. Yahoo views DNS as the best place to make this switch.

More here.
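To make the mechanism concrete, here is an added example of how an authoritative DNS server could implement the resolver "whitelist" the article describes: measure IPv6 breakage per recursive resolver from dual-stack probe results, and hand AAAA records only to resolvers whose clients look healthy. This is my own illustration, not Yahoo's code or the IETF proposal text; the probe log, the zone data, the thresholds and the log format are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed probe log, not Yahoo data: each line is "<resolver-ip> <outcome>",
# where outcome is what a dual-stack test page saw for a client whose
# recursive resolver was that address ("ok" or "v6fail").
PROBE_LOG = """\
192.0.2.10 ok
192.0.2.10 ok
192.0.2.10 v6fail
192.0.2.10 ok
198.51.100.7 v6fail
198.51.100.7 v6fail
198.51.100.7 ok
198.51.100.7 ok
2001:db8::53 ok
2001:db8::53 ok
2001:db8::53 ok
203.0.113.9 ok
""".splitlines()

# Records the authoritative server holds for one name (constructed).
ZONE = {
    "www.example.com.": {
        "A": ["192.0.2.80"],
        "AAAA": ["2001:db8::80"],
    }
}


def failure_rates(lines):
    """Per-resolver IPv6 failure rate and sample count from the probe log."""
    totals = defaultdict(int)
    failures = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line
        try:
            resolver = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP address
        totals[resolver] += 1
        if parts[1] == "v6fail":
            failures[resolver] += 1
    return {r: failures[r] / totals[r] for r in totals}, dict(totals)


def build_whitelist(lines, max_fail_rate=0.10, min_samples=3):
    """Resolvers whose clients showed little IPv6 breakage, with enough samples
    to trust the estimate. Both thresholds are constructed for the demo."""
    rates, totals = failure_rates(lines)
    return {r for r, rate in rates.items()
            if totals[r] >= min_samples and rate <= max_fail_rate}


def answer(qname, qtype, resolver_ip, whitelist, zone=ZONE):
    """Authoritative-side policy: AAAA records go only to whitelisted resolvers.
    Everyone else gets an empty AAAA answer (NOERROR, no data) and keeps
    reaching the site over IPv4 through the A record."""
    rrsets = zone.get(qname)
    if rrsets is None:
        return None  # NXDOMAIN
    if qtype == "AAAA" and ipaddress.ip_address(resolver_ip) not in whitelist:
        return []
    return list(rrsets.get(qtype, []))


def whitelist_as_strings(lines):
    return sorted(str(r) for r in build_whitelist(lines))
```

The coarseness is visible in the output: the decision is per resolver, not per user, so a whitelisted resolver's few broken clients still get AAAA answers, and a non-whitelisted resolver's clients with perfectly good IPv6 never do. That is the trade-off behind the "really ugly hack" label.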

U.S. Military Warns of 'Increasingly Active' Cyber-Threat From China

Patrick Thibodeau writes on ComputerWorld:

On the same day that Google Inc. and the GoDaddy Group Inc. complained about China to a congressional committee, U.S. Navy Admiral Robert Willard appeared before the U.S. House Armed Services Committee with an even stronger warning about cyber-threats posed by China.

Willard's comments about China received little press attention but were stronger than anything said by either company.

"U.S. military and government networks and computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People's Republic of China)," said Willard.

He said that most of the intrusions are focused on acquiring data "but the skills being demonstrated would also apply to network attacks."

More here.

Microsoft Keyboards, Media Devices Under Attack By Open-Source Kit

Dan Goodin writes on The Register:

Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls.

Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don't encrypt communications - or don't encrypt them properly - can be forced to cough up sensitive communications or be forced to execute rogue commands.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because communications in the devices are protected by a weak form of encryption known as xor, which is trivial to break. As a result, he was able to intercept keyboard strokes as they were typed and to remotely send input that executed commands on the attached computer.

More here.
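Why "xor" earns the description "trivial to break", and what a hardened frame format looks like, as an added example of mine rather than anything from Keykeriki or a keyboard vendor: a short key reused across frames falls to a single known plaintext, and a receiver that only XOR-decrypts cannot tell a rewritten frame from a genuine one. The key, the frames and the HMAC-based protection are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key: short and reused for every frame, the weak XOR
# construction the article refers to. This is not Keykeriki or any vendor's
# firmware; the frames are made up.
DEMO_KEY = bytes.fromhex("5a17c3")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the article calls trivial to break."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plain: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: since c = p XOR k, one frame whose content can
    be guessed (a fixed header, a predictable keystroke) yields k = p XOR c."""
    return xor_bytes(known_plain, ciphertext)[:key_len]


def xor_receiver(frame: bytes, key: bytes) -> bytes:
    """A receiver that only XOR-decrypts accepts every frame, modified or not."""
    return xor_bytes(frame, key)


# Hardened form: whatever confidentiality layer is used, add a per-frame
# HMAC-SHA256 tag over a counter plus the ciphertext, so rewritten or replayed
# frames are dropped before they reach the host's input stack.
MAC_KEY = os.urandom(32)  # constructed session key for the demo
TAG_LEN = 16


def protect(counter: int, ciphertext: bytes, mac_key: bytes = MAC_KEY) -> bytes:
    header = counter.to_bytes(4, "big")
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def authenticated_receiver(frame: bytes, last_counter: int,
                           mac_key: bytes = MAC_KEY):
    """Return (counter, ciphertext) when the tag verifies and the counter is
    fresh, else None. Constant-time compare avoids leaking the tag bytewise."""
    if len(frame) < 4 + TAG_LEN:
        return None
    header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    counter = int.from_bytes(header, "big")
    if counter <= last_counter:
        return None  # replay
    return counter, body


def demo():
    keystrokes = b"password123"
    frame = xor_bytes(keystrokes, DEMO_KEY)
    # One known frame is enough to recover the key and read every later frame.
    key = recover_key(keystrokes, frame, len(DEMO_KEY))
    # Flip one ciphertext bit: the XOR-only receiver decodes a different
    # keystroke without noticing; the authenticated receiver rejects the frame.
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]
    protected = protect(1, frame)
    tampered_protected = protected[:4] + tampered + protected[4 + len(frame):]
    return {
        "key_recovered": key == DEMO_KEY,
        "xor_receiver_decoded_tampered": xor_receiver(tampered, DEMO_KEY) != keystrokes,
        "hmac_receiver_accepted_tampered": authenticated_receiver(tampered_protected, 0) is not None,
        "hmac_receiver_accepted_genuine": authenticated_receiver(protected, 0) is not None,
        "hmac_receiver_accepted_replay": authenticated_receiver(protected, 1) is not None,
    }
```

The two halves map onto the two capabilities in the article: key recovery is the sniffing side, and the missing integrity check is what lets injected frames reach the host. A real design would use an authenticated cipher rather than bolting a MAC onto XOR, but the per-frame tag and counter are the parts that close the injection and replay paths.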

After DNS Problem, Chinese Root Server Is Shut Down

Robert McMillan writes on PC World:

A China-based root DNS server associated with networking problems in Chile and the U.S. has been disconnected from the Internet.

The action by the server's operator, Netnod, appears to have resolved a problem that was causing some Internet sites to be inadvertently censored by a system set up in the People's Republic of China.

On Wednesday, operators at NIC Chile noticed that several ISPs (Internet service providers) were providing faulty DNS information, apparently derived from China. China uses the DNS system to enforce Internet censorship on its so-called Great Firewall of China, and the ISPs were using this incorrect DNS information.

That meant that users of the network trying to visit Facebook, Twitter and YouTube were directed to Chinese computers instead.

In Chile, ISPs VTR, Telmex and several others -- all of them customers of upstream provider Global Crossing -- were affected, NIC Chile said in a statement on Friday. The problem, first publicly reported on Wednesday, appears to have persisted for a few days before it was made public, the statement says.

More here.

Hacker Gonzalez Sentenced to 20 Years for Heartland Breach

Nancy Weil writes on ComputerWorld:

Hacker Albert Gonzalez, who participated in a cybercrime ring that stole tens of millions of credit and debit card numbers, was sentenced to 20 years in prison today.

The sentence imposed by U.S. District Court Judge Douglas P. Woodlock was for Gonzalez's role in a hacking ring that broke into computer networks of Heartland Payment Systems, which processed credit and debit card transactions for Visa and American Express and retailers Hannaford Supermarkets and 7-Eleven.

The sentence will run concurrently with two other 20-year sentences meted out Thursday, also in the U.S. District Court for the District of Massachusetts by a different federal judge, Patti B. Saris. Gonzalez pleaded guilty in all three cases last December, with the U.S. Department of Justice agreeing to seek no more than 25 years in prison in each case, with all sentences to run concurrently.

More here.

Electronic Medical Records Data Theft Booming

Nicole Lewis writes on InformationWeek:

Acceleration in the use of electronic medical records may lead to an increase in personal health information theft, according to a new study that shows there were more than 275,000 cases of medical information theft in the U.S. last year.

Unlike stealing a driver's license or a credit card, data gleaned from personal health records provides a wealth of information that helps criminals commit multiple crimes, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm.

Information such as social security numbers, addresses, medical insurance numbers, past illnesses, and sometimes credit card numbers, can help criminals commit several types of fraud. These may include: making payments from stolen credit card numbers and ordering and reselling medical equipment by using stolen medical insurance numbers.

A key finding from the report is that fraud resulting from exposure of health data has risen from 3% in 2008 to 7% in 2009, a 112% increase.

More here.

SCADA Watch: 'Smart' Meters Have Security Holes

An AP newswire article by Jordan Robertson, via MSNBC.com, reports:

Computer-security researchers say new "smart" meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.

At the very least, the vulnerabilities open the door for attackers to jack up strangers' power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else's power on and off.

The attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters' resistance to attack.

These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press.

There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.

More here.

Thursday, March 25, 2010

Hacker Bypasses Windows 7 Anti-Exploit Features In IE 8 Hack

Kelly Jackson Higgins writes on Dark Reading:

A Dutch researcher won $10,000 in the Pwn2Own hacking contest this week for hacking Internet Explorer 8 on a Windows 7 machine -- bypassing built-in anti-exploit features in the operating system.

Independent researcher Peter Vreugdenhil waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Other successful hacks in the annual contest held at CanSecWest in Vancouver were a non-jailbroken iPhone, Firefox on Windows 7, and Safari on Snow Leopard, each conducted by other researchers who also won the big cash prize. A hacker known as "Nils" hacked Firefox on Windows 7 -- also bypassing DEP and ASLR with an exploit of his own, the details of which were not available at the time of this posting.

Vreugdenhil used a two-part exploit: First he located a specific .dll file to evade ASLR, and then used that information to trigger an exploit that disabled DEP. He used a heap overflow attack to get the address of the .dll file, he said in a paper [.pdf] describing the attack. He would not reveal the vulnerabilities in IE 8 that he exploited, however: "But I might disclose them someday when Microsoft has them patched," he wrote.

More here.

Panel Approves U.S. Grid Security Act

Roy Mark writes on eWeek:

Legislation that would protect the nation’s electricity grid from attacks passed the Energy and Environment Subcommittee March 24. The GRID Act (Grid Reliability and Infrastructure Defense Act) passed on a unanimous voice vote by the subcommittee.

The GRID Act would direct the FERC (Federal Energy Regulatory Commission) to take measures to protect the electricity grid from telecommunications intrusions and follows a March 23 subcommittee hearing with all of the Commissioners of FERC. The commissioners emphasized the gravity of the threat America’s grid faces and the inadequacy of existing law to deal with this threat. Chairman Ed Markey (D-Mass.) and others heard the same message during a classified briefing held last month.

More here.

U.S. Cyber Command Hits Speed Bump

William Welsh writes on FCW.com:

The Senate Armed Services Committee this month put the brakes on the creation of the U.S. Cyber Command by requesting more information on its relationship with the National Security Agency, reports Bill Gertz at Washington Times.

Army Lt. Gen. Keith Alexander, who is NSA’s director, has been nominated to four-star rank and to lead the Cyber Command. If approved, he would command both the NSA and Cyber Command and be promoted to full general. The Cyber Command’s headquarters would be located at Fort Meade, where NSA is currently headquartered.

In June 2009, Defense Secretary Robert Gates approved the creation of the Cyber Command as a unified subdivision within the U.S. Strategic Command that would be responsible for protecting 15,000 computer networks across 4,000 military bases in 88 countries.

The committee has raised a number of detailed questions regarding the department’s plans for Cyber Command, including its relationship to the NSA, and has said that it would like all answers provided before considering Alexander’s nomination, U.S. Strategic Command officials said.

More here.

TJX Hacker Gets 20 Years in Prison

Kim Zetter writes on Threat Level:

Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.

Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.

Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”

More here.

Wednesday, March 24, 2010

Mark Fiore: Parts & Parcels

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

'Infections Found': Inside The Great Scareware Scam

Jim Giles writes on New Scientist:

One day in March 2008, Kent Woerner got a disturbing phone call from a teacher at an elementary school in Beloit, Kansas. An 11-year-old student had triggered a security scan on a computer she was using, revealing that the machine contained pornographic images. Worse still, the images had appeared on-screen as the scan took place.

Woerner, who manages the computer systems for the local school district, jumped in his car and drove to the school. Repeating the scan, he too saw the images, alongside warnings that the machine was infected with viruses and spyware that were surreptitiously monitoring the computer's users. Yet a search of the hard drive revealed nothing untoward. Switching to another machine, Woerner visited the security website that provided the scan, and ran it again. Exactly the same number of pornographic images popped up.

Woerner was smart enough to spot the ruse. This was not a genuine security scan. It was nothing more than an animation designed to dupe the unsuspecting computer user into shelling out $40 or so for software to combat a security problem where none existed. For those who fall for it, such "scareware" spells double trouble: not only are they relieved of their cash, but the software they download has no protective effect, leaving them vulnerable to malicious attack.

Woerner noted the site behind the fake scan, advancedcleaner.com, and got in touch with the Federal Trade Commission (FTC), the US consumer protection agency. He was one of hundreds. As the FTC trawled through the complaints, it became clear that in its complexity, sophistication and sheer brazenness, this was no normal internet scam. "This is one of the largest internet-based frauds the FTC has ever prosecuted," says Ethan Arenson, an attorney at the agency's headquarters in Washington DC. Over in Hamburg, Germany, analysts at the computer security company McAfee were independently coming to a similar conclusion.

Much more here.

Hat-tip: Spyware Sucks

In Passing: Robert Culp

Robert Culp
August 16, 1930 – March 24, 2010

Law Enforcement Appliance Subverts SSL

Ryan Singel writes on Threat Level:

That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

“If a company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

More here.
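The point worth drawing out is that a forged certificate from any trusted CA passes normal chain validation, so the browser's lock icon cannot distinguish it from the real one. An added example of the client-side check that can: certificate pinning, where the application compares the presented certificate against fingerprints it already knows for that host. This is my illustration, not code from the article or from any appliance vendor; the "DER" bytes and pin values are constructed, and `fetch_peer_cert` is a standard-library helper for live use that the offline demo never calls.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER bytes of the genuine server certificate.
# In a real client these come from the TLS socket (see fetch_peer_cert).
GENUINE_CERT_DER = b"constructed-der-bytes-for-www.bank.example"
# Pin set: current certificate plus a backup so rotation does not lock users out.
PINNED = {
    hashlib.sha256(GENUINE_CERT_DER).hexdigest(),
    hashlib.sha256(b"constructed-der-bytes-for-backup-cert").hexdigest(),
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate (simpler than SPKI pinning, which
    survives re-issuance under the same key; either form works for the check)."""
    return hashlib.sha256(der).hexdigest()


def check_connection(chain_valid: bool, presented_der: bytes, pins=PINNED) -> str:
    """Combine the library's chain verdict with the pin check. A certificate
    issued by any of the trusted CAs passes chain validation, so the pin is
    what tells the genuine server apart from an interposed box."""
    if not chain_valid:
        return "reject: chain invalid"
    fp = fingerprint(presented_der)
    if any(hmac.compare_digest(fp, pin) for pin in pins):
        return "accept"
    return "reject: trusted chain but unpinned certificate (possible interception)"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Live helper (network; not exercised by the offline demo): returns
    (chain_valid, der_bytes) for a real server using the standard library."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        return False, b""
```

Pinning only scales to hosts the client knows in advance (a bank's own app, an internal tool), and a pin set needs a backup entry and a rotation plan, or a routine certificate renewal looks exactly like the interception it is meant to catch.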

Rogue AV: Inside a Global Cyber Crime Ring

A Reuters newswire article by Jim Finkle, via MSNBC.com, reports that:

Hundreds of computer geeks, most of them students putting themselves through college, crammed into three floors of an office building in an industrial section of Ukraine's capital Kiev, churning out code at a frenzied pace. They were creating some of the world's most pernicious, and profitable, computer viruses.

According to court documents, former employees and investigators, a receptionist greeted visitors at the door of the company, known as Innovative Marketing Ukraine. Communications cables lay jumbled on the floor and a small coffee maker sat on the desk of one worker.

As business boomed, the firm added a human resources department, hired an internal IT staff and built a call center to dissuade its victims from seeking credit card refunds. Employees were treated to catered holiday parties and picnics with paintball competitions.

Top performers got bonuses as young workers turned a blind eye to the harm the software was doing. "When you are just 20, you don't think a lot about ethics," said Maxim, a former Innovative Marketing programmer who now works for a Kiev bank and asked that only his first name be used for this story. "I had a good salary and I know that most employees also had pretty good salaries."

Much more here.

Google Gmail Users Get Alert if Accounts Compromised

Brian Prince writes on eWeek:

Google is adding a new alert system to Gmail to warn users if their account may have been compromised.

The feature is being rolled out today, and is meant to offer users an additional layer of protection for Gmail users via an automated system that flags suspicious activity and generates a red alert.

“It will be a sort of a bright red message that will say “warning (we believe) your account was recently accessed from” and then a geographic location and a button to click to see recent accesses of the account with information about them like...what was the IP it came from, when did it happen, where in the world do we think they were from (and) highlighting in red the ones that were bad or suspicious to us,” explained Will Cathcart, product manager at Google, in an interview with eWEEK.

More here.
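The kind of logic behind a "recently accessed from" warning, as an added example that is not Google's code: run a per-account access log through two plausibility heuristics (a country the account has never used, and a country change faster than travel allows) and highlight the accesses that trip them. The log lines, the time window and the banner text are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed access log for one account, not Google data:
# "<UTC timestamp> <source ip> <country code>".
ACCESS_LOG = """\
2010-03-20T08:02:11Z 203.0.113.5 US
2010-03-21T19:40:03Z 203.0.113.5 US
2010-03-22T07:15:44Z 198.51.100.23 US
2010-03-22T09:05:10Z 192.0.2.77 RO
2010-03-23T10:30:00Z 203.0.113.5 US
""".splitlines()


def parse(lines):
    """Parse log lines into time-sorted events; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"time": ts.replace(tzinfo=timezone.utc),
                       "ip": parts[1], "country": parts[2]})
    return sorted(events, key=lambda e: e["time"])


def flag_accesses(events, travel_window=timedelta(hours=6)):
    """Mark an access as suspicious when it comes from a country the account
    has never used, or from a different country than the previous access
    within travel_window. This is a plausibility heuristic for a warning
    banner, not proof of compromise; the user makes the call."""
    seen_countries = set()
    prev = None
    flagged = []
    for e in events:
        reasons = []
        if seen_countries and e["country"] not in seen_countries:
            reasons.append("new country")
        if (prev is not None and prev["country"] != e["country"]
                and e["time"] - prev["time"] <= travel_window):
            hours = int(travel_window.total_seconds() // 3600)
            reasons.append("country change within %dh" % hours)
        flagged.append({**e, "suspicious": bool(reasons), "reasons": reasons})
        seen_countries.add(e["country"])
        prev = e
    return flagged


def recent_access_report(lines, travel_window=timedelta(hours=6)):
    """What the 'recent accesses' view would show: each access with its
    country and whether it should be highlighted."""
    return flag_accesses(parse(lines), travel_window)


def latest_warning(lines):
    """Text for the banner, or None if nothing recent looks off."""
    bad = [e for e in recent_access_report(lines) if e["suspicious"]]
    if not bad:
        return None
    e = bad[-1]
    return "warning: your account was recently accessed from %s (%s)" % (e["country"], e["ip"])
```

Geolocation is the weak link here: VPNs, mobile carriers and travel all produce the same signal as an account takeover, which is why the article's design shows the user the evidence and lets them judge rather than locking the account outright.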

Tuesday, March 23, 2010

Proposed U.S. Law Would Single Out Cyber Crime Havens

Robert McMillan writes on ComputerWorld:

A bill introduced in the U.S. Senate Tuesday would compel the White House to identify international cybercrime havens and establish plans for cleaning them up.

The International Cybercrime Reporting and Cooperation Act takes on a growing problem for banks and U.S. businesses: the ability for cybercriminals to operate with impunity across international borders. The bill is co-sponsored by Senators Kirsten Gillibrand, a Democrat from New York, and Orrin Hatch, a Republican from Utah.

In recent years, cybercriminals have mastered techniques for hacking into consumer and small-business bank accounts and moving money overseas. They have also become adept at converting hacked personal computers into botnet computer networks, which then can be used for spam, distributed denial of service attacks and ID theft.

The bill would shine a spotlight on countries that are thought to be soft on cybercrime and introduce new protocols for addressing the problem.

More here.

TJX Accomplice Gets Probation for Selling Browser Exploit

Kim Zetter writes on Threat Level:

A computer security professional who provided Internet Explorer exploit code that helped hackers penetrate TJX and other companies was sentenced Tuesday in Boston to three years probation and a $10,000 fine.

Jeremy Jethro, 29, was paid $60,000 in cash by convicted TJX hacker Albert Gonzalez for a zero-day exploit against Microsoft’s browser, which Gonzalez and his co-conspirators used to obtain unauthorized access to company networks and steal more than 90 million credit and debit card numbers.

Jethro pleaded guilty to a misdemeanor conspiracy charge for providing the malware. Under Tuesday’s sentence, Jethro will be confined at home, under electronic monitoring, for the first six months of his three-year-long probation. His attorney did not respond to a call for comment.

More here.

IODEF: e-Crime Reporting Format Draws Closer to a Standard

Jeremy Kirk writes on PC World:

The Internet Engineering Task Force is close to approving a specification for a common format for reporting e-crime, a step taken to allow security experts to react faster to cybercrime.

The Anti-Phishing Working Group is already collecting reports from organizations using the XML-based Instant Object Description Exchange Format (IODEF), which has been customized with extensions appropriate for e-crime reports, said Peter Cassidy, secretary general of APWG.

The format will allow for unambiguous time stamps, support for different languages and a feature to attach samples of malicious code.

The specification is now with the IETF, which has been looking at it for more than a year. If it is approved as a standard, the format will likely be taken up by banks, security organizations and other entities, Cassidy said. The format can be used to report crimes such as phishing and fraud incidents.

More here.
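What an IODEF (Incident Object Description Exchange Format, RFC 5070) report looks like in practice, as an added example that is not the APWG's or IETF's code: build a minimal document with a timezone-qualified ReportTime and an attached sample, then parse one back and refuse a timestamp with no UTC offset, which is the ambiguity the article says the format removes. The element and attribute names are RFC 5070 as I read it (the APWG e-crime extensions are not reproduced), the `dtype`/`meaning` attributes on AdditionalData are my recollection of the schema, and every value is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Element and attribute names follow RFC 5070 (IODEF 1.0) as I read it; the
# APWG e-crime extensions the article mentions are not reproduced. All values
# are constructed.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def q(tag):
    return "{%s}%s" % (IODEF_NS, tag)


def build_report(incident_id, reporter, report_time, description,
                 sample_b64=None, lang="en"):
    """Minimal IODEF-Document. ReportTime must carry an explicit UTC offset,
    which is what makes the timestamp unambiguous between reporting parties."""
    if report_time.tzinfo is None or report_time.utcoffset() is None:
        raise ValueError("ReportTime must carry an explicit UTC offset")
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": lang})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": reporter}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time.isoformat()
    ET.SubElement(inc, q("Description")).text = description
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"type": "ext-value", "ext-type": "phishing"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    if sample_b64 is not None:
        # Attached sample; dtype/meaning are the AdditionalData attributes as I recall them.
        ET.SubElement(inc, q("AdditionalData"),
                      {"dtype": "file", "meaning": "malware-sample"}).text = sample_b64
    return ET.tostring(doc, encoding="unicode")


def parse_report(xml_text):
    """Read a report back, normalising ReportTime to UTC and rejecting one
    that has no offset (the ambiguity a common format is meant to remove)."""
    root = ET.fromstring(xml_text)
    inc = root.find(q("Incident"))
    ts_text = inc.findtext(q("ReportTime")) or ""
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    if ts.utcoffset() is None:
        raise ValueError("ambiguous ReportTime: %s" % ts_text)
    sample = inc.find(q("AdditionalData"))
    return {
        "id": inc.findtext(q("IncidentID")),
        "reporter": inc.find(q("IncidentID")).get("name"),
        "report_time_utc": ts.astimezone(timezone.utc),
        "description": inc.findtext(q("Description")),
        "sample_b64": sample.text if sample is not None else None,
    }


def accepts_report(xml_text):
    try:
        parse_report(xml_text)
        return True
    except ValueError:
        return False


def demo_roundtrip():
    # 14:30 at UTC-4 (constructed local time); naive datetimes are refused.
    when = datetime(2010, 3, 23, 14, 30, tzinfo=timezone(timedelta(hours=-4)))
    xml_text = build_report("2010-0042", "csirt.example.net", when,
                            "Phishing page impersonating a bank login",
                            sample_b64="c2FtcGxl")
    parsed = parse_report(xml_text)
    try:
        build_report("2010-0043", "csirt.example.net",
                     datetime(2010, 3, 23, 14, 30), "naive timestamp")
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    # Same document with the offset stripped, as a sloppy sender might emit it.
    naive_incoming = xml_text.replace("14:30:00-04:00", "14:30:00")
    return {"parsed": parsed, "naive_rejected": naive_rejected,
            "naive_incoming_accepted": accepts_report(naive_incoming),
            "utc_iso": parsed["report_time_utc"].isoformat()}
```

The round trip shows why the offset matters: a bank in one timezone and a CERT in another read "14:30" as two different moments, while "14:30-04:00" normalises to the same UTC instant on both sides, and a receiver that insists on the offset catches the ambiguity at the door instead of in an investigation timeline.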

FBI Lists Top 10 Posts in Cyber-Criminal Operations

Patrick Thibodeau writes on ComputerWorld:

Criminal hacker organizations are operating with increasing corporate-life efficiency, specialization and expertise, according to the FBI.

From a business perspective, these criminal enterprises are highly productive and staffed by dedicated people willing to operate worldwide, around the clock "without holidays, weekends or vacations," according to Steven Chabinsky, deputy assistant director in the FBI's cyber division. "As a result, when an opportunity presents itself these criminals can start planning within hours."

"The cyber underground now consists of subject matter experts that can focus all their time and energy on improving their techniques, their goods and services," Chabinsky told an audience today at the FOSE conference, a government IT trade show, held here.

During the presentation, Chabinsky presented a list of the top 10 positions in cyber criminal organizations.

More here.

Monday, March 22, 2010

Security Watch: Beware the NSA’s Geek-Spy Complex

Noah Shachtman writes in Wired:

Early this year, the big brains at Google admitted that they had been outsmarted. Along with 33 other companies, the search giant had been the victim of a major hack — an infiltration of international computer networks that even Google couldn’t do a thing about. So the company has reportedly turned to the only place on Earth with a deeper team of geeks than the Googleplex: the National Security Agency.

Most of us know the NSA as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks. But NSA headquarters — the “Puzzle Palace” — in Fort Meade, Maryland, is actually home to two different agencies under one roof. There’s the signals-intelligence directorate, the Big Brothers who, it is said, can tap into any electronic communication. And there’s the information- assurance directorate, the cybersecurity nerds who make sure our government’s computers and telecommunications systems are hacker- and eavesdropper-free.

In other words, there’s a locked-down spy division and a relatively open geek division. The problem is, their goals are often in opposition. One team wants to exploit software holes; the other wants to repair them. This has created a conflict — especially when it comes to working with outsiders in need of the NSA’s assistance. Fortunately, there’s a relatively simple solution: We should break up the NSA.

More here.

U.S. Aims to Bolster Overseas Fight Against Cyber Crime

Siobhan Gorman writes on The Wall Street Journal:

The alleged Chinese cyber attacks on Google have spurred proposals at the State Department and on Capitol Hill to establish an ambassador-level cybersecurity post and to tie foreign aid to a country's ability to police cybercrime.

"Google was a watershed moment," said James Lewis, a former State Department official and cybersecurity specialist at the Center for Strategic and International Studies. "It helped push the debate in the direction of better security."

Cybersecurity involves the protection of government and corporate computer systems from hackers. In the wake of the cyber attacks on Google, officials at the State Department circulated a proposal to create an ambassador-like post, according to officials briefed on the proposal. This person would take on such duties as negotiating cyber policy at the United Nations, and making sure the U.S. has a consistent position on cybersecurity when issues come up overseas.

The proposal, however, has run into internal resistance from the State Department's intelligence bureau, which currently oversees most cybersecurity matters at the department, said Mr. Lewis, who frequently advises the administration.

More here.

Organized Crooks Hit N.J. Town, Arkansas Utility

Brian Krebs:

An Arkansas public water utility and a New Jersey town are the latest victims of an organized cyber crime gang that is stealing tens of millions of dollars from small to mid-sized organizations via online bank theft.

On Thursday, officials in Egg Harbor Township, N.J. acknowledged that a sizable amount of money was taken in an “outside intrusion into a municipal banking account,” suggesting in public statements that computer criminals were responsible.

Mayor James J. “Sonny” McCullough confirmed that the thieves took close to $100,000 from town coffers, sending the money in sub-$10,000 chunks to individuals around the country who had no prior businesses with Egg Harbor.

In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Ark. Again, thieves somehow broke into the utility’s online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district.

More here.

U.S. Secret Service Paid TJX Hacker $75,000 a Year

Kim Zetter writes on Threat Level:

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash to protect his status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

More here.

Russia Takes On Cyber Criminals

Via Computerworld UK.

Russia is taking the fight to cybercriminals, quietly arresting the alleged mastermind of a major attack on the Royal Bank of Scotland’s Worldpay payment processing systems and also beefing up its controls of top level domain names.

The Russian Federal Security Service has arrested Viktor Pleshchuk, the alleged ring leader of a £6 million attack on RBS, together with other suspects, according to the Financial Times.

A US grand jury indicted Pleshchuk, Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only as Hacker 3 last November.

The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards, which are used by companies to pay employees.

Once the encryption on the card-processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of so-called "cashers" with 44 counterfeit payroll debit cards, the US Department of Justice said.

The counterfeit cards were used to withdraw more than £6 million in just 12 hours from more than 2,100 ATMs in about 280 cities worldwide, including cities in the US, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.

More here.