Iran Arrests Stuxnet 'Spies' Who Hit Atomic Work
An AFP newswire article, via Google News, reports:
Iran's intelligence minister said on Saturday authorities had arrested several "nuclear spies" who were working to derail Tehran's nuclear programme through cyberspace.
Without saying how many people were arrested or when, Heydar Moslehi was quoted on state television's website as saying Iran had "prevented the enemies' destructive activity."
His remarks came against the backdrop of reports that the Stuxnet worm is mutating and wreaking havoc on computerised industrial equipment in Iran and had already infected 30,000 IP addresses.
But Moslehi said intelligence agents had discovered the "destructive activities of the arrogance (Western powers) in cyberspace, and different ways to confront them have been designed and implemented."
"I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country's nuclear activities."
The website said Moslehi emphasised that his ministry was aware of the different activities of "enemies' spy services."
Would Wiretapping Laws Spell the End of Quantum Encryption? Yes.
Davide Castelvecchi writes in Scientific American:
The nascent industry of quantum communications could suffer a fatal blow if the U.S. enacts sweeping new regulations to provide wiretapping access to law enforcement.
The weirdness of quantum mechanics makes it possible for two parties to share an encryption key and be sure that no one else can copy it. Any attempt to eavesdrop on the communication of the quantum key would irreversibly disturb its quantum state, thus revealing that the channel is being wiretapped.
In recent decades, the development of quantum communication and encryption has motivated significant advances in basic research in mathematics, physics and engineering.
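As an added illustration of the eavesdropping-detection claim above (this is example code, not from the Scientific American article), the following simulation models a BB84-style key exchange with an intercept-and-resend eavesdropper. Function names, the sample fraction and the 11% abort threshold are this example's own assumptions.

```python
"""Toy BB84 simulation: why measuring the key photons reveals the eavesdropper.

A qubit is modeled as (bit, basis). Measuring in the preparation basis returns
the bit; measuring in the other basis returns a coin flip and leaves the
qubit in the measurement basis. An intercept-and-resend eavesdropper ("Eve")
therefore corrupts about 25% of the bits that Alice and Bob later compare.
All names here are this example's own, not from the article.
"""
import random


def encode(bit, basis):
    """Prepare a qubit; basis 0 = rectilinear, 1 = diagonal."""
    return (bit, basis)


def measure(qubit, basis, rng):
    """Measure a qubit: deterministic in the right basis, random otherwise."""
    bit, prep_basis = qubit
    if basis == prep_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n, eavesdrop, seed=0, sample_fraction=0.5):
    """Run one exchange of n photons and return sifted-key statistics."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_results = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        qubit = encode(bit, a_basis)
        if eavesdrop:
            # Eve guesses a basis, measures, and resends what she saw.
            e_basis = rng.randint(0, 1)
            qubit = encode(measure(qubit, e_basis, rng), e_basis)
        bob_results.append(measure(qubit, b_basis, rng))

    # Sifting: bases are announced publicly; keep only matching positions.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    sifted_a = [alice_bits[i] for i in keep]
    sifted_b = [bob_results[i] for i in keep]

    # Error estimation: compare a random sample in the clear, then discard it.
    k = int(len(keep) * sample_fraction)
    sample = set(rng.sample(range(len(keep)), k))
    errors = sum(1 for i in sample if sifted_a[i] != sifted_b[i])
    qber = errors / k if k else 0.0
    key_a = [sifted_a[i] for i in range(len(keep)) if i not in sample]
    key_b = [sifted_b[i] for i in range(len(keep)) if i not in sample]
    return {"qber": qber, "key_len": len(key_a), "keys_match": key_a == key_b}


def eavesdropper_detected(result, threshold=0.11):
    """Abort if the observed error rate exceeds the assumed safe bound."""
    return result["qber"] > threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve)
        print(f"eve={eve} qber={r['qber']:.3f} "
              f"key_len={r['key_len']} abort={eavesdropper_detected(r)}")
```

Without Eve the compared sample shows no errors and both sides hold the same key; with Eve the error rate sits near 25%, far above the threshold, so the key is discarded.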
FBI Officially Notifies Russia of 4 Arrested Russians in Banking Fraud
Via RIA Novosti.
The U.S. Federal Bureau of Investigation has officially informed the Russian Consulate General on the detainment of four Russian citizens suspected of a large-scale banking fraud, a Russian vice consul said.
The Attorney's Office for the Southern District of New York said on Friday that a total of 25 Russians have been charged in a large-scale banking fraud case in the United States.
"We have received an official notification from the FBI on the detainment of four Russian and two Moldovan citizens on September 30 suspected of conspiracy to commit bank fraud and the use of forged passports," Alexander Otchainov said.
The four Russian names in the notification are Adel Gataullin, Maxim Miroshnichenko, Kristina Svechinskaya and Yulia Sidorenko and the Moldovan citizens are Viktoria Opinka and Alina Turuta.
When asked about the large mismatch between the number of detained Russians stated by the attorney's office and the official FBI notification, Otchainov said that perhaps some of the detained had Russian names but were not citizens of Russia.
U.S. Spies Want Algorithms to Spot Hot Trends
Katie Drummond writes on Danger Room:
The U.S. intelligence community wants a sharp competitive edge on the world’s best and brightest ideas. In an effort to find the next big thing before it happens, they’re looking to do away with fallible human trendspotters, and enlist an algorithmic system to “scan the horizon” and tap into the first signs of burgeoning memes in science and technology.
IARPA, the intel world’s far-out research arm, is already wary of trusting big calls and predictions to flesh-and-blood experts alone. Earlier this year, the agency solicited proposals for a system that would evaluate and rank the value of expert opinion based on niche, learning style, prior performance and “other attributes predictive of accuracy.”
This time around, IARPA’s looking for a system that wouldn’t just rate experts, but would take over many of their responsibilities entirely. The agency’s Foresight and Understanding from Scientific Exposition (or FUSE) wants researchers to create “a reliable, evidence-based capability that…reduce[s] the labor involved to identify specific technical areas for in-depth review.”
As IARPA’s solicitation notes, trying to identify the hottest trends before they heat up is time-consuming, time sensitive and susceptible to human bias. Not to mention that most experts are confined to certain geographic regions, cultures, languages and technical niches. But with globalization churning out innovations worldwide, IARPA wants a system that can operate in several languages and account for cultural differences.
Court Shuts Down Huge Internet Fraud 'Cramming' Operation
A federal court has permanently shut down the illegal operations of Inc21, a firm that placed bogus charges on the telephone bills of thousands of small businesses and consumers for Internet-related services they never agreed to buy.
The court, at the request of the Federal Trade Commission (FTC) has barred the defendants from charging consumers' telephone bills and prohibits them from telemarketing unless they get prior approval from the FTC and the court.
It also ordered third parties through which charges were placed -- including local exchange telephone companies, or LECs -- to return money in escrow to consumers, and ordered the defendants to pay nearly $38 million in restitution for consumers.
U.S. Power Plants at Risk of Attack by Computer Worm Like Stuxnet
Ellen Nakashima writes in The Washington Post:
A sophisticated worm designed to infiltrate industrial control systems could be used as a blueprint to sabotage machines that are critical to U.S. power plants, electrical grids and other infrastructure, experts are warning.
The discovery of Stuxnet, which some analysts have called the "malware of the century" because of its ability to damage or possibly destroy sensitive control systems, has served as a wake-up call to industry officials. Even though the worm has not yet been found in control systems in the United States, it could be only a matter of time before similar threats show up here.
"Quite honestly you've got a blueprint now," said Michael J. Assante, former chief security officer at the North American Electric Reliability Corporation, an industry body that sets standards to ensure the electricity supply. "A copycat may decide to emulate it, maybe to cause a pressure valve to open or close at the wrong time. You could cause damage, and the damage could be catastrophic."
Joe Weiss, an industrial control system security specialist and managing partner at Applied Control Solutions in Cupertino, Calif., said "the really scary part" about Stuxnet is its ability to determine what "physical process it wants to blow up." Said Weiss: "What this is, is essentially a cyber weapon."
Ukrainian Police Arrest 5, Targeting Brains Behind ZeuS Botnet
Robert McMillan and Grant Gross write on ComputerWorld:
Ukrainian police on Thursday arrested five people thought to be the brains behind a scam using the Zeus Trojan to siphon money from small businesses in the U.S.
The operation is part of an ongoing effort to take down a criminal empire that stole $70 million from victims' bank accounts over the past few years. Many of those hit were small businesses or local organizations that ended up having to absorb the costs of the fraud.
Ukraine's national police force, the SBU, made the arrests as part of a joint effort with the U.S. Federal Bureau of Investigation, police in the Netherlands and the U.K.'s Metropolitan Police Service. Those detained are "key subjects responsible for this overarching scheme," the FBI said in a statement.
Ukrainian SBU agents also executed eight search warrants in an operation that was manned by about 50 police officers.
Mark Fiore: Tradition
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
Brussels Calls for Tougher Laws on Cyber-Crime
A DPA newswire article, via Monster & Critics, reports:
The European Union's executive on Thursday called for tougher EU laws on cyber-crime as it warned that hijacked computer networks had already caused major security problems in a number of member states.
EU law already covers computer offences such as hacking and spreading viruses. But remote-controlled attacks, which take over innocent computers and use them to launch raids on information systems, are not yet dealt with at an EU level.
The European Commission is therefore proposing that EU states update the rules by outlawing remote attacks - the so-called 'robot nets' or 'botnets' - and the creation of the software which runs them, and imposing a maximum jail term of two years on offenders.
'With the help of malicious software, it is possible to take control over a large number of computers and steal credit card numbers, find sensitive information or launch large-scale attacks. It is time for us to step up our efforts against cyber crime,' the EU's commissioner for home affairs, Cecilia Malmstrom, said.
UK: Police Surveillance of Muslims Set Up With 'No Regard For Law'
Paul Lewis writes on the Guardian.co.uk:
A secret police operation to place thousands of Muslims living in Birmingham under permanent surveillance was implemented with virtually no consultation, oversight or regard for the law, a report found today.
Project Champion was abandoned in June after an investigation by the Guardian revealed police had misled residents into believing that hundreds of counter-terrorism cameras installed in streets around Sparkbrook and Washwood Heath were to be used to combat vehicle crime and antisocial behaviour.
In fact, the £3m project was being run from the West Midlands police counter-terrorism unit with the consent of security officials at the Home Office and MI5.
The network of CCTV and automatic number plate reading (ANPR) cameras, which was weeks away from being switched on, was intended to monitor people entering and leaving the predominantly Muslim suburbs.
Hackers Blamed in Texas Water Utility Banking Theft
Colin McDonald writes on MySanAntonio.com:
A breach of security while an employee was online at the Bexar Metropolitan Water District allowed hackers to steal $25,000 from one of the utility's Bank of America accounts, according to the private investigation that concluded this week.
It is not known whether BexarMet can recover the missing money, but security measures are being taken to prevent another attack.
“Since no employee was involved, there are no employee disciplinary measures related to the breach,” said spokesman Hernan Rozemberg in an e-mail.
According to BexarMet staff and board members, malware, short for malicious software program, was inadvertently downloaded onto a new computer at the utility while an unidentified employee in the accounting department was on the Internet.
According to board members, it is unclear whether the computer had the latest antivirus software and whether the utility was adhering to its policy of having two managers sign off on all wire transfers.
Stuxnet Trojan Attacks Could Serve as Blueprint for Future Crimeware
Robert Westervelt writes on SearchSecurity:
The Stuxnet Trojan remains a danger to a small minority of firms that run specialized control equipment, but security experts say it could serve as a guide for copycat malware writers, who can reproduce parts of its processes and take better aim at other companies.
"How do you know that the software you are using to support sophisticated manufacturing processes, ranging from uranium centrifuges to automobiles, is not being targeted by some cyberweapon, throwing off your tolerances and measurements?" asked Paul B. Kurtz, managing partner at Arlington, Va.-based GoodHarbor Consulting LLC. "It's something that can be very costly to private industry and ultimately very disruptive to economies."
The worm surfaced in July when it was discovered exploiting a Microsoft Windows file sharing zero-day vulnerability, spreading using the AutoPlay feature for USB sticks and other removable drives. Microsoft issued an emergency update to close the hole, but researchers discovered several other methods used by Stuxnet, including a printer sharing vulnerability, which was patched this month by Microsoft.
Stuxnet was unique in that it contains code that could identify Siemens' Supervisory Control and Data Acquisition (SCADA) software and then inject itself into programmable logic controllers, which automate the most critical parts of an industrial facility's processes -- temperature, pressure and the flow of water, chemicals and gases. Kurtz, who served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Bill Clinton and George W. Bush, is convinced that the Trojan's end game is to wreak havoc or even destroy critical infrastructure facilities by altering their vital processes.
Zeus Defendants Denied Bail in U.K. Court
Jeremy Kirk writes on ComputerWorld:
Eleven Eastern Europeans arrested earlier this week for their alleged involvement in a computer hacking and money laundering scheme were denied bail in the U.K. on Thursday.
The U.K. actions were mirrored in the U.S. where the Department of Justice said it had also made arrests in connection with the Zeus botnets.
District Judge Alan Baldwin of Camberwell Green Magistrates' Court in London said some of the defendants were flight risks. Their cases have been referred to Southwark Crown Court.
More serious criminal cases are referred to crown courts rather than held in magistrates' courts in the U.K.
U.S. Charges 37 Alleged Mules and Others in Online Bank Fraud Scheme
Kim Zetter writes on Threat Level:
Thirty-seven people are being charged in the U.S. for their alleged role in an international fraud ring based in East Europe that stole more than $3 million from bank accounts belonging primarily to small businesses and municipalities, according to indictments released Thursday.
The sophisticated ring included a multitude of East Europeans who entered the U.S. on student visas and fake passports to operate as so-called “money mules,” laundering funds stolen from U.S. accounts and sending the money overseas.
Hackers believed to be in East Europe ran a botnet that used variants of the Zeus malware delivered to victims via e-mail. Zeus infected the victims’ computers to steal bank login credentials. The hackers then took over the accounts to initiate illegal bank transfers to other accounts controlled by the mules.
Last January, for example, about $130,000 was siphoned from the California bank account of a hospital.
The charges, filed in the Southern District of New York, are the culmination of a year-long investigation, dubbed Operation ACHing mules. “ACH” refers to Automated Clearing House, the system under which funds can be electronically transferred from one financial account to another.
In Passing: Tony Curtis
June 3, 1925 – September 29, 2010
In Passing: Greg Giraldo
December 10, 1965 – September 29, 2010
States Unable to Protect Citizens' Personal, Health Data From Cyber Thieves
Byron Acohido writes on The Last Watchdog:
This should come as no surprise. State government agencies aren’t devoting nearly enough resources to protect citizens’ sensitive data from hackers and data thieves.
Some 49 out of 50 states report that a lack of budget is crippling efforts to manage cybersecurity effectively. One state chose not to participate.
That’s the upshot of a survey titled “State Governments at risk: A Call to Secure Citizen Data and Inspire Public Trust” conducted by consulting firm Deloitte & Touche and the National Association of State Chief Information Officers.
The study found most state CISOs lack the capabilities to adequately protect vital data, including personal and health information of their constituents, especially when compared to their counterparts in private sector enterprises.
Gaps In International Cyber Law Could Hamper Mariposa Case
Paul Roberts writes on Threat Post:
The take down of the Mariposa botnet is a cyber law enforcement success story - but gaps in international cyber law could make it difficult to prosecute those behind the botnet.
A researcher involved in the analysis and dismantling of the Mariposa botnet said that gaps in cyber crime laws in the countries from which the botnet was operated may make it difficult to prosecute those accused of operating the scheme.
Pedro Bustamante, a senior researcher at Panda Security in Spain, said that those alleged to be behind the Mariposa botnet, which netted more than €20,000 a month at its height, may never see jail time because of lax cyber crime laws in Spain that, among other things, don't consider it a crime to operate a botnet.
In a presentation at the Virus Bulletin Conference in Vancouver, British Columbia, Bustamante said the take down of the Mariposa botnet, which controlled close to 13 million computers at one point, was an example of the benefits of close cooperation between IT security and anti-malware firms and law enforcement.
Despite Clinton Pledge, State Dept. to Pay Out Billions More to Mercs
Spencer Ackerman writes on Danger Room:
Get ready to meet America’s new mercenaries. They could be the same as the old ones.
A new multi-billion dollar private security contract to protect U.S. diplomats is “about to drop” as early as this week, say two State Department sources, who requested anonymity because the contract is not yet finalized and they are not authorized to speak with the press.
So much for Secretary of State Hillary Rodham Clinton’s one-time campaign pledge to ban “private mercenary firms.”
Neither source would say which private security firms have won the four-year contract or how much it will ultimately be worth. The last Worldwide Protective Services contract, awarded in 2005, went to Blackwater, Triple Canopy and DynCorp. Rough estimates place that contract’s value at $2.2 billion.
This one is likely to be even more lucrative. That’s because this time, the reduction and forthcoming withdrawal of U.S. troops in Iraq is causing the State Department to splurge on private security. In June, a senior department official told the congressional Wartime Contracting Commission that the department requires “between 6,000 and 7,000 security contractors” in Iraq, up from its current 2,700 armed guards. And that doesn’t even take into account those needed to guard the expanded U.S. civilian presence in Afghanistan. Mo’ mercs, mo’ money. And mo’ danger: this year, for the first time, U.S. contractor deaths in Iraq and Afghanistan exceeded troop deaths, ProPublica found.
Police Quiz 19 Over £6M Online Banking Fraud
Hi-tech crime police were today questioning 19 people suspected of orchestrating a multimillion-pound attack on British bank accounts.
Up to £6 million has been taken from online accounts in just three months by a gang of computer hackers.
They used a virus known as "zeus" to infect computers and capture the passwords and other sensitive details of banking customers.
Their money was then transferred into bogus accounts created by the crooks to help them launder the profits.
Detective Chief Inspector Terry Wilson, of the Metropolitan Police, said the amount of money stolen is likely to "increase considerably" as the investigation continues.
Targeted Malware Used in Florida Restaurant PoS Breach
Lucian Constantin writes on Softpedia Security News:
A $200,000 credit card fraud is suspected to have resulted from hackers compromising the Point-of-Sale (POS) system at a Florida restaurant with malware specifically designed for it.
Dave Wendland, the owner of Julie's Place, a Tallahassee eating house dating back to 1978, began learning from his customers of fraudulent out-of-state charges on their credit cards back in July.
Soon afterward he was contacted by the Leon County Sheriff's Office Financial Crimes Unit, which was investigating a $200,000 fraud involving over 100 payment cards that were all used at his business.
The investigation is still underway, but a technician with the company that installed the Point-of-Sale system at the restaurant has found evidence that hackers penetrated its firewall and deployed malware specifically targeting that model of card terminals.
The terminals are called Aloha and are manufactured by Radiant Systems, one of the largest providers of such systems in the country.
According to BankInfoSecurity, a Radiant representative stressed that the company's product is not vulnerable and blamed the restaurant for not employing enough security layers, as required under PCI.
After Committing to 'Net Neutrality', Rep. Waxman Pushes Bill to Kill It
Stephen C. Webster writes on The Raw Story:
Legislative text put forward by Rep. Henry Waxman (D-CA) under the banner of mandating network neutrality would instead prevent the government from requiring broadband providers to treat all Internet traffic equally.
Waxman, who has vowed that he would support the so-called 'Net Neutrality' policy proposals favored by most Democrats and progressives, has instead put forward an as-yet-unsettled legislative framework that explicitly prohibits the Federal Communications Commission from regulating broadband Internet under Title II of the Communications Act: a caveat key to implementation of what's been called the Internet's First Amendment.
Should the president sign a bill containing Waxman's language, it would effectively kill 'Net Neutrality' efforts and make key parts of a hotly contested proposal by Google and Verizon the law of the land.
CIA Allegedly Bought Flawed Software for Drone Attacks
Elinor Mills writes on C|Net News:
The CIA allegedly purchased flawed targeting software for drone missile attacks on suspected terrorists--software it knew was faulty, and that could misdirect attacks by as much as 39 feet--according to a report in The Register based on claims made in a lawsuit.
The suit, filed by a Massachusetts-based company called Intelligent Integration Systems (IISI), involves another Massachusetts company, Netezza, The Register said in its report today. Netezza, a data warehousing company IBM has made a bid to buy, allegedly got a $1.18 million purchase order from the CIA last year to provide data warehouse appliances for use in drones, according to The Register. When combined with IISI's "Geospatial" software, the devices can be used to track movement of cell phones and pinpoint peoples' exact locations in real time, The Register said.
However, the IISI software does not run on the latest version of the Netezza appliance, which the CIA was purchasing, and when IISI said it couldn't port its software to Netezza's next-generation device fast enough for the CIA, Netezza allegedly met the CIA's demands on its own, with an "illegally and hastily reverse-engineered" version of IISI's code, The Register said. Despite knowing of flaws in the hacked software, the CIA acquired it, the news site reported the lawsuit as saying.
"My reaction was one of stun, amazement that they want to kill people with my software that doesn't work," IISI Chief Technology Officer Richard Zimmerman is quoted as saying in a deposition. The Register said Zimmerman was responding to an alleged comment by the CIA that it would accept untested IISI code in chunks.
Stuxnet Attack Exposes Inherent Problems In Power Grid Security
Kelly Jackson Higgins writes on Dark Reading:
While the Stuxnet worm attack has raised the bar for targeted attacks on the critical infrastructure, it's not the first time the power grid has been in the bull's eye. Attacks against these systems are actually quite common -- it's just that they are mostly kept under wraps and rarely face public scrutiny like Stuxnet has.
Nearly 60 percent of critical infrastructure providers worldwide, including oil and gas, electric, and telecommunications, say they have been targeted by "representatives" of foreign governments, according to a study published earlier this year by The Center for Strategic and International Studies and commissioned by McAfee. More than half of the respondents had experienced a targeted, stealthy attack akin to the Aurora attacks that hit Google, Adobe, and nearly 30 other companies earlier this year. In addition, nearly 90 percent of the respondents said their networks had been infected with malware, and more than 70 percent had been hit with low-level DDoS attacks and vandalism, insider threats, leakage of sensitive data, and phishing or pharming.
As reported last week, Stuxnet has shed light on just how vulnerable their control systems really are, and as the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the potential damage that could be inflicted on a power plant and the potential consequences to the physical world.
DRM Library From Microsoft Opens Your Computer to Attacks
Alessondra Springmann writes on PC World:
Microsoft has been a proponent of DRM (digital rights management) for some time now, and has built in a number of protections to every level of its operating system.
The msnetobj.dll library, an ActiveX Network Object, is no exception: according to BoingBoing, msnetobj.dll “is intended to prevent the owner of a computer from saving or viewing certain files except under limited circumstances, and to prevent the computer's owner from disabling” the library.
Aside from mandating what sort of files you can and can’t open on your computer, msnetobj.dll is susceptible to three different types of attacks: denial of service, buffer overflow, and integer overflow. Exploit Database notes that “this issue is triggered when an attacker convinces a victim user to visit a malicious website” and that a hacker could then exploit these holes to run malicious code on your system.
In Passing: George Blanda
September 17, 1927 – September 27, 2010
Money Transfers Could Face Anti-Terrorism Scrutiny
Ellen Nakashima writes in The Washington Post:
The Obama administration wants to require U.S. banks to report all electronic money transfers into and out of the country, a dramatic expansion in efforts to counter terrorist financing and money laundering.
Officials say the information would help them spot the sort of transfers that helped finance the al-Qaeda hijackers who carried out the Sept. 11, 2001, attacks. They say the expanded financial data would allow anti-terrorist agencies to better understand normal money-flow patterns so they can spot abnormal activity.
Financial institutions are now required to report to the Treasury Department transactions in excess of $10,000 and others they deem suspicious. The new rule would require banks to disclose even the smallest transfers.
Treasury officials plan to post the proposed regulation on their Web site Monday and in the Federal Register this week. The public could comment before a final rule is published and the plan takes effect, which officials say will probably not be until 2012.
U.S. Is Working to Ease Wiretaps on the Internet
Charlie Savage writes in The New York Times:
Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone.
Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.
The bill, which the Obama administration plans to submit to lawmakers next year, raises fresh questions about how to balance security needs with protecting privacy and fostering innovation. And because security services around the world face the same problem, it could set an example that is copied globally.
James X. Dempsey, vice president of the Center for Democracy and Technology, an Internet policy group, said the proposal had “huge implications” and challenged “fundamental elements of the Internet revolution” — including its decentralized design.
French Police Dismantle Mobile Phone Hacking Ring
An AFP newswire article, via The Sydney Morning Herald, reports:
French police have busted a network of mobile phone hackers, a fraud worth millions of euros, and arrested nine people, including employees of cellular phone companies, investigators said Sunday.
Three people were still in custody Sunday following the arrests across the country that came after a year-long investigation into the network, which had been operating for a decade and is the first of its kind in France, according to officials in an investigative unit of the Marseille gendarmerie.
Investigators explained that fraudsters purchased codes to unlock SIM cards for three euros (four US dollars) each from high-ranking phone company employees, who had access to company databases.
The network subsequently sold the codes on the Internet for 30 euros. The money earned from these sales was put into tax-free overseas bank accounts.
Google Details Government Requests for User Data
Mark Long writes on Enterprise Security Today:
A new online transparency report introduced by Google on Tuesday shines the spotlight on the actions that governments around the world have been taking to control the flow of information. Among other things, the report delineates the number of government inquiries for information about users as well as the number of requests that Google has received pertaining to the removal of specific web content.
Google said it believes its responsibilities include ensuring that the company maximizes transparency around the flow of information related to Google tools and services. "We hope this step toward greater transparency will help in ongoing discussions about the appropriate scope and authority of government requests" as well as "help facilitate studies about service outages and disruptions," Google said.
According to Google, the United States ranked number one during the first half of 2010 among nations requesting information about individual web surfers. The search giant said it complied with nearly 83 percent of the more than 4,200 data requests issued by U.S. courts.
Ranking second, Brazil issued 2,435 requests for data concerning individual Internet users during the first six months of this year. The other top nations requesting user data were India (1,430), the United Kingdom (1,343), and France (1,017).
One glaring omission in Google's transparency report is the lack of any data on user-information requests from China. "Chinese officials consider censorship demands as state secrets, so we cannot disclose that information at this time," Google explained.