Friday 30 August 2013

Data breach interactive chart shows major increase in security flaws

If you didn’t believe us that hackers have been keeping themselves really busy in the last few years, this interactive graphic might just be the visual proof you need.
David McCandless of Information is Beautiful created the graphic with coder Tom Evans. It shows all the different “data breaches” that have occurred since 2004 affecting more than 30,000 people. Each attack is displayed as a bubble, based on that victim-count. You can also filter by year, method of leak, what was stolen, and the type of organization.
Pretty much any article about a hack you might read includes some mention of how “cyberattacks are growing” and “the amount of hacks have increased in the last X amount of years.” This graphic gives those call-outs merit, but also highlights some of the internal mistakes companies have made that let regular folks accidentally leak data.
As you scroll up from 2004, the size of the breaches actually seems to diminish slightly, but the frequency definitely increases, and the breaches vary from hundreds of thousands to tens of millions of victims. You can click on each bubble to get a little more information about the breach and click through to a report.
Check it out and let us know what you think of the interactive graphic.

Robots.txt is a text (not HTML) file you put on your site to tell search engines which pages you would like them not to visit. Robots.txt is by no means mandatory for search engines, but generally search engines obey what they are asked not to do.

If this is not configured properly, there is a chance that an attacker tries to find exploitable targets and sensitive data using search engines, a technique known as Google Hacking. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better-known Google hacking queries, nothing stops an attacker from crawling your site and running the Google Hacking Database queries directly against the crawled content.

Information that the Google Hacking Database identifies:
 
 * Files containing passwords
 * Files containing usernames
 * Advisories and server vulnerabilities
 * Error messages that contain sensitive information
 * Sensitive directories
 * Vulnerable servers
 * Web server detection
 * Control of CCTV Cameras

I am planning to fully update this GHDB list soon, so you can refer to this post for the latest attack patterns.
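Because robots.txt only asks crawlers to stay away, the practical defence against the GHDB queries listed below is to find these files on your own site first. The following self-audit script is an added example (not part of the original post): it flags Disallow entries that advertise sensitive locations and checks a list of publicly reachable paths against file-name patterns taken from the GHDB categories above. SAMPLE_ROBOTS and SAMPLE_SERVED_PATHS are constructed inputs standing in for your own robots.txt and a crawl of your own site.

```python
"""Self-audit for the robots.txt and Google-hacking exposure described above.

robots.txt only asks crawlers to stay away. It is not access control, and a
Disallow line naming a sensitive location advertises that location to anyone
who reads the file. On inputs from your own site, this script:

  1. parses robots.txt and flags Disallow entries that point at sensitive-looking
     locations, which should be protected server-side, not merely hidden; and
  2. checks a list of publicly reachable paths against file-name patterns taken
     from the GHDB categories on this page (password files, user lists, configs,
     SQL dumps, log files).

SAMPLE_ROBOTS and SAMPLE_SERVED_PATHS are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# (regex applied to the URL path, finding label) - derived from the GHDB queries on this page
SENSITIVE_FILE_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(^|/)(master\.)?passwd(\.bak)?$", re.I), "unix password file"),
    (re.compile(r"(^|/)(spwd|pwd)\.db$", re.I), "BSD password database"),
    (re.compile(r"(^|/)\.?htpasswd(\.bak)?$|(^|/)htgroup$", re.I), "Apache htpasswd/htgroup"),
    (re.compile(r"(^|/)administrators\.pwd$", re.I), "FrontPage administrators.pwd"),
    (re.compile(r"(^|/)passlist(\.txt)?$", re.I), "password list"),
    (re.compile(r"(^|/)config\.php$", re.I), "PHP config (often holds DB credentials)"),
    (re.compile(r"(^|/)proftpd\.conf$", re.I), "FTP daemon config"),
    (re.compile(r"\.(sql|reg)$", re.I), "database dump / registry export"),
    (re.compile(r"(^|/)userlist", re.I), "user list"),
    (re.compile(r"\.log$", re.I), "log file (may contain usernames)"),
]

# Path fragments that make a Disallow entry worth a second look.
SENSITIVE_DIR_HINTS = ("admin", "backup", "config", "/etc", "private", "passwd", "dump")

SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /images/
Allow: /
"""

# Constructed list of paths a crawl of the (hypothetical) site found publicly reachable.
SAMPLE_SERVED_PATHS = [
    "/index.html",
    "/backup/site.sql",
    "/admin/.htpasswd",
    "/etc/passwd",
    "/css/main.css",
    "/logs/putty.log",
    "/config.php",
]


def parse_robots(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def classify_path(path: str) -> List[str]:
    """Labels of every sensitive-file pattern the path matches (empty if none)."""
    return [label for pat, label in SENSITIVE_FILE_PATTERNS if pat.search(path)]


def audit(robots_txt: str, served_paths: List[str]) -> Dict[str, List[str]]:
    """Findings in two buckets: paths advertised by robots.txt, and exposed files."""
    findings: Dict[str, List[str]] = {"advertised_by_robots": [], "exposed_files": []}
    for directive, value in parse_robots(robots_txt):
        if directive != "disallow" or value in ("", "/"):
            continue
        lowered = value.lower()
        if classify_path(value) or any(h in lowered for h in SENSITIVE_DIR_HINTS):
            findings["advertised_by_robots"].append(value)
    for path in served_paths:
        for label in classify_path(path):
            findings["exposed_files"].append(f"{path}: {label}")
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_ROBOTS, SAMPLE_SERVED_PATHS)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
    print("Fix: deny these at the web server (auth or 403), then drop them from robots.txt.")
```

Every hit in `exposed_files` is something a GHDB query could surface; the remediation is server-side access control, not a longer robots.txt.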


GHDB: Files containing passwords

This search shows “password” files which contain encrypted/hashed/cleartext passwords. A password cracker can decrypt the encrypted/hashed password faster than Elvis eating jelly doughnuts. Sometimes you will get FULL ADMIN access...

1. inurl:"/root/etc/passwd" intext:"home/*:"
2. intitle:index.of passwd passwd.bak
3. intitle:index.of master.passwd
4. intitle:”Index of” pwd.db
5. intitle:”Index of” “.htpasswd” htpasswd.bak
6. intitle:”Index of” “.htpasswd” “htgroup” -intitle:”dist” -apache -htpasswd.c
7. intitle:”Index of” spwd.db passwd -pam.conf
8. intitle:”Index of..etc” passwd
9. intitle:index.of config.php
10. index.of passlist
11. intitle:index.of administrators.pwd
12. filetype:sql insite:pass && user


GHDB: Files containing usernames

This search reveals user lists and the usernames of different types of accounts, such as end-user accounts and administrative accounts.

1. inurl:admin inurl:userlist
2. inurl:admin filetype:asp inurl:userlist
3. filetype:reg reg HKEY_CURRENT_USER username
4. filetype:conf inurl:proftpd.conf -sample
5. inurl:php inurl:hlstats intext:”Server Username”
6. intext:”SteamUserPassphrase=” intext:”SteamAppUser=” -”username” -”user”
7. filetype:log username putty


GHDB: Control of CCTV Cameras

This search reveals web cameras. If authentication is not enabled, the camera can be controlled by anyone who finds it.

1. inurl:/control/userimage.html
2. intitle:"active webcam page"
3. inurl:camctrl.cgi
4. allintitle:Brains, Corp. camera
5. intitle:"supervisioncam protocol"
6. allinurl:index.htm?cus?audio
7. intitle:"Browser Launch Page"
8. inurl:"next_file=main_fs.htm" inurl:img inurl:image.cgi
9. intitle:"Live NetSnap Cam-Server feed"
10. intitle:"iVISTA.Main.Page"
11. intitle:"V-Gear BEE"
12. intitle:"EvoCam" inurl:"webcam.html"
13. intitle:"i-Catcher Console" Copyright "iCode Systems"
14. intitle:"toshiba network camera - User Login"
15. intitle:"DVR Web client"
16. inurl:netw_tcp.shtml
17. camera linksys inurl:main.cgi

How Secure is Your Mobile Worker?

How well do you know your mobile worker? Understanding the mobile worker’s perceptions and behaviors will offer a better view on the potential security implications your organization must manage. Cisco recently released a new global infographic and white paper, the Cisco Connected World International Mobile Security study. They explore the mobile worker’s view points concerning working remotely, connecting to corporate, and their sense of security. Some of the findings are worth reflecting on to help you set the course for your mobile security efforts.
There is no question that the movement to mobile personal devices in the workforce has been well recognized. A recent response to this trend includes almost half of employers offering to fund workers to buy their own devices. Allowing the “choose your own” device alternative will attract and retain talent and reduce costs (see recent IBSG BYOD research), but what are the security implications?
There are a few striking data points to call out:
  • 63% of users download sensitive data on their devices. The frequency significantly increases in some countries which should alarm people doing business internationally if there are no precautions taken to secure the downloaded data. Imagine your financial data or product road maps being downloaded on an unprotected personal device.
  • Most believe remote access is a privilege. Yet in some countries they believe it’s a right as a worker. This establishes high expectations for IT to support and secure the devices including, but not limited to, extensive help desk calls.
  • Most users are diligent when a pop-up appears and will read through the details and determine what it really means. Yet, many workers from select countries generally tend to be less careful and accept warning pop-ups without reading the details which increases the risk that hidden malware will be downloaded. Hackers depend on this social mining effort.
  • 60% of users admit to engaging in risky behavior on a device (for example, personal or company-owned) while connected to corporate resources. This suggests that more security enforcement technology would benefit the prevention of data breaches and/or loss.
So, who really owns the mobile security issue? Mobile workers do not take full responsibility for a safe device, with 84% believing that their IT will protect them from threats no matter what device is used. Sometimes IT’s perspective on this dependency is expressed with disbelief. An example of this was observed at BlackHat from a security professional during a demonstration we presented a couple of weeks ago.
During the demonstration, we showed a user inadvertently clicking on a phony URL sent in an email. That click triggered an alert to the hacker that an “innocent” user was accessing the phony Internet site. The user unknowingly offered the login credentials to their bank account, and the hacker began recording the user’s keystrokes to use later for malicious purposes. A security professional from BlackHat chimed in during the demonstration with the comment, “Dumb User.” The demonstration later showed how the combined effort of Cisco ISE and SIEM (Lancope) with unique TrustSec enforcement can identify and control the malicious activity with a single policy (for example, by segmenting and restricting user traffic close to the edge, on a network switch). The surprise to the security experts watching the demonstration was that the network switch provided this enforcement.
Bottom Line: Most mobile workers have good intentions but do rely on IT to step in.
It would be great to hear your impressions of these recent findings, and whether you are a mobile worker or an IT professional.
Please refer to Cisco’s security response for the mobile workforce: Secure Access

WEAPON OF ANONYMOUS

Before starting, I would like to give a small preview of the topic. This article focuses on the world-famous hacker group known as “Anonymous.” I will be describing their attack methodologies and way of planning, but we will focus more on the weapons or tools they use. The word anonymous simply means having no name or identity. The group Anonymous is a faction of hackers or hacktivists. They have their own website and IRC (Internet Relay Chat) channel where they hold lax online gatherings that focus on brainstorming. Rather than giving orders, the group uses a voting system that chooses the best way of handling any situation. This group is famous for its hacks, among them Distributed Denial of Service (DDOS) attacks on government websites, well-reputed corporate websites, and religious websites. Their famous slogan is:

We are Anonymous
We are Legion
We do not forgive
We do not forget
Expect us
This is the signature of Anonymous that can be seen in their every attack.

Skills of Anonymous hackers:


They are people with excellent hacking skills, but they use conventional black hat techniques and methods. In fact, their hacking techniques are familiar to other hackers. For example, they use the same tools other hackers use, like Havij and sqlmap, to perform SQL injection attacks on a website. In other words, they take advantage of common web application vulnerabilities that can be found in many websites.

The Anonymous hackers are comprised of two types of volunteers:

  • Skilled hackers – This group consists of a few skilled members with expertise in programming and networking. From their display of hacking skills, one can surmise that they have genuine hacking experience and are also quite savvy.
  • Laypeople – This group can be quite large, ranging from a few dozen to thousands of volunteers from all over the world. Directed by the skilled hackers, their primary role is to conduct DDoS attacks by either downloading and using special software or visiting websites in order to flood victims with excessive traffic. The technical skills required in this group range from very low to modest.
There was about a 10:1 ratio of laypeople to skilled hackers.

The Anonymous hackers’ first objective is to steal data from a website and server. If that fails, they attempt a DDOS attack. They are a very well-managed group. Before selecting a target, they conduct a voting poll on the internet. After that, they name their operation.

They have already organized many operations that became very famous, one of which is “Pay Back,” which became famous all over the world back in 2010. In Operation Pay Back, they stopped the services of well-known e-commerce businesses such as PayPal, Visa, MasterCard, and Sony by performing DDOS attacks on them. There are many other operations conducted by this group, such as Operation Leakspin, Operation Israel, Operation Facebook, Operation Gaza, etc.

In the figure below, we can see an example of their voting system for an operation.


After the voting poll, they decide what the next operation is.

In the figure below, we have shown a good example of their voting response.


After finalizing voting for the target, the operation process proceeds.

Their hacking operation consists of three different phases.

1. Recruiting and communication phase

2. Reconnaissance and application attack phase

3. DDOS attack phase

1. Recruiting and communication phase: In this phase, Anonymous uses social media in recruiting members and promoting campaigns. In particular, they use popular social networking sites like Twitter, Facebook, and YouTube to suggest and justify an attack. This is really the essence of all hacktivism campaigns. Messages were spread via social media such as Facebook, Twitter and YouTube.

The content during this phase:

• Explains their political agenda for the campaign. In this case, a website was created that rationalized the attack. Twitter and Facebook were used to bring attention to the website and its arguments. In addition, YouTube videos further rationalized the attack by denigrating the target and exposing perceived transgressions.

• Declared the dates and targets for protest in order to recruit protesters and hackers.

2. Reconnaissance and application attack phase: In this phase, the attackers have a sound knowledge on attacking tools. They use anonymity services to hide their identity and maintain a low profile. Their attack traffic levels during this phase were relatively low, especially when compared to the attack phase. However, the reconnaissance traffic was relatively high compared to ordinary days. An attacker tries to penetrate the web application by using famous tools like Havij, Acunetix Web vulnerability scanner, etc.

Example of tools used is stated below:

Havij – Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. With it, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system.

Acunetix – The Acunetix Web Vulnerability Scanner is an automated black box scanner that checks websites and Web applications for vulnerabilities such as SQL injection, Cross Site scripting, and other vulnerabilities.

Once the attacker successfully exploits any of these vulnerabilities, Anonymous will deface the website by replacing their website’s home page with their defaced page that looks like the figure below, with their slogan and a message to the world.

3. DDOS attack phase: The DDOS attack is the deadliest attack they use and is performed by their skilled hackers. If they fail to penetrate the web application, then they go for this attack. They are also famous for this attack because whenever they perform it, they succeed in their operation. But before conducting a DDOS attack, the Anonymous group publishes a list of tools on different social media, such as an IRC channel, Facebook, Pastebin, etc.

Some of the famous and powerful tools used by the Anonymous group are H.O.I.C, Pyloris, Qslowloris, Torshammer, etc.

I am going to show you some of the usage of the tools.

H.O.I.C – Also known as High Orbit Ion Cannon. It is a simple script that launches HTTP POST and GET requests at the target server. It is a cross-platform tool easily found for Windows, Mac and Linux. As we can see in the figure below, clicking on the plus icon opens a new small window for adding targets.

Input the target address in URL box then set the power level to Low, Medium and High as your requirement.

In the figure above, we can see the third option was left blank.
HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. “HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that’s putting it mildly—the attack code is generated based completely on what’s in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.

After selecting the booster, it is ready for the attack, as we can see in the figure below.

Now just click on “FIRE TEH LAZER” and wait a few minutes.

Now when you open your target web page, you will see a message like the figure above. If you see the message “Resource Limit Is Reached”, then it means the game is over.

PyLoris – It is a Python-based tool that works on both Linux and Windows platforms. PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the anonymized Tor network and switches between Tor “identities,” changing the apparent location the attack is coming from at user-defined intervals. Before using this tool, the Tor browser and Python must be installed on the system. Now we can start the tutorial.

  1. First open Tor. In the Vidalia control panel, go to settings, then “Advanced”, and from the drop down menu, choose password. Finally, deselect Randomly Generate.
  2. Next, go to the PyLoris folder, open the file Tor_Switcher.py and input the password you just set in Tor. You can lower the interval rate if you want. If you are getting rejected connections, try lowering or raising the interval rate.
  3. Leave Tor_Switcher.py running and open Pyloris.py. Configure it by inputting your target website in the host field under the General menu. The port is usually 80. You can raise the limits depending on how fast your computer is. Once it’s all set up, fire your laser and click on the launch button.
  4. After clicking the Launch button, a new window will pop up and will show the status of the attack. Please refer to the image below.
  5. It takes some time before all the target’s sockets are filled, usually around 300 or so. Just wait and soon you will see that your target is down.
References:

http://en.wikipedia.org/wiki/Anonymous_(group)

http://arstechnica.com/business/2012/02/high-orbits-and-slowlorises-understanding-the-anonymous-attack-tools/

Wednesday 28 August 2013

UN to act over US hacking claims

The United Nations is to contact the United States about reports that America's National Security Agency (NSA) hacked the world body's internal communications.


The UN emphasised that international treaties protected its offices and all diplomatic missions from interference, spying and eavesdropping.
Its spokesman Farhan Haq said the UN would "reach out" to US officials about the reports of eavesdropping, as it has in the past when such allegations have been raised.
Mr Haq added that "the inviolability of diplomatic missions, including the United Nations and other international organisations, whose functions are protected by the relevant international conventions like the Vienna Convention, has been well-established international law."
The German magazine Der Spiegel reported that documents it obtained from American leaker Edward Snowden showed the NSA secretly monitored the UN's internal video conferencing system by decrypting it last year.
Der Spiegel also said the NSA installed bugs in the European Union's office building in Washington and infiltrated the EU's computer network.
The 1961 Vienna Convention regulates diplomatic issues and status among nations and international organisations. Among other things, it says a host country cannot search diplomatic premises or seize its documents or property. It also says the host government must permit and protect free communication between the diplomats of the mission and their home country.
But wiretapping and eavesdropping have been rampant for decades, most dramatically between the United States and the Soviet Union during the Cold War.
Fake Salman Khurshid account tweets on Syria cause flutter

New Delhi: Amid reports of an impending Western military strike on Syria over the alleged use of chemical weapons, a fake Twitter account of External Affairs Minister Salman Khurshid caused a flutter Wednesday, saying India was in touch with Britain and US over the crisis.

The government complained to the San Francisco-headquartered company and the fake account was blocked within hours.

The imposter Twitter handle 'Salman Khurshid @IndiaMEA' complete with a picture of the external affairs minister, had the posts: "US SECRETARY OF STATE INFORMS OUR GOVERNMENT THAT AN ATTACK ON SYRIA WILL STARTS WITHING 48 HOURS".

Another one went: "Phone talks with British FM W.Hague. Intervention against Syria to start tonight. India expressed concerns."

Its first post went: "This is my official account on Twitter. Welcome! S. Khurshid, Minister of Ext. Relations, India." It also claimed the minister had spoken to the Russian foreign minister on the Syrian crisis.

Soon the Twitter account of India's external affairs ministry spokesperson Syed Akbaruddin was flooded with queries asking if the news was true.

@AkbarMEA, the Twitter handle of the official spokesperson, replied to all queries saying: "The handle @IndiaMEA is a fake one masquerading as Minister Khurshid's account. He does not have a Twitter handle." And "@IndiaMEA is a fake account and has been reported to @Twitter."

Within a few hours, the imposter handle was blocked with the message "Sorry! That page does not exist!"

The fake posting caused All India Majlis-E-Ittehadul Muslimeen chief and Hyderabad MP Asaduddin Owaisi, with Twitter account @asadowaisi, to ask @AkbarMEA: "sir I am sure the GOI is keeping an eye on Syrian crisis as more than 5 million Indians work in that region."

A discerning Twitter account posted: "Seems improbable that India's foreign minister wd spill military secrets divulged in a private phone call on Twitter".

How Twitter Dodged Website Attack That Took Down New York Times

Chalk one up for Twitter Inc.
While the New York Times and Google Inc. (GOOG:US) had visitors to their sites redirected this week by hackers, the microblogging service was better able to deflect attacks because of a simple tool called a registry lock. Like alerts sent to credit-card users when something bad happens, the feature notifies website managers of attempts by intruders to tamper with critical information, such as Web-address data.
The cost? As little as $50 a year.
Large banks, e-commerce companies, gambling sites and pornographers have used registry locks from VeriSign Inc. (VRSN:US) and NeuStar Inc. (NSR:US) to prevent unauthorized changes. Attacks by the Syrian Electronic Army routed New York Times readers to a site that displayed the group’s initials and altered some registration data. They underscore how vulnerable many companies are to relatively unsophisticated attacks, which can take down sites and harm their businesses.
“This is certainly an ah-ha moment,” said Rodney Joffe, a senior technologist at NeuStar. The Sterling, Virginia-based company began offering registry locks in 2010 and requires that website domain information be accompanied by two layers of verification, such as additional codes from security tokens.
“It is a niche business but there’s no reason for it to be,” he said. “It’s the kind of thing you have to do today.”
While Twitter’s site operated normally, twitter.co.uk was inaccessible for some users. The Syrian Electronic Army, which backs the country’s president, Bashar al-Assad, claimed responsibility for the New York Times and Twitter intrusions, as well as the Washington Post this month and the Financial Times in early May. Unknown hackers altered Google’s website in the Palestinian territories, displaying a map without Israel.

Raising Bar

The attacks exploited weaknesses in a registration network called the Domain Name System, exposing risks that site operators face because they’re relying on third parties to handle their online addresses. Weaknesses in DNS, which was created in the 1980s to help computers find websites using names instead of numbers, haven’t been seen as a significant threat outside of the financial-services and retail sectors up to now, according to John Pescatore, director of emerging-security trends at the SANS Institute in Stamford, Connecticut.
“There are still a lot of sloppy practices,” Pescatore said. “There’s a lot of room to raise the bar.”
Because Twitter, based in San Francisco, monitors its DNS information in real time and had implemented a registry lock, it was better prepared than the New York Times, according to HD Moore, chief research officer at Rapid7, a Boston-based security firm. Since the attacks, many other companies have moved to institute similar safeguards, he said.
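The two defences this article credits Twitter with, a registry lock and real-time monitoring of its DNS data, can both be checked from the outside. The script below is an added example (not code from Twitter, NeuStar or VeriSign): it looks for the EPP status codes a registry lock sets (serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited, defined in RFC 5731) in WHOIS-style output, and diffs a stored baseline of NS and A records against a fresh snapshot to raise the kind of alert the article describes. The WHOIS text and record snapshots are constructed samples; real data from your WHOIS/RDAP client and resolver goes in the same shapes.

```python
"""Two defensive checks behind the article above: is a registry lock actually in
place, and have the domain's DNS records drifted from what you expect?

A registry lock shows up from the outside as EPP status codes on the domain
(serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited, RFC
5731); only the registry can clear them, which is what stops a compromised
registrar account from repointing the domain. The second check is the
real-time monitoring the article credits Twitter with: diff a stored baseline
of NS and A records against a fresh snapshot and alert on any change.

WHOIS_LOCKED, WHOIS_UNLOCKED and the record snapshots are constructed samples;
feed real data from your WHOIS/RDAP client and resolver in the same shapes.
"""
from typing import Dict, List, Set

REGISTRY_LOCK_STATUSES = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}

# Constructed WHOIS output for a domain with a registry lock in place.
WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed WHOIS output for a domain with only the registrar-level client lock.
WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

# What the domain's delegation and web front end are supposed to look like.
BASELINE: Dict[str, Set[str]] = {
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "A": {"192.0.2.10"},
}

# A later snapshot in which one nameserver has been swapped out.
OBSERVED_TAMPERED: Dict[str, Set[str]] = {
    "NS": {"ns1.example.net.", "ns9.unexpected.example."},
    "A": {"192.0.2.10"},
}


def parse_status_codes(whois_text: str) -> Set[str]:
    """Collect EPP status codes from 'Domain Status:' / 'Status:' lines."""
    codes: Set[str] = set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("domain status", "status"):
            tokens = value.split()
            if tokens:  # the ICANN explainer URL after the code is dropped
                codes.add(tokens[0])
    return codes


def missing_lock_statuses(whois_text: str) -> Set[str]:
    """Registry-lock statuses the domain lacks; an empty set means the lock is complete."""
    return REGISTRY_LOCK_STATUSES - parse_status_codes(whois_text)


def dns_changes(baseline: Dict[str, Set[str]], observed: Dict[str, Set[str]]) -> List[str]:
    """Human-readable alerts for every record added or removed versus the baseline."""
    alerts: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(rtype, set()), observed.get(rtype, set())
        alerts.extend(f"{rtype} added: {v}" for v in sorted(after - before))
        alerts.extend(f"{rtype} removed: {v}" for v in sorted(before - after))
    return alerts


if __name__ == "__main__":
    for label, text in (("example.com", WHOIS_LOCKED), ("example.net", WHOIS_UNLOCKED)):
        missing = missing_lock_statuses(text)
        state = "registry lock present" if not missing else "MISSING " + ", ".join(sorted(missing))
        print(f"{label}: {state}")
    for alert in dns_changes(BASELINE, OBSERVED_TAMPERED):
        print("ALERT:", alert)
```

Run `dns_changes` on a schedule against authoritative answers for your own zone; a changed NS set is exactly the symptom the New York Times outage showed.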

DNS Flaw

Twitter has had its DNS records hacked before. The company acknowledged in 2009 that its DNS records were compromised by hackers who defaced the site with a message about Iran. Jim Prosser, a spokesman for Twitter, declined to comment on the company’s security measures.
A vast system that underpins how computers locate each other, DNS is often called the phone book of the Internet. In 2008, Dan Kaminsky, a security researcher, uncovered a flaw in the system that would let hackers easily impersonate legitimate sites. He worked with technology companies to fix it. The finding prompted several companies that process financial transactions online to adopt additional security measures to ensure their domain information is secure, while others stayed on the sidelines, according to SANS’s Pescatore.

Security Steps

NeuStar and VeriSign, another provider of registry lock services, declined to identify the companies using their registry lock services. Danny McPherson, chief security officer of VeriSign, said in a statement that the technology gives customers more control over who can change information.
Eileen Murphy, a spokeswoman for the New York Times (NYT:US) Co., said the newspaper is looking at additional measures.
“In light of this attack and the apparent vulnerability even at what had been highly secure registrars, we are tightening all of our security,” she said.
Jay Nancarrow, a spokesman for Google, declined to comment on the company’s security. The company’s Palestine site itself wasn’t hacked and Google is talking with the domain manager to resolve the issue, he said.
One complication of hosting sites with addresses of specific countries or regions is that many of the registration providers don’t use registry locks and other protective steps, said Paco Hope, a principal consultant with Cigital Inc.
“When you’re a company like the New York Times or Twitter or Google, your stock in trade is the Internet, it’s the service you offer, and that’s why it makes sense to put in a lot more security,” Hope said.
The rise in sophisticated hacking attacks is helping fuel a market for computer-security technology that is expected to exceed $65.7 billion this year, according to Gartner Inc.
Many companies that didn’t prioritize a threat involving their DNS records are now rethinking that approach, SANS’s Pescatore said.
“It’s one of several Achilles’ heels of using the Internet,

Lack of Details on China Hacking Claim Puzzles Analysts


[Photo: A netizen in Leping, Jiangxi province uses a smartphone to browse the China Internet Network Information Center (CNNIC) website, July 17, 2013. Credit: ImagineChina]
A recent cyberattack on China's country-level .cn domain may not be all that it seems, computer experts said this week.

Beijing's China Internet Network Information Center (CNNIC), which maintains the registry for the top-level domain, announced this week that it was crippled by two distributed denial of service (DDoS) attacks on websites using the .cn suffix in the early hours of Sunday morning.

The first started around midnight Beijing time, and service was restored by around 2:00 p.m. local time, CNNIC said in a statement.

The second, which hit at around 4:00 p.m. local time, was the largest ever DDoS attack to hit China's Internet.

Many websites were rendered completely inaccessible or extremely slow to load for an unspecified period of time, it said.

Beijing's Ministry of Industry and Information Technology, which oversees CNNIC, has launched "specific contingency plans" to protect national domain name resolution services.

But no details of the attack or the contingency plans were made public, leading cybersecurity experts to question the point of the announcement.

Call for details

Rutgers University computer scientist Zhou Shiyu called on Beijing to make detailed information about the attack public.

"The problem is that there's no evidence that indicates whether this attack came from within China or from overseas," Zhou said. "They must explain this clearly."

"All we know is that [DDoS] attacks are the commonest method of attack," he said.

He added that China was no stranger to carrying out large-scale cyberattacks itself.

"The Chinese government has spent huge amounts of money and resources on developing its ability to carry out online attacks," he said.

Smokescreen attack?

Meanwhile, U.S.-based Internet security analyst Li Hongkuan said the likelihood of Chinese government-backed attacks against the .cn domain existed, but wasn't large.

Beijing could even have staged the attacks as a smokescreen, given that its standard response to allegations of government-backed cyberattacks overseas is that it, too, is the target of such attacks.

"It's quite possible that the Chinese government is a thief crying 'thief,' or that it's bluffing," Li said.

"It's also possible that these attacks came from hackers within China who are critical of the government."

For the time being, CNNIC has apologized for the disruption and promised that more details will be made public as soon as they are discovered.

Mandiant

China has rejected claims that its People's Liberation Army (PLA) was behind a series of hacker attacks on U.S. corporate networks described in a February report by the security firm Mandiant.

Beijing's Ministry of National Defense denied claims made in a 74-page report by U.S.-based Mandiant which said it had traced a large number of transnational cyberattacks to IP addresses assigned to a building it said belonged to the PLA in Shanghai.

Mandiant said the building was the home of the PLA's cyberespionage "Unit 61398," which it said had stolen data, including intellectual property, from at least 141 companies since 2006.

Mandiant's report said it was "highly unlikely" the Chinese government was unaware of the hacking attacks, and was possibly supporting the cyberespionage.

New York Times

In the same month, The New York Times newspaper accused hackers traced to China of "persistently" infiltrating its computer networks over the last four months, also sparking an angry denial from Beijing.

The paper had hired a team of computer security experts to trace the attacks and block any back doors through which they were gaining access to the system, it said.

Cybersecurity experts said the report should be taken in the context of widespread cyberespionage carried out by a large number of countries.

Expect more Web hacking if U.S. strikes Syria: cybersecurity expert

[Photo: The New York Times headquarters]
WASHINGTON — The Syrian hacker group that has taken credit for causing outages on the websites of the New York Times and other news organizations probably will increase its activity if the U.S. launches military strikes on the Middle Eastern nation, a cybersecurity expert said Wednesday.
The Syrian Electronic Army wants to keep people from reading what it views as negative information about the regime of President Bashar Assad, which it supports, said Adam Meyers, vice president of intelligence for CrowdStrike, an Internet security firm in Irvine.
The group does so by launching hacking attacks on news and social media sites.
"They’re gearing up to continue the campaign, and if the hammer starts to come down on the current regime, they’re going to start desperately trying to provide positive messaging and negatively impact those speaking badly about the regime," Meyers said.
In the attack on the New York Times website, which was down for large parts of Tuesday and into Wednesday, the Syrian Electronic Army used a tactic known as "spear phishing" to get access to the user name and password of a sales partner at an Australian Internet company.
The firm, MelbourneIT, allows website owners to buy Internet addresses and the hackers were able to prevent computers from accessing the New York Times website. The news organization redirected readers to a bare-bones alternate site Wednesday.
Twitter, the Huffington Post and other news organizations also were affected by the attack Wednesday and in recent weeks.
"We placed twitter in darkness as a sign of respect for all the dead #Syria-ns due to the lies tweeted it," the Syrian Electronic Army said on its Twitter account Tuesday, one of several tweets referencing the hacking attacks.
This summer, CrowdStrike detected activity by the Syrian Electronic Army aimed at the Los Angeles Times, Meyers said. The group used a Facebook page that has since been taken down to post a flood of comments on articles about Syria to raise doubts about their credibility, he said.
"Their big initiative is to impact dialogue and change messaging to have a pro-Syrian slant to it," Meyers said. "Anything they can do to put up a pro-Syrian slant...or negatively impact an anti-Syrian slant, they do."
The Tribune Co. had no comment, said spokesman Gary Weitman.
Peter Boogaard, a spokesman for the Department of Homeland Security, would not comment on whether the government was monitoring the hacking attacks.
He said the agency's U.S. Computer Emergency Readiness Team "provides response, support and defense against cyberattacks when requested."

Times site affected by hacking attack




New York: The New York Times website was unavailable to readers on Tuesday afternoon after an online attack on the company's domain name registrar, Melbourne IT. The attack also forced employees of The Times to take care in sending emails.

Marc Frons, chief information officer for The New York Times Co., issued a statement at 4:20 p.m. warning employees that the disruption - which appeared to still be affecting the website well into the evening - was "the result of a malicious external attack." He advised employees to "be careful when sending email communications until this situation is resolved."

In an interview, Frons said the attack was carried out by a group known as "the Syrian Electronic Army, or someone trying very hard to be them."

The website first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Frons said that "we believe that we are on the road to fixing the problem."

The Syrian Electronic Army is made up of hackers who support President Bashar Assad of Syria. Matt Johansen, head of the Threat Research Center at White Hat Security, posted on Twitter that he was directed to a Syrian Web domain when he tried to access The Times' website.

The SEA first emerged in May 2011, during the first Syrian uprisings, when they started attacking a wide array of media outlets and nonprofits and spamming popular Facebook pages like President Barack Obama's and Oprah Winfrey's with pro-Assad comments. Their goal, they said, was to offer a pro-government counter narrative to media coverage of Syria.

The group has consistently denied ties to the Assad government and has said it does not target Syrian dissidents, but security researchers and Syrian rebels are not convinced. They say the group is the outward-facing campaign of a much quieter surveillance campaign targeting Syrian dissidents and are quick to point out that Assad once referred to the SEA as "a real army in a virtual reality."

Until now, The Times has been spared from being hacked by the SEA, which has successfully disrupted the Web operations of news organizations including The Financial Times.

On Aug. 15, the group attacked The Washington Post's website through a third-party service provided by a company called Outbrain. At the time, the SEA also tried to hack CNN. Some information security experts said the group also appeared to be ready to attack The New York Times website that day. (Just a day earlier, on Aug. 14, The Times' website was down for several hours. The Times cited technical problems and said there was no indication the site was hacked.)

In a post on Twitter on Tuesday afternoon, the SEA also said it had hacked the administrative contact information for Twitter's domain name registry records. According to the Whois.com lookup service, the Syrian Electronic Army was listed on the entries for Twitter's administrative name, technical name and email address.

Jim Prosser, a Twitter spokesman, said the social network was "looking into" the Syrian Electronic Army's claim that it had taken control of a Twitter domain.

Frons said the attacks Tuesday on Twitter and The New York Times required significantly more skill than the string of SEA attacks on media outlets earlier this year, when the group attacked Twitter accounts for dozens of outlets ranging from The Guardian to The Associated Press. Those attacks caused the stock market to plunge after the group planted false tales of explosions at the White House.

"In terms of the sophistication of the attack, this is a big deal," said Frons. "It's sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of websites."
© 2013, The New York Times News Service

Tuesday 27 August 2013

Hackers hijack and deface Google Palestine


Hackers hijacked and rerouted Google’s Palestine domain to a different server apparently in objection to labelling of Palestinian territories as Israel in Google Maps.

The group Hackteach claimed responsibility and left a message on the homepage.

“uncle google we say hi from palestine to remember you that the country in google map not called israel. its called Palestine,” the statement read. “#Question : what would happens if we changed the country title of Isreal to Palestine in google maps !!! it would be revolution ..So Listen to rihanna and be cool :P.”

Earlier in May, Google changed the tagline on homepage of its Palestinian edition from “Palestinian territories” to “Palestine” in line with the UN’s decision last year upgrading the Palestinians' status to "non-member observer state."

Monday 26 August 2013

India: Talent hotspot for global cybercrime industry

MUMBAI: India is fast emerging as a talent hotspot for the global cybercrime industry amid slow hiring in the traditional software industry, the lure of easy money, and lack of law enforcement, according to computer security experts.
Work such as hacking into computer networks and creation of malware is being outsourced to cyber-mercenaries in India through underground marketplaces. It is possible to rent botnets - computers controlled by a hacker - to launch disabling attacks to bring down websites for as little as $2 (Rs 125) per hour.

"Increasingly, India is becoming not just the victim but the host country with regard to cyber attacks," Jagdish Mahapatra, managing director for India and SAARC at anti-virus maker McAfee, told ET. The process has become so organised that some of these hacking services come with Live Chat customer support, according to McAfee.

In 2012, McAfee Labs identified at least 850 separate bits of ready-to-download malware hosted on computers in India. In the first quarter of 2013, the number had jumped to 1,100. India is ranked eighth in the world in terms of number of attacks originating here, a report by Akamai Technologies in May said.

"Blackhats can make a lot of money, so I'm not surprised that we're beginning to see cybercrime markets emerge in India," said Oxblood Ruffin, a Canadian hacktivist based in Bangalore. In Internet security language, a blackhat refers to someone who exploits vulnerabilities in computers with malicious intent or personal gain. In March, Norwegian telecommunications services provider Telenor reported an intrusion into its computer networks. Cybersecurity company Norman Shark traced that attack to India and documented it in a whitepaper titled 'Unveiling an Indian Cyber-attack Infrastructure'.

India has the 'skills'
"You have underground hacker forums where people post their hacking requirement and you can bid for them and have the money transferred to a PayPal account via a service called Perfect Money," Sarvaiya said. While ethical hackers could earn 30,000 a month legally, cybercrime fetches more than $2,000 (Rs 1,30,000) a month.

Perfect Money functions as an e-currency. The currency units can be transferred between customers, whose identities can be hidden. The units can be redeemed for cash - in dollars or euros - or gold by third-party exchange services.

The hacker forums cannot be accessed via standard web browsers - what is required is a special browser called a Tor Browser that allows access to the 'hidden web' where these blackhat hackers operate.

The forums look like a social networking site designed by death-metal fans. Attempts by ET to contact hackers on these forums were not successful.

Some of the traits that made India the hub for sourcing technology services are also contributing to the rise of this new dubious trade. "You need software skills; the country has that capability. Then you need motivation, which is the money, and the knowledge that the Indian legal system is likely to not be able to prosecute you. These are cross-border computer crimes, our laws have not reached that point," said Dinesh Pillai, CEO of Mahindra Special Services Group.

There is no estimate of the number of Indian hackers for hire. And security industry professionals said while they knew the number of attacks from India was rising, they could not pinpoint individual attacks that could be attributed to Indian hackers.

"It used to be the eastern European countries that had the skilled manpower to provide hackers for hire, but now we can see that moving to emerging economies like India and Sri Lanka where job opportunities have shrunk," said Diwakar Dayal, who leads security sales for Cisco in South Asia.

Hackers are also emboldened by the belief that they are unlikely to get into trouble with the law. While there are sections in the IT Act that govern hacking, cross-border crimes are hard to police even in the real world.

"We have the requisite laws to try and punish such cross-border cybercrimes, even if they are committed by foreign nationals. But it becomes practically difficult due to the need for information sharing and reciprocity (in case of extradition) between countries," said Dipak Parmar, founder of Cyber-IPR.

Experts said a number of steps need to be taken if the rise in this type of crime has to be stemmed.

"The government's cybersecurity policy is a step in the right direction, but internet service providers also play a role. Network security across the board has to be strengthened in the country," Cisco's Dayal said.

Sunday 25 August 2013

External Security Assessment is important for all networks and applications

The most common solution to external network security assessments is scan, scan, scan…and then scan some more

One of the most common vulnerability assessment activities for all companies of all sizes is an external scan, typically targeting internet-facing websites. Because we service the vulnerability assessment and penetration testing needs of large enterprises, we know “you know” that scanning external-facing network resources is important, and an obvious high priority. But we also challenge you to understand that scanning alone is not enough, unless all you really want is a checkmark for an audit of one kind or another.

A complete job of assessing the hardness of your external network includes multiple steps. Here are four of the main steps that you should be familiar with:

  1. Anonymous information gathering to discover all Internet-facing assets a hacker could identify as potential entry-points into your network
  2. Scanning of your internet-available network access points and web servers for known vulnerabilities (non-credentialed)
  3. Verifying scan-result findings through in-depth manual pen testing attack techniques (both credentialed and non-credentialed)
  4. Providing deeply informed remediation guidance and advisory services for identified/verified vulnerabilities

Why is BriskInfoSec approached to discuss external vulnerability assessment work with large enterprises?

BriskInfoSec is approached by our large enterprise clients to assess the security of their external-facing network assets for many reasons, but chief among them are dissatisfaction with their own internal tools, their present provider, and/or their own internal team’s ability to manage all of their external testing work efficiently over time in a consistent and professional manner. These situations frequently result in someone on a company’s security staff being assigned to search out alternatives, which opens up an opportunity for BriskInfoSec to present our highly disciplined, in-depth approach to assessing the security of their external-facing network assets alongside their present approach.


What do these companies discover when comparing BriskInfoSec approach to external security testing with their own present approach?

Because BriskInfoSec is driven by an across-the-board corporate culture that’s passionate about delivering the highest-value findings and recommendations possible, we do more than the basic steps: we do all the steps on your behalf, and then more. If you assign mid-to-low-importance projects to others, fine, we see that frequently. But if you have a set of high-value software assets or critical points of entry into your network, working with BriskInfoSec always begins with an education about scanning versus penetration testing:

  • Scanning and penetration testing are not the same thing, no matter how much the marketing folks working for the scanning tool manufacturers and scanning service providers make it sound that way
  • Scanning is never enough; it is only an initial step in the entire assessment process
  • Even the scanning step alone, done effectively, needs multiple scanning tools and multiple overlapping scans run against the same resources in order to do a thorough job
  • Scanning the same resources with different tools (as just recommended) naturally returns different results in different data formats
  • Correlating and normalizing all this disparate scanning data requires special technology: like our proprietary CorrelatedVM™ platform that’s used by all of our pen testers and available (in part) to you through our CorrelatedVM Portal at no additional cost
  • Scanning identifies potential vulnerabilities, and the different scanners may recommend different remediation actions – but BriskInfoSec’s CorrelatedVM platform fixes that problem as it correlates and normalizes all the scanning data from multiple scanning products and multiple rounds of scanning into the best set of recommended remediation actions
  • Potential vulnerabilities identified by the initial scanning effort need to be verified by experts to eliminate false positives, and to thoroughly analyze the remainder, while also probing for any unidentified vulnerabilities the scanners could not find – this is work that only an expert pen testing company like BriskInfoSec can deliver
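
The four steps listed earlier and the bullets above make the same practical point: several scanners, several export formats, several severity vocabularies, and a pile of findings that must be merged before anyone can verify them. The Python below is an added example, not BriskInfoSec's CorrelatedVM code or any real scanner's export format; the hosts, titles, CSV/JSON layouts and CVE ids are all constructed placeholders. It normalises two scanner exports onto one host/port/issue key and one 0-4 severity scale, merges duplicates, and separates findings corroborated by both tools from single-source ones, which are the likeliest false positives and go to manual verification (step 3) first.

```python
# Added example: correlate and normalise two scanners' exports. All data is constructed.
import csv
import io
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed export of hypothetical scanner "A": CSV with word severities.
SCANNER_A_CSV = """host,port,cve,severity,title
www.example.test,443,CVE-0000-1111,High,TLS library out-of-bounds read
WWW.example.test.,80,,Medium,Missing X-Frame-Options header
mail.example.test,25,CVE-0000-2222,High,SMTP daemon memory corruption
"""

# Constructed export of hypothetical scanner "B": JSON with CVSS base scores.
SCANNER_B_JSON = json.dumps([
    {"target": "www.example.test", "port": "443", "cves": ["CVE-0000-1111"],
     "cvss": 7.5, "name": "TLS heartbeat extension information leak"},
    {"target": "www.example.test", "port": "443", "cves": [],
     "cvss": 5.3, "name": "TLS 1.0 enabled"},
    {"target": "mail.example.test", "port": "25", "cves": ["CVE-0000-2222"],
     "cvss": 6.8, "name": "SMTP daemon memory corruption"},
])

# One 0-4 scale for both scanners' severity vocabularies.
SEVERITY_WORDS = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def severity_from_word(word: str) -> int:
    return SEVERITY_WORDS[word.strip().lower()]

def severity_from_cvss(score: float) -> int:
    """Map a CVSS v3 base score onto the 0-4 scale using the v3 qualitative bands."""
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1 if score > 0.0 else 0

def norm_host(host: str) -> str:
    """Case and trailing-dot differences must not split one asset into two."""
    return host.strip().lower().rstrip(".")

@dataclass
class Finding:
    host: str
    port: int
    cve: Optional[str]
    severity: int
    titles: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)

    @property
    def key(self) -> Tuple[str, int, str]:
        # A CVE id is the cross-scanner identifier. Without one we fall back to the
        # title, so two scanners wording the same CVE-less issue differently stay
        # separate and both surface for manual verification instead of silently merging.
        label = self.cve or min(t.lower() for t in self.titles)
        return (self.host, self.port, label)

def parse_scanner_a(text: str) -> List[Finding]:
    return [Finding(norm_host(r["host"]), int(r["port"]), r["cve"] or None,
                    severity_from_word(r["severity"]), {r["title"]}, {"A"})
            for r in csv.DictReader(io.StringIO(text))]

def parse_scanner_b(text: str) -> List[Finding]:
    return [Finding(norm_host(i["target"]), int(i["port"]),
                    i["cves"][0] if i["cves"] else None,
                    severity_from_cvss(i["cvss"]), {i["name"]}, {"B"})
            for i in json.loads(text)]

def correlate(findings: List[Finding]) -> Dict[Tuple[str, int, str], Finding]:
    """Merge findings that describe the same issue on the same host and port."""
    merged: Dict[Tuple[str, int, str], Finding] = {}
    for f in findings:
        hit = merged.get(f.key)
        if hit is None:
            merged[f.key] = Finding(f.host, f.port, f.cve, f.severity,
                                    set(f.titles), set(f.sources))
        else:
            # Scanners disagree on severity; keep the worst case until a human checks.
            hit.severity = max(hit.severity, f.severity)
            hit.titles |= f.titles
            hit.sources |= f.sources
    return merged

def triage(merged: Dict[Tuple[str, int, str], Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Return (corroborated, single-source) lists, each ordered worst severity first."""
    def order(f: Finding):
        return (-f.severity, f.host, f.port)
    corroborated = sorted((f for f in merged.values() if len(f.sources) > 1), key=order)
    single = sorted((f for f in merged.values() if len(f.sources) == 1), key=order)
    return corroborated, single

def run() -> Tuple[List[Finding], List[Finding]]:
    return triage(correlate(parse_scanner_a(SCANNER_A_CSV) + parse_scanner_b(SCANNER_B_JSON)))

if __name__ == "__main__":
    for label, group in zip(("corroborated", "needs manual verification"), run()):
        print(label)
        for f in group:
            print(f"  {f.host}:{f.port} sev={f.severity} {f.cve or '-'} "
                  f"sources={sorted(f.sources)} {' / '.join(sorted(f.titles))}")
```

On the constructed data the two CVE-tagged issues come out corroborated (with scanner B's 6.8 and scanner A's "High" reconciled to the worst case), while the header finding and the TLS 1.0 finding each come from one tool only and land in the verification queue.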
In-depth pen testing to final reporting of findings and recommendations is what sets BriskInfoSec apart, and why we are given the critical responsibility of assessing the security of your most high-value/high-risk external-facing network assets.

The power of CorrelatedVM comes at no cost to you and provides real benefits that only BriskInfoSec can deliver

CorrelatedVM™, our proprietary vulnerability assessment and pen testing management platform, will be utilized for your external network penetration testing service when you hire BriskInfoSec. The CorrelatedVM platform and your complimentary access to its SaaS-based customer portal set our deep-dive pen test work and customer-facing deliverables light years apart from all other pen test services. This one-of-a-kind, powerful platform has been continually enhanced and used exclusively by BriskInfoSec’s elite team of pen test consultants on every pen test engagement for over a decade now.


Once you see our team in action with the CorrelatedVM platform, and what CorrelatedVM can offer your organization in the way of automating and disciplining your external vulnerability assessment efforts, you’ll realize how it solves presently unsolvable problems that will profoundly benefit all of your vulnerability management programs going forward.


Contact us at info@briskinfosec.com to conduct external security testing of your applications and network at an affordable price.


U.S. spied on United Nations by hacking into video conferencing system at New York headquarters: report

The German magazine Der Spiegel says the U.S. National Security Agency secretly monitored the U.N.’s internal video conferencing system by decrypting it last year.
Susan Rice, U.S. Ambassador to the UN, is seen on the television screens during a UN General Assembly vote at the New York headquarters. The National Security Agency broke the encryption securing the United Nations' internal video conferencing at its headquarters, German news weekly Der Spiegel reported on August 25, 2013, citing secret NSA documents.

The weekly said Sunday that documents it obtained from American leaker Edward Snowden show the NSA decoded the system at the UN’s headquarters in New York last summer.
Quoting leaked NSA documents, the article said the decryption “dramatically increased the data from video phone conferences and the ability to decode the data traffic.”
In three weeks, Der Spiegel said, the NSA increased the number of decrypted communications at the UN from 12 to 458.
Snowden’s leaks have exposed details of the United States’ global surveillance apparatus, sparking an international debate over the limits of American spying.
The U.S. government’s efforts to determine which highly classified materials the leaker took from the National Security Agency have been frustrated by Snowden’s sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have shown what information Snowden viewed or downloaded.
The government’s forensic investigation is wrestling with Snowden’s apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren’t authorized to discuss the sensitive developments publicly.
The disclosure undermines the Obama administration’s assurances to Congress and the public that the NSA surveillance programs can’t be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA’s own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
In July, nearly two months after Snowden’s earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.
NSA spokeswoman Vanee Vines told the AP that Alexander “had a sense of what documents and information had been taken,” but “he did not say the comprehensive investigation had been completed.” Vines would not say whether Snowden had found a way to view and download the documents he took without the NSA knowing.
In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.
“This program goes under careful audit,” Cole said. “Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you’re concerned about happening.”
The disclosure of Snowden’s hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.
It also helps explain the recent seizure in Britain of digital files belonging to David Miranda – the partner of Guardian journalist Glenn Greenwald – in an effort to help quantify Snowden’s leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.
Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post. As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA’s secure system, Alexander has said.
In his job, Snowden purloined many files, including ones that detailed the U.S. government’s programs to collect the metadata of phone calls of U.S. citizens and copy Internet traffic as it enters and leaves the U.S., then route it to the NSA for analysis.
Officials have said Snowden had access to many documents but didn’t necessarily know how the programs functioned. He dipped into compartmentalized files as a systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.
NBC News reported Thursday that the NSA was “overwhelmed” in trying to figure what Snowden had stolen and didn’t know everything he had downloaded.
Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.
Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.

Free messaging apps unsafe, claim hackers

NEW DELHI: The free text messaging app on your phone can be used to steal your personal information. Sounding this warning, hackers and cyber security professionals have claimed that internet companies can access a mobile user's chat logs and phone data, including location, contacts, mail and much more, through some of these free texting apps.

To prove their point, a team of young hackers demonstrated on Sunday how text messages sent through a Chinese free texting app can be decrypted. They said foreign governments could also be using this method to access data for surveillance or spying.

The vulnerability of free messaging users was one of several privacy issues that hacking enthusiasts discussed at The Hackers Conference in the capital on Sunday.

'Govt fails to tap potential of hackers despite web attacks'

Participants at The Hackers Conference in Delhi on Sunday said the government wasn't utilizing the potential of hackers despite its websites increasingly coming under attack.

Often considered an underground community, hackers are increasingly becoming part of the mainstream IT industry and contributing as security experts. Some also use their skills for larger good, to investigate government documents and data. At the conference, there were people from all of these categories.

"Hacking is like an art which needs skill to master. It is also like science, extremely logical. Today private companies use ethical hackers to make themselves secure. We know of companies that pay hackers more than they spend on developing software," said Kishlay Bharadwaj, 24, a freelance security analyst and organizing member of the conference. Hackers are paid around Rs 1 lakh per month by social networking sites, search engines and software companies, he said, adding that some of these hackers are just teenagers.

Kishlay and Mohit Kumar, 24, another organizing member, said it was about time that the government woke up to the potential of hackers. "The public sector doesn't hire freshers. There is also a misplaced idea that all hackers are criminals. They are just people who are technically sound. There is a 16-year-old hacker who is being paid Rs 4 crore per annum by a leading search engine. The Indian government should understand how important cyber security is," Bharadwaj said.

He said it was easy for hackers from other countries to deface central government websites, create fake pages and fake log-in credentials.

The Jharkhand police was the first government body to start a process of rewarding people who are able to find loopholes on any website or IT infrastructure of government departments. Dinesh O Bareja, an advisor with Cyber Defence Research Centre, Jharkhand police and state IT department addressed hackers on how the 'bug bounty' system was being used effectively.

According to Prabhjot Singh, 28, another organizing member, Indian hackers were increasingly making use of their skills to expose the 'bad' side of governments. "There are many Indians on the group called Anonymous, which is a network of hacktivists. Those in 'Op India' of Anonymous are for instance leaking the list of Indian account holders in Swiss banks," Singh said. Edward Snowden, he added, was a role model who showed how leaking data can be for public good. "He is great and he should be given an honor for his bravery," adds Prabhjot.

Not everyone was so candid at the conference. Said Akshat Singal, 13, the youngest participant and member of the hacking community, "I can't say what I think of Snowden; it's controversial. All these issues about cyber security are controversial. But I like computer security and want to understand it. It affects everyone from a fruit vendor to a businessman. There is a rise in connectivity among people but nothing is safe or unsafe in the virtual world," says Singal who studies in class VII at Modern School, Barakhamba Road.

While Singal was probably the only school student at the meet, many other youngsters raised concerns about privacy. Saumya Vishnoi, 25, a security analyst, was appalled at the vulnerability of the government's digital data and said there was a lack of awareness about violations of privacy on smartphones.

Friday 23 August 2013

Hackers aren't heroes, they're fraudster scum



      In the era of the internet, hackers are seen as noble figures – anarcho-libertarians, standing up to the man, exposing government secrets and corporate misdeeds.
Actually, that's a myth. The bulk of people doing hacking are absolute scum. In the UK, we're starting to see a wave of cyber-criminals targeting businesses. On hacking forums, although many participants baulk at hacking individuals, going after a company is seen as perfectly morally acceptable.
While high-profile hacks like those on huge firms such as Apple and Associated Press make the headlines, the bulk of this hacking is aimed at small and medium companies – family businesses, in other words. Firms don't like to talk publicly about being victims but in anonymous surveys as many as 40% of firms admit being affected by it.
The mechanisms by which this cyber crime takes place are often exactly the same as those used on individuals – keylogging of passwords to get access to email accounts is a common way, although there are other more sophisticated means. The motivation for attacking businesses is a potent brew: a combination of anti-capitalism that justifies the assault, knowledge of how lucrative hacking a firm can be, and the hacker's disdain for people with poor online security.
Lots of hacks are about theft – if you know your way around business banking, you can make a fortune with a stolen email account belonging to a reputable firm, by taking out enormous loans or factoring contracts in their name. Simply put, even small businesses can borrow immensely more money than individuals, and as far as hackers are concerned, if you don't protect yourself, you deserve to be robbed and only have yourself to blame.
There's also a black market in buying a wealth of the information that's easily accessible from business email accounts – everything from tables of common passwords, to databases of customer emails, right down to the user keys for expensive software packages.
It's not just theft or selling data, though. Many business accounts contain valuable, often irreplaceable, data that can be held to ransom. Ransom is a common trick, often deployed when stealing a company website. The cyber criminal gets into the email of whoever administers the website, and moves it to a host domain they control, and changes all the password access.
They can then alter it at will, changing emails so customers don't receive them and even taking the website down entirely. It usually takes the business a couple of days to realise they've been hacked, and then the criminals demand cash in return for returning web access to the rightful owners. One Shoreditch tech firm that was recently the victim of an attack like this told me they were told by the police to just pay the ransom, get the website back and be more careful in the future.
The police can't help much with any of this – untangling a web of IP addresses that stretches halfway round the world and usually ends in an internet cafe or a branch of Starbucks is more than they can cope with. The fact that the police usually can't catch these people adds to the hacker's sense of innate superiority, and justifies their community having epic tantrums when one of their own is arrested.
The damage the hacking community does is very real. We're starting to see specific cyber crime insurance policies being offered to compensate firms – such insurance is already worth over a billion dollars in the US alone.
This is the reality of cyber-crime and hacking: it's not anti-capitalist heroism, it's grubby extortion of your local florist, with gleeful criminals that can't be caught and insurance firms rubbing their hands together at the thought of double-digit growth in sales for them, which ramps up prices for everyone else. It's high time we stopped lionising hackers, and started treating them like the petty bottom-feeding crooks they are.

German agency warns Windows 8 PCs vulnerable to cyber threats

A German government technology agency has warned that new security technology in computers running Microsoft's Windows 8 operating system may actually make PCs more vulnerable to cyber threats, including sabotage.

Germany's Federal Office for Information Security, or BSI, said in a statement posted on its website on Wednesday that federal government agencies and critical infrastructure operators should pay particular attention to the risk.
The warning comes after weeks of public indignation in Germany over leaks related to U.S. surveillance programmes. The spying scandal has become a headache for Chancellor Angela Merkel ahead of a September 22 election.
The problem, according to the BSI, is with the use of a computer chip known as the Trusted Platform Module, or TPM 2.0, which is built into Windows 8 computers. TPM 2.0 is designed to better protect PCs by interacting with a variety of security applications.
But the BSI, which provides advice on technology and security to the government as well as the public, said the joint implementation of Windows 8 and TPM 2.0 chips could lead to "a loss of control" over both the operating system and hardware, without specifying exactly how that could occur.
"As a result, new risks occur for users, especially for federal and critical infrastructure," it said.
The statement concluded: "The new mechanisms in use can also be used for sabotage by third parties. These risks need to be addressed."
Microsoft declined to comment on the BSI statement.
The company provided Reuters with a statement saying that PC makers have the option to turn off TPM technology, so that customers can buy PCs with it disabled.
TPM was developed by the Trusted Computing Group, a non-profit organization backed by technology firms including IBM, Intel, Hewlett-Packard and Microsoft.
The BSI said it was working with the Trusted Computing Group and operating systems producers to find a solution.

Thursday 22 August 2013

Hand of Thief, a new Linux virus

Just two weeks after reporting about the commercialization of the KINS banking Trojan, RSA reveals yet another weapon to be used in a cybercriminal’s arsenal.
It appears that a Russia based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system. This appears to be a commercial operation, which includes support/sales agents and software developer(s).

Meet the “Hand of Thief” Trojan

Hand of Thief is a Trojan designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates. The current functionality includes form grabbers and backdoor capabilities; however, the Trojan is expected to gain a suite of web injections and graduate to full-blown banking malware in the very near future. At that point, the price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release. These prices coincide with those quoted by developers who released similar malware for the Windows OS, which arguably prices Hand of Thief well above market value given the relatively small Linux user base.
The Trojan's developer claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. As for desktop environments, the malware supports 8 different environments, including GNOME and KDE.

An Insider’s Glimpse

RSA researchers have managed to obtain the malware builder as well as the server side source code, and a preliminary analysis reveals familiar functionalities of a banking Trojan. Some of the initial features include:
  • Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox and Google Chrome, as well as several other Linux-only browsers such as Chromium, Aurora and Iceweasel.
  • Block list preventing access to specified hosts (a similar deployment is used by the Citadel Trojan to isolate bots from security updates and anti-virus providers)
  • Backdoor, backconnect and SOCKS5 proxy
  • Anti-research toolbox, which includes anti-VM, anti-sandbox and anti-debugger features

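The article does not say how Hand of Thief enforces its block list; the Citadel deployment it compares it to is widely documented as rewriting the hosts file so that update and anti-virus domains resolve to loopback or unroutable addresses. The following is an added defender-side example, not code from RSA or from the page, that checks hosts-file content for that pattern. The sample hosts text, the domain watchlist and the `update.example-av.com` name are constructed for the example; in practice the watchlist would hold the update mirrors and vendor domains relevant to your own fleet.

```python
import ipaddress
import re

# Constructed sample of an /etc/hosts file. The first three lines are ordinary;
# the remaining ones imitate the kind of entries a hosts-file block list adds.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.10 fileserver.local
# constructed block-list entries follow
127.0.0.1    security.ubuntu.com
0.0.0.0      archive.ubuntu.com
127.0.0.1    www.virustotal.com
127.0.0.1    update.example-av.com
"""

# Constructed watchlist: names that should only ever be resolved through DNS.
# Any static hosts entry for them is a finding, whatever address it points at.
WATCHLIST = {
    "security.ubuntu.com",
    "archive.ubuntu.com",
    "security.debian.org",
    "download.fedoraproject.org",
    "www.virustotal.com",
    "update.example-av.com",  # hypothetical vendor domain
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()


def is_sinkhole(address):
    """True when the address can never reach a real server (loopback or 0.0.0.0/::)."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_blocklist_entries(text, watchlist=WATCHLIST):
    """Return (hostname, address, reason) for every watched name pinned in the hosts file.

    'sinkholed' means the name is pointed at an address that cannot answer, which
    silently breaks updates and vendor lookups; 'redirected' means it is pinned to
    some other routable address, which could be a look-alike server.
    """
    findings = []
    for address, name in parse_hosts(text):
        if name not in watchlist:
            continue
        reason = "sinkholed" if is_sinkhole(address) else "redirected"
        findings.append((name, address, reason))
    return findings


if __name__ == "__main__":
    # On a real host you would read /etc/hosts instead of the constructed sample.
    for name, address, reason in find_blocklist_entries(SAMPLE_HOSTS):
        print(f"{reason:10s} {name:28s} -> {address}")
```

A hosts-file check like this is cheap enough to run from a file-integrity monitor or a periodic cron job, and pairing it with a hash of `/etc/hosts` in configuration management catches the rewrite itself rather than only the effect.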
Figure 1: Hand of Thief – Linux Trojan’s Builder

Control Panel Features

The developer wrote a basic administration panel for the Trojan, allowing the botmaster to control the infected machines reporting to it. The panel shows a list of the bots, provides a querying interface, and offers run-of-the-mill bot management options.
The Trojan’s infrastructure collects the stolen credentials and stores the information in a MySQL database. Captured data includes information such as timestamp, user agent, website visited and POST data. Hand of Thief also exhibits cookie-stealing functionality.
Figure 2: Hand of Thief – Linux Trojan’s Admin Panel View
Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason. In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.

So What’s Next?

We are left with a number of questions:
Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?
Also, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?
Only time will tell. RSA researchers will continue to closely monitor the development of this Trojan and update accordingly.

US Department of Energy is hacked again

The US Department of Energy has again been hacked, having previously fallen to an attack this February.
The DoE is notifying employees that hackers have gained personal information on 14,000 current and former staff, with the data including names and social security numbers.
The hack is said to have taken place late last month, and those affected are being warned about the potential danger of identity theft with their personal information now in the wild. The previous hack also involved the theft of personal data and affected several hundred staff.
The Wall Street Journal reports the attackers were able to get into the DoE systems by hacking into a human resources system, which included payroll data.
The SANS Institute, a cyber security research organisation, said such attacks can see hackers collect personal information in order to try to control sensitive US networked infrastructure, like that of the DoE, through compromised log-ins and passwords.
A hacker, for instance, could use the personal information of an employee to try to obtain a new network or database password from the IT department.
In a memo confirming the attack, the DoE said, "No classified data was targeted or compromised. Once the full nature and extent of this incident is known, the Department will implement a full remediation plan."
The DoE said it will be paying the costs of identity theft protection to those affected by the data loss.

Scottish Independence: Yes ‘email hacking’ details

An email at the centre of a hacking inquiry within the official pro-independence campaign concerned payment to an academic for writing a newspaper article.

Yes Scotland filed a police complaint after private emails were allegedly accessed. It became aware after it received a media inquiry last week that appeared to contain information from internal correspondence.
The details of the email in question were not initially released but Yes Scotland revealed it was a correspondence with Dr Elliot Bulmer in connection with an article he wrote for the Herald newspaper titled, ‘a Scottish constitution to serve the common weal’.
The pro-independence group said it had no influence over what he wrote and revealed the details of the email to end “unhelpful speculation”.
A Yes Scotland spokesman said: “This matter was first brought to our attention last Wednesday when we were asked for comment on Dr Bulmer and the article in question. We responded quickly, confirming that a small fee had been paid to Dr Bulmer at his request. We were perfectly relaxed and transparent about this.
Legal advice
“However, later that day it became apparent that an email account at Yes Scotland had been accessed illegally and that the information relating to this matter had been gleaned as a result.
“We alerted the police and British Telecom as well as the enquirer who, upon reflection, decided to not proceed further.
“Given that the illegal breach of Yes Scotland email has become the subject of an extensive and ongoing police inquiry involving detectives from Police Scotland’s Digital Forensics Unit, we have - under legal advice and at the request of the investigating officers - been unable to discuss the content of the email relating to Dr Bulmer.
“However, given persistent unhelpful speculation, we can confirm that in the course of a wide-ranging discussion with Dr Bulmer it was suggested that he, as an academic working in a private capacity, might consider writing an article on matters about constitutional frameworks based on his expertise.
“At his request, he was paid a nominal fee for the considerable time and effort he spent on it. We had no input to, or any influence over, what he wrote.
“We would now ask that this serious criminal investigation is allowed to continue unhindered by further unhelpful speculation, accusation and misinformation.”

NSA unlawfully gathered domestic emails

The National Security Agency (NSA) illegally intercepted thousands of e-mails from Americans with no connection to terrorism and misled the court about the scope of what it was doing, according to latest declassified documents.
Officials disclosed the history of that unlawful surveillance, releasing three partially redacted opinions of the Foreign Intelligence Surveillance Court that detailed the judges’ concerns about how the NSA had been siphoning data from the Internet in an effort to collect foreign intelligence.
The documents were released in response to a Freedom of Information Act lawsuit filed by the Electronic Frontier Foundation, an advocacy group based in San Francisco.
According to a redacted 85-page opinion by the chief judge of the Foreign Intelligence Surveillance Court, the National Security Agency (NSA) may have been collecting as many as 56,000 “wholly domestic” communications each year.
“For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe,” John D. Bates, the surveillance court’s chief judge at the time, wrote in his October 3, 2011 opinion.
U.S. intelligence officials sought to portray the matter as a technical glitch that the intelligence agencies caught and fixed.
But in the court opinion, judges said the NSA repeatedly had misled them about the scope of what it was doing.
“The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection programme,” Mr. Bates wrote.
The latest revelations come amid growing criticism from members of Congress and privacy groups about the NSA surveillance programs and charges that the agency has far overstepped its bounds in collecting information on U.S. citizens.
In a late-night statement, the Office of the Director of National Intelligence (ODNI) strongly rejected media reports that the U.S. has unfettered access to some 75 per cent of the country’s online communication.
“The reports leave readers with the impression that NSA is sifting through as much as 75 per cent of the United States’ online communications, which is simply not true. In its foreign intelligence mission, and using all its authorities, NSA “touches” about 1.6 per cent, and analysts only look at 0.00004 per cent, of the world’s Internet traffic,” ODNI said.