Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 1 – 5 January 2012
ThreatCon 1: Normal
No major threats have been seen on the
internet recently. Users are advised to exercise standard
precautions against normal attacks.
TOP OF THE NEWS
Hackers May Have Compromised Gordon Brown's email
Police investigating computer hacking by
private investigators commissioned by national newspapers have
uncovered evidence that emails sent and received by Gordon Brown
during his time as Chancellor were illegally accessed. Mr Brown's
private communications, along with emails belonging to a former
Labour adviser and lobbyist, Derek Draper, have been identified by
Scotland Yard's Operation Tuleta team as potentially hacked
material. They are currently looking at evidence from around 20
computers which hold data revealing that hundreds of individuals
may have had their private emails hacked.
The links discovered from the seized computers
suggest that the email investigation could involve as many victims
as those involved in the News of the World phone-hacking
scandal.
The eight-strong Tuleta team is looking at the
possibility that several Fleet Street titles commissioned
specialist private detectives to access computers. News
International yesterday declined to comment on the latest
allegations. A source with knowledge of the contents of some of the
computers seized from private investigators told The Independent
that analysis of a portion of the hundreds of thousands of messages
found on the machines showed that Mr Brown and Mr Draper were
targeted while the former Prime Minister was Chancellor of the
Exchequer. The period includes potentially sensitive episodes in
the difficult relationship between Mr Brown and Tony Blair.
More on this story at:
http://www.independent.co.uk/news/uk/crime/gordon-browns-downing-street-emails-hacked-6283985.html
Murder retrial ordered after court records destroyed by virus
It seems like the plot twist in a bad TV show -
but it's true. A computer virus infection has helped a convicted
killer get a new trial. In July 2009, a Miami jury convicted Randy
Chaviano, of Hialeah, Florida, of second degree murder.
Many might have thought it was the end of story
when, after an eight day trial, Chaviano was given a life sentence
for the shooting of Carlos Acosta. But when the courts recently
investigated whether Chaviano had grounds to appeal his conviction,
it was discovered that no legal record of the trial could be found
- giving the Third District Court of Appeal no choice but to throw
out the conviction and grant Chaviano a new trial.
Stenographers at trials normally record
proceedings on both paper and an internal disk. You've probably
seen them busy at work, tapping wildly in the corner of the shot if
you've ever seen a courtroom melodrama. But Terlesa Cowart, the
stenographer at Chaviano's 2009 trial, had not brought enough rolls
of paper for her machine, forcing her to record details of the
trial only on the device's internal disk. Subsequently, she
transferred the data onto her PC, and erased it from the
stenograph.
You can see where this is leading, can't you?
An infection on Ms Cowart's PC by an unnamed
virus is said to [have] resulted in the loss of the legal records.
As a result, the trial has to be reheard; costing time and money,
and witnesses and police officers will need to give evidence once
again. And, of course, the relatives of the deceased man will have
to go through the heartache of another trial. It seems very sloppy
to allow the only record of a trial's proceedings to be held on an
individual's PC - it's like asking for trouble if it isn't at the
very least held securely as a backup elsewhere.
It's claimed that stenographers in Florida have
been resisting moves to replace them with digital recorders. Goofs
like the one made by Terlesa Cowart are not going to do anything to
help their argument.
Source:
http://nakedsecurity.sophos.com/2012/01/04/convicted-murderer-trial-virus
Don’t fall into the latest Amazon scam
Some weeks ago scammers distributed hundreds of e-mails falsely
claiming that the recipient’s Amazon.com account will expire soon and
be deactivated. However trustworthy such messages look, this is a
textbook spam campaign whose only purpose is to get unaware PC users
to hand over their credentials by filling in the attached form. The
attachment is detected as Troj/Phish-AZ and should never be opened.
The malicious messages, which pretend to come from the Amazon team,
read:
Subject: You have (1) Message from Amazon
Attached file: NO003950033.html
Dear customer,
Your online account is about to expire and will
be deactivated.
Please confirm wether you want to continue using
Amazon or not.
If the answer is yes, download and complete the
attached form.
If the answer is no, please ignore this
e-mail.
Best wishes,
Amazon Team
Note – Do not reply to this e-mail.
If you do open the attached file, you will see a form asking you to
fill in personal information such as credit card details, date of
birth and more. This is a clear phishing scheme, widely used by hackers
these days to steal users’ personal information and install malware
without asking any permission.
To avoid intrusions like this, never click on links in e-mails that
look suspicious. If you do open a file found in an e-mail, never save
it; open it in ‘Read-only’ form.
Source: www.nakedsecurity.sophos.com
Police Officers Disciplined for Inappropriate Facebook Posts
Nearly 200 police officers in the United Kingdom
have received official disciplinary action for posting
inappropriate photos or comments, including racist slurs, on
Facebook. Cops used Facebook to harass former partners and
colleagues, comment on others' wives and, like millions of people
around the world without badges, to post inappropriate photos.
One officer with the Hampshire, England, Force
was fired in 2008 for posting a racist comment; another officer was
fired for calling another officer a "liar" on Facebook and
harassing a female colleague, the U.K. Press Association reported.
The details, obtained by the Press Association following a Freedom
of Information Act request, tally formal complaints lodged against
officers from 41 police forces in England and Wales from 2008 to
2010.
Along with the two sacked officers, seven
voluntarily quit and 150 more faced disciplinary action for their
Facebook follies; officers' other infractions include posting
messages suggesting they had beaten up members of the public during
protests, trying to befriend victims of crime and revealing details
of police operations. One officer, Nestor Costa, of Devon and
Cornwall Police, was docked three days’ pay after posting a
Facebook message, full of abusive language and curse words, calling
for violence against a suspect in custody.
Roger Baker led a government review into police
corruption among U.K. officers; he told The Sun: "We found a
significant blurring between people's professional lives on social
networking sites and their private lives which may be in the public
domain and private lives which probably should remain extremely
private."
Source:
http://www.securitynewsdaily.com/uk-police-inappropriate-facebook-behavior-1456
Anonymous Targets Think Tank
Hackers released another batch of data on
Thursday pilfered from Stratfor Global Intelligence, a widely used
research and analysis company whose website was attacked last
weekend. The data purports to be the names and credit-card numbers
of people who have purchased research from Stratfor plus hundreds
of thousands of user names and e-mail addresses used to register
with the website.
The hackers, believed to be part of the
Anonymous movement, described the data on Pastebin, then provided
several links to websites hosting the information. They noted that
some 50,000 of the e-mail addresses released end in ".mil" or
".gov."
The data comprises 75,000 names, credit card
numbers and MD5 hashes, or cryptographic representations, of
passwords for people who have paid Stratfor for research. The group
also said the data contains 860,000 user names, e-mail addresses
and MD5 hashes for passwords for anyone who has registered on
Stratfor's website.
Stratfor said on Thursday that it was
offering a free one-year subscription to an identity protection
service to those affected. Stratfor's CEO, George Friedman, wrote
on the company's Facebook page on Monday that the intrusion
revealed the names of some corporate subscribers along with
personal and credit card data. A first batch of data was released
by hackers shortly after the breach. Stratfor denied the hackers'
claim that the data was a list of "private clients", saying it was
instead a list of members who may have purchased a publication.
Barrett Brown, a de facto spokesman for
Anonymous, wrote on Pastebin on Monday that the hacking wasn't
aimed at stealing credit card numbers but rather 2.7 million
internal e-mails. "This wealth of data includes correspondence with
untold thousands of contacts who have spoken to Stratfor's
employees off the record over more than a decade," Brown wrote.
"Many of those contacts work for major corporations within the
intelligence and military contracting sectors, government agencies
and other institutions."
Those e-mails have yet to be released and
could present another headache for Stratfor. The company's website
was still down as of Friday, and officials could not be immediately
reached by phone.
Source:
http://www.computerworld.com/s/article/9223082/Hacking_group_releases_more_Stratfor_subscriber_data?taxonomyId=17
Editor's Note: The Tech Herald has an
interesting analysis on the passwords that were leaked:
http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List
DARPA Project Will Monitor Troops' eMail to Detect Insider Threats
[US] Troops’ emails will be under
surveillance as part of a new Defense Department project to help
detect potential “insider threats,” or potential traitors or
terrorists inside the military. A new project backed by the Defense
Advanced Research Projects Agency aims to create “a suite of
algorithms that can detect multiple types of insider threats by
analysing massive amounts of data — including email, text messages
and file transfers — for unusual activity,” according to a
statement from the Georgia Institute of Technology, which is
helping develop the system.
The aim is to identify threats similar to
that posed by Bradley Manning, the Army intelligence specialist who
allegedly leaked thousands of classified documents to Wikileaks, or
Nidal Hasan, the Army major accused of killing 13 people in a
shooting spree at Fort Hood in November 2009. Authorities say Hasan
had contacts with Islamic extremists overseas before the
shooting.
DARPA describes the project, officially known
as the Anomaly Detection at Multiple Scales program, as “insider
threat detection in which malevolent (or possibly inadvertent)
actions by a trusted individual are detected against a background
of everyday network activity,” according to the agency's website. A
DARPA spokesman said he was unable to provide further information
about the project, including whether the tracking will be limited
to official government computers, when such monitoring could begin,
or how many troops might be monitored during the development phase,
which is slated to take two years.
By tracking keystrokes and file downloads,
the new surveillance system will create “a very short, ranked list
of unexplained events that should be further investigated,”
according to the statement from Georgia Tech.
Insider threats are on the rise, military
intelligence experts told Congress in December. Authorities have
identified at least five instances of plots or attacks from troops
who had become radicalized. “The Fort Hood attack was not an
anomaly,” said Rep. Peter King, R-N.Y., at a Dec. 7 hearing that
focused on the military’s insider threats. “It was part of
al-Qaida’s two-decade success at infiltrating the U.S. military for
terrorism, an effort that is increasing in scope and threat.”
Source:
http://www.navytimes.com/news/2011/12/military-darpa-email-surveillance-122111w/
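The "very short, ranked list of unexplained events" that Georgia Tech describes is, at its simplest, a per-user baseline and a deviation score. The following Python is an added illustration and is not DARPA's or Georgia Tech's code: the activity log lines are constructed, and the features (daily file-transfer and e-mail counts), the z-score threshold and the floor on the standard deviation are my own assumptions, chosen to show how the ranking singles out the unusual day without flagging ordinary variation.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: day, user, file transfers that day, e-mails sent that day.
# alice's last day has an unusual number of transfers; carol's an unusual number of e-mails.
LOG = """\
2011-12-01 alice 12 40
2011-12-02 alice 10 38
2011-12-03 alice 11 42
2011-12-04 alice 13 39
2011-12-05 alice 90 41
2011-12-01 bob 5 20
2011-12-02 bob 6 22
2011-12-03 bob 4 19
2011-12-04 bob 5 21
2011-12-05 bob 6 23
2011-12-01 carol 30 60
2011-12-02 carol 28 58
2011-12-03 carol 31 62
2011-12-04 carol 29 59
2011-12-05 carol 32 400
"""

FEATURES = ("file_transfers", "emails")


def parse_log(text):
    """Parse the whitespace-separated log into (day, user, transfers, emails) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, xfers, mails = line.split()
        rows.append((day, user, int(xfers), int(mails)))
    return rows


def score_events(rows, min_baseline_days=3, floor=1.0):
    """Score each user's most recent day against that user's own earlier days.

    The score is the largest z-score over the features; `floor` (assumed) keeps a
    very stable baseline (standard deviation near zero) from exploding the score.
    Users with too little history are skipped rather than scored on noise.
    """
    by_user = defaultdict(list)
    for day, user, xfers, mails in sorted(rows):
        by_user[user].append((day, (xfers, mails)))
    scores = []
    for user, history in by_user.items():
        if len(history) <= min_baseline_days:
            continue
        baseline = [f for _, f in history[:-1]]
        day, latest = history[-1]
        best_z, best_feature = 0.0, None
        for i, name in enumerate(FEATURES):
            values = [f[i] for f in baseline]
            sd = max(pstdev(values), floor)
            z = (latest[i] - mean(values)) / sd
            if z > best_z:
                best_z, best_feature = z, name
        scores.append((user, day, round(best_z, 2), best_feature))
    return scores


def ranked_list(rows, top=3, threshold=3.0):
    """The short, ranked list an analyst would look at: highest scores first,
    anything below the (assumed) threshold dropped."""
    ranked = sorted(score_events(rows), key=lambda s: s[2], reverse=True)
    return [s for s in ranked if s[2] >= threshold][:top]


if __name__ == "__main__":
    for user, day, score, feature in ranked_list(parse_log(LOG)):
        print(f"{user:6} {day} z={score:>8} ({feature})")
```

The per-user baseline matters: carol's 32 transfers would be alarming for bob but are normal for her, so only her e-mail count is flagged. Real systems add many more features and a model of what is "explained", but the ranking step looks like this.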
THE REST OF THE WEEK’S NEWS
Microsoft Investigating Report of 64-bit Windows 7 Memory Corruption Flaw
An unpatched critical flaw in 64-bit Windows
7 leaves computers vulnerable to a full 'blue screen of death'
system crash.
The memory corruption bug in x64 Win 7 could
also allow malicious kernel-level code to be injected into
machines, security alert biz Secunia warns. Fortunately the 32-bit
version of Windows 7 is immune to the flaw, which has been pinned
down to the win32k.sys operating system file - which contains the
kernel portion of the Windows user interface and related
infrastructure.
Proof-of-concept code showing how to crash
vulnerable Win 7 boxes has been leaked: the simple HTML script,
when opened in Apple's Safari web browser, quickly leads to the
kernel triggering a page fault in an unmapped area of memory, which
halts the machine at a blue screen of death.
The offending script is just an IFRAME tag
with an overly large height attribute. Although Safari is required
to spark the system crash via HTML, modern operating systems should
not allow usermode applications to bring down the machine.
Microsoft is now investigating the vulnerability, which was first
reported by Twitter user w3bd3vil, although the software giant is
racing against hackers tracing the code execution path to discover
the underlying vulnerability in Windows 7.
Microsoft is investigating the issue, which appears to lie in an error
in win32k.sys.
Source: http://www.theregister.co.uk/2011/12/21/win_7_bug_crash_risk
Israeli Bank Credit Cards Exposed by Saudi Hackers
Details from 15,000 Israeli credit card
customers have been exposed by hackers on the Internet, the Bank of
Israel said.
The cards have been blocked from further use
in Internet or telephone transactions and cardholders won’t be
liable for their misuse as a result of the leak, the central bank
said today in an e-mailed statement. The cards, which were issued
by Israel Credit Cards Ltd., Isracard Ltd. and Leumi Card Ltd.,
will be replaced, the central bank said. “Details of credit card
customers were recently exposed on the Internet, as a result of
hackers breaking into the websites of companies which maintained
that information,” the central bank said. “Any problem should be
reported to the credit card companies as soon as possible.”
Israel’s Army Radio reported early today that
a group of computer hackers claiming to be of Saudi Arabian origin
had taken credit for exposing the information in a statement they
posted on an Israeli sports website. The hackers broke into the
websites of companies that maintained the information, the central
bank said.
Dov Kotler, chief executive officer of Tel
Aviv-based Isracard, said that details from about 6,600 cards of
the 3.3 million issued by the company were exposed on the Internet.
“The company invests heavily every year to prevent misuse of its
cards, and will continue to do so,” Kotler said in an e-mailed
statement.
Source:
http://www.businessweek.com/news/2012-01-03/bank-of-israel-says-details-of-15-000-credit-cards-put-on-web.html
GCHQ Will Offer Incentives to Retain Key Officers
Spies working at the Government’s
communications headquarters are being offered bonuses worth tens of
thousands of pounds to stop them being poached by corporate giants
such as Microsoft and Google. The move follows complaints made by
the head of GCHQ that he is losing top staff to companies that can
afford to pay them £100,000 packages in salaries and generous
perks. Some of the staff being targeted by the private sector are
vital to Britain’s intelligence services in the fight against cyber
warfare.
GCHQ director Iain Lobban told MPs in July
last year that he was struggling to recruit and retain key staff.
He warned the Intelligence and Security Committee: ‘They will be
working for Microsoft or Google or Amazon or whoever. ‘I can’t
compete with their salaries. Month-on-month, we are losing whizzes
who’ll basically say, “I’m sorry, I am going to take three times
the salary and the car and whatever else.”’
Now the Government has approved a competitive
package of bonuses and incentives for staff at GCHQ, based in
Cheltenham, Gloucestershire. Some of the staff being targeted by
the likes of Google are vital to Britain's intelligence services in
the fight against cyber warfare. A report by the Cabinet Office
states: ‘Experienced internet specialists are highly prized by both
Government and industry, and GCHQ recognises that it therefore
needs to maintain its competitiveness in the market place.’
The Cabinet Office, which has co-ordinated
the Government’s response to the MPs’ review of Britain’s security
and intelligence agencies, said GCHQ had started paying bonuses to
key staff to thwart tempting offers made by big internet companies.
It also said GCHQ was considering ‘other measures to attract and
retain suitably skilled staff in greater numbers’. Security sources
say that the most prized officers at GCHQ are those who understand
the world of hacking and cyber espionage.
Earlier this year, GCHQ set a puzzle for
would-be spies as part of a high-profile recruitment drive to bring
in talented mathematicians to train in cyber warfare. But
those who made it through to the final stages discovered that the
post paid only £25,000. Some GCHQ staff are on less.
Britain has spent more than £100million in
the past year on consultants to combat cyber espionage and the
growing use of the internet by terrorists. Whitehall sources say
private consultant costs are high because Government cutbacks have
left gaps that are plugged by outside contractors. A GCHQ spokesman
said: ‘We take controlling the cost of consultants very
seriously.’
Source:
http://www.dailymail.co.uk/news/article-2080841/Spies-bonuses-halt-Google-poachers-pay-times-GCHQ.html
Multifunctional malware, staged drive-by attacks to rise in 2012
Automated toolkits with business models that
include rental agreements and constant updates will gain
considerable improvements in 2012, with many attack kits being
primed with new features that enable even the least tech-savvy
cybercriminals to hone malware in 2012 for highly targeted attacks.
Financial malware designed to target and infiltrate bank accounts
could be recoded for targeted non-financial attacks, according to
Boston-based security vendor Trusteer. The Zeus and SpyEye
codebases, which are now publicly available, can be manipulated to
pull off more sophisticated targeted attacks against enterprises.
“Over the next twelve months perimeters will face an onslaught from
various sources, viruses going financial, APT-style technologies in
Zeus code derivatives manipulated by new coders and in other
commercially available malware kits,” Trusteer CTO Amit Klein noted
in the company’s list of predictions.
A scourge of compromised legitimate websites
will continue to fuel an increase in staged attacks in 2012,
according to South Jordan, Utah-based network security vendor,
Solera Networks Inc. High-profile attacks carried out by hacktivist
groups demonstrated that even the largest enterprises struggle to
control website vulnerabilities that can give cybercriminals a way
into sensitive systems. Andrew Brandt, Solera’s director of Threat
Research, urges Mozilla Firefox users to keep their plug-ins
updated and install NoScript to stop the onslaught of drive-by
attacks using malicious JavaScript. “As far as I can tell, it’s the
only surefire method of preventing an accidental infection of a
Windows PC by exploit-kitted webpages,” Brandt wrote in the Solera
blog. “It all starts with a blob of heavily obfuscated Javascript
and ends within a few minutes with the victim’s PC pwned and the
victim’s passwords in the hands of some Asian or eastern European
goon squad.”
Solera’s Brandt also points to vulnerable
WordPress.org blog plug-ins as a major contributor to the problem.
Malware writers upload their code to the vulnerable webpages,
enabling them to serve up keyloggers to blog visitors. “Most of the
code we’ve seen uploaded to legit sites redirects the browser into
the maw of one or another exploit kits,” Brandt wrote.
Meanwhile, security giant McAfee, which was
acquired in 2010 by chipmaker Intel, is predicting a spike in
attacks that leverage embedded hardware or use a computer’s master
boot record and BIOS layers, to bypass traditional security
technologies. “We expect to see more effort put into hardware and
firmware exploits and their related real-world attacks throughout
2012 and beyond,” according to McAfee. Embedded systems that run
GPS routers, ATM machines, medical devices and other systems can be
rooted and are at risk to falling under the control of
sophisticated cybercriminals, according to McAfee’s “2012 Threats
Predictions” report. “Controlling hardware is the promised land of
sophisticated attackers,” according to the report. “If attackers
can insert code that alters the boot order or loading order of the
operating system, they will gain greater control and can maintain
long-term access to the system and its data.”
McAfee’s prediction is somewhat buoyed by
Columbia University researchers who demonstrated how HP printer
vulnerabilities could be used by cybercriminals to gain access to
corporate networks.
Michael Sutton, vice president of security
research at SaaS-based email and Web gateway security vendor
Zscaler Inc. said the focus on hardware-based threats may force
hardware vendors to increase their focus on security and take
vulnerability disclosure more seriously. Sutton’s presentation at
Black Hat 2011 focused on weaknesses in embedded Web servers.
“Security in the hardware space is at least ten years behind
security in the software industry,” Sutton wrote in Zscaler’s
ThreatLabZ blog. “Hardware vendors will get a wake-up call as
researchers shift their efforts to hardware and party like it's
1999.”
Source:
http://searchsecurity.techtarget.com/news/2240113180/Multifunctional-malware-staged-drive-by-attacks-to-rise-in-2012
Japan testing 'virus' cyberdefence weapon, reports say
The Japanese authorities have tested a
‘virus’ cyberweapon capable of tracing and disabling computers
being used in cyberattacks against the country, a newspaper in the
country has reported. Quoting anonymous sources said to be
connected to the project, The Yomiuri Shimbun said that Japan’s
Defence Ministry's Technical Research and Development Institute
began developing the program three years ago in conjunction with
Fujitsu, since when it had been tested on a closed network.
What they’ve ended up with sounds like the
first of a type of multipurpose program many experts suspect other
countries are also developing, namely one capable of quickly
identifying the chain of servers and computers being used in
different types of cyberattack scenario. These would include DDoS
attacks, those in which a large number of computers are used to
attack a company’s or country’s computing infrastructure, but also
subtler attacks designed to steal data. In either case the program
is described as being able to disable an attacking resource, which
is probably where the trouble starts from a Japanese legal
standpoint. The country has strict laws on producing programs that
could be construed as malware let alone wielding them in a cyberwar
context that inevitably blurs the distinction between defence and
attack.
Source:
http://news.techworld.com/security/3327548/japan-testing-virus-cyberdefence-weapon-reports-say/
Hackers plan space satellites to combat censorship
Computer hackers plan to take the internet
beyond the reach of censors by putting their own communication
satellites into orbit. The scheme was outlined at the Chaos
Communication Congress in Berlin. The project's organisers said the
Hackerspace Global Grid will also involve developing a grid of
ground stations to track and communicate with the satellites.
Longer term they hope to help put an amateur astronaut on the
moon.
Hobbyists have already put a few small
satellites into orbit - usually only for brief periods of time -
but tracking the devices has proved difficult for low-budget
projects. The hacker activist Nick Farr first put out calls for
people to contribute to the project in August. He said that the
increasing threat of internet censorship had motivated the project.
"The first goal is an un-censorable internet in space. Let's take
the internet out of the control of terrestrial entities," Mr Farr
said. He cited the proposed Stop Online Piracy Act (Sopa) in the
United States as an example of the kind of threat facing online
freedom. If passed, the act would allow for some sites to be
blocked on copyright grounds.
Whereas past space missions have almost all
been the preserve of national agencies and large companies, amateur
enthusiasts have in recent years sent a few payloads into orbit.
These devices have mostly been sent up using balloons and are
tricky to pinpoint precisely from the ground. According to Armin
Bauer, a 26-year-old enthusiast from Stuttgart who is working on
the Hackerspace Global Grid, this is largely due to lack of
funding. "Professionals can track satellites from ground stations,
but usually they don't have to because, if you pay a large sum [to
send the satellite up on a rocket], they put it in an exact place,"
Mr Bauer said.
In the long run, a wider hacker aerospace
project aims to put an amateur astronaut onto the moon within the
next 23 years. "It is very ambitious so we said let's try something
smaller first," Mr Bauer added.
More on this story at:
http://www.bbc.co.uk/news/technology-16367042
Facebook hands out White Hat debit cards to hackers
A few companies pay money to bug hunters. But
Facebook is giving out something more unique than just a check.
Some security researchers are getting a customized "White Hat Bug
Bounty Program" Visa debit card. The researchers, who can make
thousands of dollars for reporting just one security hole on the
social-networking site, can use the card to make purchases, just
like a credit card, or create a PIN and take money out of an ATM.
As the researchers find more bugs, Facebook can add more money to
the account.
Facebook wanted to do something special for
the people who are helping the company shore up its software and
keep hackers and malware out. "Researchers who find bugs and
security improvements are rare, and we value them and have to find
ways to reward them," Ryan McGeehan, manager of Facebook's security
response team, told CNET in a recent interview. "Having this
exclusive black card is another way to recognize them. They can
show up at a conference and show this card and say 'I did special
work for Facebook.'" Besides holding cash value, the White Hat card
may proffer other advantages. "We might make it a pass to get into
a party," for instance, McGeehan said. "We're trying to be
creative."
Facebook launched its bug bounty program in
July, following in the steps of Mozilla and Google. The minimum a
researcher can make for reporting a bug that is eventually
confirmed is $500, and there is no maximum. Researchers have to
follow Facebook's Responsible Disclosure Policy and not go public
with the vulnerability information until the hole has been
fixed.
The most Facebook has paid out for one bug
report is $5,000, and it has done that several times, according to
McGeehan. Payments have been made to 81 researchers, he said.
Recently, "someone came to us with a bounty-worthy ticket and they
said they didn't want the bounty," he said. Instead, the researcher
wanted the money--$2,500--to go to a charity and for Facebook to
match it. Facebook agreed, McGeehan said.
Brian Krebs, who first wrote about the White
Hat Visa, reports that recipients have included Szymon Gruszecki of
Poland and Neal Poole, a junior at Brown University who will be an
intern at Facebook next summer. And Charlie Miller, a researcher at
Accuvant better known for finding holes in iOS 5 and Safari than
Facebook, also has received a White Hat card. "Facebook whitehat
card not as prestigious as the SVC card, but very cool ;) Fun way
to implement no more free bugs," he tweeted.
Facebook has plans to leverage the knowledge
and skills of the researchers beyond just providing the bug bounty
incentive. "Whenever possible we're going to try to load-in White
Hat researchers into products early--as soon as (they are) in
production," McGeehan said. Thus Facebook "will get an early
warning on anything they find."
Source:
http://news.cnet.com/8301-1009_3-57350464-83/facebook-hands-out-white-hat-debit-cards-to-hackers/
Chinese Web security questioned after data leak
The personal information of more than 6
million Internet users on CSDN, or China Software Developer
Network, the country's largest programmers' website, was leaked by
hackers, raising concerns about web security and triggering
widespread panic. The leak was first exposed by China's leading
anti-virus software provider, Beijing-based Qihoo 360, on
Wednesday. The company said the leak included user IDs, passwords
and e-mail addresses in clear text.
The hacking case escalated on Thursday after
the personal details of subscribers to more websites, including
popular online gaming and social networking sites, were leaked.
Online media reports said the personal data of up to 50 million
Internet users has been leaked so far, but the number could not be
independently verified.
In response, the National Computer Network
Emergency Response Technical Team/Coordination Centre of China
(CNCERT/CC) issued a statement Thursday, saying the CSDN's user
data bank that leaked on the Internet was created before April 2009
and the passwords were stored in clear text, but the passwords had
been encrypted after the data bank was upgraded in April 2009.
"Therefore, similar security problems have not been found in the
newest user data bank," the statement said.
Technical experts are investigating how many
websites and users were actually involved in the hacking case, said
Zhou Yonglin, director of the CNCERT/CC Operating Department.
"False information and exaggerations cannot be ruled out," he
said.
Nevertheless, CNCERT/CC has ordered CSDN to
take immediate action in repairing the system hazards and providing
users with timely security solutions.
More on this story can be found at:
http://www.chinadaily.com.cn/china/2011-12/24/content_14320027.htm
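Both the Stratfor leak (unsalted MD5 hashes of passwords) and the CSDN leak (passwords stored in clear text before the April 2009 upgrade) come down to how credentials were stored. The following Python is an added example and is not code from either site: it shows why an unsalted MD5 table lets identical passwords be linked across accounts, and how a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, an assumed choice) avoids that and verifies a login with a constant-time comparison. The user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed credentials for the demonstration; alice and carol share a password.
USERS = {"alice": "winter2011", "bob": "s3cret!", "carol": "winter2011"}


def md5_unsalted(password):
    """How the leaked Stratfor table stored passwords: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumed choice).

    Salt and iteration count are stored beside the digest so each can be
    raised later without losing the ability to verify old records.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, password):
    """Recompute with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def linkable_accounts(table):
    """Groups of users whose stored value is identical. With clear text or an
    unsalted hash these users provably share a password; with a per-user salt
    the stored values differ even when the passwords do not."""
    groups = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def build_tables(users=USERS):
    """Return the same credentials stored both ways, for comparison."""
    md5_table = {u: md5_unsalted(p) for u, p in users.items()}
    salted_table = {u: make_record(p) for u, p in users.items()}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = build_tables()
    print("linkable in MD5 table:   ", linkable_accounts(md5_table))
    print("linkable in salted table:", linkable_accounts({u: r["hash"] for u, r in salted_table.items()}))
    print("bob logs in:", verify_password(salted_table["bob"], "s3cret!"))
```

The linkability test is the practical difference a leak exposes: in the unsalted table every reused password is visible as a duplicate row before anyone attempts to recover it, and one precomputed table covers all 860,000 users at once; with a per-user salt each record has to be attacked on its own and the iteration count sets the cost of every guess.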
Lax security exposes voice mail to hacking, study says
Thirty-one mobile carriers 'proven' to be
open to surveillance and customer ID theft. It may be tempting to
view the illegal interception of telephone voice mail, a practice
that has caused anger in Britain after a scandal involving the
media empire of Rupert Murdoch, as an arcane tool of scofflaw
journalists with friends in Scotland Yard.
But according to a study to be presented this
week, mobile phone users in Europe and elsewhere may be just as
vulnerable as the actor Hugh Grant and other celebrities to having
their personal voice mail hacked — or worse — because of outdated
mobile network security. In a study of 31 mobile operators in
Europe, Morocco and Thailand, Karsten Nohl, a Berlin hacker and
mobile security specialist, found that many operators provided poor
or weak protection from illicit surveillance and identity theft. He
said he had tested each mobile operator more than 100 times and
ranked the quality of their defences. He plans to present his
results in Berlin Tuesday at a convention of the hackers' group the
Chaos Computer Club, where he will open the project to researchers
in other countries.
While his research focused mostly on Europe,
Nohl, a German who has a doctorate in computer science from the
University of Virginia in the US, said the level of security
provided by network operators in the United States was on a par
with that provided by European operators, meaning there was room
for improvement. In Asia, the Middle East and Latin America, mobile
security varies widely and can be much lower. Operators in India
and China, Nohl said, encrypt digital traffic poorly or not at all,
either to contain operating costs or to allow government censors
unfettered access to communications.
In 2009 Nohl, who runs Security Research Labs
in Berlin, published the algorithms used to encrypt voice and data
conversations on GSM digital networks, used in Europe and
elsewhere.
In an interview, Nohl said that, to avoid illegally intercepting
anyone else's data and communications, he had conducted his latest
research by intercepting the phone transmissions of a colleague
during field tests. In random tests, he said, he ended
interceptions one or two seconds after they began.
The technique he used focused on deciphering
the predictable, standard electronic ''conversations'' that take
place between a mobile phone and a mobile network at the start of
each call. Typically, Nohl said, as many as 40 packets of coded
information are sent back and forth, many just simple commands
like, ''I have a call for you,'' or ''Wait.'' Most operators vary
little from this set-up procedure, which he said allowed him to use
hacking software to make high-speed, educated guesses to decipher
the complex algorithmic keys networks use to encrypt
transmissions.
Once he derived this key, he said, he could
intercept voice and data conversations by impersonating another
user to listen to the user's voice-mail messages or make calls or
send text messages on the user's mobile accounts.
Nohl said operators could easily eliminate
this vulnerability in the GSM system, which is found in older 2G
networks used by almost every cellphone, including smartphones,
with a simple software patch. His research found that only two
operators, T-Mobile in Germany and Swisscom in Switzerland, used
this enhanced security measure, which involves adding a random
digit to the end of each set-up command to thwart decoding. For
example, ''I have a call for you 4.''
''This is a major vulnerability in most
networks we tested, and the irony is that it costs very little, if
nothing, to repair,'' he said.
More on this story can be found at:
http://www.smh.com.au/it-pro/security-it/lax-security-exposes-voice-mail-to-hacking-study-says-20111227-1pavx.html
Iran spy drone GPS hijack boasts: Rubbish, say experts
Doubts that Iran managed to bring down an
advanced US drone over the country last month using an advanced GPS
spoofing attack have been raised by experts, who say that attacks
of this type would be extremely tough to pull off.
Iran announced on 4 December that it had
captured an advanced American remotely piloted spy drone, thought
to be an RQ-170 Sentinel, and proudly broadcast images of the
captured kit on state TV. The images depicted a drone that was
intact and showed little or no signs of damage.
The Islamic Republic initially claimed that
its air forces shot the drone down after it encroached on the
country’s airspace near the Afghan border. Iran later claimed it
was taken down by a sophisticated cyber-attack. Days later an
Iranian engineer said that this attack involved swamping the
drone's GPS receivers with a rogue signal that tricked it into
landing on autopilot in Iran instead of a US Air Force base.
The unnamed Iranian boffin told the Christian
Science Monitor that Iran developed the attack after
reverse-engineering previously captured or shot down US drones, and
by taking advantage of inherent weaknesses in the GPS navigation
system.
The US said the drone was lost on a mission
in Western Afghanistan before conceding it was carrying out a
covert spy operation over Iran. The US has asked for the return of
the drone via Swiss authorities.
RQ-170 Sentinel drones, nicknamed the Beast
of Kandahar, are advanced unmanned aerial vehicles (UAVs) with
stealth capabilities, developed by Lockheed Martin and operated by
the US Air Force, sometimes on behalf of the CIA. The stealth
capabilities should have prevented the Iranians from spotting the
UAV on radar. However, the Iranians might have intensified GPS
jamming around uranium enrichment sites to ward off drones, so it
is plausible that the downed RQ-170 Sentinel came under a GPS
nobbling attack. Publicly available material collated by
specialist sites, such as The Aviationist, suggests US drones might
be vulnerable to this sort of attack, among others.
However, such GPS spoofing attacks are really
tough to pull off, and analysts are wary of swallowing Iran's spy
drone hacking claims. The Iranian authorities would need to know
the location of the drone to within a matter of metres and hit it
with a GPS signal stronger than the satellites' transmissions.
Neither of these signals is encrypted, so the stronger signal would
win out, but the hijacker must gradually introduce errors to guide
the craft down towards the chosen landing point, all the time
maintaining a signal lock, a non-trivial effort as established by
US academics during experimentation.
Source:
http://www.theregister.co.uk/2011/12/21/spy_drone_hijack_gps_spoofing_implausible
And Finally... Apple’s Siri gets sweary with British child
The mother of a 10-year-old boy in Coventry
has been expressing her shock after a demonstration model of
Apple’s iPhone 4S swore at her son. Kim Le Quesne told the Coventry
Telegraph that her son Charlie was out shopping with his father in
a local branch of Tesco, saw the handset in a display and asked the
Siri personal assistant software how many people there were in the
world. The phone replied by telling the lad that it wasn’t sure
what he was saying, and telling him to “Shut the f*** up, you ugly
t***.”
“It’s verbal abuse,” Mrs Le Quesne said. “We
can’t believe the filth it came out with. He showed my husband what
the phone had said to him and my husband found the store manager
and said ‘it shouldn’t be saying that’.”
Tesco promised the device would be sent off
to Apple for diagnostics, but it seems likely that some merry
prankster had changed the username on the device to the offending
seven words, so that the phone would default to the phrase no
matter what the question. Apple is unavailable for comment over the
holiday period. Mrs Le Quesne told the paper her son went back to
the store the next day and saw the same phone was still on the
display case. The paper doesn’t note if the poor lad felt abused,
or instead tried it again and dissolved into fits of giggles.
More on this story can be found at:
http://www.coventrytelegraph.net/news/coventry-news/2011/12/30/iphone-swore-at-10-year-old-boy-in-coventry-supermarket-92746-30035186/
Source:
http://www.theregister.co.uk/2011/12/30/apple_siri_swearing_tesco/