Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 4 – 26 January 2012
ThreatCon 1:
Normal
No significant new threats have been
identified to raise the threat posture.
TOP OF THE NEWS
EU proposes 'right to be forgotten' by internet
firms
A new law promising internet users
the "right to be forgotten" will be proposed by the European
Commission on Wednesday [25th]. It says people will be able to ask
for data about them to be deleted and firms will have to comply
unless there are "legitimate" grounds to retain it.
The move is part of a wide-ranging
overhaul of the commission's 1995 Data Protection Directive. Some
tech firms have expressed concern about the reach of the new bill.
Details of the revised law were unveiled by the Justice
Commissioner, Viviane Reding, at the Digital Life Design (DLD)
conference in Munich.
A spokesman for the commissioner
clarified that the action was designed to help teenagers and young
adults manage their online reputations. "These rules are
particularly aimed at young people as they are not always as aware
as they could be about the consequence of putting photos and other
information on social network websites, or about the various
privacy settings available," said Matthew Newman. He noted that
this could cause problems later if the users had no way of deleting
embarrassing material when applying for jobs. However, he stressed
that it would not give them the right to ask for material such as
their police or medical records to be deleted. Although the
existing directive already covers the principle of "data
minimisation", Mr Newman said that the new law would reinforce the
idea by declaring it "a right".
Other measures in the bill include
an obligation on all firms to notify users and the authorities
about data lost through hacking attacks or other breaches "as soon
as possible". Ms Reding said that she would expect that under
normal circumstances this would mean within 24 hours. The
commissioner said that firms would have to explicitly seek people's
permission to use data about them and could not proceed on the
basis of "assumed" consent in situations where approval was
required.
More on this story at: http://www.bbc.co.uk/news/technology-16677370
O2 caught sending mobile phone numbers to websites
UK network O2 has found itself at the
centre of an embarrassing data privacy storm after it emerged that
it allows websites to see the mobile numbers of all subscribers
that browse the Internet using its 3G data service.
The controversy was set off by a
single O2 user, Lewis Peckover, who noticed that his mobile number
was being sent, in plain text, to every website he visited as part
of the HTTP request headers. Extraordinarily, the numbers appear to
be inserted by O2's own servers when users connect to the Internet
through its 3G service; anyone using a WiFi connection is not
affected because their traffic does not traverse that infrastructure.
Given the potential for websites to
capture numbers for text spamming, annoyed users have bombarded
O2’s Twitter feed with complaints to which the network found itself
responding with a stock tweet to every user who raised the issue.
“Hi there, we're looking into this as we speak - it's important to
us. Once we've got an update, we'll share it,” tweeted O2.
It turns out that the issue is not
new. Graham Cluley of Sophos points out that it was first made
public in March 2010 at the CanSecWest conference in Vancouver by
researcher Collin Mulliner. The proxying by O2 is not particularly
surprising; indeed, all mobile networks probably do it to optimise
web traffic crossing their hard-pressed 3G networks. The question is
why O2 thought it important to insert a sensitive piece of
information such as a mobile phone number into data sent to
websites. It may simply have been inserted automatically, without
any intention of giving websites the ability to see phone numbers.
O2 later released a statement
confirming the forwarding issue had occurred due to a routine
maintenance error between 10 and 25 January 2012 which it said it
had now rectified. "We investigated, identified and fixed it this
afternoon. We would like to apologise for the concern we have
caused," O2 said.
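The practical lesson for anyone running a web service is that request headers can carry identifiers the user never intended to send, and they are routinely copied into access logs and analytics. The following Python script is an added example written for this newsletter, not code from O2, Peckover or any of the sources cited; it parses a raw HTTP request, flags header values that look like an E.164 subscriber number, and returns a scrubbed copy that is safe to log. The sample requests are constructed, and the header name x-up-calling-line-id is an assumption: the article does not say which header O2 populated, so the scanner checks every header rather than a fixed name.

```python
import re
from typing import Dict, List, Tuple

# Looks for E.164-style subscriber numbers (10-15 digits, optional leading '+')
# standing alone inside a header value. The look-arounds stop the pattern
# matching a run of digits embedded in a longer token such as an ETag.
MSISDN_RE = re.compile(r"(?<![\w+])\+?\d{10,15}(?!\w)")

# Headers whose values legitimately carry long digit strings; skipped to
# avoid false positives (assumption: tune this list for your own traffic).
NUMERIC_HEADERS = frozenset({"content-length", "etag", "if-none-match",
                             "x-request-id", "if-modified-since"})

# Constructed sample traffic, not a capture from the incident. The header
# name x-up-calling-line-id is an assumption: the article does not name the
# header O2 used; this is the conventional WAP-gateway header for the
# calling number. 447700900123 is a reserved (fictional) UK number.
TAINTED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Accept: text/html\r\n"
    b"X-Forwarded-For: 10.0.0.5\r\n"
    b"x-up-calling-line-id: 447700900123\r\n"
    b"\r\n"
)
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"If-None-Match: \"1234567890123\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into a {lower-name: value} dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_subscriber_identifiers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, value) pairs that look like an injected phone number."""
    hits: List[Tuple[str, str]] = []
    for name, value in headers.items():
        if name in NUMERIC_HEADERS:
            continue
        for match in MSISDN_RE.finditer(value):
            hits.append((name, match.group(0)))
    return hits


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers with every flagged header removed, safe to log."""
    flagged = {name for name, _ in find_subscriber_identifiers(headers)}
    return {k: v for k, v in headers.items() if k not in flagged}


if __name__ == "__main__":
    parsed = parse_request_headers(TAINTED_REQUEST)
    for header, number in find_subscriber_identifiers(parsed):
        print(f"subscriber identifier leaked in {header}: {number}")
    print("logged headers:", scrub_headers(parsed))
```

Run it against real traffic by feeding parse_request_headers the raw request bytes from your server, or pass an existing header dict straight to find_subscriber_identifiers. The skip list of numeric headers is a starting point only; review a sample of your own traffic before relying on it, since a carrier could just as easily place the number in a header you have not seen.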
Source:
http://news.techworld.com/security/3332617/o2-caught-sending-mobile-phone-numbers-websites
News International email deletion: Judge Orders Forensic IT
search
Rupert Murdoch's News International
wilfully deleted emails that could have shown its journalists'
participation in phone and computer hacking, according to a High
Court judge who yesterday ordered a forensic search of the
company's computers. The comments hold clear lessons for companies
on the importance of email retention. Data and law experts have told
Computerworld UK that any company that deliberately deletes email
or destroys computers in the face of legal proceedings is likely to
struggle in court.
On a day that High Court judge Mr
Justice Vos turned up the heat on the newspaper group, News
International agreed payouts to 37 people, including Sara Payne,
the mother of murdered schoolgirl Sarah; as well as actor Jude Law
and former deputy prime minister Lord Prescott. But the company
said that the aggravated damages payouts do not indicate an
admission of guilt. News International also agreed compensation
after admitting hacking into the email account of Christopher
Shipman, son of mass murderer Dr Harold Shipman. The company has
previously told the government's culture committee in carefully worded
language that "technological corruptions" of its database "resulted
in some data being lost", and allegedly told victims' lawyers that
it ditched some computers as part of an office move in 2010.
Legal experts have said that email
deletion is perfectly legal, but that it could raise troubling
questions during a time of legal investigations. "Emails are
treated like any other document and there is no law around how long
they should be kept," said Danvers Baillieu, a senior associate at
law firm Pinsent Masons, as the allegations grew last year. But he
added : "If a company senses the faintest whiff [of criminal or
civil proceedings], then they have to keep the documents. Otherwise
the deletion of such emails could weigh against them in the eyes of
a judge or jury." Anthony Nagle, an Of Counsel lawyer at Morrison
& Foerster, agreed: "If a [court] issue has arisen and you're
shown to have deleted your data, you'll be asked why you did
so."
Yesterday in the High Court, the
judge, visibly angry, said News International had taken "a rather
startling approach" to email management and data deletion, adding
that there were important questions around whether it had "actively
tried to get off scot-free" by destroying "a very substantial
number of emails and computers of journalists".
More on this story can be found at:
http://www.computerworlduk.com/news/it-business/3331552
Symantec pulls pcAnywhere, man-in-the-middle attacks are
possible
Symantec has issued an advisory
warning users that its pcAnywhere remote screen-sharing software is
vulnerable to man-in-the-middle attacks, and urging them to disable
it until a security update is rolled out. The company said
pcAnywhere users are at increased risk because of the theft of
source code from its servers in 2006. The same breach also exposed
the source code of early versions of Norton Antivirus Corporate
Edition, Norton Internet Security and SystemWorks.
The 2006-era software poses no risk to
current Norton customers, but the security giant said its
pcAnywhere users can be targeted by attackers. The pcAnywhere
remote access software is used by some enterprises for help desk
support and issue resolution. Companies can use the software in
conjunction with the pcAnywhere Access Server for multiple
connections and to avoid issues with company firewalls or NAT
devices. “Our current analysis shows all pcAnywhere 12.0, 12.1 and
12.5 customers are at increased risk, as well as customers using
prior versions of the product,” Symantec said in its advisory.
Companies may have pcAnywhere deployed
because it is bundled with numerous Symantec products, according to
the advisory. “The full standalone product is bundled in a
number of Altiris-based solutions. A remote access component of
pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a
number of Symantec backup and security products,” Symantec
said.
Symantec issued a patch on Monday
addressing three vulnerabilities in pcAnywhere running on Windows.
Additional patches are planned this week for pcAnywhere versions
12.0, 12.1 and 12.5. The company said additional patches will be
issued until a new version of pcAnywhere is released.
In a white paper entitled, “Symantec
pcAnywhere Security Recommendations”, Symantec said the encoding
and encryption elements within pcAnywhere are vulnerable. “It is
possible that successful man-in-the-middle attacks may occur
depending on the configuration and use of the product,” Symantec
said. “If a man-in-the-middle attack should occur, the malicious
user could steal session data or credentials.” A Symantec
spokesperson said the company is unaware of any ongoing
attacks.
It is also possible that an attacker
could obtain the cryptographic key and launch unauthorized remote
control sessions, gaining access to other systems using Active
Directory credentials, Symantec said. Environments that use
pcAnywhere only internally are also at risk, Symantec said, although
there the attack would have to be carried out by a malicious
insider. Symantec advises users to block the ports assigned to
pcAnywhere and to use secure VPN tunnels for remote access.
Source:
http://searchsecurity.techtarget.com/news/2240114367/Symantec-pulls-pcAnywhere-man-in-the-middle-attacks-are-possible
Koobface Botnet Goes Silent As
Its Creators are Named
After Facebook released their
identities, the five hackers behind the Koobface worm have
apparently taken down their “Mothership” server and have started
deleting their social networking accounts. All five people are
Russians. Shortly after the suspects were named, the Koobface
network went silent. The suspects have been identified as
Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav
Polinchuk, and Stanislav Avdeiko.
Written by: D Gray VCSL
Anonymous takes down government, recording industry
websites in retaliation for bust
Anonymous says it is in the process
of staging its "largest attack ever": more than 5,000 loosely
associated hackers taking down websites belonging to government and
recording industry organizations in response to [last] Thursday's
shutdown of the file-sharing site Megaupload.com. The Department of
Justice unsealed an indictment against Megaupload.com on Thursday,
arresting its founder, Kim Dotcom, formerly known as Kim Schmitz,
in New Zealand and charging him and at least five other company
executives with criminal copyright infringement.
In response, the hacker collective
known as Anonymous announced a collaborative attack against
government and recording industry websites, successfully taking
down the site of the Department of Justice -- which coordinated the
case against Megaupload -- and the Recording Industry Association
of America. As of 4 p.m. Pacific time, Justice.gov and RIAA.org
were failing to load, along with other stated targets such as
UniversalMusic.com.
Anonymous said on a Twitter account
it has used regularly -- @YourAnonNews -- that the assault is "The
Largest Attack Ever by Anonymous -- 5,635 People Confirmed Using
#LOIC to Bring Down Sites!" In other messages, the group said it
was aiming to take down more sites throughout the night.
Members of Anonymous posted a
statement to file-hosting site Pastebin.com late Thursday
afternoon, according to the Twitter feed. The statement makes
reference to the Megaupload arrests and indictment, and reiterates
the members' earlier statement that they were "launching our
largest attack ever on government and music industry sites." The
statement provides a list of the sites targeted by the effort:
justice.gov, universalmusic.com, riaa.org, mpaa.org, copyright.gov,
hadopi.fr, wmg.com, usdoj.gov, bmi.com and fbi.gov. Many of the
sites named in the statement were still managing to load at times
late Thursday afternoon, though in a slow fashion and with mixed
results as to the content, including the home pages of the FBI, the
Motion Picture Association of America and music publishing company
BMI.
In a statement, the Department of
Justice acknowledged that its website faced service problems and
said it was approaching the issue as if it was the result of an
intentional disruption.
More on this story at: http://www.mercurynews.com/nation-world/ci_19777444
Anonymous strikes again.
Fresh off the last few days' Web
attacks, staged as cyber-retribution for the demise of file-sharing
site Megaupload at the hands of the FBI, members of the "hacktivist"
group have taken to Twitter to claim responsibility for an attack
on CBS.com this morning.
And by CBS.com, we mean all of
CBS.com. The attackers did not simply force the site offline with a
distributed denial-of-service (DDoS) barrage from the group's "Low
Orbit Ion Cannon" tool, which has since been turned into a Web-based
attack vector that unsuspecting users can unknowingly join. It was
first assumed that Anonymous had somehow acquired root access to
CBS.com, as the site's files and directories appeared to have been
wiped. Further investigation, however, suggests that the attackers
used DNS poisoning to redirect visitors to web servers other than
those hosting CBS's site. "Anonymous did not take down #CBS .com ;
the IP for their web host changed from 92.122.127.27 to
198.99.118.36 & 37; looks like poisoned DNS," wrote Twitter user
@jeremiahfelt.
Users attempting to access the main
CBS index page were instead shown a directory structure containing
just one file – foundry.html. Any attempts to access any of
CBS.com's sub-sites, like bookmarked pages for its litany of
television shows, for example, were met with 404 Not Found
errors.
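Whether CBS's records were poisoned or simply changed is something a monitor can only flag, not settle; confirming it means checking the answer at the zone's authoritative servers and at the registrar. The following Python check is an added example for this newsletter, not code from the article, the tweet's author or CBS: it asks several resolvers for a name, compares each answer with a known-good baseline, and reports both drift from the baseline and disagreement between resolvers, which is the shape of a poisoned cache rather than a planned migration. The sample run uses the two addresses quoted in the tweet as the before and after values; the resolver labels and canned answers are constructed so that it runs offline, and system_resolver is provided for live use.

```python
import socket
from typing import Callable, Dict, List, Set

# A resolver is anything that maps a hostname to the set of IPv4 addresses it
# answers with. Live lookups use the system resolver below; the sample run
# uses canned answers so the check works offline.
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Ask the host's configured resolver for A records (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)}


def check_dns_drift(name: str, baseline: Set[str],
                    resolvers: Dict[str, Resolver]) -> Dict[str, object]:
    """Compare each resolver's answer with a known-good baseline.

    'drifted' lists resolvers that returned an address outside the baseline
    (or nothing at all); 'disagree' is set when resolvers contradict each
    other, which points at a poisoned cache rather than a planned move.
    """
    answers: Dict[str, List[str]] = {}
    drifted: List[str] = []
    for label, resolve in resolvers.items():
        try:
            got = set(resolve(name))
        except OSError:                 # resolver unreachable: treat as no answer
            got = set()
        answers[label] = sorted(got)
        if not got or not got <= baseline:
            drifted.append(label)
    distinct = {frozenset(a) for a in answers.values()}
    return {"name": name, "baseline": sorted(baseline), "answers": answers,
            "drifted": drifted, "disagree": len(distinct) > 1}


# Constructed sample run using the two addresses quoted in the tweet as the
# 'before' and 'after' host IPs; the resolver labels are made up.
BASELINE = {"92.122.127.27"}
SAMPLE_RESOLVERS: Dict[str, Resolver] = {
    "office-resolver": lambda _name: {"92.122.127.27"},
    "isp-resolver": lambda _name: {"198.99.118.36", "198.99.118.37"},
}

if __name__ == "__main__":
    report = check_dns_drift("www.cbs.com", BASELINE, SAMPLE_RESOLVERS)
    for label in report["drifted"]:
        print(f"{label} answered {report['answers'][label]} for "
              f"{report['name']}, expected {report['baseline']}")
    if report["disagree"]:
        print("resolvers disagree: query the authoritative servers before "
              "concluding the cache was poisoned")
```

For a live check, replace the sample resolvers with system_resolver and, where you can, a lookup against each of the zone's authoritative name servers; if the authoritative answer matches the baseline and only a recursive resolver differs, the cache is the problem, whereas if the authoritative answer has changed, so has the zone itself.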
More on this story at:
http://www.pcmag.com/article2/0,2817,2399185,00.asp
THE REST OF THE WEEK’S NEWS
McAfee tackles 'spam hijack' flaw in anti-malware
code
A leading anti-virus software firm says a
flaw in one of its programs has exposed its customers' computers to
the risk of being hijacked by spammers. McAfee said it planned to
release a patch for its SaaS for Total Protection service by the
end of Thursday [26th]. The software is marketed as a "peace of
mind" solution offering "complete email and web protection". McAfee
said there had been at least one related attack, but stressed that
users' data had not been put at risk.
The problem was exposed on British art firm
Kaamar Limited's blog earlier this week. Keith and Annabel Morrigan
posted a warning to other owners of the product after receiving a
message alerting them to the fact that their server had been
sending out spam emails. They said that further research had
revealed their computer had sent the equivalent of 10 months' worth
of normal email traffic in a single day.
After linking the botnet attack to a problem
with their anti-malware software's "Rumor Service" they said that
they had alerted McAfee to the problem on 5 January. The owners of
the Staffordshire-based business noted that their email address had
been flagged up as a threat as a consequence of the attack, meaning
that even their legitimate messages were now being blocked from
delivery. "As an ultimate insult, even McAfee, whose software is at
the root of our problems, now rate our email IP as 'High Risk': we
can't email them as they have blacklisted us!" they wrote.
McAfee's director of security research, David
Marcus, confirmed the problem with the firm's software on the
firm's blog on Wednesday. He acknowledged "a misuse of our 'rumor'
technology to allow an attacker to use an affected machine as an
'open relay', which could be used to send spam". "The... issue has
been used to allow spammers to bounce off of affected machines,
resulting in an increase of outgoing email from them. Although this
issue can allow the relaying of spam, it does not give access to
the data of an affected machine. "The forthcoming patch will close
this relay capability."
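An open relay is easy to confirm from the outside because SMTP tells you before any message is sent: a server that answers 250 to a RCPT TO for a domain it does not host, from a sender it does not host, will relay. The following Python probe is an added example for this newsletter, not McAfee's code or anything from the Kaamar post; it walks the dialogue up to RCPT TO and stops before DATA, so no mail is ever delivered. The SMTP transcripts are constructed (the host name mail.example.test and the probe addresses are placeholders), and a real TCP transport is included for checking hosts you are responsible for.

```python
import socket
from typing import Dict, List, Tuple


class ScriptedServer:
    """Offline stand-in for an SMTP server (constructed for this example):
    hands back canned replies in order and records what the probe sent."""

    def __init__(self, replies: List[str]) -> None:
        self.replies, self.sent = list(replies), []

    def readline(self) -> str:
        return self.replies.pop(0) if self.replies else ""

    def sendline(self, line: str) -> None:
        self.sent.append(line)


class SocketTransport:
    """Real TCP transport, for probing hosts you are responsible for."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def readline(self) -> str:
        return self.reader.readline()

    def sendline(self, line: str) -> None:
        self.sock.sendall(line.encode("latin-1"))


def read_reply(transport) -> Tuple[int, str]:
    """Read one SMTP reply, consuming '250-' continuation lines."""
    lines: List[str] = []
    while True:
        line = transport.readline()
        if not line:                           # connection closed mid-reply
            return 0, "".join(lines)
        lines.append(line)
        if len(line) < 4 or line[3] != "-":    # '250 ' ends a multi-line reply
            return int(lines[-1][:3]), "".join(lines)


def relay_test(transport, helo: str = "probe.example.net",
               sender: str = "probe@example.net",
               rcpt: str = "probe@example.org") -> Dict[str, object]:
    """Drive the dialogue up to RCPT TO and stop before DATA, so a relaying
    server accepts the envelope but no message is ever sent."""
    result: Dict[str, object] = {"open_relay": False, "rcpt_code": None, "failed_at": None}
    code, _ = read_reply(transport)
    if code != 220:
        result["failed_at"] = "banner"
        return result
    transport.sendline(f"EHLO {helo}\r\n")
    code, _ = read_reply(transport)
    if code != 250:                            # fall back to plain HELO
        transport.sendline(f"HELO {helo}\r\n")
        code, _ = read_reply(transport)
    if code != 250:
        result["failed_at"] = "helo"
        return result
    transport.sendline(f"MAIL FROM:<{sender}>\r\n")
    code, _ = read_reply(transport)
    if code != 250:
        result["failed_at"] = "mail_from"
        return result
    # Sender and recipient are both outside the server's own domains, so a
    # 250 here means the server is willing to relay for anyone.
    transport.sendline(f"RCPT TO:<{rcpt}>\r\n")
    code, _ = read_reply(transport)
    result["rcpt_code"] = code
    result["open_relay"] = code in (250, 251)
    transport.sendline("RSET\r\n")             # discard the envelope
    read_reply(transport)
    transport.sendline("QUIT\r\n")
    read_reply(transport)
    return result


# Constructed transcripts: a server relaying for anyone, and a properly
# configured one that rejects the foreign recipient.
OPEN_RELAY_REPLIES = [
    "220 mail.example.test ESMTP\r\n", "250-mail.example.test\r\n",
    "250 SIZE 10240000\r\n", "250 2.1.0 Ok\r\n", "250 2.1.5 Ok\r\n",
    "250 2.0.0 Ok\r\n", "221 2.0.0 Bye\r\n",
]
CLOSED_RELAY_REPLIES = [
    "220 mail.example.test ESMTP\r\n", "250-mail.example.test\r\n",
    "250 SIZE 10240000\r\n", "250 2.1.0 Ok\r\n",
    "554 5.7.1 <probe@example.org>: Relay access denied\r\n",
    "250 2.0.0 Ok\r\n", "221 2.0.0 Bye\r\n",
]

if __name__ == "__main__":
    for label, replies in (("open", OPEN_RELAY_REPLIES), ("closed", CLOSED_RELAY_REPLIES)):
        print(label, relay_test(ScriptedServer(replies)))
```

A 250 at RCPT TO is strong evidence but not proof, since a few servers accept every recipient and bounce later; treat it as a finding to confirm by inspecting the mail queue on the host. Run the probe only against systems you own or have permission to test.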
More on this story at: http://www.bbc.co.uk/news/technology-16627713
Do you need a cyberumbrella?
If your company were hit with a cyberattack
today, would it be able to foot the bill? The entire bill,
including costs from regulatory fines, potential lawsuits, damage
to your organization's brand, and hardware and software repair,
recovery and protection? It's a question worth careful
consideration, given that the price of cyberattacks is rising at an
alarming rate. The second annual Cost of Cyber Crime study,
released last August by the Ponemon Institute, reported that the
median annualized cost of cybercrime for a company is $5.9 million
-- a 56% increase from the 2010 median figure. A growing number of
insurance companies are offering policies that provide protection
in the event of data breaches and other malicious hacks. But
they're having some difficulty making many sales -- in part because
the cost of premiums can be staggering.
Lawyers and information security leaders say
many executives mistakenly believe that standard corporate
insurance policies or general liability policies cover losses
related to hacking, or that their cyberpolicies, if they have them,
will cover all costs related to a breach. Most of the time, they
won't. A February 2011 paper by Forrester Research analyst Khalid
Kark indicates that many companies are still trying to understand
the basics of these policies, which are offered by such carriers as
ACE USA, Chubb, The Hartford and St. Paul Travelers Cos. The most
common questions revolve around what types of policies are out
there, what they cover, how to select the right policy and whether
such insurance is even needed.
IT leaders are particularly likely to get
confused, because tech execs have not traditionally made decisions
about corporate insurance. Likewise, the risk management and legal
teams that typically do make insurance decisions have not
customarily sought out their IT counterparts for advice. Yet, IT's
input is crucial when it comes to deciding whether to purchase
cyberinsurance and determining what coverage to buy, security
experts say.
"The IT people and the risk people
desperately need to get together to talk about risk in terms of
information technology and the likelihood and outcomes of a
breach," says Don Fergus, an IT risk consultant and 2012 chairman
of the IT Security Council for the security professionals
organization ASIS International.
More on this story at:
http://www.computerworld.com.au/article/413142/do_need_cyberumbrella
Feds Shutter Megaupload, Arrest
Executives
Megaupload, the popular file-sharing site,
was shuttered Thursday and its executives indicted by the Justice
Department in what the authorities said was “among the largest
criminal copyright cases ever brought by the United States.” Seven
individuals connected to the Hong Kong-based site were indicted on
a variety of charges, including criminal copyright infringement and
conspiracy to commit money laundering. Four of the members of what
the authorities called a five-year “racketeering conspiracy” were
arrested Thursday in Auckland, New Zealand, the authorities
said.
One of those arrested was Kim Schmitz, aka
Kim Dotcom, Megaupload’s founder. His attorney, Ira Rothken of
California, said neither he nor his 37-year-old client, who resides
in Hong Kong and New Zealand, was given the opportunity to
surrender. Dotcom was arrested without notice, he said. “We’re
looking into what’s going on,” Rothken said in a telephone
interview.
Visitors to the Megaupload site, which gets
about 50 million hits daily and claims 4 percent of all internet
traffic, were greeted with a message from the Justice Department.
”This domain name associated with the website Megaupload.com has
been seized pursuant to an order issued by a U.S. District
Court.”
Swizz Beatz, Megaupload’s chief executive,
was not implicated in the indictment but is embroiled in a legal
spat with Universal Music over a Megaupload promotional video.
The government said the site facilitated
copyright infringement of movies “often before their theatrical
release, music, television programs, electronic books, and business
and entertainment software on a massive scale.” The government said
Megaupload’s “estimated harm” to copyright holders was “well in
excess of $500 million.”
Unsealed Thursday, the five-count indictment
from the Eastern District of Virginia came as the Justice
Department said it seized 18 domains in all connected to
Megaupload. The agency said it executed more than 20 search
warrants in the United States and eight countries, seizing $50
million in assets.
Megaupload, which charges some of its 150
million registered members for its file-sharing service, was on the
recording and movie industries' most-hated lists, often accused of
facilitating wanton infringement of their members' copyrights. The
indictment claims it induced users to upload copyrighted works for
others to download, and that it often failed to comply with removal
notices from rights holders under the Digital Millennium Copyright
Act. But the site routinely removed uploaded child pornography,
according to the indictment.
The money laundering charges are connected to
allegations Megaupload paid users for uploading infringing content
under an “uploader rewards” program.
More on this story at:
http://www.wired.com/threatlevel/2012/01/megaupload-indicted-shuttered
ACS: Law solicitor Andrew Crossley suspended by
SRA
Andrew Crossley, the controversial solicitor
who sent thousands of letters to alleged illegal file-sharers, has
been suspended from the profession for two years. At a disciplinary
tribunal he was also ordered to pay costs of £76,326.55.
The tribunal heard how Mr Crossley used his law
firm ACS: Law to demand money in recompense for alleged copyright
infringements. The scheme unravelled when several cases went to
court. The Solicitors' Regulation Authority (SRA), which brought
the case against Mr Crossley, welcomed the decision to uphold the
allegations against Mr Crossley. "Some of those affected were
vulnerable members of the public and this matter has caused them
significant distress," said an SRA spokesman. "We hope that it
serves as a warning to others. Solicitors have a trusted position
in society and therefore have a duty to act with integrity,
independence and in the best interests of their clients," he added.
It has taken two-and-a-half years for the case to come before the
Solicitors' Disciplinary Tribunal.
The allegations included "acting in a way
that was likely to diminish the trust the public places in him or
in the legal profession" and "using his position as a solicitor to
take unfair advantage of the recipients of the letters for his own
benefit". In mitigation, Mr Crossley said that he had already
suffered as a result of the work he had undertaken and was now
bankrupt. He said he was in danger of having his house repossessed
and that his 15-year relationship had broken down because of the
case.
Mr Crossley began the so-called speculative
invoicing scheme in May 2009. In total he sent about 20,000 letters
to people identified as having downloaded content, often
pornography, without paying for it. He claimed he was acting on
behalf of MediaCAT, which in turn represented the copyright owners.
The letters threatened court action unless the recipient paid a
one-off fee of about £500. Consumer group Which? was one of the
first to highlight the cases of people who claimed that they had
been wrongly accused and had been upset by the threatening nature
of the letters.
When a handful of cases came to court, the
scheme came in for widespread derision, angering the presiding
judge, Judge Birss, who turned the spotlight on Mr Crossley,
accusing him of abusing the court process. The lawyer for the
defendants likened the case to Charles Dickens' Bleak House.
In a further twist, the ACS: Law website was
hacked and huge amounts of sensitive data were exposed during
attempts to get it up and running again. Mr Crossley was fined by
the Information Commissioner's Office for the data breach. James
Bench, founder of campaign group Being Threatened?, set up to
represent those who received letters from ACS: Law, said he was
pleased by the findings of the disciplinary hearing. "The judgement
will provide some satisfaction to those innocent members of the
public that Mr Crossley relentlessly bullied in the operation of
this scheme," he said. "It was clear to all that Mr Crossley's
speculative invoicing scheme lacked any legal merit," he added. But
he said that he was disappointed that the case had taken nearly
three years to reach a conclusion.
It was revealed during the hearing that the
SRA had asked Mr Crossley to stop the scheme within days of him
setting it up, but he had refused.
Source: http://www.bbc.co.uk/news/technology-16616803
Man Arrested and Charged in Federal Reserve Bank of New
York Source Code Theft
A computer programmer has been charged with
stealing source code worth $9.5m from the Federal Reserve Bank of
New York, according to the FBI and prosecutors. Bo Zhang, a
32-year-old from Queens in New York, was cuffed on suspicion of
swiping the Government-wide Accounting and Reporting (GWA)
software, used to help keep track of the US government's
finances.
"Among other things, the GWA handles ledger
accounting for each appropriation, fund, and receipt within the
Department of the Treasury, and provides federal agencies with an
account statement - similar to bank statements provided to bank
customers - of the agencies’ account balances with the United
States Treasury," the US attorney's office for the Southern
District of New York said in an official statement.
Zhang was hired as a contractor to work on
the code where it's held in an access-controlled electronic
repository in New York. During last summer he allegedly stole the
GWA code, which has so far cost the US $9.5m to develop. "According
to the complaint, Zhang admitted that in July 2011, while working
at the Fed, he checked out and copied the GWA code onto his hard
drive at the Fed; he subsequently copied the GWA code onto a
Fed-owned external hard drive; and he connected that external
hard-drive to his private office computer, his home computer, and
his laptop," the US attorney's office added. "Zhang stated that he
used the GWA Code in connection with a private business he ran
training individuals in computer programming."
Despite Zhang's rather innocuous purported
use for the code, he was arrested by the FBI on Wednesday morning
and now faces up to ten years in prison and fines of up to
$250,000. "Zhang took advantage of the access that came with his
trusted position to steal highly sensitive proprietary software.
His intentions with regard to that software are immaterial.
Stealing it and copying it threatened the security of vitally
important source code," FBI assistant director-in-charge Janice K
Fedarcyk said.
A New York Fed spokesperson told Reuters and
others that the bank had investigated the breach as soon as it was
uncovered and promptly referred the case to the authorities. "The
New York Fed has further strengthened its already considerable
protections as a result of this incident," the spokesman said.
Source:
http://www.theregister.co.uk/2012/01/19/feds_arrest_programmer_for_software_theft
Computer Hackers Hijack US Trains - TSA Memo
Hackers were able to break into a
northwest U.S. rail company's network and take control of passenger
trains in December, the Transportation Security Administration
disclosed. According to a report by TechEye, the TSA, which is
responsible for protecting all US transportation systems, found
that a train on an unnamed stretch of railway "was slowed for a
short while" and rail schedules were then delayed by 15 minutes.
The following day a "second event occurred" before rush hour, but
it is not believed that this second intrusion affected schedules,
the TSA confirmed.
The TSA report said that investigators became
suspicious that the incident was an intentional act rather than a
computer glitch, and then acted on the assumption that the
hackers could present a broader danger to the US transport system.
TechEye reports that two IP addresses were found that are believed
to be connected to the attacks, but the TSA has not said where the
IPs are located, although they are believed to be outside the US.
A government memo, obtained by NextGov, read:
"the conclusion that rail was affect [sic] by a cyberattack is very
serious." The Homeland Security Department, which oversees the TSA,
is not sure whether the railway infiltration was a targeted attack,
but the event has posed enough of a threat to prompt the TSA to
begin educating train companies on the dangers of computer
intrusions.
NextGov continues: "Investigators discovered
two Internet access locations, or IP addresses, for the intruders
on Dec. 1 and a third on Dec. 2, the document noted, but it does
not say in which country they were located."
Source:
http://www.ibtimes.com/articles/286628/20120124/computer-hackers-hijack-trains-tsa-memo.htm
Romanian who hacked NASA spared cooler stint
A Romanian hacker who admitted breaking into
NASA's network has avoided jail, receiving a three-year suspended
prison sentence instead. Robert Butyka, 26, from Cluj-Napoca,
Romania, still faces a civil lawsuit over disputed damages of
$500,000 against the space agency's computer systems in a case due
to be heard in March. Butyka, who was arrested by Romanian
cyber-cops back in November, admitted hacking into NASA's network
in December 2010 at a hearing earlier this month prior to a
sentencing hearing this week where he was put on probation for
seven years.
Source:
http://www.theregister.co.uk/2012/01/23/romanian_nasa_hacker_jailed
Patient Data Theft Sends IT Specialist To Jail
Eric McNeal, a 38-year-old information
technology specialist from Atlanta, Ga., has been sentenced for
hacking into the patient database of a former employer, stealing
patient information, and then deleting the information from the
system. For his crime, McNeal was sentenced on Jan. 10 to serve 13
months in prison with three years of supervision after his release.
McNeal also was ordered to perform 120 hours of community
service.
"The circumstances of this case and resulting
patient data breach is very common," and can happen in any size of
practice, Rick Kam, president and co-founder of ID Experts told
InformationWeek Healthcare. According to court documents, McNeal,
who pleaded guilty to the charge on Sept. 28, worked as an
information technology specialist for APA, a perinatal medical
practice in Atlanta. He left APA in November 2009, and subsequently
joined a competing perinatal medical practice, which was located in
the same building as APA.
In April 2010, McNeal used his home computer
to hack into APA's patient database; download the names, telephone
numbers, and addresses of APA's patients; and then delete all the
patient information from APA's system. McNeal used the patient
names and contact information he stole to launch a direct-mail
marketing campaign for his new employer. There is no evidence that
McNeal downloaded or misused specific patient medical
information.
Christine Marciano, president of Cyber Data
Risk Managers, said medical facilities looking at this case should
ask themselves how they can realistically protect against similar
hacking attempts. "Having an exit strategy in place when an
employee leaves or is terminated should be strictly enforced,"
Marciano told InformationWeek Healthcare. "The exit strategy needs
to include cutting off the employee's access to all of the
facility's databases in order to prevent unauthorized access."
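Marciano's point about revoking access at departure, as an added example that is not from the article or from any organisation it names: a reconciliation script that compares database accounts with an HR roster and flags accounts that should have been disabled, including one that has been used after its owner left. The roster, the account list and their field layout are constructed for illustration; the PostgreSQL revocation syntax is an assumption about the target database.

```python
from datetime import date

# Constructed HR roster: employee id -> (name, date they left, or None if current)
HR_ROSTER = {
    "e1001": ("A. Clinician", None),
    "e1002": ("B. Admin", date(2009, 11, 30)),   # left, account never revoked
    "e1003": ("C. Billing", date(2010, 1, 15)),  # left, account correctly disabled
}

# Constructed database account list: login -> (employee id or None, enabled?, last login)
DB_ACCOUNTS = {
    "aclinician": ("e1001", True, date(2010, 4, 20)),
    "badmin":     ("e1002", True, date(2010, 4, 2)),
    "cbilling":   ("e1003", False, date(2010, 1, 14)),
    "svc_backup": (None, True, date(2010, 4, 21)),  # service account with no named owner
}


def find_stale_accounts(roster, accounts, as_of):
    """Return a list of (login, reason) findings.

    Flags: enabled accounts whose owner has left; any account with a login
    after its owner's departure date (evidence of use, not just exposure);
    and enabled accounts with no owner in the roster, which nobody will
    think to revoke when a person leaves.
    """
    findings = []
    for login, (emp_id, enabled, last_login) in accounts.items():
        if emp_id is None or emp_id not in roster:
            if enabled:
                findings.append((login, "orphan: no owner in HR roster"))
            continue
        _name, left_on = roster[emp_id]
        if left_on is None:
            continue  # current employee, nothing to do
        if enabled:
            days = (as_of - left_on).days
            findings.append((login, f"still enabled {days} days after owner left on {left_on}"))
        if last_login is not None and last_login > left_on:
            findings.append((login, f"used on {last_login}, after owner left on {left_on}"))
    return findings


def accounts_to_disable(findings):
    """Distinct logins from the findings, sorted, for the revocation ticket."""
    return sorted({login for login, _reason in findings})


def revocation_sql(logins):
    """PostgreSQL statements to lock the accounts. The syntax is an assumption
    about the target database and must be adapted to the one actually in use."""
    return [f'ALTER ROLE "{login}" NOLOGIN;' for login in logins]


if __name__ == "__main__":
    found = find_stale_accounts(HR_ROSTER, DB_ACCOUNTS, date(2010, 4, 22))
    for login, reason in found:
        print(f"{login}: {reason}")
    for stmt in revocation_sql(accounts_to_disable(found)):
        print(stmt)
```

Run against the constructed data, the script reports `badmin` twice (still enabled, and used months after the owner left) and `svc_backup` as an orphan, while the correctly disabled `cbilling` account produces nothing. The last-login check matters: an enabled leaver account is an exposure, a leaver account with logins after the departure date is an incident.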
Richard Santalesa, senior counsel at
InfoLawGroup, said that because McNeal pleaded guilty his sentence was
reduced, and noted that McNeal could have received a five-year
federal prison sentence for his crimes. "Anyone who gives their
personal information to a doctor or medical facility does not
expect that their information will be hacked and used to make
money," U.S. Attorney Sally Quillian Yates said in a statement.
"The cost of medical care is already high enough without patients
having to pay a heavier cost with the loss of their privacy."
Source:
http://www.informationweek.com/news/healthcare/security-privacy/232400459
Israeli-Arab Hacking Continues
Israeli hackers downed the website
administered by the Central Bank of the United Arab Emirates on
Thursday as the financial institution hosted European Central Bank
chief Mario Draghi. The attack was apparently conducted by a group
calling itself "IDF Team," which also claimed responsibility for
knocking the Arab Bank offline on Thursday.
UAE Central Bank officials downplayed the
incident, emphasizing that talks with the European delegation
remained the top priority of the day. "We have been busy here,"
Sultan bin Nasser al-Suwaidi, governor of the UAE Central Bank told
the Financial Times. "There are IT technicians who will take care
of it."
Meanwhile, a second Israeli hacker group
known as "Nuclear" posted details of 4,800 credit cards extracted
from various accounts held in Saudi Arabia on Wednesday evening.
Information included card numbers, passwords, security codes, code
types and expiration dates. The Saudi credit card data was leaked
online just one day after Israeli hackers downed the websites of
both the Saudi Stock Exchange (Tadawul) and the Abu Dhabi
Securities Exchange (ADX). However, Saudi officials denied that
Tadawul experienced downtime, stating that "sophisticated security
protection" had been enforced.
The "IDF Team" operation against Tadawul and
ADX was reportedly conducted in retaliation for the hacking of two
prominent Israeli sites on Monday: the Tel Aviv Stock Exchange
(TASE) and El Al (Israel Airlines).
It should be noted that various forms of
cyber warfare have been waged by civilians in the Middle East for a
number of years - and can be traced back to the early days of IRC
(Internet Relay Chat) when rival parties battled each other with
channel takeovers, scripts, automated bots and flooding
attacks.
Source:
http://www.tgdaily.com/security-features/60896-hackers-hit-uae-central-bank-website
New stealthy botnet Trojan holds Facebook users
hostage
A new strain of cybercrime Trojan is
targeting Facebook users by taking over their machines and shaking
them down for cash. Carberp, like its predecessors ZeuS and SpyEye,
infects machines by tricking punters into opening PDFs and Excel
documents loaded with malicious code, or attacks computers in
drive-by downloads. The hidden malware is designed to steal account
information, and harvest credentials for email and
social-networking sites.
A new configuration of the Carberp Trojan
targets Facebook users to ultimately steal e-cash vouchers.
Previous malware attacks on Facebook have been designed purely to
slurp login info, so this latest skirmish, spotted by transaction
security firm Trusteer, can be considered something of an
escalation. The Carberp variant replaces any Facebook page the user
navigates to with a fake page notifying the victim that their
Facebook account is temporarily locked. Effectively holding
Facebook users hostage, the page asks the mark for their first
name, last name, email, date of birth, password and a Ukash 20 euro
($25) voucher number to verify their identity and unlock the
account.
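The inject described above works because the fake page is served inside a genuine, logged-in session, so the usual URL and certificate checks pass. One client-side signal that survives that is the form itself: a login page that suddenly asks for a date of birth or a voucher number has deviated from its known shape. The following is an added example, not Trusteer's or Facebook's code, that compares the input fields of a page against a constructed baseline and flags the kind of "account locked, verify your identity" lure the Carberp configuration presents; both HTML samples are constructed and are not Facebook's real markup or Carberp's real inject.

```python
from html.parser import HTMLParser

# Constructed baseline: input names the genuine login form is known to carry.
EXPECTED_FIELDS = {"email", "pass"}

# Field-name fragments that have no business on a login page; a "verify
# your identity" form asking for any of these is a strong inject signal.
SUSPICIOUS_FIELDS = {"voucher", "ukash", "pin", "dob", "birth", "cvv", "ssn"}


class FormFieldCollector(HTMLParser):
    """Collects the names of visible <input> elements and the page text."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        # Hidden inputs (CSRF tokens and the like) vary legitimately; skip them.
        if (a.get("type") or "text").lower() == "hidden":
            return
        if a.get("name"):
            self.fields.add(a["name"].lower())

    def handle_data(self, data):
        self.text.append(data)


def analyse_page(html):
    """Return which fields deviate from the baseline and a verdict."""
    p = FormFieldCollector()
    p.feed(html)
    unexpected = p.fields - EXPECTED_FIELDS
    suspicious = {f for f in unexpected if any(k in f for k in SUSPICIOUS_FIELDS)}
    text = " ".join(p.text).lower()
    lockout_lure = "temporarily locked" in text or "verify your identity" in text
    verdict = "inject suspected" if suspicious or (unexpected and lockout_lure) else "clean"
    return {
        "unexpected": unexpected,
        "suspicious": suspicious,
        "lockout_lure": lockout_lure,
        "verdict": verdict,
    }


# Constructed sample of a genuine login form (not real Facebook markup).
GENUINE = (
    '<form action="/login"><input name="email">'
    '<input type="password" name="pass">'
    '<input type="submit" value="Log In"></form>'
)

# Constructed sample of an injected "account locked" form (not real Carberp output).
INJECTED = (
    "<div>Your account is temporarily locked. Verify your identity to unlock it.</div>"
    '<form action="/verify"><input name="first_name"><input name="last_name">'
    '<input name="email"><input name="dob"><input type="password" name="pass">'
    '<input name="ukash_voucher"></form>'
)

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE), ("injected", INJECTED)):
        print(label, analyse_page(page))
```

On the constructed samples the genuine form is reported clean and the injected one is flagged on both counts: the extra `dob` and `ukash_voucher` fields and the lockout wording. A baseline of this kind has to be kept current with legitimate changes to the site, which is why commercial products compare what the browser rendered against what the server actually sent rather than against a static list; the static comparison is enough to show the principle.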
Trusteer warns the cash voucher attack is in
some ways worse than credit card fraud, because with e-cash it is
the account-holder, not the financial institution, who assumes the
liability for fraudulent transactions. Trusteer said it does not
have any concrete data on how many people might have been hit by
this particular attack. But it warns social networking users,
particularly those with e-cash accounts, to be wary of this
particular scam and potential follow-up frauds along the same
lines, which might easily trap the unwary.
Amit Klein, CTO at Trusteer, commented: "The
fraud technique is quite effective. Keep in mind that the user gets
an authentic-looking message in the context of a genuine,
deliberate log-in to Facebook. We do know that this is exactly
where users are most susceptible to divulging personal information
and following additional instructions, as their trust in the
content is maximal."
The use of anti-debugging and rootkit
techniques makes the Carberp Trojan difficult to detect, warns security
consultancy Context Information Security. Context said: "Carberp is
also part of a botnet that can take full control over infected
hosts, while its complicated infection mechanisms and extensive
functionality make it a prime candidate for more targeted attacks."
Context adds that Carberp, which creates a backdoor on infected
machines, can be controlled from a central administrator control
panel, allowing botnet herders to more easily mine stolen data.
Trusteer said it had reported the attack to
Facebook, and shared malware samples before going live with its
blog post, a day after Facebook boasted it had been free of the Koobface
worm for more than nine months. "I don't think that this incident
contradicts their 'virus free' statement, since Carberp only
infects the victim PCs without any modification of the victim's
profile in Facebook or any other alteration of the Facebook site,"
Trusteer's CTO told El Reg. "And to the best of our knowledge,
Carberp does not propagate through Facebook."
Source:
http://www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook
And finally...
Passwords are like underwear. You shouldn’t leave them out
where people can see them. You should change them regularly. And
you shouldn’t loan them out to strangers.