Threat Weekly – A Situational Awareness Report from our Technical Security Team
Volume 2, Issue 5 – 2 February 2012
ThreatCon 2: Heightened
Drive-by exploitation seen in the wild against newly released vulnerability MS12-004.
TOP OF THE NEWS
Israel tops cyber-readiness poll but China lags behind
Israel, Finland and Sweden are seen
as leading the way in "cyber-readiness", according to a major new
security report. The McAfee-backed cyberdefence survey deemed
China, Brazil and Mexico as being among the least able to defend
themselves against emerging attacks. The rank is based on leading
experts' perception of a nation's defences. The report concluded
that greater sharing of information globally is necessary to keep
ahead of threats. It also suggests giving more power to law
enforcement to fight cross-border crime.
The UK, with a grading of four out
of five, ranks favourably in the survey - along with the USA,
Germany, Spain and France. The rankings are based on the perceived
quality of a country's cyber-readiness - the ability to cope with a
range of threats and attacks. "The subjectiveness of the report is
its biggest strength," explained Raj Samani, McAfee's chief
technology officer. "What it does is give the perception of
cyber-readiness by those individuals who kind of understand and
work in cyber security on a day-in, day-out basis." A good score
depends on having basic measures like adequate firewalls and
antivirus protection, and more complex matters including
well-informed governance and education.
Sweden, Finland and Israel all
impressed the report's experts - despite the fact that the latter
receives reportedly over 1,000 cyber-attacks every minute. Isaac
Ben-Israel, senior security advisor to Israel's prime minister
Benjamin Netanyahu, is quoted in the report as saying: "The
hacktivist group Anonymous carries out lots of attacks but they
don't cause much damage. The real threat is from states and major
crime organisations." He added that the country has set up a
cyber-taskforce responsible for assessing threats to key
infrastructure such as power production and water supplies.
At the other end of the security
scale, Mexico ranked as least prepared to cope with the cyber
threat - a situation which is blamed on the country's authorities
needing to overwhelmingly focus on the country's gang and drugs
problems. China is regarded by some Western observers as an
aggressor in cyberspace. But one expert, Peiran Wang, said the
country was itself vulnerable because it lacked a joined-up
strategy. Mexico's drug problems mean available resources are put
into real-world policing and not cybercrime. "The Ministry of
Public Security, the Ministry of Industry, the Ministry of State
Security and even the military are involved and they don't
communicate well," said Peiran Wang, a visiting scholar at
Brussels' Free University.
In the UK, the report praised a
£650m investment programme in cyber security. However, the Home
Office's plans were criticised by information security expert Peter
Sommer. "A great deal depends on co-operation from the private
sector, which controls about 80% of the critical national
infrastructure. "Over half of the new funding will go to the
'secret vote', the intelligence agencies, where value for money
will be difficult to investigate. I would have preferred more
emphasis on public education - helping potential victims help
themselves."
Among the report's conclusions is
the recommendation that greater efforts be made to improve
cross-border law enforcement. "Cybercriminals route their
connection through multiple different countries," said Mr Samani.
"If criminals are particularly clever, they go through countries
where they know there isn't any co-operation." "The bad guys share
information - we need to do the same as well."
Dr Joss Wright from the Oxford
Internet Institute welcomed the report's findings. However, he had
serious doubts over the feasibility of its suggestions. "They're
recommendations that people have been saying for maybe 10 years,"
he told the BBC. "I would love to see good information sharing -
but when you're talking about national security, there's a culture
of not sharing. "They’re not suddenly going to change 70, 100, 1000
years of military thinking."
Source: http://www.bbc.co.uk/news/technology-16787509
Technology firms create DMarc to fight phishing
A crackdown on "phishing" scams has been
announced by 15 of the top technology companies. Email providers
such as Google and Microsoft will work with companies like Paypal
and the Bank of America to improve authentication. Phishing attacks
typically involve scammers posing as familiar companies in an
attempt to trick users into sharing personal information. This
co-ordinated effort aims to make this more difficult.
The Domain-based Message Authentication,
Reporting and Conformance (DMarc) - as the coalition is known - has
released plans to produce a "feedback loop" between email receivers
and senders. The initiative is the first significant attempt to
bring together both email and service providers along with key
security organisations. DMarc said this industry-wide involvement -
which covers the receivers, senders and intermediaries of email use
- will mean email providers will for the first time be able to
reliably filter out unwanted emails, rather than use "complex and
imperfect measurements" to determine threats. It will mean an
agreed standard for authenticating legitimate emails arriving at
the inboxes of AOL, Gmail, Hotmail and Yahoo customers. It will
verify messages from Facebook, Paypal, American Greetings, Bank of
America, Fidelity and LinkedIn.
"Email phishing defrauds millions of people and
companies every year, resulting in a loss of consumer confidence in
email and the internet as a whole," explained Paypal's Brett
McDowell, chair of DMarc. "Industry co-operation - combined with
technology and consumer education - is crucial to fight phishing."
Email security firms Agari, Cloudmark, eCert, Return Path and
Trusted Domain Project complete the collaboration. More companies
will join the open standard as it is developed.
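The receiver-side check the article calls an "agreed standard for authenticating legitimate emails", as an added example that is not from the article or from the DMarc group: a small model of DMARC policy evaluation using RFC 7489 semantics (policy published in a TXT record at _dmarc.<domain>, an SPF or DKIM pass that is aligned with the visible From: domain, and the published disposition). The records, domains and message results are constructed samples; the aggregate-reporting "feedback loop" (rua) is not modelled.

```python
from dataclasses import dataclass

# Constructed sample records, as a receiver would find them in TXT lookups of
# _dmarc.<domain>. example.com rejects unaligned mail, quarantines mail from
# unprotected subdomains (sp=) and requires strict DKIM alignment (adkim=s).
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                   "rua=mailto:dmarc-reports@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("p", "none")       # requested policy for the domain itself
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Real receivers consult the Public Suffix List;
    this stand-in keeps the last two labels, which is right for the samples."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    """What the receiver already knows after its own SPF and DKIM checks."""
    from_domain: str   # RFC5322.From domain, the one the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the signature that verified, if any

def evaluate_dmarc(msg: AuthResults, records=SAMPLE_DMARC_RECORDS) -> tuple:
    """Return (dmarc_result, disposition): result is pass/fail/none (none =
    no policy published); disposition is none/quarantine/reject."""
    from_domain = msg.from_domain.lower()
    txt = records.get(from_domain)
    is_subdomain = False
    if txt is None:                        # fall back to the organizational domain
        txt = records.get(org_domain(from_domain))
        is_subdomain = txt is not None
    if txt is None:
        return ("none", "none")
    policy = parse_dmarc_record(txt)
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (msg.dkim_result == "pass"
               and aligned(msg.dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:                  # one aligned pass is enough
        return ("pass", "none")
    return ("fail", policy["sp"] if is_subdomain else policy["p"])

# Constructed phishing case: the spoofer controls attacker.example, so SPF and
# DKIM both pass for that domain, but neither identifier aligns with From.
PHISH = AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example")
# Constructed legitimate case: bulk mail bounced through the brand's own subdomain.
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "fail", "")

if __name__ == "__main__":
    print("phish:", evaluate_dmarc(PHISH))   # ('fail', 'reject')
    print("legit:", evaluate_dmarc(LEGIT))   # ('pass', 'none')
```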
Paypal spokesman Rob Skinner explained how the
initiative is intended to make things easier for the most
vulnerable part of the security chain - the human. "Half the
problem is, with the best will in the world and improving
technology, ultimately it's still down to the user to decide [to
open an email]," he told the BBC. "The key point is trying to block
emails from getting to someone's inbox - taking the worry and
concern out of people's minds and doing it for them." As one of the
internet's most ubiquitous payment companies, Paypal often finds
itself impersonated by scammers. "We've acknowledged it's been an
issue," Mr Skinner said. "We've had a stack of initiatives over the
years to cut down on it. Fraudsters target any company that is well
known, has a lot of customers, and operates across the globe.
"We recognise our responsibility to do something about it."
Source: http://www.bbc.co.uk/news/technology-16787503
I Spy Your Company’s Boardroom
It’s a good thing Rupert Murdoch’s News of the
World reporters are out of business, because they would have loved
the hacking opportunity recently uncovered by two security
professionals. HD Moore and Mike Tuchen of Rapid7 discovered that
they could remotely infiltrate conference rooms in some of the top
venture capital and law firms across the country, as well as
pharmaceutical and oil companies and even the boardroom of Goldman
Sachs — all by simply calling in to unsecured videoconferencing
systems that they found by doing a scan of the internet. “These are
literally some of the world’s most important boardrooms — this is
where their most critical meetings take place — and there could be
silent attendees in all of them,” Moore told the New York Times.
Moore found he was able to listen in on meetings, remotely steer a
camera around rooms as well as zoom in on items in a room to
discern paint flecks on a wall or read proprietary information on
documents.
Despite the fact that the most expensive systems
offer encryption, password protection and the ability to lock down
the movement of cameras, the researchers found that administrators
were setting them up outside firewalls and failing to configure
security features to keep out intruders. Some systems, for example,
were set up to automatically accept inbound calls so that users
didn’t need to press an “accept” button when a caller dialed into a
videoconference, opening the way for anyone to call in and
eavesdrop on a meeting. Using a program that Moore wrote, the
researchers found the conference rooms by scanning the Internet for
videoconference systems that were set up outside firewalls and
configured to automatically answer calls.
In less than two hours, they found systems
installed in 5,000 conference rooms around the country, including
an attorney-inmate meeting room at a prison, an operating room at a
university medical center, and a venture capital company where
prospects were pitching their companies while laying out their
financial details on a screen in the room. Companies sometimes set
up their systems outside firewalls so that other companies can
easily call into the videoconferencing system without having to set
up complex but safer configurations.
But as a result, Moore found not only that he
could easily hijack systems, but he could also access systems that
he otherwise couldn’t find through an internet scan. For example,
after gaining access to one law firm’s system, he was able to open
its address book and see dialing information for conference rooms
at other companies, even ones behind firewalls. That’s how he
found the Goldman Sachs boardroom. It’s unclear whether it’s
actually illegal under anti-hacking laws to call into an unsecured
conference line that doesn’t require a password, but Moore said he
refrained from calling the Goldman Sachs boardroom out of fear he
might be “crossing a line.”
Source: http://www.wired.com/threatlevel/2012/01/videoconferencing-hijacked/
Data leaks cost Midlothian a record £140k fine
Midlothian Council has been handed the largest
fine yet for five data protection breaches, including one where a
failure to keep its database updated meant sensitive documents were
sent to the wrong people. The council was fined a record £140,000
for mishandling sensitive child protection and care data on five
occasions in 2011, the Information Commissioner's Office (ICO) said
on Monday.
In one incident, a Midlothian Council employee
sent details of a child protection conference to an out-of-date
address held for the child's mother's partner, according to ICO
enforcement documents, as a result of the council not keeping the
database current. The conference minutes were read by the partner's
former partner, who may have discussed the information within the
local community, according to the ICO. "Checking and double
checking that information is being sent to the right recipient is a
simple measure and one that could prevent many of the data breaches
cases that come to the ICO," a spokeswoman for the privacy
authority told ZDNet UK.
Midlothian Council discovered the five data
breaches in June, plus three further instances now under
investigation by the ICO.
More on this story at: http://www.zdnet.co.uk/news/security-management/2012/01/30/data-leaks-cost-midlothian-a-record-140k-fine-40094935/?s_cid=168
THE REST OF THE WEEK’S NEWS
European Parliament Site Hit With DDoS Attack Over ACTA Anti-Piracy Treaty
The European Parliament's website fell under
a distributed denial-of-service attack (DDOS) on Thursday in what
the organization classified as retaliation for the shutdown of the
Megaupload file-sharing site and an anti-counterfeiting trade
agreement. The Parliament issued a statement saying it had
acted to reduce the impact of the attacks, but the site was still
down as of mid-afternoon Thursday.
Anonymous, a loose-knit group of hackers and
digital activists, has undertaken a series of DDOS attacks against
government websites and other organizations following last week's
international take-down of Megaupload, whose operators are wanted
by U.S. authorities for alleged copyright infringement related
offenses. Anonymous, which has sought to corral support from
Internet users, created Web-based tools that allow non-technical
people to participate in DDOS attacks, which bombard websites with
an excessive amount of traffic, causing them to be unreachable.
Targets in the last week have included
Universal Music, the U.S. Department of Justice and the Recording
Industry Association of America. The hacktivist group has also been
stirred to action by the Anti-Counterfeiting Trade Agreement
(ACTA), a treaty that establishes a framework for how countries
should deal with what are considered significant infringements of
intellectual property rights. The treaty is in the process of being
ratified by countries. Several European Union countries --
including Poland, which saw widespread protests over the treaty --
signed the treaty on Thursday in Japan. Eight other countries --
Australia, Canada, Japan, South Korea, Morocco, New Zealand,
Singapore, and the United States -- signed ACTA last October.
Source: http://www.networkworld.com/news/2012/012612-european-parliament-says-its-website-255359.html
Hackers pounce on just-patched Windows Media vulnerability
If you haven’t gotten around to patching that
Windows Media Player vulnerability fixed in the last Microsoft
Patch Tuesday batch, you might want to immediately fire up Windows
Update. Just a few weeks after Microsoft shipped MS12-004, a
“critical” bulletin with fixes for two serious flaws in the way
Windows Media handles certain media files, hackers have pounced and
are exploiting this issue to plant malware on unpatched
computers.
According to a warning from Trend Micro, the
in-the-wild attacks are being launched via web sites rigged with
booby-trapped Windows media files. Trend Micro said the infection
vector is a malicious HTML page that exploits the vulnerability
using two components that are also hosted on the same domain. The
two files are: a MIDI file and a JavaScript, the company said. The
end result is a malicious Trojan with rootkit capabilities.
The attack happens silently in the background and all the user sees
is a blank WMP application playing a file.
Researchers at IBM ISS are also reporting
increased chatter around the simplicity of exploiting this
particular vulnerability:
In addition to the appearance of live
exploitation, detailed discussion of the vulnerability details and
methods of exploitation have been seen. The relatively low
complexity of locating the vulnerability will doubtlessly lead to
more malware targeting it.
This particular threat doesn’t appear to be
widespread at the moment but it’s very likely that this bug could
be fitted into popular exploit kits so it’s important to apply this
patch as soon as possible.
Source: http://www.zdnet.com/blog/security/hackers-pounce-on-just-patched-windows-media-vulnerability/10213
Never Mind About Playstations or Zappos; Are You Ready for Your Car to Be Hacked?
The recent hacking of Zappos, on top of a
seemingly endless series of high-profile cyber-security breaches
and hacktivist attacks, demonstrates that cyberspace is an insecure
frontier, where consumers, corporations and even governments are
vulnerable to attack. Recent research, however, shows that
cyber-vulnerabilities extend far beyond online targets like banks,
commerce sites and social networks. Researchers at the University
of California, San Diego, and the University of Washington recently
demonstrated, for example, that it is possible to remotely hack
into cars—even as they are being driven.
The researchers took a “representative,
moderately priced sedan” and found numerous ways to remotely hack
into it. But they did not stop there. They imagined car
hacking that paralleled the evolution of computer hacking, which
began as individual attacks, then evolved to mass exploitation via
worms and viruses, and has now led to markets where hackers sell
access to compromised hosts. This led them to demonstrate three
truly scary scenarios under which car vulnerabilities might be
exploited on a large scale:
Theft — Instead of attacking a particular
car, enterprising hackers might compromise a large group of cars.
The hackers could monitor the location of the most valuable ones
(through VIN numbers and GPS coordinates) and sell unlocked cars
with running engines to other thieves. Imagine this sort of
customer inquiry to a hacker: “I’m looking for late-model BMWs or
Audis within a half mile of 4th and Broadway. Do you have anything
for me?”
Surveillance — Once compromised, a car’s
location and movements can easily be tracked. It is also possible
to eavesdrop on in-car conversations through in-cabin microphones
(normally reserved for hands-free calling). Imagine someone
wishing to eavesdrop on Google executives. He might filter a set of
compromised cars down to those that are both expensive and located
in the Google parking lot at 10 a.m. He could listen in on those
cars during the day, to see what he picked up. The hacker could
also track where those cars were at 2 a.m., which would likely be
the drivers’ residences. The attacker could use commercial records
to identify the owner of the home or the vehicle and learn the
addresses of Google’s senior executives.
Cyber War or Terrorism — Hackers might infect
large numbers of cars en masse via war dialing or a popular audio
file and then, later, trigger them to simultaneously disengage the
brakes when driving at high speed. Now there’s a horror-movie theme
for you.
The researchers found that cars could be
hacked in several ways: “We discovered that remote exploitation is
feasible via a broad range of attack vectors (including mechanics’
tools, CD players, Bluetooth and cellular radio), and further, that
wireless communications channels allow long-distance vehicle
control, location tracking, in-cabin audio exfiltration and theft.”
For example, the researchers compromised the car’s radio and
uploaded custom firmware via a doctored CD. They successfully
hacked technicians’ diagnostic devices, and thereby were able to
compromise cars subsequently connected to these devices. And
they were able to call the car’s cellular phone number and gain
remote control over the car’s telematics unit, which, among other
things, provided the car’s location and controlled a number of car
functions.
To be fair, the researchers do not believe
that consumers need to be alarmed (at the moment). They
write: “It requires significant sophistication to develop the
capabilities described in our papers and we are unaware of any
attackers who are even targeting automobiles at this time.” They
also credit the automotive industry and relevant governmental
agencies for quickly addressing the particular issues uncovered in
their research, and they say that “industry is now taking
automotive security more seriously.”
At the same time, however, the results need
to be a wake-up call—and not just for car companies. Companies at
the epicentre of our society’s virtualization—information
technology, online commerce and financial services companies—have
failed to staunch online security threats.
Now consider what could happen with medical
devices, smart electricity meters, alarm systems, smart
thermometers, and other control systems, which are all being
connected to the Internet and thus will face the same
vulnerabilities as cars do. Will the makers of these new connected
products do any better than Microsoft, Sony, Amazon, Zappos, eBay,
and the many other sophisticated information technology companies
that have been compromised?
Source: http://www.forbes.com/sites/chunkamui/2012/01/20/never-mind-about-playstations-or-zappos-are-you-ready-for-your-car-to-be-hacked/
Microsoft's Kelihos kingpin suspect: It wasn't me
The Russian man named by Microsoft as the
mastermind behind the Kelihos botnet has stepped forward to plead
his innocence. Microsoft filed suit in the US last week accusing
Andrey Sabelnikov, of St Petersburg, of writing the Kelihos botnet
agent and maintaining the network of zombie machines created using
the malware to send billions of spam messages. At its peak, the
Kelihos botnet included a legion of 41,000 infected machines
capable of spewing out 3.8 billion spam emails per day. The network
was effectively decapitated by a Microsoft-led takedown operation
targeting command & control nodes last September.
Sabelnikov, a former employee of Russian
security software firm Agnitum, stepped forward late last week to
insist he is "absolutely not guilty [and has] never been involved
in handling botnets or any other similar programs". Sabelnikov told
the BBC he was "surprised and shocked" at the accusation, adding:
"I will prove my innocence." Microsoft is standing by its
accusation that "Sabelnikov wrote the code for and either created,
or participated in creating, the Kelihos malware". In addition, the
software giant accuses the Russian of "using the malware to
control, operate, maintain and grow the Kelihos botnet". More
specifically the lawsuit alleges that Sabelnikov registered more
than 3,700 "cz.cc" subdomains from Czech firm dotFREE Group before
using these subdomains to operate and control the Kelihos
botnet.
Source: http://www.theregister.co.uk/2012/01/30/kelihos_suspect_denial/
DHS Says Computer Problems at Rail Company Were Not a Targeted Attack
Following on from last week’s story “Computer
Hackers Hijack US Trains - TSA Memo” more information has come to
light and yet again we are seeing a predictable cycle. Incidents
are reported without full examination of the facts leading to
overhype. When the root cause is identified more often than not
there is a less alarming explanation. In this case the US
Department of Homeland Security (DHS) said that further analysis
indicated that it was not a targeted attack, but appeared to be
more likely a random incident of malware infection. A spokesperson
for the American Association of Railroads (AAR) reiterated that
“there was no targeted computer-based attack on a railroad”.
Written by D Gray, Finmeccanica Cyber Solutions
Students busted for hacking computers, changing grades
Three high school juniors have been arrested
after they devised a sophisticated hacking scheme to up their
grades and make money selling quiz answers to their classmates. The
students are accused of breaking into the janitor’s office of
California's Palos Verdes High School and making a copy of the
master key, giving them access to all the classrooms. They then
attached keylogging hardware to the computers of four teachers, and
harvested the passwords needed to access the central files of the
school network. They then used that access to change their grades
slightly, nudging them up by increments so that all three got As.
At the time they were caught, keyloggers were found on three other
teachers’ systems, indicating the group was expanding its
efforts.
"They were pretty smart," Palos Verdes
Estates police Sgt. Steve Barber told the Daily Breeze. "They knew
exactly what to do with the computers. The scores wouldn't go up a
whole lot, but enough to change their grade. They didn't want to
make it real apparent something was going on." The three
didn’t just confine themselves to computer hacking. They're also
accused of using the master key to pilfer around 20 tests before
they were given – they then worked out the answers and sold them to
other students. This scam only came to light when another student
heard of the offer and snitched to the school principal. "They were
very bright kids," said Principal Nick Stephany. "They were in AP
and honors classes. Am I shocked? Yeah. Definitely by the extent of
it. None of these kids had any real trouble before."
Two students have been expelled over the
incident, and others are to be disciplined for receiving stolen
goods. The school has also upgraded its security and has advised
teachers to change their passwords.
Source: http://www.theregister.co.uk/2012/01/27/students_hack_teachers_computers/
And Finally… Brit pair deported from US for 'destroy America' tweet
A couple of Brits were unceremoniously
ejected from the US last week after one of them ill-advisedly
tweeted he was off to "destroy America". Leigh Van Bryan, 26, and
pal Emily Bunting, 24, jetted into Los Angeles last Monday ahead of
what they hoped would be a lively Stateside holiday. Their
shorter-than-expected trip certainly delivered, although the pair
weren't expecting to be arrested, internally probed and thrown in a
cell for 12 hours with hungry Mexican narcos.
The Department of Homeland Security had
already earmarked Van Bryan and Bunting for a warm welcome before
they even touched down at LAX. The agency had picked up on a couple
of Van Bryan's tweets, which suggested they intended to wipe out
the US and disinter Marilyn Monroe. The first, posted on 3 January,
said: "3 weeks today, we're totally in LA pissing people off on
Hollywood Blvd and diggin' Marilyn Monroe up!" The second, written
on 16 January, declared: "Free this week, for quick gossip/prep
before I go and destroy America."
Van Bryan and Bunting had their collars felt
after clearing passport control. They were first quizzed for five
hours, during which they failed to convince the authorities of the
innocent nature of the tweets. According to the Daily Mail, Bunting
said: "The officials told us we were not allowed in to the country
because of Leigh's tweet. They wanted to know what we were going to
do. They asked why we wanted to destroy America and we tried to
explain it meant to get trashed and party. "I almost burst out
laughing when they asked me if I was going to be Leigh's lookout
while he dug up Marilyn Monroe. I couldn't believe it because it
was a quote from the comedy Family Guy which is an American show."
She added: "It got even more ridiculous because the officials
searched our suitcases and said they were looking for spades and
shovels. They did a full body search on me too." Van Bryan
described the ordeal as "almost funny" but "really scary". He said:
"The Homeland Security agents were treating me like some kind of
terrorist. I kept saying to them they had got the wrong meaning
from my tweet but they just told me 'you've really fucked up with
that tweet boy'."
The two then spent the night in jail, where
the Mexican drug cartels put Van Bryan on involuntary hunger
strike. He explained: "When we arrived at the prison I was shoved
in a cell on my own but after an hour two huge Mexican men covered
in tattoos came in and started asking me who I was. "They told me
they'd been arrested for taking cocaine over the border. When the
food arrived on the tray they took it all and just left me with a
carton of apple juice."
Van Bryan and Bunting were deported back to
the UK the next day. Van Bryan's rap sheet, explaining why he was
refused entry, says: "Mr Bryan confirmed that he had posted on his
Tweeter [sic] website account that he was coming to the United
States to dig up the grave of Marilyn Monroe. Also on his tweeter
account Mr Bryan posted that he was coming to destroy America."
Source: http://www.theregister.co.uk/2012/01/30/tweet_deportation/