Threat Weekly – A Situational Awareness Report from our Technical Security Team
Volume 2, Issue 6 – 9 February 2012
ThreatCon 2: Normal
Both Microsoft and Adobe have released
important security patches this week. Computer devices are at
elevated risk until they are patched.
TOP OF THE NEWS
UK Cyber Security skills are 'wholly inadequate', says
former Security Minister
“[The UK cyber security skills base]
is wholly inadequate,” Neville-Jones said in a lecture at the
Global Strategy Forum in London yesterday [Tuesday 7th].
“[Education minister] Michael Gove
has rightly, in my opinion, just swept away the existing ICT
course. We need to revert to teaching programming [and to] create a
perception of a career in this area. We need to have British
graduates in our universities, not just Chinese.”
The private sector, academics and
professional organisations all have a role to play in constructing
the necessary education courses and raising the profile of cyber
security careers, Neville-Jones added. She believes that in
government, particularly, security is regarded more as a cost than
an enabler. “Part of the problem is that cyber security skills are
not recognised. Cyber security ought to be a module that everyone
takes at business school,” she said. But making cyber security an
issue that businesses should take seriously is also difficult,
Neville-Jones has admitted.
Private companies need to have a
statement on their cyber security strategy in their financial
reports, she said. However, despite the government’s efforts to get
cyber security onto the agenda of UK boardrooms, many still think
it is too technical. “The Financial Reporting Council and
professional organisations ought to give guidance and obligations
to their companies,” Neville-Jones said.
The private sector would also
benefit from sharing more information on cyber attacks and threats,
she said. “If they don’t do that, the likelihood of being tripped
up by the supply chain is just as [high]. The two-part attack – a
decoy and a real attack – is becoming more common.” “Do not think
that it is in the long-term interest of the industry to be coy with
each other,” Neville-Jones warned.
In November, the government
announced a pilot of a cyber security ‘hub’ that enables public and
private sectors to exchange information on cyber threats. This was
one of the key announcements of the UK’s Cyber Security Strategy. “A
joint public/private sector ‘hub’ will pool government and private
threat information and pass that out to ‘nodes’ in key business
sectors, helping them identify what needs to be done and providing
a framework for sharing best practice,” the government said in its
strategy.
Source:
http://www.computerworlduk.com/news/security/3335646/uk-cyber-security-skills-are-wholly-inadequate-says-former-security-minister/
FBI Investigating Leaked
Phone Call About Anonymous
Members of Anonymous have released an intercept
of a conference call between investigators at the FBI and Scotland
Yard during which operations against hacktivist group were
discussed. During the 17-minute call – which was released as an MP3
file and distributed on YouTube and elsewhere – investigators can
be heard discussing various Anonymous and LulzSec-related cases.
Information discussed in the call reportedly included details of
evidence against suspects (sometimes referred to by their hacker
handles), plans for legal action and court dates. The hacktivist
group also published what it said was an FBI email detailing the
addresses of invited call participants: 40 law enforcement
officials in the UK, US, France, Ireland, The Netherlands and
Sweden.
It is unconfirmed how the 17 January call was
intercepted but the "leaked email" includes the time, dial-in
number and access code, so it could be that members of the group
simply dialled into the number and recorded the call directly. The
FBI confirmed the leak, saying the information "was intended for
law enforcement officers only and was illegally obtained," AP
reports. The agency has reportedly launched an investigation into
the leak, the BBC adds.
Meanwhile, a Met spokesman said: “We are aware of
the video which relates to an FBI conference call involving a PCeU
[Police Central e-Crime Unit] representative. The matter is being
investigated by the FBI.
At this stage no operational risks to the MPS
have been identified; however we continue to carry out a full
assessment. We are not prepared to discuss (this) further.” The
interception of the conference call is a serious operational security
breach, especially because it affects an ongoing high-profile
investigation, and is a major coup for the rag-tag hacktivist
collective.
A Twitter account linked to Anonymous –
AnonymousIRC – boasted: “The #FBI might be curious how we're able to
continuously read their internal comms for some time now.
#OpInfiltration.”
Hints that hackers may have had an inside track
on police investigations into their activities came late last month
when "Anonymous Sabu" (leader of the LulzSec group) correctly
predicted the postponement of trial against Jake Davis, an alleged
member of LulzSec, F-Secure notes.
The cases against Jake Davis (allegedly
"Topiary", the public face of the Anonymous and LulzSec hacktivist
groups) and Ryan Cleary (who is alleged to have run a DDoS attack
on the Serious Organised Crime Agency's website) are discussed
during the conference call.
Source:
http://www.wired.com/threatlevel/2012/02/anonymous-scotland-yard/
DNSChanger Trojan Still Needs to be Cleaned from Fortune
500 and US Government Systems
More than two months after authorities shut down
a massive Internet traffic hijacking scheme, the malicious software
that powered the criminal network is still running on computers at
half of the Fortune 500 companies, and on PCs at nearly 50 percent
of all federal government agencies, new research shows.
The malware, known as the “DNSChanger Trojan,”
quietly alters the host computer’s Internet settings to hijack
search results and to block victims from visiting security sites
that might help scrub the infections. DNSChanger frequently was
bundled with other types of malware, meaning that systems infected
with the Trojan often also host other, more nefarious digital
parasites.
In early November, authorities in Estonia
arrested six men suspected of using the Trojan to control more than
four million computers in over 100 countries — including an
estimated 500,000 in the United States. Investigators timed the
arrests with a coordinated attack on the malware’s infrastructure.
The two-pronged attack was intended to prevent miscreants from
continuing to control the network of hacked PCs, and to give
Internet service providers an opportunity to alert customers with
infected machines.
But that cleanup process has been slow-going,
according to at least one security firm. Internet Identity, a
Tacoma, Wash. company that sells security services, found evidence
of at least one DNSChanger infection in computers at half of all
Fortune 500 firms, and 27 out of 55 major government entities.
More on this story at:
http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/
To check whether your computer's DNS settings have
been altered, visit: http://www.dns-ok.us/
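The check above is a web page; an administrator with many hosts to sweep will want the same test as a script run against each machine's resolver configuration. The following is an added example, not code from the newsletter or from the dns-ok.us service: it pulls the configured resolvers out of a resolv.conf file (Unix) or `ipconfig /all` output (Windows) and flags any that sit inside a list of rogue resolver networks. The ranges in ROGUE_RESOLVER_NETWORKS are constructed TEST-NET placeholders; the real ranges published by the authorities for this takedown are not reproduced on this page and would be substituted by the operator. The sample inputs are constructed too.

```python
import ipaddress
import re

# Constructed placeholder blocks (TEST-NET ranges). A real sweep would use the
# rogue-resolver ranges published by the authorities for this takedown, which
# are not reproduced on this page.
ROGUE_RESOLVER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample inputs: one Unix resolv.conf and one 'ipconfig /all' excerpt.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.77   # silently inserted by the trojan
"""

SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 10.0.0.25
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_resolv_conf(text):
    """Return the resolver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return the DNS server addresses from 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; any further servers are
    on the indented continuation lines that follow it.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            value = line.split(":", 1)[1].strip()
            if value:
                servers.append(value)
            continue
        if collecting:
            match = re.match(r"^\s+([0-9A-Fa-f.:%]+)\s*$", line)
            if match:
                servers.append(match.group(1))
            else:
                collecting = False           # reached the next setting
    return servers


def find_rogue_resolvers(servers, rogue_networks=ROGUE_RESOLVER_NETWORKS):
    """Return the configured resolvers that fall inside a rogue network."""
    hits = []
    for server in servers:
        address = server.split("%", 1)[0]    # strip an IPv6 zone index such as %1
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue                          # not an address, ignore
        if any(ip in net for net in rogue_networks):
            hits.append(server)
    return hits


if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        rogue = find_rogue_resolvers(servers)
        print(f"{name}: configured {servers}, rogue {rogue or 'none'}")
```

A host that reports a rogue resolver should be treated as carrying more than DNSChanger, since the article notes the trojan was usually bundled with other malware; the resolver fix alone is not a clean-up.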
Global Cybersecurity Is Possible But Unlikely For
Now
It’s a sobering experience to read the Security
and Defense Agenda’s (SDA) just-released report, Cybersecurity: The
Vexed Question of Global Rules. The report, sponsored by McAfee,
culls together interviews with 80 cyber-security experts in
government, business, international organizations, and academia
with a survey of 250 senior security practitioners, to get a handle
on the cybersecurity challenges nations face today and the measures
they must take to protect the Internet and its business,
government, and other users tomorrow. The report also rates the
cybersecurity preparedness of 21 countries, including the United
States. The U.S. comes out very well, though behind Israel, Sweden,
and Finland.
The conclusion is best summed up in this
sentence, “For the moment, the ‘bad guys’ have the upper hand …
because the lack of international agreements allows them to operate
swiftly and mostly with impunity.” And, the more you read the
report, the more you conclude that “for the moment” really means
for the foreseeable future.
Global cooperation and information sharing are
the keys to managing this threat, according to the report, yet the
parade of new technologies such as mobile devices and the cloud,
competing interests, and lack of agreement on what that cooperation
should look like are huge challenges that won’t be solved any time
soon.
More on this story at:
http://blogs.mcafee.com/enterprise/security-connected/global-cybersecurity-is-possible-but-unlikely-for-now
Symantec Issues Hotfixes for pcAnywhere
Symantec has said its pcAnywhere remote control
software is once again safe to use, following the release of its
latest security patch. The security giant made the highly unusual
move last week of advising customers to avoid using older but still
widely used versions of pcAnywhere as a precaution, after it
emerged that the product's source code was swiped by
Anonymous-affiliated hackers.
The "Lords of Dharmaraja" bragged that they had
obtained copies of Symantec's source code and threatened to
publicly disclose it in order to facilitate the hunt for unpatched
vulnerabilities. Source code for pcAnywhere was put up as the first
candidate for this bug hunt, hence the heightened security concern
over this product. After initially blaming the leak on a security
breach by an "unnamed third party", Symantec eventually admitted
the breach was the result of a previously undisclosed theft of
source code from its systems dating back to 2006. Older versions of
the source code of a range of enterprise and consumer security
products from Symantec were exposed.
At this point – a fortnight ago – Symantec
issued a statement warning that "customers of Symantec’s pcAnywhere
product may face a slightly increased security risk as a result of
this exposure if they do not follow general best practices."
Symantec released a patch for pcAnywhere
versions 12.0 and 12.1 on Friday 27 January – just days after
patching vulnerabilities in the latest (pcAnywhere 12.5) version of
the software on Monday 23 January. In the days in between, Symantec
advised users of older versions of its remote-control software to
suspend the use of the technology in their environments pending the
availability of a fix, which it has now delivered.
The initial version of Symantec's best practice
white paper reportedly advised customers to disable pcAnywhere,
unless it was required for business-critical purposes (surely the
last thing you'd want to do with it).
More on this story at:
http://www.theregister.co.uk/2012/02/02/pcanywhere_source_code_leak_sheanigans
Trojan smuggles out nicked blueprints as Windows Update
data
Security watchers have uncovered a new highly
targeted email-borne attack that uses a supposed conference
invitation as a lure - and disguises extracted data as Microsoft
Update traffic. The spearphishing attempts, which have been levied
against several government-related organisations worldwide, try to
use alleged unfixed security flaws in Adobe software to implant a
Trojan on compromised machines - ultimately opening a backdoor for
hackers to take over systems.
Once loaded, the malware also cunningly attempts
to escape detection by posing as a benign Windows Update utility.
The attack was independently discovered by security researchers
from Seculert and Zscaler, who issued a joint warning about the
so-called MSUpdater Trojan assault on Tuesday. "We were able to
track similar attacks, from the same group of attackers, back to
2009," Aviv Raff, CTO at Seculert told El Reg. "The method of
operation of many of the attacks is similar – a spearphishing email
is sent with a PDF attachment of a fake industry related
'Conference Invitation'. The PDF file exploits zero-day
vulnerabilities in Adobe Reader, and then installs the RAT [Remote
Access Trojan] malware. The malware tries to stay under the radar
of security products by pretending to be a 'Microsoft Windows
Update' - hence the name 'MSUpdater' Trojan."
"One variant is using Windows Update-like HTTP
requests to communicate with the command-and-control server. The
other drops a file named msupdate.exe," he added. "The attacks'
purpose was indeed industrial espionage, mainly for stealing
intellectual property. One of the main functions of a variant of
this malware was to steal specific files and upload them to the
C&C server."
Analysis of the attack is ongoing, and Raff is
yet to form a clear opinion on the likely perpetrators of the
assault. "We don't have information about the people behind those
attacks, however as all of them are targeting government-related
organisations, it is highly reasonable to suspect that the
attackers are high profile, maybe even a country," he
concluded.
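The two tells Raff describes, Windows Update-like HTTP requests and a dropped msupdate.exe, are something a proxy log can be searched for: legitimate update traffic goes to Microsoft's update domains, so update-shaped requests to any other host deserve a look. The following is an added example, not code from Seculert, Zscaler or the article: it parses a constructed proxy log and flags requests that carry a Windows Update client User-Agent or an update-like path but are addressed to a host outside an allowlist. The User-Agent string, the allowlist of update domains and the log format are assumptions made for this example; an organisation would derive its own allowlist from proxy history.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: domains that legitimately serve Windows Update.
LEGIT_UPDATE_DOMAINS = ("windowsupdate.com", "update.microsoft.com",
                        "windowsupdate.microsoft.com")

# Assumption: the User-Agent presented by the Windows Update client. The path
# markers mirror the names in the article ('msupdate', Windows Update).
UPDATE_USER_AGENT = "Windows-Update-Agent"
UPDATE_PATH_MARKERS = ("windowsupdate", "msupdate")

# Constructed proxy log: '<time> <client> <method> <url> "<user-agent>"'.
SAMPLE_PROXY_LOG = """\
2012-02-07T09:14:02Z 10.1.2.15 GET http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "Windows-Update-Agent"
2012-02-07T09:14:31Z 10.1.2.40 GET http://www.example.org/index.html "Mozilla/5.0"
2012-02-07T09:15:07Z 10.1.2.40 POST http://198.51.100.23/msupdate/check.aspx?id=3f2a "Windows-Update-Agent"
2012-02-07T09:16:44Z 10.1.2.77 GET http://updates.example.net/windowsupdate/v6/getmanifest.asp "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_proxy_line(line):
    """Split one log line into its fields; None for lines that do not fit."""
    match = LINE_RE.match(line)
    if not match:
        return None
    time, client, method, url, agent = match.groups()
    parts = urlsplit(url)
    return {"time": time, "client": client, "method": method,
            "host": (parts.hostname or "").lower(),
            "path": parts.path.lower(), "agent": agent}


def looks_like_windows_update(event):
    """True when the request is dressed up as Windows Update traffic."""
    if event["agent"].startswith(UPDATE_USER_AGENT):
        return True
    return any(marker in event["path"] for marker in UPDATE_PATH_MARKERS)


def host_is_legitimate(host, allowlist=LEGIT_UPDATE_DOMAINS):
    """True when the host is one of the update domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def detect_spoofed_update_traffic(log_text):
    """Return events that mimic Windows Update but talk to an unexpected host."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_proxy_line(line)
        if event is None:
            continue
        if looks_like_windows_update(event) and not host_is_legitimate(event["host"]):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in detect_spoofed_update_traffic(SAMPLE_PROXY_LOG):
        print(f"{a['time']} {a['client']} -> {a['host']}{a['path']} ({a['agent']})")
```

On the sample log the genuine download from download.windowsupdate.com passes and the two update-shaped requests to a bare IP address and to an unrelated domain are reported; a matching endpoint rule for a process named msupdate.exe running outside the Windows directory would cover the second variant Raff mentions.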
Source: http://www.theregister.co.uk/2012/02/01/spear_phishing_rats/
Romanian cops cuff suspected serial hacker TinKode
Romanian police have arrested a man suspected
of breaking into the websites of NASA and the Pentagon in a series
of high-profile hack attacks. Razvan Manole Cernaianu, 20, from
Timisoara, is accused of publishing details of the SQL injection
vulnerabilities discovered on the targeted websites under the
hacker handle TinKode. The Romanian Directorate for Investigating
Organized Crime and Terrorism (DIICOT) further alleges that
Cernaianu, an IT student, sold hacking tools from his personal
site.
TinKode bragged about breaking into the Royal
Navy's official website in November 2010 and making off with site
passwords. Other attacks claimed by TinKode include breaking into
the MySQL site (using a SQL injection vulnerability) and the
European Space Agency. These alleged targets fail to appear on the
rap sheet, which concentrates on the NASA hack and an assault of US
Army systems that allegedly resulted in the extraction of
confidential data. Investigating officers from the FBI and NASA
took part in the investigation that led to Cernaianu's arrest.
The motive for all the attacks was all about
claiming high-profile scalps, obtaining bragging rights in the
process, plus a heady mix of intellectual curiosity and pure
devilment, rather than any form of money-making scam.
Source:
http://www.theregister.co.uk/2012/02/01/tinkode_nasa_hack_suspect_cuffed/
Verisign Admits Breaches in SEC Filing
Internet giant VeriSign was hacked repeatedly
in 2010 resulting in the theft of undisclosed information and
raising questions about the integrity of security certificates
issued by the company as well as its domain name service. The
breaches were disclosed in vague language in a Securities and
Exchange Commission filing last October in accordance with new SEC
guidelines requiring companies to report intrusions to investors,
according to Reuters.
The filing doesn’t say when in 2010 the
breaches occurred, but administrators didn’t alert top management
until September 2011, although the document indicates
administrators were aware of, and responded to, the breaches
shortly after they occurred in 2010. The company’s former chief
technology officer, Ken Silva, who was with VeriSign until November
2010, was unaware of the breaches until Reuters contacted him for
its story.
VeriSign told Reuters the company did “not
believe these attacks breached servers that support our Domain Name
System Network.” DNS is responsible for delivering web surfers to
the correct sites they’re seeking. DNS converts requested URLs,
such as www.amazon.com, into the correct IP address so that users
trying to reach the retailer will have their browsers directed to
that company’s website. A breach of the DNS network could allow
attackers to redirect users to malicious web pages or redirect and
intercept e-mail communications.
Just as important are the security
certificates that VeriSign issued at the time. Such certificates
verify the legitimacy of secure web pages such as
https://google.com, so that browsers know they’ve reached a
legitimate site. An attacker who manages to subvert a
certificate-issuing authority can issue a bogus certificate that
would allow him to pose as a legitimate site and trick people into
entering usernames and passwords into an impostor site.
VeriSign sold its certificate-issuing
business to Symantec in August 2010. A Symantec spokeswoman told
Reuters that “there is no indication” that the breach “was related
to the acquired SSL product production systems.” The spokeswoman
did not indicate how the company could be sure this part of the
business was not affected, however.
VeriSign would not be the first certificate
authority hacked. Dutch certificate authority DigiNotar was hacked
in July 2011. The attackers were able to obtain several hundred
fraudulent certificates for top internet entities such as Google,
Mozilla, Yahoo and even the privacy and anonymizing service Tor.
Fraudulent certificates also played an important role in the super
worm Stuxnet, which used certificates stolen from two companies in
Taiwan. The authors of the worm, which was designed to attack
centrifuges in Iran’s uranium enrichment program, used the
certificates to sign a driver in their malware so that systems the
worm was trying to infect would believe that the malicious file was
a legitimate one from these two companies.
Source:
http://www.wired.com/threatlevel/2012/02/verisign-hacked-in-2010/
THE REST OF THE WEEK’S NEWS
Regional cybercrime hubs launched across England
Three police cybercrime teams have been
launched as part of a £6m regional effort to combat growing
threats. Yorkshire and the Humber, the Northwest and East Midlands
will each get its own dedicated unit. They will work alongside the
Metropolitan Police Central e-Crime Unit which deals with national
online security. The funding is part of £30m targeted at bolstering
e-crime prevention nationally over the next four years. The new
centres will consist of three members of staff - a detective
sergeant and two detective constables. The initiative was announced
at the Association of Chief Police Officers (ACPO) e-crime
conference in Sheffield on Wednesday.
A training period is required before the hubs
will be fully operational, Deputy Assistant Commissioner Janet
Williams, who heads ACPO's e-crime efforts, said. "These three
additional policing units are going to play a critical role in our
ability to combat the threat," she added. "It is anticipated
the hubs will make a significant contribution to the 'national harm
reduction' target of £504m." Harm reduction is calculated using a
"harm matrix" - a system which factors in costs such as how much
the criminal stood to gain, how much money was invested in the
crime, and the potential cost to the victim. "In the first six
months of the new funding period alone we have already been able to
show a reduction of £140m with our existing capability," Ms
Williams said.
Britain's e-crime efforts were exposed last
week after a conference call in which Met officers discussed
operations against hackers with the FBI was itself intercepted by
hackers. Details about active investigations into hackers who
identified themselves with the activist collective Anonymous were
posted online. At one point in the tape, a British detective can be
heard saying: "We're here to help. We've cocked things up in the
past, we know that."
The move to increase funding and reach of
e-crime prevention efforts has been praised by security
professionals. "It seems to me to be a positive move towards
enhancing the national response to cybercrime," said David
Emm, a security researcher for
Kaspersky. "Until now, most of the police's expertise in
computer-based crime has been concentrated in the Serious Organised
Crime Agency and the Met.” “Clearly, the
government is keen to widen the field of expertise, and this is
part of that initiative."
Source: http://www.bbc.co.uk/news/technology-16945859
Google to Block Blogs on a Country-by-Country
Basis
Google has quietly announced changes to its
Blogger free-blogging platform that will enable the blocking of
content only in countries where censorship is required. Twitter
announced technology last week addressing the same topic. It said
it had acquired the ability to censor tweets in the countries only
where it was ordered removed, instead of on an internet-wide
basis.
Twitter’s announcement via its blog sparked a
huge online backlash. The microblogging service was accused of
becoming a censoring agent. Yet Google’s announcement three weeks
ago — buried in a Blogger help page — went unnoticed until it was
highlighted by TechDows on Tuesday.
Google wrote Jan. 9 it would begin
redirecting Blogger traffic to country-specific URLs, meaning
whatever country you’re in, you’ll get that country’s domain for
Blogger-hosted blogs. TechDows reports that this is now happening
in India, for example. So when you’re there and click on a Blogger
blog, the URL will end ".in". Doing that, Google wrote, means
content can be removed “on a per country basis.”
“Migrating to localized domains will allow us
to continue promoting free expression and responsible publishing
while providing greater flexibility in complying with valid removal
requests pursuant to local law,” Google wrote.
Twitter did not announce how its new
technology functions, but said Twitter has the ability to remove
tweets only in countries where that content was barred.
Source:
http://www.wired.com/threatlevel/2012/01/google-censoring-blogger
Hackers may be able to 'outwit' online banking security
devices
Hackers may already be able to use malware to
outwit the latest generation of online banking security devices,
security watchers warn. An investigation by BBC Click underlines
possible shortcomings in the extra security provided by banking
authentication devices such as PINSentry from Barclays and
SecureKey from HSBC. Using such two-factor authentication devices
means that even if hackers trick consumers into handing over their
bank login passwords they still won't be able to raid online
banking accounts.
But although basic phishing attacks will
fail, it might still be possible for hackers to monitor and alter a
user's communication with a banking site using malware. Hackers
could set up a fake banking website and prompt users attempting to
log into their account for both their online login credential and,
for example, a PINSentry code, a pseudo-random number that changes
every minute or so. This information would allow cybercrooks to log
onto the genuine banking website, posing as a customer, before
authorising fraudulent transfers or other payments.
This variant of a classic
man-in-the-middle attack is known in security circles as a
man-in-the-browser attack. Isolated incidents of this type of fraud
have cropped up over recent years, so the attack isn't new.
Phishers have been having a pop at two-factor authentication
devices since at least 2006, if not earlier. Targets over the years
have included customers at Citibank and some Nordic banks, among
others.
While the tactic is understood in security
circles, it is doubtful that many consumers are aware of it, so the
BBC Click investigation is welcome in helping to publicise the
issue. The investigation – which does not highlight new instances
of fraud or include quotes from victims – makes it clear that the
threat is not tied to the technology supplied by any particular
bank.
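The weakness the article describes is that a code which changes every minute is still only a proof that the customer holds the device; it says nothing about which payment the customer meant to approve, so a code relayed from a fake site within its window authorises whatever the fraudster submits. The following is an added example, not code from BBC Click, Barclays, HSBC or the article, and it does not describe how PINSentry or SecureKey actually work: it models a plain one-time code beside a transaction-signing code computed over the payee and amount the customer types into the device, and shows that the relayed code passes in the first scheme and fails in the second when the fraudster alters the transfer. The secret, counter and challenge values are constructed.

```python
import hashlib
import hmac
import struct

DIGITS = 8


def otp_code(secret, counter):
    """Code from a plain one-time-code device (RFC 4226 style truncation).

    It depends only on the secret and a counter (a time-based device uses
    counter = time // step), so it carries nothing about the transaction.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def transaction_code(secret, payee, amount_pence, challenge):
    """Transaction-signing code: computed over the payee and amount the customer
    types into the device plus a bank-issued challenge, so it authorises that
    transfer and nothing else."""
    message = b"|".join([payee.encode(), str(amount_pence).encode(),
                         challenge.encode()])
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def bank_accepts_otp(secret, counter, code):
    """Bank-side check for the plain scheme: only the code is examined."""
    return hmac.compare_digest(otp_code(secret, counter), code)


def bank_accepts_signed_transfer(secret, payee, amount_pence, challenge, code):
    """Bank-side check for the signing scheme: the code must match the
    transfer actually being submitted."""
    expected = transaction_code(secret, payee, amount_pence, challenge)
    return hmac.compare_digest(expected, code)


def relay_scenario():
    """Model the relay in the article: the customer approves a 50.00 transfer
    to ACC-1234 on a fake site; the fraudster forwards what the customer
    entered to the real bank but changes the payee and amount."""
    secret = b"constructed-device-seed"   # constructed, shared by device and bank
    counter = 1_234_567                    # constructed time step for the window
    challenge = "8841"                     # constructed bank challenge for the session
    intended = ("ACC-1234", 5000)
    altered = ("ACC-9999", 450000)

    # Plain OTP: the relayed code has no transaction details, so it is accepted.
    relayed_otp = otp_code(secret, counter)
    otp_result = bank_accepts_otp(secret, counter, relayed_otp)

    # Signing: the customer signed the transfer they intended, so the same
    # code fails for the altered one and passes only for the original.
    relayed_signed = transaction_code(secret, *intended, challenge)
    altered_result = bank_accepts_signed_transfer(secret, *altered, challenge,
                                                  relayed_signed)
    intended_result = bank_accepts_signed_transfer(secret, *intended, challenge,
                                                   relayed_signed)
    return {"otp_accepts_altered_transfer": otp_result,
            "signing_accepts_altered_transfer": altered_result,
            "signing_accepts_intended_transfer": intended_result}


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```

The signing scheme only helps if the customer reads the payee and amount off their own statement of intent rather than off the page in front of them, which is why the article's point about consumer awareness matters as much as the device.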
More on this story at: http://www.theregister.co.uk/2012/02/06/online_banking_security
Camera phones pose security threat to aircraft carrier
project
Mobile phones with cameras have become a
major security concern at Cochin Shipyard Limited (CSL) where the
construction of India's first indigenous aircraft carrier has
entered its crucial phase. Though the shipyard has been put under
tight security, mobile phones of employees are troubling
authorities who want to maintain a high level of secrecy about this
project.
After floating the vessel on December 29, the
shipyard has been working on crucial features of the vessel which
includes interior mechanical system and integration of other
devices. There are unconfirmed reports that some trainee employees
have uploaded a few pictures of the carrier on social media sites
like Facebook and Orkut.
However, the authorities have totally
rejected this possibility. "We have not come across any such
reports. There is a mechanism that checks whether the employees are
using mobile phones in restricted areas. Above all, access is the
key and the shipyard has prepared a list of employees who can
access the construction site of the vessel," said CSL company
secretary V Kala.
The security wing has also framed tougher
regulations on mobile phone usage inside the shipyard from January
2012. According to CSL security officer in charge M D Varghese,
a procedure is under way to fit a hologram to the mobile phones of all
employees who will be allowed to carry one inside the shipyard. "Only mobile
phones having the particular hologram will be allowed inside.
Employees have been directed to submit an application form along
with their mobile phones for fixing the hologram," he said. The
officer said restrictions are also imposed on usage of mobile
phones with cameras. "Only officials above the rank of supervisors
will be allowed to use mobile phones at sites where the
construction activities of the aircraft carrier are progressing,"
he said.
Source:
http://articles.timesofindia.indiatimes.com/2012-02-06/kochi/31031109_1_mobile-phones-aircraft-carrier-cochin-shipyard-limited
Via G Forbes @OCEANUSlive
Manning to Face All Charges in Court Martial
WikiLeaks suspect Bradley Manning is headed
for a general court-martial, according to the commander of the U.S.
Army Military District of Washington in an announcement released
late Friday. Maj. Gen. Michael Linnington, the general convening
authority for the district, made the determination that Manning
will face all 22 charges levelled against him, including aiding the
enemy, wrongfully causing intelligence to be published on the
internet knowing that it is accessible to the enemy, theft of
public property or records, transmitting defence information, and
fraud and related activity in connection with computers.
The most serious charge — aiding the enemy —
carries a possible death penalty. Prosecutors have said they will
not seek the death penalty. Instead, Manning faces life in prison
if convicted of all the charges.
More on this story at:
http://www.wired.com/threatlevel/2012/02/manning-to-be-court-martialed
Prison terms in Pirate Bay trial stand as Supreme Court
refuses hearing
The Swedish Supreme Court will not hear an
appeal from the founders of The Pirate Bay against prison sentences
and fines imposed by the Swedish Court of Appeals, the court said
on Wednesday. Over a year ago, the Court of Appeals sentenced
Fredrik Neij, Peter Sunde, and Carl Lundström to 10 months, eight
months and four months of jail time, respectively. The court also
said they must collectively pay a 46 million kronor ($6.7 million)
fine.
The Supreme Court hears cases that are
considered important for the direction of Swedish law enforcement,
or when there are special circumstances. The court has reviewed the
material in the Pirate Bay case and found that neither reason to
hear the case exists, it said.
Separately, Gottfrid Svartholm Warg has been
sentenced to one year in prison. Due to illness, Warg never showed
up at the appeals trial, and recently had his verdict in the
district court confirmed. The Pirate Bay case has been contentious
from day one, and not everyone thinks Wednesday's decision was the
right choice. "The Pirate Bay case is fundamentally important and
it is unfortunate that the Supreme Court chooses not to hear the
case," said Anna Troberg, leader of the Pirate Party in Sweden, in
a statement. The case has been handled inadequately since the raid
back in May 2006, and it would have been desirable that the Supreme
Court heard the case, she said.
The entertainment industry is happier. The
verdict is a defining moment in the battle over copyright on the
Internet, according to the industry-funded Anti-Piracy Office. The
Supreme Court has made it clear that all involved are responsible
for any violations, including those that deliver the Internet
connection, said the industry group.
Now that the sentence has been confirmed,
Anti-Piracy Office will act against the nearly 150 illegal
file-sharing services that have Swedish connections, it said.
Source:
http://www.computerworld.com/s/article/9223874/Prison_terms_in_Pirate_Bay_trial_stand_as_Supreme_Court_refuses_hearing
Kelihos Botnet Regaining Momentum
Although Microsoft struck a massive blow at
the Kelihos/Hlux botnet last year, Microsoft's ally in the strike,
Kaspersky Labs, has now found new variants of the Kelihos bots,
calling into question whether the operation was effective. The
Kelihos/Hlux botnet was previously dealt a blow through a method
called sinkholing. During normal operation, botnets communicate
with one or more command-and-control centres. The compromised
computers need to know where the command-and-control centres are,
so the botnet's operators set up domains and modify their DNS
entries to point to the IP address of the command-and-control
centre's servers.
Sinkholing comes into effect when researchers
contact the domain registrars, prove that the domains are being
used for malicious purposes and take control of their DNS entries,
substituting their own server IP addresses. This fools infected
computers into communicating with the researchers' server instead.
At this point, no further instructions are sent out to compromised
clients, as attempts to self-cleanse the botnets have numerous
ethical and legal considerations. Although being cut off from the
command-and-control servers effectively neutralises infected
computers from being able to conduct illegal activities, the PCs
are still left open to future exploitation by criminals.
The method was seen as a better alternative
than attempting to gain control of the command-and-control servers.
The latter strategy required a highly coordinated surprise attack,
since operators could always modify the DNS entries of their
domains and point to new servers if they ever realised or suspected
that their physical infrastructure was being compromised. However,
Kaspersky has said that sinkholing may not be very effective if the
botnet's operators are not apprehended. It found that shortly after
the announcement made by Microsoft and itself last year, new
versions of the bot's code had begun to surface, either written by
the existing yet-to-be-caught operators, or by a new player that
had obtained the botnet source code.
The presence of two different keys used to
encrypt communications in the new version of the botnet code
indicates that there may be two different groups controlling the
botnet, the company wrote in a blog post. The company said that
sinkholing might still be used to neutralise botnets, but it would
require slightly different techniques, including pushing tools on
to infected machines to remove infection, and forcing operators to
re-infect if they want to build another botnet. Ultimately, though,
the company said that the most effective way to disable botnets is
to find the operators.
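Once the domains point at the researchers' server, that server answers the bots with nothing actionable and its only output is a log of who called in. What makes the log useful is the step described in the DNSChanger story above: turning it into per-ISP victim counts so customers can be notified. The following is an added example, not code from Kaspersky, Microsoft or the article: it processes a constructed sinkhole hit log, counts unique infected hosts per sinkholed domain, and produces per-network, per-day notification rows using a constructed prefix-to-owner map (a real one would come from WHOIS or BGP data).

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole hit log, one line per connection attempt:
# '<time> <source-ip> <domain the bot asked for>'
SINKHOLE_LOG = """\
2012-02-06T00:01:12Z 203.0.113.17 cc-one.example
2012-02-06T00:01:13Z 203.0.113.17 cc-one.example
2012-02-06T00:05:44Z 203.0.113.200 cc-two.example
2012-02-06T03:10:09Z 198.51.100.9 cc-one.example
2012-02-07T11:42:51Z 203.0.113.17 cc-one.example
2012-02-07T12:00:00Z 192.0.2.77 cc-two.example
"""

# Constructed prefix -> network owner map; a real one comes from WHOIS/BGP data.
NETWORK_OWNERS = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B",
}


def lookup_owner(ip_text):
    """Name the network owner responsible for an address, or 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    for network, owner in NETWORK_OWNERS.items():
        if ip in network:
            return owner
    return "unknown"


def parse_sinkhole_log(text):
    """Yield (date, source ip, requested domain) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, ip, domain = parts
        yield timestamp[:10], ip, domain


def victims_per_domain(text):
    """Unique infected hosts seen per sinkholed command-and-control domain."""
    seen = defaultdict(set)
    for _, ip, domain in parse_sinkhole_log(text):
        seen[domain].add(ip)
    return {domain: len(ips) for domain, ips in seen.items()}


def notification_report(text):
    """Rows handed to each network owner: (owner, date, victim count).
    Deduplicated, so a bot that polls every few seconds counts once a day."""
    seen = defaultdict(set)
    for date, ip, _ in parse_sinkhole_log(text):
        seen[(lookup_owner(ip), date)].add(ip)
    return sorted((owner, date, len(ips)) for (owner, date), ips in seen.items())


if __name__ == "__main__":
    print("victims per domain:", victims_per_domain(SINKHOLE_LOG))
    for owner, date, count in notification_report(SINKHOLE_LOG):
        print(f"{date} {owner}: {count} infected host(s)")
```

Counting source addresses undercounts hosts behind NAT and overcounts hosts on dynamic addresses, which is one reason the article's authors are cautious about reading a sinkhole's numbers as the size of the botnet.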
Source:
http://www.zdnet.com.au/kelihos-variants-slipped-microsofts-noose-339330987.htm
Kernell's Appeal to Overturn Obstruction of Justice
Conviction Denied
A federal appeals court will not overturn the
conviction of a 24-year-old found guilty last year of illegally
accessing the personal email account of Sarah Palin while she was a
vice presidential candidate. David Kernell, who is free from jail
after serving time at a federal prison camp in Kentucky, lost his
appeal to have one of his convictions, for obstruction of justice,
thrown out. He did not file an appeal against the other count under
which he was found guilty, for the unauthorized access of
electronic information.
Kernell, the son of Mike Kernell, a member of
the Tennessee House of Representatives, was convicted of the two
charges by a Knoxville jury in April. He was a 20-year-old
economics student at the University of Tennessee in 2008 when he
hacked his way past security questions to access then-Alaska Gov.
Palin's personal email account. He gained access by providing
Palin's birth date and ZIP code to Yahoo's password retrieval
system. At that time, she had been recently recruited to run as
vice president in the 2008 presidential bid of Sen. John McCain,
R-Ariz.
Once Kernell got into Palin's personal
account, he published messages from it. Subsequently, anticipating
an FBI investigation, he attempted to disguise his activities by
deleting evidence from his computer, which resulted in the
obstruction-of-justice charge. Despite deleting his web browser's
cache and defragmenting his hard drive, the FBI still found a
connection to Palin's email account, including a letter he posted
to the message board 4chan touting his hack, according to court
documents.
Kernell's lawyers argued to a three-judge
appeals panel that the portion of the Sarbanes-Oxley Act under
which he was convicted was “unconstitutionally vague,” and that it
was unconstitutional to convict someone for obstruction of justice
before an investigation was initiated, according to court
documents. The panel ruled on Monday, however, that Kernell's
acknowledging online that he anticipated an investigation supported
the conviction.
"Kernell expressly states [posting on 4chan]
that he deleted the information on his computer out of a fear that
the FBI would find it, plainly showing that he took his actions
with the intent to hinder an investigation," according to the
judges' ruling.
Kernell's attorney, Wade Davies, has said
Kernell's access of Palin's account was merely a prank, according
to reports. Davies could not be reached for comment.
Source:
http://www.scmagazine.com/palin-hacker-appeal-rejected/article/225872
Apple Issues Security Updates
Apple has released a security update for its
OS X Lion, Snow Leopard and Server platforms. The company said that
the OS X 10.7.3 release would patch Lion systems, while the
2012-001 security update would be made available to Snow Leopard
and OS X server machines. The update, Apple's first major OS X
security fix of the year, will include some 38 patches for security
vulnerabilities in the operating system.
Among the applications and components patched
in the update are Apple's QuickTime multimedia tool. The software
received fixes for six vulnerabilities which could allow for remote
code execution by way of specially crafted image and video files.
Apple also issued updates for the OS X Apache and PHP components,
along with fixes for a vulnerability in Time Machine and an update
which blocks poorly-secured root certificates from Diginotar
Malaysia. While none of the flaws addressed in the update are known
to be used by malware in the wild, OS X users find themselves
facing an increasing number of threats.
The emergence of the Mac Defender platform
has led some researchers to conclude that Mac OS will be a more
popular target than ever in 2012. Users can obtain the update by
running the OS X software update tool or by manually downloading
the package from Apple's support site. The release comes as Apple
is seeing some of its strongest ever Mac sales. The company
estimated that last quarter some 5.2 million Macs were sold, up 26
per cent over the previous year.
Source:
http://www.v3.co.uk/v3-uk/news/2143131/apple-issues-security-update