Archive for April, 2012

Stuxnet worm reportedly planted by Iranian double agent using memory stick

Friday, April 13th, 2012

The Stuxnet computer worm used to sabotage Iran’s nuclear program was planted by a double agent working for Israel. The agent used a booby-trapped memory stick to infect machines deep inside the Natanz nuclear facility, according to a report published on Wednesday.

Once the memory stick was infected, Stuxnet was able to infiltrate the Natanz network when a user did nothing more than click on an icon in Windows, ISSSource reported. They cited former and serving US intelligence officials who requested anonymity because of their proximity to the investigations. Covert operators from Israel and the US wanted to use a saboteur on the ground to spread the infection to insure the worm burrowed into the most vulnerable machines in the system, reporter Richard Sale added.

The double agent was probably a member of an Iranian dissident group, possibly from the Mujahedeen-e-Khalq group. This group is believed to be behind the assassinations of key Iranian nuclear scientists. In October, a huge blast destroyed an underground site near the town of Khorramabad in western Iran that housed most of Iran’s Shehab-3 medium-range missiles capable of reaching Israel and Iraq. Former and current US officials told ISSSource that the MEK was behind the attack, and one of the officials said “computer manipulations” caused the blast. “Given the seriousness of the impact on Iran’s (nuclear) program, we believe it took a human agent to spread the virus,” the source told the publication.

As Wired.com senior reporter Kim Zetter chronicled last year, Stuxnet made history as the most advanced—if not the first—real cyber weapon. It ultimately exploited four previously unknown vulnerabilities in Windows and masterfully took advantage of weaknesses buried deep inside Siemens’s Simatic WinCC Step7 software, which was used to control machinery inside Natanz. Stuxnet disrupted the Iranian nuke program by sabotaging the centrifuges used to enrich uranium. While the worm was designed to spread widely, it was programmed to execute its malicious payload against a highly selective list of targets.

According to ISSSource, Stuxnet wasn’t the first malware the US military has used against opponents. In the 1980s, it planted viruses inside a Soviet military-industrial structure that could be activated in time of war. A similar process against China is continuing today, the publication said. In late 1991, just prior to the Desert Storm operation against Iraq, the CIA and British Government Communication Headquarters implanted bugs into hardware that was smuggled into Baghdad. US planes destroyed the targeted command and control network where the infected equipment was inserted before the malware was able to spread.

Source:  arstechnica.com

Apple to release Flashback removal software, working to take down botnet

Wednesday, April 11th, 2012

Apple plans to release software that will detect and remove Flashback malware infections on the Mac, the company announced Tuesday. In a knowledge base link published late in the day, Apple explained that it’s aware of the infection—which takes advantage of a previously unpatched Java vulnerability—saying that the software was coming, but no specific release date was given.

In addition to the Flashback detection software, Apple said that it’s “working with ISPs worldwide” to disable the botnet’s command and control (C&C) servers. Kaspersky researcher Kurt Baumgartner told Forbes earlier on Tuesday that “Apple is taking appropriate action by working with the larger Internet security community to shut down the Flashfake [also known as Flashback] C2 domains,” and Apple’s latest efforts seem to coincide with Baumgartner’s statement.

“Apple is developing software that will detect and remove the Flashback malware,” Apple wrote. “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.”

We have been covering the Mac Flashback trojan since 2011, but the malware recently picked up steam. Last week, Russian security firm Dr. Web reported that it had infected more than half a million Macs worldwide. (The aforelinked Forbes report claimed Apple tried to take down Dr. Web’s sinkhole server for Flashback, but it seems most likely that this was an accidental inclusion in Apple’s attempts to take down the botnet’s C&Cs.)

There are already a couple ways to detect and remove a Flashback infection, but they involve some Terminal kung-fu that less experienced users might not feel comfortable with. Apple’s solution will undoubtedly target mainstream users who have heard about Flashback and want to ensure their Macs remain malware-free.

Source:  arstechnica.com

Command line switches for Microsoft Outlook 2010

Wednesday, April 11th, 2012

Microsoft Outlook 2010 can be opened with a variety of command line options, or switches.  The list below is courtesy of Microsoft.

Available switches

Switch

Description

/a

Creates an item with the specified file as an attachment.

Example:

·      “c:\program files\microsoft office\office14\outlook.exe” /a “c:\my documents\labels.doc”

If no item type is specified, IPM.Note is assumed. Cannot be used with message classes that are not based on Outlook.

/altvba otmfilename

Opens the VBA program specified in otmfilename, instead of %appdata%\microsoft\outlook\vbaproject.otm.

 Note    This command line switch is only available if the following Windows registry DWORD value is set to 1. HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\EnableAltVba

/c messageclass

Creates a new item of the specified message class (Outlook forms or any other valid MAPI form).

Examples:

·      /c ipm.activity creates a Journal entry

·      /c ipm.appointment creates an appointment

·      /c ipm.contact creates a contact

·      /c ipm.note creates an e-mail message

·      /c ipm.stickynote creates a note

·      /c ipm.task creates a task

/checkclient

Prompts for the default manager of e-mail, news, and contacts.

/cleanautocompletecache

Removes all names and e-mail addresses from the Auto-Complete list.

/cleancategories

Deletes any custom category names that you have created. Restores categories to the default names.

/cleanclientrules

Starts Outlook and deletes client-based rules.

/cleanconvongoingactions

Deletes the Conversations Actions Table (CAT). CAT entries for a conversation thread usually expire 30 days after no activity. The command-line switch clears all conversation tagging, ignore, and moving rules immediately stopping any additional actions.

/cleandmrecords

Deletes the logging records saved when a manager or a delegate declines a meeting.

/cleanfinders

Resets all Search Folders in the Microsoft Exchange mailbox for only the first profile opened.

/cleanfreebusy

Clears and regenerates free/busy information. This switch can be used only when you are able to connect to the server that runs Exchange.

/cleanfromaddress

Removes all manually added From entries from the profile.

/cleanmailtipcache

Removes all MailTips from the cache.

/cleanreminders

Clears and regenerates reminders.

/cleanroamedprefs

All previous roamed preferences are deleted and copied again from the local settings on the computer where this switch is used. This includes the roaming settings for reminders, free/busy grid, working hours, calendar publishing, and RSS rules.

/cleanrules

Starts Outlook and deletes client-based and server-based rules.

/cleanserverrules

Starts Outlook and deletes server-based rules.

/cleansharing

Removes all RSS, Internet Calendar, and SharePoint subscriptions from Account Settings, but leaves all the previously downloaded content on your computer. This is useful if you cannot delete one of these subscriptions within Outlook 2010.

/cleansniff

Overrides the programmatic lockout that determines which of your computers (when you run Outlook at the same time) processes meeting items. The lockout process helps prevent duplicate reminder messages. This switch clears the lockout on the computer it is used. This enables Outlook to process meeting items.

/cleansubscriptions

Deletes the subscription messages and properties for subscription features.

/cleanviews

Restores default views. All custom views that you created are lost.

/embedding

Used without command-line parameters for standard OLE co-create.

/f msgfilename

Opens the specified message file (.msg) or Microsoft Office saved search (.oss).

/finder

Opens the Advanced Find dialog box.

/hol holfilename

Opens the specified .hol file.

/ical icsfilename

Opens the specified .ics file.

/importNK2

Imports the contents of an .nk2 file which contains the nickname list that is used by both the automatic name checking and Auto-Complete features.

/importprf prffilename

Starts Outlook and opens/imports the defined MAPI profile (*.prf). If Outlook is already open, queues the profile to be imported on the next clean start.

/launchtraininghelp assetid

Opens a Help window with the Help topic specified in assetid displayed.

/m emailname

Provides a way for the user to add an e-mail name to the item. Only works together with the /c command-line parameter.

Example:

·      Outlook.exe /c ipm.note /m emailname

/nopreview

Starts Outlook with the Reading Pane off.

/p msgfilename

Prints the specified message (.msg).

/profile profilename

Loads the specified profile. If your profile name contains a space, enclose the profile name in quotation marks (” “).

/profiles

Opens the Choose Profile dialog box regardless of the Options setting on the Tools menu.

/promptimportprf

Same as /importprf except that a prompt appears and the user can cancel the import.

/recycle

Starts Outlook by using an existing Outlook window, if one exists.

/remigratecategories

Starts Outlook and starts the following commands on the default mailbox:

·      Upgrades colored For Follow Up flags to Outlook 2010 color categories.

·      Upgrades calendar labels to Outlook 2010 color categories.

·      Adds all categories used on non-mail items into the Master Category List

 Note    This is the same command as Upgrade to Color Categories in each Outlook mailbox properties dialog box.

/resetfolders

Restores missing folders at the default delivery location.

/resetfoldernames

Resets default folder names (such as Inbox or Sent Items) to default names in the current Office user interface language.

For example, if you first connect to your mailbox in Outlook by using a Russian user interface, the Russian default folder names cannot be renamed. To change the default folder names to another language, such as Japanese or English, you can use this switch to reset the default folder names after you change the user interface language or install a different language version of Outlook.

/resetformregions

Empties the form regions cache and reloads the form region definitions from the Windows registry.

/resetnavpane

Clears and regenerates the Navigation Pane for the current profile.

/resetquicksteps

Restores the default Quick Steps. All user-created Quick Steps are deleted.

/resetsearchcriteria

Resets all Instant Search criteria so that the default set of criteria is shown in each module.

/resetsharedfolders

Removes all shared folders from the Navigation Pane.

/resettodobar

Clears and regenerates the To-Do Bar task list for the current profile. The To-Do Bar search folder is deleted and re-created.

/restore

Attempts to open the same profile and folders that were open prior to an abnormal Outlook shutdown.

/rpcdiag

Opens Outlook and displays the remote procedure call (RPC) connection status dialog box.

/safe

Starts Outlook without the Reading Pane or toolbar customizations. Both native and managed Component Object Model (COM) add-ins are turned off.

/safe:1

Starts Outlook with the Reading Pane off.

/safe:3

Both native and managed Component Object Model (COM) add-ins are turned off.

/select foldername

Starts Outlook and opens the specified folder in a new window. For example, to open Outlook and display the default calendar, use: “c:\program files\microsoft office\office14\outlook.exe” /select outlook:calendar.

/share feed://URL/filename

/share stssync://URL

/share web://URL/filename

Specifies a sharing URL to connect to Outlook. For example, use stssync://URL to connect a SharePoint list to Outlook.

/sniff

Starts Outlook, forces a detection of new meeting requests in the Inbox, and then adds them to the calendar.

/t oftfilename

Opens the specified .oft file.

/v vcffilename

Opens the specified .vcf file.

/vcal vcsfilename

Opens the specified .vcs file.

Researchers release new exploits to hijack critical infrastructure

Friday, April 6th, 2012

Researchers have released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure, such as refineries and factories.

The exploits would allow someone to hack the system in a manner similar to how the Stuxnet worm attacked nuclear centrifuges in Iran, a hack that stunned the security world with its sophistication and ability to use digital code to create damage in the physical world.

The exploits attack the Modicon Quantum programmable logic controller made by Schneider-Electric, which is a key component used to control functions in critical infrastructures around the world, including manufacturing facilities, water and wastewater management plants, oil and gas refineries and pipelines, and chemical production plants. The Schneider PLC is an expensive system that costs about $10,000.

One of the exploits allows an attacker to simply send a “stop” command to the PLC.

The other exploit replaces the ladder logic in a Modicon Quantum PLC so that an attacker can take control of the PLC.

The module first downloads the current ladder logic on the PLC so that the attacker can understand what the PLC is doing. It then uploads a substitute ladder logic to the PLC, which automatically overwrites the ladder logic on the PLC. The module in this case only overwrites the legitimate ladder logic with blank ladder logic, to provide a proof of concept demonstration of how an attacker could easily replace the legitimate ladder logic with malicious commands without actually sabotaging the device.

The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.

The attack code was created by Reid Wightman, an ICS security researcher with Digital Bond, a computer security consultancy that specializes in the security of industrial control systems. The company said it released the exploits to demonstrate to owners and operators of critical infrastructures that “they need to demand secure PLC’s from vendors and develop a near-term plan to upgrade or replace their PLCs.”

The exploits were released as modules in Metasploit, a penetration testing tool owned by Rapid 7 that is used by computer security professionals to quickly and easily test their networks for specific security holes that could make them vulnerable to attack.

The exploits were designed to demonstrate the “ease of compromise and potential catastrophic impact” of vulnerabilities and make it possible for owners and operators of critical infrastructure to “see and know beyond any doubt the fragility and insecurity of these devices,” said Digital Bond CEO Dale Peterson in a statement.

But Metasploit is also used by hackers to quickly find and gain access to vulnerable systems. Peterson has defended his company’s release of exploits in the past as a means of pressuring companies like Schneider into fixing serious design flaws and vulnerabilities they’ve long known about and neglected to address.

Peterson and other security researchers have been warning for years that industrial control systems contain security issues that make them vulnerable to hacking. But it wasn’t until the Stuxnet worm hit Iran’s nuclear facilities in 2010 that industrial control systems got widespread attention. The makers of PLCs, however, have still taken few steps to secure their systems.

“[M]ore than 500 days after Stuxnet the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issues as well,” Peterson said.

Stuxnet, which attacked a PLC model made by Siemens in order to sabotage centrifuges used in Iran’s uranium enrichment program, exploited the fact that the Siemens PLC, like the Schneider PLC, does not require any authentication to upload rogue ladder logic to it, making it easy for the attackers to inject their malicious code into the system.

Peterson launched a research project last year dubbed Project Basecamp, to uncover security vulnerabilities in widely used PLCs made by multiple manufacturers.

In January, the team disclosed several vulnerabilities they found in the Modicon Quantum system, including the lack of authentication and the presence of about 12 backdoor accounts that were hard coded into the system and that have read/write capability. The system also has a web server password that is stored in plaintext and is retrievable via an FTP backdoor.

At the time of their January announcement, the group released exploit modules that attacked vulnerabilities in some of the other products, and have gradually been releasing exploits for other products since then.

Source:  arstechnica.com

Spam levels still low a year after Rustock botnet takedown

Friday, April 6th, 2012

In March 2011, a Microsoft-led team targeted and decapitated the Rustock botnet, and a dramatic decrease in spam traffic was noticed almost immediately. It turns out that a full year later, spammers have not been able to fill the gaping hole left by Rustock’s absence.

Just before the Rustock takedown, “spam levels were around the 150 billion mark daily,” security vendor Commtouch said in a new analysis. “Spam levels dropped immediately after that takedown and have continued to decrease ever since. In the first quarter of 2012, an average of 94 billion spam emails were sent per day… There is no sign of a return to pre-Rustock spam levels.”

Rustock was responsible for sending 30 billion spam e-mails a day, and thus its takedown alone can’t account for the entire drop in spam volume. Commtouch said the sustained improvement was a combination of multiple botnet takedowns, as well as “increased prosecution of spammers and the source industries such as fake pharmaceuticals and replicas.”

Spam accounted for 75 percent of all e-mails sent in the first three months of 2012, according to Commtouch’s “April 2012—Internet Threats Trend Report.” Commtouch said it is “tempting” to conclude that a decade-long growth in spam has been permanently reversed, but the signs are not all good. Commtouch estimates that 270,000 zombie computers were activated each day for the purposes of sending spam in the first quarter of 2012, up from 209,000 in the last quarter of 2011. There had been a drop in November because of the “Esthost” botnet takedown, but “spammers have worked to source new zombies since the start of 2012,” Commtouch said.

Commtouch’s estimates are based on traffic going through its GlobalView Cloud service, which handles more than 10 billion transactions each day, including “URL and spam queries from millions of endpoints.” The data does not include internal corporate traffic.

Source:  arstechnica.com

IBM’s Big Data Challenge: A Telescope That Generates More Data Than the Whole Internet

Thursday, April 5th, 2012

radio-telescope-600There’s a massive telescope on the drawing board that hasn’t even started construction yet, but when it’s finished in 2024, it’ll generate more data in a single day than the entire Internet. For scientists to ensure they’ll be able to handle all that raw information, they need to start working on new computing technologies now. Fortunately, IBM is on it.

The computing giant is collaborating with ASTRON (the Netherlands Institute of Radio Astronomy) to develop the next-generation computer tech needed to handle the colossal amount of data captured by the Square Kilometer Array (SKA), a new radio telescope that will spread sensing equipment over a span 3,000 kilometers wide, or about the width of the continental U.S.A.

“One of the goals is to search what happened at the time of the Big Bang, 13 billion years ago,” IBM researcher Ronanld Luijten told Mashable. “We need to figure out what technology needs to be chosen in order to build this large antenna.”

The project is called DOME, and it’s challenged with finding a way to capture and process approximately one exabyte every day, which works out to about twice the amount of data that’s generated every day by the World Wide Web, IBM says. To do that in a way that doesn’t consume a massive amount of energy, IBM will need to develop some entirely new processing architectures before construction on the telescope begins in 2017.

“We need to be very creative,” says Luijten. “If we were to use standard servers of today, we’d need millions of them. They would use so much space and use so much energy that we couldn’t afford to build the machines let alone operate them.”

While the project has only just been announced, IBM already has some ideas in the hopper. Specifically, it’ll be looking at novel ways of stacking chips (today’s chips are flat, though stacking or “3D” tech is around the corner) and using optical technology for interconnects, something the company has already had some success with. The promising new conductive material graphene, however, probably won’t play a part.

“Graphene will not be available in time to build something we start in 2017,” says Luijten. “But it might be available for a later generation. The expectation is that we will go with the traditional CMOS process.”

Even though the new computing tech hasn’t even been invented yet, it’ll ironically still rely on one of the oldest storage technologies in existence: magnetic tape. Luijten says tape simply can’t be matched by newer storage mediums since it’s so cost-, space- and power-efficient. The project won’t exclusively use tape for storage, though, also relying on phase-change media and solid-state drives.

“We’re looking at new memory technologies,” says Luijten, “but at the end of the day most of the data likely will remain on tape because it’s still the most cost-effective storage medium. Tape will be around for a long time.”

The SKA isn’t planned to be completed until 2024, but the technologies that IBM creates to service it will have the potential to change entire industries in the meantime, dealing with big-data problems that the world is just now encountering. It’s possible the social networks and search engines of the future will be powered by IBM’s coming tech or something like it, enabling them to process an entire Internet’s worth of data for anyone and everyone.

Source:  mashable.com

More than 600,000 Macs infected with Flashback botnet

Thursday, April 5th, 2012

Russian antivirus company says half the computers infected with malware designed to steal personal information are in the U.S. — with 274 located in Cupertino

More than half a million Macs are infected with the Flashback Trojan, a malware package designed to steal personal information, according to a Russian antivirus company.

The company — Dr. Web — originally reported today that 550,000 Macintosh computers were infected by the growing Mac botnet. But later in the day, Dr. Web malware analyst Sorokin Ivan announced on Twitter that the number of Macs infected with Flashback had increased to 600,000, with 274 of those based in Cupertino, Calif.

 

Dr. Web estimates that half a million Macs were infected by the Flashback trojan. averysawaba.blogspot.com/2012/04/over-h… We can’t confirm or deny the figure.

@mikko, at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko – 285 from Finland

More than half of the Macs infected are in the United States (57 percent), while another 20 percent are in Canada, Dr. Web said.

The malware was initially found in September 2011 masquerading as a fake Adobe Flash Player plug-in installer, but in the past few months it has evolved to exploiting Java vulnerabilities to target Mac systems. A new variant that surfaced over the weekend appears to be taking advantage of Java vulnerability for which Apple released a patch yesterday.

As CNET blogger Topher Kessler explains, simply visiting a malicious Web site containing Flashback on an OS X system with Java installed will result in one of two installation routes. The malware will request an administrator password, and if one is supplied, it will install its package of code into the Applications folder. If a password is not offered, the malware will install to the user accounts where it can run in a more global manner.

Once installed, the Flashback will inject code into Web browsers and other applications like Skype to harvest passwords and other information from those program’s users.

Security company F-Secure has published instructions on how to determine whether a Mac is infected with Flashback.

Source:  CNET

Up to 1.5M credit card numbers stolen from Global Payments

Sunday, April 1st, 2012

Payments processor believes no names, addresses, or Social Security numbers were stolen in the security breach

As many as 1.5 million Visa and MasterCard accounts may have been compromised by the recent Global Payments security breach, the payment processor announced this evening.

Credit card numbers may have been exported, but no customer names, addresses, or Social Security numbers were accessed, the company said in a statement. The company believes the breach, which was revealed Friday, was confined to North America.

The nature of the breach, which was originally pegged at 50,000 accounts, has not been revealed. The company also did not say whether it knew of any fraudulent charges resulting from the breach on Global Payments, which processes payments from credit, debit, and gift cards between merchants and banks.

The company said it believes the incident has been contained and it is working with third parties to investigate the incident and minimize impact on customers, although it did not describe those efforts.

“We are making rapid progress toward bringing this issue to a close,” CEO Paul Garcia said in the statement.

MasterCard and Visa have already sent out notices to their customers who may have been affected, informing them of the possible risk.

As a result of the breach, Visa removed Global Payments from its list of approved service providers. Visa told The Wall Street Journal (subscription required) that the move was in response to “Global Payments’ reported unauthorized access.” Visa said it has invited Global Payments to re-apply for validation by submitting evidence that its security is in compliance with Visa’s standards.

Source:  CNET