Archive for December, 2012

Android malware mimics Play, performs DDoS attacks, sends text spam

Monday, December 31st, 2012

Those of you with an Android device should be on the lookout — the security firm Dr. Web is warning users of a new trojan that disguises itself using the Google Play icon. Dubbed Android.DDoS.1.origin, the malware creates an application icon that looks just like the Google Play icon. When opened, the malware actually opens Google Play, helping disguise the malicious activity taking place in the background.

Once Android.DDoS.1.origin is running, it attempts to connect to a remote server and sends the device’s phone number to it. If the connection succeeds, the device is compromised and sits waiting for commands from whoever received that phone number. The cyber hooligans can then make the compromised device send SMS messages, or perform DDoS attacks on a specified target.

Aside from having your device compromised and used in a DDoS attack, the criminals controlling it could also run up SMS and data charges, depending on how often they send messages and launch attacks. The frequency and intensity of that activity could also degrade the performance of a compromised device, since it consumes processor time and memory.

At the moment, Dr. Web reports that it is unclear how the trojan spreads, but it is most likely distributed through social media tactics that get users to download the code themselves in some manner.

As one might expect of a security company, Dr. Web notes that users running Dr. Web products for Android will be protected from the trojan. If you aren’t cool with that, just pay attention to what you download, or don’t enable the feature that allows you to download apps that didn’t come from the Google Play store.

Microsoft says IE 6, 7, and 8 vulnerable to remote code execution

Monday, December 31st, 2012

Attack on users who visited the Council of Foreign Relations website discovered

On Saturday, Microsoft published a security advisory warning users of Internet Explorer 6, 7, and 8 that they could be vulnerable to remote code execution hacks. The company said that users of IE 9 and 10 were not susceptible to similar attacks and recommended that anyone using the older browsers upgrade. Still, customers who still run Windows XP cannot upgrade to IE 9 and 10 without upgrading their OS.

Microsoft’s confirmation comes after reports from several security groups that the attack sprung from the Council of Foreign Relations website, creating a “watering hole attack” that left people who visited the site through older versions of the browser open to further attack.

The company has released a workaround for the problem, and said that it is working on a patch for IE 6, 7, and 8, but did not give a time period as to when those patches would be released. The Council of Foreign Relations told The Washington Free Beacon that it was investigating the situation and working to prevent security breaches like this down the line.

According to The Next Web, the CFR website was compromised with JavaScript that served malicious code to older IE browsers whose language was set to “English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.” The code then created a heap-spray attack using Adobe Flash Player.

While some reports claim that the attack was traced to Chinese hackers, this is unconfirmed. Computerworld describes the hack as highly targeted, however: “In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and like a lion waits at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.”

Computerworld also points out that this vulnerability is similar in timing to a vulnerability that occurred December 28 last year, which Ars reported as having compromised a long list of technologies, including Microsoft’s ASP.NET. Microsoft then published a workaround for ASP.NET website admins in the wake of the discovery of the exploit.


Symantec finds a new trojan that steals data from US banks, customers

Thursday, December 27th, 2012

Nearly half of detected infections are on financial institutions’ servers.

Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack.

According to a post on Symantec’s blog contributed by Symantec employee Alan Neville, Trojan.Stabuniq appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan is relatively low, nearly 40 percent of the systems are financial institutions’ mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies—likely because they are evaluating the threat posed by the Trojan.

The malware appears to be spread by a “phishing” attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer “helper” module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names.

On the surface, this theft seems relatively benign, and Stabuniq is fairly easily removed and blocked once it is discovered. But it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code.


Apache plugin turns legit sites into bank-attack platforms

Wednesday, December 19th, 2012

Module found operating in the wild causes sites to push malware on visitors.

A malicious Apache module found operating in the wild turns sites running the Internet’s most popular Web server into platforms that surreptitiously install malware on visitors’ computers.

The plugin, which was discovered by researchers from antivirus provider Eset, is an x64 Linux binary that streamlines the process of injecting malicious content into compromised websites. It was found running on an undisclosed website that exposed end users to a variety of exploits that installed the ZeuS banking trojan, also known as Win32/Zbot. It also pushed malware from Sweet Orange, a newer exploit kit hosted by servers in Lithuania that competes with ZeuS. When Eset discovered the plugin last month, it was connecting to command and control servers in Germany and was being used to target banking customers in Russia and elsewhere in Europe.

“This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate,” Pierre-Marc Bureau, Eset’s security intelligence program manager, wrote in a blog post. “It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot.”

The Apache plugin, which Eset software flags as Linux/Chapro.A, contains several features designed to make infections stealthy. To prevent being widely detected, it doesn’t serve malicious content when a visitor’s browser user agent indicates it’s coming from Google or another automated search-engine agent. It also holds its fire against IP addresses that connect to the Web server over SSH-protected channels, preventing site administrators from being exposed. It also uses browser cookies and IP logging to prevent visitors from being exposed to exploits more than once. By hiding the attacks from search engines and admins—and making it hard to determine how end-user machines are infected—the features make it harder to identify the site as compromised.

The compromised site found by Bureau was injecting invisible iframe tags into otherwise legitimate webpages. The iframes he observed attempted to exploit at least four previously patched security bugs in Microsoft Internet Explorer, Adobe Reader, and Oracle’s Java software framework. The plugin has the capability to inject malicious JavaScript into Web content, giving it another powerful avenue for attack.
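The two stealth features described above, hidden iframes and content that is only served to some visitors, can both be checked for from the defender’s side. The following is an added example, not Eset’s code or anything from the compromised site: it parses HTML for iframes that are sized or styled to be invisible, and compares the page a browser visitor receives with the page a crawler (or an administrator) receives, to surface content that is being cloaked. The two HTML documents are constructed samples, and the iframe URL is a placeholder; in real use the same URL would be fetched twice with different User-Agent headers and the bodies passed to compare_variants().

```python
"""Detect injected hidden iframes and cloaked content in fetched HTML.

Added example for this archive; not Eset's or Apache's code. The two HTML
documents below are constructed samples, not captures from the site Eset
described. Real use would fetch the same URL twice (browser UA vs. crawler
UA) and feed the response bodies to compare_variants().
"""
from html.parser import HTMLParser
import re

# Constructed sample: what an ordinary browser visitor would receive.
BROWSER_VIEW = """<html><body>
<h1>Welcome</h1>
<p>Legitimate content.</p>
<iframe src="http://example.invalid/landing" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample: what a search-engine crawler (or the admin) would receive.
CRAWLER_VIEW = """<html><body>
<h1>Welcome</h1>
<p>Legitimate content.</p>
</body></html>"""

# Inline styles commonly used to keep an element out of sight.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: a 1x1 (or smaller) frame, or a hiding style, marks the iframe as hidden."""

    def dim(name):
        try:
            return int(str(attrs.get(name) or "").rstrip("px"))
        except ValueError:
            return None  # missing, percentage, or non-numeric dimension

    width, height = dim("width"), dim("height")
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


def find_hidden_iframes(html):
    """Return the src of every iframe in the document that looks hidden."""
    parser = IframeCollector()
    parser.feed(html)
    return [frame.get("src") or "" for frame in parser.iframes if is_hidden(frame)]


def compare_variants(browser_html, crawler_html):
    """Return hidden-iframe sources served to browsers but withheld from crawlers."""
    browser_srcs = set(find_hidden_iframes(browser_html))
    crawler_srcs = set(find_hidden_iframes(crawler_html))
    return sorted(browser_srcs - crawler_srcs)


if __name__ == "__main__":
    print("hidden iframes seen by a browser:", find_hidden_iframes(BROWSER_VIEW))
    print("cloaked from crawlers:", compare_variants(BROWSER_VIEW, CRAWLER_VIEW))
```

Because the module also withholds exploits from addresses that recently connected over SSH, an administrator checking the site from the office will see the clean variant; the comparison therefore needs to be made from a vantage point the module has not seen, such as a separate network with a stock browser User-Agent.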

Bureau didn’t say how the site running the plugin was hacked. Many legitimate websites used in malware attacks are commandeered after administrator credentials are compromised. He said the malicious Apache plugin is separate from a Linux rootkit discovered last month that also injects malicious content into otherwise legitimate webpages.

Engineers who develop and maintain Apache offer programming interfaces that allow anyone to write modules that give the Web server additional capabilities. The module discovered by Eset is almost certainly written by a third party that has no affiliation with the Apache Foundation.


Another data-wiping malware program found in Iran

Tuesday, December 18th, 2012

New Batchwiper malware is unsophisticated but can cause a lot of damage, security researchers say

A new piece of malware that deletes entire partitions and user files from infected computers has been found in Iran, according to an alert issued by Maher, Iran’s Computer Emergency Response Team Coordination Center (CERTCC).

Maher Center described the new threat as a targeted attack, but said that it has a simple design and is not similar to other sophisticated targeted attacks previously seen in the region. “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software,” the center said in its advisory.

Several security companies have confirmed Maher’s findings and said the threat is unsophisticated.

The malware is designed to delete all data from disk partitions identified with letters D to I, as well as files located on the desktop of the currently logged in user, security researchers from antivirus vendor Symantec said Monday in a blog post.

The malware initiates its data wiping routine on certain dates, the next one being Jan. 21 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware’s configuration, suggesting that it may have been in distribution for at least two months.

The Maher Center said the malware’s installer, also known as the dropper, is called GrooveMonitor.exe. That filename was likely chosen as a disguise because it is normally associated with a legitimate Microsoft Office 2007 document collaboration feature called Microsoft Office Groove.

According to an analysis of the new threat by researchers from security firm AlienVault, when the installer is executed, it adds a registry entry that ensures the malware’s persistence across system reboots and creates a Windows batch file containing the data wiping routine.

Because of its use of batch files — script files to be executed by the Windows shell program — the malware has been dubbed “Batchwiper.”

It’s not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spearphishing emails and infected USB drives to other malware already running on computers or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email.

Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said.

Batchwiper is not the first data wiping malware found in the Middle East. Earlier this year, an investigation into a mysterious piece of malware that reportedly destroyed data from Iranian energy sector servers led to the discovery of the Flame cyberespionage threat.

In August, security researchers identified another unrelated piece of malware with data wiping capabilities called Shamoon. The malware is believed to have been used in an attack against Saudi Aramco, Saudi Arabia’s national oil company, and affected thousands of computer systems.

“Kaspersky Lab is currently researching the latest form of data wiping malware that was reported on December 16, 2012 by the Iranian Maher CERT,” a representative of Kaspersky Lab said Monday via email. “Preliminary analysis suggests the malware is unsophisticated and does not appear to be related to the Wiper or Shamoon/DistTrack malware from earlier this year.”

The malware nonetheless points to a trend of destructive code being used in the Middle East region.

“I do agree that this is not common in other parts of the world, and it can suggest that in the Middle East it might be easier for attackers to decide to take such actions to cover their tracks,” Aviv Raff, chief technology officer of Israel-based IT security firm Seculert said via email. Seculert researchers have analyzed Batchwiper and confirm that it doesn’t appear to have any direct connection to Shamoon, he said.


Enterprise IT is on the losing end of Microsoft’s CAL price hike

Monday, December 17th, 2012

Struggling in the mobile market, the vendor still hopes to cash in on the BYOD trend with a 15% increase in the price of user client-access licenses, say analysts.

This month’s price increase for Microsoft client-access licenses (CAL) is a “lose-lose” deal for enterprise customers, but will likely yield a major revenue boost for Microsoft, analysts say.

On Dec. 1, Microsoft overhauled its enterprise license pricing, most notably raising the price of “user” CALs by 15%.

CALs are required for corporate workers to legally access Microsoft software running on application servers.

Microsoft previously priced its two categories of CALs — “device” and “user” — identically. Device CALs are tied to a specific device, typically a desktop or laptop PC. The user CALs allow an enterprise worker to access applications on servers from multiple devices, such as PCs, tablets or smartphones.

“Microsoft is looking for new revenue,” said Daryl Ullman, managing director of Emerset Consulting Group. “Changing licensing is always a way vendors deal with a revenue problem.”

Ullman and other experts see the user CAL price hike as a bid by Microsoft to cash in on the burgeoning bring-your-own-device (BYOD) movement, where people use three or four personal and/or company-owned devices on the job.

It’s no coincidence that the increased revenue will come mostly from mobile devices, experts said.

Today, Microsoft has virtually no mobile presence. So it’s looking to make a quick buck by sponging off the popularity of mobile devices running other vendors’ operating systems, Ullman said.

Jeff Muscarella, a partner with Atlanta-based consultancy NPI, wouldn’t speculate on how the price increase will affect Microsoft’s coffers. But in a report to clients, NPI said that the move “could mean billions” for the vendor.

He said the CAL hike is relatively small, but Microsoft’s licensing schemes remain complicated, which hurts users.

“Whenever licensing is complicated, it benefits the vendor,” he said. “A CFO once told me, ‘Mystery equals margin.’ That’s true with Microsoft.”

Thus, he called the CAL price increase a “lose-lose” proposition for Microsoft’s enterprise customers.

Paul DeGroot, an analyst at Pica Communications, described paying the 15% increase as the “lesser of two evils.”

DeGroot said many companies don’t realize they are obligated to buy client-access licenses for devices, so if Microsoft were to audit their licenses and find there aren’t enough, it could drop the hammer.

“It could get nasty,” DeGroot said. “All those sent emails with the helpful signature ‘Sent from my iPad,’ for example, are tip-offs to underlicensing.”

Even with the price hike, though, DeGroot said he will continue to recommend that clients buy user CALs, reasoning that as mobile devices proliferate, they’re still the better deal.

Some also see Microsoft’s new emphasis on user CALs to be part of a larger strategy to shift customers to subscription-based licensing. “They’ve thought this out,” said Ullman. “They are using the licensing push to get customers to join their cloud wagon, and once you’re hooked, they’ll want to move you to subscription-based licensing.”

Although the price increase went into effect Dec. 1, users will pay already-negotiated fees until their current contracts end.


China reinforces its ‘Great Firewall’ to prevent encryption

Monday, December 17th, 2012

It may be a real problem for Chinese citizens and Westerners, but that hasn’t stopped the Chinese government from using new technology to plug holes in the “Great Firewall of China.”

China has begun reinforcing its infamous firewall with new tech designed to prevent encrypted communication.

To prevent the more enterprising citizens of China from exploiting holes in the country’s firewall through the use of virtual private networks and circumventors, the Chinese government is using new technology to block encryption, according to The Guardian.

The publication reports that both consumers and businesses are being hit by the new Internet barrier, which is able to “learn, discover and block” encrypted channels provided by VPN companies. According to one company that has a customer base in the Asian country, one of the largest telecom providers in the area, China Unicom, is now automatically killing connections to the Internet when a virtual private network is detected.

For Chinese residents, this could mean that Western reading material and Web sites, including social networks, become even harder to access. By using, you can see which sites are currently inaccessible through standard Internet access — and this includes Facebook, Twitter, and YouTube — which may contain content that goes against China’s policies or ethos.

Companies that run a VPN business that reaches out to a Chinese audience must register with the Ministry of Industry and Information Technology, according to The Global Times. In addition, only Chinese companies and Sino-foreign joint ventures are allowed to apply to begin a VPN business in China, possibly due to registration regulations which keep the “Great Firewall of China” operating properly.

The alleged VPN-detection and blocking technology will not only hit audiences that want to access social networks, but will also affect businesses. One executive at a multinational tech firm in China told the publication: “You can’t block all VPNs without blocking businesses, including Chinese businesses. China wants businesses to put regional headquarters in China. It has these economic and business goals that are reliant on modern business infrastructure.”

Source: CNET

Global telecom treaty without Net controls signed by 89 nations

Friday, December 14th, 2012

An international telecommunications treaty signed by 89 countries out of a possible 144 on Friday will have little impact on how carriers operate or how consumers surf the web or make calls around the world when it comes into effect in 2015.

But the acrimonious debate over the treaty – and the refusal of so many countries, including the United States and much of Europe, to sign up immediately – has exposed a deep split in the international community.

A U.S.-led bloc advocated a hands-off approach to the Internet, while Russia, China and much of Africa and the Middle East sought greater governmental oversight of cyberspace.

About 150 nations met in Dubai, under the auspices of the International Telecommunication Union (ITU), to update a set of telecom rules dating back to 1988, before the Internet and mobile phones transformed communications. Their failure to find a consensus may herald a new fight over cyberspace.

“The world will still be around and countries will still cooperate along the lines they have done for decades,” said Paul Budde, managing director of Sydney-based consultancy BuddeCom. “However, they have clearly drawn a line under how far they believe the ITU can go in relation to regulations that include the Internet.”

As in a prior version, the International Telecom Regulations spell out guidelines on technical issues such as how carriers charge each other for incoming international phone calls, as well as taxation and accounting.

Countries that sign the treaty are supposed to be guided by its principles, although these have no force of law.

Users in countries that block certain content will still experience the same version of the Internet, while telecom operators will feel little impact because international call charges are decided via commercial contracts between them.

The new version added passages that became flash points: for example, four lines pushed by Russia and China on how governments should protect the security of networks.

The United States took a no-compromise position throughout negotiations, refusing to consider any references to the Internet in the treaty. Other countries instead agreed to restrict any explicit Internet provisions to a non-binding resolution that accompanies the treaty.

In the end, the debate over the Internet overshadowed all else at the summit, despite the ITU insisting that regulating cyberspace was not on the agenda.

As a result, some countries in Africa and the Middle East felt the controversy overshadowed important reforms, such as provisions to improve broadband access to landlocked and island nations, which may be weakened by fewer countries signing the treaty.

Other measures include a call for greater transparency in roaming charges, which the ITU hopes will end “bill shock”, plus commitments to improve disabled access to telecom services and for governments to reduce telecom equipment waste.

A clause calling for countries to stop “unsolicited bulk electronic communications” – spam – drew the ire of the U.S. bloc, which said it could be interpreted by governments to block emails, an accusation the ITU vehemently denied.

“Whatever is in place now doesn’t seem to be working and this treaty calls on governments – it’s a dirty word for some, but somebody has to do it – to cooperate to see what we can do better in that area,” said Richard Hill, chief counselor for International Telecommunication Union’s Dubai summit.

These issues are more vital in developing countries, with other countries having already addressed them to a large extent, so richer nations had less incentive to sign the treaty.

“That’s certainly the case, but it’s no secret they’re not signing for political reasons,” added Hill.

After 12 days of rancorous, largely private negotiations, the bad feeling between the two opposing camps may take some time to ease. Delegates from the pro-treaty group accused the United States and Europe of reneging on a compromise agreement that fell apart on Thursday.

ITU officials on Friday gave an upbeat interpretation of the summit, predicting many of the countries that had yet to sign the treaty would do so once they have consulted with their respective legislatures. But the failed attempts by some member states to significantly extend the ITU’s remit into the Internet have weakened the 147-year-old organization.

“The ITU won’t become irrelevant but it tried to claim some of the Internet without having the mandate to do so,” said a European delegate who declined to be identified. “It saw an opportunity, but both the triumph and the curse of the ITU is that it can’t instigate anything, it depends on member states – some said let’s expand the mandate and others said let’s not.”

Source: Reuters

Intruders hack industrial heating system using backdoor posted online

Friday, December 14th, 2012

Same control systems are used by FBI, IRS, and Pentagon.

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a “Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the memo, which was issued in July. “All areas of the office were clearly labeled with employee names or area names.”

An IT contractor for the unnamed business told FBI agents the “Niagara control box was directly connected to the Internet with no interposing firewall,” according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.

The unauthorized access began in February, a few weeks after someone using the Twitter handle @ntisec posted comments indicating hackers were targeting SCADA—or supervisory control and data acquisition—systems. One tweet included a list of Internet addresses, including one that was assigned to the heating system belonging to the New Jersey business. The hack came five months before security researchers Billy Rios and Terry McCorkle blew the whistle on serious vulnerabilities in the Niagara system, which is marketed by Tridium, a company with US offices located in Richmond, Virginia.

Only getting worse

The revelation that Niagara vulnerabilities have been actively exploited in the wild is significant because the system is widely used to control critical equipment used around the world. Further, the number of Internet-facing Niagara systems appears to be growing. A search using the Shodan computer search engine late last year found about 16,000 systems, with more than 12,000 of those based in the US, according to Billy Rios, one of the security researchers who documented the vulnerabilities in the industrial control system. This year, the same search returned more than 20,000 systems, with about 16,000 of them in the US. While patches released earlier this year apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to show “tons” of systems running earlier versions, including 1.1, Rios said.

“These things keep popping up,” he told Ars. “It’s not going away. It’s getting worse.”

Perhaps the only other documented case of an industrial control system being breached in the US came in 2009, when a security guard abused his physical access to breach computers that controlled air-conditioning systems at a Texas hospital. The intrusion came to light after he posted screenshots and other evidence showing he had control of the systems that cool operating rooms and other critical areas of the Texas facility, where temperatures regularly hit the triple digits. He has spent most of his time since in federal prison.

The FBI’s “Situational Information Report” referred to the hacked company as US Business 1 and described it as a New Jersey air conditioning company. The report said the system the hackers intruded on controlled the company’s internal heating, ventilation and air conditioning units.

“The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller,” the memo stated. “US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall.”

The memo continued: “US Business 1 had a controller for the system that was password protected, but was set up for remote/Internet access. By using the link posted by the hacktivist, the published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login. The backdoor required no password and allowed direct access to the control system.”

The incident underscores the prevalence of industrial control systems that are connected to the Internet. Security consultants have long considered the practice to be unsafe. Sadly, they say, the convenience IT employees get from being able to administer those systems from home or other remote locations often trumps security concerns. There are about 300,000 instances of the Niagara framework installed worldwide, according to Tridium’s website.
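The two conditions the memo describes, a controller reachable from the Internet with no interposing firewall and logins from multiple unauthorized US and international addresses, are both things a site can check for itself. The following is an added example, not Tridium’s, the FBI’s, or the affected company’s code: it reviews a rule set for any allow rule that exposes the controller to sources outside the management networks, and scans the controller’s web-GUI access log for source addresses that fall outside those networks. The management networks, controller address, rule set and log lines are all constructed placeholders.

```python
"""Check whether a building-automation controller is reachable from the Internet
and whether its web GUI has been reached from outside the management networks.

Added example for this archive; not Tridium's or the FBI's code. Every
address, network, rule and log line below is a constructed placeholder.
"""
import ipaddress

# Constructed: the only networks that should ever reach the controller's GUI.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.5.0/24"),
]

# Constructed placeholder for the controller's address.
CONTROLLER = ipaddress.ip_address("10.20.0.50")

# Constructed firewall rules as (action, source_cidr, destination_ip, destination_port).
RULES = [
    ("allow", "10.20.0.0/24", "10.20.0.50", 443),   # management net to the GUI: fine
    ("allow", "0.0.0.0/0", "10.20.0.50", 80),       # the "no interposing firewall" case
    ("allow", "192.168.5.0/24", "10.20.0.60", 22),  # different host, not the controller
]

# Constructed access-log lines from the controller's web GUI: "<source ip> <method> <path> <status>".
ACCESS_LOG = [
    "10.20.0.7 GET /login 200",
    "203.0.113.9 GET /login 200",
    "198.51.100.4 GET /floorplan 200",
    "192.168.5.12 GET /login 200",
]


def exposed_rules(rules, controller, allowed_nets):
    """Return (source_cidr, port) for allow rules whose source is not confined to a management net.

    A rule whose source range is not a subnet of one of the allowed networks
    (0.0.0.0/0 included) means the controller is reachable from the Internet.
    """
    flagged = []
    for action, src, dst, port in rules:
        if action != "allow" or ipaddress.ip_address(dst) != controller:
            continue
        src_net = ipaddress.ip_network(src)
        if not any(src_net.subnet_of(net) for net in allowed_nets):
            flagged.append((src, port))
    return flagged


def foreign_sources(log_lines, allowed_nets):
    """Return the distinct source addresses that reached the GUI from outside the management nets."""
    hits = set()
    for line in log_lines:
        src = ipaddress.ip_address(line.split()[0])
        if not any(src in net for net in allowed_nets):
            hits.add(str(src))
    return sorted(hits)


if __name__ == "__main__":
    print("rules exposing the controller:", exposed_rules(RULES, CONTROLLER, MANAGEMENT_NETS))
    print("GUI access from outside management nets:", foreign_sources(ACCESS_LOG, MANAGEMENT_NETS))
```

The rule review is deliberately strict: a source range is only acceptable if it sits entirely inside a management network, so a rule permitting a whole public range, not just 0.0.0.0/0, is flagged. The log check is the complementary detective control; a password-protected login is no help when, as the memo describes, a second path into the same GUI needs no password at all, so any request from outside the expected networks deserves attention regardless of which path it used.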


FCC moves to open wireless spectrum to commercial and military uses

Thursday, December 13th, 2012

The U.S. Federal Communications Commission has voted to move forward on plans to have the U.S. military share wireless spectrum in the 3.5GHz band with commercial users.

The FCC on Wednesday voted to approve a notice of proposed rulemaking to allow small cells to operate in the 3.5GHz band, now used by high-power military radar services.

The proposed citizens broadband service would include 100MHz from the 3.5GHz band and another 50MHz from the 3.6GHz band, which is now used by wireless Internet service providers.

In the notice, the FCC proposed new rules and asked for public comment on them. The FCC late Wednesday also moved to make another 50MHz of spectrum available for commercial mobile uses.

The U.S. National Telecommunications and Information Administration (NTIA) first recommended in 2010 that the FCC look at sharing in the 3.5GHz spectrum, but the plan received a cool reception because high-band spectrum isn’t generally seen as good for mobile broadband and because radar uses would limit the use of the spectrum in many areas.

However, in July, the President’s Council of Advisors on Science and Technology (PCAST), an advisory group to President Barack Obama, pushed spectrum sharing, including the 3.5GHz band, as a way to deal with upcoming spectrum shortages.

Because of the PCAST recommendations, “rather than discarding this spectrum as junk, we are staring at new opportunities for small cells,” said Commissioner Jessica Rosenworcel. “This is a big deal.”

What might change

The 3.5GHz band could drive new innovations in small-cell technology, said FCC Chairman Julius Genachowski. “We shouldn’t lose sight of the fact that this is a 100-megahertz proceeding,” he said. “This has enormous potential for the country.”

Under the FCC proposal, military radar users would have priority on the shared spectrum, with protection from interference. A second group of users, including hospitals and public safety agencies, would have the second highest priority, with other commercial uses subject to interference from the two priority groups. The FCC proposes to use a spectrum-use database to prevent interference.

The Telecommunications Industry Association, a trade group, and Qualcomm both praised the FCC vote. “Small cells, when deployed in conjunction with macro cells using smart network technology, will expand capacity substantially, enhance network coverage and reliability, and even improve position location accuracy. Small cells will require a predictable quality of service, and, therefore, the spectrum must be shared on an authorized basis,” Qualcomm said in a statement.

Also, the commission late Wednesday voted to free up 40MHz of satellite spectrum for land-based mobile broadband service. The commission, outside of its public meeting, voted to free up the AWS-4 band, which owner Dish Network plans to use to build an LTE network by 2016, and the FCC also approved a notice of proposed rulemaking to auction the so-called H Block in the 1900MHz PCS spectrum in 2013.

Sprint Nextel has expressed interest in the H block but had long expressed concerns that mobile broadband in the nearby AWS-4 spectrum would cause interference. The FCC made a “balanced and equitable decision” to deal with the AWS-4 and H blocks, Sprint said in a statement.


Microwave vies with fiber for high-frequency trading

Tuesday, December 11th, 2012

Stock traders turning to legacy microwave technologies for faster communications

In the world of high-frequency trading, where being ahead of the competition by a few milliseconds can mean profits worth millions of dollars, finance firms are increasingly looking to decades-old microwave technologies for a competitive edge.

Such firms are finding that wireless microwave technology, despite being in use for more than half a century, can deliver data a few milliseconds faster than fiber-optic cable. As a result, the once-stagnant industry of microwave communications is finding itself in an “arms race” among vendors of new competitive offerings, said Mike Persico, CEO of financial exchange service provider Anova Technologies.

“If you want to transport a little bit of data very fast, physics tells you that you have to go through air. Fiber is just not a good idea. It will slow you down,” explained Stéphane Tyč, co-founder of Quincy Data, which provides microwave services to financial firms.

Tyč was one of a number of speakers who discussed the increasing use of microwave technologies at the Quant Invest conference last week in New York.

For financial services firms, getting some piece of competitive intelligence a few milliseconds faster than their competitors can be worth the cost of securing a faster link. Stock trades can take less than a millisecond to execute.

Microwave technologies have been in use for point-to-point connections for decades by the military and by broadcast television stations. Point-to-point wireless microwave transmissions, which operate in the 1.0GHz to 30GHz part of the spectrum, require line of sight, though signals can be repeated along the route. A good signal — such as between two mountaintops — can travel as much as 300 kilometers, or around 186 miles.

Microwave use has declined in the past few decades as fiber-optics communications has been able to offer greater bandwidth. These days, the largest microwave link can offer only 150Mbps, though work is being done to develop gigabit microwave technologies.

One advantage microwave still possesses, however, is speed of transmission. Electromagnetic waves travel faster through air than through glass. Light, an electromagnetic wave, can travel at 300,000 kilometers (186,000 miles) per second in a vacuum, and nearly that quickly through air. Light, however, can only travel at about 200,000 kilometers per second in even the clearest glass.

Another speed advantage microwave technologies offer is that their paths tend to be shorter, because signals can be beamed across the most direct path between two points. The length of fiber-optic routes tends to be elongated due to the inability to get right-of-way along the most optimal routes.

One new hot market for microwave providers is between New York and Chicago, both cities with many financial services firms. In 2010, Quincy Data had applied with the U.S. Federal Communications Commission to secure a pathway between Chicago and New York. It found only one other provider that had also submitted a similar request. Since then dozens of other carriers have submitted requests to the agency. Quincy Data has been operational since July selling throughput between the two cities.

Based on the speed of light, the theoretical limit for sending information between New York and Chicago is 7.96 milliseconds. Right now, the state-of-the-art among microwave service providers is about 8.5 milliseconds, Persico said, noting how different providers are trying to secure the fastest rights-of-way and are developing technologies with the lowest latencies, all in an effort to offer the fastest sub-millisecond services for financial firms.

“We’ve been looking at [microwave technologies] for about a year now, in both Europe and the U.S.,” said Ian Jack, head of the U.S. infrastructure business for the New York Stock Exchange, during a panel discussion on the topic. “We’re looking at what the vendor community is doing and trying to leverage that as much as possible.”

Performance is still a big factor, Jack said. Performance “is one of our big challenges as a potential buyer. If you look at the actual uptime for services, it’s not brilliant. Every vendor has a new change, a revelation just around the corner, but we have yet to see that.”

Rain can hamper performance with microwave technologies. So can low-lying clouds. “Interference can bring an entire network down, and you don’t have that with fiber-optic networks,” Persico said. He noted that, eventually, microwave technology vendors will compete more on how robust their networks are, once they offer approximately the same latency times.


Japanese team targets 24Tbps optical fiber by 2014

Tuesday, December 11th, 2012

Fujitsu, NTT and NEC have created a research group which aims to transmit 60 channels of 400Gbps each over a fiber

Three of Japan’s tech giants will work together to increase data transmission speeds over optical fiber, aiming for 400Gbps per channel by 2014.

Fujitsu, NTT and NEC said Tuesday they will aim to combine 60 channels using the new technology, to achieve a total data transmission rate of around 24Tbps over a single optical fiber. The companies said they will advance current techniques for multiplexing and modulation of signals, and tackle the degradation of optic signals over large distances.

In addition to brute speed, an obvious requirement as more data is exchanged online, the companies said they would try to make the new network technology as adaptable as possible to handle sudden fluctuations and changes in the network. The earthquakes that regularly rock Japan are a major test for its networks, both because of the physical damage they cause and the sudden spikes in traffic that follow as the population tries to connect and get the latest news.

A major goal of the project will be to slash power consumption to less than half of that of technologies in use today, mainly by cutting down on the amount of hardware required, the companies said in a joint news release. They will also aim to develop a single device that can both modulate and demodulate traffic, for more overall network flexibility.

Faster fiber speeds have been achieved in the past under research conditions. NTT announced it set a world record in September when it hit one petabit per second in transfers over a single 50-kilometer fiber, which it said is the equivalent of sending 5,000 two-hour high-definition videos per second.

The same companies previously teamed up, starting in 2009, to develop transmission technology that can yield 100Gbps per channel. A product based on that research went on sale earlier this year, and the companies said their chip implementation for converting signals at those speeds is the global market leader.

The new research will be sponsored by Japan’s Ministry of Internal Affairs and Communications as part of a larger project to promote Japanese network technology. The government’s “Research and Development Project for the Ultra-high Speed and Green Photonic Networks” is partly aimed at establishing networks that are fast and flexible enough to quickly recover when base stations are knocked out by large-scale natural disasters.


Hacktivists Ghost Shell dump 1.6m log-in details on web

Tuesday, December 11th, 2012

Log-in details from 1.6 million accounts have been posted on the web by hacktivist group Ghost Shell.

The group gathered the data during a series of attacks on Nasa, the FBI, the European Space Agency and many other government agencies and contractors.

Included in the dump were log-in names, passwords, email addresses and CVs, plus the contents of online databases.

The group said it had sent messages to security bosses about 150 insecure servers it had targeted in the attacks.

In a statement posted to the Pastebin website, Ghost Shell said the attacks were part of its #ProjectWhiteFox campaign to promote freedom of information online.

The data stolen was posted on several different sites to stop it being swiftly found and deleted.

Images posted to the Pastebin page suggest the hacking group accessed some sites by attacking the databases many companies use to catalogue and curate website content.

With cleverly crafted queries, attackers can make these databases cough up data they should be concealing.
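The “cleverly crafted queries” described above are the classic injection weakness in web-facing database code. The following is an added example, not code from the BBC report or from any site named in it: it builds a constructed in-memory SQLite table and shows the string-built query that a crafted username can subvert next to the parameterized form that defends against it. Function and table names are hypothetical.

```python
"""Added example: a string-built lookup query beside its parameterized fix (SQLite)."""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample: a small content-management 'users' table with fake rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("editor1", "editor1@example.invalid", "editor"),
        ("admin", "admin@example.invalid", "admin"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: the untrusted value is spliced into the SQL text, so quote
    characters in it change the structure of the query the database parses."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "' OR '1'='1"  # a tautology that makes the WHERE clause always true
    print("vulnerable  :", lookup_vulnerable(db, crafted))     # every row leaks
    print("parameterized:", lookup_parameterized(db, crafted))  # no such username
    print("normal lookup:", lookup_parameterized(db, "admin"))
```

The same rule applies to every driver: never build SQL from request data by string formatting, and treat any query that must assemble identifiers dynamically (table or column names, which cannot be bound) as needing an allow-list check instead.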

As well as mounting attacks on government agencies, the group also targeted contractors and firms working for the US Department of Defense.

In all, 37 separate organisations, agencies and businesses were hit during the campaign.

The group, which is an offshoot of the Anonymous hacking collective, has carried out a series of attacks in 2012.

Details from millions of accounts held at businesses, universities and Russian government departments and companies have all been posted by the group.

It said #ProjectWhiteFox was the last operation it would carry out in 2012.

Source: BBC

25-GPU cluster cracks every standard Windows password in <6 hours

Monday, December 10th, 2012

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft’s LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

“What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate,” Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. “We can attack hashes approximately four times faster than we could previously.”

Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined “Why passwords have never been weaker—and crackers have never been stronger,” Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

Using the new cluster, the same attack would have moved about four times faster. That’s because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can’t be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

The technique doesn’t apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account.

The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking. But until now, limitations imposed by computer motherboards, BIOS systems, and ultimately software drivers limited the number of graphics cards running on a single computer to eight. Gosney’s breakthrough is the result of using VCL virtualization, which spreads larger numbers of cards onto a cluster of machines while maintaining the ability for them to function as if they’re on a single computer.

“Before VCL people were trying lots of different things to varying degrees of success,” Gosney said. “VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It’s also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller.”

The precedent set by the new cluster means it’s more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other “fast” algorithms, functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt.

For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren’t enough. Given the prevalence of cracking lists measured in the hundreds of millions, it’s also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn’t contained in such lists is to choose a text string that’s randomly generated using Password Safe or another password management program.
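The three points above, the 95^8 keyspace arithmetic, the “run guesses through the same function” model of offline cracking, and the case for deliberately slow hashes, can be put in one runnable piece. This is an added example and not code from Ars, Gosney or Hashcat: it computes how long a given guess rate needs to exhaust a keyspace, contrasts unsalted SHA1 (the LinkedIn case) with salted PBKDF2-HMAC-SHA256 from Python’s standard library, and includes a defender-side audit that checks a leaked unsalted dump against a known cracking list so the exposed accounts can be reset first. The sample dump, the wordlist and all function names are constructed for the example; the 350 billion/s figure is the article’s.

```python
"""Added example: keyspace cost, fast vs slow password hashing, and a leaked-dump audit."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

PRINTABLE_ASCII = 95  # upper/lower letters, digits and symbols, as in the article's 95^8


def brute_force_seconds(length: int, guesses_per_second: float,
                        charset_size: int = PRINTABLE_ASCII) -> float:
    """Seconds needed to try every password of `length` characters at a given guess rate."""
    return charset_size ** length / guesses_per_second


def fast_hash(password: str) -> str:
    """Unsalted SHA1, the kind of 'fast' hash the LinkedIn dump used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt. The iteration count is the knob
    that makes every guess cost roughly `iterations` SHA256 computations instead of one,
    and the salt stops one guess from being checked against every user at once."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"  # self-describing record


def verify_slow(password: str, stored: str) -> bool:
    """Recompute from the parameters stored with the hash and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_fn: Callable[[str], str], trials: int = 20) -> float:
    """Crude single-core guess rate for a hash function (one guess is one hash)."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess-{i}")
    return trials / (time.perf_counter() - start)


def exposed_accounts(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender-side audit of a leaked *unsalted* SHA1 dump: which accounts chose a
    password that sits in a known cracking list and therefore need a forced reset.
    Because there is no salt, each candidate is hashed once and matched against all users."""
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


if __name__ == "__main__":
    rate = 350e9  # the cluster's NTLM guess rate quoted in the article
    for n in (8, 9, 13):
        print(f"{n} chars at 350 G/s: {brute_force_seconds(n, rate) / 3600:,.1f} hours")
    print(f"SHA1  : {guesses_per_second(fast_hash, 5000):,.0f} guesses/s on one core")
    print(f"PBKDF2: {guesses_per_second(slow_hash):,.0f} guesses/s on one core")
    # Constructed sample dump: two users picked wordlist passwords, one did not.
    dump = {"alice": fast_hash("password"), "bob": fast_hash("letmein"),
            "carol": fast_hash("Tq7!vR2^xLp9#fWm")}
    print("reset first:", exposed_accounts(dump, ["123456", "password", "letmein"]))
```

Running it shows why the article’s advice stacks: going from eight to nine characters multiplies the exhaustive-search time by 95, and switching the stored form from SHA1 to PBKDF2 divides the attacker’s guess rate by the iteration count, which is the same lever Bcrypt and SHA512crypt pull.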

Slides of Gosney’s Passwords^12 presentation are here.


Sophisticated botnet steals more than $47M by infecting PCs and phones

Wednesday, December 5th, 2012

Intercepts SMS messages from bank, defeating two-factor authentication.

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks’ use of two-factor authentication for transactions by intercepting messages sent by the bank to victims’ mobile phones.

The malware and botnet system, dubbed “Eurograbber” by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims’ bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday (PDF).

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim’s browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a “security upgrade” from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber’s attack.

With the phone number and platform information, the attacker sends a text message to the victim’s phone with a link to a site that downloads what it says is “encryption software” for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim’s balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Check Point and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web “drive-by download” exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.


Android devices in U.S. face more malware attacks than PCs

Tuesday, December 4th, 2012

Android devices are now attacked more often by malware than PCs, according to a report released Tuesday by a cyber security software maker.

The 2013 Security Threat Report from Sophos revealed that almost 10 percent of Android devices in the U.S. have experienced a malware attack over a three-month period in 2012, compared to about 6 percent of PCs.

The situation is worse in Australia, where more than 10 percent of Android devices have been attacked by malware, compared with about 8 percent for PCs.

With 52.2 percent of the smartphone market in the United States, Android has become a tempting target, Sophos reported. “Targets this large are difficult for malware authors to resist,” the report said. “And they aren’t resisting – attacks against Android are increasing rapidly.”

Sophos noted that the most common malware attack on Android involves installing a fake app on a handset and secretly sending expensive messages to premium-rate SMS services.

Cyber criminals have also found ways to subvert two-factor authentication used by financial institutions to protect mobile transactions, according to the report. They do that by planting eavesdropping malware on a handset to obtain the authentication code sent to a phone by a bank to complete a transaction.

During 2012, the report said, hackers showed ambition by attacking more platforms – social networks, cloud services and mobile devices – and nimbleness by rapidly responding to security research findings and leveraging zero-day exploits more effectively.

In addition, hackers attacked thousands of badly configured websites and databases, using them to expose passwords and deliver malware to unsuspecting Internet users, the report noted.

More than 80 percent of all “drive-by” attacks on unsuspecting Web surfers occur at legitimate websites, according to the report.

It explained that attackers hack into legitimate websites and plant code that generates links to a server distributing malware. When a visitor arrives at the legitimate site, their browser will automatically pull down the malicious software along with the legitimate code from the website.

The Sophos report also identified the five riskiest and safest countries in the world for experiencing malware attacks. Hong Kong was the riskiest country, with 23.54 percent of its PCs experiencing a malware attack over a three-month period in 2012. It was followed by Taiwan (21.26 percent), the United Arab Emirates (20.78 percent), Mexico (19.81 percent) and India (17.44 percent).

Norway (1.81 percent) was the safest country against malware attacks, followed by Sweden (2.59 percent), Japan (2.63 percent), the United Kingdom (3.51 percent) and Switzerland (3.81 percent).

“Security really is about more than Microsoft,” the report said. “The PC remains the biggest target for malicious code today, yet criminals have created effective fake antivirus attacks for the Mac.

“Malware creators are also targeting mobile devices as we experience a whole new set of operating systems with different security models and attack vectors,” it added. “Our efforts must focus on protecting and empowering end users – no matter what platform, device, or operating system they choose.”


Japan’s space agency hit by malware for second time in a year

Tuesday, December 4th, 2012

Epsilon rocket programme details reportedly breached

Japan’s Aerospace Exploration Agency (JAXA) has reportedly suffered its second major malware incident in under a year after an attack that has resulted in the leaking of details of the country’s top-secret Epsilon rocket programme.

According to unconfirmed reports, on 21 November JAXA discovered an unidentified data-stealing “virus” on a computer at the Tsukuba Space Centre used to store details of the country’s prestigious solid fuel rocket programme.

No further malware was found on nearby systems, officials reported, which has raised the question of whether this was a conventional malware attack or something more targeted.

If it is a conventional attack, it would be a remarkable coincidence.

Japanese Government agencies have suffered an embarrassing string of attacks in the last three years, but the most obvious precedent is a Trojan attack that affected JAXA itself as recently as January 2012.

In that attack, attackers compromised data relating to the H-II ‘Konotori’ space vehicle used to supply the International Space Station (ISS), about as embarrassing an outcome as it is possible to imagine for a national space programme with global ambitions.

News of a second breach won’t go down well with the country’s prospective partners. Due for launch in 2013, the Epsilon programme includes the M-5, H2A and H2B rockets.

The chief suspect for the attacks will be China, a country that has in the past been quietly blamed for a string of attacks on politicians, the country’s Parliament, and a range of defence and infrastructure companies since 2010.


Security firms warn of spreading Windows AutoRun malware

Tuesday, December 4th, 2012

The significant increase in infections is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files

Antivirus vendors are warning customers of a spreading malware that can infect computers through a well-known bug in the Windows AutoRun software used to automatically launch programs on a DVD or USB device.

The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files, and social media.

Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Trend Micro reported that malware was also spreading on Facebook.

Other vendors tracking the malware include McAfee, Symantec and Sophos. While it is interesting that cyber criminals are still exploiting a four-year-old AutoRun bug, Sophos says most corporate PCs are being infected through network sharing.

Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network, said Chester Wisniewski, a senior security adviser for Sophos.

“I would say the AutoRun part of it is probably not the source of the majority of infections,” Wisniewski said on Friday. “It’s just an interesting note that [criminals] are still using it. I think spreading through the file shares is probably the primary vector to get people in trouble.”

Microsoft released an AutoRun patch in 2009, a month after the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning that Windows 2000, XP and Server 2003 did not properly disable the feature. Microsoft had patched AutoRun a year earlier in Vista and Windows Server 2008.

The infamous Stuxnet malware created an autorun.inf file to infect computers via USB drives. Stuxnet, created jointly in 2009 by the U.S. and Israel, reports The New York Times, damaged Iranian nuclear facilities.

The latest malware disguises itself as files and folders in writeable network shares and removable devices, while hiding the originals. The application will also create .exe files named “porn” and “sexy” and a folder called “passwords,” to entice people to click on them, Sophos said.

The malware adds a registry key, so it can start when a PC is booted up. Variants of the application will disable Windows Update to prevent the victim from downloading patches to disable the malware.

Once a PC is infected, the application follows the typical procedure for such malicious software. It contacts a command-and-control server for instructions and to receive other applications. Malware downloaded includes Trojans in the Zeus/Zbot family, which steal online banking credentials, Sophos said.

To combat the malware, security experts recommend disabling AutoRun on all Windows operating systems and restricting write permissions to file shares. Depending on the AV vendor, the malware has several names, including W32/VBNA-X, W32/Autorun.worm.aaeb, W32.ChangeUp and WORM_VOBFUS.
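The disguise pattern described above (an .exe named after a real file or folder whose original is hidden, lure names such as “porn”, “sexy” and “passwords”, and an autorun.inf on removable media) can be hunted for on a mounted share or USB drive without any vendor tooling. The following is an added example, not code from Sophos, Trend Micro or any of the vendors named: it walks a directory tree and reports executables that mimic a sibling entry, entries carrying the lure names, and any autorun.inf whose `open=` or `shellexecute=` key points at a program. The sample tree it builds is constructed for the example, the function names are hypothetical, and the heuristic is deliberately simple (it looks only at `.exe` names, the extension the article mentions), so treat its output as a triage list rather than a verdict.

```python
"""Added example: auditing a writeable share or removable drive for the AutoRun-worm disguise pattern."""
import configparser
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

LURE_NAMES = {"porn", "sexy", "passwords"}  # names the article reports the worm uses


def autorun_target(inf_path: Path) -> Optional[str]:
    """Program an autorun.inf would launch ([autorun] open= or shellexecute=), or None."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read(inf_path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    for section in cfg.sections():
        if section.lower() == "autorun":
            return cfg[section].get("open") or cfg[section].get("shellexecute")
    return None


def find_disguised_executables(root) -> List[Tuple[str, str]]:
    """Return (path relative to root, reason) pairs for suspicious entries."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        siblings = set(dirnames) | set(filenames)
        for name in filenames:
            path = here / name
            rel = str(path.relative_to(root))
            if name.lower() == "autorun.inf":
                target = autorun_target(path)
                if target:
                    findings.append((rel, f"autorun.inf launches '{target}'"))
                continue
            if path.suffix.lower() != ".exe":
                continue
            if path.stem.lower() in LURE_NAMES:
                findings.append((rel, "lure name"))
            elif path.stem in siblings:
                # "Reports.exe" beside a "Reports" folder, "budget.xlsx.exe" beside "budget.xlsx"
                findings.append((rel, f"mimics sibling '{path.stem}'"))
        for d in dirnames:
            if d.lower() in LURE_NAMES:
                findings.append((str((here / d).relative_to(root)), "lure folder"))
    return findings


def build_sample_share() -> str:
    """Constructed sample tree mirroring the article's description; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="share-audit-"))
    (root / "Reports").mkdir()              # real folder the worm would hide
    (root / "Reports.exe").touch()          # executable that mimics it
    (root / "budget.xlsx").touch()
    (root / "budget.xlsx.exe").touch()      # executable that mimics a document
    (root / "sexy.exe").touch()             # lure name
    (root / "passwords").mkdir()            # lure folder
    (root / "tools").mkdir()
    (root / "tools" / "installer.exe").touch()  # ordinary executable, must not be flagged
    (root / "autorun.inf").write_text("[autorun]\nopen=Reports.exe\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for rel, reason in find_disguised_executables(build_sample_share()):
        print(f"{reason:40s} {rel}")
```

Run it against a real share root to get a list worth checking by hand; the two mitigations the article names, disabling AutoRun everywhere and removing write access to shares for accounts that do not need it, remove both of the conditions this scan looks for.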

The latest outbreak arrives about a year and a half after Microsoft reported big declines in AutoRun infection rates. In the first five months of 2011, the number of AutoRun-related malware detected by Microsoft fell 59 percent on XP computers and 74 percent on Vista PCs, compared with 2010.


ITU packet inspection standard raises serious privacy concerns

Saturday, December 1st, 2012

The Center for Democracy and Technology says the standard suggests a world where even encrypted communications may not be safe from prying eyes

The UN’s telecommunications standards organization has approved a standard for deep packet inspection (DPI) that raises serious concerns about privacy, the Center for Democracy and Technology said.

That the ITU-T is showing an interest in deep packet inspection suggests some governments hope for a world where even encrypted communications may not be safe from prying eyes, according to the CDT.

The adoption of the standard — officially known as “Requirements for Deep Packet Inspection in Next Generation Networks” or “Y.2770” — happened last week during the World Telecommunication Standardization Assembly (WTSA), which is held every four years and defines what the ITU-T should focus on.

The biggest concern is that the standard holds very little in reserve when it comes to privacy invasion, the CDT wrote on its website Wednesday.

“There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology,” said Alissa Cooper, chief computer scientist at the CDT.

The standard barely even acknowledges that there is a privacy risk at all, according to Cooper.

“What we like to see, at the very least, is a thorough analysis of what the pros and cons are, and how you can build in mitigation for some of the more invasive aspects of the technology. But this has none of that,” Cooper said.

For example, the standard document optionally requires DPI systems to support inspection of encrypted traffic, which is “antithetical to most norms, policies, and laws concerning privacy of communications,” the CDT wrote.

The CDT’s concerns are backed by European digital rights group EDRi.

“The problem with the ITU is that it is a large bureaucracy that doesn’t have enough to do, and rather than sitting quietly in their office counting paper clips, they are trying to find things to do that generally aren’t helpful,” Joe McNamee, executive director at EDRi, said.

In the Western world, there is an urgent need to make decisions about deep packet inspection, because it is extremely invasive and is being rolled out without any particular thought, according to McNamee.

Some involved in the standardization work have also indicated concerns — earlier this year Germany delayed the approval process because it had objections to a draft version of the standard.

For example, Germany believes that the ITU-T should not standardize any technical means that would increase the exercise of control over telecommunications content, according to a Word document published on the CEPT website. The CEPT consists of European state telecommunications and postal organizations.

What the ITU’s powers should be and if its standards, or recommendations as they are officially called, should in some cases become mandatory will be up for discussion at next week’s World Conference on International Telecommunications (WCIT) conference in Dubai.

It’s not clear whether companies will build new DPI equipment to meet the ITU-T requirements or what further DPI standards the ITU-T will approve, according to CDT. But the standard approved at WTSA provides further evidence of why proposals for mandatory standards should be struck down during WCIT, the CDT said.

The ITU-T did not respond to a request for comment.