Monday 25 January 2010

China hacks used as lure for more targeted attacks

By Jaikumar Vijayan
Computerworld
January 22, 2010

Malicious hackers have begun using the recent cyberattacks against Google and more than 30 other companies as lures for launching even more targeted attacks, security firm F-Secure said in a blog post today.

The company reported spoofed e-mails purporting to contain details on the alleged Chinese attacks and carrying a PDF attachment. When the PDF is opened, it installs and runs a backdoor named Acrobat.exe on the user's machine.

A screen shot posted on F-Secure's Web site showed an e-mail designed to look like it came from George Washington University. The e-mail, with the subject header 'Chinese cyberattack,' offered the target a review of an article on the recent attacks that the purported author had just written for the Far Eastern Economic Review.

When the attached PDF is opened in Acrobat Reader, it exploits a known vulnerability in the doc.media.newPlayer function of the reader to install a back door on the user's system, F-Secure said. The flaw was patched by Adobe last week.

Microsoft, Aurora and something about forest and trees?

By jericho
1.24.2010
OSVDB Blog

Perhaps it is the fine tequila this evening, but I really don't get how our industry can latch on to the recent 'Aurora' incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to very roughly summarize:

News surfaces Google, Adobe and 30+ companies hit by "0-day" attack

Google uses this for political overtones

Originally thought to be Adobe 0-day, revealed it was MSIE 0-day

Jan 14, confirmed it is MSIE vuln, shortly after dubbed "aurora"

Jan 21, uproar over MS knowing about the vuln since Sept

Now, here is where we get to the whole forest, trees and some analogy about eyesight. Oh, I'll warn (and surprise) you in advance, I am giving Microsoft the benefit of the doubt here (well, for half the blog post) and throwing this back at journalists and the security community instead. Let's look at this from a different angle.

The big issue that is newsworthy is that Microsoft knew of this vulnerability in September, and didn't issue a patch until late January. What is not clear, is if Microsoft knew it was being exploited. The wording of the Wired article doesn't make it clear: "aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies" and "Microsoft confirmed it learned of the so-called 'zero-day' flaw months ago". Errr, nice wording. Microsoft was aware of the vulnerability (technically), before hackers exploited it, but doesn't specifically say if they KNEW hackers were exploiting it. Microsoft learned of the "0-day" months ago? No, bad bad bad. This is taking an over-abused term and making it even worse. If a vulnerability is found and reported to the vendor before it is exploited, is it still 0-day (tree, forest, no one there to hear it falling)?

Short of Microsoft admitting they knew it was being exploited, we can only speculate. So, for fun, let's give them a pass on that one and assume it was like any other privately disclosed bug. They were working it like any other issue, fixing, patching, regression testing, etc. Good Microsoft!

Bad Microsoft! But, before you jump on the bandwagon, bad journalists! Bad security community!

Botnets: "The Democratization of Espionage"

By Brian Krebs
CSO Online
January 22, 2010

The cyber attacks against Google, Adobe and a raft of other top U.S. corporations late last year were by most accounts sophisticated and targeted attempts to steal proprietary data. But lost in all of the resulting media hoopla over who the remaining victims were and whether Chinese hackers or indeed the Chinese government itself were responsible is the simple, terrifying truth that individual hackers now have access to the same arsenal of cyber weapons once reserved only for nation states.

The weapons at issue are, of course, botnets -- agglomerations of remotely controlled, hacked computers that are used for a variety of criminal purposes, from spam, to high-powered, distributed online attacks against virtual targets. In these attacks, the botnets acted as a sort of "cloud" data collection and storage network.

I caught up recently with Roland Dobbins, a solutions architect with the Asia Pacific division of Arbor Networks, a company that specializes in helping customers defend against botnet attacks. Dobbins said the Google incident was a perfect example of how the botnet has enabled what he calls the democratization of espionage.

Brian Krebs: What does that mean, "the democratization of espionage"?

Roland Dobbins, Arbor Networks: Well, ten to fifteen years ago, if you were going to be the target of state sponsored or corporate espionage, you yourself were going to be a government or a large corporation that had intellectual property or information that an adversary was going to have to invest a lot of time and effort to pry out of you. What we have seen over the last five to seven years is that the botnet has democratized that process, so that now an individual can commit his own intelligence reconnaissance and espionage, whether at arm's length on behalf of a state, on his own, or whether he's doing it for corporate espionage. This whole process has tons of implications for national and corporate security, and for individual privacy.

[...]

Hackers strike again in attack on eateries

January 25, 2010
joongang.co.kr

Hackers cracked into the credit card processing networks of several popular restaurant chains in Korea from December through early this year, obtaining personal information from customers to make fake cards and ring up millions of won in purchases.

Authorities said the resulting monetary damage could exceed similar high-profile hacking incidents over the past two years, though they did not provide data on the chains involved or the estimated number of consumers affected.

The cyber crime unit of the national police agency and local financial authorities said yesterday that the hackers manufactured fake credit cards based on the stolen information, charging roughly 190 million won ($165,794) in purchases abroad.

A Financial Supervisory Service official said the hacker made a total of 460 transactions with the fake credit cards.

Authorities alerted the credit card providers about the latest development, and the firms are now contacting affected customers and reissuing cards with new numbers.

It's the latest incident in a string of hacking attacks on local credit card payment networks over the past two years, deepening concern among consumers and companies alike.

Similar hacking attacks on several local retail chains - whose names were not revealed - in April 2008 forced some 20,000 Koreans to get new credit cards.

Hackers used the information gleaned in the attacks to produce fake cards, making 310 purchases worth 166 million won.

In August through September of last year, hackers obtained the credit card information of about 2,360 people who swiped their cards in local restaurants and bar chains. In these cases, the hackers made purchases worth 78 million won using fake cards.

Industry officials said that the smaller chain businesses are particularly susceptible to these types of attacks, as they don't have as advanced security systems in place as their larger peers.

"The [credit card payment] processing networks of large business chains like big discount stores are relatively well protected in this regard," said one official at the Credit Finance Association of Korea. "But small and midsized chains are far more vulnerable in terms of security measures."

In the face of intensifying hacking threats, the Financial Supervisory Service, the Credit Finance Association and credit card companies last month formed a joint task force team to come up with possible solutions to prevent such attacks.

Swiss Army Encryption Challenge Worth More Than $100K

By Andy Cordial
businesscomputingworld.co.uk
January 21st, 2010

News that an encrypted Swiss Army knife from manufacturer Victorinox remained uncracked - and a $100,000 prize went unclaimed - at the Consumer Electronics Show in Las Vegas this month comes as no surprise.

Even if someone had cracked the 2010 version of the famous Swiss Army knife, they would have obtained a lot more than $100,000 from other sources.

Victorinox, the manufacturer of the Swiss Army knife, which dates back to the late 1800s in its various forms, has made much of the unit's tamper-proof self-destruct mode, but the reality is that the crypto USB drive supports elliptic curve and AES encryption, which makes it almost impervious to crackers using currently known technology.

The reputation of encryption technology has taken a battering with the revelations that the A5/1 and A5/3 crypto systems used on cellular networks have been compromised in the last few weeks, but the elliptic curve and especially the AES systems are still, I'm pleased to report, uncracked.

The AES encryption system is likely to remain uncracked for some time to come, as even Bruce Schneier - the renowned ITsec industry sceptic and researcher - said in his research last summer that "AES-128 provides more than enough security margin for the foreseeable future."

China denies involvement in Google cyberattacks

By Steven Musil
Security
CNet News
January 24, 2010

After warning of strained U.S.-China relations, China's government has issued a statement denying any state involvement in the cyber attacks on Google and some 30 other companies.

The statement, issued Monday Beijing time by China's Ministry of Industry and Information Technology and carried on the state news agency Xinhua, comes at a time of heightened tension between China and the United States over Internet censorship and security in China.

The "accusation that the Chinese government participated in (any) cyberattack, either in an explicit or inexplicit way, is groundless and aims to denigrate China," an unidentified ministry spokesman told Xinhua, according to an Agence France Presse report. "We are firmly opposed to that."

U.S. Secretary of State Hillary Rodham Clinton formally denounced Internet censorship in a speech Thursday that was directed both at the private and public sectors. For corporations, she said, "Censorship should not be accepted by any company from anywhere. American companies need to make a principled stand."
