Manchester City Council was prevented from issuing hundreds of motoring penalty notices in time after the infamous Conficker worm knocked out parts of its IT systems.
Drivers caught on camera driving in bus lanes escaped punishment after the town hall fine processing system was taken offline in February, following infection by the infamous worm. Failure to issue 1,609 tickets within the statutory limit of 28 days left the city £43,000 out of pocket.
Clean-up costs and consultancy fees were a far more significant cost, estimated at £600k. In addition, council IT chiefs spent a further £600k on Wyse thin client terminals as part of an enhanced backup strategy.
Town hall chiefs also spent a further £169,000 on extra staff needed to handle a backlog of benefits claims. Compensation payments to benefit claimants piled on the financial pain.
In total the incident cost the council an estimated £1.5m, the Manchester Evening News reports. Infection by the worm left council workers unable to send emails or print documents, and struggling with extra red tape after they were obliged to keep additional back-up paper records in case data was lost.
Council chiefs have banned the use of memory sticks, which were blamed (extracts from memos here) for causing the infection, as well as disabling all USB ports in response to the incident. Albert Square IT chiefs have also promised to revamp the council’s disaster recovery strategy, which the incident exposed as hopelessly inadequate.
Steve Park, Head of ICT at Manchester city council, told the MEN: “I’d like to reassure the public that we’ve built on and improved our disaster recovery strategy, which covers all our main networks.”
“This means that in the event of an emergency those key systems can be recovered with minimal disruption to the services involved.”
The fallout from the Conficker worm infection represents the second time in a week that Manchester City Council has made headlines following IT cock-ups. Data watchdogs at the ICO put the council on notice over breaches of the Data Protection Act last week following the earlier loss of two unencrypted laptops from council premises. One of the stolen machines contained personal details on hundreds of teachers and support workers at local schools.
Previous victims of the Conficker worm have included the UK’s Houses of Parliament and hospitals in Sheffield, as well as many other organisations outside the UK.
Credit: The Register
The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.
Through a combination of DIY (do-it-yourself) denial of service (DDoS) attack tools, multiple iFrame loading scripts, a public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.
The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a persistent supply of proxy servers on behalf of the opposition.
Moreover, the ongoing distributed denial of service attacks are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there’s no indication of botnet involvement in the present attack.
Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.
The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:
Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
President.ir - Presidency of The Islamic Republic - under attack
Farsnnews.com - Fars News Agency - under attack
Irib.ir - Islamic Republic of Iran Broadcasting - under attack
Kayhannews.ir - News Portal - “Service Unavailable”
Irna.ir - Islamic Republic News Agency - “service unavailable”
Mfa.gov.ir - Ministry of Foreign Affairs, Islamic Republic of Iran - under attack
Moi.ir - Ministry of Interior - under attack
Police.ir - National Police - under attack
Justice.ir - Ministry of Justice - under attack
Presstv.ir - Iranian Press TV - “server is too busy”
Among the first web-based denial of service attacks used is a tool called “Page Rebooter”, which basically allows anyone to set an interval for refreshing a particular page; in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages like the following:
“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”
The second stage of the campaign consisted of the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.
The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service (DDoS) tools, which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, which the software, using proxies, will attempt to fetch automatically.
The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it.
SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.
There have already been speculations that the magnitude of these local attacks - Iranian users targeting Iranian web sites - is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.
Credit: ZDNet.com Security Blogs
Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months.
The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM’s receipt printer, according to analysts from SpiderLabs, the research arm of security firm Trustwave. Since late 2007 or so, there have been at least 16 updates to the software, an indication that the authors are working hard to perfect their tool.
“They’re following more of a rapid development lifecycle,” Nicholas Percoco, vice president and head of SpiderLabs, said. “They’re seeing what works and putting out new versions.”
SpiderLabs researchers delved into four of the more recent versions and what they found was a highly capable family of malware written to professional standards. Once installed, it monitors the ATM’s transaction message queue for track 2 data stored on inserted cards. If it contains data belonging to a banking customer, it logs it, along with the PIN code that was entered.
The software also works with controller cards that allow the attackers to operate infected machines. When such a card is inserted, the ATM’s display shows a window offering 10 command options that can be selected using the keypad. Options include the ability to print collected data, restore log files to the condition prior to the malware installation, and uninstall the malware altogether.
A secondary menu also allows the person to force the machine to dispense all its cash. There is also documentation for another feature that would upload intercepted card data to a chip on the controller card, but that capability doesn’t seem to work yet. Controller cards include both master and single function. The former is presumably for people higher up in the organization while the latter would be used by mules who are not fully trusted.
The findings build on a report issued in March by Sophos that documented card-sniffing trojans that targeted ATMs made by Diebold. The ATM manufacturer said several suspects had been apprehended following an incident “isolated in Russia” in which attempts were made to use the malware.
SpiderLabs’ Percoco said he didn’t know if the malware his researchers studied was tied to the Sophos report. Both malicious programs can be installed only by people with physical access to the machines, making some level of insider cooperation necessary. But unlike the Sophos report, SpiderLabs said the software targeted ATMs made by multiple vendors, though Percoco declined to say which ones. The SpiderLabs report said only that the targeted ATMs ran on the Windows XP operating system.
“These are systems that are connected to financial networks that are literally sitting out in the open, and they are vulnerable,” Percoco said. “All these systems are unattended, or most of them are. You often walk by when they’re being serviced.”
Credit: The Register
Gears, an open-source Google project, allows data normally stored on a webserver to be stashed instead on end users’ computers. Last month, Gmail allowed users to read and write email even when they’re not connected to the interwebs. As a result, a single cross-site scripting (XSS) error or SQL injection vulnerability on the web server is all it takes to gain full access to the contents, a security researcher warns.
Like almost all other offline web applications, offline Gmail works by creating the equivalent of a relational database on the client PC. Over the past year, dozens of web-based services have adopted new features that allow them to be used even when an internet connection isn’t available. The technologies making this possible may offer plenty of convenience, but they also make end users susceptible to powerful new attacks, says Michael Sutton, vice president of research at web security firm Zscaler.
“It really changes the landscape from an attacker’s perspective,” Sutton says. “I as an end user can have a fully patched system surfing a reputable site and still be vulnerable because there is a weakness on the page I’m viewing. You are actually made vulnerable if the site has a vulnerability in it.”
To prove his point, Sutton identified a SQL injection vulnerability in a time-keeping service offered by a website called Paymo. By embedding select commands into various Paymo URLs, he was able to pluck information stored on a PC that had been using the service’s offline feature, he says.
Paymo promptly fixed the bug. But Sutton says the vulnerability amounts to a proof of concept for a new class of attacks that targets users of offline web services. Such “persistent client side storage” attacks, as he has dubbed them, have the potential to target victims each time they interact with a vulnerable service, he warns.
What’s more, because the services are generally available to anyone for free, it’s possible for attackers to have detailed knowledge of exactly how the databases are configured, an understanding that could go a long way to improving the odds of successfully exploiting the vulnerability.
Because it works on Windows, OS X, and Linux, Gears is by far the most popular way of bringing offline functionality to web services. But it’s not the only way websites can make such offerings available. HTML 5, which is still under development, also describes ways for browsers to have local databases that interact with websites. Apple’s Safari browser has already implemented part of that.
That has led Sutton to envision a day when most internet users have a wealth of locally stored data on their PCs that seamlessly interacts with websites. Suddenly, XSS exploits - which typically allow attackers to steal only limited amounts of data, such as authentication cookies - could be used to purloin entire databases, he warns.
Credit: The Register
Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses.
The $250 proof-of-concept device, which researcher Chris Paget built in his spare time, operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.
Paget’s contraption builds off the work of researchers at RSA and the University of Washington, which last year found weaknesses in US passport cards and so-called EDLs, or enhanced drivers’ licenses. So far, about 750,000 people have applied for the passport cards, which are credit card-sized alternatives to passports for travel between the US and Mexico, Canada, the Caribbean, and Bermuda. EDLs are currently offered by Washington and New York states.
Paget’s device consists of a Symbol XR400 RFID reader (now manufactured by Motorola), a Motorola AN400 patch antenna mounted to the side of his Volvo XC90, and a Dell 710m that’s connected to the RFID reader by ethernet cable. The laptop runs a Windows application Paget developed that continuously prompts the RFID reader to look for tags and logs the serial number each time one is detected. He bought most of the gear via auctions listed on eBay. The device has a range of about 30 feet, making it ideal for discreetly skimming the EDL and passport card tags of people who pass by his vehicle. With modifications, Paget says his device could read RFID identifiers that are more than a mile away. The antenna was concealed by the vehicle’s tinted window, and the PC and RFID reader fit well below the eye line, making it virtually undetectable by passersby.
“It’s one thing to say that something can be done, it’s another thing completely to actually do it,” Paget said in explaining why he built the device. “It’s mainly to defeat the argument that you can’t do it in the real world, that there’s no real-world attack here, that it’s all theoretical.”
Use of the cards is expected to rise as US officials continue to encourage their adoption. Civil liberties groups have criticized the cards and a travel industry association has called on the federal government to suspend their use until the risks can be better understood.
The cards make use of the RFID equivalent of optical barcodes known as electronic product code tags, which are widely used to track cattle and merchandise as it’s shipped and then stored in warehouses. Because the technology employs no encryption and can be read from distances of more than a mile, the tags are highly susceptible (PDF) to cloning and tracking, researchers have concluded.
Officials with the US Customs and Border Protection Department say they have no plans to overhaul the technology used in passport cards. RFID signals allow border agents to process travelers more quickly and bring an added level of security to the process, spokeswoman Kelly Ivahnenko said. The cards come with protective sleeves that prevent the RFID tags from being readable, she added, and even if they are captured, she said there is little anyone can do with the information. A spokesman from the US State Department - which processes applications for passport cards and then issues them - declined to comment.
Paget plans to release the software’s source code during a demonstration at the Shmoocon hacker convention to be held later this month in Washington.
Credit: The Register
Visa cards with a built in one-time code generator are to be trialled by four European banks. The technology is designed to tackle the growing problem of online credit card fraud. MBNA, a Bank of America company in the UK, Corner Bank in Switzerland, Cal in Israel and IW Bank in Italy are to take part in limited trials of Visa’s new one-time code card.
The next-generation cards feature a numeric keypad on the back of a plastic card. Customers enter their PIN code to generate a one-time password. This code, displayed on a card’s display panel, is then used to authenticate online purchases. The approach is an alternative to using a password when authenticating online purchases through the much-criticised Verified by Visa scheme. As previously reported, VbyV passwords can often be easily reset knowing only card details and a user’s birthday.
The new cards, developed in conjunction with Australian firm Emue Technologies, are far more secure - though not infallible. Some banks have already introduced two-factor authentication technologies, which grew up in the corporate remote access market, to provide extra protection to online banking transactions.
The approach means that basic phishing attacks aimed at tricking users into handing over online credentials are insufficient to compromise accounts because the code, typically generated by a separate token or other piece of kit, is also needed to log into accounts. That still leaves open the possibility of man-in-the-middle attacks, where hackers set up websites that pose as the real thing, tricking users into handing over one-time passwords which are relayed to genuine banking sites in real-time. More sophisticated attacks of this type have already targeted Citibank customers.
A spokesman for Emue explained that its card has the ability to digitally sign transactions, hence the ability to mitigate MITM (“man in the middle”) attacks. “This is just one of the features that can be pre-loaded on the card”, he added.
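The difference between a login-only one-time code and a transaction-signing code is the whole point of the preceding two paragraphs, so here is a small model of it. This is an added example, not Emue’s or Visa’s protocol: the card is modelled as an HMAC-SHA256 device unlocked by the PIN, with a counter providing the one-time property and, for the signing variant, the payee and amount mixed into the MAC. The issuer-side verifier, the 6-digit truncation, the look-ahead window and the demo key are all assumptions made for illustration.

```python
"""Model of a PIN-unlocked OTP card (constructed example, not a real product)."""
import hashlib
import hmac
import struct


def truncate_code(digest: bytes, digits: int = 6) -> str:
    """RFC 4226-style dynamic truncation of a MAC to a short decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def mac_code(secret: bytes, counter: int, binding: bytes) -> str:
    """Code = truncated HMAC over (event counter || transaction binding)."""
    msg = struct.pack(">Q", counter) + binding
    return truncate_code(hmac.new(secret, msg, hashlib.sha256).digest())


def transaction_binding(merchant: str, amount_cents: int) -> bytes:
    # What the cardholder is actually approving; an empty binding = plain login OTP
    return f"{merchant}|{amount_cents}".encode()


class Card:
    """The cardholder's device: shared secret, PIN gate, monotonic counter."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.counter = 0

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")

    def login_code(self, pin: str) -> str:
        """Plain OTP: depends only on secret and counter, so it can be relayed."""
        self._unlock(pin)
        self.counter += 1
        return mac_code(self._secret, self.counter, b"")

    def sign_transaction(self, pin: str, merchant: str, amount_cents: int) -> str:
        """Transaction-bound code: only valid for this payee and this amount."""
        self._unlock(pin)
        self.counter += 1
        return mac_code(self._secret, self.counter, transaction_binding(merchant, amount_cents))


class Issuer:
    """Bank side: same secret, accepts counters in a small look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._window = window
        self.last_counter = 0

    def _accept(self, code: str, binding: bytes) -> bool:
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self._window):
            if hmac.compare_digest(mac_code(self._secret, counter, binding), code):
                self.last_counter = counter  # consume: blocks replay of this code
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._accept(code, b"")

    def verify_transaction(self, code: str, merchant: str, amount_cents: int) -> bool:
        return self._accept(code, transaction_binding(merchant, amount_cents))


def relay_scenario() -> dict:
    """A look-alike site forwards whatever the victim types to the real issuer."""
    secret = bytes(range(32))  # constructed demo key
    card, issuer = Card(secret, "1234"), Issuer(secret)
    # 1. Login OTP typed into the phishing page and forwarded unchanged: accepted.
    plain_otp_relayed = issuer.verify_login(card.login_code("1234"))
    # 2. Victim approves 20.00 to shop.example; the relay changes payee/amount: rejected.
    code = card.sign_transaction("1234", "shop.example", 2000)
    altered_tx_accepted = issuer.verify_transaction(code, "mule.example", 99900)
    genuine_tx_accepted = issuer.verify_transaction(code, "shop.example", 2000)
    replay_accepted = issuer.verify_transaction(code, "shop.example", 2000)
    return {
        "plain_otp_relayed": plain_otp_relayed,
        "altered_tx_accepted": altered_tx_accepted,
        "genuine_tx_accepted": genuine_tx_accepted,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    print(relay_scenario())
```

The model makes the limitation in the text concrete: an issuer cannot tell who submits a login-only code, so a real-time relay works, whereas a code that commits to the payee and amount is useless to a relay that wants to send the money elsewhere, and consuming the counter on acceptance stops the same code from being replayed.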
Although one-time code technology in general is no silver bullet capable of slaying online fraud it is a big improvement on using passwords, which as Visa Europe points out can easily be forgotten. Bundling the one-time password technology into a card also means users don’t have to deal with multiple items of kit.
Problems in getting out a personal calculator-style keypad delayed the introduction of Barclays’ PINsentry scheme, which like the one-time code generator is also designed to combat online fraud. Emue has managed to develop technology with a three-year battery lifetime, overcoming one of the potential stumbling blocks to the scheme.
Corner Bank has invited 500 to take part in the trials. Other banks will be running the trials with up to 3,000 punters, a Visa spokeswoman explained.
The trials will start in the next few weeks and last from six to 12 months, depending on the banks.
Credit: The Register
For the last two years until its shutdown earlier this month, DarkMarket.ws posed as a forum where identity thieves, credit card fraudsters, crackers and other ne’er-do-wells could hang out and exchange tips as well as trading hacker tools and stolen data. DarkMarket offered a place to flog stolen credit card information and identities, hardware, and credit card magstripe swipes. The English-language site looked like somewhere the bad guys could get pointers on the quality of stolen information, harvested through phishing scams and the like, before buying goods.
In reality, the site was run by Federal agents based in Pittsburgh. Leaked documents have confirmed that carder forum DarkMarket was actually an FBI sting operation. The true identity of the site was revealed by Südwestrundfunk, a German public radio station, Wired reports. The station unearthed documents showing that one of the site’s overlords, Master Splynter, who posed as a spammer, was senior cybercrime agent J Keith Mularski. The DarkMarket sting was instrumental in trapping a German credit card hacker active on its forums.
Leaked documents show that the FBI had run DarkMarket as a sting since November 2006. A memo from FBI to their German counterparts boasts that the “FBI has been successful in penetrating the inner ‘family’ of the carding forum, DarkMarket”. In an email dating from March 2007 FBI agent Mularski bluntly states “Master Splynter is me”. The FBI said the site, at its peak, had more than 2,500 members. The Feds said investigations were continuing thanks to leads from the forum, which was closed earlier this month.
Federal agents used intelligence from the site to develop intelligence reports and mount investigations. It’s unclear how many miscreants were busted as a result of the sting. Further arrests may follow and cybercrooks that frequented the forum are likely to be peering nervously over their shoulders.
Master Splynter announced his intention to close the site from 4 October, supposedly because a Turkish ATM fraudster was drawing “unwelcome attention” to the site. The Turkish hacker (Cha0) was marketing an ATM skimming device - fairly standard activity on the site - but he became famous after allegedly kidnapping and torturing a police informant. Local police arrested a suspect, named as Cagatay Evyapan, last month.
Rumours that DarkMarket was a federal sting were known to more clued-up crackers since the latter part of 2006, after a hacker reported evidence that Master Splynter had logged in from the National Cyber Forensics Training Alliance in Pittsburgh. Some dismissed the warning by Max Ray Butler as mud-slinging and continued to use the forum, even after Butler was arrested last year in a case handled by the FBI’s Pittsburgh office.
According to latest news, Police have arrested five people in the UK in the last few days in connection with a web forum used to trade credit card details and personal information. Some 56 people have been arrested worldwide - 11 in total in the UK - in connection with the DarkMarket forum. The Serious Organised Crime Agency ran the UK part of a worldwide investigation led by the FBI.
Details of a vulnerability in the world’s most widely deployed radio frequency identification (RFID) smartcard were finally published on Monday. RFID smartcards are used to control access to many transportation systems, military installations, and other restricted areas, and the affected card can be cracked in a matter of minutes using inexpensive tools.
The first of the two papers about this issue was published by researchers from Radboud University in Nijmegen, Netherlands. It describes in detail how to clone cards that use the Mifare Classic. The chip is used widely throughout the world, including in London’s Oyster Card, Boston’s Charlie Card, and briefly by a new Dutch transit card.
Manufacturer NXP and the Dutch government had tried in vain to prevent the researchers from disclosing their findings, arguing that the findings would enable abuse of security systems that rely on the card. In July, a Dutch judge rejected the request and allowed the researchers to publish their paper. It is titled Dismantling MIFARE Classic and was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference in Malaga, Spain.
It came the same day that Henryk Plötz, a PhD student at Humboldt University in Berlin, published a document that includes the full implementation of the algorithm used in the Mifare Classic. The two documents combined mean that virtually anyone with the time and determination can carry out the attacks. The weakness can now be verified independently by anybody.
Over the past six months, many organizations that rely on the Mifare Classic have upgraded their systems, but there are systems used by government agencies or large multinational companies that have been unable to make the necessary changes because of the logistical challenges of issuing new badges to employees.
The main flaw in the Mifare Classic is a proprietary encryption scheme dubbed crypto1. It contains a weakness that causes it to produce outputs that are so cryptographically weak that attackers can guess the key in a matter of minutes. All that’s required is an RFID reader, a modest-strength PC, and about 10 minutes. NXP has said it has sold about 2 billion Mifare Classic cards.
The Radboud researchers have already used the discovery to clone Oyster cards and adjust the amount of credit stored on the pre-pay card. Separate students at the Massachusetts Institute of Technology claim to have found gaping holes in the Charlie Card used to collect fares for the Boston subway.
NXP Semiconductor has downplayed the significance of the flaw, saying the card alone should not be relied on for secured access to buildings and other restricted areas. A more robust card made by the company, the Mifare Plus, can use the Advanced Encryption Standard (AES), a time-tested algorithm that is widely believed to be secure.
The Los Alamos National Laboratory (LANL), the world’s most sensitive and sophisticated research institution, is marred by cybersecurity weaknesses that compromise the way information on its unclassified network is protected. The venerable LANL was ground zero for the Manhattan Project and also the birthplace of the hydrogen bomb.
According to an audit by the US Government Accountability Office (GAO), the New Mexico-based LANL recently began implementing measures to shore up information security. But vulnerabilities remain on its unclassified network, which contains sensitive information involving controlled nukes, export control, and personal details of lab employees. Physical security was also found to be lacking at the facility, one of only three US National Nuclear Security Administration (NNSA) labs.
“A successful physical or cyber attack on NNSA sites containing nuclear weapons, the material used in nuclear weapons, or information pertaining to the people who design and maintain the US nuclear deterrent could have devastating consequences for this site, its surrounding communities, and the nation’s security,” the report (PDF) warns. “Because of these risks, NNSA sites need effective physical and cyber security programs.”
This isn’t the first time security at LANL has been found to be lacking. In 2006, a drug raid on a private residence uncovered classified documents and information that had been improperly removed from the lab by a contract employee. An investigation into the incident later revealed a “serious breakdown in core laboratory physical and cyber security controls” contributed to the breach.
A security evaluation earlier this year by investigators from the Department of Energy concluded there were “significant weaknesses” in LANL’s security program. The recent report issued 52 recommendations for improvement. Among other things, they are aimed at “ensuring that LANL’s risk assessment for its unclassified network evaluates all known vulnerabilities and is revised periodically.”
Last week’s GAO report identified several critical areas inside LANL where physical and cyber security were flawed. They included the identifying and authenticating of users, the encryption of sensitive information and the monitoring and auditing of compliance with established security policies. The GAO also faulted policies for granting access to LANL’s unclassified network by foreign nationals, some from countries considered “sensitive.”
Ehud Tenenbaum, a 29-year-old Israeli known online as “the Analyzer” and living in Montreal, was arrested after a nine-month investigation found that he and three other suspects allegedly stole $1.8 million from a Calgary company. The operation involved the U.S. Secret Service and municipal police in Calgary and Vancouver - as well as in Montreal, where investigators arrested four Quebec-based suspects. All four suspects were arrested in Montreal and brought to Calgary on Tuesday.
In 1998, a 19-year-old Israeli named Ehud Tenenbaum accessed computers belonging to the Pentagon. After his conviction, Tenenbaum used his expertise to help Israeli organizations protect their computer networks against cyber attacks.
Investigators are now working to verify the one-time hacker known as “the Analyzer” is one of the four Montrealers accused of stealing close to $2 million by using computers to falsely inflate the value of prepaid debit cards. Calgary police didn’t name the business that was targeted, but said it’s a national company that offers short-term credit and other financial services - such as prepaid debit cards. The U.S. Secret Service has an ongoing investigation that might find additional victims in the United States.
The fraud was committed by someone who hacked into the company’s Calgary computers from Montreal and changed the value of the debit cards to an amount higher than their face price. Cash was then withdrawn from bank machines at several locations across Canada and abroad. Most of the Canadian withdrawals occurred in Montreal.
Investigators in Calgary began their investigation after being contacted by the Vancouver Police Department. The Vancouver police, in turn, were working with the U.S. Secret Service on a separate probe that led them to Calgary. It’s possible the investigation may widen to include more charges. Computer-based crime investigations can be difficult for law-enforcement agencies, because they often span several jurisdictions and require special expertise to track down suspects who can use the technology to cover their tracks. Investigators in Montreal searched four properties and seized computers and business records that will now be analyzed for evidence.
Tenenbaum, who has been charged with six counts of fraudulent use of credit card data and one count of fraud over $5,000, is the only one who remains in custody. Priscilla Mastrangelo, 30, of Montreal, has been charged with 23 counts of fraudulent use of credit-card data and one count of fraud over $5,000. Jean Francois Ralph, also known as Ralph Jean-Francois, 28, of Montreal, has been charged with four counts of fraudulent use of credit-card data and two counts of fraud over $5,000. Spyros Xenoulis, 33, of Montreal, has been charged with one count of fraudulent use of credit-card data and one count of fraud under $5,000. All four are scheduled to appear in Calgary provincial court Friday.