Monthly Archives: July 2012

Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 with code designed to covertly purchase apps and content from China Mobile’s Mobile Market.

Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps.

The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said.

Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile’s official Mobile Market online store without informing the user.

It is able to intercept China Mobile’s verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.

In the event of CAPTCHA being triggered at this stage, the malware will apparently send the relevant image to a remote server for analysis.

The advice from the security experts at TrustGo is for users to only download Android apps from trusted app stores and to have some form of real-time mobile security scanner installed on their device to prevent any dodgy downloads.

Visiting an apparently legit app store is no guarantee you’re going to get a malware-free experience, however.

Malware is frequently turning up on the official Android marketplace Google Play – although admittedly less frequently than on some of the more dubious third party sites.

The latest discovery came at the tail end of last week when researchers found malware that lifts the victim’s location data and address book info.

China in particular has been a hotbed of malicious Android activity for some time.

In April, the Chinese authorities were forced to publically reprimand the country’s two biggest mobile carriers, China Mobile and China Telecom, after uncovering “many problems” in their respective app stores.

Globally too, Android continues to be a favourite with cyber criminals.

Security firm Trend Micro is predicting the discovery of 129,000 malicious apps by the end of the year and has compiled this handy infographic detailing the main threats.

Retrieved from The Register

10 crazy IT security tricks that actually work

IT security threats are constantly evolving. It’s time for IT security pros to get ingenious

 Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company’s systems and data should call into question any action that may introduce risk. But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers.

And sometimes you have to get a little crazy.

Charles Babbage, the father of the modern computer, once said, “Propose to a man any principle, or an instrument, however admirable, and you will observe the whole effort is directed to find a difficulty, a defect, or an impossibility in it. If you speak to him of a machine for peeling a potato, he will pronounce it impossible: If you peel a potato with it before his eyes, he will declare it useless, because it will not slice a pineapple.”

The world of network security is no different. Offer a new means for IT defense, and expect to meet resistance. Yet, sometimes going against the wave of traditional thinking is the surest path to success.

In that vein, we offer 10 security ideas that have been — and in many cases still are — shunned as too offbeat to work but that function quite effectively in helping secure the company’s IT assets. The companies employing these methods don’t care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.

Innovative security technique No. 1: Renaming admins

Renaming privileged accounts to something less obvious than “administrator” is often slammed as a wasteful, “security by obscurity” defense. However, this simple security strategy works. If the attacker hasn’t already made it inside your network or host, there’s little reason to believe they’ll be able to readily discern the new names for your privileged accounts. If they don’t know the names, they can’t mount a successful password-guessing campaign against them.

Even bigger bonus? Never in the history of automated malware — the campaigns usually mounted against workstations and servers — has an attack attempted to use anything but built-in account names. By renaming your privileged accounts, you defeat hackers and malware in one step. Plus, it’s easier to monitor and alert on log-on attempts to the original privileged account names when they’re no longer in use.
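The monitoring side of this technique, as an added example that is not the article's own code: once “Administrator” is a decoy name, any logon attempt naming it is worth an alert, and repeated attempts from one source are a guessing campaign. The log lines, field layout and the `DECOY_NAMES` set are constructed for the example; a real Windows Security log export needs its own field mapping.

```python
"""
Alert on logon attempts against renamed (now decoy) privileged account names.

Added example, not from the article. Log lines are constructed to resemble
Windows logon events (4624 success / 4625 failure) flattened to key=value.
"""
import re
from collections import Counter

# Names that belong to no live account once the real accounts were renamed.
# Any attempt to use them is either automated malware or a guessing attack.
DECOY_NAMES = {"administrator", "admin", "root"}

# Constructed sample log (not real data): a legitimate user, one source
# hammering the decoy name on SRV02, and a single stray "admin" attempt.
SAMPLE_LOG = """\
2012-07-09T08:01:12Z event=4624 host=WS01 user=jsmith src=10.0.0.21 status=0x0
2012-07-09T08:02:40Z event=4625 host=SRV02 user=Administrator src=203.0.113.7 status=0xC000006D
2012-07-09T08:02:41Z event=4625 host=SRV02 user=Administrator src=203.0.113.7 status=0xC000006D
2012-07-09T08:02:43Z event=4625 host=SRV02 user=Administrator src=203.0.113.7 status=0xC000006D
2012-07-09T08:05:10Z event=4625 host=WS01 user=jsmith src=10.0.0.21 status=0xC000006A
2012-07-09T08:09:55Z event=4625 host=WS03 user=admin src=10.0.0.44 status=0xC0000064
2012-07-09T08:10:02Z event=4624 host=SRV02 user=ops-sec-mgr src=10.0.0.9 status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\d+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def decoy_hits(text):
    """Every logon attempt, successful or not, that names a decoy account.

    Comparison is case-insensitive because Windows account names are.
    """
    return [e for e in parse_log(text) if e["user"].lower() in DECOY_NAMES]


def guessing_sources(text, threshold=3):
    """Sources with at least `threshold` decoy attempts: a guessing campaign
    rather than a one-off mistyped name."""
    per_src = Counter(e["src"] for e in decoy_hits(text))
    return {src: n for src, n in per_src.items() if n >= threshold}


def alerts(text, threshold=3):
    """One alert line per decoy attempt, plus a summary per guessing source."""
    out = [
        f"DECOY_LOGON host={e['host']} user={e['user']} src={e['src']} at {e['ts']}"
        for e in decoy_hits(text)
    ]
    for src, n in sorted(guessing_sources(text, threshold).items()):
        out.append(f"GUESSING src={src} attempts={n}")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Because the decoy name is never used legitimately, the alert needs no whitelist; a failed logon by a real user (jsmith above) is deliberately left alone.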

Innovative security technique No. 2: Getting rid of admins

Another recommendation is to get rid of all wholesale privileged accounts: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.

When this is suggested, most network administrators laugh and protest, the same response security experts got when they recommended local Administrator accounts be disabled on Windows computers. Then Microsoft followed this recommendation, disabling local Administrator accounts by default on every version of Windows starting with Vista/Server 2008 and later. Lo and behold, hundreds of millions of computers later, the world hasn’t come crashing down.

True, Windows still allows you to create an alternate Administrator account, but today’s most aggressive computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still, many network admins see this as going a step too far, an overly draconian measure that won’t work. Well, at least one Fortune 100 company has eliminated all built-in privileged accounts, and it’s working great. The company presents no evidence of having been compromised by an APT (advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user side or from IT. Why would they? They aren’t getting hacked.

Innovative security technique No. 3: Honeypots

Modern computer honeypots have been around since the days of Clifford Stoll’s “The Cuckoo’s Egg,” and they still aren’t as respected or as widely adopted as they deserve. A honeypot is any computer asset that is set up solely to be attacked. Honeypots have no production value. They sit and wait, and they are monitored. When a hacker or malware touches them, they send an alert to an admin so that the touch can be investigated. They provide low noise and high value.

The shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning — except for a bunch of honeypots, called a honeynet. Still, colleagues and customers are typically incredulous when I bring up honeypots. My response is always the same: Spend a day spinning one up and tell me how you feel about honeypots a month later. Sometimes the best thing you can do is to try one.

Innovative security technique No. 4: Using nondefault ports

Another technique for minimizing security risk is to install services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic goes gangbusters. When zero-day, remote buffer overflow threats become weaponized by worms, computer viruses, and so on, they always — and only — go for the default ports. This is the case for SQL injection surfers, HTTP worms, SSH discoverers, and any other commonly advertised remote service port.

Recently Symantec’s pcAnywhere and Microsoft’s Remote Desktop Protocol suffered remote exploits. When these exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms could arrive. If either service had been running on a nondefault port, the race wouldn’t even begin. That’s because in the history of automated malware, malware has only ever tried the default port.

Critics of this method of defense say it’s easy for a hacker to find where the default port has been moved, and this is true. All it takes is a port scanner, like Nmap, or an application fingerprinter, like Nikto, to identify the app running on the nondefault port. In reality, most attacks are automated using malware, which as stated, only go for default ports, and most hackers don’t bother to look for nondefault ports. They find too much low-hanging fruit on default ports to be bothered with the extra effort.

Years ago, as an experiment, I moved my RDP port from 3889 to 50471 and offered a reward to the first person to find the new port. Two people discovered the port right away, which was no surprise; because I told them what I did, it’s easy to discover the right spot. What blew me away is that tens of thousands of hacker wannabes, scanning my system for the new port using Nmap, didn’t realize that Nmap, if left to its own defaults, doesn’t look on nondefault ports. It proved that by doing a simple port move you significantly reduce your risk.

Innovative security technique No. 5: Installing to custom directories

Another security-by-obscurity defense is to install applications to nondefault directories.

This one doesn’t work as well as it used to, given that most attacks happen at the application file level today, but it still has value. Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk — automated malware almost never looks anywhere but the default directories. If malware is able to exploit your system or application, it will try to manipulate the system or application by looking for default directories. Install your OS or application to a nonstandard directory and you screw up its coding.

On many of my honeypots, I install the OS to nondefault folders — say, in C:/Win7 instead of C:/Windows. I usually create the “fake” folders that mimic the real ones, had I installed the software and taken the defaults. When my computers get attacked, it’s easy to find complete and isolated copies of the malware hanging out in the C:/Windows/System32 folder.

Changing default folders doesn’t have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.

Innovative security technique No. 6: Tarpits

My first experience with a tarpit product was LaBrea Tarpit. It was developed during the outbreak of the Code Red IIS worm of 2001. Worms readily replicate to any system that matches their exploit capabilities. LaBrea worked by answering connection attempts for addresses not already assigned to legitimate machines. It would then answer and tell the worm to connect, then spend the rest of the time trying to slow down the worm, using various TCP protocol tricks: long timeouts, multiple retransmissions, and so on.

Today, many networks (and honeypots) have tarpit functionality, which answers for any nonvalid connection attempt. When I penetration-test these networks, my attacks and network sweep scanning attacks slow to a crawl — they’re unusable, which is exactly the purpose. The only downside: Tarpits can cause problems with legitimate services if the tarpits answer prematurely because the legitimate server responded slowly. Remember to fine-tune the tarpit to avoid these false positives and enjoy the benefits.

Innovative security technique No. 7: Network traffic flow analysis

With foreign hackers abounding, one of the best ways to discover massive data theft is through network traffic flow analysis. Free and commercial software is available to map your network flows and establish baselines for what should be going where. That way, if you see hundreds of gigabytes of data suddenly and unexpectedly heading offshore, you can investigate. Most of the APT attacks I’ve investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.
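The baseline-then-deviate logic behind flow analysis, as an added example that is not the article's code or any flow product's: build a per-(host, destination country) peak from a normal window, then flag destinations that are new or that exceed a multiple of their peak. The flow totals, host names and the placeholder country code `XX` are constructed for the example.

```python
"""
Baseline outbound flow volume per (host, destination country) and flag
deviations. Added example, not from the article. Records are constructed
daily byte totals in a simplified NetFlow-like form.
"""
from collections import defaultdict

# Constructed baseline window: three days of normal outbound totals (bytes).
BASELINE_DAYS = [
    {("db01", "US"): 2_000_000_000, ("db01", "DE"): 150_000_000, ("web01", "US"): 900_000_000},
    {("db01", "US"): 2_100_000_000, ("db01", "DE"): 140_000_000, ("web01", "US"): 950_000_000},
    {("db01", "US"): 1_900_000_000, ("db01", "DE"): 160_000_000, ("web01", "US"): 880_000_000},
]

# Constructed "today": db01 ships 300 GB to a never-before-seen country (XX is a
# placeholder code), web01 spikes to its usual destination, and a tiny new
# destination for web01 appears that should not be worth an alert on its own.
TODAY = {
    ("db01", "US"): 2_050_000_000,
    ("db01", "DE"): 155_000_000,
    ("db01", "XX"): 300_000_000_000,
    ("web01", "US"): 4_000_000_000,
    ("web01", "FR"): 5_000_000,
}


def build_baseline(days):
    """Per (host, country): the peak daily byte total seen in the baseline window."""
    peak = defaultdict(int)
    for day in days:
        for key, nbytes in day.items():
            peak[key] = max(peak[key], nbytes)
    return dict(peak)


def flag_deviations(today, baseline, factor=3.0, min_new_bytes=1_000_000_000):
    """Return (kind, host, country, bytes) findings, sorted by host and country.

    NEW_DESTINATION: a (host, country) pair absent from the baseline and above
                     min_new_bytes, so a stray small connection is ignored.
    VOLUME_SPIKE:    a known pair exceeding factor x its baseline peak.
    """
    findings = []
    for (host, country), nbytes in sorted(today.items()):
        peak = baseline.get((host, country))
        if peak is None:
            if nbytes >= min_new_bytes:
                findings.append(("NEW_DESTINATION", host, country, nbytes))
        elif nbytes > factor * peak:
            findings.append(("VOLUME_SPIKE", host, country, nbytes))
    return findings


if __name__ == "__main__":
    for kind, host, country, nbytes in flag_deviations(TODAY, build_baseline(BASELINE_DAYS)):
        print(f"{kind}: {host} -> {country} {nbytes / 1e9:.1f} GB")
```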

Innovative security technique No. 8: Screensavers

Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they’re now a staple on every computing device, from laptops to slates to mobile phones.

I remember one time leaving my smartphone in a cab, right after an argument with the cab driver over the bill (he had taken me on a much longer, more circuitous route than necessary). I immediately considered that phone long gone. I was worried because I had just chatted with my wife, so the phone was open and exposed. I store my passwords and other personal information on the phone, although slightly modified so that anyone reading it directly wouldn’t know the true passwords or numbers. I was more worried about the contact information for my wife, daughters, and other loved ones. Luckily, I knew my screensaver would kick in momentarily. I never found the phone, but I didn’t get any weird calls or charges either.

Innovative security technique No. 9: Disabling Internet browsing on servers

Most computer risk is incurred by users’ actions on the Internet. Organizations that disable Internet browsing or all Internet access on servers that don’t need the connections significantly reduce that server’s exposure to malicious activity. You don’t want bored admins picking up their email and posting to social networking sites while they’re waiting for a patch to download. Instead, block what isn’t needed. For companies using Windows servers, consider disabling UAC (User Account Control) because the risk to the desktop that UAC minimizes isn’t there. UAC can cause some security issues, so disabling it while maintaining strong security is a boon for many organizations.

Innovative security technique No. 10: Security-minded development

Any organization producing custom code should integrate security practices into its development process — ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.

This practice, sometimes known as SDL (Security Development Lifecycle), differs from educator to educator, but often includes the following tenets: use of secure programming languages; avoidance of knowingly insecure programming functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of producing security bug-ridden code.

Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.

Retrieved from Computerworld

DNS Changer Malware: What to Do If Your Computer’s Hit

Planning on using the Internet Monday? You might want to join the thousands of people who are checking their computers to make sure they won’t lose connection.

The FBI’s temporary Internet servers will go dark Monday, leaving thousands of unsuspecting malware-infected individuals without online access.

What temporary Internet servers, you ask? They might have been connecting you to Facebook, YouTube, and — ahem! — ABCNews.com for the last month, and you didn’t even know it. Really.

Why is this happening? It all has to do with a piece of computer malware called DNS Changer.

It started in 2007, when a group of hackers — six Estonians and one Russian — allegedly started masquerading as Internet advertisers who were paid by the click, according to a 2011 indictment from the U.S. Attorney General’s Office in the Southern District of New York. In other words, if an ad got more clicks, they pocketed more cash.

So they figured out a way to beat the system, according to the indictment. They created a piece of malware, called DNS Changer, that tampered with the DNS — the thing that takes a website address and finds the numerical IP address to connect you to that website — redirecting millions of Internet users to sites they didn’t search for.

The FBI is shutting down temporary internet servers, leaving unsuspecting malware-infected individuals without internet.

For instance, if your computer was infected and you clicked a link to go to Netflix, you would wind up at “BudgetMatch,” according to the FBI. The practice is called “click hijacking.”

Once the FBI got around to fixing the problem in 2011, it realized it couldn’t simply shut down the rogue servers because infected computers would be left without a functioning DNS, leaving them virtually Internet-less. So it set up temporary servers to give malware-infected Internet users time to fix their computers.

And time runs out on Monday, July 9.

(There isn’t a planned attack this Monday that will shut down the Internet; those whose computers are already infected will lose the Band-Aid the FBI put on the problem more than a year ago.)

Who Is Affected?

Initially, there were more than 4 million infected computers in 100 countries, including 500,000 in the United States, according to the indictment.

As of July 4, there were only about 46,000 in the United States, FBI spokeswoman Jenny Shearer told ABCNews.com today. (That’s out of nearly 300,000 worldwide.)

PCs and Apple Macs have been infected. Routers and iPads were hit, too.

As of June, the United States had more infected computers than any other country, according to data from the DNS Changer Working Group, or DCWG, a group working on cleanup resulting from the malware.

How Do I Know if My Computer Is Infected?

You can check to see whether your computer is infected by clicking on this link, which is run by DCWG.

If the page is green, you’re in the clear. If it’s red, your computer is infected.

On Thursday the site got 2 million hits, but very few of those computers were infected, DCWG volunteer Barry Greene told ABCNews.com.

Google and Facebook say they have also set up notifications for infected users. If you type in a search term and see a message that says, “Your computer appears to be infected” at the top of your screen, guess what. Your computer is infected.

Comcast, AT&T and Verizon are among the other organizations notifying customers if they have infected machines.

Important: According to DCWG, you should not need to scan, make changes or download anything to tell whether your computer is infected.

My Computer Is Infected. Now What?

The good news is DCWG has put together a page of trusted tools and a step-by-step guide for how to fix your computer.

The bad news is it can take a day or two actually to fix the problem, Greene told ABCNews.com. That’s because the malware is in a deep section of the hard drive called the “boot sector.”

“The malware problem out there is nasty, and it’s impacted society on multiple levels,” Greene said. “It’s extremely hard to get rid of. In most companies, if they get infected with it, they throw away the hard drive.”

If you can’t do that, follow the instructions. They include backing up your files and reinstalling your operating system.

What Do I Do if I Lose Internet on Monday?

The FBI and DCWG recommend contacting your Internet service provider. They’ll be able to give you instructions on what to do next.

Retrieved from ABC News

Cisco Changes Privacy Policy in Cloud Connect Service

The networking giant responds to complaints from users about the automatic firmware updates to their new Linksys WiFi routers and privacy policy for Cloud Connect.

Cisco Systems officials are trying to repair the damage from the ham-fisted rollout of its Connect Cloud service, which angered users of some of the company’s Linksys wireless routers who suddenly found they could no longer log in after an update, and then were told that Cisco was collecting their Internet histories.

The problems started after Cisco made its new Connect Cloud service available June 27. The service is designed to make it easy for consumers to connect their myriad mobile devices to their WiFi networks, and to manage those networks remotely via the mobile devices. Cisco officials said the service takes care of the various tasks involved with setting up and connecting devices to the network.

However, when the service went live, Cisco automatically pushed out an update for its new Linksys Smart WiFi routers, which the company introduced several months ago and has since reportedly sold more than 500,000. According to users, the update automatically connected the routers to the Cisco Connect Cloud, and users were unable to log in using the passwords they had used for their network management interface. Instead, they were asked to sign up for Connect Cloud.

At the same time, security concerns were quickly raised over a graph in the privacy policy for Connect Cloud. According to the policy, Cisco essentially could collect a wide variety of information on users, from their Internet histories to the status of the network to the Connect Cloud-related apps they’re using. The information was needed to help Cisco better respond to concerns and requests, or improve the service.

At a time when Web users are particularly keyed into issues of privacy—as illustrated by the uproars caused by Facebook, Google and similar Web companies when they make changes in their policies—the reaction to Cisco’s maneuvers was quick and strident on such Websites as Slashdot.

“This is typical of the short-term thinking that is all too common among corporations today,” one user wrote on Slashdot. “They’re throwing away their credibility with professional users—you know, the ones who buy the expensive Cisco gear that generates most of their profits—so they can grab a few quick bucks by data-mining the consumer market.”

“I’ll never buy another Linksys product,” said another person. “I don’t want remote administration from the public Internet side of a router.”

Cisco officials have been trying to calm the roiling waters since. The company has replaced the original offending security policy graph with a more benign one—including removing the part about collecting users’ Internet histories. In addition, in a blog post June 29, Brett Wingo, vice president and general manager of Cisco’s Home Networking unit, assured users that the company did not intend to violate their sense of privacy.

“Cisco prides itself on offering the best customer experiences, and privacy and security are at the core of everything we do,” Wingo wrote. “That goes for Cisco Connect Cloud, too. When a customer signs up for a Cisco Connect Cloud account, personal information is used only to establish an account in order to provide customer support. Consistent with Cisco’s practices, Cisco Connect Cloud does not actively track, collect or store personal info or usage data for any other purposes, nor is it transmitted to third parties.”

Cisco officials also are looking to better explain issues surrounding the automatic firmware updates and Connect Cloud options. On the company’s Website, officials laid out instructions for returning the router’s firmware to its original status and ensuring that users no longer get automatic upgrades. Users also can call Linksys customer support at 800-326-7114, and a customer service agent will walk them through the process of reverting the router back to its traditional set up.

Wingo also addressed it in his blog. “Cisco Connect Cloud was delivered only to consumers who opted in to automatic updates,” he said. “However, we apologize that the opt-out process for Cisco Connect Cloud and automatic updates was not more clear in this product release, and we are developing an updated version that will improve this process.”

Wingo said that Cisco takes the feedback it’s gotten seriously, but hoped that despite the problems, users will “give Cisco Connect Cloud a try, though. I think you’ll find it’s a great way to simplify how you connect, control and interact with your connected devices, including personal entertainment and home appliances.”

Retrieved from eweek

Malware may knock thousands off Internet on Monday

WASHINGTON —

The warnings about the Internet problem have been splashed across Facebook and Google. Internet service providers have sent notices, and the FBI set up a special website.

But tens of thousands of Americans may still lose their Internet service Monday unless they do a quick check of their computers for malware that could have taken over their machines more than a year ago.

Despite repeated alerts, the number of computers that probably are infected is more than 277,000 worldwide, down from about 360,000 in April. Of those still infected, the FBI believes that about 64,000 are in the United States.

Users whose computers are still infected Monday will lose their ability to go online, and they will have to call their service providers for help deleting the malware and reconnecting to the Internet.

The problem began when international hackers ran an online advertising scam to take control of more than 570,000 infected computers around the world. When the FBI went in to take down the hackers late last year, agents realized that if they turned off the malicious servers being used to control the computers, all the victims would lose their Internet service.

In a highly unusual move, the FBI set up a safety net. They brought in a private company to install two clean Internet servers to take over for the malicious servers so that people would not suddenly lose their Internet.

But that temporary system will be shut down at 12:01 a.m. EDT Monday, July 9.

Most victims don’t even know their computers have been infected, although the malicious software probably has slowed their Web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

But popular social networking sites and Internet providers have gotten more involved, reaching out to computer users to warn of the problem.

According to Tom Grasso, an FBI supervisory special agent, many Internet providers are ready for the problem and have plans to try to help their customers. Some, such as Comcast, already have reached out.

The company sent out notices and posted information on its website. Because the company can tell whether there is a problem with a customer’s Internet server, Comcast sent an email, letter or Internet notice to customers whose computers appeared to be affected.

Grasso said other Internet providers may come up with technical solutions that they will put in place Monday that will either correct the problem or provide information to customers when they call to say their Internet isn’t working. If the Internet providers correct the server problem, the Internet will work, but the malware will remain on victims’ computers and could pose future problems.

In addition to individual computer owners, about 50 Fortune 500 companies are still infected, Grasso said.

Both Facebook and Google created their own warning messages that showed up if someone using either site appeared to have an infected computer. Facebook users would get a message that says, “Your computer or network might be infected,” along with a link that users can click for more information.

Google users got a similar message, displayed at the top of a Google search results page. It also provides information on correcting the problem.

To check whether a computer is infected, users can visit a website run by the group brought in by the FBI: http://www.dcwg.org .

The site includes links to respected commercial sites that will run a quick check on the computer, and it also lays out detailed instructions if users want to actually check the computer themselves.

Retrieved from UTICA OD

Cisco Changes Privacy Policy in Cloud Connect Service

The networking giant responds to complaints from users about the automatic firmware updates to their new Linksys WiFi routers and privacy policy for Cloud Connect.

Cisco Systems officials are trying to repair the damage from the ham-fisted rollout of its Connect Cloud service, which angered users of some of the company€™s Linksys wireless routers who suddenly found they could no longer log in after an update, and then were told that Cisco was collecting their Internet histories.

The problems started after Cisco made its new Connect Cloud service available June 27. The service is designed to make it easy for consumers to connect their myriad mobile devices to their WiFi networks, and to manage those networks remotely via the mobile devices. Cisco officials said the service takes care of the various tasks involved with setting up and connecting devices to the network.

However, when the service went live, Cisco automatically pushed out an update for its new Linksys Smart WiFi routers, which the company introduced several months ago and has since reportedly sold more than 500,000. According to users, the update automatically connected the routers to the Cisco Connect Cloud, and users were unable to log in using the passwords they had used for their network management interface. Instead, they were asked to sign up for Connect Cloud.

At the same time, security concerns were quickly raised over a graph in the privacy policy for Connect Cloud. According to the policy, Cisco essentially could collect a wide variety of information on users, from their Internet histories to the status of the network to the Connect Cloud-related apps they€™re using. The information was needed to help Cisco better respond to concerns and requests, or improve the service.

At a time when Web users are particularly keyed into issues of privacy€”as illustrated by the uproars caused by Facebook, Google and similar Web companies when they make changes in their policies€”the reaction to Cisco€™s maneuvers was quick and strident on such Websites as Slashdot.

€œThis is typical of the short-term thinking that is all too common among corporations today,€ one user wrote on Slashdot. €œThey’re throwing away their credibility with professional users€”you know, the ones who buy the expensive Cisco gear that generates most of their profits€”so they can grab a few quick bucks by data-mining the consumer market.€

€œI’ll never buy another Linksys product,€ said another person. €œI don’t want remote administration from the public Internet side of a router.€

Cisco officials have been trying to calm the roiling waters since. The company has replaced the original offending security policy graph with a more benign one€”including removing the part about collecting users€™ Internet histories. In addition, in a blog post June 29, Brett Wingo, vice president and general manager of Cisco€™s Home Networking unit, assured users that the company did not intend to violate their sense of privacy.

€œCisco prides itself on offering the best customer experiences, and privacy and security are at the core of everything we do,€ Wingo wrote. €œThat goes for Cisco Connect Cloud, too. When a customer signs up for a Cisco Connect Cloud account, personal information is used only to establish an account in order to provide customer support. Consistent with Cisco€™s practices, Cisco Connect Cloud does not actively track, collect or store personal info or usage data for any other purposes, nor is it transmitted to third parties.€

Cisco officials also are looking to better explain issues surrounding the automatic firmware updates and Connect Cloud options. On the company€™s Website, officials laid out instructions for returning the router€™s firmware to its original status and ensuring that users no longer get automatic upgrades. Users also can call Linksys customer support at 800-326-7114, and a customer service agent will walk them through the process of reverting the router back to its traditional set up.

Wingo also addressed it in his blog. “Cisco Connect Cloud was delivered only to consumers who opted in to automatic updates,” he said. “However, we apologize that the opt-out process for Cisco Connect Cloud and automatic updates was not more clear in this product release, and we are developing an updated version that will improve this process.”

Wingo said that Cisco takes the feedback it’s gotten seriously, but hoped that despite the problems, users will “give Cisco Connect Cloud a try, though. I think you’ll find it’s a great way to simplify how you connect, control and interact with your connected devices, including personal entertainment and home appliances.”

Retrieved from eweek

FBI to kill servers supporting DNSChanger virus victims

Hundreds of thousands of people around the world could lose access to the Internet on July 9, when the FBI plans to shut down the temporary servers that have been serving victims of a virus. That virus is called DNSChanger, and the temporary DNS servers were put in place to keep victims of the Internet fraud ring behind it online. Any computer that still points at those servers will no longer be able to resolve domain names, and so in practice will be unable to go online, starting July 9.

Before people with infected systems can get back online, they will have to clean the DNSChanger virus off the computer and restore legitimate DNS settings, since removing the malware does not by itself undo the changes it made. The shutdown of the temporary servers is the final move in an FBI operation called Ghost Click, which spanned two years and officially ended in November 2011. The virus changed victims’ DNS server settings, routing their lookups to websites of the hackers’ choosing.

Some of those websites were fraudulent in nature, according to authorities. Six Estonians behind the fraud ring were arrested by the FBI during the course of the investigation. The virus was originally disseminated via traditional channels, including e-mail and other malware. The FBI had replaced the hackers’ rogue servers with “clean” servers to keep PCs infected by the virus online.
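Whether a machine is still pointed at the soon-to-be-shut-down servers can be read straight from its resolver configuration. The script below is an added example, not code from the SlashGear article or from the FBI: it parses a Unix `/etc/resolv.conf` or the output of Windows `ipconfig /all` and checks each configured resolver against the rogue DNS address ranges the FBI published in its DNSChanger advisory. Those ranges are not listed on this page and are reproduced here from that advisory, so treat them as an assumption to verify against the advisory before relying on the check; the two sample inputs are constructed so the script runs offline.

```python
"""Check configured DNS resolvers against the DNSChanger rogue server ranges."""
import ipaddress
import os
import re

# Rogue DNS server blocks attributed to the DNSChanger operators, as given in
# the FBI's DNSChanger advisory. ASSUMPTION: reproduced from the advisory, not
# from the article above; verify before use.
ROGUE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf on an infected Linux/macOS host (constructed sample)
nameserver 85.255.113.47
nameserver 192.168.1.1
options timeout:2
"""

SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 64.28.180.9
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
_WIN_DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")


def _looks_like_ip(text):
    """True if text (minus any IPv6 zone id) parses as an IP address."""
    try:
        ipaddress.ip_address(text.split("%", 1)[0])
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    return _NAMESERVER_RE.findall(text)


def parse_ipconfig(text):
    """Return the resolver addresses from `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines that hold only an address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        match = _WIN_DNS_RE.match(line)
        if match:
            servers.append(match.group(1))
            in_dns_block = True
            continue
        if in_dns_block and _looks_like_ip(line.strip()):
            servers.append(line.strip())
            continue
        in_dns_block = False
    return servers


def is_rogue(addr):
    """True if addr falls inside one of the DNSChanger rogue ranges."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])
    except ValueError:
        return False  # not an address at all, so nothing to match
    # An IPv6 address is never contained in an IPv4 network; any() yields False.
    return any(ip in net for net in ROGUE_RANGES)


def audit(servers):
    """Pair each resolver with its verdict; any True means DNSChanger settings."""
    return [(server, is_rogue(server)) for server in servers]


def audit_text(text):
    """Audit resolv.conf or ipconfig text, whichever format the text is in."""
    servers = parse_resolv_conf(text) or parse_ipconfig(text)
    return audit(servers)


if __name__ == "__main__":
    # Real check on a Unix host; elsewhere fall back to the constructed samples.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            report = audit_text(fh.read())
    else:
        report = audit_text(SAMPLE_RESOLV_CONF) + audit_text(SAMPLE_IPCONFIG)
    for server, rogue in report:
        print(f"{server:<40} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

A hit on any resolver means the host (or the home router handing out DNS via DHCP, which the DNSChanger operators also reconfigured where they could) is still dependent on the servers the FBI is about to switch off; cleaning the malware and then setting the resolvers back to the ISP's or a known public DNS server is what restores name resolution after July 9.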

Retrieved from Slash Gear

US defence biz fined for busting China arms embargo

No need for cyber-spying – just buy the damn software

A top US defence contractor has been fined $75m (£47.8m) for flogging software to China that was a vital component in the country’s first attack helicopter.

United Technologies and its two subsidiaries Pratt & Whitney Canada (PWC) and Hamilton Sundstrand ‘fessed up to more than 500 violations of export restrictions in a federal court at the tail end of last week.

The headline grabber, however, involves the engine control software without which China could not have completed development of its Z-10 attack chopper – a battlefield-ready beast capable of carrying 30mm cannons, anti-tank guided missiles, air-to-air missiles and unguided rockets.

According to US Immigration and Customs Enforcement (ICE), which carried out the investigation, PWC turned a blind eye to the potential military use of the software in hope of securing a lucrative contract for civilian choppers from China – a $2bn deal that never appeared.

PWC had previously sold the Asian nation ten commercial development engines that did not require export licenses. However, the biz then wilfully followed that up with electronic engine control software made by Hamilton Sundstrand and modified it for use in a military helicopter, ICE said.

The export of “defence articles and associated technical data” has been banned by the US since the 1989 Tiananmen Square massacre.

The companies did themselves no favours by failing to disclose the illegal exports for several years and then making numerous false statements to the US State Department.

“PWC exported controlled US technology to China, knowing it would be used in the development of a military attack helicopter in violation of the US arms embargo with China,” said US Attorney David Fein.

“PWC took what it described internally as a ‘calculated risk’, because it wanted to become the exclusive supplier for a civil helicopter market in China with projected revenues of up to $2 billion. Several years after the violations were known, UTC, HSC and PWC disclosed the violations to the government and made false statements in doing so.”

United Technologies CEO and chairman Louis Chênevert issued the following canned statement:

Export controls are an integral part of safeguarding US national security and foreign policy interests. As a supplier of controlled products and technologies to the Department of Defense and other domestic and international customers, we are committed to conducting business in full compliance with all export laws and regulations. We accept responsibility for these past violations and we deeply regret they occurred.

The fine, $20m of which can be used by United towards a compliance programme, is unlikely to financially affect a firm with revenues exceeding $50bn, but the case will be a huge embarrassment to the US.

Politicians and military officials had been increasingly vocal in their criticism of China’s state-sponsored cyber espionage, much of it directed at stealing military intelligence, while another national security threat, the private sector simply selling restricted technology, was in fact much closer to home.

China’s inexorable rise will soon see it take America’s crown as preeminent global superpower and in the end it is this new economic reality, and incidents like this which it gives rise to, which could yet prove the biggest threat to US hegemony.

Retrieved from The Register