Monthly Archives: August 2013

Major DDoS attacks .cn domain; disrupts Internet in China

China’s Internet was hit with a major distributed denial of service (DDoS) attack Sunday morning that briefly disrupted and slowed access to sites in the .cn domain.

The DDoS attack was the largest in history against the domain servers for China’s .cn ccTLD (country code top level domain), according to the China Internet Network Information Center (CNNIC), which administers the domain.

The first attack started Sunday around midnight Beijing time, and was then succeeded by a larger attack at 4 a.m., the CNNIC said in an Internet posting. A number of sites were affected, but Internet service to the sites had been gradually restored by 10 a.m. Sunday.

It’s unclear where the attack originated from or if it was still continuing. A CNNIC spokeswoman said on Monday it would update the public once more information was gathered. Chinese regulators have already launched unspecified measures to protect the domain system, while CNNIC has apologized for the disruption.

China has often been accused of launching DDoS attacks. In this year’s first quarter, it was the top source country for DDoS attacks, according to security vendor Prolexic. The U.S. was ranked second.

DDoS attacks commonly work by deploying armies of hacked computers to send traffic to a website, saturating it with data so that it becomes inaccessible to normal users.

China, however, has said it’s facing a surge of Trojan and botnet attacks against the country. Many of those attacks are coming from the U.S., South Korea and Germany. China has also denied that the country sponsors hacking, despite claims brought by U.S. officials and security vendor Mandiant that its government actively conducts cyber-espionage.

Retrieved from Computerworld


NSA collected thousands of e-mails by Americans

WASHINGTON — The nation’s top intelligence official on Wednesday declassified three secret U.S. court opinions and other classified documents that reveal how the National Security Agency intercepted thousands of e-mails from Americans with no connection to terrorism.

Director of National Intelligence James Clapper authorized the release and the agency published the documents on a newly created Tumblr page dubbed IC on the Record.

The latest revelations come amid growing criticism from members of Congress and privacy groups about the NSA surveillance programs and charges that the agency has far overstepped its bounds in collecting information on U.S. citizens. There are already bipartisan efforts in Congress to rein in the programs and increase oversight of the intelligence agencies.

The declassification of documents also follows President Obama’s call on Clapper in June to release more information about U.S. surveillance programs in response to public outcry, triggered by former National Security Agency contractor Edward Snowden’s leaking of details of previously secret intelligence gathering programs.

Some of the documents shine a harsh light on how the NSA operated.

The Foreign Intelligence Surveillance Court, authorized to oversee surveillance requests, first learned in 2011 of problems involving “upstream collection” that led to the intelligence community unlawfully scooping up thousands of emails from U.S. accounts over a three-year period. One opinion shows that the NSA reported to the FISA court in 2011 that it inadvertently collected as many as 56,000 Internet communications by Americans with no connection to terrorism.

In the strongly worded 86-page opinion, U.S. District Judge John Bates, who was then the court’s chief judge, wrote that the “volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe.”

Bates blasted the NSA for mishandling thousands of e-mails from Americans over those three years, and said the NSA’s disclosures about its e-mail collection effort “fundamentally alters the court’s understanding of the scope of the collection … and requires careful re-examination of many of the assessments and presumptions underlying prior approvals.”

Sen. Richard Blumenthal, D-Conn., said the latest revelation underscores the need for greater oversight of the intelligence community. Blumenthal has proposed legislation calling for a special advocate to represent the public’s interest in the secret FISA court proceedings.

“Now, the question is how many other such unconstitutional practices occurred without the court knowing, and without a special advocate to blow the whistle?” Blumenthal said. “This highly intrusive breach highlights the need for reforming the FISA court system to assure greater respect for constitutional rights, and to ensure that the American people have faith and trust in the institutions charged with keeping us safe.”

Retrieved from USA Today


Hackers Tweak Tactics to Maximize Profits, Send Android Malware Soaring


Malware on Google’s (GOOG) Android grew 35% in the second quarter, the fastest pace since early 2012, as hackers infiltrated systems using malicious apps and SMS stealing and tweaked tactics to maximize profits, according to Intel’s (INTC) McAfee.

The security division’s research arm, which unveiled its second-quarter threats report on Wednesday, also registered an alarming increase in mobile ransomware samples in the second quarter and said spam continued to accelerate, with more than 5.5 trillion spam messages being sent, representing roughly 70% of total global email volume.

“The mobile cybercrime landscape is becoming more defined as cybergangs determine which tactics are most effective and profitable,” said Vincent Weafer, senior vice president of McAfee Labs. “As in other mature areas of cybercrime, the profit motive of hacking bank accounts has eclipsed the technical challenges of bypassing digital trust.”

Among the primary methods used by thieves through Android devices were SMS-stealing banking malware, fraudulent dating and entertainment apps, legitimate apps laced with malicious weaponry and malicious apps posing as useful tools.

The banking scheme takes advantage of commercial banks’ two-factor authentication, capturing the traditional usernames and passwords, then intercepting the SMS that contains a log-in code so that hackers gain direct access to accounts.

Fraudulent dating and entertainment apps dupe users into signing up for non-existent services. Hackers augment profits by selling user information and other personal data stored on devices.

Outside of mobile threats, the second quarter recorded a 16% increase in suspicious URLs, a 50% increase in digitally-signed malware samples and notable events in the cyber-attack and espionage areas.

The report comes amid ongoing attacks on the digital currency Bitcoin and Operation Troy’s targeting of U.S. and South Korean military assets, McAfee said, as well as a resurgence of reported denial of service attacks against major U.S. banks and an onslaught of attacks that have downed the sites of several mainstream media outlets, including Washington Post and CNN.

The increased pace of infiltration is a reflection of hackers adapting their tactics to stay ahead of evolving security mechanisms and tweaking schemes to drive the greatest profit.

Part of that includes using more ransomware, a type of extortion where malware restricts access to the system it infects and demands ransom paid to the creator. The number of new samples of ransomware exceeded 320,000 last quarter, more than twice as many as in the previous period.

It’s a “creative combination of disruption, distraction and destruction to veil advanced targeted attacks,” McAfee said in the report.

Retrieved from Fox News



Cloud Is Actually Expanding The Role Of Information Technology Departments, Cisco-Intel Survey Finds

We’ve been hearing about it for several years now: that IT departments will shrink or disperse as cloud computing takes hold in enterprises. A new survey, however, suggests that IT departments are actually expanding, and IT leaders are taking on elevated roles within businesses as a result of cloud.

The survey of 4,226 IT leaders across the globe, conducted by Cisco Consulting Services, in partnership with Intel, finds that while cloud adoption within enterprises is growing — now accounting for 23 percent of IT spending, and expected to rise to 27 percent over the next three years — there is no discernible reduction in on-premises IT taking place. In fact, a majority, 57 percent, see the size of IT increasing in terms of full-time IT headcount.

Rather than viewing IT as marginalized, 76 percent of respondents see IT as taking on a new role as a “broker,” or intermediary, of cloud services, orchestrating the planning and procurement process for lines-of-business (LOBs) across internal and external clouds while managing third-party complexity.

The study’s authors note that the increased centralization and elevation of IT resources may seem counterintuitive in an era in which many LOBs are taking on their own technology budgets and initiatives. Indeed, the survey also finds that LOBs are funding 44 percent of total IT spending globally, and 69 percent predict that this share will only increase over the next three years. “Rogue” or “shadow” IT spending may imply an even higher percentage of IT spending by LOBs — 55 percent say they have witnessed a “somewhat” or “significantly increasing” incidence of so-called “shadow IT spending” over the past two years.

However, IT leaders provide a “level of coordination, consistency, and security atop what is clearly a fragmented innovation landscape among LOBs, including both customers and partners,” the study states. This calls for greater partnership and coordination between business and IT leaders as cloud adoption accelerates within enterprises.

Much of the purchasing of IT services is shifting directly to business managers — but they still need and seek the guidance of their technology leaders to make sure their investments are going to the right places.

Retrieved from Forbes


Android Malware uses Google Cloud Messaging; infected over 5 Million Devices

Kaspersky Lab researchers recently discovered a number of Android malware apps that abuse the Google Cloud Messaging Service (GCM) as a command and control server. The GCM service lets Android app developers send JSON-formatted messages to installed apps, but the attackers exploited it for malicious purposes.
Using GCM as a command and control channel for Android malware is not a new concept: last year security researcher and hacker ‘Mohit Kumar‘ demonstrated ‘Android Malware Engine‘, one of the most sophisticated Android malware samples, at the Malcon conference.

The Kaspersky Lab researchers have detected at least five different Android Trojans that used JSON format:

  1. SMS.AndroidOS.FakeInst.a
  2.
  3. SMS.AndroidOS.OpFake.a
  4. Backdoor.AndroidOS.Maxit.a
  5.
The authors of the malware in every case took advantage of GCM to exchange messages between the C&C servers and the malicious app. Once a GCM registration ID has been obtained, malware updates are distributed directly through Google’s cloud service, and every command sent to the malicious agent likewise travels through the service in JSON format.

Android Malware using Google Cloud Messaging Service

GCM acts as the command and control server for the Trojans, which makes malware updates look like official updates delivered via Google.

Furthermore, the execution of commands received from GCM is performed by the GCM system, and it is impossible to block them directly on an infected device. The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.
SMS.AndroidOS.FakeInst.a is the most widespread agent: according to Kaspersky experts, more than 4,800,000 installers have been detected and around 160,000 attempted installations were blocked in 2012.
“It can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs that are spread under the guise of useful applications or games,” states the Kaspersky blog post. The second Trojan is presented as a porn app and has the primary intent of sending messages to premium numbers, while SMS.AndroidOS.OpFake.a is a typical malicious SMS application, of which more than 1 million installers have also been detected.

This last malware is also able to steal sensitive information such as contacts from the victim’s handset, and it can self-update its code. The agent appeared very active and was detected in 97 different countries, the majority in Russia and eastern countries.
The Kaspersky team has blocked more than 60,000 attempted installs. The Trojan receives several commands from both GCM and its own C&C servers, such as:

  • Sending premium text messages to a specified number
  • Sending text messages
  • Performing self-updates
  • Stealing text messages
  • Deleting incoming text messages that meet the criteria set by the C&C
  • Theft of contacts
  • Replacing the C&C or GCM numbers
  • Stopping or restarting its operations
The Backdoor.AndroidOS.Maxit Trojan is quite old: the first instance was detected in late 2011 and it appears to be continuously updated. Today the experts count more than 40 different variants, found most often in Malaysia, Thailand, the Philippines and Burma.
“All of these modifications are very similar to one another,” the post continues: “the app opens websites with games, while malicious operations are executed in the background.” It has been found most often in Malaysia, but also in Thailand, the Philippines and Burma.
The first thing the backdoor sets out to do is collect information about the phone and the SIM card, including the phone number and the mobile provider. All of this data is uploaded to the C&C, the server that manages all of the Trojan’s primary functions.
The last Trojan was detected for the first time in May 2012 and is a shell app for a Vietnamese porn website which is also able to send text messages to a premium number.
The number of malware samples that exploit GCM is bound to increase even though it is still relatively low, as the data on their spread shows. These samples are prevalent in Western Europe, the CIS and Asia. Virus writers know very well that execution of commands received from GCM is performed by the GCM system and that it is impossible to block them directly on an infected device.
Currently the only option for security experts is to block developer accounts with IDs linked to the registration of malicious applications.
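The article notes that commands arriving over GCM cannot be blocked on the device itself, so the practical place for a defender to look is the app before it is installed. The following Python check, an added example that is neither Kaspersky’s nor Google’s code, parses an Android manifest and flags the permission combination the Trojans above depend on: registering for GCM messages while also holding SMS send/receive permissions (and, optionally, contacts access). The two GCM identifiers are the real 2013-era ones; both manifests are constructed samples, and treating this combination as an indicator is a heuristic assumption, not a rule from the article.

```python
"""Heuristic manifest check for the GCM + SMS permission combination.

Added example (not the project's or Kaspersky's code). Flags an APK manifest
that both registers a Google Cloud Messaging receiver and requests SMS
permissions, the combination the premium-SMS Trojans described above rely on.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Real identifiers from the GCM client documentation of the time.
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Capabilities matching the command list above (send, read, delete SMS; steal contacts).
SMS_SEND = "android.permission.SEND_SMS"
SMS_RECEIVE = "android.permission.RECEIVE_SMS"
SMS_READ = "android.permission.READ_SMS"
CONTACTS_READ = "android.permission.READ_CONTACTS"

# Constructed manifest resembling a premium-SMS Trojan that listens on GCM.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Games">
    <receiver android:name=".GcmReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a benign chat app: uses GCM, but no SMS or contacts access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:label="Chat">
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def has_gcm_receiver(root):
    """True if any <receiver> has an intent-filter for the GCM receive action."""
    return any(
        action.get(NAME_ATTR) == GCM_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )


def assess(manifest_xml):
    """Return the GCM/SMS facts found plus a verdict: 'ok', 'review' or 'suspicious'."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    uses_gcm = GCM_PERMISSION in perms or has_gcm_receiver(root)
    sms_perms = perms & {SMS_SEND, SMS_RECEIVE, SMS_READ}
    contacts = CONTACTS_READ in perms

    if uses_gcm and SMS_SEND in sms_perms:
        verdict = "suspicious"  # remote-controllable app that can send (premium) SMS
    elif uses_gcm and (sms_perms or contacts):
        verdict = "review"  # push channel plus data access: worth a closer look
    else:
        verdict = "ok"
    return {"gcm": uses_gcm, "sms": sms_perms, "contacts": contacts, "verdict": verdict}


if __name__ == "__main__":
    for label, xml in (("fakegame", SUSPICIOUS_MANIFEST), ("chat", BENIGN_MANIFEST)):
        print(label, assess(xml))
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool) before it can be fed to `assess`. The GCM identifiers reflect the service as it existed in 2013; GCM has since been replaced by Firebase Cloud Messaging, so an equivalent check today would look for the FCM service declaration instead.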


Retrieved from The Hacker News


Silent Circle Preemptively Shuts Down Encrypted Email Service To Prevent NSA Spying



“We knew USG would come after us”. That’s why Silent Circle CEO Michael Janke tells TechCrunch his company shut down its Silent Mail encrypted email service. It hadn’t been told to provide data to the government, but after Lavabit shut down today rather than be “complicit” with NSA spying, Silent Circle told customers it has killed off Silent Mail rather than risk their privacy.

The Silent Circle blog post explains “We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now.” It’s especially damning considering Silent Circle’s co-founder and president is Phil Zimmermann, the inventor of widely-used email encryption program Pretty Good Privacy.

Silent Circle reportedly had revenue increase 400% month-over-month in July after corporate enterprise customers switched to its services in hopes of avoiding surveillance. The company giddily told Forbes it planned to nearly double staff and significantly increase revenue this year in part thanks to the NSA’s practices coming to light. In light of those comments, today’s news about shutting down Silent Mail seems a bit sobering.

Silent Circle’s other secure services, including Silent Phone and Silent Text, will continue to operate, as they do all the encryption on the client side within users’ devices. But it explained that “Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has.” With too many opportunities for information and metadata leaks in the SMTP, POP3, and IMAP email protocols, the company believes there was no way to live up to its promise of total privacy.

In a statement to TechCrunch about whether the shutdown was only because Silent Circle felt email was insecure, CEO Michael Janke tells us:

“It goes deeper than that. There are some very high profile people on Silent Circle- and I mean very targeted people- as well as heads of state, human rights groups, reporters, special operations units from many countries. We wanted to be proactive because we knew USG would come after us due to the sheer amount of people who use us- let alone the “highly targeted high profile people”. They are completely secure and clean on Silent Phone, Silent Text and Silent Eyes, but email is broken because govt can force us to turn over what we have. So to protect everyone and to drive them to use the other three peer to peer products- we made the decision to do this before men on [SIC] suits show up. Now- they are completely shut down- nothing they can get from us or try and force from us- we literally have nothing anywhere.”

Silent Circle says it had been considering a more conservative slow shut-down of Silent Mail or ceasing to take on new customers, but was inspired to shut down by Lavabit.

That company was reportedly PRISM whistleblower Edward Snowden’s email provider, likely because of its claims of high security. But Lavabit was told by the government to turn over user data, and received a gag order preventing it from publicizing details of the situation. Today Lavabit owner Ladar Levison posted a note to the company’s site saying “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.” He chose the latter.

The move has bolstered critics who are becoming increasingly vocal about how the U.S. government’s surveillance efforts are jeopardizing American technology businesses. They fear international customers may take their cloud business elsewhere in an attempt to avoid the NSA. Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society, wrote that “the U.S. government, in its rush to spy on everybody, may end up killing our most productive industry. Lavabit may just be the canary in the coal mine.”

Now it seems that the negative impact won’t just be in the form of lost customers or businesses shut down upon receiving data demands. The destruction could reach as far as companies unwilling to even risk compromising their values. At this point, the nation’s best hope for reform of spying practices might be making a case that it hurts the economy.

Retrieved from TechCrunch


What to do when data’s too big to just transfer to the cloud

As government agencies consider moving their enterprise data to the cloud, their first question might be: How does it get to the cloud? In most cases, data can be transmitted  via FTP or HTTP protocols, but for some applications — like life sciences, sensor and video surveillance applications — the data is just too big to fit through the pipe. What’s the best option?

Pack it up and ship it out.

Some major cloud vendors now offer a service whereby clients can ship physical media to the data center, where it can be uploaded, eliminating overly long data transfer times. Bulk imports are especially useful when data is first ported to the cloud or for backup and offsite storage. The fees for this service vary, and some cloud providers will also download data from the cloud and ship it via physical media.

AWS Import/Export accelerates transferring large amounts of data between the AWS cloud and portable storage devices that clients ship to Amazon. It uses the company’s multimodal content delivery network that can transmit terabytes of data faster than a T-3 leased line to transfer data from physical media to Amazon S3, Amazon EBS or Amazon Glacier. Amazon charges $80 for each device handled; other costs depend on which Amazon cloud is used as well as the time it takes Amazon to upload the data or decrypt the device. For more information, see the AWS Import/Export documentation.

Google Cloud Storage Offline Disk Import is an experimental feature that is currently available in the United States only. The service gives clients the option to load data into Google Cloud Storage by sending Google physical hard drives that it loads into an empty Cloud Storage bucket. Google requires that the data be encrypted. Because the data is loaded directly into Google’s network, this approach might be faster or less expensive than transferring data over the Internet. According to Google, import pricing is based on a flat fee of $80 per HDD irrespective of the drive capacity or data size. After that, standard Google Cloud Storage pricing fees apply for requests, bandwidth and storage related to the import and subsequent usage of the data, according to the company.

HP Bulk Import Service is still in private beta, but it allows users to load their data into HP Cloud Block Storage or HP Cloud Object Storage. The new service, which is expected to be released in fall 2013, will let users send hard drives directly to HP’s data centers, where data can be rapidly uploaded and transferred.

Rackspace’s Bulk Import to Cloud Files is a service that lets clients send Rackspace physical media to be uploaded directly at the data centers, where “migration specialists” connect the device to a workstation that has a direct link to Rackspace’s Cloud Files infrastructure. Rackspace will not decrypt data, though the company plans to offer that option in the future. Rackspace charges $90 per drive for bulk imports.

For cases where the data is consistently too large to transmit and access demands won’t allow the latency inherent in shipping data, Aspera offers its Fast Adaptive Secure Protocol (FASP) data transfer technology that eliminates the shortcomings of TCP-based file transfer technologies such as FTP and HTTP, the company’s website explains. On a gigabit WAN, FASP can achieve 700-800 megabits/sec transfers with high-end PCs and 400-500 megabits/sec with commodity PCs, the company said.

Aspera said its software is in use and accredited for SIPRnet, JWICS and FIPS 140-2, and it has been vetted by the intelligence community for large data transfers over military networks. It is also used in the 1000 Genomes Project that exchanges data between the National Center for Biotechnology Information and the European Bioinformatics Institute.

Retrieved from GCN


U.S. carriers put a damper on SMS premium texting scams


SEATTLE — Here is something the phone companies got right.

U.S. carriers have quietly instituted policies that largely protect American consumers from a teeming industry of cyberscammers who’ve perfected SMS premium texting scams.

This involves tricking victims into downloading a corrupted mobile app that causes an Android handset to begin placing premium text messages that can cost victims as much as $20 per text.

The scale of what these scammers have accomplished is astounding.

“Mobile malware is a global problem,” says Michael Callahan, a product marketing vice president at switch maker Juniper Networks. “It can be found and downloaded from users from any country.”

Mobile security company Lookout has traced the activities of 10 groups in Russia and Eastern Europe behind complex affiliate programs that match the efficiency of any multilevel marketing scheme you care to name.

These gangs have been in operation for at least three years and likely raked in millions of dollars.

SMS premium texting scams continue to run rampant in Europe and Asia, and earlier this year even seeped into Google Play and spread to some U.S. Android users.

“We notified Google and they promptly removed all apps and suspended the associated developer accounts,” says Kevin Mahaffey, Lookout’s chief technology officer.

However, U.S. consumers are less exposed than the Android users in Russia, Eastern Europe and China. That’s because U.S. carriers give consumers 60 days to complain about fraudulent phone charges.

“In Russia, there is nothing much you can do when you are a fraud victim, and therefore it is much more profitable to commit fraud,” says Andrew Conway, a researcher at messaging security firm Cloudmark.

Also, most Americans get their Android apps from Google Play, the search giant’s official application store, which Google aggressively polices. In parts of Europe and Asia, Android users are more likely to get their apps from third-party sources, which the open Android platform permits.

According to Lookout, here is how the bad guys have adopted multilevel marketing methodology to create a robust cottage industry:

First, the organizers invest in developing malware that can be easily hidden in popular apps distributed mainly via independent app stores.

Next, they set up full-blown online marketing campaigns offering cash and prizes to “affiliates” willing to use social media and online ads to steer victims to the tainted apps.

The affiliates get creative with social engineering ploys, often using scare tactics, such as tweeting bogus warnings to install urgent updates for Adobe Flash, Skype, Opera Browser and Google Play.

Once a phone gets infected and starts placing, and billing, SMS premium texts, everybody gets paid.

“Many campaigns don’t use scare tactics at all, but instead entice users with free versions of paid apps, pornography or mp3 downloads,” says Ryan Smith, a senior researcher at Lookout. “Each affiliate has the flexibility to choose a campaign tactic that works best for their target audience.”

Juniper’s Callahan, for one, won’t be surprised if premium texting scams resurface in the U.S.

“As the volume and sophistication of mobile malware continues to increase, so, too, does the likelihood that consumers and businesses will encounter these threats around the world,” he says.

Bottom line: Play it safe. Download only from the official app stores policed by Google, Apple, Microsoft and BlackBerry, respectively. Pay for and use a mobile antivirus program and keep it updated. And inquire about corporate policies and protection for personally owned devices used for work.

Retrieved from USA Today


Wi-Fi routers: More security risks than ever

LAS VEGAS — More major brand-name Wi-Fi router vulnerabilities continue to be discovered, and continue to go unpatched, a security researcher has revealed at Defcon 21.

Jake Holcomb, a security researcher at the Baltimore, Md.-based firm Independent Security Evaluators and the lead researcher into Wi-Fi router vulnerabilities, said that the problem is worse than when ISE released its original findings in April.

The latest study continues to show that the small office and home office Wi-Fi routers are

“They’re not a means to protect your network and your digital assets,” he cautioned.

Holcomb is a relatively young researcher, in his mid-20s, who turned his lifelong interest in computer security into a professional career only in the past year. Previously, he was doing network security for a school district in Ohio.

The new report details 56 new Common Vulnerabilities and Exposures, or CVEs, that Holcomb and the other ISE researchers have found in popular routers. These include the Asus RT-AC66U, D-Link DIR-865L, and TrendNet TEW-812DRU, for which Holcomb plans on demonstrating vulnerabilities at Defcon on Saturday and Sunday.

Requests for comment from the affected vendors were not immediately returned. CNET will update this story when we hear from them.

You might not think that the router security holes could affect you, or would be easy to exploit, but Holcomb explained that because the vulnerabilities appear to affect most routers, and are hard to fix, these could put nearly every person who connects to a vulnerable router at risk.

The scenario he explained from the noisy hallways of the Rio Convention Center here was a common one. Small-business and home Wi-Fi router administration often employs weak passwords, or static passwords that are the same across multiple stores, like a Starbucks.

The Asus RT-AC66U, one of the routers that has been discovered to have vulnerabilities.

(Credit: Dong Ngo)

All an attacker has to do is go to his favorite Seattle-based coffee joint, buy a venti latte and a low-fat pumpkin ginger muffin, and get the establishment’s Wi-Fi password. Then, equipped with access to the Wi-Fi network, all that attacker would have to do is use one of the exploits that ISE has uncovered. The router would be compromised, including all the Web traffic flowing through it.

Holcomb compared the problem of fixing routers to traditional PCs. “In most cases, automatic updates are enabled for Windows and Mac,” he said. But, he added, “even if a router manufacturer were to implement a similar feature, most people don’t log into their routers.”

Basically, because people have been trained to think of the router as a set-it-and-forget-it device, and one without security flaws, it’s nearly impossible to get them to update router firmware.

The TrendNet TEW-812DRU, another of the routers that has been discovered to have vulnerabilities.

(Credit: Dong Ngo/CNET)

The fix won’t be an easy one, at least not logistically. “I think the solution is for routers to automatically update, and give users the ability to opt out of it,” Holcomb said. But given the reluctance of some major router manufacturers to address the problems, these exploits could exist unpatched in the wild for years to come.

Holcomb said that while TP-Link fixed all the vulnerabilities that ISE reported to it, D-Link has never responded. And Linksys, he said, chose not to repair many of the vulnerabilities reported to it.

In the case of the Linksys EA-6500, someone can place their own code in the router’s configuration file and overwrite it. “It’s an attack that relies heavily on social engineering,” said Holcomb, “but it’s an example of the vendors not resolving a vulnerability. Why [not], I don’t know.”

Under the guidelines of responsible disclosure, Holcomb says that ISE notified all router manufacturers of the vulnerabilities discovered before going public with them, giving them a chance to fix them.

The D-Link DIR-865L, also discovered to have vulnerabilities.

(Credit: D-Link)

Holcomb will be demonstrating how to take control of three different routers using a different vulnerability in each.

For the aforementioned Asus router, he plans to demonstrate a buffer overflow exploit; for the D-Link he plans to use Web-based and symlink directory traversal exploits; and he will attack the TrendNet router using a cross-site scripting forgery and command injection exploit.

“All three give us a root shell,” he said, meaning access to the router’s lowest levels of code.

Holcomb will be speaking at Defcon’s Wall of Sheep Speaker Workshop on Saturday from 3 to 4 p.m. PT, and at the conference’s Wireless Village on Sunday.

Retrieved from CNet


Feds are Suspects in New Malware That Attacks Tor Anonymity


Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on a U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hacktivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.

Freedom Hosting is a provider of turnkey “Tor hidden service” sites – special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.

Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree – which can include human rights groups and journalists. But they also naturally appeal to serious criminal elements.

Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.

By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user friendly package for using the Tor anonymity network.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”

The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’s arrest, is that the malware does nothing but identify the target.

The heart of the malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto”. A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.

But the Magneto code doesn’t download anything. It looks up the victim’s MAC address – a unique hardware identifier for the computer’s network or Wi-Fi card – and the victim’s Windows hostname. Then it sends that data to the Virginia server as a standard HTTP web request, outside of Tor, which exposes the user’s real IP address.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Retrieved from Wired