In brief

NEWS

Computer Fraud & Security, May 2013, page 4

New security centre

A new Security and Software Engineering Research Centre (S2ERC) has been established alongside the recently formed Georgetown Centre for Secure Communications (GCSC). The aim of the centre is to provide a link between academic researchers and the information security industry. It’s funded partly by a grant from the National Science Foundation and has already established links with a number of commercial organisations, including Symantec, Check Point Software Technologies, Edgewater Networks and IID.

Pro-Syrian forces mount Twitter account hijacks

The Syrian Electronic Army (SEA), a hacker group that supports the Assad regime in Syria, has been involved in multiple hijackings of Twitter accounts. UK newspaper The Guardian had several accounts hijacked, and other victims included the BBC, NPR, CBS, Al-Jazeera and FIFA. When the Associated Press had its Twitter credentials stolen, a tweet issued on its account suggesting that there had been an explosion at the White House led to a temporary dip in the Dow Jones index. The Twitter account of The Onion – the satirical ‘news’ website – was also breached, with the SEA issuing a number of humorous tweets before the account was reclaimed by its rightful owner. The Onion then continued the fun with tweets such as “Syrian Electronic Army has a little fun before inevitable upcoming deaths at hands of rebels”. Given the nature of the website, many observers believed that all of the tweets were, in fact, the work of the Onion’s ‘journalists’. Phishing attacks appear to be the most likely method by which the accounts were hijacked – and that was certainly the case at the Onion. Media organisations often provide access to such accounts to multiple people, meaning that only one person needs to fall for a phishing email for it to work. Twitter has since issued guidelines to media firms, with most of the advice being fairly basic, such as not sending passwords via email.

Google changes Play rules

In future, applications submitted to Google’s Play app store will not be allowed to include mechanisms to update themselves directly from the vendors’ own (or third-party) sites. Instead, they must use Play’s update service. This goes some way to fixing a serious security loophole on Android. Cyber-criminals were able to upload innocuous apps to Play which would then pass inspection by Google’s anti-malware checks (such as Bouncer). Once downloaded on to a victim’s Android device, they could then perform an ‘update’ to download malicious components. However, the new terms of use will also affect legitimate apps: Facebook has been testing the use of silent downloads to provide additional features and security improvements. These were provided directly from its own servers, but it now will not be able to do this. It’s not yet apparent what Facebook’s response to this will be, especially in the light of Facebook Home – an app that effectively takes over a user’s device.

Google building hackable, say researchers

The offices of Google Australia are vulnerable to hacking, according to two researchers. Billy Rios and Terry McCorkle of security firm Cylance said that the building management system for the Wharf 7 offices in Sydney is built on top of a platform – Tridium Niagara AX – with known vulnerabilities. Tridium has released patches for the system but Google has not yet installed them. The researchers were able to obtain the admin password for the system (‘anyonesguess’) and gain access to a number of administration panels. As well as having access to a number of controls, the researchers were also able to obtain blueprints of floor and roof plans. Google confirmed the flaw and said it has now disconnected the system from the Internet. While the two researchers have detailed a number of vulnerabilities in the platform, which is used by a wide variety of customers, including hospitals, US federal agencies and the military, Tridium said it believes that the security concerns are minor because of the system’s obscurity and the fact that such platforms are not traditional targets for hackers.

Web vulnerabilities drop, but still serious

The number of exploitable vulnerabilities on websites dropped in 2012, and yet 86% of sites tested had flaws that could allow an attacker to take some level of control over the server. These are the conclusions of research by WhiteHat Security, which found that the most common flaws were cross-site scripting (XSS) and information leakage. Overall, the number of serious vulnerabilities per site – flaws that would allow an attacker to take control over all or part of the site, compromise user accounts, access sensitive data or violate compliance requirements – dropped from 79 in 2011 to 56 in 2012. The figures are based on more than 650 sites examined by WhiteHat. On average, it took 193 days to resolve the flaws, from the moment the organisations were notified of them. Less than 18% of the sites were vulnerable for fewer than 30 days. Around 61% of the flaws were finally resolved, on average. The report is available here: https://whitehatsec.com/assets/WPstatsReport_052013.pdf.

Hackers breach dam defences

The US Army Corps of Engineers’ National Inventory of Dams, which holds data on 79,000 dams across the US, has been breached by an unknown attacker. The database includes information about known flaws in the dams and data such as the estimated damage, including deaths, if they were to fail. Much of the information is publicly available anyway but the more sensitive data isn’t, and it seems that this is what the attacker has accessed. Unnamed sources inevitably blamed Chinese hackers, and there has been a suggestion that this was a reconnaissance to gather information for potential cyber-attacks against critical infrastructure, but there has been no official comment nor any evidence offered to support these claims.

Queen promotes IPv6

The recent Queen’s Speech, in which the UK Government laid out its agenda for the coming year, included a reference to the Internet Protocol (IP) – almost certainly the first time this has happened in the long tradition of the Opening of Parliament. It confirmed what had previously been hinted – that the Government will push for laws that will help the police trace Internet traffic to individual devices. This will depend on the greater application of IPv6, as there aren’t enough IPv4 addresses to do this. However, the controversial Communications Data Bill, which had been broadly condemned as a ‘snooper’s charter’, was conspicuously absent from the speech, suggesting that it has been killed off – for now.

Pump & dump is back

The scam of promoting near-worthless shares via spam email, and then selling out when the share price rises, has made a comeback, according to Commtouch. In its ‘Internet Threats Trend Report’ for Q1 2013, it says the so-called ‘pump & dump’ scam accounted for nearly 46% of spam messages in March. The trick involves the spammers buying large stocks of ‘penny’ shares, then encouraging others to do likewise. If enough people fall for it, the price rises, at which point the spammers sell. This drops the price again, often enough to make the shares valueless. It was a popular scam in 2006-2008, but then virtually disappeared. The report also says that malware-bearing or spam emails increased in volume dramatically in the first quarter of 2013, with daily levels reaching an average of 97.4 billion spam messages and 973 million malware emails.
