One of the worst examples of financial malware appears to have fallen silent after its operators were reportedly arrested in Moscow in a rare raid by the Federal Security Service of the Russian Federation (FSB). Reuters reports Russian police raided Moscow film studio 25th Floor and a neighbouring office in November. Western law enforcement authorities are apparently aware of the incident, but Moscow has kept mum, with requests to the FSB for comment unanswered at the time of writing. The Register has inquired with police and threat intelligence sources previously tracking the malware group. Little is known about the gang behind the Dyre malware. It is understood to have links to the FBI's most wanted cyber criminal Evgeniy Mikhailovich Bogachev, aka Slavik, who switched over to the crimeware after his pet project Gameover was taken down in raids by authorities. The malware is an advanced trojan capable of evading white hat analysis tools and antivirus products, and was spreading rapidly last year. But Dyre became less active as 2015 wore on, then fell silent in November. It is known to be responsible for inflicting tens of millions of dollars in damages on Western banks and businesses in the US, the UK, and Australia, spreading through dozens of separate spam and phishing campaigns since June 2014. In May Dyre was fingered for stealing some US$5.5 million from budget carrier RyanAir, and it has fleeced individual businesses of up to $1.5 million each in large scale wire transfers using stolen online banking credentials.

Figure: Dyre flatlines (image: IBM).

IBM analysis shows Dyre activity flatlined in November after a steady decline since October. Sudden silence from malware operators is generally a hallmark of arrests in the cybercrime world, but an intentional hiatus is not without precedent.
Researchers from Russia's Kaspersky Labs reported the Carbanak gang had resumed campaigns with renewed gusto after falling silent for five months last year, during which time analysts assumed the gang had disbanded.

Figure: Dyre's domination (image: IBM).

IBM security expert Limor Kessem suggests the dearth of activity gives credibility to the possible arrests. "It has been close to three months now since Dyre went silent," Kessem says. "This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble." Kessem says the arrests, if confirmed, would be one of the most significant in Russia's history. "A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks," she says. "But Dyre’s absence will also give a bigger market share to other malware."
The White House calls for more investment in protecting data and proposes to spend $19 billion this year on a variety of security initiatives, including educating consumers to use two-factor authentication. President Barack Obama on Feb. 9 proposed spending more than $19 billion over the next year on cyber-security initiatives as part of a new plan to better protect the computers, networks and data of United States’ citizens, businesses and government agencies. The initiatives, which the administration wove together in its 2016 budget proposal as the Cybersecurity National Action Plan (CNAP), aim to secure government computers and increase the security of corporate networks and citizens’ data. The White House earmarked $19 billion in its proposed budget for cyber-security, an increase of 35 percent over the previous year, Michael David, special assistant to the President and cyber-security coordinator, said in a statement posted to the official White House site. “The President believes that meeting these new threats is necessary and within our grasp,” David said. “But it requires a bold reassessment of the way that we approach security in the digital age and a significant investment to ensure we can implement the best security strategies.” The cyber-security spending increase is part of the $4.1 trillion federal budget proposal Obama sent to Congress on Feb. 9. The plan follows yet another abysmal year for American citizens’ efforts to protect their personal data. The U.S. Office of Personnel Management reported in June that hackers had compromised its systems and stolen extremely sensitive information on federal employees and job seekers—information which included the contents of background checks. In November, federal authorities charged three men with infiltrating and stealing data from nine financial institutions and publishers, including JPMorgan, Dow Jones, Scottrade and eTrade. Information on more than 100 million customers was compromised in the breaches. 
A variety of initiatives make up the Cybersecurity National Action Plan. The Obama administration plans to establish a panel of experts to advise the government on ways to improve its cyber-security and to protect citizens’ data. The administration also proposed a federal chief information security officer (CISO) to identify weak spots in the infrastructure. The White House also intends to expand education initiatives to make consumers more security aware, such as teaching people that passwords are not enough. Security firms applauded the Obama administration’s efforts, but also pointed out numerous shortcomings of the plan. The CISO, for example, will be ineffective, unless given direct power over the government's cyber-security infrastructure. “The CISO needs to be both a leader and a recognized cyber-security expert who can move the needle quickly and make decisions on behalf of the entire federal government,” Mark Weatherford, chief strategist for cyber-security firm vArmour, said in a statement sent to eWEEK. “Without this level of authority, there is no chance for any real success.” Before joining vArmour, Weatherford served in the Department of Homeland Security as its first deputy undersecretary for cyber-security. Avivah Litan, research vice president with business intelligence firm Gartner, agreed that a federal CISO needs to have power to require agencies to secure their infrastructure. “Obviously it is a step in the right direction, but in many ways, it is just one more level of bureaucracy,” she told eWEEK. Pointing to reports from last year that showed the Internal Revenue Service paid out more than $5 billion to fraudsters as part of tax-refund fraud schemes, Litan argued that security improvements at the IRS could easily pay for themselves in reduced losses due to fraud. “They should not have to allocate extra money for the civilian agencies,” she said.
Don't pretend you can invent a strong enough, memorable password to protect your Bitcoins: crypto-boffins can crack the so-called "brain wallet." In research published at the International Association for Cryptologic Research (IACR), University College London's Nicolas Courtois and Guangyan Song and White Ops' Ryan Castellucci benchmarked the Bitcoin secp256k1 elliptic curve, with depressing results. The group managed to retrieve more than 18,000 Bitcoin passwords, they claim, using an Amazon EC2 m4.4xlarge instance. That yielded a rather stunning 17.9 billion passwords tested per US$1 spent, or less than $60 to check a trillion passwords. As is so often the case, one reason pass-phrases are recoverable is that they're relatively predictable. Examples of recovered pass-phrases include "say hello to my little friend," "to be or not to be," "Walk Into This Room," "party like it's 1999," "yohohoandabottleofrum," and the all-too-obvious "Arnold Schwarzenegger." The Register presumes that the person or people using "andreas antonopoulos" as a password are merely admirers of the Bitcoin entrepreneur, rather than Antonopoulos himself using his own name as a password. While not the first study to look into brute-forcing Bitcoin passwords, the researchers reckon their attack more than doubles the speed of password tests against secp256k1 achieved by the attack first disclosed at last August's DEFCON 23. Their conclusion is simple – you almost certainly can't invent a password too complex to be brute-forced: "Our research demonstrates again that brain wallets are not secure and no one should use them." In other words, generating a genuinely strong password and keeping it somewhere safe is irritating, but absolutely necessary.
Classic, defanged files at archive.org won't actually wipe your hard drive.
Carbon emissions regs shelved until legal wrangling is over—which could take years.
Startup Cato Networks, which has just emerged from stealth mode, is building a cloud-delivered security-as-a-service technology. Gur Shatz, founder and former CEO of security vendor Incapsula, spent years building cloud-based Web application firewall technology. Now, as the CTO of startup Cato Networks, he is building a cloud-delivered security-as-a-service platform. At the helm of Cato Networks is CEO Shlomo Kramer, who is well-known in the information security community, both as an investor and as the founder of Check Point. Cato Networks' technology is built on the premise that existing network security models are too complex to maintain and are inadequate to defend against modern threats. A primary challenge for enterprises of all sizes is that, with cloud and mobility, legacy models of security, such as traditional firewalls, are no longer entirely effective. "What we're doing is taking the local network and rebuilding it in the cloud," Shatz told eWEEK. The Cato Networks model includes a cloud-based overlay network with a virtual LAN for an organization's traffic. The Cato approach aims to simplify networking and security by providing a single logical network, Shatz said. "Everything flows through Cato, so organizations get logical control over what is flowing in and what is flowing out," he said. Cato Networks has points of presence (POPs) throughout the world that are interconnected. Rather than using Border Gateway Protocol, the interconnected POPs provide a multi-point networking model. "We are using our own protocols, which are data-path-aware, so we can select the best route to different points," Shatz explained. "It's a software-defined infrastructure that is built on our own hardware throughout the world." The Cato technology was built from the data packet level up to be software-defined, which enables the fast, data-aware network, he said.
For an organization's LAN, local traffic in a branch office works much the same as it did before Cato was engaged, Shatz said. Cato's current network focus is the WAN and inter-site communications across a distributed enterprise. Cato can integrate with Active Directory, which provides user access and authentication controls. "Since we take over the whole DNS [Domain Name System] process, we can forward traffic to Active Directory," Shatz explained. "We are Active Directory-aware, and that's where we can really know what's going on." The entire Cato-enabled network becomes an application-aware network, which can provide security visibility, he said. A next-generation firewall is built into the Cato platform, but rather than needing to look at multiple networks, there is a single logical network, making it easier to maintain and control. A Web services gateway that is part of the platform can perform URL filtering. Looking forward, additional security controls that will be added to the platform include malware protection and cloud access security broker, or CASB, capabilities. By having the network as a "choke point" for visibility and control, it's possible to improve security, Shatz said. "What we're doing now is building a security stack, including security controls that can be collapsed into our network," he said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during installation of a Linux distro, but that doesn't appear to have happened for months in this case. With that key in hand, a man-in-the-middle attacker could set up a malicious server that masquerades as your vulnerable virtual machine, allowing the hacker to quietly intercept passwords, commands, and other sensitive data sent between you and your real server. People who used the dodgy image received earlier today the following email from Linode's Alex Fornuto, who urged them to regenerate their SSH server keys. Here's an extract of the message: It has come to our attention that there is an issue with the Ubuntu 15.10 image we offered from November 10th, 2015, through February 4th, 2016. Any Linodes deployed using this image within this time frame are using identical SSH server keys. If you're receiving this ticket, you have a disk image currently affected by this issue. For those unfamiliar with these terms, consider this fuller explanation: Each Linux server running the SSH daemon should have a set of unique keys, used to generate the encryption between client and server. While this traffic is still secure against an attempt to access data by "wire sniffing," someone could use those keys to institute a "man in the middle" attack. The network rules on our infrastructure prevent such an attack from a neighboring Linode, but connections made from insecure Wi-Fi networks or clients with compromised DNS could be vulnerable. The steps required to resolve this issue are easy and few.
First, from your Linode terminal, as root or with the sudo prefix, run:

    rm -f /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    service ssh restart

If you have any questions regarding this issue, please feel free to reply to this ticket. Furthermore, you can be confident that we have implemented new processes to ensure that this sort of oversight doesn’t happen again. Linode corrected its Ubuntu 15.10 image on February 4. This blooper comes after the New Jersey-based Linux server hoster weathered a ten-day distributed denial-of-service attack on its data centers after Christmas, and reset its users' account passwords after a hack attack scare in January. As it happens, Linode is advertising for Linux technical support workers...
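Regenerating the keys fixes the server side, but the symptom is also visible from the client side: several hosts in your known_hosts file presenting the same host key. The following script is an added example, not Linode's code or part of the ticket, that parses known_hosts, fingerprints each key the way `ssh-keygen -lf` prints it (SHA256 of the decoded key, base64 without padding), and reports any key shared by more than one entry. The sample known_hosts content is constructed with placeholder keys (valid base64, not real public keys), and the hostnames are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample known_hosts content for this example. The keys are
# placeholders (valid base64, not real public keys); two entries deliberately
# share one key, which is the symptom described in the Linode ticket above.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are ignored
node-a.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE1
node-b.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE1
node-c.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYTWO2
node-d.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABKEYTHREE
|1|hashedsalt=|hashedhost= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYTWO2
"""


def fingerprint(b64key: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: 'SHA256:' + base64 digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str):
    """Yield (label, keytype, base64key) for each usable entry in known_hosts text."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host
            fields = fields[1:]
        if len(fields) < 3:
            continue
        names = fields[0]
        # Hashed entries (HashKnownHosts yes) hide the name, but the key is still comparable,
        # so they are kept under a generic label rather than dropped.
        label = "<hashed host>" if names.startswith("|1|") else names.split(",")[0]
        yield label, fields[1], fields[2]


def shared_host_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> entry labels, for keys that appear in two or more entries."""
    seen = defaultdict(list)
    for label, keytype, key in parse_known_hosts(text):
        seen[(keytype, fingerprint(key))].append(label)
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(text: str) -> list:
    """One human-readable line per shared key, sorted for stable output."""
    lines = []
    for (keytype, fp), labels in sorted(shared_host_keys(text).items()):
        lines.append(f"{keytype} {fp} is shared by {len(labels)} entries: {', '.join(labels)}")
    return lines


if __name__ == "__main__":
    import os
    path = os.path.expanduser("~/.ssh/known_hosts")
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = SAMPLE_KNOWN_HOSTS  # fall back to the constructed sample
    for line in report(text) or ["no shared host keys found"]:
        print(line)
```

Two hosts sharing a key is not proof of a compromised image (a hostname and its IP can legitimately share one entry, which is why each known_hosts line counts once), but any hit across distinct servers is worth checking against the server's own `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` before trusting the connection.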
A full scholarship comes with multi-year commitment to battle entrenched bureaucracy.
Microsoft has patched 41 CVE-listed security vulnerabilities in its software this month. The second Patch Tuesday monthly update of the year brings with it fixes for security flaws in both Internet Explorer and Edge that could allow remote-code-execution attacks simply by visiting a webpage. Also fixed are remote-code-execution holes in the Windows PDF Viewer and Microsoft Office. The full list is as follows:

MS16-009: A cumulative update for Internet Explorer 9 through 11. The update includes fixes for 13 CVE-listed issues, including remote-code-execution flaws and information disclosure vulnerabilities. As with all IE updates, the fixes are considered a lower risk for Windows Server installations.
MS16-011: An update for the Edge browser in Windows 10 comprising six fixes for CVE-listed issues, four of which are remote-code-execution vulnerabilities.
MS16-012: A fix for two remote-code-execution vulnerabilities in Windows PDF Library and Reader for Windows 8.1, Server 2012 and Windows 10.
MS16-013: A memory-corruption vulnerability in Windows Journal potentially allowing remote code execution in Windows Vista, Server 2008, Windows 7, Windows 8.1, Server 2012 and Windows 10.
MS16-014: Five security holes in Windows, including two remote-code-execution holes and a denial-of-service condition in Windows DLL Loading. Also fixed were an elevation-of-privilege error in Windows and a Kerberos security bypass flaw.
MS16-015: Six memory-corruption vulnerabilities in Office, each of which could allow for remote code execution. The update covers Office 2007, 2010, 2013, 2013 RT, and Office 2016 as well as Office for Mac 2011 and 2016.
MS16-016: One elevation-of-privilege flaw in WebDAV for Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Windows RT 8.1 and Windows 10.
MS16-017: An elevation-of-privilege flaw in Remote Desktop Protocol that could allow an attacker to log in to systems that have enabled Remote Desktop, which is turned off by default. The issue affects Windows 7, Windows 8.1, Server 2012 and Windows 10.
MS16-018: An elevation-of-privilege flaw in the Win32k component for Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012, and Windows 10.
MS16-019: Updates for a denial-of-service flaw in .NET Framework and an information disclosure hole in Windows Forms. The fix covers Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012 R2, and Windows 10.
MS16-020: A fix for one denial-of-service vulnerability in Windows Server 2012 R2. Other versions of Windows and Windows Server are not affected.
MS16-021: A denial-of-service vulnerability in the Network Policy Server RADIUS implementation on Windows Server 2008, Server 2008 R2 and Server 2012.

After installing the Microsoft updates, users and administrators would be wise to install monthly fixes issued Tuesday by Adobe for Flash Player. The updates cover a total of 22 CVE-listed flaws for Flash, all of which could potentially be targeted for remote-code-execution attacks. The Flash Player update also affects versions for OS X and Linux boxes.
Plot thickens for former pharma CEO, now accused of copyright violations.
With the acquisition of IID, Infoblox's network security technologies are set to get a boost from threat intelligence. Network security vendor Infoblox is expanding its capabilities by way of a $45 million acquisition of privately held cyber-threat intelligence vendor IID. The deal will give Infoblox new security features that address the growing need for threat intelligence in network security. Infoblox is what is known as a DDI—DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol) and IP address—vendor, helping organizations manage those core network services. In a call with press and analysts discussing the acquisition, Jesper Andersen, president and CEO of Infoblox, said that IID's technology will help his company differentiate itself from other DDI vendors. "This acquisition brings together IID's superior cyber-intelligence and our best-in-class network control infrastructure to provide customers with truly context-aware security and improved operational viability," Andersen said. The plan is for IID's technology to complement Infoblox's DDI products, providing better security that can detect malicious threats both inside and outside of an organization. The Infoblox portfolio currently includes a hardened DNS appliance that does not overlap with IID's technology. In addition, Infoblox has a DNS Firewall, which includes a continuous feed of threat intelligence that can be used to help protect against malicious DNS queries and block bad traffic. The plan is to make use of the IID threat feeds to enable the next generation of Infoblox's DNS Firewall. The idea of combining threat intelligence with DDI is not a new one for Infoblox. Andersen noted that Infoblox has been selling a DNS firewall technology for more than a year, which is currently powered by a ThreatStop threat feed that is pulled into an Infoblox DNS control point. "ThreatStop has been a great partner of ours," he said.
"Going forward, we now have our own threat feed, so that's what we'll be basing our solutions on." In addition to a machine-readable threat intelligence feed, IID also has a cloud-based platform for threat intelligence federation, according to Andersen. With the IID cloud platform, customers and organizations can share threat intelligence, which is another large opportunity for growth at Infoblox, he said. The threat intelligence space is a very crowded one, with multiple vendors and technologies all aiming to help organizations gain insight into cyber-threats. One such vendor is iSight, which was acquired by FireEye for $200 million on Jan. 20. "iSight and IID are actually partners with each other and Infoblox is a partner with FireEye, and I don't see that changing," Andersen said. "The threat intelligence space is one where many vendors share information to have the best possible intelligence for the customer." Infoblox's existing partnership with FireEye enables DNS-level threats detected by Infoblox to be used by FireEye's protection technologies. "We're not trying to be the end-all, be-all security vendor," Andersen said. "We're just laser-focused on doing the best possible job in securing DNS." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
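The article describes a DNS firewall as a DNS control point that consults a threat feed and blocks matching queries. The script below is an added example of that mechanism, not Infoblox's, IID's or ThreatStop's code: it applies a domain feed with response-policy-zone style semantics (an entry covers the domain and all its subdomains, the most specific match wins, and an allowlist can override a feed entry that causes false positives), returns an NXDOMAIN-style verdict for blocked names, and summarizes which clients triggered blocks. The feed entries, allowlist, client addresses and query log are all constructed for the example; none is a real indicator.

```python
import logging
from collections import Counter

log = logging.getLogger("dns-firewall")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Constructed threat feed for this example (hypothetical names, not a vendor feed).
# Each entry covers the domain itself and every subdomain, like an RPZ wildcard rule.
THREAT_FEED = {"malware-c2.example", "phish.example.net", "partner.example"}

# Constructed allowlist: overrides the feed for names the feed flags by mistake.
ALLOWLIST = {"cdn.partner.example"}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'WWW.Example.COM.' and 'www.example.com' match."""
    return qname.strip().lower().rstrip(".")


def policy_lookup(qname, feed=THREAT_FEED, allow=ALLOWLIST):
    """Return ('allow' | 'block' | None, matched entry), checking the most specific suffix first."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allow:
            return "allow", candidate
        if candidate in feed:
            return "block", candidate
    return None, None


def filter_query(client_ip, qname, qtype, feed=THREAT_FEED, allow=ALLOWLIST):
    """Decide one query. Blocked queries get an NXDOMAIN-style answer and a log line."""
    verdict, rule = policy_lookup(qname, feed, allow)
    decision = {
        "client": client_ip,
        "qname": normalize(qname),
        "qtype": qtype,
        "action": "BLOCK" if verdict == "block" else "PASS",
        "rule": rule,  # the feed or allowlist entry that decided the query, if any
    }
    if verdict == "block":
        decision["rcode"] = "NXDOMAIN"  # what an RPZ 'nxdomain' policy action would return
        log.warning("blocked %s %s from %s (feed entry %s)",
                    qtype, decision["qname"], client_ip, rule)
    return decision


# Constructed query log: (client, qname, qtype). Sample data, not captured traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "update.MALWARE-C2.example.", "A"),
    ("10.0.0.9", "phish.example.net", "AAAA"),
    ("10.0.0.9", "mail.example.net", "MX"),
    ("10.0.0.12", "cdn.partner.example", "A"),
    ("10.0.0.12", "www.partner.example", "A"),
]


def run_batch(queries=SAMPLE_QUERIES):
    """Apply the policy to each query; return (decisions, per-action counts, blocked clients)."""
    decisions = [filter_query(*q) for q in queries]
    counts = Counter(d["action"] for d in decisions)
    offenders = Counter(d["client"] for d in decisions if d["action"] == "BLOCK")
    return decisions, counts, offenders


if __name__ == "__main__":
    decisions, counts, offenders = run_batch()
    for d in decisions:
        print(d["action"], d["qtype"], d["qname"], "from", d["client"], "rule:", d["rule"])
    print("totals:", dict(counts), "clients with blocks:", dict(offenders))
```

The per-client block counter is the part a SOC actually uses: a single block is usually a stray link, while a client that keeps resolving names on the feed is the one worth pulling logs from. Note that a name can only be matched once it is normalized; a feed that compares raw query strings will miss the upper-case and trailing-dot variants in the sample.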
Hackers have reportedly offered Apple employees north of $20,000 for login credentials to Cupertino's internal systems. Hackers want to break into Apple's systems so badly that they're willing to pony up tens of thousands of dollars for employee login details, according to a new report. Business Insider recently spoke to an unnamed Apple employee in Ireland, who said hackers have offered north of $20,000 for login credentials to Cupertino's internal systems. "You'd be surprised how many people get on to us, just random Apple employees," the source told Business Insider. "You get emails offering you thousands [of euros] to get a password to get access to Apple. I could sell my Apple ID login information online for €20,000 (£15,000 / $23,000) tomorrow. That's how much people are trying." Meanwhile, a former Apple employee told the publication that hackers typically target newer employees. "They look for someone who has jumped diagonally into a junior managerial position, so not a lifer working their way up, and not a lifer who has been there a long time," the source told Business Insider. As for what the hackers are really after, it could be any number of things — like access to individual Apple user accounts, the company's extremely valuable intellectual property, or internal corporate strategy information, the report notes. Apple has reportedly set up an employee security program dubbed "Grow Your Own" to address the issue, though details about it are scant. Apple did not immediately respond to a request for comment about the report. In other Apple security news, iOS 9 and third-party fixes are reportedly to blame for Error 53, a bug that will brick your iPhone 6 and make the device unusable. Those who upgrade to iOS 9 and have their Touch ID button fixed by someone other than Apple may encounter the vexing Error 53, which makes their device largely useless.