Mar 3 2010

Spain arrests three accused of running huge botnet

Authorities in Spain have arrested three men accused of operating a massive botnet composed of 12.7 million PCs that stole credit card and bank log-in data and infected computers in half of the Fortune 1,000 companies and more than 40 banks, according to published reports.

The botnet, “Mariposa” (Spanish for butterfly), first appeared in December 2008 and grew to be one of the largest botnets ever seen, The Associated Press reported. It spread the Butterfly worm via removable drives, MSN Messenger and peer-to-peer programs, and targeted Windows XP and older systems.

Unlike many underground hackers, the alleged ringleaders of the operation were not skilled programmers, but had contacts who were, authorities said.

“They’re not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits–the most frightening thing is they are normal people who are earning a lot of money with cybercrime,” Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, told the news service.

In Spain, names and mug shots of arrested citizens are not released to protect their privacy, though they were identified by their Internet aliases: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25. They face up to six years in prison if convicted of the hacking charges.

More arrests are expected, authorities said. The botnet is no longer operating, according to the AP report.

Source


Feb 25 2010

Cryptome.org shut down for exposing MS surveillance guide

Cryptome, the whistleblower site that serves as a repository for “documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance”, was taken down on Wednesday afternoon by its hosting provider, Network Solutions, which also had the domain “legally locked”.

That means the domain information cannot be modified and the domain name cannot be transferred; only the registration can be renewed. Network Solutions acted on a Digital Millennium Copyright Act (DMCA) complaint filed by Microsoft against Cryptome and its owners over the publication of Microsoft’s Global Criminal Compliance Handbook, a document that tells users things Microsoft would rather not become common knowledge.

It describes which records are retained and for how long, and what information can and will be handed to law enforcement and intelligence agencies when requested by subpoena. Microsoft is not the only company whose “spy guide” has been published by Cryptome, but it is apparently the one with the most clout.

ReadWriteWeb reports that once the complaint was filed, John Young, one of the owners of Cryptome, was asked to take the document off the website and refused. The hosting provider then warned that if the document was not removed by Thursday it would disable the site. And so it did, one day before its own deadline.

In the complaint, Microsoft states as the reason for their request an infringement of copyright laws. The Electronic Frontier Foundation (EFF), the well-known international digital rights watchdog group, spoke up: “We find it troubling that copyright law is being invoked here. Microsoft doesn’t sell this manual. There’s no market for this work. It’s not a copyright issue. John’s copying of it is fair use. We don’t do this anywhere else in speech law.”

Cryptome has been active since 1996, and this is the first time anyone has succeeded in shutting it down. Young has filed a DMCA counter-notification, so the next installment of this story probably won’t be long in coming. If Microsoft does not file a notice of litigation, Network Solutions must reactivate the website and unlock the domain within 14 business days. In the meantime, the site is temporarily available at an alternative address.

If you want to read Microsoft’s “spy guide”, you can download it from Wikileaks, which has also offered to host Cryptome on its multi-jurisdictional network outside the US.

Source


Feb 24 2010

US likely to lose a cyber war

At a hearing of the US Senate Committee on Commerce, Science and Transportation, security experts expressed deep concern about US defences against cyber-attacks. Former vice-admiral and Director of National Intelligence Michael McConnell went as far as to claim that the US would be on the losing side should a hostile power launch a cyber war against it. This is not, according to McConnell, because US security staff are less talented or its technology inferior; rather, the US is vulnerable because it is the best-networked country, and therefore has the most to lose.

It is precisely this state of affairs that the Cybersecurity Enhancement Act of 2009, recently passed by the House of Representatives, is intended to address. By means of training, research and better coordination, it aims to ensure that the government and its agencies are better protected against attacks originating in cyberspace. The Act still has to pass the US Senate.

James Lewis of the Center for Strategic and International Studies (CSIS) also emphasised US vulnerability to attack. According to Lewis, countries such as China and Russia are known to be carrying out espionage to determine how they could disable the US electricity grid. He believes they and other countries are now in a position to knock out the grid in the event of, for example, a conflict over Taiwan or Georgia. However, he thinks it unlikely that China or Russia would go down this route, as it would be too great a political risk, comparable to bombing a power plant, and would trigger a vigorous US reaction. In addition, he notes, even hostile states would suffer should, for example, Wall Street be knocked out.

Lewis plays down concerns about terrorist attacks, saying that if terrorists were really in a position to carry out cyber-attacks, they would already have done so; the belief that they could but have so far held back for whatever reason is “ridiculous”. Terrorists are, in his opinion, crazy people. Lewis warns that this could change if hostile powers were to provide terrorists with the requisite knowledge and skills, but feels that at present neither China nor Russia would cooperate with extremists.

Nonetheless, the US and its economy are already being bled by constant small-scale cyber-attacks. According to Lewis, theft of important information and attacks by cyber-criminals are already doing immense damage to both business and government. If no action is taken, Lewis told the hearing, the patient will eventually bleed to death; he therefore considers passage of the Act an urgent necessity.

Source


Feb 19 2010

New attempt to integrate AppArmor into Linux

John Johansen, a developer with Ubuntu’s commercial sponsor Canonical, has submitted an updated version of the AppArmor security framework to the Linux kernel developers for review. Johansen writes that, like the SELinux and Tomoyo solutions already integrated into the kernel, this fourth general posting of AppArmor uses the Linux Security Modules (LSM) interface to hook into the kernel. Some, but not all, of the characteristics criticised by the kernel developers when AppArmor was last posted have reportedly been corrected in the new posting; however, the maintainer of the Linux Virtual File System (VFS), known for his rather direct comments, soon found various inconsistencies in the newly posted code.

Novell bought the company that originally developed AppArmor and released the code under the GPL in 2006. Despite several attempts by Novell developers, however, the code was not merged into the main development branch of Linux because the kernel developers did not approve of some of the security framework’s properties. With things having gone quiet around AppArmor, and Novell also experimenting with SELinux, Canonical began a few months ago to put more effort into preparing the technology for integration. As Johansen reports at the end of his email, the code is now hosted at kernel.org and launchpad.net rather than Novell Forge.

Source


Feb 16 2010

OFT forms new cybercrime-fighting teams

The Government is spending £4.3 million on fighting cybercrime over three years.

The funding, announced by Consumer Minister Kevin Brennan, will go towards creating a new “cyber enforcement team” at the Office of Fair Trading (OFT). The OFT has already set up a laboratory featuring specialist equipment using the funds, and the new team will be trained by an international expert in fighting internet and email scams.

New, trained trading standards enforcers with specialist equipment will also be placed in every region of England and in Scotland and Wales. Scams cost three million UK consumers £3.5 billion a year, according to the OFT.

Its enforcement teams will focus on scams including fake products and traders who try to hide their identity, ticket scams for non-existent events, and scam websites selling counterfeit goods.

Heather Clayton, OFT senior director, said: “The enforcement team will be looking at the activities of a wide range of commercial websites and taking action in cases where consumers’ rights are being abused.”

Meanwhile, the OFT will continue to pass cases to the police, the Serious Organised Crime Agency and the Companies Investigation Branch when appropriate.

The new enforcement team will work alongside other organisations that tackle online crime, including the Government’s National Fraud Authority, the City of London Police’s National Fraud Reporting Centre and the National Fraud Intelligence Bureau. The Metropolitan Police also has a Police Central eCrime Unit, which targets large-scale internet crime.

Source


Feb 9 2010

Why CSOs Should Care About ShmooCon

Many CSOs view ShmooCon as an event of small importance. You don’t see the suits and ties that are on display at RSA. In fact, to those who haven’t attended, this conference is just a place where twenty-something hackers come to get drunk and throw TVs out hotel windows. Another crazy Black Hat/Defcon-caliber conference, more than one high-level security exec has told me in the past.

As with any security event, things can get rough around the edges. The security podcasters’ meet-up on Saturday night was more like a Motley Crue concert than anything else. The podcasters on stage resembled the head table at a Klingon wedding. But drunken antics conference-wide were minimal, and some decent food for thought came out of the podcasting event despite the rowdiness.

The larger reality is that a lot of important talks happen here that have implications up and down the IT security food chain. It’s also important to note that a lot of the young ruffians who come here are the very people who find the security holes so they can be fixed. They also build a lot of the technology CSOs lobby their upper management to invest in.

Some examples:
# Tyler Shields of the Veracode Research Lab gave a talk about those BlackBerry phones security execs can no longer live without. His message: The BlackBerry is full of weaknesses an attacker can exploit to target the larger enterprise network.
# Many CSOs have become equally dependent on their iPhones, and they are increasingly being used to conduct business. Guess what? Those devices are equally at risk, according to Trevor Hawthorn, founder and managing principal at Stratum Security. He gave a presentation on how the bad guys can attack through your iPhone apps and tap into your GPS to track your whereabouts.
# Presenters also offered new insight into how attackers are targeting the P2P and social networking platforms your employees use all the time on company-owned computers. [See Inside FarmVille's Sinister Underbelly and P2P Snoopers Know What's In Your Wallet]
# Another running theme this year was the failure of security spending: companies spend millions to acquire all the best-of-breed security technology they can find in the rush to check off every box on a compliance checklist, but install it all so haphazardly that they actually increase their risk.

While most of the talks were tech-heavy, a lot of the discussion, in the presentations and in the hallways, was about the language disconnect that often exists between IT and upper management and how best to close the gap.

Source


Feb 4 2010

House Passes Cybersecurity Bill

The House today overwhelmingly passed a bill aimed at building up the United States’ cybersecurity army and expertise, amid growing alarm over the country’s vulnerability online.

The bill, which passed 422-5, requires the Obama administration to conduct an agency-by-agency assessment of cybersecurity workforce skills and establishes a scholarship program for undergraduate and graduate students who agree to work as cybersecurity specialists for the government after graduation.

As officials puzzle over how to defend the nation from enemies that are often impossible to pinpoint, the lawmakers behind the bill said education and recruitment are crucial.

“Investing in cybersecurity is the Manhattan Project of our generation,” Representative Michael Arcuri, Democrat of New York, a sponsor of the bill, said on the House floor Wednesday. “But this time around we are facing a far greater threat. Nearly every high school hacker has the potential to hamper our unfettered access to the Internet. Just imagine what a rogue state could do.”

Mr. Arcuri said that the federal government will need to hire between 500 and 1,000 more “cyber warriors” each year to keep up with potential enemies. Troops online “are every bit as important to our security as a soldier in our field,” he said.

The Cybersecurity Enhancement Act, H.R. 4061, a major information security bill, closely follows a warning by Dennis Blair, the director of National Intelligence, who told lawmakers this week that computer-related attacks were becoming increasingly malicious.

The government’s four-year review of Defense Department strategies, also issued this week, stated that large-scale cyberattacks could massively disable or hurt international financial, commercial and physical infrastructure.

Mr. Obama has said cybersecurity is one of his top priorities and between the fallout from the attack on Google’s computers in January and the more modest hacking of Web sites of 49 House members and committees last week, the risk is felt acutely in Washington.

Still, the budget proposal the administration delivered to Congress Monday cut funding for the Homeland Security Department’s cybersecurity division.

There is no companion bill in the Senate, but senators are working on several unrelated information security bills.

The bill builds on Mr. Obama’s May 2009 review of cyberspace policies across the federal government. It designates a single entity, the director of the National Institute of Standards and Technology, to represent the government in negotiations over international standards, and orders the White House office of technology to convene a cybersecurity university-industry task force to guide the direction of future research.

It also directs the National Science Foundation to research the social and behavioral aspects of cybersecurity, like how people interact with their computers and manage their online identities, in order to establish a new, more accessible awareness and education campaign.

Source


Feb 3 2010

Accusations Fly Over Voice Encryption Hack

German encryption firm SecurStar has strenuously denied being behind an apparently independent test of voice encryption products that found many of its rivals could be hacked using a $100 phone-tapping program.

In a blog post on the subject, Fabio Pietrosanti, founder and CTO of Swiss encryption start-up Khamsa, alleges that a supposedly independent test of 15 encryption products was in fact a marketing exercise designed to publicise one of only three products to pass the test, SecurStar’s PhoneCrypt.

The tests, by an anonymous researcher calling himself ‘Notrax’, found that all but three of the software and hardware products examined could be bypassed by installing a simple wiretapping Trojan, FlexiSPY, which records the call audio on the handset itself, without the products giving the user any indication that security had been compromised. In other words, the products were defeated at the compromised endpoint, not through any weakness in their ciphers.

Khamsa’s own GSM security software was not part of the test but the encryption technology it uses, ZRTP, came in for criticism. The moving force behind that system and its implementation in a program called Zfone is encryption pioneer and inventor of Pretty Good Privacy, Phil Zimmermann, who is also listed as being on Khamsa’s scientific board.

According to Pietrosanti, the unnamed ‘Notrax’ was subsequently traced to an IP address connected to SecurStar after following a link embedded in a blog post Pietrosanti had published.

“The SecurStar GmbH PBX is open on the internet; it contains all the names of their employees and confirms to us that the author of http://infosecurityguard.com [the domain used to post the original test] is that company and is the anonymous hacker called Notrax,” says Pietrosanti.

He adds that SecurStar also appeared to be logging Google keywords related to the topic, so as to have some idea of how the tests were being discussed.

When contacted, SecurStar denied any involvement with the tests. “We do not have anything to do with these tests and I have no idea about him [Notrax],” said SecurStar CEO, Wilfried Hafner in a call to Techworld.

According to Hafner, Notrax appeared to use a SecurStar IP address because he had probably used the company’s anonymity service, which hides users’ real IP addresses behind the company’s own.

“We have two million people using this product. Or he may have been an old customer of ours,” said Hafner.

As far as they go, the tests do appear to find a legitimate weakness in the products under test, even if a connection to one of the companies involved would represent a huge conflict of interest and discredit them in the eyes of the security community. Pietrosanti is certainly correct that researchers are normally keen to be identified with their testing, something ‘Notrax’ has so far avoided.
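
How a trace of this kind works in practice, as an added example that is not part of the original article or of either company’s code: the server behind a tracked link checks its own access log for requests to that link and reports those whose client address falls inside a suspect organisation’s netblock. The log lines, the path /track/notrax-post, the blog URL and the 192.0.2.0/24 netblock are all constructed for the example (RFC 5737 documentation ranges). The function also encodes Hafner’s objection: a match shows only which network the request left from, which a shared anonymising proxy or VPN would produce just as well.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Hit is one parsed request from a web server access log (combined format).
type Hit struct {
	IP      net.IP
	Time    string
	Path    string
	Referer string
}

// combinedLine matches the Apache/nginx combined log format:
// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
var combinedLine = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$`)

// ParseHit parses one log line; ok is false for lines that do not match.
func ParseHit(line string) (h Hit, ok bool) {
	m := combinedLine.FindStringSubmatch(line)
	if m == nil {
		return Hit{}, false
	}
	ip := net.ParseIP(m[1])
	if ip == nil {
		return Hit{}, false
	}
	return Hit{IP: ip, Time: m[2], Path: m[3], Referer: m[4]}, true
}

// Attribute returns the hits on trackedPath whose client address falls inside
// one of the given netblocks. The result says only which network a request
// left from: a VPN or anonymising proxy egressing from that network (the
// explanation SecurStar offered) produces exactly the same match, so an IP
// alone never identifies a person.
func Attribute(logText, trackedPath string, netblocks []string) ([]Hit, error) {
	var nets []*net.IPNet
	for _, cidr := range netblocks {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("bad netblock %q: %w", cidr, err)
		}
		nets = append(nets, n)
	}
	var matches []Hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		h, ok := ParseHit(sc.Text())
		if !ok || h.Path != trackedPath {
			continue
		}
		for _, n := range nets {
			if n.Contains(h.IP) {
				matches = append(matches, h)
				break
			}
		}
	}
	return matches, sc.Err()
}

// sampleLog is constructed for this example: the addresses are RFC 5737
// documentation ranges, and the path and referer are invented.
const sampleLog = `192.0.2.17 - - [03/Feb/2010:10:15:02 +0100] "GET /track/notrax-post HTTP/1.1" 302 0 "http://blog.example.com/zrtp-post" "Mozilla/5.0"
198.51.100.8 - - [03/Feb/2010:10:16:40 +0100] "GET /track/notrax-post HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.17 - - [03/Feb/2010:10:17:11 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2010:11:02:59 +0100] "GET /track/notrax-post HTTP/1.1" 302 0 "http://twitter.com/" "Mozilla/5.0"
192.0.2.44 - - [03/Feb/2010:11:30:00 +0100] "GET /track/notrax-post HTTP/1.1" 302 0 "-" "curl/7.19.7"
not a log line`

func main() {
	// 192.0.2.0/24 stands in for the netblock of the organisation under suspicion.
	hits, err := Attribute(sampleLog, "/track/notrax-post", []string{"192.0.2.0/24"})
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%s %s referer=%q (network-level match only)\n", h.Time, h.IP, h.Referer)
	}
}
```

Two of the five constructed lines match the suspect netblock; the favicon request from the same address is ignored because it is not the tracked link. What the match does not do is distinguish an employee at a desk from an outsider routing through that organisation’s proxy, which is exactly the ambiguity the two sides in this story are arguing over.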

Source


Feb 1 2010

Cloud security: Try these techniques now

For Logiq³ Inc., the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility.

A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³’s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.

BlueLock’s virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.

There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock’s cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn’t regulated by the U.S. government’s Sarbanes-Oxley Act, its customers in the financial sector are, “so they’ll be auditing us,” says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.

Logiq³ is far from alone. While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It’s a comparatively new service area where risks are unknown — “which in itself is a risk,” says Jay Heiser, an analyst at Gartner Inc. “If I can’t figure out how risky something is, I have to assume it isn’t secure.”

5 tips for effective cloud security

* Find out as much as you can about a software-as-a-service provider’s security measures and infrastructure. If you are going with an infrastructure-as-a-service provider, ask what tools it can provide you to protect your virtual environment.

* Encrypt data at rest and in transit; otherwise, don’t put sensitive information in the cloud.

* Divvy up responsibilities between your administrators and the service provider’s administrators, so no one has free access across all security layers.

* Check whether a vendor has been audited under SAS 70 Type II and certified to ISO 27001. Bear in mind that a SAS 70 report covers only the controls the provider itself chose to have audited, so read its scope rather than treating it as a blanket security standard. If you are an international company, check for US-EU Safe Harbor certification as well.

* Go with a high-end service provider with an established security record. “You get what you pay for,” says Gartner analyst Jay Heiser.
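
The second and third tips together come down to one design rule: the provider stores only ciphertext, and the key that unwraps it stays with the tenant. The following Go program is an added example, not code from the article, from Logiq³ or from BlueLock; it shows client-side envelope encryption with AES-256-GCM from the Go standard library. Each record gets a fresh data key, the data key is wrapped under a tenant-held key-encryption key (KEK), and the record identifier is bound as additional authenticated data. The record ID, the sample plaintext and the randomly generated demo KEK are constructed for the example; in production the KEK would live in the tenant’s own key store or HSM, never on the provider’s infrastructure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length used by cipher.NewGCM

// Envelope is the only thing handed to the provider: ciphertext plus a data
// key wrapped under a key-encryption key (KEK) that never leaves the tenant.
type Envelope struct {
	WrappedKey []byte // nonce || AES-GCM_KEK(dataKey)
	Nonce      []byte // nonce for the payload
	Ciphertext []byte // AES-GCM_dataKey(plaintext), recordID bound as AAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWith seals plaintext under key with a fresh random nonce, binding aad.
func encryptWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// decryptWith opens ct; any tampering or aad mismatch returns an error.
func decryptWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt builds the envelope for one record. A fresh 256-bit data key per
// record means a random nonce is never reused under one key; binding recordID
// as AAD makes a provider-side swap of ciphertext between records fail.
func Encrypt(kek []byte, recordID string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := []byte(recordID)
	nonce, ct, err := encryptWith(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := encryptWith(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: append(wrapNonce, wrapped...), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the tenant's KEK and opens the payload.
// A wrong KEK, a flipped bit or a mismatched recordID all surface as errors,
// never as silently wrong plaintext.
func Decrypt(kek []byte, recordID string, env *Envelope) ([]byte, error) {
	if len(env.WrappedKey) < nonceSize {
		return nil, errors.New("wrapped key too short")
	}
	aad := []byte(recordID)
	dataKey, err := decryptWith(kek, env.WrappedKey[:nonceSize], env.WrappedKey[nonceSize:], aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := decryptWith(dataKey, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("open payload: %w", err)
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // demo KEK; in practice loaded from the tenant's own key store or HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, "death-record-0001", []byte("SSN 000-00-0000")) // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "death-record-0001", env)
	fmt.Printf("provider stores %d bytes; round trip ok: %v\n", len(env.Ciphertext), err == nil && string(pt) == "SSN 000-00-0000")
}
```

Because the provider holds neither the KEK nor any plaintext, a provider-side administrator, or an attacker who has compromised the provider’s storage, can neither read the records nor alter them unnoticed: a flipped byte, a ciphertext copied into another record’s slot, or a wrong KEK all fail authentication in Open. Transport encryption still matters, but it protects the path, not the data once it is at rest with the provider.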

The extent to which hackers can exploit vulnerabilities unique to the cloud is being hotly debated on sites such as LinkedIn’s Cloud Computing Alliance group. So far, there have been few instances of a successful, large-scale data breach on a public cloud. Just recently, however, someone managed to run a command-and-control server for the Zeus password-stealing botnet inside Amazon.com Inc.’s EC2 cloud computing infrastructure, after first hacking into a website hosted on Amazon servers.

Source


Feb 1 2010

SecureCloud 2010: The future of cloud security

SecureCloud 2010 is a premier educational and networking event hosted by ENISA, the Cloud Security Alliance and ISACA, three of the leading organizations shaping the future of cloud computing security. The event takes place in Barcelona, Spain in March 2010.

It is the first event to focus specifically on state of the art practices to promote security, privacy and trust within cloud computing from technical, assurance and governance perspectives.

SecureCloud 2010 will feature presentations by thought leaders from industry, academia and government, including keynote speeches by Dr Udo Helmbrecht, Executive Director of ENISA; and Dave Cullinane, CISO at eBay, and Chairman of the Board of the CSA.

Jim Reavis, Executive Director, Cloud Security Alliance, commented for Help Net Security: “Cloud Computing represents an important milestone in the history of technology, as we begin the shift towards the adoption of computing as a utility. Securing the cloud is a shared, global responsibility, and Secure Cloud 2010 provides a forum for a truly global dialogue of cloud providers, government, enterprise users and other key stakeholders to achieve this mission”.

Source