Friday 25 July 2014

Roll out the welcome mat to hackers and crackers

A clear and easy-to-read policy is key to developing a good internal bug bounty program, according to BugCrowd, which has published guidelines to help businesses encourage the security community to report vulnerabilities.
Bug bounties are an increasingly popular means of providing a legally safe avenue for security researchers to report bugs they find in hardware, software and services. Such programs help to overcome a prevailing fear that reporting flaws could prompt affected vendors to return the favour with legal action as a result of unauthorised hacking.
BugCrowd suggests cash, not tee shirts, is the best way to encourage researchers to test products and services more regularly and intensively.
BugCrowd engineer Drew Sing (Drew_Sing) published the open source guidelines on GitHub and emphasised the need for simplicity and executive awareness.
"A high priority security issue handled improperly could damage the reputation of the organisation ... the development, IT and communications team are all critical components to a successful program," Sing wrote.
"Receiving your first vulnerability report from the outside world can be a scary and confronting experience, but keep in mind that the researcher is pro-actively trying to help you."
Sing's guide suggests a bug bounty program should be published in an obvious location on websites, preferably located with the /security subdomain, and sport a dedicated security contact who is well-briefed in handling disclosures.
The page should detail which vulnerabilities are in scope and which are deemed off-limits.
When a bug arrives, acknowledgement is key. "Acknowledge initial receipt of any report, and set expectations for a response," Sing says in the guidelines. "Keep the researcher informed during each stage of the validation process."
Correspondence should be clear, purposeful and keep the bug hunter abreast of any updates, vulnerability triage or planned patching. Emails are the preferred medium for disclosures since they provide a paper trail. Those who run bug bounty programs should expect that correspondence about bugs will be made public.
"Make sure you resolve the vulnerability quickly. For most researchers, this is the most important part - seeing the positive impact of their work," Sing advises.
Researchers often allow the affected organisation one to three months to fix vulnerabilities, so developing patches or workarounds should be a priority. Failure to act can see a vulnerable organisation named on mailing lists such as Full Disclosure or splattered across social media and news sites.
Rewards can take the form of a vulnerability hall of fame, where bug hunters are named for their contributions, and cash or prizes.
Vulture South recommends organisations offer rewards appropriate to the size of the business. A laudable bug bounty initiative by an individual security bod at Yahoo! became laughable after a serious security vulnerability that allowed accounts to be easily compromised was rewarded with a $12.50 voucher for tat in the Yahoo! store. Following a smattering of bad press, the Purple Palace set up a formal bug bounty.
Sing's efforts to define a good bounty program are not unique. Last year, Kiwi security bods under the New Zealand Internet Task Force published draft guidelines (PDF) they hoped would be adopted by business and government across the country.
Readers can tune in to a podcast (created in your correspondent's past life) detailing that draft and bug bounties more broadly, including tips for researchers, as part of a Kiwicon presentation by Lateral Security's Nick von Dadelszen and Department of Internal Affairs analyst Ben Creet.

Thursday 24 July 2014

Dell ignoring critical flaws in router and server-management systems

Dell keeps quiet about router and server-management system security flaws
Dell is refusing to publicly acknowledge a flaw in a number of its products that could theoretically be used by hackers to steal control of victims' systems.
The vulnerabilities were first discovered in IBM keyboard, video and mouse (KVM) switches in May by independent security researcher Alejandro Alvarez Bravo.
Alvarez Bravo said the vulnerability – while originally found in IBM systems – is also prevalent in several other companies' products, including Dell's, in a post on the Full Disclosure forum.
"The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that this vulnerability is also present in some Dell and probably other vendors of this rebranded KVM," he wrote.
"[The] improperly sanitised input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch."
KVM switches let IT departments remotely manage equipment such as servers and routers.
IBM issued patches for the vulnerabilities on 14 July but Bravo told V3 that despite contacting Dell two months ago about the danger its customers face, he is yet to receive a reply from the firm.
"Dell was informed two months ago via security@dell.com but no response nor acknowledgement has been received. Unfortunately I don't have a list of affected KVM switches. I only know that they all share the same firmware with branding modifications. The original firmware was made by Emerson's Avocent," he said.
"In a previous vulnerability for this KVM (CVE-2013-0526), people from OpenVAS pointed me to look at Shodan for ‘AEWS+%2B301+Moved+Permanently' to locate some of them. I've checked that these KVMs are also prone to new vulnerabilities."
Researchers at Kaspersky Labs reported suffering similar issues with contacting Dell in a blog post. At the time of publishing Dell had not responded to V3's request for comment.
Dell and IBM are two of many firms to have flaws found in their products in recent weeks. Cisco was forced to release a security update on Friday for multiple versions of its Small Office/Home Office (SoHo) routers, fixing a critical flaw that left users open to attack by hackers.

Hackers raise fee of Android Simplocker ransomware and teach it English


The new Simplocker ransomware demands $300
Hackers have expanded the infamous Android Simplocker ransomware campaign to target English-speaking Android users and have raised the ransom demand.
ESET security intelligence team lead Robert Lipovsky reported uncovering the evolved malware in a blog post, revealing that the ransomware has received a variety of technical upgrades.
"Last week we spotted a variant of the ransomware that featured a few significant improvements. The first change that meets the eye in Android/Simplocker is that the ransom message is now in English rather than Russian," read the post.
"Secondly, the malware now asks to be installed as Device Administrator, which makes it a lot more difficult to remove."
Ransomware is a form of malware that locks infected machines to a specific screen. The attackers usually demand payment from the victim before unlocking the machine.
The new Simplocker reportedly demands that victims pay $300 (USD) using a MoneyPak voucher to unlock infected devices, a marked increase on the $21 demanded by many previous variants.
Lipovsky said the malware is doubly dangerous as it encrypts files stored on handsets' SD cards, as well as their internal storage and attempts to scare the user by hijacking control of the phone's front camera.
"In addition to encrypting documents, images and videos on the device's SD card, the Trojan now also encrypts archive files: ZIP, 7z and RAR. This ‘upgrade' can have very unpleasant consequences," read the post.
"This one also uses the scareware tactic of displaying the camera feed from the device."
Like past ransomware, the new Simplocker variant attempts to dupe victims into paying by masquerading as a message from the US FBI.
"The victim is led to believe that the device was blocked by the FBI after detecting illegal activity – child pornography and so on – typical behavior of police ransomware that we've seen many times before," explained Lipovsky.
Ransomware is increasingly common, and Microsoft reported in May that the number of cyber attacks using the infamous Reveton ransomware has doubled over the past year.

US warns of Huawei WiFi modem XSS security threat

US CERT finds flaw in Huawei tech
The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks.
The CERT team issued the warning on Monday, revealing that the flaw could leave people connecting to the internet or a cellular network using the modem vulnerable to cyber strikes.
"Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network," explained the advisory.
"The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface. A malicious attacker may be able to execute arbitrary script in the context of the victim's browser."
Huawei released an advisory on the issue in June and confirmed it is working on a fix. "Huawei has analysed and investigated the vulnerability and informed involved customers. Huawei has prepared a fixing plan and started the development and test of fixed versions. Huawei will update the Security Notice if any progress is made," read the advisory.
FireEye director of technology strategy Jason Steer told V3 hackers could use the flaw for a variety of purposes. "Is it bad? Yes, XSS is a high-severity software flaw, because of its prevalence and its ability to be used by attackers to trick users into giving away sensitive information such as session cookies," he said.
"By allowing hostile JavaScript to be executed in a user's browser they can do a number of things. The most popular things are performing account takeovers to steal money, goods and website defacement. If you could get an admin account then you can start changing settings and having other impacts as well."
It is currently unclear if hackers are actively exploiting the flaw but Steer said he would be surprised if it was not.
"I think it's likely hackers are targeting it. I could think of a number of scenarios where having access to the hotspot configuration might be helpful, especially if I wanted to create public hotspot and start to eavesdrop on other users looking for free WiFi to go online," he said.
The CERT team recommended people using the Huawei model temporarily disable scripting in their web browser to avoid falling victim to attack while Huawei works on its fix. "We are currently unaware of a practical solution to this problem. In the meantime, please consider disabling scripting in your web browser," it said.
ESET senior research fellow David Harley mirrored CERT's sentiment and told V3 that, if left unchecked, the flaw definitely has the potential to cause harm.
"If a malicious script was reflected back to the victim's browser and executed, it might be serious: XSS attacks have wide scope in principle. If I was using the vulnerable modem, I'd certainly make sure I had scripting disabled or use an add-on that whitelists scripts," he said.
Huawei is one of many telecoms technology providers to have flaws found in its products in recent weeks. Cisco patched a security flaw affecting multiple versions of its Small Office/Home Office (SoHo) routers on Friday.

DDoS attackers turn attention to SaaS and PaaS systems, Akamai reports

DDoS attacks on the rise, says Akamai
The latest report from Akamai has revealed an increase in DDoS attacks and a resurgence of botnets to carry out server-based attacks.
The Q2 2014 Global DDoS Attack Report from Prolexic Technologies, now part of Akamai, revealed that DDoS activity has increased by 22 percent, putting it close to the record-breaking levels set in the year's first quarter.
A 72 percent increase in the average bandwidth of attacks means DDoS activity has become stronger and more capable of overwhelming targets with data packets.
Prolexic revealed that DDoS activity was mostly fuelled by reflection-based attacks that abuse common web protocols, and by server-side botnets that exploit web vulnerabilities in Windows, Linux and content-management systems.

Jay Coley, senior director of Line Services at Akamai, put the increase in botnets down to the current political climate and the ease of exploitable vulnerabilities in traditional internet services, such as the Network Time Protocol and Domain Name System.
"Attackers are able to use these services to 'reflect' attacks and increase the strength of traditional botnets by 100 to 400 percent," he explained.
"These tools also add a layer of obscurity to the botnets as they are never actually touching the targets directly, but 'reflecting' and increasing their attacks using these exploits."
Nearly half of the DDoS attacks were aimed at IT infrastructure rather than websites or applications. Vendors of cloud services such as Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) were identified as common targets.
The researchers warned that such attacks could exhaust incoming network bandwidth and essentially cripple entire data centres.
Stuart Scholly, senior vice president of security at Akamai Technologies, said that behind these powerful attacks are evolving tactics to build, conceal and deploy dangerous botnets.
"Server-side botnets are preying on web vulnerabilities, and reflection and amplification tactics are allowing attackers to do more with less," explained Scholly.
While Akamai said that server-side botnets have only been observed in the most sophisticated and orchestrated DDoS attacks, high-volume infrastructure attacks bear the hallmarks of being specifically tailored to avoid DDoS mitigation technology.
Given the rise of cloud computing and the adoption of service-based IT infrastructure, Akamai believes that the effectiveness of such DDoS attacks poses a significant threat to businesses and even government organisations.
Worryingly, the itsoknoproblembro (Brobot) botnet - once thought to be extinct - is still causing problems. Server infection attacks in the second quarter indicated that the botnet was still in place and being stealthily maintained.
Brobot's revival could be troubling for financial organisations given how the infamous Operation Abigail, executed between 2012 and 2013, saw companies such as JPMorgan and the New York Stock Exchange targeted by powerful DDoS attacks.
Cyber attacks are a common occurrence despite growing concerns and awareness over cyber security. In April, Verizon revealed that analysis of 10 years' worth of data found that 92 percent of all security incidents recorded were from nine basic cyber attacks.
Recently, V3 reported that cyber attacks cost UK businesses a massive £1.5m per data breach, according to research from PwC and BIS. PwC said this highlighted a need for companies to invest more in IT defences and train employees to follow cyber-security best practices.

ICO fines travel firm £150,000 after hacker steals card details from more than a million customers

A lack of security and penetration testing led to a major data breach
The Information Commissioner’s Office (ICO) has fined an online travel company called Think W3 £150,000, after a hacker accessed credit card details due to a coding error on its website.
The hacker was able to retrieve data as far back as 2006, as the system had never been updated, and the ICO report on the case also found that the system used was never subject to any post-build testing.
“The data controller did not subject the web server to appropriate penetration test or internal vulnerability scans and checks, which took place on other servers on the basis that the website and web server were not external facing,” it said.
“However the website (and therefore the associated system and web server) could still be discovered and accessed over the internet by anyone with sufficient technical knowledge.”
This happened on 21 December 2012, when the hacker uncovered a coding error in the website and used an SQL injection to log in to the administrators’ interface, the report explained.
The hack was discovered on Christmas Eve, just three days later, when the data controller at Think W3 performed a routine server check that threw up a notification from some antivirus software installed on the server.
By this time, though, the hacker had accessed 1,163,996 credit and debit card records. Of these 430,599 were identified as current and 733,397 as expired.
Stephen Eckersley, head of enforcement, said the incident was a “staggering lapse” in security and underlined the fact that firms of every shape and size must take the issue of data protection seriously.
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information,” he said.
The owner of Think W3 at the time of the incident, Thomas Cook Group, said it would pay the fine and claimed no customers were affected by the incident.
"No customers have suffered any loss as a  result of the breach which our security systems detected immediately. The Essential Travel [a subsidiary of Think W3] computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group."

Jon Knowles, head of Information Security at Thomas Cook, added: "We take customer data security very seriously and are proud of the exemplary way our teams dealt with this issue to avoid any possible impact on our customers."
The current owners of Think W3, Holiday Extras, also moved to reassure customers that their details remain safe. Matthew Pack, CEO of Holiday Extras, said: “We acquired Essential Travel [a brand of Think W3] on 24 January 2014, at which point all payment processing migrated to the main Holiday Extras system.
“Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind.”
The fine comes after the ICO urged the government to give it more funding to help it deal with its ever-growing case load as data breaches continue to plague businesses, councils and other organisations, despite the threat of heavy fines.

How Thieves Can Hack and Disable Your Home Alarm System



When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms.
Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home.
“An attacker can walk up to a front door and suppress the alarm as they open the door, do whatever they want within the home and then exfiltrate, and it’s like they were never there,” says Logan Lamb, a security researcher at the Oak Ridge National Lab, who conducted his work independent of the government.
Lamb looked at three top brands of home alarm systems made by ADT, Vivint and a third company that asked that their name not be identified. The Vivint system uses equipment manufactured by 2Gig, which supplies its equipment to more than 4,000 distributors.
Separately, Silvio Cesare, who works for Qualys, also looked, independent of his job, at more than half a dozen popular systems used in Australia, where he lives, including ones made by Swann, an Australian firm that also sells its systems in the U.S.
The Swann security system.
No matter what the brand or where they’re sold, the two researchers found identical problems. All the wireless alarm systems they examined rely on radio frequency signals sent from door and window sensors to a control system that triggers an alarm when any of these entryways are breached. The signals are sent any time a tagged window or door is opened, whether or not the alarm is enabled; when it is enabled, the system trips the alarm and also sends a silent alert to the monitoring company, which contacts the occupants and/or the police. The researchers found that the systems fail to encrypt or authenticate the signals being sent from sensors to control panels, making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will. “All of the systems use different hardware but they are effectively the same,” Lamb says. “[They're] still using these wireless communications from the mid-90s for the actual security.”
The signals can also be jammed: sending radio noise stops them from getting through from the sensors to the control panel, so no alarm is tripped.
“Jamming the intra-home communications suppresses alarms to both the occupants and the monitoring company,” Lamb says.
Some alarms use anti-jamming countermeasures to prevent someone from blocking signals from sensors to control panels: if they detect a jamming technique, they issue an audible alarm to the occupant and send an automatic transmission to the monitoring company. But Lamb says there are techniques to beat the countermeasures as well, which he’ll discuss at his talk.
One of the Australian products that Cesare examined had an additional vulnerability: Not only was he able to intercept unencrypted signals, he could also discover the stored password on the devices—the password a homeowner would use to arm and disarm the whole setup.
The two researchers plan to present their findings separately next month at the Black Hat security conference in Las Vegas. Lamb will also present his research at the Def Con hacker conference. The researchers both focused on home-alarm systems, rather than commercial-grade models used to secure businesses. The two researchers each used a software-defined radio to intercept and replay communications. Lamb used a USRP N210, which costs about $1,700. For a serious home-burglary ring, this would be a small investment. Lamb says he was able to do a replay attack—copying signals and sending them back to the system to trigger false alarms—from 250 yards away using this device without a direct line of sight to the sensors. Software-defined radios are controlled with software and can be tweaked to monitor different frequencies. With minimal changes to the code in his SDR, Lamb was able to “have my way in all the systems.”
But he could also use an RTL-SDR—a device that costs about $10 from Amazon to monitor signals. These devices don’t transmit signals, so an attacker wouldn’t be able to disable the alarm system. But he could monitor the signals from up to 65 feet away. Because the transmissions contain a unique identifier for each monitored device and event, an attacker could identify when a window or door in a house was opened by an occupant and possibly use it to identify where victims are in the house—for example, when occupants close a bedroom door for the night, indicating they’ve gone to bed.
“So as people go about their days in their homes, these packets are being broadcast everywhere,” he says. “And since they’re unencrypted, adversaries can just sit around and listen in. Suppose you have a small [monitoring] device to chuck in a [rain] gutter. With minimal effort you could tell when someone leaves the house … and establish habits. I think there’s some value there and some privacy concerns.”
Cesare found that some systems used a remote that lets homeowners arm and disarm their alarms without entering a password on a control panel. This data is transmitted in the clear, also via radio frequency, and can be monitored. He found that most of the systems he examined used only a single code. “I captured the codes that were being sent and replayed them and defeated the security of these systems,” he says. Cesare notes that the systems could be made more secure by using rolling codes that change, instead of fixed ones, but the manufacturers chose the easier method to implement with their hardware, at the expense of security. Cesare was also able to physically capture stored passwords from a system made by Swann. All he had to do was attach a microcontroller programmer to read data off the EEPROM. Although he says the firmware was protected, preventing him from reading it, the password was exposed, offering another attack vector to disable the alarm.
Cesare points out that commercial-grade systems are likely more secure than the home systems they examined. “In the home-alarm product, there is an expectation that you’re not going to have as strong security as a commercial-grade system,” he says. But customers still expect at least basic security. As Lamb and Cesare show, that’s debatable.

Here’s How Hackers Stole Over $1 Million From 1,600 StubHub Users

U.S. law enforcement charged 6 Russians and Americans who were allegedly part of a far-flung international hacking scheme

Six individuals in Russia and the United States have been charged with taking part in a broad international hacking scheme that attacked over 1,600 StubHub users’ accounts and fraudulently purchased more than $1 million in tickets.
In March 2013, StubHub discovered that more than 1,000 of its users’ accounts were compromised by hackers who were fraudulently purchasing thousands of tickets using the service. The tickets included Justin Timberlake concerts, expensive seats at Yankee Stadium behind the dugout, orchestra seats and sold-out Broadway shows. The tickets were worth over $1 million in total, law enforcement officials said.
StubHub told law enforcement officials of the breach, prompting a multi-national investigation into the hacking ring. Two Americans have been arrested and a third is expected to turn himself in over the coming days. Police are awaiting the extradition of a Russian national in Spain.
“Today’s law enforcement action reflects the increasingly global landscape in which financial and cybercriminals operate,” said Manhattan District Attorney Cyrus R. Vance, Jr. on Wednesday. “Financial crime is no longer local.”
Vadim Polyakov, the Russian national currently being held in Spain, allegedly hacked StubHub accounts to purchase more than 3,500 tickets. Police say Polyakov sent the tickets to three American fences, who resold them and laundered the profits through Russian nationals and others in London and Toronto.
Police say Gmail chats between two of the Americans, Daniel Petryszyn and Laurence Brinkmeyer, show the Americans knew the tickets had been stolen. “ … This guy [Polyakov] is pretty much admitting he is a hacker,” Petryszyn wrote to Brinkmeyer. “I don’t give a f*** I will launder all the money they want.”
The Americans sent the ticket proceeds to bank accounts controlled by Polyakov and other individuals around the world.
During the months-long international investigation, law enforcement officials scoured more than 1,000 fraudulent ticket purchases, matched them to PayPal accounts and used search warrants to track the associated email addresses.
One officer with knowledge of Russian used Facebook messages to discover that Polyakov was taking a vacation in Spain. On July 3rd, Polyakov was tracked to a hotel in Barcelona, where Spanish authorities and the U.S. Secret Service arrested him.
StubHub said that customers were refunded for unauthorized transactions, and that customers were assisted in changing their passwords.
The hackers obtained customers’ logins through other sources, StubHub said, not by hacking StubHub’s systems.
“Customer accounts were accessed by cyber criminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PC,” StubHub said in a statement.
Vance said it was unclear how the hackers originally obtained users’ names and passwords, but the transaction records show there may be others involved in the hacking scheme.
“With cybercrime, it’s very hard to say you’ve got it boxed up entirely,” Vance said. “We’ve got the core actors, though many more may follow elsewhere.”

Sony's $15 million PSN hacking settlement pays out in free games


Way back in 2011, PlayStation Network services and websites went dark due to "an external intrusion." Anonymous claimed responsibility, names, passwords and possibly payment information were lost in a data breach, and everybody in general had a bad time. Sony apologized for the fiasco with a "Welcome Back" package, handing out free (older) games to anybody willing to turn their PlayStation back on -- but that wasn't the end of it. The company still had to face a class action lawsuit for losses caused by identity theft and the claims of gamers who failed to participate in its apology giveaway before it closed. Now the company has reached a $15 million settlement. The short version? More free stuff.
Claimants who didn't participate in the original "Welcome Back" program will be offered one of 14 PlayStation 3 or PlayStation Portable games and three PS3 themes, or a three-month subscription to PlayStation Plus. It's not all giveaways, though -- folks with documented identity theft charges will be able to reap up to $2,500 per claim, and users of Sony's old Qriocity service will be able to get a month of Music Unlimited service in recompense. MMO gamers who lost time in virtual worlds are eligible for a $4.50 credit to their SOE accounts, too. You can check out the full court decision below. Forgot all about the 2011 breach? Well, "welcome back."