Wednesday 12 November 2014

Somebody is snooping on CEOs by hacking hotel wi-fi

You never know what's lurking in your hotel room. (Image: Quartz)
“CEOs, senior vice presidents, sales and marketing directors and top R&D staff.” These are the people who have been targeted by Darkhotel, a sophisticated security threat, as they check into hotels around the world, according to a new report (pdf) by Kaspersky Lab, an online security firm. The vast majority of infections occurred in Japan, followed by Taiwan, China, Russia, South Korea, and other Asian nations. Germany and the US also figure on the list.
The attacks have been going on since 2007. Targeted executives come from a variety of fields, including electronics, pharmaceuticals, manufacturing, defense, law enforcement, military, and non-government organisations.
The attackers use hotel Wi-Fi to prompt people to download updates for software such as Adobe Flash, Google Toolbar, and Microsoft Messenger. The updates are in fact malware.
What makes the threat particularly interesting is that the attackers aren’t infecting victims at random. Though a basic version of the malware is distributed in a scattershot manner, it is only after a guest has entered a name and room number that more advanced information-stealing tools are installed, suggesting a targeted campaign.
From the report:
At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the Internet.
The report does not say which hotels have been infected. The hotels themselves have been “uncooperative,” a Kaspersky source told Wired’s Kim Zetter.
According to Kaspersky, whoever is behind the attacks “employs methods and techniques which go well beyond typical cybercriminal behavior.” These include proficient use of previously undiscovered holes (known as zero days) in common software, the fact that executives are specifically targeted as they travel, and careful planning to hide the malicious activity: “As soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.”
Kaspersky doesn’t speculate on the responsible party but there are signs the attacker may be Korean. The report notes that some components of the malware self-terminate on Windows when certain system defaults are set to Korean, and also notes the existence of Korean characters in some of the code.

8-Year-Old Indian-Origin CEO to Give Lecture at Cyber Security Summit

An eight-year old Indian-origin child prodigy is among experts who will address a cyber security conference starting Thursday, where Minister of State for External Affairs V K Singh is also listed as a keynote speaker.

In his address at the summit on November 14, the US-based whizkid Reuben Paul will highlight and demonstrate the need for developing the current generation with cyber security skills, according to the organisers of Ground Zero Summit to be held in New Delhi.

The organisers said, "8 year old Reuben Paul gives keynote at Houston Security Conference."

"I started learning about computer languages around one-and-a-half years back. Now I design my own projects," Reuben told PTI.

The prodigy has been trained by his father, Mano Paul, in the Objective-C programming language and is now learning Swift programming for Apple's iOS platform. Mano Paul, born and raised in Odisha, moved to the US in 2000.

In August Reuben started Prudent Games, his own gaming firm and is designated as CEO of the company. Mano Paul is his partner in the company.

"This will be Reuben's fourth conference where he will be giving lecture on cyber security. He will talk about the need to create awareness about cyber security among young kids as well as demo white page hacking," Mano Paul said.

The other keynote speakers listed for the summit include Home Ministry Joint Secretary Nirmaljeet Singh Kalsi, Special Commissioner Police (Traffic) with Delhi Police Muktesh Chander and National Technical Research Organization Director of Cyber Security Operations Alok Vijayant.

Microsoft releases critical security fix for 19-year-old Windows flaw

Microsoft's latest Patch Tuesday release contains four critical fixes
Microsoft has released a series of critical security fixes in the latest Patch Tuesday update, including one that was 19 years old and present in all versions of Windows as far back as Windows 95.
The Patch Tuesday release contains four critical fixes, the most noteworthy of which is MS14-064. This relates to vulnerabilities in Microsoft Windows Object Linking and Embedding.
Microsoft was made aware of the problem last month and issued a quick fix at the time as criminals were using the exploit to infiltrate machines using modified PowerPoint files.
Microsoft’s full release says that Windows Vista, 7, RT, RT 8.1, 8 and 8.1 are all affected.
Furthermore, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 are also affected.
Microsoft said that those using Internet Explorer (IE) on these systems are most at risk from attackers.
“An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user,” Microsoft explained.
“If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
“Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The issue was found by Robert Freeman from the IBM X-Force security division. He explained in a blog post that Microsoft was first made aware of the issue in May this year. It had been present and exploitable for a staggering 18 years.
"The buggy code is at least 19 years old and has been remotely exploitable for the past 18 years," he said.
"Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript)."
He said the finding underlined the fact security vulnerabilities can always be uncovered in software and a keen eye is needed to spot them.
"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)."
The Patch Tuesday release also includes 17 fixes for various versions of IE, ranging in severity. The most serious of these could allow remote code execution if a user views a specially crafted webpage in IE.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” noted Microsoft.
The other critical fixes relate to the Microsoft Secure Channel security package and Microsoft XML Core Services 3.0.
The Patch Tuesday release for November also contains eight fixes rated 'important' and two rated 'moderate'.
Microsoft will be hoping that the fixes do not cause problems themselves, as it had to pull last month's patch owing to errors in the release code.

Russian Government ‘Condoned’ Cyber Attacks on West

The Putin administration has effectively given its blessing to cyber attacks on Western banks and retailers, according to Mandiant founder Kevin Mandia.
The former Pentagon man, whose firm exposed Shanghai-based PLA Unit 61398 last year as the source of prolific hacking activity, said Russia had stepped up its activity of late.
“The Russians are much more aggressive right now across the board – both government and criminal elements – and we’re having a tough time distinguishing between the two,” he told the Australian Financial Review from Canberra.
“It stretches credulity that Russian law enforcement and intelligence services, who monitor a hell of a lot of what their people do online, are not aware of what Russian hackers are doing,” he added, saying that he was “certain the Russian government was condoning the compromises.”
Just a fortnight ago, FireEye, Mandiant’s parent company, released a new intelligence report detailing the activities of APT28. This state-sponsored group has apparently been in operation since 2007 and is focused on geopolitical targets, such as Eastern European governments and NATO, whose selection betrays Moscow’s hand.
Russian hackers are also thought to be behind the BlackEnergy attacks on US industrial control systems outlined by the ICS-CERT a fortnight ago.
Chris McIntosh, CEO of comms firm ViaSat UK, argued that the threat to critical national infrastructure (CNI) has grown as more systems become internet connected.
“The most effective approach now that the threat has been detected is to assume all IT security measures have already been compromised and working backwards on this basis,” he added.
“This forms part of a holistic approach to ensure that information is secure from point to point; that workers have peace of mind that they are not putting the organization, themselves or customers at threat and that organizations can be confident that their IT risks have been mitigated.”
News has also emerged that the Russian defense ministry may be throwing up to $500 million at a recruitment drive for a new division of the army focused on cyber threats.
Dan Holden, director of ASERT at Arbor Networks, claimed the news is to be expected, given the expansion of US capability in this area.
“France and other NATO countries have also announced and have been investing in these so called ‘cyber armies’,” he added.
“North Korea and Iran, both with significant sanctions against them, have also built up cyber forces. As we’ve seen for years now the geo-politics worldwide are now reflected in the cyber realm and Russia, like others, is modernizing to reflect this new reality.”

More than 400 Underground Sites seized by FBI in ‘Operation Onymous’

Last week a joint operation by the U.S. Federal Bureau of Investigation (FBI) and European law enforcement seized Silk Road 2.0, the successor to the notorious online illegal-drug marketplace, and arrested its 26-year-old operator Blake Benthall, but that wasn’t the end.
US and European authorities over the weekend announced the seizure of 27 different websites as part of a much larger operation called Operation Onymous, which led to the take-down of more than “410 hidden services” that sold illegal goods and services, from drugs to murder-for-hire, while masking their operators’ identities using the Tor anonymity network.
“The action aimed to stop the sale, distribution and promotion of illegal and harmful items, including weapons and drugs, which were being sold on online ‘dark’ marketplaces,” according to the Europol press release.
This globally coordinated take-down combined the efforts of 17 nations: law enforcement agencies in the U.S. and 16 Europol member nations. The operation led to the arrest of 17 people, the operators of darknet websites, and the seizure of $1 million in Bitcoin, 180,000 Euros in cash, drugs, gold and silver.
According to U.S. authorities, Operation Onymous is the largest law enforcement action till now against the illegal websites operating on the Tor network, which helps users to communicate anonymously by hiding their IP addresses.
“We are not ‘just’ removing these services from the open Internet,” said Troels Oerting, Head of Europol’s EC3 (European Cybercrime Centre) cyber crime unit. “This time we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable. The criminals can run but they can’t hide. And our work continues.”
The authorities have not yet publicly disclosed the full list of the seized Tor websites, but it appears that less than 20% of the total darknet websites have been shut down in the joint cyber crime operation, including the seizure of Silk Road 2.0 earlier this week.
“Silk Road” was the notorious online illegal-drug marketplace that generated $8 million in monthly sales and attracted 150,000 vendors and customers. The FBI seized the darknet website in October of 2013 and, after five weeks, Silk Road 2.0 was launched.
On Sunday, the Tor Project said it has no idea how the law enforcement authorities were able to identify the servers that were shut down last week as part of Operation Onymous. “We were not contacted directly or indirectly by Europol nor any other agency involved,” a spokesperson for the Tor Project, “Phobos”, said in a statement.

Cybersecurity? Nothing to do with us, mate – Google and Facebook

Google, eBay, Facebook, Yahoo!, Foursquare and Microsoft want nothing to do with the proposed new EU cybersecurity law.
In an open letter to Europe’s telco ministers last week, CCIA (the Computer & Communications Industry Association) said the proposed Network and Information Security (NIS) Directive should exclude internet-enabling services and focus on “truly critical infrastructure”.
When the law was first proposed by the European Commission, it included rules for so-called "enablers of information society services" aimed at online giants such as Google, Amazon, eBay and Skype. However, the European Parliament changed the text so that the rules will now apply only to companies that own, operate or provide technology for critical infrastructure facilities.
National ministers, the European Commission and MEPs got together for the first time to try to nail down the wording in the proposed Network and Information Security (NIS) Directive last month.
In the text as it stands, so-called “market operators” are required to notify the authorities about any cybersecurity incidents. However, although it is broadly agreed that critical infrastructure must be included, there is a lot of argument about what should constitute a “market operator”.
The general consensus, as CCIA points out, is that online banking services would be included along with other financial institutions, and it adds that basic and essential telecom services are already regulated under the EU’s telecoms rules framework. However, that still leaves a lot of room for debate on whether “internet enabling services” should be included.
CCIA says many of the requirements envisioned by the NIS Directive are already provided for by commercial contracts and service level agreements. However the new law goes beyond normal data breach notification rules and could require the reporting of major “incidents” even if no data is stolen.
Google et al’s mouthpiece claims this would swamp regulators: “Inclusion of broader information society services risks unleashing an avalanche of random personal data for often struggling regulatory agencies. Such massive reporting, and often double-reporting, to poorly resourced authorities would expose citizens’ personal data to unnecessary risk at no significant security benefits,” says the CCIA letter.
The letter characterises “internet enabling services” as online gaming and social networks and says citizens expect “scarce economic resources and technical expertise” to focus on “truly critical infrastructure such as nuclear power plants and transportation facilities”.
Many internet enabling services are already regulated for cybersecurity incidents, and additional legislation would only introduce complexity and confusion, they argue ... and, which the CCIA coyly doesn’t add, cost.
“A broader scope of the NIS Directive risks undermining the law’s ability to protect what really needs protection,” says the letter.

iOS security hole allows attackers to poison already installed iPhone apps

Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.
The "Masque" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.
"Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker's malware through the Internet," FireEye researchers wrote in a blog post published Monday. "That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user's account directly."
The attack works by presenting a targeted phone with the same sort of digital certificate large businesses use to install custom apps on employees' iPhones and iPads, as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn't work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.
"By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier," Monday's report stated. "Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from App Store." From there attackers can:
• Mimic the login interface of the replaced app to steal the victims' login credentials
• Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data
• Install custom programming interfaces not approved by Apple onto victims' phones
• Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.
FireEye researchers documented the following proof-of-concept example attack:
In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird.” We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone.
Figure 1 illustrates this process. Figures 1(a) and 1(b) show the genuine Gmail app installed on the device with 22 unread e-mails. Figure 1(c) shows that the victim was lured to install an in-house app called “New Flappy Bird” from a website. Note that “New Flappy Bird” is the title for this app and the attacker can set it to an arbitrary value when preparing this app. However, this app has a bundle identifier “com.google.Gmail”.
After the victim clicks “Install”, Figure 1(d) shows the in-house app was replacing the original Gmail app during the installation. Figure 1(e) shows that the original Gmail app was replaced by the in-house app. After installation, when opening the new “Gmail” app, the user will be automatically logged in with almost the same UI except for a small text box at the top saying “yes, you are pwned” which we designed to easily illustrate the attack. Attackers won’t show such courtesy in real world attacks. Meanwhile, the original authentic Gmail app’s local cached e-mails, which were stored as clear-text in a sqlite3 database as shown in Figure 2, are uploaded to a remote server.
Note that Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
Monday's post comes a few days after researchers from Palo Alto Networks uncovered an active malware campaign, dubbed WireLurker, that also abused enterprise certificates to install unwanted apps on iPhones and iPads. The FireEye post described WireLurker as a "limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker." The attacks can be prevented by installing only apps that come from Apple's official App Store. Users who encounter dialog boxes from third-party websites asking for permission to update existing apps or install new ones should be especially suspicious. Users should immediately uninstall any apps that return an alert saying "Untrusted App Developer."
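As an added illustration that is neither FireEye's nor Apple's code, the following Python models the install decision the Masque Attack exploits: an installer that keys apps and their data containers only on the bundle identifier lets an enterprise-signed package inherit an App Store app's container, while a hypothetical hardened installer that also requires the signer to stay the same refuses the replacement. The bundle identifier and app titles come from the FireEye write-up quoted above; the signer labels and the cached data are constructed.

```python
"""Model of the install decision behind the Masque Attack (added example,
not FireEye's or Apple's code). Installed apps are keyed by bundle
identifier, and each app's local data lives in a container keyed the same
way. The weak installer replaces whatever carries the same bundle identifier
regardless of who signed it; the hardened installer is a hypothetical fix
that also demands the signer match the app already installed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    bundle_id: str   # e.g. "com.google.Gmail" (identifier from the write-up)
    title: str       # display name; attacker-controlled and arbitrary
    signer: str      # "appstore" or an enterprise team label (constructed)


@dataclass
class Device:
    apps: dict = field(default_factory=dict)        # bundle_id -> App
    containers: dict = field(default_factory=dict)  # bundle_id -> local data


def install_weak(device: Device, new_app: App) -> bool:
    """Keys only on bundle identifier: any signer may replace any app, and
    the existing container is kept for whoever now owns the identifier."""
    device.apps[new_app.bundle_id] = new_app
    device.containers.setdefault(new_app.bundle_id, {})
    return True


def install_hardened(device: Device, new_app: App) -> bool:
    """Hypothetical check: refuse a replacement whose signer differs from the
    installed app's, so an enterprise-signed package cannot take over an App
    Store app's container. Fresh installs are still allowed."""
    current = device.apps.get(new_app.bundle_id)
    if current is not None and current.signer != new_app.signer:
        return False
    device.apps[new_app.bundle_id] = new_app
    device.containers.setdefault(new_app.bundle_id, {})
    return True


def scenario(installer) -> tuple:
    """Replay the write-up's experiment: a genuine Gmail with cached mail, then
    an enterprise-signed "New Flappy Bird" carrying Gmail's bundle identifier.
    Returns (replacement happened, signer now holding the identifier,
    container contents that holder can read)."""
    device = Device()
    gmail = App("com.google.Gmail", "Gmail", "appstore")
    device.apps[gmail.bundle_id] = gmail              # victim's normal install
    device.containers[gmail.bundle_id] = {            # constructed sample data
        "cached_mail": ["22 unread messages"],
        "login_token": "TOKEN-constructed",
    }
    lure = App("com.google.Gmail", "New Flappy Bird", "enterprise:ATTACKER-TEAM")
    replaced = installer(device, lure)
    holder = device.apps["com.google.Gmail"]
    return replaced, holder.signer, device.containers["com.google.Gmail"]


def compare_installers() -> dict:
    """Run the same lure through both installers for a side-by-side check."""
    return {"weak": scenario(install_weak), "hardened": scenario(install_hardened)}


if __name__ == "__main__":
    for name, (replaced, signer, data) in compare_installers().items():
        print(f"{name:9} replaced={replaced} holder={signer} token={data['login_token']}")
```

With the weak installer the enterprise-signed app ends up holding the identifier and can read the cached token; the hardened installer leaves the App Store app in place.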

Iranian contractor named as Stuxnet 'patient zero'

Malware researchers have named five Iranian companies infected with Stuxnet, identifying one as 'patient zero' from which the worm leaked to the world after causing havoc in the Natanz uranium enrichment plant.
Joint research by Kaspersky Lab and Symantec found the organisations, contractors to Natanz, were targeted between June 2009 and March 2010 and suffered 12,000 infections from 3280 Stuxnet samples.
The two companies' latest findings, also published in Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, do not agree with accounts in a New York Times article that Stuxnet was delivered straight to Natanz, from where it escaped into the wild to be picked up by researchers and re-purposed by malware writers.
Researchers were able to glean the new information, published in January and updated with victims' names today, because Stuxnet code retained information about the targets it infected, creating new executables for each.
"Stuxnet remains one of the most interesting pieces of malware ever created," Kaspersky analysts wrote. "The targeting of certain high profile companies was the solution" to infect Natanz.
Symantec reverse engineer Liam O'Murchu said the company was confident Stuxnet leaked from the initial targets.
"Based on the analysis of the bread crumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," O'Murchu said.
"... every sample can be traced back to specific companies involved in industrial control systems-type work."
The companies included Behpajooh, identified as patient zero from where the worm leaked to the world; Foolad Technic Engineering Co, which developed blueprints for Iran's industrial control systems; the sanctioned Neda Industrial Group; Control-Gostar Jahed Company; and Kala Electric, a sanctioned firm that developed centrifuges.
The sophisticated malware was widely thought to be the work of the US and Israel, created under Operation Olympic Games, launched by the Bush Administration and continued under President Obama.
It exploited four zero-day vulnerabilities, making it both expensive, in terms of the research typically required to discover such flaws, and highly targeted, having been designed for the specific systems used in the Natanz facility.