Quote of the day
Capitalism is the extraordinary belief that the nastiest of men for the nastiest of motives will somehow work for the benefit of all.
John Maynard Keynes
IT and Related Security News Update from Centre for Research and Prevention of Computer Crimes, India (www.crpcc.in) Courtesy - Sysman Computers Private Limited, Mumbai
Quote of the day
Capitalism is the extraordinary belief that the nastiest of men for the nastiest of motives will somehow work for the benefit of all.
John Maynard Keynes
rootkit
A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the systems OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.
BGP REVEALED : The Internet's Biggest Security Hole
By Kim Zetter
August 26, 2008
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.
The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.
"It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."
The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.
Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.
The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.
BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.
The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.
"We're not doing anything out of the ordinary," Kapela told Wired.com. "There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."
The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic.
Here's how it works. When a user types a website name into his browser or clicks "send" to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user's ISP then consults a BGP table for the best route. That table is built from announcements, or "advertisements," issued by ISPs and other networks -- also known as Autonomous Systems, or ASes -- declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic.
The routing table searches for the destination IP address among those prefixes. If two ASes deliver to the address, the one with the more specific prefix "wins" the traffic. For example, one AS may advertise that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both announcements, BGP will send data to the narrower, more specific one.
To intercept data, an eavesdropper would advertise a range of IP addresses he wished to target that was narrower than the chunk advertised by other networks. The advertisement would take just minutes to propagate worldwide, before data headed to those addresses would begin arriving to his network.
The attack is called an IP hijack and, on its face, isn't new.
But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.
Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.
Ordinarily, this shouldn't work -- the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.
"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"
Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.
Kapela said network engineers might notice an interception if they knew how to read BGP routing tables, but it would take expertise to interpret the data.
A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."
Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.
"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."
Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.
Filtering isn't the only solution, though. Kent and others are devising processes to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don't just send traffic to whoever requests it.
Under the scheme, the five regional internet address registries would issue signed certificates to ISPs attesting to their address space and AS numbers. The ASes would then sign an authorization to initiate routes for their address space, which would be stored with the certificates in a repository accessible to all ISPs. If an AS advertised a new route for an IP prefix, it would be easy to verify if it had the right to do so.
The solution would authenticate only the first hop in a route to prevent unintentional hijacks, like Pakistan Telecom's, but wouldn't stop an eavesdropper from hijacking the second or third hop.
For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.
"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.
The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.
Douglas Maughan, cybersecurity research program manager for the DHS's Science and Technology Directorate, has helped fund research at BBN and elsewhere to resolve the BGP issue. But he's had little luck convincing ISPs and router vendors to take steps to secure BGP.
"We haven't seen the attacks, and so a lot of times people don't start working on things and trying to fix them until they get attacked," Maughan said. "(But) the YouTube (case) is the perfect example of an attack where somebody could have done much worse than what they did."
ISPs, he said, have been holding their breath, "hoping that people don’t discover (this) and exploit it."
"The only thing that can force them (to fix BGP) is if their customers ... start to demand security solutions," Maughan said.
NEXT TARGET : Hackers prepare supermarket sweep
Reformed hacker Jacques Erasmus of security firm Prevx explains the scam
2008/08/28
BBC NEWS
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/7584258.stm
Self-checkout systems in UK supermarkets are being targeted by hi-tech criminals with stolen credit card details.
A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems.
Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.
The supermarkets targeted said there was little chance the fraudsters would make significant gains with their plan.
With the help of computer security experts the BBC found a discussion on a card fraud website in which hi-tech thieves debated the best way to strip money from the US accounts.
The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks.
'Cashing out'
The gang plans to copy card details onto the magnetic stripes of fake cards and then use them in UK stores. In the discussion on the card site those co-ordinating the fraud say they are seeking places to "cash out", meaning strip funds from the bank accounts using fake cards.
In the forum they are asking for information about Asda and Tesco stores in which it is possible to use self-service systems that mules could visit with the fake cards to get at the cash.
The fraudsters are looking for self-service systems to avoid contact with store staff who may spot the fake cards.
Over the period of a month from mid-August the ringleader claims he will have details from 2300 cards to handle.
In the forum he declares: "Its (sic) shopping spree guys help me out and I will take care of you."
The information found by the BBC has been passed to the Dedicated Cheque and Plastic Crime Unit so it can investigate the ongoing fraud.
Andrew Moloney, security evangelist at RSA, said the gang were involved in "classic" card fraud by cloning details on to magnetic stripes.
He said it was an example of a long observed trend in fraud.
"We've seen a shift from card-present fraud to card-not-present to fraud abroad," he said.
"The internet is the global marketplace," he said. "It's not difficult to take compromised cards from one country and exploit them in another. It's a simple and routine procedure for these guys these days."
Jacques Erasmus, from security firm Prevx, agreed that cashing out abroad was a well established method. "They do not normally cash out in the same country," he said, "just because it makes the law enforcement job that much harder."
He said many criminal gangs even offer their fraudulent services via the web.
"They will do it for you in India and China," he said.
Sweeping up
Armed with fake cards and a list of shops and supermarkets that can be hit the fraudsters could make £5-8000 per day, according to Mr Erasmus.
The funds would be split between the mules who actually carry out the transactions, those organising the mules and the hi-tech thieves who stole the original card numbers.
Representatives from both Tesco and Asda argue that payment systems automatically contact the banks when a card is swiped instead of using chip-and-pin. The banks must authorise the acceptance of a signature.
"If the card has not been reported as having been cloned, yes, it can go through," said a spokeswoman for Tesco. However, she pointed out that swipe and sign transactions represent a tiny fraction of the supermarket chain's trade.
"We would hope this will bring further pressure on the States to introduce chip-and-pin," said Jemma Smith of the UK payments organisation Apacs. "Until that happens we will still see fraud on US cards happening in our shops and our cash-machines and also fraud on our cards happening in the US."
BREAK : iPhone Password can be Broken Easily
iPhone passwords not worth the paper they're written on
By Bill Ray
27th August 2008
http://www.theregister.co.uk/2008/08/27/iphone_password/
iPhones protected by a password aren't actually protected at all, as just by pressing a few keys a miscreant can access all the phone's functions without needing the password at all.
The trick, reported (http://forums.macrumors.com/showthread.php?t=551617) by MacRumours, is simply a press of the "Emergency Call" key from the passcode entry screen, followed by a double-tap on the home button. That takes the miscreant into favourites, from which they can access the address book, from which they can get into the e-mail client (by tapping a contact's e-mail address) or the browser (by tapping a URL).
Clearly Apple has missed a trick here, and a fix should be quickly forthcoming, but it bodes badly for a device which is trying to sell itself into the enterprise and is already under fire for lacking important security features.
Concerned users can secure their devices by disabling the home button double-tap (Settings > General > Home Button > Checkmark Home), though it really shouldn't be working at all at that point.
Users might argue that a device password should never be relied upon, but one that is so trivial to bypass makes a mockery of the very concept. It's unlikely that this security problem will do more than attract ridicule to the iPhone security model, but it's ridicule that Apple could do without while they're trying so hard to have the iPhone taken seriously as a business device.
UNSECURED : Password Stealing Worm Attack NASA Laptops
By Richard Adhikari
August 28, 2008
www.internetnews.com/security/article.php/3768196
You'd think the United States' space agency, which conducts highly sensitive research and has had its servers hacked before would be extremely thorough about computer security, but that does not appear to be the case. A worm that steals online gamers' user names and passwords has been running rampant on laptops on the International Space Station (ISS).
Fortunately, there is no risk of the ISS hurtling out of control back to Earth. Antivirus vendor Symantec's malware database entry said the code is only used to steal account information to online games.
The worm, known as W32.Gammima.AG, is spread through removable media such as USB drives and external hard drives. Gamimma steals sensitive information for various online games, including ROHAN, R2 (Reign of Revolution), Talesweaver, Seal Online, and several games popular mainly in China, including ZhengTu and HuangYi Online, according to Symantec, which wrote up the Gamimma worm on August 27, the day it was discovered.
In its paper on Gamimma, Symantec said the worm offers a very low risk. It affects all Windows systems, copying itself to all drives from C through Z and modifying the registry so it executes whenever Windows starts.
This is not the first infection at the space agency, either. "It has happened before, but it's not a frequent occurrence," National Aeronautics and Space Administration (NASA) spokesperson Kelly Humphries told InternetNews.com. He confirmed that NASA is a high-security organization, but would not discuss why its computers keep on getting infected if that's the case. "We continually refine and update our procedures and do our best to protect the systems on the station," Humphries said.
However, Humphries would not discuss how the laptops were infected. "I'm not going to speculate on how this could have happened," Humphries said. He would not confirm the type of malware that hit the laptops either, "because of IT security."
Humphries said that security would be tightened up. "Our Expedition 17 crew on the station is working with flight control and engineering teams and with our international partners to identify and eradicate the virus that's on board and we'll look for any actions we can take to prevent that from happening again," he added.
NASA partners with the Russians, Canadians, the Japanese Space Agency and the European Space Agency. Humphries said the European Space Agency is a multinational organization.
Perhaps NASA should try harder, said one security researcher. "This issue could be a whole lot worse," security research organization McAfee Avert Labs' director of security research and communications, Dave Marcus, told InternetNews.com. "Gamers are the second most targeted group malware authors go after, and chances are that any password and account combination that's stolen could be reused on other sites."
Password stealing malware accounts for 90 to 95 percent of the approximately 3,000 pieces of malware Avert Labs sees every day, Marcus said. NASA "needs to look at this as a wake up call, and they need to look closely at their policies."
According to a white paper by Avert Labs researcher Igor Muttik, data-stealing Trojans (like Gamimma) record user IDs and passwords as well as the IP addresses or the names of the servers they use. This information lets cybercriminals log into the victims' accounts and steal anything of value, which they then sell.
Because NASA computers have been infected before, the agency needs to take a very close look at what it's doing, Marcus said. "Things are not locked down or as tight as they should be," and Marcus recommended NASA "look at real strong management and real strong policy enforcement."
Media reports say the infected laptops were used to run nutritional programs and let the astronauts e-mail their families back on Earth occasionally, but Humphries declined comment.
The Expedition 17 crew on board the ISS consists of flight commander Sergei Volkov; flight engineer Oleg Kononenko; and the only American in the crew, flight engineer Gregory Chamitoff. The crew launched for the ISS April 8.
On October 12, the next crew, consisting of Commander Mike Finks and flight engineer Yuri Lonchekov, will take off for the ISS with a passenger, video game developer Richard Garriott, according to NASA's Humphries. After a week, Volkov, Kononenko and Garriott will return to Earth and the rest will stay on the station.
FEAR : Britain 'under constant attack in cyberwar' : Security Minister
The Government has warned a cyberwar is being waged against Britain with key computer networks coming under attack every day.
By Chris Irvine
23 Aug 2008
http://www.telegraph.co.uk/news/2605021/Britain-under-constant-attack-in-cyberwar.html
Lord West of Spithead, the Security Minister, said a mixture of state-sponsored hackers and "those operating at a terrorist level" regularly tried to break into key networks such as banking, electricity and telecommunications.
Although he said the Government was confident about its cyber-defences, he said: "If you take the whole gamut of threats, from state-sponsored organisations to industrial espionage, private individuals and malcontents, you're talking about a remarkable number of attempted attacks on our system - I'd say in the thousands.
"Some are spotted instantly. Others are much, much cleverer."
Lord West said the most serious threat came from terrorist-backed hackers trying to break into systems such as the National Grid.
Meanwhile state-sponsored organisations were more likely to want to conduct industrial espionage and steal commercial secrets.
He did concede threats to the national infrastructure were assessed as part of the National Risk Register, and the Government was confident about the country's cyber-defences.
Earl Zmijewski, an analyst with Renesys, a company that monitors internet traffic, said: "We're building this house of cards at the moment - connecting elements of our financial systems, as well as the systems which control nuclear power or water distribution, to the internet, and it's a very open environment. I can launch an attack on you from anywhere."
Lord West's warning comes as security experts in the US said they had uncovered evidence of Russia have carried out state-sponsored cyber-warfare against Georgia by attacking government computer networks during the recent conflict.
The Russian Government admitted the possibility that individuals based in Russia might have been responsible for the attacks - overloading several sites based in the central town of Gori, causing them to collapse - but denied state involvement.
TREND : US Data breaches already surpass 2007 total
Sue Marquette Poremba
August 26 2008
The number of reported data breaches has already surpassed 2007's total, according to a report from Identity Theft Resource Center.
Jay Foley, the nonprofit's executive director, told SCMagazineUS.com on Tuesday that so far in 2008, there have been 449 breaches reported by businesses, government, and universities, compared to 446 for all of last year.
“The breach list, however, doesn't reveal exactly how many records were compromised,” Foley said.
The reason the 2008 number is so high has to do with changes in regulations.
“More states and organizations are required to report breaches,” he said, “and more consumers want to hear about them.”
More than 40 states have enacted breach notification laws.
The increasing numbers of reported breaches is a result of a confluence of factors, said Alexander Southwell, a former federal prosecutor and cybercrime expert.
“They include an increasing number of data breach notification laws, increasing enforcement of privacy and data integrity issues by regulators, law enforcement, and civil plaintiffs' attorneys, and the ongoing digitization of society, where more and more personal identifying information is captured and stored,” he said.
Kevin Mandia, founder of security intelligence firm Mandiant, told SCMagazineUS.com that the number of data compromises is increasing.
“That increase is likely due to the development of SQL injections, which made breaches much easier to do,” Mandia said. “Human intervention is not as necessary for data theft as it once was.”
He added that compliance regulations are forcing more companies to discover breaches.
“Instead of the ‘ignorance is bliss' approach that was the norm in the past, firms are becoming more diligent about investigating breaches,” Mandia said.
CARELESS : Probe after one million bank customers sold on eBay
By Dan Newling
Daily Mail
27th August 2008
The eBay computer scandal which saw the loss of personal data on a million bank customers is to be investigated by the Information Commissioner.
The firms involved - the Royal Bank of Scotland, NatWest and American Express - have also promised to launch probes.
The Mail revealed today that the data was found on a second-hand computer sold for £35 in an eBay auction.
'A thief's treasure chest': Andrew Chapman with the hard disk drive he bought on eBay containing the private bank details of more than a million people
It had belonged to Graphic Data, which stores financial information for organisations at its archive in Shoeburyness, Essex.
A spokesman for Mail Source, which owns Graphic Data, put the situation down to an 'honest mistake'.
She added: 'We know which employee took the server and sold it, but we believe it was an honest mistake and it was not intentional to sell it without the server being cleared.
'We want to stress that this is an isolated incident and we are investigating how the server was removed and sold.
'This is a very unfortunate incident and we are taking measures to ensure it will never happen again.'
The Mail Source employee sold the computer to Andrew Chapman, a 56-year-old IT manager from Oxford.
It held account numbers, phone numbers, signatures and other personal details, none of which are thought to have been handed to any third parties.
RBS, NatWest and American Express are expected to contact customers once they have analysed the data at risk.
The Information Commissioner's Office is investigating an apparent breach of the Data Protection Act.
A spokesman said: 'A data breach is very serious. Our investigation will look at the circumstances of how this happened, and we will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring.'
American Express said it was working 'as a matter of priority' to establish which of its card holders could have been affected.
A spokesman said: 'We have strict guidelines for suppliers around the security of information. We are currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected.'
An RBS spokesman said: 'We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency.'
The computer and a second server sold with it to Mr Chapman were tonight returned to Graphic Data.
Identity fraud is one of the fastest growing areas of crime in Britain and Home Office figures show it costs the economy £1.3billion a year.
But Marc Kirby, an IT lecturer at Cranfield University, said today that some firms did not realise how hard it was to delete computer files.
'You can't escape leaving a data trail in the 21st century, and it will only get worse,' he warned. 'People think they have deleted emails or documents but it is usually very easy to retrieve them.
'In most circumstances you can buy software on the internet for £25 that will retrieve almost anything, unless the computer has been totally wiped or the hard drive is destroyed.'
Case study
As someone with a limit of more than £20,000 on his credit card, Christopher Tomlins was shocked to learn that NatWest has lost the information that could give anyone access to his account.
When told about the breach by the Daily Mail, Mr Tomlins, 32, said: 'It is like they have given my house keys to a stranger and then said, "Help yourself".'
Mr Tomlins's personal information is revealed in a photograph of an application for a NatWest 'black' credit card he made on April 14, 2005.
The completed application form contains his name, address, date of birth, mobile phone number and home phone number.
It also reveals his mother's maiden name, signature, annual income, bank account number, bank sort code and the 16-digit number of the credit card he was granted.
Mr Tomlins, who runs his own lighting company in Ealing, West London, said: 'I am amazed that NatWest have let this information get out. If the company looking after the information was getting rid of the computer, they should have destroyed the hard drive.'
Mr Tomlins's details were contained on one of 227 photographs of separate credit card application forms found on just one of 32 computer files containing NatWest card information.
TECHNOLOGY : Road Tolls Hacked
A researcher claims that toll transponders can be cloned, allowing drivers to pass for free.
By Duncan Graham-Rowe
Technology Review 2008.
August 25, 2008
http://technologyreview.com/Infotech/21301/?a=f
Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.
Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.
This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."
Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.
So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.
The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."
In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.
But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.
By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.
What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.
"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."
Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. But this would require changes by MTC. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll.
There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.
Ross Anderson, a professor of security engineering at Cambridge University, in the U.K., says that "very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them."
Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. "One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it's too late and they get attacked," he says.
Bruce Schneier, chief security technology officer at BT, based in Mountain View, CA, says that it is too easy for companies to get away with lousy computer security. "Honestly, the best way is for the transportation companies to sue the manufacturers," he says. "Then they'll think twice about selling shoddy products in the future."
rogue wireless device
A wireless networking term used to describe unauthorized devices connected to the network that poses a significant risk to the organization. Rogue wireless devices can be broken down into two categories: access point (AP) based threats (rogue access points) and computer based threats (rogue peers).
Only the winners decide what were war crimes
Gary Wills
HACK : Master hacker ran a parallel company
TNN
25 Aug 2008
http://timesofindia.indiatimes.com/Cities/Jaipur_Infocomm_software_hacked/articleshow/3400931.cms
JAIPUR: An IT wizard, who had hacked into the high-tech security of Reliance Infocomm, however could not escape from the trap laid by police.
Even the city police had no idea how the case might turn out to be when officials of Reliance Infocomm filed a complaint earlier this month saying their mobile numbers were being cloned in the city. Investigations have revealed that master hacker Akil alias Akeel Ahmed had hacked into the main software of Reliance Infocomm called 'Clearify’ and had been cloning platinum numbers (numbers that end with a series of particular digits) issued by the company for the past two years. Police officials are also probing possibilities of his having any nexus with the terror network. According to the police, Akil had hacked the company’s software to such an extent that he was literally able to run a parallel company.
According to the police, 28-year-old Akil, a resident of a village near Nuh town in Haryana, had completed B-Tech from an institute in Faridabad. His father works as a cashier with a sugar mill in Palwal. He has a big political clout in Haryana as many of his relatives have held key ministerial posts with the state government. Police said that one of his relatives is a deputy speaker of Haryana Assembly and another is a chairman of state handloom corporation.
According to the police, the software 'Clearify' is accessible only to authorized internet café administrators and top officials of the company. He being an internet café administrator, three years ago, had the knowledge of the software and had created three fake identities to access the software. With help of these fake identities, he was able to hack the company's database and clone the platinum numbers that come at a price ranging between Rs l lakh and 3 lakh.
The police said, "Not only did he have access to the software but he was also able to get himself supreme rights that enabled him complete control over the system. He was able to allot new numbers, cancel existing ones, change user profiles and even write bills of any amount. He believed in upgrading his skills and every time the company introduced a new feature he added it to his access panel."
"Posing as a company representative, he used to approach the internet cafés administrators and gain control over their servers. From the server he would download all the required information and softwares provided by the company. He later sold them to mobile users. He also sold large number of cloned chips in the market whose numbers and details are expected to be revealed in further investigations. Though the exact size of the damage caused to the company by him is not clear but it is expected to run into millions of rupees," added the police.
According to police, he had been duping the company for the last two years operating from various locations in Haryana and Delhi before shifting to Jaipur nearly a month ago. He hacked many softwares at a web world in Vaishali Nagar area here from July 29 to August 6 following which an FIR was lodged with the Vaishali Nagar police station by the company on August 8.
EXPOSED : 8 million victims in the world's biggest cyber heist
The Sunday Herald
23rd August 2008
AN international criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.
A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.
Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.
"They've pulled off a masterstroke here," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx. "There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave."
Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies.
These include:
v Armed with the numbers and expiry dates of customers' credit cards, fraudsters are equipped to make multiple high-value purchases in their victims' names before selling on the goods.
v Bundled together with home addresses and other personal details, the stolen data can be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims' names.
v Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell "burglary packs", giving the home addresses of local victims and the dates on which they are expected to be away from their home.
Although the nature of internet crime makes it extremely difficult to track the precise details of the raid, the Sunday Herald understands that a hacker from India - new to the world of cyber-crime - succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.
"Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60% of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here," explained Erasmus.
The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' - a simple computer programme - capable of harvesting every record on Best Western's European reservation system.
With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.
After thanking the Sunday Herald for exposing the raid on its systems, Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action.
"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected," said a spokesman.
"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."
On the other hand, in an email sent to various media, Best Western refuted the story claiming 8 million customer records were breached. Hotel chain confirms that intrusion took place but only 13 records at a single hotel were exposed. Best Western claims to be PCI complaint but does not specify – what and which facilities are PCI complaint - whether only data center is PCI complaint or all hotels and reservation facilities.
BACK-TO-CASH : Card fraud-fearing Brit Tourists Carry Cash
By John Leyden
22nd August 2008
http://www.theregister.co.uk/2008/08/22/card_fraud_abroad_fears/
Four in five of Brits are worried about possible fraud if they use their cards overseas with many (60 per cent) choosing to carry cash instead.
Card cloning tops the list of fraud worries (46 per cent) followed by card not present fraud (42 per cent) among a sample of 1,700 Brits quizzed on behalf of marketing and travel assistance services firm CPP earlier this month. The survey follows recent figures from banking association APACS that show fraud abroad accounts for 39 per cent of theft and fraud on UK-issued cards. International fraud losses rose from £117.1m in 2006 to £207.6m in 2007, a big rise that helped push overall losses up to £535.2m.
Between July 2007 and July 2008, 6,984 incidents of plastic cards being stolen abroad were reported to CPP by distressed Brits. More than a quarter of these cases occurred in Spain (28 per cent), followed by France (13 per cent) and the USA (10 per cent). These figures probably reflect the travelling habits of Brits more than inherent risk. It's also worth noting that people carrying large wads of cash abroad put themselves at higher risk on losing a bundle to pickpockets.
CPP reports that people who use their cards abroad (at cash machines or in shops) often fail to double-check their receipts against card statements when they return home.
Kerry D'Souza, card fraud expert at CPP, said: "Awareness about card fraud abroad is growing but consumers are still not taking the basic security steps needed to protect themselves. Given overseas losses from card fraud was a staggering £207.6m in 2007 and criminals are becoming more ingenious, it is vital that the financial sector continues to educate Brits about the risk it presents and the safety measures they can put in place."
RISKY : SSDs are hot, but come with security risks
SSDs are vulnerable to hacks from light sources like an ultraviolet laser
Agam Shah
IDG News Service
August 22, 2008 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113239&source=NLT_SEC&nlid=38
Solid-state drives are fast becoming popular replacements for hard drives, especially in laptops, but experts caution that SSDs aren't as secure as commonly thought.
SSDs may offer better data security than traditional hard drives, but they do not completely erase data and are vulnerable to physical hacks from light sources like an ultraviolet laser, experts say.
Despite their relatively high cost and concerns about durability, SSDs are gaining popularity, particularly for use in laptops, because they consume less power and access data more quickly. Securing data on SSDs could become a larger issue when the technology becomes more widely used and reaches other portable devices like smart phones, experts said.
Many SSDs use industry-standard NAND flash chips that were designed for cameras and MP3 players, so they have no physical security hooks that prevent them from being removed from enclosures, said Jim Handy, director of Objective Analysis, a semiconductor research and consulting firm. A hacker could easily unsolder NAND chips from an SSD and read the data using a flash chip programmer.
Once the data is read, the files could be reassembled using data recovery software, Handy said. "There's really nothing sophisticated about this process," he said.
Another physical hack involves using an ultraviolet laser to wipe out lock bits -- or encryption locks -- from fuses on chips that secure SSDs, said a chip hacker who prefers to be called Bunnie and runs the blog site bunnie studios. Data arrays from SSDs can be read using standard means after the lock bits are wiped.
"No fancy equipment is required to read the [data] array once it is unlocked," Bunnie said. For example, the data arrays can be read using conventional ROM readers, devices typically meant to burn and verify unsecured ROM devices.
To lessen chances of hackers stealing data, encryption keys could be integrated inside the SSD controller device to handle disk encryption at the hardware level, said Craig Rawlings, marketing director at Kilopass. Kilopass sells products using XPM (extra permanent memory) technology that stores keys in system-on-chip devices.
Encryption keys can be hacked, but experts agreed that encryption is the necessary first step to secure data on SSDs. Many companies, including Safend and Encryptx, have products that encrypt data on storage devices including SSDs.
Encryption adds another barrier so that hackers have to bypass encryption layers, the controller and then reassemble raw data for a successful hack, said Sean Barry, senior data recovery engineer at Kroll Ontrack. This takes time, during which data may become invalid or useless.
Encryption also makes files on SSDs a lot easier to erase. Like hard drives, SSDs create multiple file copies, but encryption software can help erase secured files, said Kyle Wiens, CEO of iFixIt.
"Every time you write data it might write ... to a different part of the disk and then change the directory table around. So it forgets where the data was written before," Wiens said. Users may delete one file, but a replica could remain untouched in another sector.
The wear-leveling feature of SSDs -- based on an algorithm that erases and writes data evenly across all the cells on a memory chip to prevent some from wearing out faster than others -- makes files harder to completely erase, Wiens said.
Some encryption software monitors the wear-leveling process to track file remnants, which can then be deleted using the secure erase command, said Knut Grimsrud, an Intel Fellow. Secure erase is a command for secure file deletion that needs to be supported by the encryption software.
"If all the software does is write over the top of the LBAs, I don't think it'll be as [effective] on an SSD as it may have missed remnants from the previous wear-leveling or something like that because the software doesn't know about that," Grimsrud said. LBA (logical block addressing) specifies the location of data blocks on storage devices.
Overall, it's easier to delete data from SSDs than from hard drives, which can be a good or bad. Data is stored on electrons in SSDs, and getting rid of electrons flushes out the data, Kroll Ontrack's Barry said. In hard drives, the data has to be overwritten or physically damaged to prevent it from being read.
The data flush could have its own advantage in terms of quickness, but in the wrong hands data on SSDs could be carelessly and easily lost, Barry said.
rogue peer
A rogue peer is an end-user computer—usually a laptop—that has both bridging and wireless enabled. Since the basic functions of an access point are bridging and wireless access, any laptop that has these capabilities presents a similar vulnerability or worse. The vulnerability with a rogue peer can be much more severe than with a rogue AP, because laptops provide almost no security features to prevent connections from other unauthorized users.
A rogue peer is one of two categories of rogue wireless devices, with the other being rogue access points.
Luck marches with those who give their very best.
REVISIT : Unsecured wi-fi used again to send terror e-mail
Ankur Goyal and CRPCC Team
25 August 2008
Terrorists sent another terror e-mail to a media house in Mumbai on Saturday 23 August 2008 at 7:05 pm. Anti-Terror Squad (ATS) of Mumbai Police has traced the email to Matunga's Khalsa College. Further investigation revealed that it was sent using unsecured wi-fi router of Khalsa College. The router is installed in college computer center with signal range reaches even across the busy junction of 4 educational institute - Don Bosco, IICT (UDCT), VJTI and Khalsa College.
Preliminary investigations show that the terrorist would have undertaken the wardrive to find the open wi-fi connection and discovered or appeared to knew that the router settings were on default mode, which means that the default administrative log-in and password were not changed for the wi-fi router. These default setting parameters are easily available with technologists.
Terrorist created the email-id just 6 minutes before the e-mail was sent with an attachment.
Further, the terrorists also deleted the log entries of the wi-fi connection.
“The logs have been remotely accessed. Once they finished making the email ID and sending it, they deleted their entries. So in this case, though the logs were not disabled, things look difficult as everything is deleted,” said an ATS official. The router and some computers were seized by the ATS for forensic probes.
THE terror e-mail was sent from alarbi.alhindi@gmail.com, claimed to be members of the Indian Mujahideen.
The mail shows the photos of cars stolen from Navi Mumbai for terror activities.
The mail is full of sarcastic remarks about investigations into earlier emails investigations, nicknaming Intelligence Bureau as the "Ignorance Bureau" and forensic experts as “foren-sick”. The seven page mail with the attachment ‘haha.pdf” is titled ‘Mood for Destruction’. It says those named as masterminds of the Ahmedabad blasts are “innocent brothers”.
The email states that their ideology is supported by people who are technologically very far superior.
The seven-page mail concludes, without explanation, with gratitude to “Ken Haywood and associates”
CHALLENGE : Robust Russian GOST Crypto Standard attacked
European cryptologists attack hash functions
Christian Rechberger
21 August 2008
http://www.heise-online.co.uk/security/European-cryptologists-attack-hash-functions--/news/111370
Progress in attacking hash functions was presented by cryptologists at Crypto 2008. They explained their attack on the GOST Russian hash standard – usage of GOST is mandatory in Russian government offices. They also demonstrated the first practical inversion attack against reduced variants of SHA-1 that could be used to back calculate a password from the hash.
The GOST hash function was established as part of the GOST standard at around the same time SHA-1 was established in 1995 and until now has been considered very secure. Russian information security standards, like their aerospace standards, are very conservatively designed.
But now an Austrian/Polish team of cryptologists at the Graz University of Technology and the Military University of Technology in Warsaw have found an unexpected technical vulnerability and exploited it for an attack. The result is a collision attack that is 2^23 times faster than expected. A collision attack is one where the attacker finds two arbitrary messages that generate the same hash.
By comparison, the first successful collision attack in 2005 against SHA-1 made the attack faster than expected, by a factor of 2^11 – 2^69 instead of 2^80. No meaningful attacks on the GOST hash function can be expected yet, though. The 256-bit output value means that 2^105 operations are still necessary – considerably more than can currently be realistically performed.
All of the known attacks in recent years against hash functions, such as SHA-1 and now the GOST hash function, have been collision attacks. But these attacks are mainly relevant to signature applications where the attacker has access to the document before the signature is calculated. In that scenario, it is not possible to change the document after signature calculation and preserve the validity of the signature. Many other applications of hash functions, like secure password storage, are not affected, which is why the US standards organisation NIST, for instance, continues to recommend the SHA-1 hash function for those applications.
At Crypto, researchers from the Graz University of Technology and the ENS Paris presented, for the first time, approaches to attacking SHA-1, which do affect the wider set of hash function applications. These are attacks that allow a password to be determined when only its SHA-1 hash value is known, or that permit signed documents to be changed after the signature has already been generated. The attacks work for reduced round versions of SHA-1 up to a maximum of 45 of the 80 rounds, which is comparable to collision attacks on SHA-1 four years ago, when theoretical attacks of up to 53 rounds were possible. It does not appear, at this time, that these attacks can be extended to the full 80 rounds. There is another parallel to the earlier attacks though; these new inversion attacks, as was the case with the early collision attacks before 2004, have many unused degrees of freedom. The latest collision attacks – after 2007 – now exploit all of the available degrees of freedom.
Even if many of the current attacks are still theoretical in nature, we have to remember that the analysis of cryptographic hash functions is still far from adequately researched and that new breakthroughs in the future cannot be ruled out. With entries being accepted, till October 2008, for the upcoming competition to select the new SHA-3 hash standard for 2012, it is even more important to favour hash functions with effective security arguments, which is not the case with SHA-1 or the GOST hash function.
Dan Raywood
August 20 2008
http://www.scmagazineuk.com/Germany-hit-by-data-protection-scare/article/115680/
German data protection officials have called for privacy laws to be tightened.
The call follows a scandal over the illegal sales of personal data when officials claimed that they could buy six million items online. This included bank account details and phone numbers and was set to cost only €850.
This follows a data protection office in north Germany claiming that it had received CDs containing thousands of personal data items, including bank account details, dates of birth and addresses, collected by a call centre.
Head of the office, Thilo Weichert, told Germany's Sueddeutsche Zeitung newspaper that up to 20 million pieces of data from people's bank accounts had been sold on to third parties. He said: “The sale of bank account data is just as illegal as unsolicited telephone marketing - so-called ‘cold calling'. Lawmakers can do more to protect consumers. The transfer of data for marketing purposes should be made universally conditional on the customer's approval.”
He said that firms that discover illegal use of customers' data should be obliged to inform the affected customers.
IGNOMINY : Thousands of criminal files lost in data fiasco
Sean O’Neill and Richard Ford
The Times, UK
August 22, 2008
http://www.timesonline.co.uk/tol/news/politics/article4583747.ece
Confidential records and sensitive intelligence on tens of thousands of the country’s most prolific criminals have been lost in a major breach of data security at the heart of Whitehall.
Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm.
The data had been encrypted for security reasons but was decoded by staff at PA Consulting Group and placed on a computer memory stick that was subsequently lost. The device contains personal details and intelligence on 33,000 serious offenders, dossiers on 10,000 “priority criminals” and the names and dates of birth of all 84,000 prisoners in England and Wales. There is also information on an unspecified number of people enlisted on drug intervention programmes.
The disappearance of such a massive amount of secret information has widespread implications. Police informants could be at risk of reprisals. Named offenders may seek rehousing or police protection from vigilantes, and individuals who believe that their personal data has been compromised could seek compensation.
Jacqui Smith, the Home Secretary, was informed on Tuesday and was said to have been furious. The loss is a major setback for her efforts to reform a department described by her predecessor John Reid as “not fit for purpose”. The police were contacted yesterday and detectives from the Serious Economic Crime Command at Scotland Yard began conducting searches, viewing CCTV material and interviewing potential witnesses.
Ministers had promised to tighten security controls. The latest loss is particularly embarrassing because the data originated at the Home Office’s headquarters, where Ms Smith, her ministers and their senior officials work.
David Ruffley, the Shadow Minister for Police Reform, said: “This shambles proves that this accident-prone Home Secretary hasn’t even got a grip of what goes on in her own building.” He said that it would be outrageous if criminals were able to claim compensation as a result.
The information from the secure police computer had been collated as part of JTRack, a programme to track persistent and prolific offenders through the criminal justice system. Access is supposed to be limited to police forces, crime reduction partnerships and other official bodies. PA Consulting, which helped to develop the national ID card scheme, was brought in to work on the project last year.
A Home Office spokesman said: “We have been made aware of a serious breach of security at the offices of external contractors. A full search has been conducted and both the police and Information Commisioner have been informed.”
A spokesman for Scotland Yard said that it had been asked to review the circumstances of the loss. He added that there was no evidence that any offence had been committed.
David Smith, the Deputy Information Commissioner, said: “It is deeply worrying that after a number of major data losses and two government reports on high-profile breaches of the Data Protection Act more personal information has been reported lost. It is vital that sensitive information is held securely at all times.”
No one at PA Consulting, which reported the loss of the memory stick to the Home Office on Monday, was available to comment.
rogue access point
A rogue access point, also called rogue AP, is any Wi-Fi access point that is installed on a network but is not authorized for operation on that network, and is not under the management of the network administrator. Rogue access points often do not conform to wireless LAN (WLAN) security policies, and additionally can allow anyone with a Wi-Fi device to connect to your network.
A rogue access point is one of two categories of rogue wireless devices, with the other being rogue peers.
Peace is filled with pure thoughts, pure feelings and pure wishes. When the energy of thought, word and action is balanced and stable, the individual is at peace with the self, in relationships and with the world.
Thanks for your Visit