US-CERT warns about free BlackBerry spyware app

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.
The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the CERT advisory said.
The author of the app, Sheran Gunasekera, director of security for Hermis Consulting in Jakarta, Indonesia, says it wasn't written to do any actual harm, but rather to warn of the dangers that still exist with the BlackBerry.
The application can be used by anyone to spy on any BlackBerry user's phone. However, Gunasekera says it is not hidden on the device after it's installed, so users should be able to easily see it.
"My intention was to raise awareness that even though the BlackBerry is one of the more secure platforms, there are still means where its users can be spied upon," Gunasekera wrote in an e-mail on Tuesday. "I wanted to highlight that even with such technical security controls, the human element can be exploited through social engineering."
To aid BlackBerry users who asked him how they could protect themselves from being snooped on, he said he released on Tuesday another free tool called "Kisses" that will detect and display hidden programs on the device.
On his blog, Gunasekera explains how PhoneSnoop works.
"PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number. Once it detects a call from that specific number, it automatically answers the victim's phone and puts the phone into SpeakerPhone mode," he said in the post.
US-CERT said BlackBerry users should only download applications from trusted sources and password protect and lock the devices to prevent someone from installing unwanted software.
The issue of BlackBerry snooping made headlines this summer when Etisalat, a carrier in the United Arab Emirates, sent SMS messages to BlackBerry subscribers encouraging them to download a patch that security experts said was spyware.
SMobile Systems did a technical analysis of the software and concluded that the "true nature of the spyware is to intercept BlackBerry users' e-mail messages and forward the messages to a monitoring agent inside the Etisalat network," according to the BlackBerry Cool blog.

China Expands Cyberspying in U.S.

The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes.
The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.
The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts wouldn't name the company described in the case study, describing it only as "a firm involved in high-technology development."
The report didn't provide a damage assessment and didn't say specifically who was behind the attack against the U.S. company. But it said the company's internal analysis indicated the attack originated in or came through China.

Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks

A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.
Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.
“We were aware of the problem last week and have been working on it since,” said Time Warner spokesman Alex Dudley.
The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service. The device is installed with default configurations, which customers can alter only slightly through its built-in web server. The most customers can do through this page is add a list of URLs they want their router to block.
But blogger David Chen, writing at chenosaurus.com, recently discovered he could easily gain remote access to an administrative page served by the router that would allow him greater control of the device.
Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.
That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.
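The design failure described above is that the router's administrative functions were hidden only by JavaScript in the customer page, while the server answered any request for them and handed out the shared password in cleartext. The following is an added example, not SMC's or Time Warner's firmware code, contrasting that approach with server-side enforcement: admin paths refused from the public-facing interface, an authenticated admin session required, and a configuration export that never includes credentials. The paths, roles and request shape are constructed for illustration.

```python
"""Client-side hiding versus server-side authorization (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed names for the management pages and device configuration.
ADMIN_PATHS = {"/admin/config-dump", "/admin/dns", "/admin/wifi"}
CONFIG: Dict[str, str] = {
    "dns_primary": "192.0.2.53",
    "wifi_ssid": "home-net",
    "admin_password": "constructed-shared-secret",   # same on every unit: the real flaw
}


@dataclass
class Request:
    path: str
    from_wan: bool                 # arrived on the public-facing interface?
    session_role: Optional[str]    # None when the caller is not authenticated


def vulnerable_dispatch(req: Request) -> Tuple[int, Dict[str, str]]:
    """Admin links are hidden by JavaScript on the customer page only.

    Any HTTP client, or a browser with JavaScript disabled, can request the
    admin paths directly, and the server answers with the full configuration,
    credentials included, regardless of interface or authentication.
    """
    if req.path in ADMIN_PATHS:
        return 200, dict(CONFIG)
    return 200, {"page": "customer"}


def hardened_dispatch(req: Request) -> Tuple[int, Dict[str, str]]:
    """Access control enforced where it matters: on the server, per request."""
    if req.path in ADMIN_PATHS:
        if req.from_wan:
            # Management interface is LAN-only; the WAN side gets no admin surface.
            return 403, {"error": "management interface not reachable from WAN"}
        if req.session_role != "admin":
            return 401, {"error": "authentication required"}
        if req.path == "/admin/config-dump":
            # Settings can be exported, but secrets never leave the device.
            return 200, {k: v for k, v in CONFIG.items() if "password" not in k}
        return 200, {"page": req.path}
    return 200, {"page": "customer"}


if __name__ == "__main__":
    remote_anonymous = Request("/admin/config-dump", from_wan=True, session_role=None)
    print("vulnerable:", vulnerable_dispatch(remote_anonymous))
    print("hardened:  ", hardened_dispatch(remote_anonymous))
```

The hardened dispatcher does not fix the second problem the article notes, a single master password shared across every unit; that needs per-device credentials set at provisioning, which is a manufacturing change rather than a request-handling one.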

All of this means that a hacker who wanted to target a specific router and change its settings could access a customer’s admin panel from anywhere on the net through a web browser, log in with the master password, and then start tinkering. Among the possibilities, the intruder could alter the router’s DNS settings — for example, to redirect the customer’s browser to malicious websites — or change the Wi-Fi settings to open the user’s home network to the neighbors.
The attacker would need the router’s IP address to conduct the attack. But Chen found a dozen customer SMC8014 series cable modem/Wi-Fi routers by simply running a port scan on a subnet of 255 Time Warner IP addresses. An evil hacker could easily automate a scanning tool to sweep through Time Warner’s address space and hack every SMC8014 it finds.
“From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks,” Chen wrote on his blog. “Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.”
Chen said he contacted Time Warner’s security department four weeks ago and was told that the company was aware of the security vulnerability but “cannot do anything about it.”
He says he’s relieved to hear the company is now addressing the problem.
It’s unclear if other Time Warner customers would be affected by the same issues.
Time Warner’s Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using.
“We are working to determine if it affects other models,” he says.

S'pore looking to improve online security

The Monetary Authority of Singapore (MAS) is exploring ways to enhance security for online purchases, according to an industry player, who adds that dynamic authentication would be a good step in that direction.
Ingo Noka, Visa's Asia-Pacific head of data security and enterprise risk management, explained that dynamic authentication uses passwords that are generated every 10 seconds. This helps ensure passwords, even when stolen, will no longer be valid for use in online transactions after a time limit, Noka said in an interview with ZDNet Asia.
These passwords can be generated by a token or sent via SMS to the consumer, he added. The payment structure is similar to Internet banking transactions in Singapore, where local banks support dynamic passwords as part of the two-factor authentication process.
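The mechanism Noka describes, a password that is regenerated on a fixed time step so that a stolen one soon stops working, is the time-based one-time password construction. The block below is an added example, not Visa's or a bank's code; it follows the RFC 6238 TOTP algorithm (HMAC-SHA1 over a time-step counter, dynamically truncated to digits). The 10-second step is taken from the article and is shorter than the 30 seconds most deployments use; the shared secret is the RFC 6238 reference-vector key, used here as constructed input.

```python
"""Time-based one-time passwords with a short validity window (added example)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 10      # from the article; deployments usually use 30
DIGITS = 6
# Constructed shared secret: the RFC 6238 reference-vector key.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """One-time code for the time step containing unix_time (RFC 6238 over HOTP truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int,
           step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Accept the code for the current step and `skew` adjacent steps (clock drift)."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step), code):
            return True
    return False


def replay_outcome(secret: bytes, seen_at: int, replayed_at: int) -> bool:
    """Does a code captured at seen_at still authenticate when replayed at replayed_at?"""
    return verify(secret, totp(secret, seen_at), replayed_at)


if __name__ == "__main__":
    captured = totp(SECRET, 1_000_000)
    print("code generated:", captured)
    print("replayed 5 s later accepted:", replay_outcome(SECRET, 1_000_000, 1_000_005))   # True
    print("replayed 60 s later accepted:", replay_outcome(SECRET, 1_000_000, 1_000_060))  # False
```

The skew window is the trade-off the article glosses over: a shorter step gives a stolen code less useful life, but a token whose clock drifts by more than `skew` steps stops working, so issuers choose the step and the tolerance together.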
He said Visa is prepared to support this implementation, having already built an infrastructure it calls 3-D Secure (three-domain secure), also known as Verified by Visa. Noka explained that this system will enable card-issuing banks to implement their own dynamic authentication without affecting the merchant bank's authorization process.
For the merchant, supporting the infrastructure would involve installing a plugin, he said. According to Visa, the plugin facilitates the delivery of authentication requests to an access control server, which then carries out the authentication policy as defined by the issuer bank.
Chipping at card security
The MAS is also exploring ways to beef up security for credit card payments and is closely looking at moving Singapore to chip-based cards, Noka said, adding that these offer better security than magnetic stripes because data on chips is more difficult to clone.
He acknowledged that the deployment of chip cards has been touted for several years, but noted that it takes time for the necessary infrastructure to be rolled out, locally and globally, so that payments can be supported regardless of where consumers use the cards.
Asked what components are essential to safeguard against credit card fraud, he replied that it would take a combination of dynamic authentication for online transactions, chip cards to combat offline fraud and the deployment of Payment Card Industry (PCI) Data Security Standard (DSS).
Governed by the PCI Security Standards Council, the PCI DSS comprises a set of guidelines aimed at enhancing data security, combating fraud and eliminating security vulnerabilities for payments made by credit and debit cards.
Noka added that merchants also play an important role in keeping credit card payments secure. "There is no point in giving customers a chip card when no merchants are installing the terminals [to support such payments]," he said.
He noted that credit card fraud related to lost or stolen cards is currently "kept very well under control" via various security policies, including what Visa calls advanced authorization. This system checks a transaction against a set of parameters, gives a score to indicate the risk of the transaction and sends that data to the card issuer.
"The issuer can take this into account. They might let that one transaction go through depending on the amount, for example, or they can call the cardholder immediately to ensure it is a legal transaction. If the cardholder says, 'That's not me', the issuer can block every subsequent transaction," said Noka.
Asked if hand-written signatures should be replaced as a form of authorization for credit card payments, Noka said some customers remain "psychologically" attached to the signature. "They want to have the feeling [of assurance] that the transaction will only be charged to their card after they have signed on it," he said, adding that as such, signatures will likely remain a component of the authorization process.

Missing dot drops Sweden off the Internet

What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden -- every address with a .se top-level domain name.
According to Web monitoring company Pingdom, which happens to be based in Sweden, the disablement of an entire top-level domain "is exceptionally rare. ... Usually it's a single domain name that has been incorrectly configured or the DNS servers of a single Web host having problems. Problems that affect an entire top-level zone have very wide-ranging effects as can be seen by the .se incident. ... Imagine the same thing happening to the .com domain, which has over 80 million domain names."
The total blackout of .se lasted for about an hour and a half, Pingdom says, although aftershocks are expected to continue.
"The .SE registry used an incorrectly configured script to update the .se zone, which introduced an error to every single .se domain name," says Pingdom. "We have spoken to a number of industry insiders and what happened is that when updating the data, the script did not add a terminating '.' to the DNS records in the .se zone. That trailing dot is necessary in the settings for DNS to understand that '.se' is the top-level domain. It is a seemingly small detail, but without it, the whole DNS lookup chain broke down."
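The detail Pingdom describes is a property of zone-file (master-file) syntax: a name without a terminating '.' is relative to the zone origin, so inside the .se zone a name server written as 'b.ns.se' is loaded as 'b.ns.se.se.', which does not exist. The script error applied that to every record at once. The check below is an added example, not the .SE registry's tooling; it qualifies names the way a zone loader does and flags RDATA names that already end in the origin but lack the dot, which is the pattern a pre-publication check would catch. The zone excerpt is constructed for illustration.

```python
"""Zone-file check for missing terminating dots (added example)."""
from typing import List, Tuple

# Types whose last RDATA field is a domain name (MX is "preference exchange").
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "DNAME", "MX"}


def qualify(name: str, origin: str) -> str:
    """Absolute form of a master-file name: relative names get the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin == ".":
        return name + "."
    return f"{name}.{origin}"


def parse_zone(text: str) -> List[Tuple[str, str, List[str], str]]:
    """Return (absolute owner, type, rdata fields, origin) for each record line.

    Handles $ORIGIN, skips other directives and comments, and tolerates an
    optional TTL and the IN class between owner and type. Lines are assumed to
    carry an explicit owner name.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                        # $TTL and similar directives
            continue
        parts = line.split()
        i = 1
        while i < len(parts) and (parts[i].isdigit() or parts[i].upper() == "IN"):
            i += 1
        records.append((qualify(parts[0], origin), parts[i].upper(), parts[i + 1:], origin))
    return records


def find_missing_dots(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (owner, type, name as written, name actually loaded) for suspect records.

    A relative target that already ends in the origin was almost certainly
    meant to be absolute; a genuinely relative name such as 'web' is left alone.
    """
    suspects = []
    for owner, rtype, rdata, origin in parse_zone(text):
        if rtype not in NAME_RDATA_TYPES or not rdata:
            continue
        target = rdata[-1]
        zone = origin.rstrip(".").lower()
        lowered = target.lower()
        if zone and not target.endswith(".") and (lowered == zone or lowered.endswith("." + zone)):
            suspects.append((owner, rtype, target, qualify(target, origin)))
    return suspects


# Constructed excerpt of a TLD-style zone: two NS targets and one MX exchange
# are missing the terminating dot; the CNAME target is deliberately relative.
SAMPLE_ZONE = """\
$ORIGIN se.
$TTL 3600
@        IN SOA  a.ns.se. hostmaster.nic.se. 2009101201 7200 900 1209600 3600
@        IN NS   a.ns.se.
@        IN NS   b.ns.se            ; loaded as b.ns.se.se.
example  IN NS   ns1.example.se     ; loaded as ns1.example.se.se.
example  IN NS   ns2.example.se.
www      IN CNAME web               ; intentionally relative: web.se.
pingdom  IN MX   10 mail.pingdom.se ; loaded as mail.pingdom.se.se.
a.ns     IN A    192.0.2.1
"""

if __name__ == "__main__":
    for owner, rtype, written, loaded in find_missing_dots(SAMPLE_ZONE):
        print(f"{owner} {rtype}: '{written}' will be loaded as '{loaded}'")
```

Run against the generated zone before it is signed and distributed, a non-empty result from `find_missing_dots` is the signal to stop the publication; the incident text notes that a correct zone was produced within an hour, but resolvers that had already cached the bad data kept it until their TTLs expired.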
Sweden's Internet Infrastructure Foundation, which administers .se, issued this statement: "The cause was an incorrect software update which, despite our testing procedures, was not detected. Thanks to a well-functioning surveillance system, .SE discovered the error immediately and a new file with the DNS data (zone file) was produced and distributed within one hour. ... The false information that was sent out affected accessibility to all .se domains for a short time. However, there may still be some name servers that have not yet exchanged the incorrect information for the real data."
A spokesperson for .SE, Maria Eklund, told a Swedish press outlet that the issues may not be completely resolved before Wednesday. "This little mistake is going to affect Internet traffic for two days," she told the newspaper.
"I suspect there will be ongoing discussions for weeks here in Sweden," Pingdom's Peter Alguacil told me this morning in an e-mail. "These things just can't be allowed to happen."
(Speculation that it's really the fault of newly "internationalized" ICANN begins in 3 ... 2 ... 1.)

Hacked Web mail accounts used to send spam

There has been a marked increase in the amount of spam e-mail being sent from Yahoo, Gmail and Hotmail accounts, according to analysts at Websense Security Labs.
Websense said last week that personalized spam e-mail had been sent from the compromised accounts to all of each user's contacts. The e-mails contain links to fake shopping sites intended to capture sensitive information from the reader.
Earlier this week, Microsoft acknowledged that 30,000 Hotmail accounts had been breached, and suggested the passwords for the accounts had been obtained in a phishing scam.
However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet Asia's sister site, ZDNet UK, last week that the information was likely to have been obtained through key logging.
"The quantity of people hit makes me think that it was key logging--the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of e-mail account credentials, there were entries with the same username, but a slightly different password, which suggests that they're typos."
"I don't think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them," he said.
Mary Landesman, senior security consultant at ScanSafe, said in a blog post last week that a data-theft Trojan is likely to have been used. Many of the victims appeared to be taking reasonable precautions with the length and complexity of their passwords, she said.
In addition, there were errors throughout the list that appeared to be the result of improper extraction of data, Landesman suggested.
Patrick Runald, security research manager at Websense, said that as yet, there is no proof to suggest it was either a phishing or key-logging scam, although he suspected it could be both. He added that considering the number of compromised accounts, the attack is likely to date back months.
"We've been looking through our systems to try and locate an e-mail that is credible enough to fool so many people, and so far we haven't found one," said Runald. "Generally phishing is declining and being replaced by key logging, and considering the number of compromised accounts, it could be a combination of both."
Runald urged users to change the passwords to their e-mail accounts, and any other accounts that the same password might be used for, every six months. Websense also encouraged people to check that Web sites are properly encrypted and start with the secure version of hypertext transfer protocol, 'https'.
Carole Theriault, senior security consultant at Sophos, said Sophos customers had experienced no significant increase in spam over the past four days. However, she said forum phishing attacks had taken place.
"Some of the most popular passwords that were posted were words like 'neopets', 'tigger' and 'princess'--words that children would use. So not only should parents change their account passwords, they should make sure their kids do, too," she said.

Businesses targeted by small botnets

The majority of botnets in enterprises are small and targeted, according to security firm Damballa.
Enterprise botnets typically consist of a network of fewer than 100 machines, in contrast to botnets in the general internet population, according to Damballa researchers Gunter Ollmann and Erik Wu. For example, the Zeus botnet encompasses millions of machines, according to security researchers.
"While we often observe plenty of stats pertaining to just how big some of the largest internet-based botnets are (reaching into the tens of millions), the spectrum of enterprise botnets appears to be different," Ollmann wrote in a blog post on Tuesday.
"Based upon Damballa's observations of some 600 different botnets encountered and examined within global enterprise businesses over three months, we found that botnets [with fewer than 100 bots] account for 57 percent of all botnets," Ollmann said.
Compromised networks of over 10,000 machines accounted for just five percent of those botnets found in large companies, according to the research. Attackers monitor the compromised machines to harvest high-value data such as source code or copies of customer databases, or to extract directly usable data such as authentication details for large money transfers.
Ollmann wrote that the majority of malicious code on the machines had been built using kits available on the internet, including the Zeus and Poison Ivy kits.
While most of the companies were likely to have become compromised through specially tailored, targeted attacks, Ollmann said that in some cases malicious employees could have deliberately installed the software in order to bypass corporate security.
"It looks to me as though these small botnets are highly targeted at particular enterprises [or vertical sectors], typically requiring a sizable degree of familiarity of the breached enterprise itself," Ollmann wrote. "I suspect that in some cases we're probably seeing the handiwork of employees effectively backdooring critical systems so that they can 'remotely manage' the compromised assets and avoid antivirus detection."
Thorsten Holz, a botnet researcher at the Vienna University of Technology, told ZDNet Asia's sister site, ZDNet UK, on Wednesday that he had never heard of employees knowingly installing bots on their systems. However, he agreed it was feasible that most botnets in large companies were small, and that the machines had been targeted.
"If someone attacks a company, they want to stay below the radar," said Holz. "They would try to have a couple of hundred infections at most, so companies don't realize they are infected, antivirus companies don't get signatures, and attacks [to harvest information] can be more stealthy."
Holz added that, in a company with over 10,000 users, there is a good chance many users' systems would be infected with software that could make them part of a botnet. "Employees click on a malicious link, or use laptops at home, get infected and bring the machines back in," he said. "The threat is real."

BlackBerry smartphones open to SMS attack

BlackBerry mobile devices are open to attack due to a certificate notification flaw in the smartphone's software, according to Research In Motion.
The problem lies in the BlackBerry Browser, specifically in the dialog box that alerts users if the URL they have clicked on does not match the domain they are being sent to, the company warned in an advisory on Monday.
To exploit the flaw, a hacker could craft a malicious website that spoofs a trusted website, then send users a link to that site using text messaging or email. If the malicious domain name contains a null character and the user chooses to access the site, the certificate-handling software on the device will note that there is a mismatch, but the warning dialog box will not display the null character in the link.
For example, the URL 'zd[null character]net.co.uk' will generate an alert, which will tell the user they are about to visit 'zdnet.co.uk'. BlackBerry users may ignore this alert, as malicious websites could appear benign, RIM said.
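The flaw is one of display rather than detection: the browser noticed the certificate mismatch for 'zd[null character]net.co.uk' but rendered the NUL as nothing, so the dialog showed 'zdnet.co.uk' and the warning looked like a false alarm. The block below is an added example, not RIM's code, of the defensive rule that a name is validated against the hostname alphabet and escaped before it is ever shown in a security dialog, so the user sees what was actually requested. All inputs are constructed.

```python
"""Rendering a hostname so that a hidden character cannot stay hidden (added example)."""
import re
from typing import List

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen, 1..63 chars.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def escape_for_display(text: str) -> str:
    """Replace every non-printable or non-ASCII character with a visible escape.

    Controls such as NUL become '\\x00'; anything above 0xFF becomes '\\uXXXX'.
    The point is that nothing in the name can occupy zero width on screen.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if 0x20 <= cp < 0x7F:
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def hostname_problems(host: str) -> List[str]:
    """List every reason `host` is not a well-formed hostname; empty means clean."""
    problems = []
    for ch in host:
        cp = ord(ch)
        if cp < 0x20 or cp == 0x7F:
            problems.append(f"control character U+{cp:04X}")
    for label in host.rstrip(".").split("."):
        if not LABEL.match(label):
            problems.append(f"invalid label '{escape_for_display(label)}'")
    return problems


def mismatch_warning(requested_host: str, certificate_name: str) -> str:
    """Text for a certificate-mismatch dialog that cannot understate the requested name."""
    lines = [
        f"Requested host: {escape_for_display(requested_host)}",
        f"Certificate issued to: {escape_for_display(certificate_name)}",
    ]
    problems = hostname_problems(requested_host)
    if problems:
        lines.append("The requested name is malformed: " + "; ".join(problems))
    lines.append("Recommended action: Close connection")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: the shape of the URL in the advisory, with a real NUL in the name.
    print(mismatch_warning("zd\x00net.co.uk", "zdnet.co.uk"))
```

With the escape applied, the two names in the dialog no longer look identical, which is the comparison the user is being asked to make; a malformed-name line gives the same information to a user who would not recognise the escape.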
"RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages," the company said in its advisory. "If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection."
BlackBerry Device Software from version 4.5 onwards is affected. RIM has provided a software update, available from the BlackBerry updates site, to mitigate the issue.