News, Token, Tokenless, Vulnerability

Researcher says 100,000 passwords exposed on IEEE site


Info on workers at Apple, Google, NASA, Stanford, and elsewhere was easily accessible owing to an oversight by the association for tech pros, a computer scientist in Denmark says.

All the allegedly compromised IEEE members plotted on a world map based on geolocation of their IP address.


(Credit: Radu Dragusin)

A computer scientist says he discovered that a server of the IEEE (Institute of Electrical and Electronics Engineers) had about 100,000 usernames and passwords stored in plaintext and publicly accessible.

Radu Dragusin, a computer scientist who works at FindZebra and is a teaching assistant at the University of Copenhagen, writes in a blog post that he discovered the problem last week and notified the IEEE about his findings, enabling them to “at least partially” fix the problem.

The data was publicly available on the IEEE FTP (File Transfer Protocol) server for at least a month, potentially exposing usernames and passwords of people who work at Apple, Google, IBM, Oracle, Samsung, NASA, Stanford, and other organizations and firms, he said. The same log files also recorded all the actions those users performed on the site, he added.
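The IEEE statement below describes the exposure as “unencrypted log files containing user IDs and passwords”. One way credentials end up in web server logs is a login form submitted with GET, so that the query string (and the password in it) lands in the access log verbatim. The following scanner is an added example for this article, not code from the IEEE or from Dragusin; it assumes Apache/nginx combined-log format and a hypothetical list of parameter names, and the log lines it checks are constructed here. It reports which lines carry credentials (without echoing the password) and shows the masking that should have happened before the line was written to disk.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry secrets (assumed list; extend for your apps).
SECRET_PARAMS = ("password", "passwd", "pwd", "pass", "passphrase", "secret", "token")
# Parameter names that identify the account the secret belongs to (assumed list).
ID_PARAMS = ("username", "userid", "user_id", "user", "login", "email")

# The request field of an Apache/nginx combined log line: "METHOD /target HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Matches secret_name=value inside a query string so the value can be masked.
MASK_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_PARAMS) + r")=[^&\s\"]*")

# Constructed sample log; line 2 is the kind of entry that leaks a credential.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Sep/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.2 - - [18/Sep/2012:10:00:02 +0000] "GET /login?username=jdoe%40example.org&password=hunter2 HTTP/1.1" 302 0
10.0.0.3 - - [18/Sep/2012:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.4 - - [18/Sep/2012:10:00:04 +0000] "GET /search?q=password+manager HTTP/1.1" 200 2048
"""


def find_credentials(line):
    """Return {'user': ..., 'secret_params': [...]} if the logged request's query
    string carries a secret parameter, else None. The secret value itself is
    never returned: the scanner must not become a second copy of the leak."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    secrets = sorted(k for k in params if k in SECRET_PARAMS)
    if not secrets:
        return None
    user = next((params[k][0] for k in ID_PARAMS if k in params), None)
    return {"user": user, "secret_params": secrets}


def scan_log(text):
    """Scan a whole log; return (line_number, user, secret_param_names) per hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = find_credentials(line)
        if found:
            hits.append((n, found["user"], found["secret_params"]))
    return hits


def redact(text):
    """Mask secret parameter values, i.e. what a logging layer should do before
    any request line reaches disk (or an FTP server)."""
    return MASK_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


if __name__ == "__main__":
    for lineno, user, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: account {user!r} exposed via {', '.join(names)}")
    print(redact(SAMPLE_LOG))
```

Line 4 of the sample is deliberately a near miss: the word “password” appears as a search term, not as a parameter name, so it is neither flagged nor masked. A POST login (line 3) does not show up in the access log at all, which is the right place to be; if request bodies are logged for debugging, the same masking has to be applied there.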

The IEEE provided CNET with a statement late this afternoon. “IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the organization said. “IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”

News, Vulnerability

If you see ‘URGENT tax rebate download’ in an inbox, kill it with fire


FireEye has put together a list of the most common words and phrases that appear in fake emails designed to infect corporate networks and steal data.

The security firm said that the list spotlights the social engineering techniques that feature as a key component of so-called spear phishing attacks. Hackers tend to use words that create a sense of urgency in a bid to trick unsuspecting recipients into downloading malicious files.

The top word category in email-based attacks relates to express shipping: words such as “DHL”, “UPS”, and “delivery” feature in a quarter of all attacks. Urgency terms such as “notification” and “alert” appear in about 10 per cent of attacks. Some attacks mix and match terms from these two popular categories, as one example cited by FireEye shows.

Email-based attacks increased 56 per cent between Q1 2012 and Q2 2012, according to FireEye. The security firm claims these attacks often get through multiple layers of defence – including anti-virus, firewalls and intrusion prevention systems – to reach corporate desktops.

Cybercrooks and spies are also fond of finance-related words, such as the names of financial institutions paired with an associated transaction (one example: “Lloyds TSB – Login Form.html”), and tax-related words. Travel and billing words including “American Airlines Ticket” and “invoice” are also popular spear phishing email attachment keywords.

FireEye warns that crooks often use phrases from social engineering sites to “personalise” booby-trapped emails and make them look more authentic.

Attackers primarily use zip files in order to hide malicious code, but other file types, including PDFs and executable files, also feature in attacks ultimately aimed at gaining access to corporate networks before stealing intellectual property, customer information, and other valuable data. It’s hard to believe that executables, in particular, aren’t routinely blocked at corporate email gateways, but FireEye’s research suggests otherwise.
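The categories above (shipping, urgency, finance, travel and billing) and the attachment observations (zip as the favourite wrapper, executables still getting through) translate directly into a gateway triage rule. The scorer below is an added example written for this article, not FireEye’s code or its full keyword list: the word lists, the extension sets and the score thresholds are this example’s own assumptions, and the messages it grades are constructed. It shows the one thing the report makes hard to argue with: an executable attachment is blocked regardless of how convincing the lure is, while lure keywords alone only raise the score.

```python
import os
import re

# Lure keyword categories named in the FireEye summary; the words under each are
# an assumed starter list, not FireEye's published list.
CATEGORIES = {
    "shipping": ("dhl", "ups", "fedex", "delivery", "shipment", "tracking"),
    "urgency": ("urgent", "notification", "alert", "immediately"),
    "finance": ("lloyds", "bank", "login", "account", "statement", "payment",
                "tax", "rebate", "irs", "hmrc"),
    "travel_billing": ("ticket", "airlines", "itinerary", "invoice", "billing"),
}
# Executable types that should never pass an inbound mail gateway (assumed set).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Archives: the report's most common wrapper for malicious code.
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# Document types the report also names as carriers.
HIGH_RISK_EXT = {".html", ".htm", ".pdf"}

WORD_RE = re.compile(r"[a-z0-9]+")


def categorise(text):
    """Return the sorted list of lure categories whose keywords appear in text."""
    words = set(WORD_RE.findall(text.lower()))
    return sorted(cat for cat, kws in CATEGORIES.items() if words & set(kws))


def assess(subject, attachment_name):
    """Score one message from its subject and attachment file name.
    Returns (score, reasons). Scoring weights are this example's assumption:
    +1 per lure category, +5 executable, +2 archive, +1 html/pdf."""
    reasons = []
    score = 0
    for cat in categorise(f"{subject} {attachment_name}"):
        score += 1
        reasons.append(f"lure:{cat}")
    # splitext keeps only the last extension, so "invoice.pdf.exe" is seen as .exe
    ext = os.path.splitext(attachment_name.lower())[1]
    if ext in BLOCKED_EXT:
        score += 5
        reasons.append("blocked-executable")
    elif ext in ARCHIVE_EXT:
        score += 2
        reasons.append("archive")
    elif ext in HIGH_RISK_EXT:
        score += 1
        reasons.append("high-risk-document")
    return score, reasons


def decide(subject, attachment_name):
    """Map the score to a gateway action (thresholds are an assumption)."""
    score, _ = assess(subject, attachment_name)
    if score >= 5:
        return "block"
    if score >= 2:
        return "quarantine"
    return "allow"


# Constructed messages modelled on the lures the report describes.
SAMPLES = [
    ("Your DHL delivery notification", "DHL_notification.zip"),
    ("Lloyds TSB - Login Form", "Lloyds TSB - Login Form.html"),
    ("American Airlines Ticket", "American Airlines Ticket.pdf"),
    ("URGENT tax rebate download", "rebate.exe"),
    ("Invoice", "invoice.pdf.exe"),
    ("Q3 roadmap", "roadmap.docx"),
]

if __name__ == "__main__":
    for subject, name in SAMPLES:
        score, reasons = assess(subject, name)
        print(f"{decide(subject, name):10} {score:2}  {subject!r} / {name!r}  {reasons}")
```

Two of the samples are there to exercise the edge cases: the double extension “invoice.pdf.exe” is still an executable, and a harmless internal document with no lure words and a plain .docx attachment scores zero.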


News, Vulnerability

New Java flaw could hit 1 billion users


A new Java vulnerability has surfaced that apparently affects all Java runtimes and therefore puts close to a billion users at risk.

It’s just a proof of concept for now, but a newly revealed Java vulnerability could have very widespread repercussions.

Security research company Security Explorations has issued a description of a new critical security flaw in Java SE 5 build 1.5.0_22-b03, Java SE 6 build 1.6.0_35-b10, and the latest Java SE 7 build 1.7.0_07-b10. This error is caused by a discrepancy with how the Java virtual machine handles defined data types (a type-safety error) and in doing so violates a fundamental security constraint in the Java runtime, allowing a complete bypass of the Java sandbox.

Security Explorations conducted tests on a fully patched Windows 7 machine and was able to exploit the bug through the Java plugin in the latest versions of the most popular browsers (Internet Explorer, Firefox, Chrome, Safari, and Opera). Although the flaw was only tested on 32-bit Windows 7, it lives in Java itself rather than in the operating system, so it affects anyone with Java installed, whether on Windows, Linux, Mac, or Solaris.

Adam Gowdiak, CEO of Security Explorations, said in a blog post that Oracle has been alerted to the matter and that the company needs to pay attention:


 We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison’s morning…Java.


In an interview with ComputerWorld, Gowdiak explained that this is a new flaw in Java that has persisted even after Oracle’s most recent patch, and when exploited would allow an attacker to use a malicious Java applet to install programs, or read and change data on the system with the privileges of the current user.

Gowdiak also calls this a zero-day flaw. The term gets used loosely: strictly it means a vulnerability the vendor has had “zero days” to prepare a patch for, and it is often reserved for flaws already being exploited in the wild. No active exploit has been reported for this bug, and Gowdiak’s descriptions of it, both on the Security Explorations blog and in the ComputerWorld interview, suggest that for now it is a proof of concept.

So far Oracle has been provided with a technical overview of the bug and example code demonstrating the flaw, but has not yet acted on it, and it is not known when it will. For the most recent zero-day vulnerability Oracle broke its quarterly update schedule to ship a fix, but that was the first time it had done so, and the company may well fall back to its quarterly schedule and issue an update in just under a month, on October 16.

While this bug is more widespread than other recently found Java exploits, so far there is no concrete evidence of it being used in any malware exploits; however, it does stress the importance of reducing the number of active runtimes (code execution environments) on your system. If you do not need Java, then you might be best off uninstalling or disabling it. If you are unsure whether or not you need Java, then you might also remove it and then only reinstall it if any of your activities prompt you for a Java runtime requirement.

News, Vulnerability

Symantec source code leak becomes torrent

Hacktivists once again poked fun at Symantec after previously leaked source code for Symantec’s Norton Utilities 2006 software was made available as a torrent on Monday. Symantec downplayed the significance of the leak, saying it only involved obsolete code that had already been exposed.

AntiSec tacked a mocking note onto the release of a 52MB file, which was uploaded to The Pirate Bay and other torrent tracker sites on Monday. “Anyhow with this release is nothing really to prove, just stop making shitty software in the name of god! Your [sic] are only killing our CPU’s! [sic]”

“Respect & greetings to @AnonymousIRC @Par_AnoIA.”

Back in January, a hacking group calling itself The Lords Of Dharmaraja boasted about stealing the source code for Symantec’s security products from Indian government systems.

The security giant initially blamed the leak of source code for older enterprise products on a breach at the network of an unnamed third party, before later admitting that the source code of pcAnywhere and consumer products had also been exposed. It also confessed that the leak was actually down to an earlier (previously undetected) breach of its own systems back in 2006.

It said source code for the 2006-era versions of the following products had been exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

Symantec took the highly unusual step in early February of advising customers of pcAnywhere to suspend use of older versions of the remote control desktop management software pending the release of a patch. Shortly after the patch became available, The Lords Of Dharmaraja leaked portions of pcAnywhere source code, together with an invitation for hackers everywhere to pore over the code in order to identify exploits against systems running Symantec’s remote control software.

In a statement, Symantec said this week’s release is tied to the earlier breach but is less significant than the pcAnywhere leak because it involves only obsolete code.

“Symantec is aware of the claims made online that a group has posted the source code for Norton Utilities 2006. We have analyzed the code that was posted and have concluded that it is the same code that was already posted by another group in January 2012. As we stated at that time, the 2006 version of Norton Utilities is no longer sold or supported. The current version of Norton Utilities has been completely rebuilt and shares no common code with Norton Utilities 2006. The code that has been posted for the 2006 version poses no security threat to users of the current version of Norton Utilities. Furthermore, we have no indications that the posting of this old code impacts the functionality or security of any other Symantec or Norton solutions.”

Independent security experts, such as Imperva, have described the Lords Of Dharmaraja hack and subsequent source code leak saga as more of a trophy scalp for hacktivists than a serious risk to Symantec’s customers.

“The implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers,” Rob Rachwald, director of security strategy at Imperva, wrote at the time. “After all, there isn’t much hackers can learn from the code which they hadn’t known before [because] most anti-virus product is based on attack signatures.”

Mobile, News, Vulnerability

Researcher offers quick fix for Samsung remote wipe vuln

Although Samsung has yet to issue patches for most of the phones affected by a recently discovered remote-wipe vulnerability, a German security researcher has released an app that he says can block the exploit.

As El Reg reported on Tuesday, a flaw in Samsung’s dialing software causes its phones to execute some tel protocol URIs (uniform resource identifiers) without the user even pressing the Dial button. At worst, this allows a remote attacker to deliver, via a web page or message that contains such a URI, the Unstructured Supplementary Service Data (USSD) code that resets the phone to its factory state, wiping all the data in the process.

On Wednesday, Samsung issued a firmware fix that resolved the issue in the Galaxy S III, its flagship Android handset. But no other phones have yet received a similar patch, and it’s not clear just how many mobiles may be affected.

For those whose phones may still be vulnerable, security researcher Collin Mulliner has issued an app that he says slaps a quick fix over the problem. Called TelStop, it works by publishing a URI handler for the tel protocol. The result is that whenever a tel URI is activated, the Android OS asks the users whether to open it using the phone app or TelStop.

Screenshot of TelStop app to block Samsung remote-wipe exploit

Block that call!

“If you suddenly see the application selector that includes Phone and TelStop you know something just invoked a TEL URI,” Mulliner explains on his website. “If you didn’t click a TEL link or tried to dial a number it is likely to be an attack.”

TelStop also attempts to interpret the contents of tel URIs to offer the user some guidance as to whether they might be malicious. Links that just contain digits are probably legitimate phone numbers, but ones that contain special characters such as asterisks or per cent signs trigger an additional warning.
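The heuristic just described (digits are probably a phone number; asterisks, hashes or per cent signs are not) is simple enough to reproduce and check against a page before it reaches a phone. The code below is an added example for this article and is not TelStop or any of Mulliner’s code; it only borrows the rule the article attributes to him. It extracts tel: URIs from a constructed HTML snippet, decodes percent-encoding (the way an attacker hides the MMI characters from a casual look) and classifies each link. The sample USSD string is made up for the example; the article does not publish the reset code and neither does this.

```python
import re
from urllib.parse import unquote

# tel: URIs in href/src attributes, which is where a drive-by page puts them
# (a hidden iframe src is the classic delivery).
TEL_URI_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(tel:[^"'\s>]*)""", re.I)
# Characters a normal dial link may contain besides digits and a leading '+'.
SEPARATORS = str.maketrans("", "", "-. ()")
DIGITS = set("0123456789")


def classify_tel_uri(uri):
    """Return (verdict, reason) following the TelStop rule as the article
    describes it: digits only is a phone number; * # or % means MMI/USSD."""
    if not uri.lower().startswith("tel:"):
        return ("not-tel", "scheme is not tel:")
    raw = uri[4:]
    decoded = unquote(raw)  # %2A -> '*', %23 -> '#'
    body = decoded[1:] if decoded.startswith("+") else decoded
    compact = body.translate(SEPARATORS)
    if not compact:
        return ("suspicious", "empty number")
    if "*" in compact or "#" in compact:
        how = "percent-encoded " if "%" in raw else ""
        return ("suspicious", how + "MMI/USSD syntax (* or #) rather than a phone number")
    if "%" in raw:
        return ("suspicious", "percent-encoding in a dial link")
    if all(c in DIGITS for c in compact):
        return ("plain-number", "digits only")
    return ("suspicious", "non-digit characters")


def audit_html(html):
    """Return (uri, verdict, reason) for every tel: URI found in the markup."""
    return [(uri, *classify_tel_uri(uri)) for uri in TEL_URI_RE.findall(html)]


# Constructed page: one honest call link and two hidden USSD triggers,
# the second of them percent-encoded. "*#123#" is a made-up MMI string.
SAMPLE_HTML = """
<p><a href="tel:+1-555-0100">Call support</a></p>
<iframe src="tel:%2A%23123%23" style="display:none"></iframe>
<a href='tel:*#123#'>nothing to see here</a>
"""

if __name__ == "__main__":
    for uri, verdict, reason in audit_html(SAMPLE_HTML):
        print(f"{verdict:13} {uri!r}: {reason}")
```

The percent-encoded case is the one worth keeping in mind: the raw attribute contains no asterisk or hash at all, so a filter that inspects the undecoded string passes it, while the dialer receives the decoded MMI code. Decode first, then classify.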

On his Twitter feed, Mulliner describes the current version of TelStop as a “quick and dirty fix,” and says a more user-friendly version is in the works (although the current version does block the exploit).

Owners of Samsung phones can download the latest version of TelStop either directly from Mulliner’s website or from the Google Play store. Mulliner recommends the latter method, since users who install it from Google Play will be automatically notified of future

News, Vulnerability

Maker of smart-grid software discloses hack


Files were affected during compromise, says company that makes software used in the “smart” electric grid.

Telvent Canada says someone sneaked past its internal firewall, installing malicious software and stealing files related to control software it makes that’s used to manage the electric grid in various countries.

The company warned customers last week that it learned of a breach of its network on September 10, according to the KrebsOnSecurity blog. Project files associated with the firm’s OASyS SCADA (supervisory control and data acquisition) software were stolen, the post says.

“Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,” the company said this week in a letter to customers, which was cited by the blog.

A Telvent spokesman confirmed the breach to Wired today but wouldn’t comment on whether files had been downloaded or altered. “We are aware of a security breach of our corporate network that has affected some customer files,” spokesman Martin Hannah is quoted as saying. “We’re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams. And Telvent is actively working with law enforcement, with security specialists, and with customers to ensure that this breach has been contained.”

Meanwhile, malware used in the attack is believed to be associated with a Chinese hacker group called “Comment Group,” the KrebsOnSecurity post reports.

Dale Peterson, CEO of industrial control system (ICS) security firm Digital Bond, says his firm was targeted recently too. “If this Comment Group is the same as Comment Crew, then this is likely the same people that sent spear phishing e-mail to Digital Bond and EnergySec,” he wrote in a blog post. “They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks.”

Two days after Telvent says it noticed the breach, the company announced a partnership with security firm Industrial Defender to “expand its cybersecurity capabilities within Telvent’s key utility and critical infrastructure solutions.”

SCADA systems, which were not meant to be connected to the public-facing Internet, are being increasingly linked to the outside world so engineers can access the systems remotely. While it makes it convenient for critical-infrastructure operators, it can provide a way in for attackers.

News, Vulnerability

Japanese Web sites attacked in tense dispute with China


A Japan-China dispute over the Senkaku Islands has led to cyberattacks, say Japan-based reports.

(Credit: Wikimedia Commons)

A tense territorial dispute with China has triggered cyberattacks, according to Japan-based reports.

Web sites at 19 Japanese banks and universities, among other institutions, have been hit with attacks in the wake of Japan’s nationalization of the Senkaku Islands on September 11, according to Kyodo News Agency and other reports.

The Web site of the Internal Affairs and Communications Ministry statistics bureau, for example, has come under a distributed denial of service (DDoS) attack, Kyodo said.

Tohoku University, an elite science and engineering university, has also been targeted, Kyodo said.

It’s not clear who’s behind the attacks. So far, the Chinese government hasn’t publicly addressed the reports in Japan.

The attacks were triggered on September 11 when the Japanese government purchased the Senkaku islands from private owners for about $30 million, effectively nationalizing the territory.

China disputes Japan’s claim to the islands and sent Chinese navy surveillance vessels to the area last week.

Japan’s taking of the islands has sparked protests across China, according to the English-language China Daily, which wrote in an editorial dated September 20 that the “islands have belonged to China since ancient times.”

Tensions were further inflamed this week on the 81st anniversary of the Manchurian Incident (also known as the Mukden Incident). In 1931, the Imperial Japanese Army bombed a Japanese-owned railway as a pretext for invading Manchuria.

And, in related news, Japanese companies have been forced to close factories in China. Those companies include Panasonic, Canon, and Toyota.