London police charge third member of ATM hacking gang

London police have charged a man believed to be a member of an eastern European ATM hacking gang that stole more than £1.5m from malware-infected bank cash machines in the UK in 2014.

The 30-year-old Ionut Emanual Leahu was charged with conspiracy to defraud after being arrested in Bacau, Romania by officers of the London Regional Fraud Team run by the City of London Police and the Metropolitan Police. In 2014, Grigore Paladi was sentenced to five years in jail for his role in the gang, and in 2015, Teofil Bortos was sentenced to seven years in jail.

Leahu appeared at the City of London Magistrates Court and was remanded in custody until 28 October 2016, when he will appear at Inner London Crown Court. The gang targeted 51 cash machines in standalone public places across the UK over the 2014 May Bank Holiday weekend.

Each machine was physically broken into and infected with malware before large amounts of cash were withdrawn. The malware subsequently deleted itself, making it difficult to identify the cause of the attacks, but police said the physical nature of the infiltration meant customer data was not compromised.

Police are still seeking a third suspect for whom a European Arrest Warrant has been issued. Commenting on the latest arrest, London Regional Fraud Team head, detective inspector Matthew Mountford, said it demonstrated his team’s determination to track down the gang members.

“Operating across borders has its challenges, but overseas law enforcement have been extremely co-operative, especially in Romania. Working together we will continue to ensure that organised criminal gang members have nowhere to hide,” he said.

In January 2016, European police arrested eight cyber criminals who raided ATMs across the continent using Tyupkin malware. The malware enabled the gang of Romanian and Moldovan nationals to manipulate ATMs and empty cash cassettes.

An investigation by security firm Kaspersky Lab in 2014 found the Tyupkin ATM malware mainly in Eastern Europe, but also in use in the US, India and China. Speaking at IPExpo 2016 in London, Kaspersky Lab chief Eugene Kaspersky described ATMs as “computers with cash”.

“We are living in a dangerous world, where we can’t trust anything. Cyber is now just about everywhere, and it is vulnerable. Everything can be stolen and is open to compromise,” he said. According to Europol, there has been a major increase in ATM attacks using malicious software in the past few years.

By Warwick Ashford


TalkTalk has been hit with a record £400,000 fine for the cyber attack in 2015 that exposed personal details of more than 150,000 customers.

The new information commissioner, Elizabeth Denham, said the telecoms provider had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.

In May 2016, TalkTalk revealed that the attack lost the broadband provider 100,000 customers, and cost more than £40m to rectify.

“Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” said Denham, who took up her post in July.

The Information Commissioner’s Office (ICO) also published a detailed breakdown of how TalkTalk was hit and the mistakes it made.

“The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages in the inherited infrastructure,” it said.

“TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.

“TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.

“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data.”
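The ICO's point is that SQL injection is a well-understood class of flaw with known defences. The following is an added illustration, not code from the ICO report or from TalkTalk's systems: a constructed in-memory SQLite customer table, a lookup that splices untrusted input into the query text, and the parameterised form of the same lookup. The table, usernames and the crafted input are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer table; not any real schema or records.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: quote characters in the input become part of the SQL."""
    query = "SELECT id, username, email FROM customer WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    """Sends the value as a bound parameter: whatever it contains is compared as one string literal."""
    query = "SELECT id, username, email FROM customer WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups on an ordinary username and on a constructed input containing a quote."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed: closes the literal and appends an always-true clause
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),   # the whole table comes back
        "safe_normal": lookup_parameterised(conn, "alice"),
        "safe_crafted": lookup_parameterised(conn, crafted),      # no such username: empty result
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {len(rows)} row(s)")
```

The two functions differ only in how the value reaches the database engine, which is why code review for string-built queries (and a scan of inherited web pages, the step the ICO says TalkTalk skipped) is the practical defence.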

Denham said: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.”

“The record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

By Bryan Glick


Terror groups likely to be first to unleash cyber weapons

Terror groups, not nation states, are the most likely to unleash devastating cyber weapons, according to Eugene Kaspersky, chief executive and co-founder of security firm Kaspersky Lab.

“I am 99.99% sure some nation states have developed top secret cyber weapons,” he told attendees of IPExpo at Excel in London. Unlike traditional weapons, cyber weapons can be reverse engineered, improved and used on those who developed them, so nation states are unlikely to use them on each other.

“But I am really afraid some terrorist group will pay cyber criminals to develop and deploy such weapons on their behalf,” he said, noting that some cyber criminals work like mercenaries, providing cyber crime services to anyone who is willing to pay.

Kaspersky said cyber weapons are likely to fall in one of three categories: those aimed at causing physical damage, destroying critical data and telecommunications.

He cited Stuxnet and attacks on power suppliers in Ukraine as examples of the first, the attack on Saudi Aramco an example of the second, and the telecommunication blackout in Estonia in 2007 an example of the third.

“We are living in a dangerous world, where we can’t trust anything. Cyber is now just about everywhere, and it is vulnerable. Everything can be stolen and is open to compromise,” said Kaspersky.

Critical infrastructure is the most “problematic” and probably the “scariest” area, he said, because cyber criminals are well-resourced and can attack even well-protected networks.

“Cyber criminal groups are very professional and have shown that they can get past the security of well-known companies that typically invest a lot in cyber defence,” said Kaspersky.

He warned that all operating systems are under attack. “It is not only Microsoft Windows, but also Android, Mac OS, Linux and iOS,” he said.

According to Kaspersky, the vast majority (384 million) of malicious files detected are aimed at Windows, compared with Android (18 million) and Mac OS (30,000).

There are still only around 600 aimed at iOS, but Kaspersky believes nation states are behind most of those. He also blamed the lack of Mac OS threat on the lack of good Mac OS engineers.

“We struggle to find good Mac OS engineers to work for us, and I am guessing that cyber criminals have the same problem.”

Despite painting a gloomy picture, Kaspersky said the situation was far from hopeless because there are things that can be done to reduce the likelihood and impact of cyber attacks.

According to Kaspersky, essential practices for enterprises for protecting critical data include regular security audits and sound cyber security strategies, minimising all network connections by allowing only those that are absolutely necessary for the business to function, and allowing only trusted applications and processes because “endpoint security controls are not enough on their own”.

Essential practices for operators of industrial control systems, particularly operators of critical infrastructure, include air-gapping critical systems, continually monitoring trusted processes using a secure operating system, and putting all new equipment onto secure operating systems.

In support of this approach, Kaspersky Lab has developed a secure operating system for its process monitoring system, a combination that critical infrastructure operators can use until they are able to migrate all systems to a secure operating system.

“This migration process will take years, but the sooner we start, the sooner we will be in a position that is much more secure,” he said.

By Warwick Ashford


FBI confirms more state voter databases targeted by attackers

A patch for a low-severity OpenSSL vulnerability issued last week actually made things worse and created a new, more severe vulnerability in the open source cryptographic library.

In an unusual move, the OpenSSL Project bypassed its usual process for announcing vulnerabilities and patch availability, and it instead rushed out a new set of emergency patches to fix the new critical vulnerability.

“This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016,” the OpenSSL Project wrote. “Given the critical severity of one of these flaws, we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification.”

The original flaw, one of 14 fixed in the OpenSSL patch release on Sept. 22, enabled a transitory denial-of-service attack through memory exhaustion and had a low severity rating; the new vulnerability introduced by the patch could allow an attacker to execute arbitrary code on a victim system.

“Due to the way memory is allocated in OpenSSL, this could mean an attacker could force up to 21 MB to be allocated to service a connection. This could lead to a denial of service through memory exhaustion,” according to the original OpenSSL vulnerability advisory. “However, the excessive message-length check still takes place, and this would cause the connection to immediately fail.” The excessive allocation is then freed, as long as the application calls SSL_free() to release the connection's memory. “Therefore, the excessive memory allocation will be transitory in nature.”

The new critical OpenSSL vulnerability opened by the patch “resulted in an issue where if a message larger than approximately 16 KB is received, then the underlying buffer to store the incoming message is reallocated and moved,” OpenSSL wrote. “Unfortunately, a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash; however, it could potentially lead to execution of arbitrary code.”

By Peter Loshin


DNS monitoring can help deanonymize Tor users

New research claims the efforts expended on the Tor project may be focusing on the wrong issues because “its use of DNS has received little attention,” and researchers have proven DNS monitoring can be used to deanonymize Tor users.

The finding, published in the paper “The Effect of DNS on Tor’s Anonymity,” was a collaborative effort between researchers at the KTH Royal Institute of Technology in Stockholm, Sweden; Karlstad University in Karlstad, Sweden; and Princeton University in Princeton, N.J.

In a blog post on the topic, one of the researchers, Philipp Winter, postdoctoral researcher in computer science at Princeton University, said a significant fraction of Tor exit relays send DNS requests to Google’s public domain name resolvers, which creates a centralized point of control and observation where DNS monitoring can be used in an attack — something Tor was designed to avoid.

“It is well-understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries,” Winter wrote. “We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client’s identity (her IP address) to her activity (e.g., visiting Facebook), and thus, break anonymity.”

Lance James, chief scientist at Flashpoint, told SearchSecurity DNS monitoring attacks have commonly been an issue for Tor.

“This attack isn’t completely new in nature. There is research from multiple parties that have known this for a while, specifically using Google’s [resolver,]” James said. “In reality, Google’s DNS probably has the widest view of Tor-leaked traffic on the internet, and with a data set of that size and detail one can do amazing research with traffic analysis — not that they would per se.”

According to the research, Google’s public DNS servers can at times handle DNS resolution for 40% of Tor exit bandwidth, which the researchers said is “an alarmingly high number for a single organization”, adding that Tor relay operators “should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks,” researchers wrote. “Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.”
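The researchers' recommendation to relay operators is about concentration: how much exit bandwidth any single resolver gets to observe. The following is an added example, not code from the paper or the Tor Project, of a bandwidth-weighted check an operator community could run over a relay list. The relay nicknames, bandwidth figures and the 203.0.113.53 address are constructed; 8.8.8.8 is Google's public resolver, and a resolver of None marks a relay that runs its own local resolver. The sample happens to give Google a 40% share, matching the figure in the article, but that is by construction.

```python
from collections import defaultdict

# Constructed sample relay list; nicknames, bandwidths and 203.0.113.53 (a documentation-range
# address standing in for an ISP resolver) are made up. None means the relay resolves locally.
EXIT_RELAYS = [
    {"nickname": "exitA", "bandwidth_kbps": 5000, "resolver": "8.8.8.8"},
    {"nickname": "exitB", "bandwidth_kbps": 3000, "resolver": "8.8.8.8"},
    {"nickname": "exitC", "bandwidth_kbps": 4000, "resolver": None},
    {"nickname": "exitD", "bandwidth_kbps": 4000, "resolver": None},
    {"nickname": "exitE", "bandwidth_kbps": 2000, "resolver": "203.0.113.53"},
    {"nickname": "exitF", "bandwidth_kbps": 2000, "resolver": "203.0.113.53"},
]


def resolver_shares(relays):
    """Return each resolver's share of total exit bandwidth as a fraction in [0, 1].

    A relay with a local resolver is its own vantage point, so such relays are keyed by
    nickname rather than pooled into one bucket.
    """
    total = sum(r["bandwidth_kbps"] for r in relays)
    if total == 0:
        return {}
    pooled = defaultdict(int)
    for r in relays:
        key = r["resolver"] if r["resolver"] is not None else "local:" + r["nickname"]
        pooled[key] += r["bandwidth_kbps"]
    return {key: bw / total for key, bw in pooled.items()}


def concentration_warnings(relays, threshold=0.25):
    """List (resolver, share) pairs whose share of exit bandwidth exceeds the threshold, largest first."""
    flagged = [(res, share) for res, share in resolver_shares(relays).items() if share > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for res, share in sorted(resolver_shares(EXIT_RELAYS).items(), key=lambda item: -item[1]):
        print(f"{res:20s} {share:6.1%}")
    for res, share in concentration_warnings(EXIT_RELAYS):
        print(f"WARNING: {res} can observe {share:.0%} of exit bandwidth")
```

The 25% threshold is an assumption chosen for the example; the paper's 40% observation is the kind of value such a check would flag, and weighting by bandwidth rather than relay count is what makes a handful of large exits pointing at one resolver visible.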

James said these DNS monitoring techniques aren’t trivial and require control of an autonomous system, as Google or an ISP has.

“This attack will likely be deployed at a specific target, not a general Tor user. In many cases in the U.S., if you are targeted specifically it is due to breaking the law or doing something that causes concern to national security,” James said. “In other countries this rule tends to apply as well. Dissidents that expect protection from Tor could be in danger, but in the reality, using Tor in itself is already a fingerprint and this attack would not matter if the adversary is at the ISP level.”

Winter said this research shouldn’t necessarily create immediate cause for concern.

“Adversaries that can already monitor large fractions of the internet — for many people, the biggest threat — will not do any better with our attack,” Winter wrote. “Instead, we investigate how ‘semi-global’ adversaries can get the most out of the data they have. Finally, the Tor Project is already working on techniques to make website fingerprinting attacks harder.”

By Michael Heller


Release of Mirai IoT botnet malware highlights bad password security

The malware code behind the IoT botnet responsible for the recent, massive DDoS attacks has been released. And although there are lessons to be learned from it, experts suspect the release will cause more harm than good.

The Mirai botnet malware was released in the hacking-community website Hack Forums by a user named Anna-senpai, who claims to be the author of the code. Mirai was the botnet malware used in the distributed denial-of-service (DDoS) attack that took down the site of infosec journalist Brian Krebs and was clocked at 620 Gbps. Both names Anna and Mirai reference Japanese anime. Anna-senpai adopted the honorific senpai because the hacker sees himself or herself as a teacher for those wanting to use the Mirai malware. But the Japanese word for teacher is sensei, not senpai.

Anna-senpai did not take responsibility for that attack and said it was time to leave the game. In the forum post, Anna-senpai wrote, when he or she first got into the DDoS industry, “I wasn’t planning on staying in it long. I made my money,” and now it’s time to get out. “So, today, I have an amazing release for you. With Mirai, I usually pull max 380k [380,000] bots from Telnet alone. However, after the Kreb [sic] DDoS, ISPs [have] been slowly shutting down and cleaning up their act. Today, max pull is about 300k [300,000] bots and dropping.”

Anna-senpai went on to describe the system requirements for running the malware and tips for configuring the Mirai botnet malware. Anna-senpai claimed someone should be able to set up a working botnet in under one hour with the scripts and code provided.

Experts said the malware does take skill to implement properly, but Rick Holland, vice president of strategy for San Francisco-based Digital Shadows Ltd., said the “code release is particularly dangerous, since it once again lowers the barrier to entry for threat actors.”

“This release will cause more harm than good. The good that will come out of it is that it will raise awareness around denial-of-services attacks,” Holland told SearchSecurity. “Of course, awareness isn’t a security control and won’t be able to prevent DDoS attacks. Organizations will need to move from awareness to actual mitigation.” MalwareTech said on Twitter it might not be so easy for threat actors to get started with the code.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, based in Santa Clara, Calif., said this opens the possibility of more large botnets, as well as the possibility that “a less experienced attacker might accidentally damage these IoT [internet of things] devices through poor coding and lack of experience.”

“Mitigating against an IoT DDoS is difficult, as these machines can have legitimate IP addresses, making filtering bona fide traffic difficult,” Taggart told SearchSecurity. “A more advanced threat actor could also patch these IoT devices in such a way as to only allow them to be accessible by them.”

Gunter Ollmann, CSO of Vectra Inc., based in San Jose, Calif., said the Mirai IoT botnet malware could be modified in unknown ways in the future.

“The botnet agent is particularly versatile and has a number of precoded install packages for a wide variety of common system-on-chip platforms,” Ollmann told SearchSecurity. “This means that copycat botnet operators will not need to learn or understand the differences of the platforms, but can target them anyway; in essence, dumbing down the skill level needed to launch such attacks going forward.”

Anna-senpai said the Mirai malware propagated by brute-forcing IoT device passwords via Telnet in a way that is 80 times faster and 20 times less resource-intensive than traditional botnet malware Qbot.

Ollmann said one impressive feature of the malware was the ability to use multiple IP addresses to bypass port exhaustion in Linux.

“The purpose here is to increase the total number of outbound connections that can be created and to overload the receiving device by exhausting their number of inbound connections, which will likely be maxed out at 65k [65,000] for a single port or protocol,” Ollmann said. “DDoS caused by connection saturation is often preferred as an attack vector because it doesn’t require high volumes of traffic. Therefore, a DDoS state can be achieved using a smaller number of attacking devices and requires less bandwidth to achieve the desired goals.”

Jerry Gamblin, lead security analyst at CARFAX, based in Centreville, Va., said the Mirai code highlighted troubles with users leaving the default passwords on IoT devices.

“The fact that devices are still running Telnet should be shocking, but, unfortunately, it isn’t,” Holland said. “The same is true for admin:admin credentials. All too often, we see nonexistent or poor security on these types of devices.”

Ollmann said this is a design flaw that IoT makers will have to consider in the future.

“All such devices need to ship with some kind of default credentials, so that the purchaser can configure the device for their own network environment. The real problem is that the owners are negligent in not changing these accounts after installation,” Ollmann said. “Future vendors of products like this should perhaps adopt practices which force the owner of the device to change the default password before they’re allowed to proceed further with configuration — and also to do some basic password integrity checking to prevent common or reused passwords. This would be pretty easy to do.”
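Ollmann's suggestion is a first-boot gate: the device refuses further configuration until the factory credential is replaced, and it checks the replacement against common and previously used passwords. The following is an added example of that gate, written for this page and not taken from any vendor's firmware or from the Mirai source; the factory credential, the short deny list and the minimum length are constructed assumptions, and the hashing uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed factory credential for a hypothetical device; not taken from any real product.
FACTORY_DEFAULTS = {"admin": "admin"}
# Constructed, deliberately short deny list; a real device would ship a much larger one.
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "root", "1234", "default", "qwerty"}
MIN_LENGTH = 12  # assumed policy value for the example


def _hash_password(password, salt=None):
    """Salted PBKDF2 so stored credentials are not recoverable from a firmware or flash dump."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def _matches(stored, password):
    """Constant-time comparison of a candidate password against a stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


def password_policy_violations(username, new_password, previous=()):
    """Return the reasons a proposed password is rejected; an empty list means it is acceptable."""
    reasons = []
    if len(new_password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if new_password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if new_password == FACTORY_DEFAULTS.get(username):
        reasons.append("identical to the factory default")
    if new_password.lower() == username.lower():
        reasons.append("identical to the username")
    if any(_matches(old, new_password) for old in previous):
        reasons.append("reuses a previous password")
    return reasons


class SetupGate:
    """Device setup state: configuration is refused until every factory credential is replaced."""

    def __init__(self):
        self._credentials = {u: _hash_password(p) for u, p in FACTORY_DEFAULTS.items()}
        self._history = {u: [] for u in FACTORY_DEFAULTS}  # earlier hashes, for the reuse check
        self._unchanged = set(FACTORY_DEFAULTS)            # accounts still on factory passwords
        self.settings = {}

    def change_password(self, username, current_password, new_password):
        stored = self._credentials.get(username)
        if stored is None or not _matches(stored, current_password):
            return False, ["authentication failed"]
        reasons = password_policy_violations(username, new_password, self._history[username] + [stored])
        if reasons:
            return False, reasons
        self._history[username].append(stored)
        self._credentials[username] = _hash_password(new_password)
        self._unchanged.discard(username)
        return True, []

    def setup_complete(self):
        return not self._unchanged

    def configure(self, key, value):
        """Any configuration call is refused while a factory credential is still in use."""
        if not self.setup_complete():
            raise PermissionError("factory credentials still in use for: " + ", ".join(sorted(self._unchanged)))
        self.settings[key] = value
        return True


if __name__ == "__main__":
    gate = SetupGate()
    print(gate.change_password("admin", "admin", "admin"))
    print(gate.change_password("admin", "admin", "correct-horse-battery"))
    print(gate.configure("ntp_server", "ntp.example.net"), gate.settings)
```

The gate sits in front of every configuration call rather than in the web UI alone, so a Telnet or serial session cannot skip it; the reuse check compares against stored hashes, so the device never needs to keep old passwords in the clear.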

Ollmann suggested a few basic security procedures to mitigate risk.

“The obvious advice for reducing the probability of compromise today is change the default admin credentials on the IoT device, or change or remove any other nonadmin credentials on the device,” Ollmann said. “And ensure that the IoT device sits behind a firewall and that the firewall is configured to drop by default all protocols not absolutely required for the operation of the IoT device.”

Holland said the first step toward mitigating the risk of having your IoT devices used in a DDoS botnet is to be aware of your IoT footprint.

“Far too often, organizations aren’t aware of the actual IoT inventory within their environments. The next step is to understand the available configuration settings of the devices that are deployed. These could be quite limited, given the lack of security practices within IoT,” Holland said. “Ultimately, we will need to apply pressure to IoT vendors that security must be built into the devices, because unlike many traditional IT assets — like endpoints or servers — bolting on security isn’t an option.”

By Michael Heller