InformationWeek Stories by Mathew Schwartz
http://www.informationweek.com
InformationWeek, en-us. Copyright 2012, UBM LLC.
2013-05-17T10:07:00Z
Who Is Syrian Electronic Army: 9 Facts
Syrian hackers claim to battle American imperialism, media bias and Angelina Jolie.
http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028?cid=SBX_iwk_related_commentary_Policy_education
Beware patriotic Syrian hackers holding a media grudge. <P> That's one takeaway from the ongoing exploits of the Syrian Electronic Army, a self-described group of grassroots Syrian hackers who support Syrian President Bashar al-Assad. <P> During the country's two-year -- and counting -- civil war, the Syrian Electronic Army has been deployed as a propaganda tool to correct perceived slights or misinformation being disseminated via media outlets that the group sees as sympathetic to Syrian rebels. Its modus operandi is to compromise the Twitter and Facebook accounts of its targets, which are predominantly media outlets. The group's best-known exploit to date was seizing control of multiple Associated Press (AP) Twitter feeds, then using them to issue bogus messages, including the <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">following alert</a> on April 23: "Breaking: Two Explosions in the White House and Barack Obama is injured." <P> In the wake of that tweet, the White House confirmed that the president was unharmed, that there had been no explosions and that the FBI was investigating the hoax tweets. Due to automated high-speed trading systems set to monitor Twitter feeds, however, the news triggered a temporary downturn in the U.S. stock market that briefly erased $200 billion in value.
According to <a href="http://blog.thepro.sy/" target="_blank">Th3 Pr0</a> (pronounced "the pro"), the self-described 18-year-old "leader of special operations department" for the Syrian Electronic Army -- personal website tagline: "proud to be pro-Assad hacker" -- the hack was in retaliation for Network Solutions having seized the group's domain names, as well as for the United States "supporting the terrorist groups in Syria." <P> "We generally target the most malicious media, especially those who refuse to cover both sides of the war," a member of the SEA's "Special Operations Division," known as the Shadow, <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account" target="_blank">told <em>Vice</em></a> magazine. <P> Other media outlets targeted by the group have included CBS, AFP, Sky News Arabia and E! Online, with the hackers using a seized Twitter feed at the celebrity news site to announce earlier this month that Justin Bieber was gay, before telling Bieber fans they'd been "trolled." That followed its March compromise of multiple BBC Twitter accounts, which the group used to post anti-Semitic rants as well as to offer the following report via the BBC's Twitter weather feed: "Saudi weather station down due to head-on collision with camel." <P> In May, meanwhile, the group <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">seized control of the Twitter account for satire site the <em>Onion</em></a>. "UN retracts report of Syrian chemical weapon use: 'Lab tests confirm it is Jihadi body odor,'" reported one hoax tweet. Another said that the Onion's CEO said he regretted "taking Zionist money to defame Syria." <P> Obviously, the hacking group has its own perspective on not only the Syrian conflict, but what constitutes balanced reporting. 
For example, another hoax tweet -- posted to a <a href="http://www.informationweek.co.uk/security/vulnerabilities/5-steps-to-prevent-twitter-hacks/240005178">hacked Reuters Twitter account</a> last year -- read: "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria." <P> As that tweet illustrates, the Syrian Electronic Army persistently attempts to reframe the country's civil war as a conflict perpetrated by foreign powers that are arming terrorists and bringing them into the country in a bid to overthrow the legitimate Syrian government. <P> The hackers' perspective parallels more widespread, pro-Assad propaganda based on accusing many Western media outlets of not just bias, but also "persistent media warmongering, faking news and fabricating ... stories." That's according to a report on the <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">Syria News website</a>, which claimed that "terror NATO sponsors" were "airlifting, training, arming, financing and smuggling Al-Qaeda terrorists" into Syria.
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955551210/" target="_blank">Christiaan Triebert</a>.</em> <P> <strong>RECOMMENDED READING</strong> <P> <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">Anonymous OpUSA Hackathon: Mostly Bluster</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">Twitter Battles Syrian Hackers</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">Twitter Preps Two Factor Authentication After AP Hoax</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">How Syrian Electronic Army Unpeeled The Onion</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Hacktivists Hit Guardian Twitter Feeds</a> <P> <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria Back Online After Internet Blackout</a> <P> The Syrian Electronic Army emerged soon after the Syrian uprising began in 2011, defacing Facebook pages with pro-Assad messages that ranged from sweet -- "I love Bashar" -- to threatening. Anti-Assad activists said at the time that the group was founded by former intelligence agents and hardcore Assad supporters. <P> In September 2011, the group defaced Harvard University's website with a picture of Assad, and threatened retaliation against the United States for supporting the uprising. The defacement was signed with this message: "Syrian Electronic Army were here." The group also targeted the websites for <em>Newsweek</em>, Oprah Winfrey and Brad Pitt, after his partner, <a href="http://www.huffingtonpost.com/2011/09/27/syrian-electronic-army_n_983750.html" target="_blank">Angelina Jolie</a> -- a U.N.
special envoy -- visited Syrian refugees in Turkey. <P> A subsequent hoax tweet said that Angelina Jolie -- after she visited a Syrian refugee camp in Jordan in December 2012 -- had admitted that "Jordan is to blame for the Syrian refugees' atrocious conditions." Links included with the tweets redirected to malicious websites, as the group had done with its CBS Twitter account takeover. <P> Jolie appears to be an ongoing source of anger for the SEA. "We know the likes of Jolie, who under the 'humanitarian' cover, only serve American imperialism," said the Shadow. <P> <em>UNHCR Special Envoy Angelina Jolie meets with a young Syrian refugee in the Bekaa Valley, Lebanon.</em> <P> <em>Photograph courtesy of &copy;UNHCR/J. Tanner.</em> <P> The bigger picture is that the Syrian Electronic Army is serving as a propaganda tool in the ongoing, bloody two-year Syrian civil war.
To date, the conflict has likely killed at least 94,000 people, although new information suggests that combatants are underreporting casualties, and more than 120,000 people may have been killed, according to the <a href="http://syriahr.com/en" target="_blank">Syrian Observatory for Human Rights</a> (SOHR). <P> "The number of documented casualties since the beginning of the Syrian uprising [March 18, 2011] exceeds 94,000 people," according to a <a href="https://www.facebook.com/syriaohr/posts/369140923194252">post to the group's Facebook account</a>. "The SOHR estimates that the actual number of violent deaths is more than 120,000, due to the tens of thousands of captives, detainees and forcibly disappeared persons. As well as the secrecy of all combatant sides about the actual number of dead during clashes." <P> At least 41,000 of the soldiers and civilians killed were Alawites, which is the sect of President Bashar al-Assad, <a href="http://www.reuters.com/article/2013/05/14/us-syria-crisis-deaths-idUSBRE94D0L420130514" target="_blank">reported Reuters</a>. The <a href="http://www.reuters.com/article/2011/12/23/us-syria-religion-alawites-idUSTRE7BM1J220111223" target="_blank">Alawite sect</a> spun off from Shi'ite Islam and comprises about 12% of Syria's population. The Alawites were an oppressed minority until 1970, when President Assad's father Hafez took control of the country via a coup. <P> The Syrian civil war grew out of nonviolent protests against four decades of rule by the Assad family. The 2011 protests were made up largely of Sunni Muslims, a sect that comprises about 70% of Syria's population, as well as Syrian Kurds, who are an ethnic minority. The government's violent crackdown on the so-called Arab Spring protests helped trigger a full-blown conflict between the Assad regime and factions seeking to remove his Ba'ath Party from power.
<P> <em>Image courtesy of Flickr user <a href="http://www.flickr.com/photos/freestylee/5553097042/" target="_blank">Freestylee</a>.</em> <P> The Syrian Electronic Army most likely wasn't created to serve as a social media nuisance operation for avenging perceived slights against the Assad regime by Western media. So, where did it come from? <P> By <a href="http://english.al-akhbar.com/node/14718" target="_blank">some accounts</a>, the group began as a grassroots movement, staffed by "volunteers without any known backing" who proved their mettle, gaining the support of Assad "loyalists" as well as the head of the country himself.
<P> But according to a <a href="http://www.npr.org/2013/03/13/174121130/syrian-cyber-rebel-wages-war-one-hack-at-a-time" target="_blank">National Public Radio report</a> in March 2013, the Syrian Electronic Army was launched by the Syrian government in 2011 to use Facebook to identify, track and facilitate the arrest -- and according to critics of the regime, torture -- of anti-government activists. <P> Syrian hacker Ahmad Heidar ("Harvester") told NPR that in the summer of 2011, as protests in Syria began to spread and intensify, a government recruiter signed him up to the new unit, which operated from an underground bunker filled with state-of-the-art computer equipment. Heidar was told that working for the unit would count toward his mandatory national military service, and one of his tasks was to hack into the Facebook and Skype accounts of arrested activists, to remove all traces of their anti-government work. <P> In response to the report, the Syrian Electronic Army last month <a href="http://www.informationweek.co.uk/security/attacks/anonymous-takes-down-north-korean-websit/240152985">hacked into the National Public Radio Twitter feed</a>. 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/james_gordon_losangeles/7436274754" target="_blank">James Gordon</a>.</em> <P> The Syrian Electronic Army has more than passing ties to Assad. Although the Syrian leader trained in Britain as an eye doctor, in the 1990s he headed Syria's Computer Society -- pushing for better computer education for the country's children -- before succeeding his father as president of the country in 2000. Interestingly, the Syrian Electronic Army's first domain name "was registered by the Syrian Computer Society," Helmi Noman, a senior researcher at the Citizen Lab at Toronto University, <a href="http://edition.cnn.com/2013/04/24/tech/syrian-electronic-army/index.html" target="_blank">told CNN</a>.
<P> In addition, the domain is "hosted on the network of the Syrian government, which is interesting because it's the first time we've seen a group with questionable activities being hosted on a national computer network," he said, though he also noted that it's not proof that the hackers are government-funded. <P> A recent <em>Guardian</em> report, however, said the Syrian Electronic Army is bankrolled by <a href="http://www.guardian.co.uk/world/2011/jun/17/syria-richest-man-promises-giveaway" target="_blank">Assad's billionaire cousin Rami Makhlouf</a>, and that the group recently relocated from Syria to Dubai. "Makhlouf pays the pro-regime hackers for their activities, and they typically earn $500-$1,000 for a successful attack," according to the <em>Guardian</em>. "They also get free accommodation and food. Sometimes Syrian government officials tell the SEA which western sites to hack; on other occasions the SEA selects its own targets." <P> In response to that report, the Syrian Electronic Army <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">seized more than 11 <em>Guardian</em> Twitter feeds</a>, using them to decry the British paper's "lies and slander about Syria." <P> A <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">pro-Assad media outlet</a> likewise dismissed the paper's reporting. "Dubai is located in the United Arab Emirates, some 3,000 kilometers away from Damascus, but sitting in London thinking how to amuse the readers with fancy tales, our best guess is the authors, especially Mr. Harding, thought Dubai is somewhere in Syria, or Damascus is somewhere near Dubai." 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/wwworks/4006194802/" target="_blank">woodleywonderworks</a>.</em> <P> Is the Syrian Electronic Army based in Syria? After <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria reestablished its Internet connection</a> last week -- following a blackout that lasted approximately 24 hours -- security experts wondered when the hackers might resume their attacks. <P> With that question floating around the Internet, the group responded: "But wait ... we are in Dubai!" read a <a href="https://twitter.com/Official_SEA12/status/332256636624334848">tweet</a> from the @Official_SEA12 Twitter account.
<P> The Dubai quip was made in response to the aforementioned <a href="http://www.guardian.co.uk/technology/2013/apr/29/hacking-guardian-syria-background" target="_blank"><em>Guardian</em> report</a> last month that "according to defectors from inside its ranks, the group moved last year from Damascus to a secret base in Dubai." <P> The group's members later clarified that they were in Syria, and had been affected by the Internet outage. "Unfortunately it is true, though mobile phones worked intermittently due to a large number of Syrians using them as an alternate form of communication," said the Shadow. "These kinds of cuts do not affect the terrorists operating in Syria as they have their own US-supplied communication equipment. The blackout effectively shut down our operations, we are glad to be back." <P> Ditto, no doubt, for an eight-hour blackout that -- according to data provided by Arbor Networks -- began at about 8:30 a.m. Eastern Time on May 15, and lasted until just after 4 p.m. The cause of the blackout isn't known, although Internet monitoring firms suspect last week's blackout was due to the civil-war-torn country's weak infrastructure. 
<P> <em>Zones of control in Syria courtesy of <a href="http://www.flickr.com/photos/edans/5400848923/" target="_blank">Wikipedia</a>.</em> <P> How does the Syrian Electronic Army compromise targeted Twitter or Facebook accounts? According to an <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">account published by the <em>Onion</em></a>, the attackers used spear-phishing emails that included an apparent link to a <em>Washington Post</em> story, but which really led to a malicious website that asked users to enter their Gmail credentials. Attackers then used that information to gain access to Twitter accounts with that email on file.
<P> While no other media outlets have offered details of how they were compromised, security experts suspect that phishing attacks were also <a href="http://bits.blogs.nytimes.com/2013/05/10/details-emerge-about-syrian-electronic-armys-recent-exploits/" target="_blank">used against AP and Human Rights Watch</a>, with the phishing email links redirecting to Google or Microsoft webmail sites. <P> In the wake of the AP breach, Twitter was reportedly testing a two-factor authentication system. Once implemented, such a system should make it more difficult for attackers to compromise accounts via spear-phishing attacks. <P> The Syrian Electronic Army, however, has promised to continue compromising Twitter accounts. "It will definitely make it harder on Twitter, but this was never our primary attack vector," said the Shadow. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up." 
<P> The Syrian Electronic Army's hacking remit has limits. Notably, the group last week denied reports that it claimed to have hacked into a primary Israeli critical infrastructure system. "We would like to announce that in response to the unfair and illegal attacks, taken place by Israel on DATE, SEA has penetrated one of the main infrastructural systems (SCADA) in Haifa and managed to gain access to some sensitive data. Also SEA is now able to cause irrecoverable damages to the Israeli's infrastructural systems," read an email sent to some news outlets and signed as being from the Syrian Electronic Army (SEA), which included a link to a PDF file meant to <a href="https://cdn.anonfiles.com/1367855605244.pdf" target="_blank">validate the supposed control system intrusion</a>.
<P> But a member of the Syrian Electronic Army <a href="http://news.softpedia.com/news/Syrian-Electronic-Army-Claims-to-Have-Hacked-Israeli-Critical-Infrastructure-Systems-351779.shtml">told Softpedia</a> that the email was a fake, and said the group never emails media outlets. <P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955548656/" target="_blank">Christiaan Triebert</a>.</em> <P> Beyond hoax hacking reports, the Syrian Electronic Army has faced a few other recent challenges, such as having multiple domains seized by its domain registration firm. "After we communicated with the host/domain names company 'Network Solutions' [it] ... said that the reason for shut down the domains names is 'U.S. sanctions,'" according to a <a href="http://sea.sy/article.php?id=1939&lang=en" target="_blank">post</a> to the group's subsequently launched site, <a href="http://sea.sy" target="_blank">sea.sy</a>.
It said the seized domains were syrian-es.org, syrian-es.com and syrian-es.net, and that it would continue to use its backup domain, syrianelectronicarmy.com. <P> "Current domain registration information for syrian-es.com, syrian-es.org, and syrian-es.net shows that the current registrant is OFAC Holding," according to a <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Understanding-the-Syrian-Electronic-Army-SEA/ba-p/6040559" target="_blank">report </a> published by HP Security Research. "OFAC is the Treasury Department Office of Foreign Assets Control under their Office of Terrorism and Financial Intelligence." <P> Domain names aren't the only online real estate that the Syrian Electronic Army is having difficulty retaining. As the group has used Twitter accounts to publicize attacks, Twitter has <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">suspended those accounts</a>, creating a whack-a-mole situation that saw the introduction of new account "@Official_SEA," which Twitter subsequently froze, leading to multiple variations. Currently the count stands at @Official_SEA12, which the group has held for a relatively long time, suggesting that it has stopped using the account to announce its latest Twitter hacks. 
2013-05-17T09:06:00Z
Smartphone Theft: What Is Best Defense?
While mobile network operators are creating a global database to track stolen smartphones, some police say that's not enough.
http://www.informationweek.com/security/mobile/smartphone-theft-what-is-best-defense/240155038?cid=SBX_iwk_related_commentary_Policy_education
The latest smartphones might feature screens with unparalleled colors and clarity, cutting-edge cameras, and the ability to run a bewildering array of apps. But why don't they build in better loss prevention? <P> That's the gist of a plea issued this week by New York attorney general Eric T. Schneiderman, who's written to the CEOs of Apple, Google, Microsoft and Samsung, urging them to "help crack down on cell phone theft" by making it more difficult for thieves to wipe stolen devices' memory and resell the devices. <P> "This is a multi-billion dollar industry that produces some of the most popular and technologically advanced consumer electronic products in the world," said Schneiderman in a statement. "Surely we can work together to find solutions that lead to a reduction in violent street crime targeting consumers." <P> <strong>[ Fend off gadget thieves with these tips. Read <a href="http://www.informationweek.com/security/mobile/ipad-heist-at-jfk-highlights-mobile-tech/240142140?itc=edit_in_body_cross">iPad Heist At JFK Highlights Mobile Tech Risks</a>. ]</strong> <P> Apple, Google, Microsoft and Samsung -- <a href="http://www.informationweek.com/mobility/smart-phones/google-not-impressed-with-motorola-smart/240149714">plus Motorola</a>, which is owned by Google -- control 90% of the U.S. smartphone market.
All four except Google build some type of recovery capabilities into their devices. For Android, there are add-ons available in the Google Play online store. <P> But Schneiderman is not satisfied. He said his office is investigating whether the manufacturers -- such as Apple, which advertises its products' "safety and security by design" -- have engaged in deceptive trade practices by not combating the theft problem more forcefully. "I seek to understand why companies that can develop sophisticated handheld electronics and operating systems ... cannot also create technology to render stolen devices inoperable and thereby eliminate the expanding black market on which they are sold," wrote Schneiderman in his letters to the manufacturers. <P> Wielding both carrot and stick, Schneiderman in his letter suggested that he'll be seeking details of how much each of the four smartphone manufacturers earns from consumers paying to replace products that have been stolen. "I would be especially concerned if device theft accrues to your company's financial benefit through increased sales of replacement devices," he said. <P> Schneiderman's outreach comes as <a href="http://online.wsj.com/article/SB10001424127887324031404578481420456602076.html">mobile network operators are in the process of creating a global database for tracking stolen smartphones</a>, <em>The Wall Street Journal</em> reported this week. But some police officials have said that the voluntary database won't do enough to deter smartphone theft. <P> Violent smartphone and tablet robberies are on the rise. According to the Attorney General's office, comparing all of 2011 to the first nine months of 2012, smartphone thefts in New York City increased by 40%. Such robberies have been dubbed "Apple picking," given thieves' apparent penchant for iOS products. But according to a 2011 New York Police Department study, only 30% of devices stolen from subways and buses were manufactured by Apple. 
<P> New York City ranked ninth in a list of the top 10 cities that reported the greatest numbers of 2011 phone thefts, which was <a href="https://www.lookout.com/news-mobile-security/lookout-lost-phones-30-billion">compiled by security vendor Lookout Mobile Security</a>. The study found that phone theft was most prevalent in Philadelphia, followed by Seattle and Oakland. The most likely place for a New Yorker to lose his phone was in a fast-food restaurant. By Lookout's estimates, based on its finding that the average consumer loses or misplaces one device per year, stolen cell phones could cost U.S. consumers $30 billion in replacement costs. <P> Schneiderman's office said that Lookout will be advising the New York state government -- pro bono -- on approaches to combating device theft.

2013-05-16T13:26:00Z
LulzSec Hackers Sentenced In London
Group's 50-day hacking spree compromised websites run by Sony, CIA, Arizona State Police, Westboro Baptist Church and more.
http://www.informationweek.com/security/attacks/lulzsec-hackers-sentenced-in-london/240155060?cid=SBX_iwk_related_commentary_Policy_education
LulzSec Hacker "Topiary" famously tweeted: "You cannot arrest an idea." <P> Perhaps not, but in the case of Topiary, revealed to be <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">Jake Davis</a>, now 20, you can be sentenced to 24 months in a "young offenders institute" for two counts of conspiracy to impair the operation of a computer, to be followed by a five-year <a href="http://www.cps.gov.uk/legal/s_to_u/serious_crime_prevention_orders_(scpo)_guidance/">serious crime prevention order</a> that can restrict where he can travel and which jobs he'll be allowed to take. 
<P> Davis' sentence was handed out in a London courtroom Thursday, where he appeared this week for sentencing with Ryan Cleary (<a href="http://www.informationweek.com/security/attacks/lulzsec-takes-hit-keeps-on-hacking/231000223">Viral</a>), Mustafa al-Bassam (<a href="http://www.informationweek.com/security/cybercrime/scotland-yard-arrests-lulzsec-anonymous/231600755">Tflow</a>) and Ryan Ackroyd (<a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">Kayla</a>). All were participants in the Anonymous spin-off known as LulzSec, which launched online attacks against numerous organizations' websites, including the CIA, Britain's Serious Organized Crime Agency (SOCA) and National Health Service (NHS), 20th Century Fox, News International, and <a href="http://www.informationweek.com/security/attacks/fbi-busts-suspected-lulzsec-hacker-in-so/231602040">Sony Pictures Entertainment</a>, from which it also leaked customer credentials and credit card numbers. <P> <strong>[ Want to know how the feds are trying to stop hacktivists? Read <a href="http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858?itc=edit_in_body_cross">FBI Briefs Bank Executives On DDoS Attack Campaign</a>. ]</strong> <P> Cleary, 21, was sentenced to 32 months in prison followed by a five-year serious crime prevention order. Ackroyd, 26, was sentenced to 30 months. Al-Bassam, meanwhile, who was only 16 -- and still a high school student -- when LulzSec embarked on its 50-day hacking spree, received a 20-month suspended sentence. The 18-year-old was also ordered to perform 300 hours of community service, and must submit to a <a href="http://en.wikipedia.org/wiki/Sentencing_in_England_and_Wales ">supervision order</a> -- aka probation -- for six months. 
<P> At the four men's sentencing hearing Wednesday, prosecutor Sandip Patel accused them of <a href="http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940">being "latter-day pirates."</a> (In fact, one ASCII art logo used by LulzSec, aka "The Lulz Boat," featured a pirate ship with a "LOL" flag.) "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal," Patel said. <P> British police arrested Cleary on June 20, 2011, followed by al-Bassam on July 19, Davis on July 27 and Ackroyd on September 1. All four men subsequently <a href="http://www.informationweek.com/security/attacks/lulzsec-hackers-plead-guilty-to-cia-sony/240152582">pleaded guilty</a> to some or all of the hacking charges filed against them. <P> "This has been a long and complex investigation conducted with the assistance of our international partners," said Charlie McMurdie, the London Metropolitan Police detective superintendent who heads the Police Central e-Crime Unit. "After initially being alerted by the FBI to criminal activity on British soil, we came to arrest Ryan Cleary and quickly began unpicking LulzSec, who had been running riot, causing significant harm to businesses and people." <P> According to investigators, Ackroyd took the lead on researching and executing many of the group's hack attacks, and Cleary assisted by offering the use of his botnet to generate <a href="http://www.informationweek.com/security/attacks/ddos-tools-flourish-give-attackers-many/232600497">distributed denial-of-service attacks</a> that disrupted targeted sites and servers. Meanwhile, al-Bassam trolled for exploitable vulnerabilities in websites and maintained LulzSec's website, while Davis acted as spokesman, managing <a href="https://twitter.com/LulzSec">the group's Twitter account</a> and issuing press releases. 
<P> "Theirs was an unusual campaign in that it was more about promoting their own criminal behavior than any form of personal financial profit," McMurdie said. "In essence, they were the worst sort of vandal -- acting without care of cost or harm to those they affected, whether that was to cause a company to fold and so costing people their jobs, or to put at threat the thousands of innocent Internet users whose logins and passwords they made public." <P> "In the case of the police force whose employee details they revealed, the group's reckless publication of confidential material could very well have threatened lives," he said. <P> A police digital forensic investigation of computers seized during LulzSec raids found "indecent material" relating to child pornography on one of Cleary's computers. Cleary has pleaded guilty to two counts of making indecent images of children, and one count of possessing those images. He's due to be sentenced on those charges on June 12, 2013. <P> LulzSec's leader, U.S. hacker Sabu, whose real name is Hector Xavier Monsegur, was arrested by the FBI in June 2011 and <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">turned informer</a>. At the request of U.S. prosecutors, who said he's assisting in investigations, he has yet to be sentenced.

2013-05-16T10:31:00Z
DHS Eyes Sharing Zero-Day Intelligence With Businesses
DHS proposal would give private businesses access to the government's stockpile of zero-day secrets for a fee.
http://www.informationweek.com/security/vulnerabilities/dhs-eyes-sharing-zero-day-intelligence-w/240154972?cid=SBX_iwk_related_commentary_Policy_education
The Department of Homeland Security (DHS) Wednesday offered to help private businesses zero in on the zero-day vulnerabilities being used to compromise their networks. The DHS pitch: We'll share intelligence gleaned from the U.S. 
government's vast stockpile of zero-day vulnerabilities -- purchased from bug hunters and resellers -- to help block zero-day threats. <P> "It is a way to share information about known vulnerabilities that may not be commonly available," Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., <a href="http://mobile.reuters.com/article/article/idUSBRE94E11B20130515?irpc=932">reported Reuters</a>. <P> Private businesses would pay for the service, which would be offered by telecommunications firms and defense contractors. <P> The DHS proposal is a continuation of the February 2013 <a href="http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858">executive order</a> and related presidential policy directive issued by President Obama, which created a public-private cyber-threat <a href="http://www.informationweek.com/government/security/white-house-cybersecurity-executive-orde/240148460">information sharing regime</a>, as well as voluntary private sector cybersecurity standards. <P> The executive order expanded the Enhanced Cybersecurity Services program -- formerly known as the <a href="http://www.informationweek.com/government/security/feds-isps-team-on-cybersecurity-for-defe/230800180">Defense Industrial Base pilot</a> -- to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances. <P> Enhanced Cybersecurity Services participants include AT&T, Northrop Grumman and Raytheon. <P> <strong>[ Threat-intelligence sharing must balance security against privacy. Read <a href="http://www.informationweek.com/security/management/cispa-20-house-intelligence-committee-fu/240152923?itc=edit_in_body_cross">CISPA 2.0: House Intelligence Committee Fumbles Privacy Again</a>. ]</strong> <P> Rep. 
Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, lauded the DHS plan because the black-box approach wouldn't expose U.S. threat intelligence to other countries. "This can't happen if you post it on a website," he said. "We have to find a forum in which we can share it, and 10 providers serve 80% of the market. We have classified relationships with a good number of them." <P> Rogers is also the co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), the second version of which recently passed in the House but stalled in the Senate. The legislation has proposed indemnifying any business that shares network scans with U.S. government agencies, in a bid to crowdsource threat detection. But the suggestion has drawn the <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">ire of privacy and civil rights groups</a>, which object to giving blanket immunity to any business that shares customer and employee information -- potentially including full texts of all emails sent and received via business networks -- with intelligence agencies. <P> Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers' network traffic for some signs of attack. <P> The offer of shared threat intelligence is a <a href="http://www.informationweek.com/government/security/cybersecurity-executive-order-leaves-tou/240148510">crucial incentive</a> for getting private businesses to agree to participate in the government's cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses. 
<P> To date, the <a href="http://www.informationweek.com/security/vulnerabilities/so-you-want-to-be-a-zero-day-exploit-mil/231902813">large sums of money</a> on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, <a href="http://www.informationweek.com/security/vulnerabilities/blackhole-botnet-creator-buys-up-zero-da/240145769">criminal gangs</a> or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use. "The only people paying are on the offensive side," former NSA employee and <a href="http://www.informationweek.com/security/mobile/apple-excommunicates-ios-cracker/231902576">renowned smartphone hacker Charlie Miller</a>, who's now a security researcher at Twitter, told Reuters. <P> Furthermore, some <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510">information security experts have warned</a> that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the <a href="http://www.informationweek.com/security/attacks/weaponized-bugs-time-for-digital-arms-co/240008564">bug vulnerability marketplace</a> and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense. <P> Others have said that the United States has an obligation to serve Americans by disclosing what it knows about zero-day threats. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," former White House cybersecurity advisor Richard Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't." <P> The U.S. government's apparent emphasis on playing cyber offense comes as critics have accused the government of lagging on defense. 
"NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, via <a href="https://twitter.com/csoghoian/status/334150855085391872">Twitter</a>.

2013-05-15T11:38:00Z
LulzSec Hacker 'Pirates' Face Sentencing
Four members of Anonymous spinoff faced sentencing Wednesday for leaking data and launching distributed denial of service attacks against Sony.
http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940?cid=SBX_iwk_related_commentary_Policy_education
Four men accused of launching online attacks under the banner of LulzSec appeared in a London courtroom Wednesday for sentencing. <P> Ryan Cleary, 21; Jake Davis, 20; Ryan Ackroyd, 26; and Mustafa Al-Bassam, 18, had previously pleaded guilty to hacking charges as part of LulzSec's online attack sprees, which caused tens of millions of dollars in damages. All had been remanded on bail pending their sentencing hearing. <P> "<a href="http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-Home-Office-agency.html">The defendants are colloquially known as cyber attackers</a> based in the U.K. 
and elsewhere and they waged what was an undoubtedly sophisticated and orchestrated campaign between February and September 2011," prosecutor Sandip Patel told the sentencing hearing, reported Britain's <em>Daily Mail</em>. <P> <strong>[ Busted! Sometimes hackers make mistakes. Read <a href="http://www.informationweek.com/security/attacks/how-south-korea-traced-hacker-to-pyongya/240152702?itc=edit_in_body_cross">How South Korea Traced Hacker To Pyongyang</a>. ]</strong> <P> At press time, lawyers for the four LulzSec participants had yet to present mitigating factors to the sentencing hearing, over which Judge Deborah Taylor is presiding. The hearing is expected to conclude Wednesday or Thursday. <P> Patel told the court Wednesday that the men's information security attacks were "anarchic self-amusement" that lacked even the political ethos espoused by some Anonymous participants, reported Reuters. <a href="http://news.yahoo.com/lulzsec-hackers-cutting-edge-cyber-crime-court-told-135823354.html">"They saw themselves as latter-day pirates,"</a> he said. "They identified vulnerable computer systems, when they found them they would break into them and pillage them." <P> The damage that resulted from the group's exploits could be extensive. <a href="http://www.informationweek.com/security/attacks/pwnie-award-highlights-sony-epic-fail-an/231300255">Sony said it cost $20 million</a> in clean-up costs after LulzSec hacked into Sony servers and published customers' credentials and credit card numbers. The Pentagon said it spent $120,000 on cleanup following a LulzSec hack. <P> "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cyber-criminal," Patel said. 
<P> Over the course of its short existence, LulzSec compromised numerous sites, defacing some, launching <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">distributed denial-of-service (DDoS) attacks</a> against others, and sometimes seizing and publishing sensitive data to Pastebin, Pirate Bay or its own site. <P> The group's <a href="http://www.informationweek.com/security/cybercrime/lulzsec-claims-credit-for-cia-site-taked/230800019">DDoS targets included the CIA</a>, News International, Britain's Serious Organized Crime Agency, Sony and <a href="http://www.informationweek.com/security/attacks/anonymous-continues-westboro-church-atta/240145120">Westboro Baptist Church</a>. Other victims included the Arizona State Police, 20th Century Fox, News International, Britain's National Health Service, and the Serious Organized Crime Agency (SOCA), which is responsible for investigating computer crimes in Britain. <P> Patel said that LulzSec was led by U.S. hacker <a href="http://www.informationweek.com/security/vulnerabilities/hacker-sabu-worked-nonstop-as-government/232602334">Sabu</a>, whose real name is Hector Xavier Monsegur. Unbeknownst to his fellow LulzSec participants, Sabu was <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">quietly busted</a> by the FBI in June 2011 and immediately turned informer. Despite LulzSec participants' attempts to <a href="http://www.informationweek.com/security/privacy/lulzsec-suspect-learns-even-hidemyasscom/231602248">mask their true identities</a> -- even to each other -- Sabu helped the bureau and its overseas cybercrime investigation counterparts round up the other members. <P> According to prosecutors, Davis (aka Topiary) was in charge of LulzSec's communications strategy, and maintained its Twitter feed and website. 
<a href="http://www.independent.co.uk/news/uk/crime/british-lulzsec-hactivists-stole-passwords-and-credit-card-details-from-hundreds-of-thousands-of-people-court-told-8617450.html">He "smirked in the dock"</a> Wednesday when prosecutors detailed his role in LulzSec, reported Britain's <em>The Independent</em>. <P> Ackroyd, a former soldier who pretended to be a 16-year-old girl named Kayla, helped select targets and conduct reconnaissance. He was "probably the most sophisticated known conspirator," said Patel, and had a reputation for being a "highly sophisticated rooter." Meanwhile, Bassam (tFlow) also helped identify <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">websites sporting known vulnerabilities</a> that could be exploited. Authorities said he was still a high school student when LulzSec was in operation. <P> Prosecutors told the court that Cleary (aka Viral) -- unlike Sabu, Ackroyd, Davis and Bassam -- wasn't a core member of the group, but was desperate to take part, and <a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">provided his botnet</a>, built over six years, for LulzSec's exploits. "At any one time he had up to 100,000 computers directly and actively under his control," said Patel. <P> Cleary previously pleaded guilty to possessing "indecent images" relating to child pornography, which investigators found on hard drives seized during the investigation. After being granted conditional bail in June 2011, he was again -- temporarily -- taken into custody after attempting to contact Sabu in December 2011. 
<P> Patel, who characterized Cleary as being "trigger happy," said the LulzSec participant earned up to $4,500 per month by <a href="http://www.informationweek.com/security/vulnerabilities/cheap-botnets-a-boon-to-hackers/225200501">renting his botnet out</a> to other attackers.

2013-05-14T13:14:00Z
FBI Briefs Bank Executives On DDoS Attack Campaign
FBI expedited security clearances so it could share classified info on Operation Ababil, a distributed denial of service attack.
http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858?cid=SBX_iwk_related_commentary_Policy_education
The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year. <P> The videoconference briefings detailed "who was behind the keyboards" of the attacks, FBI executive assistant director Richard McFeely told the Reuters Cybersecurity Summit Monday, <a href="http://www.reuters.com/article/2013/05/13/us-cyber-summit-fbi-banks-idUSBRE94C0XH20130513">reported</a> Reuters. McFeely is in charge of the bureau's criminal and cyber investigations. 
<P> The Operation Ababil distributed-denial-of-service (DDoS) attacks, which typically target a handful of the country's top banks every week, have disrupted the websites of such financial institutions as Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attacks have resulted in customers sometimes being unable to access online or mobile banking services. <P> <strong>[ What's happening when bank sites go down? Read <a href="http://www.informationweek.co.uk/security/attacks/bank-hacks-7-misunderstood-facts/240008566?itc=edit_in_body_cross">Bank Hacks: 7 Misunderstood Facts</a>. ]</strong> <P> Banks targeted as part of Operation Ababil have been frustrated by the lack of arrests or apparent progress in the case, McFeely said. But he said that some indictments -- currently under seal -- have been issued for suspects' arrest. Suggesting that the suspects are operating in countries that have no extradition treaty with the United States, he said that the hackers might be caught when they travel to other countries. "The first time we bring someone in from out of the country in handcuffs, that's going to be a big deal," he said. <P> McFeely said the bureau has been making an effort to keep cybercrime victims up to date, admitting that the FBI was "terrible" about doing so in the past. "That's 180 degrees from where we are now," he said. <P> The self-proclaimed Muslim hacktivist group Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the banking website disruptions, which it said are retaliation for the posting to YouTube in July 2012 of a film that mocks the founder of Islam. U.S. government officials, however, have accused the group of <a href="http://www.informationweek.co.uk/security/attacks/banks-hit-downtime-milestone-in-ddos-att/240152267">being a front for Iran</a>. 
Members of the group have responded by saying they're apolitical and hail from multiple countries. <P> Despite the bank attacks having been previewed in advance and now more often than not simply occurring every week, banks -- after spending millions of dollars on <a href="http://www.informationweek.co.uk/security/attacks/ddos-attack-bandwidth-jumps-718/240153084">countermeasures</a> -- have been unable to fully block the DDoS campaign. In part, that's because attackers have managed to <a href="http://www.informationweek.co.uk/security/attacks/bank-attackers-used-php-websites-as-laun/240144413">exploit thousands of PHP websites</a> that include known vulnerabilities and install attack toolkits, which they remotely control to queue up attacks against designated banks. <P> The sheer scale of the DDoS attacks and the number of compromised websites is astounding. The Department of Homeland Security and FBI have reportedly been liaising with cybersecurity officials in 129 other countries and shared details of a total of 130,000 IP addresses that have been used in the attacks. <P> The bureau's classified bank executive briefing comes in the wake of President Obama's <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">"Improving Critical Infrastructure Cybersecurity" executive order</a>, issued in February, which instructed the Department of Homeland Security to "expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators." Critical infrastructure, the vast majority of which is privately owned, refers to the energy, oil, water, telecom, finance and transportation industries. 
<P> Some members of Congress have been calling for new laws to <a href="http://www.informationweek.co.uk/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">indemnify businesses that share cyber-attack information</a> with law enforcement agencies. But the FBI's outreach effort suggests that public-private information sharing is already occurring. <P> McFeely did, however, report that the bureau has faced difficulty gathering information about online attacks from victims, for example from defense contractors wary of speaking to the FBI. Interestingly, recent news reports suggest that online attacks against defense contractors -- attributed to China -- have been <a href="http://www.informationweek.co.uk/security/government/china-tied-to-3-year-hack-of-defense-con/240154064">much more successful than previously disclosed</a> in public, and resulted in the compromise of data relating to the latest drone and robot technologies, and might have undermined the combat reliability of the Lockheed Martin F-22 Raptor.

2013-05-14T11:30:00Z
Apple iPhone Decryption Backlog Stymies Police
Apple's waiting list to bypass security controls on latest-generation iPhone and iPad devices means months-long delays for law enforcement investigators.
http://www.informationweek.com/security/encryption/apple-iphone-decryption-backlog-stymies/240154842?cid=SBX_iwk_related_commentary_Policy_education
Apple is overwhelmed by requests from law enforcement agencies to 
decrypt seized iPhones, and its waiting list is so long that it <a href="http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/">may take months</a> before new requests get handled. <P> That revelation, first reported by CNET, was gleaned from a search warrant affidavit for a seized iPhone last summer by a federal agent who was investigating a Kentucky man on crack cocaine distribution charges. <P> The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) agent, Rob Maynard, said in court documents that he'd "attempted to locate a local, state or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S seized during the investigation, but every contacted law enforcement agency said that it "did not have the forensic capability." Apple, meanwhile, told him that the wait time for recovering data from an iPhone -- which the technology firm copied to a USB key then provided to investigators -- was approximately seven weeks, though Maynard ultimately had to wait about four months. <P> The ATF case highlights that technology companies, including Apple, must comply with court orders to unlock devices they build or sell. But it also revealed that Apple is somehow able to bypass the security controls built into its latest-generation devices. "That is something that I don't think most people realize," Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project, told CNET. "Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data." <P> <strong>[ Who can you trust? Check out <a href="http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?itc=edit_in_body_cross">Microsoft Tech Support Scams: Why They Thrive</a>. 
]</strong> <P> Does court-ordered data retrieval <a href="http://www.informationweek.com/security/privacy/7-facts-about-geolocation-privacy/240005824">infringe on people's privacy rights</a>? "It's important to note that both cops and legislation tend to trail criminals in the adoption of new technologies," said Nick Selby, a Texas police officer and the CEO of StreetCred Software, which provides fugitive case management software to law enforcement agencies, via email. "It's important to question whether police may be going too far, but it is equally important to consider criminals' use of these technologies to abet, and in some cases actually commit, crimes." <P> Many judges have granted warrants to law enforcement agencies to retrieve data from -- or that's associated with -- mobile devices or their radio frequency (RF) communications. "Recent rulings encourage law enforcement to better develop their mobile device and RF chops. For example, in <a href="http://www.informationweek.com/security/mobile/lose-the-burners-court-okays-prepaid-pho/240005614">U.S. vs. Skinner</a> last August, the U.S. Court of Appeals for the 6th Circuit ruled that police may track the signals emanating from wireless devices like a cellphone owned by a person," Selby said. "The fact that the court found that users do not have a reasonable expectation of privacy in the data given off by a voluntarily procured, pay-as-you-go cellphone means that we can expect to see more use cases like these." <P> Is Apple putting cases at risk by not complying more quickly with court orders? In the ATF investigation, the attorney for the 24-year-old defendant, Mark Edmond Brown, filed a motion to suppress the evidence gathered from the defendant's iPhone, given the delay in retrieving it. <P> But U.S. 
district court judge Karen Caldwell wrote in an opinion that the ATF was "placed on a waiting list by the company" -- referring to Apple -- for what had been a court-ordered seizure, meaning it was backed by a warrant. "The court finds nothing in the record to demonstrate any evidence of bad faith or unnecessary delay in procuring assistance from Apple to unlock the phone," she wrote. <P> In October 2012, Brown -- a convicted felon -- <a href="http://www.justice.gov/usao/kye/news/2012/2012-10-31-lawton.html">pleaded guilty</a> to possessing firearms, and according to CNET, last month pleaded guilty to a charge of conspiracy to distribute less than five kilograms of crack cocaine. <P> If Apple didn't unlock iPhones for law enforcement agencies in response to a court order, would police have any other options? Some police forces have been testing <a href="http://www.informationweek.com/mobility/smart-phones/london-police-test-smartphone-data-dump/240000766">smartphone data dump kits</a> to allow investigators to easily retrieve data without having to use an external lab or appeal to a device manufacturer or carrier. <P> But recent iOS devices appear tough to crack. For example, Russian digital forensics toolmaker Elcomsoft says its <a href="http://www.informationweek.com/security/mobile/ios-4-hardware-encryption-cracked-by-for/229700041">iOS Forensic Toolkit</a> -- only sold to law enforcement agencies, <a href="http://www.informationweek.com/security/encryption/cracking-bin-ladens-hard-drives/229402923">intelligence agencies</a> and professional forensic investigators -- can "acquire bit-precise images of Apple iOS devices in real time" from all iPhone, iPad and iPod Touch devices that run iOS 3, iOS 4 and iOS 5. 
But the iPhone 5, released last year, and which ships with iOS 6, doesn't appear to be unlockable with the Elcomsoft tool.

2013-05-13T12:09:00Z
Microsoft Tech Support Scams: Why They Thrive
Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.
http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?cid=SBX_iwk_related_commentary_Policy_education

Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free. <P> If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more. <P> According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog <em>Which?</em>, 3% of respondents said they'd <a href="http://conversation.which.co.uk/technology/microsoft-phone-scam-cold-calling-protect-yourself/">allowed scammers to log onto their PC</a> and 2% gave them money. 
Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not. <P> Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate. <P> <strong>1. Scammers Reuse Scripts.</strong> <P> The con artists behind telephone repair scams often <a href="http://www.informationweek.com/security/management/microsoft-windows-support-call-scams-7-f/240005023">reuse the same script</a>, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer." <P> <strong>[ Tired of being stuck in password hell? See <a href="http://www.informationweek.com/security/client/10-top-password-managers/240153906?itc=edit_in_body_cross">10 Top Password Managers</a>. ]</strong> <P> One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said. <P> <strong>2. South African Targeted By StartControl.</strong> <P> Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as <a href="http://www.startcontrol.com/pin.php">BeAnywhere support express</a>, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said. <P> <a href="http://www.beanywhere.com/">BeAnywhere</a> is legitimate remote-control software. But who is Startcontrol.com? 
According to Alexa, <a href="http://www.alexa.com/siteinfo/startcontrol.com">Startcontrol.com has been operating for 10 years</a> and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, led to a "server error: 404 - File or directory not found" message. <P> The site's whois listing says that the domain was registered through GoDaddy, and lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number led to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company. <P> GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com. <P> <strong>3. Support Routines Might Be Real-Time Smokescreens.</strong> <P> One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software. <P> "He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it." 
<P> The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said. <P> <strong>4. Telephone Scams: Cheap, Easy, Repeatable.</strong> <P> Microsoft support scams succeed in part because they're cheap and easy to run. International call centers -- think boiler rooms -- are often used, situated in an inexpensive labor market such as India, and facilitated via low-cost VoIP telephony. <P> Thankfully, consumer watchdogs have been mobilizing. Last year, the Federal Trade Commission <a href="http://www.informationweek.com/security/privacy/ftc-disconnects-tech-support-telemarketi/240008480">cracked down on some tech support scams</a>, filing charges and freezing assets associated with 14 businesses and 17 people. It said the scam operations had successfully conned tens of thousands of English-speaking consumers in the United States, as well as Australia, Canada, Ireland, New Zealand and the United Kingdom, into paying between $49 and $450 for fake services. <P> At the time, the FTC detailed how many of these scam artists operate: "When consumers agreed to pay the fee for fixing the 'problems,' the telemarketers directed them to a website to enter a code or download a software program that allowed the scammers remote access to the consumers' computers," according to the FTC. "Once the telemarketers took control of the consumers' computers, they 'removed' the non-existent malware and downloaded otherwise free programs." <P> <strong>5. Technobabble Warnings: "Frozen DNS Trojan."</strong> <P> Obviously, support scams often succeed because many consumers don't understand Windows information security intricacies. But con artists often operate on the edge of believability, slowly reeling in even technologically savvy targets, who they might have caught unaware with an impromptu phone call. 
<P> One reader, for example, emailed earlier this year to say the lure of "free" technical support -- no apparent harm there -- initially caught her off guard. "I just received one of those scam calls from an 800 number obviously from someone in India trying to tell me my computer was infected with a 'frozen DNS Trojan' -- originally he said 'virus' but switched to 'Trojan' later in the call," she said. "I didn't fall for it at all but was curious enough to find out exactly what he was up to. Eventually I told him I knew he was a scammer and didn't believe a word he was saying and hung up." <P> Technobabble aside, she reported almost falling for the scam. "I'm relatively computer savvy and for a brief second I wondered if this was for real," she said. "So if I could be duped (even for a split second) I can see how people get pulled into this type of scam especially when the scammer tries to tell you this is all 'free' for him to show you are infected with this virus or Trojan." <P> <strong>6. Virus Scanners Fake Results.</strong> <P> To try to get their way, scammers might bring psychological pressure to bear. For example, when Jerome Segura, senior malware researcher at Malwarebytes, was cold-called by tech support con artists he gave them access to a virtual machine. <a href="http://blog.malwarebytes.org/intelligence/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/">They flew into repair rage</a> when he refused to pay $229 following their fake ministrations. "They got mad and deleted documents and pictures from my (virtual) machine before cutting me off in a very rude way," he said in a blog post. <P> Fake bells and whistles might also be employed. This month, for example, Segura said he decided to call a tech-support number that flashed up in a pop-up advertisement window, <a href="http://blog.malwarebytes.org/intelligence/2013/05/online-pc-support-scams-turning-the-tables/">just to see where it might lead</a>. 
As before, he gave the tech support person who answered remote access to his PC -- not telling him it was a fully cleaned and isolated virtual machine -- on which he installed, as instructed, <a href="http://www.informationweek.com/security/vulnerabilities/unpatched-remote-access-tools-your-gift/240151523">TeamViewer software</a>, through which the supposed tech-support agent accessed the PC, then ran a downloaded scanner. Just two seconds later, the scanner reported extensive virus infections. Segura said his analysis of the scanner's database found that it was "stuffed with false positives which aren't just accidents, but clearly used to add some drama." <P> Added drama or not, don't fall for tech-support scams. <P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>

2013-05-10T11:30:00Z
Huawei CEO Dismisses Security, Spying Concerns
Company founder denies that Huawei employees would ever be forced to spy for China.
http://www.informationweek.com/security/vulnerabilities/huawei-ceo-dismisses-security-spying-con/240154630?cid=SBX_iwk_related_commentary_Policy_education

The founder and CEO of Chinese networking equipment manufacturer Huawei, in his first-ever media interview, Thursday dismissed allegations that backdoors may have been built into the company's products to facilitate Chinese espionage. <P> "Huawei has no connection to the cybersecurity issues the U.S. has encountered in the past, current and future," Huawei CEO Ren Zhengfei, 68, told local reporters -- through an interpreter -- while on a visit to New Zealand this week, according to news reports. <P> Since founding the company 26 years ago, Ren had previously refused to conduct media interviews. 
But during his visit this week to New Zealand, he <a href="http://www.bbc.co.uk/news/business-22460962">agreed to meet</a> with reporters from four of the country's news outlets. <P> In response to reporters' questions, <a href="http://www.stuff.co.nz/business/industries/8651260/Huawei-CEO-gives-first-ever-interview">Ren dismissed allegations</a> that his employees might be colluding with state security services, instead likening the relationship between his company and the Chinese government to that between New Zealand companies and their government, reported Fairfax Media in New Zealand. Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity. <P> <strong>[ U.S. officials are trying to ratchet up pressure on China. See <a href="http://www.informationweek.com/quickview/senate-bill-calls-for-cyberespionage-wat/3271?wc=4?itc=edit_in_body_cross">Senate Bill Calls For Cyberespionage 'Watch List'</a>. ]</strong> <P> Ren's comments can be read as a criticism of the U.S. singling out Chinese firms Huawei (the world's second-largest telecommunications manufacturer) and ZTE last year in a Congressional report warning that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Accordingly, the U.S. House of Representatives Permanent Select Committee on Intelligence's Oct. 2012 report <a href="http://www.informationweek.com/security/vulnerabilities/what-huawei-zte-must-do-to-regain-trust/240009190">"strongly encouraged" all U.S. businesses</a> "to seek other vendors for their projects." <P> American businesses appear to be listening. A recent survey of 454 IT professionals conducted by <em>InformationWeek</em> found that the U.S. government's recommendation to avoid Huawei equipment would influence their buying decision-making. 
Indeed, 37% of surveyed businesses cited the warning as a major concern, and 34% said it would be a deal-breaker. <P> But Ren Thursday downplayed his company's presence in the American market. "Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major U.S. carriers, nor have we sold any equipment to any U.S. government agency," he said. <P> His comments echoed those of Huawei executive VP Eric Xu, who last month said, "We are not interested in the U.S. market any more," <a href="http://www.networkcomputing.com/data-networking-management/huawei-quits-us-market/240153472">according to</a> the <em>Financial Times</em>. <P> Despite that apparent vow to quit the U.S. market, the company subsequently <a href="http://www.informationweek.com/quickview/huawei-changes-its-us-market-story/3182">changed its story</a>, saying it would continue to actively sell its products in the United States. "We continue to sell in the U.S. in all three business areas: Device, Carrier Network and Enterprise," Huawei spokesperson Jannie Luong told <em>Network Computing</em> in April. <P> In the wake of the Oct. 2012 Congressional report, Australia, India and the United Kingdom were already evaluating whether they would continue to work with Huawei and ZTE. Notably, India's Research and Analysis Wing -- the government's main intelligence service -- issued a report warning that "Huawei Technologies is known to have links with the People's Liberation Army (PLA) and the ministry of state security of China." <P> In response, Huawei proposed that <a href="http://www.informationweek.com/government/security/huawei-proposes-security-test-center/240009701">Australia create an information security test center</a> to vet the company's products. 
<P> But fears of Chinese espionage were further compounded this week, after an annual report from the Pentagon to Congress <a href="http://online.wsj.com/article/SB10001424127887323687604578467442670389684.html">directly accused China</a> of running a military cyber-espionage operation that accessed U.S. government systems. "China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic and defense industrial base sectors that support U.S. national defense programs," according to the report. <P> In the wake of that warning, Huawei and ZTE appear to be facing fresh scrutiny by Indian government officials, who said this week that they're creating a testing lab to assess all foreign-built telecommunications and networking equipment. "We know about the concerns of intelligence agencies and are expediting developing [a] system for testing the telecom equipments of foreign manufacturers in networks," an Indian government telecommunications official <a href="http://www.hindustantimes.com/News-Feed/Chunk-HT-UI-BusinessSectionPage-Infotech/Huawei-ZTE-under-scanner/Article1-1057038.aspx">told India's <em>Hindustan Times</em></a>. <P> Information security experts, however, say that backdoors purposefully built into networking hardware can be <a href="http://www.informationweek.com/security/vulnerabilities/darpa-looks-for-backdoors-malware-in-tec/240143043">notoriously difficult to detect</a>, and warned that devices could also be <a href="http://www.theregister.co.uk/2013/05/10/india_to_test_huawei_and_zte_kit/">clean when purchased</a> but later updated with firmware that enables spying. 
<P> Furthermore, in a 2012 teardown of the Huawei AR18 and AR29 series routers, Felix "FX" Lindner, who heads Berlin-based Recurity Labs, found that the <a href="http://www.informationweek.com/security/management/huawei-zte-4-security-fears/240009248">firmware contained enough coding errors</a> that anyone studying the code base might find ways of remotely compromising the devices without needing to resort to purpose-made backdoors.

2013-05-10T09:47:00Z
Washington State Courts Reveal Security Breach
State officials don't know when attackers accessed up to 160,000 Social Security and 1 million driver's license numbers stored in unencrypted format.
http://www.informationweek.com/security/attacks/washington-state-courts-reveal-security/240154638?cid=SBX_iwk_related_commentary_Policy_education

Attackers hacked into Washington state's Administrative Office of the Courts (AOC) servers and obtained copies of up to 160,000 social security numbers and 1 million driver's license numbers, state officials said Thursday. 
<P> Officials don't know exactly when the breach occurred or how many records -- which could be used to commit identity theft -- were stolen. But they nonetheless attempted to downplay the severity of the incident in media interviews. "The hackers were probably opportunistic," Mike Keeling, IT operations and maintenance manager for the court system, told reporters on a conference call, <a href="http://www.reuters.com/article/2013/05/09/us-usa-hack-washingtonstate-idUSBRE9480YY20130509">reported</a> Reuters. "They were more than likely just fishing for data." <P> Keeling said the failure to store sensitive personal information on a better-protected server, encrypt the data or better lock down servers to prevent network traversal "was an oversight on our part." <P> <strong>[ Is the state spending enough on IT security? Read <a href="http://www.informationweek.com/global-cio/interviews/why-it-spending-is-stuck-in-a-vicious-ci/240154096">Why IT Spending Is Stuck In A Vicious Circle</a>. ]</strong> <P> Washington's court administrator Callie T. Dietz said in a statement: "We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites." <P> Attackers breached the Washington state court systems by exploiting a flaw in Adobe ColdFusion software, which has since been patched by the court's IT department. State officials didn't disclose whether attackers exploited a zero-day vulnerability or a known vulnerability in ColdFusion, or whether a version of the patched software from Adobe was already available at the time of the breach. Answering those questions might be difficult, however, since state officials don't know exactly when the breach occurred, saying only that it seemed to happen after September 2012 and before February 2013. 
<P> The breach was discovered in February by an unnamed business on the East Coast, which was attacked in a similar manner, after which it somehow found signs of a similar intrusion against the Washington state court servers. "They recognized our information in their breach log," Keeling said. <P> State officials at first thought their attackers had only accessed public data. By April, however, investigators at Washington State Consolidated Technology Services and the <a href="http://msisac.cisecurity.org/">Multi-State Information Sharing and Analysis Center</a> found that information exposed during the breach included people's names, as well as social security numbers or driver's license numbers. All of the exposed information related to people who received a DUI citation between 1989 and 2011; were booked into a city or county jail between September 2011 and December 2012; were involved in a traffic case in 2011 or 2012; or were involved in a criminal case filed against them in superior court in 2011 or 2012. <P> To date, state officials said they've identified 94 people whose information was likely stolen by attackers, and said all have been contacted by letter. "We found specific [hacker] footprints in the area where those 94 Social Security numbers were located, so that's why we're reasonably sure that the data was accessed," Keeling said. <P> None of those 94 people were offered data-breach-monitoring services or credit protection, although state officials said they might do so if the data breach victims request them. The state has set up a hotline (1-800-448-5584) and website (<a href="http://www.courts.wa.gov/databreach">www.courts.wa.gov/databreach</a>) to answer questions pertaining to the breach. <P> Washington state's CIO, Michael Cockrill, said the breach hadn't affected the state's executive branch, which is on a separate network. Cockrill also said that Gov. 
Jay Inslee has charged his office -- together with the state's Consolidated Technology Services department -- with improving the information security posture of the judicial systems. "The AOC data breach is a sobering reminder for every branch and every level of government, that protection of personal and confidential data entrusted to government is a paramount responsibility," he said. <P> Washington joins a growing list of states -- including <a href="http://www.informationweek.com/security/attacks/texas-data-breach-exposed-35-million-rec/229401489">Texas</a> and <a href="http://www.informationweek.com/security/attacks/9-lessons-from-utah-data-breach/240000747">Utah</a> -- that in recent years have exposed people's personal information because of state officials' failure to properly secure it.

2013-05-09T11:13:00Z
McAfee, AV's King Of Crazy, Resurfaces
Antivirus pioneer and former fugitive from justice in Belize John McAfee shares more about his code-slinging and drug-smuggling past.
http://www.informationweek.com/security/antivirus/mcafee-avs-king-of-crazy-resurfaces/240154538?cid=SBX_iwk_related_commentary_Policy_education

Remember John McAfee? <P> In November, the information security genius and resident of Belize <a href="http://www.informationweek.com/security/government/6-wacky-mcafee-facts-from-guatemala-with/240144062">turned fugitive from justice</a> after his neighbor was murdered. 
McAfee alleged that he was being framed by government authorities in retaliation for refusing to satisfy their extortion demands. <P> McAfee subsequently <a href="http://www.informationweek.com/security/antivirus/mcafee-to-be-released-from-guatemalan-pr/240144273">fled to Guatemala</a>, where his <a href="http://www.informationweek.com/security/management/guatemala-arrests-rogue-av-founder-mcafe/240143971">location was revealed</a> by GPS data attached to an uploaded iPhone snap, at which point he was arrested, requested asylum and faked a heart attack, before being <a href="http://www.informationweek.com/security/antivirus/mcafee-back-in-us-crazy-like-a-fox/240144326">denied asylum</a> and deported to Miami. Since then, he relocated to Portland, Ore., where he's been working with a screenwriter, biographer and graphic novelist, while <a href="http://pandodaily.com/2013/01/26/we-hit-portland-strip-clubs-with-john-mcafee/">visiting strip clubs and house-hunting</a>. <P> McAfee offered those tidbits -- and more -- in a Wednesday <a href="http://features.slashdot.org/story/13/05/07/2017203/interview-john-mcafee-answers-your-questions">Q&A with Slashdot</a>. As with his previous blog posts <a href="http://www.whoismcafee.com/">documenting life on the run</a>, McAfee's answers displayed a predilection for hard-boiled fiction, if not gonzo embellishment. <P> <strong>[ A satire site is the first outlet to detail serious news about recent Twitter account takeovers. Read <a href="http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?itc=edit_in_body_cross">How Syrian Electronic Army Unpeeled The Onion</a>. ]</strong> <P> With those caveats, here are five of the most interesting takeaways: <P> <strong>1. 
Belizean Politician Demanded Millions</strong> <P> Asked to comment on reports that he'd suffered harassment and death threats after refusing to "donate" $30,000 to a Belizean politician, McAfee said that there had been an extortion attempt, but for a significantly larger amount of money. "Had it been $30,000 I would have paid it in an instant," he said. "However it was not. It was $2 million." <P> As a result of his failure to pay up, McAfee has claimed that the government killed his dogs, then murdered his neighbor -- fellow U.S. citizen Gregory Viant Faull, 52 -- in a case of mistaken identity. Belizean authorities have <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-says-belize-framing-him-f/240124914">denied all of McAfee's allegations</a>. <P> <strong>2. Guatemalan Hideout Accidentally Revealed</strong> <P> McAfee's subsequent flight from justice in Belize -- where he was sought for questioning as part of the investigation into Faull's murder, although never charged with any crime -- was documented by <em>Vice</em> editor Rocco Castoro and photographer Robert King. But McAfee's <a href="http://www.informationweek.com/security/mobile/mcafee-av-king-turned-fugitive-surfaces/240143769">arrival in Guatemala was revealed</a> when <em>Vice</em> posted iPhone photographs from which GPS-coordinate-revealing EXIF data hadn't been expunged. At the time, said McAfee, the journalists worried the gaffe would be read as a stunt, allowing them to document McAfee's resulting incarceration. <P> "To calm things down and to get everyone focused on our need to hastily scram, I told Rocco and Robert that I would take the fall and claim that I manipulated the exif data myself and they would be in the clear," he said. "Satisfied, they got packed, we left 10 minutes before the soldiers arrived, and I did what I said I would do. 
It was a stupid plan but it did clear the minds of the two journalists long enough to allow them to function properly in the shaky circumstances." <P> <strong>3. Staying Weird In Portland</strong> <P> After being deported to Miami, McAfee said the decision to relocate to Portland, Ore., where he's been <a href="http://pandodaily.com/2013/02/09/we-take-john-mcafee-to-a-gun-shop-where-he-scares-the-hell-out-of-a-jackass/">living large</a>, centered on there being a critical mass of Asian restaurants and good coffee, backed by the "Keep Portland Weird!" ethos regularly espoused on bumper stickers, as well as its proximity to two people who are documenting his life. "The gentleman producing the comic novel of my life (Chad Essley) and the screenwriter for the feature movie of the Belize incident both live here," he said. That <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">feature movie</a>, provisionally titled <em>Running in the Background</em>, is different from a separate production that's being developed by the team behind the Warner Bros. comedy <em>Crazy, Stupid, Love</em>, which will be <a href="http://www.informationweek.com/security/antivirus/mcafees-escape-from-belize-turns-movie/240146436">based on "John McAfee's Last Stand,"</a> a story written by Joshua Davis for <em>Wired</em>. <P> <a href="http://www.whoismcafee.com/boston-george-jung-writing-the-official-john-mcafee-biography-titled-no-domain/">McAfee also confirmed</a> that he's tapped former cocaine smuggler and convicted drug trafficker <a href="http://en.wikipedia.org/wiki/George_Jung">George "Boston George" Jung</a> -- the subject of the 2001 biopic <em>Blow</em> -- to write his biography, provisionally titled <em>No Domain</em>. <P> <strong>4. 
Born To Run, Not Code</strong> <P> In the wide-ranging Q&A, McAfee said that despite launching a pioneering antivirus software business -- the first to distribute antivirus as shareware -- his code-writing prowess would win no awards. "I haven't written code in 20 years. In truth I was a terrible programmer," he said. "I was just good enough though to be able to spot the truly outstanding programmers. At McAfee I hired the best and then stayed out of their hair." <P> Asked by a reader to comment on the security software that still bears his name, McAfee said he's not been associated with the company, which is now part of Intel, for 21 years. "It's barely a blip in the ocean of associations -- madman, paranoid, child molester, murderer, drug addict, unstable, liar, to name but a few," he said. "Thank god I'm 67 and will probably be too hard of hearing soon enough to have to listen to them rattling around wherever I go. Amy, thankfully, did half the job already by bursting my left eardrum when she tried to shoot me in the head while I slept back in 2011." He didn't specify <a href="http://www.whoismcafee.com/frequently-asked-questions/">exactly which Amy</a> he was referring to. <P> <strong>5. Drug-Free 30 Years And Counting</strong> <P> Despite the drug-addict "associations" -- no doubt driven both by his behavior and freely dropped references to the <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">designer drug known as bath salts</a> -- McAfee said he's been sober for 30 years. "All this madness stopped in 1982 when my life disintegrated. I joined AA in 1982 and stopped drinking and drugging. [I] have not used any drugs, except for caffeine, nicotine and adrenaline, since," he said in response to a Slashdot question. <P> McAfee emphasized that his eccentricities aren't evidence of recent recreational drug use. 
"It's odd that people focus on the possibility that I might now be doing drugs (I'm not) and totally ignore the fact that from 1971 to 1982, 99% of my income came from smuggling and selling drugs," he said. "It's a well documented feature of my past life. I was also taking more drugs weekly than most of you will do in a lifetime, and I was a totally indiscriminate user." <P> McAfee said his drug-smuggling past had come at a personal cost. "I had my right testicle shattered by a hammer in 1974 when I ran afoul of some local drug barons in Oaxaca. It's the size of a grape now and shaped like a small frisbee," he said. <P> "I have been in Mexican jails on three separate occasions and, frankly, I cannot recommend them," he added.
2013-05-09T10:35:00Z
How Syrian Electronic Army Unpeeled The Onion
Satire site The Onion details multi-pronged Twitter account takeover strategies used by hacktivists.
http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?cid=SBX_iwk_related_commentary_Policy_education
Satire site <em>The Onion</em> has offered a glimpse into the techniques used by the Twitter account takeover artists known as the Syrian Electronic Army. <P> The campaign launched by the hacktivist group wasn't complex, although it did involve several waves of attacks, resulting in multiple compromised accounts and credentials, according to "<a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/">How the Syrian Electronic Army Hacked The Onion</a>," posted Wednesday to the satire site's Tech Blog. <P> Here's how the attack commenced: Starting Friday, May 3, a handful of <em>Onion</em> employees received emails that asked them to read a story, and included an apparent <em>Washington Post</em> link. In reality, the link led to a hacked WordPress site, which redirected to a googlecom.comeze.com page that requested their Google Apps credentials. Once credentials were entered, the page bounced the victim to their real Gmail inbox, so nothing looked amiss. 
<P> "These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack," according to the <em>Onion's</em> attack overview. "At least one <em>Onion</em> employee fell for this phase of the phishing attack." <P> Early Monday morning, attackers used the compromised account to send the same phishing message to more employees. "Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts," according to the <em>Onion's</em> recap. <P> The same day, attackers <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">defaced the <em>Onion's</em> Twitter account page</a> and began issuing bogus tweets. In response, the <em>Onion's</em> IT team issued a company-wide alert telling all employees to reset their Google Apps passwords. But the attackers used another account they had already compromised to send their own <a href="http://www.informationweek.com/security/attacks/linkedin-users-change-password-now/240001623">password-reset warning</a>, whose "password-reset link" led to the same credential-harvesting page. To make this third wave harder to detect, they sent it to staff but skipped everyone in the IT department. <P> "This third and final phishing attack compromised at least two more accounts," according to the attack overview. "One of these accounts was used to continue owning our Twitter account." 
At that point, the IT department forced all employees to reset their Google Apps passwords, which allowed them to finally regain control of the accounts and begin a mop-up operation. <P> The Syrian Electronic Army is allied to the regime of President Bashar al-Assad, and hacktivist group member "Th3 Pr0" told <em>The New York Times</em> that the <em>Onion</em> Twitter account takeover was <a href="http://bits.blogs.nytimes.com/2013/05/06/no-joke-syrians-hack-the-onion/">meant to be revenge</a> for its recent Assad-attributed editorial titled "Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People." <P> What lessons can be learned from the successful Syrian Electronic Army phishing attack against the <em>Onion</em>? The company's IT team reported that "a few simple security measures" would have blocked the attacks. For starters, the attacker connected to the compromised accounts from the IP address 46.17.103.125, the same address that hosts a <a href="http://46.17.103.125/en/site/index">Syrian Electronic Army leaks website</a>. Blocking connections from that address, and alerting on any login that arrives from it, is a cheap first step, though an attacker can change source addresses far faster than a blocklist can follow, so it is a tripwire rather than a wall. <P> The more durable fixes address the phishing itself. The IT team recommended registering social media accounts under a separate email system from the one staff use every day, so that a phished everyday mailbox can't be used to reset a Twitter password. It also said that routing all posting through an intermediary social media management system such as <a href="http://www.informationweek.com/social-business/news/social_networking_consumer/hootsuite-improves-workflow-approvals-fo/232901555">Hootsuite</a> would make it much more difficult for an attacker to fully compromise an organization's Twitter accounts, because individual staff then never need to hold the Twitter password itself. <P> For an industry that's predicated on reporting, it's notable that the <em>Onion</em> is the first news outlet -- satirical or straight -- to detail exactly how its Twitter accounts were owned by the Syrian Electronic Army. 
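The two cheapest checks in that list, turned into code. This is an added example written for this page, not code from the Onion's write-up: it flags links whose host name borrows a brand it doesn't own (the attackers' googlecom.comeze.com page, for instance) and flags successful logins from the attacker address named above. The brand list, the sample URLs and the login log lines are constructed for the example, and the two-label "registrable domain" rule is a simplification of what a real deployment would do with the Public Suffix List.

```python
"""Added example (not from the Onion's write-up or InformationWeek).

1. Flag links whose host name contains a protected brand but whose registrable
   domain is not one of that brand's own domains (googlecom.comeze.com).
2. Flag successful logins from the address the attackers connected from
   (46.17.103.125, per the Onion's write-up).
"""
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicator from the Onion's write-up: the address the attackers logged in from.
ATTACKER_IPS = {"46.17.103.125"}

# Brands worth protecting, mapped to the registrable domains that may
# legitimately carry them. Constructed for the example.
BRAND_DOMAINS = {
    "google": {"google.com", "googleapis.com"},
    "washingtonpost": {"washingtonpost.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification; no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(url: str) -> Optional[str]:
    """Return the brand a URL impersonates, or None if the host is legitimate.

    A host impersonates a brand when the brand string appears anywhere in the
    host name (dots and hyphens ignored, so 'googlecom' still matches) but the
    registrable domain is not one of that brand's own domains.
    """
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    compact = host.replace("-", "").replace(".", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in compact and domain not in legit:
            return brand
    return None


def triage_links(urls: List[str]) -> List[str]:
    """Subset of URLs that impersonate a protected brand."""
    return [u for u in urls if lookalike_brand(u) is not None]


def scan_logins(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag successful logins from known attacker IPs.

    Each constructed log line has the form
    '<iso-timestamp> user=<name> ip=<address> result=<ok|fail>'.
    Returns (timestamp, user, ip) for every match.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        fields = dict(part.split("=", 1) for part in parts[1:])
        if fields.get("ip") in ATTACKER_IPS and fields.get("result") == "ok":
            hits.append((parts[0], fields["user"], fields["ip"]))
    return hits


# Constructed sample data for the example.
SAMPLE_URLS = [
    "http://www.washingtonpost.com/world/2013/05/03/story.html",
    "http://googlecom.comeze.com/accounts/ServiceLogin",
    "https://accounts.google.com/ServiceLogin",
    "http://mail.google.com.login-verify.example/reset",
]

SAMPLE_LOGINS = [
    "2013-05-06T03:12:44Z user=editor ip=203.0.113.7 result=ok",
    "2013-05-06T03:41:09Z user=editor ip=46.17.103.125 result=ok",
    "2013-05-06T03:42:51Z user=itadmin ip=46.17.103.125 result=fail",
]

if __name__ == "__main__":
    for url in triage_links(SAMPLE_URLS):
        print("lookalike:", url, "->", lookalike_brand(url))
    for hit in scan_logins(SAMPLE_LOGINS):
        print("attacker login:", hit)
```

The brand check catches the two shapes the Onion saw (a brand squeezed into a free-hosting subdomain, and a brand used as a leading label of an unrelated domain) without any list of known-bad hosts; the IP check is only as good as the indicator list, which is why the article's other two recommendations matter more.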
The <em>Onion</em> is the first to do so despite the hacktivist group having hijacked the Twitter feeds of such organizations as National Public Radio, Reuters, the BBC <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">and the <em>Guardian</em></a>. <P> But the Syrian Electronic Army's most infamous outing to date was its compromise of multiple AP Twitter feeds, which it used to issue a hoax alert that President Obama had been <a href="http://www.informationweek.com/security/attacks/twitter-preps-two-factor-authentication/240153539">injured in explosions</a> at the White House. The compromise led to reports that Twitter was finally <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">prepping two-factor authentication</a> to help users block some types of account takeovers. <P> According to the Syrian Electronic Army, it seized control of the AP accounts via a phishing campaign that compromised at least 50 employees at the news agency, including social media editors.
2013-05-08T13:10:00Z
Nginx Patches Critical Web Server Software Vulnerability
Meanwhile, hackers behind Cdorked malware that targets Apache servers now have extended it to infect open-source Nginx and Lighttpd server software.
http://www.informationweek.com/security/vulnerabilities/nginx-patches-critical-vulnerability-web/240154480?cid=SBX_iwk_related_commentary_Policy_education
The developers behind the popular open-source Web server software Nginx have released updates to patch a serious vulnerability. <P> Nginx Tuesday announced the <a href="http://nginx.org/en/">release of nginx-1.4.1</a> -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on an Nginx server and completely compromise it. In a <a href="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html">security advisory</a> issued Tuesday, Nginx said <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028">the bug</a> is present in Nginx versions 1.3.9 through 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said. <P> The vulnerability rates as "highly critical," according to a <a href="https://secunia.com/advisories/53248/">security advisory</a> issued by vulnerability research firm Secunia. 
"The vulnerability is caused due to an error within [a] function ... when parsing an HTTP chunk and can be exploited to cause a stack-based buffer overflow," it said. The chunk-size line of a chunked request body is entirely attacker-controlled, so the flaw is reachable by any unauthenticated client that can send a request to the server. <P> Nginx -- <a href="https://en.wikipedia.org/wiki/Nginx">pronounced "engine X"</a> -- is an open-source Web server, reverse proxy server, and load balancer designed for a large number of concurrent connections and high levels of performance with a low memory footprint. It runs on Unix, Linux, Solaris and Windows, as well as AIX, BSD variants, HP-UX and Mac OS X. <P> Nginx is now the third most popular HTTP Web server software, behind Apache and Microsoft IIS, although its popularity continues to increase. "Nginx reached a new milestone this month: it is now used by more than 100M websites, and within the million busiest websites has overtaken Microsoft IIS to take second place with a market share of 13.5%," said a <a href="http://news.netcraft.com/archives/2013/05/03/may-2013-web-server-survey.html">May 2013 Web server report</a> released by Netcraft. <P> "Overall, Nginx's market share now stands at 15.5%, just 1.2 percentage points behind Microsoft, helped by a growth of 8.3M sites this month," it said. <P> The growing popularity of Nginx, however, has made it a target for attackers. Notably, the developers behind the <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922">Cdorked malware</a> that targets Linux systems running Apache HTTP server software recently updated the malware to infect Nginx, as well as open-source Lighttpd ("lighty") Web server software. 
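Returning to the nginx bug: the advisory text above attributes it to parsing an HTTP chunk, and the generic lesson is that the chunk-size line is attacker-supplied and must be length- and range-limited before it is used to size any read or buffer. As an added illustration (not nginx's code and not the patched function), here is a chunked-body decoder written with those checks in place; the digit and size limits are assumptions chosen for the example, and Python is used so the logic reads plainly.

```python
"""Added illustration, not nginx code: a chunked transfer-coding decoder that
bounds the attacker-controlled chunk-size line before trusting it.

Limits below are illustrative choices for the example.
"""
from typing import Tuple

MAX_SIZE_DIGITS = 16          # hex digits accepted in a chunk-size line (assumption)
MAX_CHUNK_BYTES = 1 << 20     # largest chunk this decoder will buffer (assumption)
HEX = set(b"0123456789abcdefABCDEF")


class ChunkError(ValueError):
    """Raised for any malformed or over-limit chunked input."""


def read_line(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Return (line without CRLF, position after CRLF); refuse absurdly long lines."""
    end = data.find(b"\r\n", pos)
    if end == -1:
        raise ChunkError("missing CRLF")
    if end - pos > MAX_SIZE_DIGITS + 256:   # size field plus optional ;ext=value
        raise ChunkError("chunk-size line too long")
    return data[pos:end], end + 2


def parse_chunk_size(line: bytes) -> int:
    """Parse the hex chunk size, ignoring chunk extensions after ';'."""
    size_field = line.split(b";", 1)[0].strip()
    if not size_field:
        raise ChunkError("empty chunk size")
    if len(size_field) > MAX_SIZE_DIGITS:
        # Bounding the digit count is what keeps the parsed value from wrapping
        # a fixed-width integer: 17 or more hex digits cannot fit in 64 bits.
        raise ChunkError("chunk size has too many digits")
    if any(c not in HEX for c in size_field):
        # Rejects signs, '0x' prefixes and anything else int() would tolerate.
        raise ChunkError("chunk size is not hexadecimal")
    size = int(size_field, 16)
    if size > MAX_CHUNK_BYTES:
        raise ChunkError("chunk larger than allowed")
    return size


def decode_chunked(data: bytes) -> bytes:
    """Decode a complete chunked body; raise ChunkError on any malformed input."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = read_line(data, pos)
        size = parse_chunk_size(line)
        if size == 0:
            # Last chunk: optional trailer header lines, then an empty line.
            while True:
                line, pos = read_line(data, pos)
                if not line:
                    return bytes(out)
        # Check the remaining input against the declared size BEFORE copying,
        # so a large declared size can never read past the buffer.
        if len(data) - pos < size + 2:
            raise ChunkError("truncated chunk")
        out += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        pos += size + 2


def is_malformed(data: bytes) -> bool:
    """True if the decoder rejects the input (used for the examples below)."""
    try:
        decode_chunked(data)
        return False
    except ChunkError:
        return True


if __name__ == "__main__":
    # Constructed sample: the classic three-chunk body.
    body = b"4\r\nWiki\r\n5\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\n\r\n"
    print(decode_chunked(body))
    print("17-digit size rejected:", is_malformed(b"F" * 17 + b"\r\n"))
```

Three checks do the work: the size line is length-limited before it is parsed, the digit count is capped so the value cannot overflow the integer type a C implementation would store it in, and the declared size is compared against the bytes actually available before any copy. A parser that skips any one of these hands an attacker control over how much memory the next read touches.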
<P> To date, Cdorked infections have been confirmed on about 400 Web servers, 50 of which rank in the <a href="http://www.alexa.com/topsites">Alexa index of the top 100,000 websites</a>. But security researchers don't yet know how attackers are infecting servers with the backdoor malware. <P> "We still don't know for sure how this malicious software was deployed on the Web servers," said Marc-Etienne M. Leveille, a malware researcher at security firm ESET, in a blog post. "We believe <a href="http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/">the infection vector is not unique</a>. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software." <P> "One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," he said. "Linux/Cdorked.A is a backdoor, used by [a] malicious actor to serve malicious content from legitimate websites." <P> Interestingly, the malware "is even more stealthy than we first thought," he said. "By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges, nor if the victim's Internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian." In those cases, the malware is instead set to redirect users to a "page with links to pornographic websites," said Leveille. <P> ESET researchers have also <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922#">clarified the relationship between Cdorked and the Apache-targeting Darkleech</a> (aka Chapro) malware attacks, which have continued to intensify in recent months. 
"While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit," said ESET malware researcher Sébastien Duquette. "However this does not change the fact that this trend is quite concerning."
2013-05-08T11:26:00Z
Syria Back Online After Internet Blackout
All Internet traffic from the war-torn country -- via overland and submarine connections -- went offline Tuesday.
http://www.informationweek.com/security/management/syria-back-online-after-internet-blackou/240154412?cid=SBX_iwk_related_commentary_Policy_education
"Breaking news: traffic from Syria disappears from Internet." <P> So read a Tuesday alert issued by Umbrella Security Labs, which reported that all outbound Internet traffic from Syria had disappeared. The country's Internet connection remained offline for about 24 hours, before appearing to come back online about 11 a.m. Eastern Time Wednesday. <P> Multiple Internet monitoring firms corroborated the outage. "Since 18:45 UTC on May 7th, Renesys hasn't seen a flicker of activity," <a href="http://www.renesys.com/blog/2013/05/syrian-internet-fragility.shtml">said Jim Cowie, CTO of Renesys, in a blog post</a> Wednesday morning, before the country's Internet connection appeared to come back online. "We haven't been able to successfully send a ping or a traceroute to any host inside Syria. Government websites, universities, domain name servers, core infrastructure routers, banks, businesses, DSL customers, smartphones: all silent." <P> Akamai likewise confirmed the "traffic drop to Syria" with a chart that shows hits and megabits of data being delivered to the country <a href="https://twitter.com/akamai_soti/status/331858414684749825/photo/1">plummeting to zero</a> after 2 p.m. Eastern time Tuesday. Akamai confirmed that <a href="https://twitter.com/akamai_soti/status/332104033479299074/photo/1">traffic levels remained at zero</a> early Wednesday morning. 
<P> The blackout was first visible when both of the top-level domain name servers for Syria -- ns1.tld.sy and ns2.tld.sy -- became unreachable. "Routing on the Internet relies on the Border Gateway Protocol (BGP). BGP distributes routing information and makes sure all routers on the Internet know how to get to a certain IP address," according to a <a href="http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">blog post from Dan Hubbard</a>, CTO of Umbrella Security Labs, which is the threat research division of OpenDNS. "When an IP range becomes unreachable it will be withdrawn from BGP, this informs routers that the IP range is no longer reachable," he said. But in the case of Syria, "currently there are just three routes in the BGP routing tables for Syria, while normally it's close to 80." <P> "Effectively, the shutdown disconnects Syria from Internet communication with the rest of the world," Hubbard said. "It's unclear whether Internet communication within Syria is still available. Although we can't yet comment on what caused this outage, past incidents were linked to both government-ordered shutdowns and damage to the infrastructure, which included fiber cuts and power outages." 
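An added example (not Umbrella Labs' or Renesys' tooling) of the kind of monitoring Hubbard describes: apply BGP announce and withdraw messages to a prefix table, then raise an alert when the share of a country's baseline prefixes still present collapses, as it did here from roughly 80 routes to 3. The origin ASNs, prefixes and update stream are constructed for the example (private-use AS numbers and documentation address blocks); a real monitor would take its updates from a route collector such as RouteViews or RIPE RIS.

```python
"""Added example, not code from Umbrella Labs or Renesys: a toy BGP visibility
monitor. Prefixes, AS numbers and the update stream are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

# (kind, prefix, origin_asn). A withdraw carries no meaningful origin; 0 is used.
Update = Tuple[str, str, int]


def apply_updates(rib: Dict[str, int], updates: Iterable[Update]) -> Dict[str, int]:
    """Return a new prefix -> origin-AS table after applying updates in order."""
    table = dict(rib)
    for kind, prefix, origin in updates:
        if kind == "announce":
            table[prefix] = origin
        elif kind == "withdraw":
            table.pop(prefix, None)      # withdrawing an unknown prefix is a no-op
        else:
            raise ValueError(f"unknown update kind: {kind}")
    return table


def visible_prefixes(rib: Dict[str, int], asns: Set[int]) -> Set[str]:
    """Prefixes currently originated by any of the ASNs being watched."""
    return {prefix for prefix, origin in rib.items() if origin in asns}


def visibility_ratio(rib: Dict[str, int], baseline: Set[str], asns: Set[int]) -> float:
    """Fraction of the baseline still visible (1.0 = normal, 0.0 = total blackout)."""
    if not baseline:
        raise ValueError("empty baseline")
    return len(visible_prefixes(rib, asns) & baseline) / len(baseline)


def outage_alert(rib: Dict[str, int], baseline: Set[str], asns: Set[int],
                 threshold: float = 0.5) -> bool:
    """True when fewer than `threshold` of the baseline prefixes remain."""
    return visibility_ratio(rib, baseline, asns) < threshold


# Constructed scenario. 64500/64501 play the in-country networks; 64496 is a
# foreign origin whose prefix must not be counted toward the baseline.
WATCHED_ASNS = {64500, 64501}

BASELINE_RIB: Dict[str, int] = {
    **{f"203.0.113.{i * 64}/26": 64500 for i in range(4)},
    **{f"198.51.100.{i * 64}/26": 64501 for i in range(4)},
    "192.0.2.0/24": 64496,
}

# Learned during normal operation: the 8 prefixes the watched ASNs originate.
BASELINE_PREFIXES = visible_prefixes(BASELINE_RIB, WATCHED_ASNS)

# Outage stream: every watched prefix but one is withdrawn, the foreign one stays.
OUTAGE_UPDATES: List[Update] = [
    ("withdraw", prefix, 0) for prefix in sorted(BASELINE_PREFIXES)[:-1]
]


def simulate_outage() -> float:
    """Run the constructed outage and return the resulting visibility ratio."""
    after = apply_updates(BASELINE_RIB, OUTAGE_UPDATES)
    return visibility_ratio(after, BASELINE_PREFIXES, WATCHED_ASNS)


if __name__ == "__main__":
    ratio = simulate_outage()
    print(f"visibility after withdrawals: {ratio:.3f}")
    after = apply_updates(BASELINE_RIB, OUTAGE_UPDATES)
    print("alert:", outage_alert(after, BASELINE_PREFIXES, WATCHED_ASNS))
```

The baseline is learned from the table itself rather than hard-coded, which is how a monitor copes with prefixes being renumbered over time; the threshold is the only tunable, and the 80-to-3 collapse in the article would score 0.0375 against it.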
<P> [Image: Syria's 3 Submarine Cables, courtesy of Renesys: http://twimgs.com/informationweek/news/2013/05/syrias-3-submarine-cables-renasys_300.png] <P> This isn't the first time the Syrian Internet has blacked out. In November 2012, the Syrian government may have <a href="http://www.informationweek.com/security/attacks/syria-hits-internet-kill-switch-blackout/240142977">hit a "kill switch"</a>, taking the country's Internet services offline for two days, or else the infrastructure may have simply failed. Prior Syrian Internet outages occurred in July and August 2012, as well as June 2011. <P> According to Renesys, Syria's Internet connections comprise overland connections from its northern neighbor, Turkey, as well as three different submarine communications cables from Cyprus, Egypt and Lebanon. All told, Syria works with four different telecommunications providers, it said, although one of those connections -- <a href="https://twitter.com/renesys/status/331868678075330562/photo/1">with Turk Telekom</a> -- has been offline for almost two weeks. <P> Renesys CTO Cowie said the latest Syrian Internet blackout shouldn't be surprising, given that the country remains in the midst of a <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">bloody civil war</a>. "In the middle of the chaos and tragedy of civil war, why is anyone surprised when the Internet stops working?" he said. "Isn't it actually more shocking and noteworthy that the Internet in Syria actually functions pretty well 360 days out of the year?" 
<P> The Internet outage may temporarily slow the efforts of the Syrian Electronic Army hacktivist group that's allied to the regime of Syrian president Bashar al-Assad. The group recently compromised Associated Press Twitter accounts and tweeted hoax messages about <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">explosions at the White House</a>. It later compromised the Twitter feeds for the <em>Guardian</em> and, on Monday, <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">satire site <em>The Onion</em></a>. <P> "To be flippant for a second, this outage might at least shed some light as to whether the Syrian Electronic Army -- who have been causing quite a nuisance by hacking media organizations lately -- are really based in Syria, or not, as some tend to suspect," <a href="http://nakedsecurity.sophos.com/2013/05/07/syria-disappears-off-internet/">said Graham Cluley</a>, senior technology consultant at Sophos, in a blog post.
2013-05-07T13:11:00Z
Anonymous OpUSA Hackathon: Mostly Bluster
DHS predicts Tuesday's hackathon will involve little more than nuisance exploits. 
Meanwhile, Syrian Electronic Army hacks Twitter feeds of The Onion.
http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368?cid=SBX_iwk_related_commentary_Policy_education
Will the Anonymous-led Operation USA (#OpUSA) scheduled for Tuesday disrupt leading U.S. government and banking websites? <P> An <a href="http://pastebin.com/LXHKjsfg">"#OpUSA target list" posted to Pastebin</a> two weeks ago named nine government websites -- the White House and Department of Defense's public-facing websites among them -- and 133 banks and credit unions as primary targets. "We will now wipe you off the cyber map," read the Pastebin post, signed by N4M3LE55 CR3W. "Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs." <P> In a show of solidarity, the distributed-denial-of-service bank-attack outfit known as al-Qassam Cyber Fighters, which as part of Operation Ababil has been <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">successfully disrupting financial websites</a> for months, Monday <a href="http://pastebin.com/vpP9KZ6P">promised to take the week off</a>. 
"Due to the simultaneity of OpUSA with Operation Ababil, and to abstain from ambiguity in the intentions of our operation, this week we will not run any attack," read a statement posted to the group's Pastebin. <P> By Tuesday afternoon, however, despite a <a href="http://www.hackersnewsbulletin.com/2013/05/list-of-websites-affected-under-opusa.html">plethora of hacked-site reports</a>, the OpUSA attacks appeared to be targeting low-level -- and possibly random -- sites in the United States and abroad, arguably causing little damage. <P> The Tunisian Hackers Team, for example, claimed to have dumped a SQL database for the <a href="http://bloodbanker.com">Blood Bank of America</a> that appeared to contain about 3,000 usernames and hashed passwords. Among other attacks, AnonGhost members BilalSbXtra & Dr.SaMiM_008 posted what they said were 10,000 credit card numbers -- with expiration dates, security codes and account holders' names and addresses -- apparently stolen from an online store. Some of the published information also included social security numbers, bank account routing numbers and answers to secret questions. The group also claimed to have hacked 29 Israeli websites. <P> Meanwhile, Mauritania Attacker Tuesday claimed to be preparing to release "all governments emails of USA." It <a href="https://twitter.com/An0nGhost/status/331255767644655617">published a teaser</a> showing some doxed addresses -- which included both microsoft.com and cia.gov addresses, as well as numerous accounts with service providers -- but with obscured passwords. 
<P> Hacking groups or collectives claiming to participate in OpUSA include Anonymous and affiliates <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">AntiSec</a> and <a href="http://www.informationweek.com/security/attacks/lulzsec-reborn-claims-military-dating-si/232700290">LulzSec Reborn</a>. Other groups that have pledged their assistance include Ajax Team, Mauritania Attacker, Muslim Liberation Army, Redhat, Team Poison Reborn and ZHC. <P> Not all OpUSA-related attacks began Tuesday. Hacking group <a href="https://twitter.com/YourAnonNews/status/331196545556946946">X-Blackerz Inc claimed</a> Monday to have released 23 emails and passwords for Honolulu Police Department staff. Meanwhile, AnonGhost Team got an early start Saturday, <a href="http://pastebin.com/zftTrrrh">claiming via Pastebin</a> that it had defaced about 900 pages, which included multiple Web pages in the domain of <a href="http://www.hack-db.com/">Hack-DB</a>, which tracks hacktivism and cybercrime. A message posted to defaced sites read "we are everywhere" and left a scrolling list of the group's official members. <P> Many of the groups that pledged to take part in the one-day hackathon had previously joined forces for the ongoing <a href="http://www.informationweek.com/security/attacks/anonymous-launches-opisrael-ddos-attacks/240142149">Operation Israel (#OpIsrael) campaign</a>, which last month promised to "erase" Israel from the Internet. "We promised to take Israel off the cyber map. We succeeded," read a recent OpUSA target list post. OpIsrael attackers last month claimed to have disrupted 100,000 Israeli websites and caused $3 billion in damage. 
But <a href="http://www.informationweek.com/security/attacks/anonymous-claims-100000-israel-site-disr/240152448">Israeli officials disputed hacktivists' claims</a>, saying that while there had been a lot of bluster there was little "real damage," and that the country's critical infrastructure remained unaffected. <P> Likewise, in the lead-up to OpUSA, the U.S. Department of Homeland Security appeared to expect similar low-level attacks, aimed at publicizing the attackers' anti-U.S. grievances but causing little lasting damage. In a confidential DHS memo issued last week and <a href="http://krebsonsecurity.com/2013/05/dhs-opusa-may-be-more-bark-than-bite/">obtained by security reporter Brian Krebs</a>, DHS said the attacks "likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation." <P> Not all hacktivist activity this week has been conducted under the OpUSA banner. The <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Electronic Army</a> resurfaced Monday when it <a href="http://www.syrianews.cc/syrian-electronic-army-pays-visit-onion/">seized control of the Twitter feed for the satirical news outlet <em>The Onion</em></a>. The group posted fake news headlines relating to Israel's recent missile strikes against military targets in Syria. Another tweet suggested that the Israeli government was allied with Al Qaeda. <P> In the wake of the Twitter account takeover, <em>The Onion</em> <a href="http://www.theonion.com/articles/onion-twitter-password-changed-to-onionman77,32323/">responded in typical fashion</a>: "Following today's incident in which the Syrian Electronic Army hacked into The Onion's Twitter account, sources ... confirmed that its Twitter password has been changed to OnionMan77 in order to prevent any future cyber-attacks." 
The story quoted "Onion IT specialist Nick Abersold" as saying that the new password would be "virtually impenetrable." <P> Satire aside, in the wake of the <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">numerous news organizations' Twitter account takeovers</a> by the Syrian Electronic Army, Twitter last week issued a memo <a href="http://www.informationweek.com/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094">warning media outlets</a> to take appropriate security precautions, as it expected the account takeovers to continue.
2013-05-07T11:20:00Z
Sweet Password Security Strategy: Honeywords
To improve detection of database breaches, businesses should store multiple fake passwords and monitor attempts to use them, say RSA and MIT researchers.
http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?cid=SBX_iwk_related_commentary_Policy_education
Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials, to detect whether hackers have stolen the stored user information. <P> That's the thinking behind the "honeywords" concept first proposed this month in <a href="http://people.csail.mit.edu/rivest/pubs/JR13.pdf">"Honeywords: Making Password-Cracking Detectable,"</a> a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest, who <a href="http://en.wikipedia.org/wiki/Ron_Rivest">co-invented the RSA algorithm</a> (he's the "R"). <P> The term "honeywords" is a play on "honeypot," which in the information security realm refers to creating fake servers and then <a href="http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740">learning how attackers</a> attempt to exploit them -- in effect, using them to help detect more widespread intrusions inside a network. 
<P> "[Honeywords are] a simple but clever idea," said Bruce Schneier, chief security technology officer of BT, in a <a href="https://www.schneier.com/blog/archives/2013/05/honeywords.html">blog post</a>. "Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file." <P> The honeywords concept is also elegant because any attacker who's able to steal a copy of a password database won't know which of the stored entries for an account is the real one. "An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword," Juels and Rivest pointed out. "The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine and will set off an alarm if a honeyword is submitted." <P> The researchers recommend honeywords as a step beyond creating fake accounts. "Sometimes administrators set up fake user accounts ("honeypot accounts") so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to login," they said. "Since there is really no such legitimate user, the adversary's attempt is reliably detected when this occurs." But they said that attackers may find viable techniques for spotting bogus accounts. 
<P> Accordingly, they recommend adding multiple fake passwords to every user account and creating a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. "This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password," they said. <P> If honeyword use is detected, that doesn't mean that the password database has been compromised. Instead, attackers may simply be launching brute-force-guessing attacks against the site. On the other hand, if numerous attempted logins are made using honeywords, or if honeyword login attempts are made to admin accounts, then it's more likely that the password database has been stolen. <P> One benefit of the RSA researchers' approach is that businesses could improve their security posture without any user intervention. "Honeywords aren't visible to users and don't in any way change their experience when they log in using passwords," read a <a href="http://people.csail.mit.edu/rivest/honeywords/faq.pdf">related FAQ</a>. <P> The researchers acknowledge that attackers might subvert their system by launching a denial-of-service attack against a honeychecker server. In such an event, they recommend using a failsafe: if a honeychecker server becomes unavailable, temporarily allow honeywords to become valid logins. <P> Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised. 
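A runnable sketch of the scheme described above, added here as an illustration rather than code from Juels and Rivest or RSA: a login server that stores several hashed sweetwords per account and cannot tell which is real, a separate honeychecker that alone knows the real index and raises an alarm on honeyword use, the availability failsafe, and the article's triage heuristic (many hits, or hits on admin accounts, point to a stolen database). The tail-tweaking honeyword generator, the class and function names, and the demo account values are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string


def slow_hash(password: str, salt: bytes) -> bytes:
    """Built-for-purpose password hashing, as the article recommends (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def tweak_tail(password: str, count: int) -> list:
    """Assumed honeyword generator: vary the last two characters so decoys look
    as plausible as the real password. A placeholder, not the paper's method."""
    alphabet = string.ascii_lowercase + string.digits
    decoys = set()
    while len(decoys) < count:
        tail = "".join(secrets.choice(alphabet) for _ in range(2))
        candidate = password[:-2] + tail
        if candidate != password:
            decoys.add(candidate)
    return sorted(decoys)


class HoneyChecker:
    """Auxiliary server: holds only the index of each user's real password."""

    def __init__(self, admins=()):
        self._real_index = {}
        self.admins = set(admins)
        self.alarms = []        # (user, index) for every honeyword submitted
        self.available = True   # set False to simulate the checker being down

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if not self.available:
            raise ConnectionError("honeychecker unreachable")
        if self._real_index[user] == index:
            return True
        self.alarms.append((user, index))   # honeyword used: raise the alarm
        return False

    def assess(self, threshold: int = 3) -> str:
        """Article's triage: one hit may be online guessing; many hits, or any
        hit on an admin account, point to a stolen password database."""
        if not self.alarms:
            return "no honeyword activity"
        admin_hit = any(user in self.admins for user, _ in self.alarms)
        if len(self.alarms) >= threshold or admin_hit:
            return "likely password database theft"
        return "possible online guessing"


class PasswordStore:
    """Login server: keeps k hashed sweetwords per user, cannot tell which is real."""

    def __init__(self, checker: HoneyChecker, sweetwords: int = 5):
        self.checker = checker
        self.k = sweetwords
        self.table = {}   # user -> list of (salt, hash), one per sweetword

    def register(self, user: str, password: str) -> list:
        sweet = [password] + tweak_tail(password, self.k - 1)
        secrets.SystemRandom().shuffle(sweet)
        entries = []
        for word in sweet:
            salt = os.urandom(16)
            entries.append((salt, slow_hash(word, salt)))
        self.table[user] = entries
        self.checker.set_index(user, sweet.index(password))
        # Returned only so a demo can play the attacker who inverted the hashes;
        # a real server discards the plaintext list.
        return sweet

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail' (no sweetword matched) or 'honeyword'."""
        entries = self.table.get(user)
        if entries is None:
            return "fail"
        matched = None
        for index, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(slow_hash(password, salt), digest):
                matched = index
        if matched is None:
            return "fail"
        try:
            is_real = self.checker.check(user, matched)
        except ConnectionError:
            # Failsafe the researchers recommend: while the honeychecker is
            # unavailable, temporarily accept any sweetword as a valid login.
            return "ok"
        return "ok" if is_real else "honeyword"
```
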
Last month, for example, <a href="http://www.darkreading.com/privacy/livingsocial-says-cyberattack-puts-data/240153819">LivingSocial said that attackers stole</a> information relating to 50 million users, and stolen passwords were reportedly published in underground forums. Two state attorneys general are <a href="http://www.ct.gov/ag/cwp/view.asp?Q=523856&A=2341">now investigating</a>. In March, meanwhile, <a href="http://www.informationweek.co.uk/security/attacks/evernote-breach-7-security-lessons/240149911">Evernote reset all 50 million users' passwords</a> after the company's security team discovered and blocked suspicious activity on the Evernote network. <P> Those are hardly isolated incidents. In the space of a single week last year, 6.5 million LinkedIn, 1.5 million eHarmony and an estimated 17 million Last.fm users' <a href="http://www.informationweek.co.uk/security/client/7-tips-to-toughen-passwords/240001775">password hashes were uploaded to hacking forums</a>. Although security experts suspect the passwords may have been stolen as early as 2011 or 2010, the affected businesses appeared to learn about the breaches only after the hashes were posted. <P> Many businesses -- including Evernote -- used encryption algorithms to protect passwords, sometimes also with salt for added protection. But that approach is insecure, and password-security experts have long recommended that businesses <a href="http://www.informationweek.co.uk/security/application-security/password-police-cite-evernote-mistakes/240150250">use built-for-purpose password hashing algorithms</a> such as bcrypt, scrypt or PBKDF2, which if properly implemented are much more resistant to brute-force attacks. <P> Regardless, no password security system is foolproof. That's why an early warning system such as the use of honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have time to put the stolen information to use. 
<P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>
2013-05-02T13:20:00Z
China Tied To 3-Year Hack Of Defense Contractor
U.S. defense contractor QinetiQ ignored persistent attack warning signs, lost terabytes of secret information, say investigators.
http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064?cid=SBX_iwk_related_commentary_Policy_education
For three years, boutique defense contractor QinetiQ was compromised by an advanced persistent threat (APT) attack group operating from China. During that time, attackers accessed information about cutting-edge U.S. military drone and robot weapons systems and brought competing products to market. 
<P> Those allegations surfaced against <a href="http://en.wikipedia.org/wiki/Qinetiq">QinetiQ North America</a> Wednesday in a <a href="http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html">report</a> from Bloomberg, which cited investigators hired by QinetiQ -- as well as HBGary emails that were stolen and <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">leaked by Anonymous</a> -- as sources. HBGary was one of several firms hired by the defense contractor to investigate apparent intrusions. <P> Investigators told Bloomberg that the ongoing attacks against QinetiQ (pronounced "kinetic") were launched by the Shanghai-based Comment Crew. Earlier this year, a report from security firm Mandiant <a href="http://www.informationweek.com/security/attacks/china-denies-us-hacking-accusations-6-fa/240149058">tied the group</a> -- which it dubbed APT1 -- to attacks that compromised 141 businesses, none of which it named, across 20 industries. According to Mandiant, the attackers weren't just supported by China, but actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit. Chinese officials denied those allegations. <P> <strong>[ How should your business react to the Chinese allegations? Read <a href="http://www.informationweek.com/security/attacks/china-hack-attacks-play-offense-or-defen/240150482?itc=edit_in_body_cross">China Hack Attacks: Play Offense Or Defense?</a> ]</strong> <P> Investigators hired by QinetiQ said that despite ongoing warnings from numerous organizations, including NASA and the Naval Criminal Investigative Unit, that the defense contractor's networks had been compromised, QinetiQ officials failed to realize that attackers were maintaining a persistent presence in their network and react accordingly. 
<P> "We found traces of the intruders in many of their divisions and across most of their product lines," Christopher Day -- until February, a senior VP at Verizon's Terremark security division, which QinetiQ twice hired to investigate apparent intrusions -- told Bloomberg. "There was virtually no place we looked where we didn't find them." <P> As a result, investigators said that terabytes of data were stolen, including classified information relating to military robotics, drones and the Army's helicopter fleet, among it PIN codes that could now be used to identify helicopters' deployment and combat-readiness. <P> A QinetiQ spokesman didn't immediately respond to an emailed request for comment on the report, or what information security changes the business might have made as a result. <P> Attacks that aim to <a href="http://www.informationweek.com/security/attacks/securid-customers-advised-to-prepare-for/229301337">steal military secrets from defense contractors</a> and their subcontractors are nothing new. A 2010 report from the Defense Security Service branch of the Department of Defense warned that "the United States' technical lead, competitive edge, and strategic military advantage are at risk; and our national security interests could be compromised" by what it said were an escalating number of "pervasive, relentless, and unfortunately, at times, successful" information security attacks against defense contractors. <P> But many reported incidents, such as the <a href="http://www.informationweek.com/government/security/web-probes-on-defense-contractors-rising/224201454">theft of information relating to the advanced Lockheed Martin F-35 stealth fighter jet</a> in 2009, have been far more extensive than public accounts have suggested. 
Interestingly, China conducted the first test flight of its <a href="http://www.telegraph.com/news/worldnews/asia/china/9647722/China-makes-first-test-flight-of-new-stealth-fighter-jet.html">own stealth fighter</a> in November 2012. Meanwhile, Bloomberg reported that the theft of information relating to the Lockheed Martin F-22 Raptor led some intelligence officials to suggest that it might be unsuitable for combat because stolen information might be used to compromise critical systems. <P> The QinetiQ hack attack campaign recalls the <a href="http://www.informationweek.com/security/attacks/8-lessons-from-nortels-10-year-security/232601092">10-year breach of Nortel</a>, during which time attackers maintained a persistent presence inside the company's network. Attackers stole numerous telecommunications and networking secrets, despite persistent signs that the Nortel network had been compromised.
2013-05-02T11:35:00Z
Twitter To News Outlets: More Takeovers Ahead
Twitter memo warns of ongoing account takeover attempts, urges media businesses to prepare. Should Twitter be doing more?
http://www.informationweek.com/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094?cid=SBX_iwk_related_commentary_Policy_education
Twitter this week warned news and media outlets to expect ongoing attempts to take over their Twitter accounts and offered detailed guidance for how businesses could improve their security posture. <P> "There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers," read a memo distributed this week by Twitter and <a href="http://www.buzzfeed.com/jwherrman/twitter-warns-journalists-we-believe-that-these-attacks-will">reprinted by Buzzfeed</a>. 
<P> Twitter's security outreach campaign comes in the wake of the Syrian Electronic Army this week compromising more than a dozen Twitter accounts <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">maintained by the <em>Guardian</em></a> to decry its "lies and slander about Syria." That followed the hacktivist group last week compromising multiple Associated Press accounts and issuing a hoax tweet claiming that <a href="http://www.informationweek.co.uk/security/attacks/ap-twitter-hack-lessons-learned/240153626">explosions at the White House</a> had injured President Obama. The tweet led to a brief downturn in the stock market. The group's previous Twitter account compromises have affected Al-Jazeera English, BBC, CBS, France24, National Public Radio, Reuters and Sky News. <P> How does Twitter recommend that businesses at high risk of having their Twitter accounts compromised -- by a hacktivist group that's strongly aligned to Syrian President Bashar al-Assad, or anyone else with a grudge -- protect themselves? <P> For starters, it recommended employee training, pointing out that recent account takeovers appear to be spear-phishing attacks that target corporate email. Thus it recommends that businesses promote individual awareness of these attacks within the organization. In other words, <a href="http://www.darkreading.com/hacked-off/on-security-awareness-training/240151108">train your employees to recognize fake emails</a>. <P> <strong>[ Two-factor authentication is a step in the right direction, but it's just a start. 
Read <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672?itc=edit_in_body_cross">Twitter Two-Factor Authentication: Too Little, Too Late?</a> ]</strong> <P> Twitter also recommends that businesses set a randomly generated password that's at least 20 characters in length, to never distribute passwords via email, use <a href="http://www.informationweek.co.uk/security/client/10-top-password-managers/240153906">password managers</a>, regularly change passwords and also ensure that all "authorized applications" that are allowed to access a Twitter account are recognized. It also recommends tying the Twitter account email to an email system that <a href="http://www.informationweek.com/security/vulnerabilities/google-enables-two-factor-authentication/229216897">uses two-factor authentication</a> -- be it Gmail, Hotmail or a corporate email system -- to make it harder for attackers to use password resets to gain control of accounts. <P> Finally, Twitter also suggested that high-risk businesses consider setting aside one computer for tweeting and little else. "Don't use this computer to read email or surf the Web, to reduce the chances of malware infection," Twitter recommended. "This helps keep your Twitter password from being spread around." <P> Twitter's guidance to businesses aside, is there more that the company could do to protect its users? Notably, Twitter is reportedly <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">beta-testing two-factor authentication</a> for its site. But two-factor authentication won't protect Twitter users from having their credentials intercepted via malware or phishing attacks. 
That's why many security experts have been <a href="http://www.informationweek.co.uk/security/management/twitter-two-factor-authentication-too-li/240153672">calling on Twitter to put more robust defenses in place</a> for blocking account takeovers -- for example, by taking a page from Facebook and allowing users to register machines as "trusted," or requiring additional login credentials when someone tries to access an account from a new geographic region for the first time. <P> Twitter may also need to begin encrypting the session tokens it issues. "Not all account hijacks are based on phishing and spear-phishing. Sometimes tweets are sent out because an unencrypted session is hijacked and while this may not be the case in this instance, it's sometimes convenient for service providers to assume that security breaches are the fault of the user," said David Harley, senior research fellow at security firm ESET, in a <a href="http://www.welivesecurity.com/2013/04/30/twitter-blames-spear-phishing-for-recent-hacks-and-warns-news-companies-to-expect-more/">blog post</a>. <P> "There are limits to what Twitter [or the user] can do about this issue," Harley added. "However, the risk can be reduced by browsing from VPN connections and/or accessing sites via SSL, but that's not always convenient. What might also help is not having a Twitter account running permanently in the background, but that may not be convenient for many Twitter users either."
2013-05-01T13:35:00Z
FBI Seeks Real-Time Facebook, Google Wiretaps
Government proposal would expand wiretap laws to cover not just service providers, but also the likes of Facebook and Google.
http://www.informationweek.com/security/privacy/fbi-seeks-real-time-facebook-google-wire/240154011?cid=SBX_iwk_related_commentary_Policy_education
Should Facebook, Google and similar sites be forced to adapt their infrastructure so that the FBI and other law enforcement agencies can easily tap suspects' communications in real time? <P> That's the <a href="http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html">impetus behind new wiretap guidelines</a> being drawn up by a government panel, according to the <em>Washington Post</em>. <P> The draft guidelines, championed by the FBI, would allow courts to impose escalating fines on any business that didn't immediately comply with a court-ordered request for real-time communications interception, regardless of whether the Web service provider said such interception was technically feasible. Any business that fails to comply with the wiretap request could face fines that start at tens of thousands of dollars, then double daily after 90 days of noncompliance. 
The White House reportedly hasn't yet signed off on the proposals. <P> <strong>[ Questions about employee surveillance? Read <a href="http://www.informationweek.com/global-cio/personnel/watching-workers-wheres-the-line/240150904?itc=edit_in_body_cross">Watching Workers: Where's The Line?</a> ]</strong> <P> "Today, if you're a tech company that's created a new and popular way to communicate, it's only a matter of time before the FBI shows up with a court order to read or hear some conversation," Perkins Coie attorney Michael Sussmann, a former federal prosecutor, told the <em>Post</em>. "If the data can help solve crimes, the government will be interested." <P> In 2005, in an expansion of the Communications Assistance for Law Enforcement Act (CALEA), the Federal Communications Commission ruled that service providers, as well as VoIP providers, had to overhaul their networks to allow real-time interception. But that doesn't apply to businesses such as Facebook and Google. Accordingly, the FBI now tends to back off when those companies or their peers say they can't easily comply with an intercept request for technical reasons, rather than attempting to initiate contempt proceedings, reported the <em>Post</em>. <P> But the bureau would like that to change. "The importance to us is pretty clear," the FBI's general counsel, Andrew Weissmann, <a href="http://www.c-spanvideo.org/program/NewTechnolo">last month said in a speech</a> to the American Bar Association's Standing Committee on Law and National Security. "We don't have the ability to go to court and say, 'We need a court order to effectuate the intercept.' Other countries have that. Most people assume that's what you're getting when you go to a court." <P> The bureau's push for expanded wiretapping powers is far from unexpected. 
Indeed, reports surfaced last year that the <a href="http://www.informationweek.co.uk/security/management/new-fbi-surveillance-backdoors-6-key-poi/240000653">FBI was meeting with Facebook</a>, Google, Microsoft and Yahoo, among other companies, to query how the bureau could best conduct surveillance of their services while causing minimal disruption. <P> In 2011, meanwhile, longtime FBI director Robert S. Mueller III urged Congress to give the bureau <a href="http://www.informationweek.co.uk/government/security/fbi-seeks-expanded-web-wiretapping-capab/229218950">greater wiretapping capabilities</a>, warning that to do otherwise meant there would be "a very real risk of the government 'going dark,' resulting in an increased risk to national security and public safety." <P> But civil rights groups have warned that the proposal to fine businesses that don't proactively aid FBI surveillance of their communications services risks wiretap capabilities being abused by attackers. "At the very time when the nation is concerned about cybersecurity, the FBI proposal has the potential to make our communications less secure," said Joe Hall, a senior staff technologist for the Center for Democracy and Technology, in a statement. "Once you build a wiretap capability into products and services, the bad guys will find a way to use it." <P> Another unanswered question is how new intercept capabilities would be tested or vetted. Would changes to popular services -- such as Facebook or Gmail -- first require a corresponding sign-off from IT staff at the FBI before they could be put into production? <P> "What the FBI is proposing sounds benign, but it comes with such onerous penalties that it would force developers to seek pre-approval from the FBI," said CDT president Leslie Harris in a statement. 
"No one is going to want to face fines that double every day, so they will go to the FBI and work it out in advance, diverting resources, slowing innovation, and resulting in less secure products." <P> <i>In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe. Get our <a href="http://www.darkreading.com/ApplicationSecurity/util/10426/download.html?k=axxe&cid=article_axxe">Insecurity With Java</a> report today. (Free registration required.)</i>
2013-05-01T11:41:00Z
U.S. Labor Dept. Website Hacked, Serves Malware
Attack bears strong similarities to previous campaigns executed by Chinese APT attack group "DeepPanda," reports security expert.
http://www.informationweek.com/security/attacks/us-labor-dept-website-hacked-serves-malw/240153984?cid=SBX_iwk_related_commentary_Policy_education
The U.S. Department of Labor website was hacked Tuesday evening to launch drive-by attacks at visitors' Web browsers. <P> That warning was sounded Wednesday morning by Jaime Blasco, director of AlienVault Labs, as well as Anup Ghosh, CEO of Invincea, both of whom reported that the Department of Labor servers had been infected by malicious code. <P> A Department of Labor spokeswoman, reached by phone, declined to comment on the attack reports. 
But Blasco said via email: "Several people within the U.S. government have been contacted so they should be working on it right now. We published this information because the exploit is still there and we are trying to warn people not to visit the website." <P> <strong>[ Redact throws down a security gauntlet. Read <a href="http://www.informationweek.com/mobility/security/can-you-hack-this-smartphone-app-for-100/240153918?itc=edit_in_body_cross">Can You Hack This Smartphone App For £10,000?</a> ]</strong> <P> By late Wednesday morning, the malware campaign appeared to have been stopped. "The site has since been fixed and <a href="http://www.invincea.com/2013/05/k-i-a-us-dol-website-pushing-poison-ivy-cve-2012-4792/">law enforcement is investigating</a>," said Invincea's Ghosh in a blog entry posted late Wednesday morning. <P> <a href="http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/">How did the attack work?</a> If a system was successfully compromised by the malicious code running on the Department of Labor's website, it would "phone home" to a command-and-control (C&C) server that's disguised as a Microsoft update server. "The C&C protocol matches with a backdoor used by a known Chinese actor called DeepPanda," Blasco said in a blog post. <P> In addition, Blasco said the attack code used strongly resembled a previous exploit seen against a <a href="http://labs.alienvault.com/labs/index.php/2012/thailand-ngo-site-hacked-and-serving-malware/">Thai nongovernmental organization</a> that focuses on human rights under the auspices of the <a href="http://en.wikipedia.org/wiki/Association_of_Southeast_Asian_Nations">Association of Southeast Asian Nations</a>. 
<P> Security intelligence firm CrowdStrike has <a href="http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf">tied DeepPanda</a> to a number of <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">advanced persistent threat (APT) attacks</a>, noting that the group's attacks "target various strategic interests of the United States including high tech/heavy industry, non-governmental organizations (NGOs), state/federal government, defense industrial base (DIB), and organizations with vast economic interests." <P> The malware served by the Department of Labor website targeted a vulnerability that's been patched by Microsoft. According to Blasco, "after a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year." According to a <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792">related vulnerability summary</a> from NIST, the flaw involves a "use-after-free vulnerability in Microsoft Internet Explorer 6 through 8" which attackers can use to remotely execute arbitrary code in a vulnerable browser. The vulnerability was first discovered in December 2012, when it was seen in zero-day attacks. <P> The malware loaded onto the Department of Labor server also attempted to execute JavaScript code in a browser, with the code being served up directly from the Department of Labor website. The malware also attempted to execute a malicious PHP script that's downloaded from an external server that's currently <a href="http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115">hosted by OC3 Networks & Web Solutions</a> in Los Angeles, and which also received information about compromised systems. <P> If the malware was successfully able to exploit the IE vulnerability, it downloaded an attack payload from a remote server. 
Blasco said that as of early Wednesday morning, <a href="https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/">according to VirusTotal</a>, the downloaded code was being flagged as malicious by only two out of 46 antivirus scanners. But by later that morning, 13 antivirus scanners had been updated to identify the attack. <P> The PHP script used in the attack "will collect a lot of information from the system and then it will upload the information collected to the malicious server," said Blasco. In particular, the script checks to see if Flash or Java browser plug-ins are installed on the system, and if so, which versions. Other routines, meanwhile, look for the presence of BitDefender security software, and if they find it, attempt to deactivate it. The script also searches for the presence of other information security software, including AVG, Avira, Dr.Web, ESET, F-Secure, Kaspersky Lab, McAfee, Microsoft Security Essentials and Sophos. The script also looks for the Google Chrome plug-ins for the Avast or Avira antivirus, and checks to see if Microsoft Office is installed.
2013-04-30T13:57:00Z
Darkleech Apache Attacks Intensify
Security researchers discover hard-to-detect, memory-resident Linux malware compromising Apache servers and redirecting browsers to other infected sites.
http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922?cid=SBX_iwk_related_commentary_Policy_education
Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called <a href="http://www.informationweek.co.uk/security/attacks/darkleech-attacks-hit-20000-websites/240152215">Darkleech attack campaign</a> that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities. 
<P> While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details <a href="http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/">how to identify and remediate servers</a> infected by the malware. <P> Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. As part of the handoff, interestingly, Cdorked adds useful attack information to the invoked link, such as the URL from which the browser has been redirected and, according to Bureau, whether or not the request was originally to a JavaScript file so the server [can] provide the right [attack] payload. <P> <strong>[ Have a D-Link IP camera? Upgrade your firmware now. For more details, read <a href=" http://www.informationweek.com/security/vulnerabilities/d-link-camera-security-flaw-upgrade-now/240153917?itc=edit_in_body_cross">D-Link Camera Security Flaw: Upgrade Now</a>. ]</strong> <P> Unfortunately, detecting servers that are infected with Cdorked isn't straightforward. "The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis," Bureau explained, noting that the malware stores no data on a server's hard drive. "All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. This means that no command and control information is stored anywhere on the system." 
<P> Attackers access a "backdoored server" either <a href="http://en.wikipedia.org/wiki/Shellcode">by using a reverse shell</a> or by using HTTP requests to relay commands. The reverse shell -- or connect-back-shellcode -- requests, however, leave traces that can help administrators identify servers that have been compromised by attackers. "[When] the shell is used by the attacker, the HTTP connection creating it is hung [the backdoor code does not implement forking]," said Bureau. "This implies that malicious shells can be found if one has access to the server and checks for long-running HTTP connections. On the other hand, the HTTP request does not appear in Apache's log file due to the way the malicious code is hooked into Apache." <P> But the best way to identify infected servers, Bureau said, is to scan servers for the presence of shared memory created by the malware, which will comprise about 6 MB and store the malware's state and configuration information. <P> The Darkleech campaign was first spotted in early March, when a security researcher at Sophos found that malicious modules added to Apache installations were using iFrames and JavaScript to redirect visitors to websites infected with the <a href="http://www.informationweek.co.uk/security/vulnerabilities/blackhole-botnet-creator-buys-up-zero-da/240145769">Blackhole crimeware toolkit</a>. <P> Early this month, meanwhile, Cisco security researcher Mary Landesman warned that an estimated 20,000 legitimate websites that use Apache HTTP server software had been compromised as part of Darkleech. Those attacks -- as with Cdorked -- have focused on infecting vulnerable Apache installations with an SSHD backdoor. Attackers were able to load malicious modules onto the servers, which then served up drive-by attacks against website visitors. <P> Which Apache vulnerabilities are attackers exploiting? 
Cisco last week reported that Darkleech attackers may be exploiting a <a href="http://kb.parallels.com/en/113374">Horde/IMP Plesk Webmail bug</a> in the third-party webmail bundled with unpatched, older versions of the Parallels Plesk control panel software used by many Web hosting providers. "By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server," said Craig Williams of Cisco's Security Intelligence Operations (SIO) threat research group, in a <a href="http://blogs.cisco.com/security/possible-exploit-vector-for-darkleech-compromises/">blog post</a>. <P> To help block Darkleech attacks, Williams <a href="http://www.darkreading.com/attacks-breaches/possible-exploit-avenue-discovered-for-d/240153697">recommended that website administrators</a> keep their Apache server software fully patched and updated. <P> <strong>Update:</strong> A Parallels spokeswoman said via email that a patch is available for the Plesk vulnerability identified by Cisco. "The exploit warned about by a Cisco researcher was in the third-party Horde webmail for Plesk 9.3 and earlier (products circa 2009 and earlier), not in the Plesk control panel itself," she said. "These Plesk versions are end-of-lifed now, but <a href="http://kb.parallels.com/en/113374">a patch was promptly issued</a> in February 2012."
2013-04-30T12:33:00Z
D-Link Camera Security Flaw: Upgrade Now
16 vulnerable D-Link IP camera models have a password issue that provides a back door, so attackers could intercept the live video feed.
http://www.informationweek.com/security/vulnerabilities/d-link-camera-security-flaw-upgrade-now/240153917?cid=SBX_iwk_related_commentary_Policy_education
Multiple models of Internet-connected D-Link cameras have vulnerabilities that could be remotely exploited by attackers to bypass authentication and gain direct access to live video feeds. <P> That warning was sounded Monday by Core Security, which released a <a href="http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities">security bulletin</a> detailing five vulnerabilities in the firmware used by a variety of D-Link Internet protocol (IP) cameras. <P> D-Link <a href="http://www.dlink.com/us/en/support">released updated firmware</a> Thursday to address the vulnerabilities. At least 16 different D-Link IP cameras, including one Tesco-branded model, are susceptible to one or more of the vulnerabilities. <P> <strong>[ Afraid your Twitter account will be hacked? Read <a href="http://www.informationweek.com/security/management/twitter-trouble-9-social-media-security/240153648?itc=edit_in_body_cross">Twitter Trouble: 9 Social Media Security Tips</a>. 
]</strong> <P> According to Core Security, the identified vulnerabilities include an operating system command injection flaw that "allows an unauthenticated remote attacker to execute arbitrary commands through the camera's web interface," as well as two authentication bypasses, one of which would allow an attacker to access a device's video stream via HTTP, and another that attackers could use to access the <a href="http://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol">Real Time Streaming Protocol</a> (RTSP) video stream. Another bug would allow attackers to access a live, black-and-white ASCII video stream -- designed for low-bandwidth connections -- built from the luminance (light levels) seen by the device. As an example, Core Security included an ASCII video still of a coffee pot in its post to the <a href="http://seclists.org/fulldisclosure/2013/Apr/253">Full Disclosure mailing list</a>. <P> Finally, all 16 vulnerable D-Link models contain a hardcoded password -- "?*" -- that provides a back door to the devices, which would enable attackers to access their live RTSP video stream. <P> Paul Ducklin, head of technology for Sophos in the Asia Pacific region, <a href="http://nakedsecurity.sophos.com/2013/04/30/what-were-they-thinking-internet-enabled-cameras-under-the-security-lens-once-again">responded to the detailed security flaws</a> with four words: "What were they thinking?" <P> "Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code," he said in a blog post. "And never create backdoors by setting up emergency logins with well-known username/password pairs 'just in case,' because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update."
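<P> Ducklin's two "never" rules are easy to state and easy to violate in firmware. Below, as an added illustration that is neither D-Link's code nor Core Security's proof of concept, a login check with a fixed emergency password (the "?*" string the article reports) sits beside a hardened version: a single account created by the owner at first boot, per-device salted PBKDF2 hashes, no fallback credential, and a constant-time comparison that takes the same path whether or not the username exists. The account name, iteration count and helper names are assumptions.

```python
"""A hardcoded "emergency" login beside its hardened replacement.

Added illustration; not D-Link firmware and not Core Security's PoC.  The
back-door string "?*" is the value reported in the article; everything else
(account names, PBKDF2 parameters, helper names) is an assumption.
"""
import hashlib
import hmac
import os

# --- Vulnerable pattern -----------------------------------------------------
BACKDOOR_PASSWORD = "?*"   # fixed value shipped in every unit, per Core Security


def authenticate_vulnerable(users, username, password):
    """users maps username -> plaintext password.

    Accepts the real password OR the hardcoded one for *any* username.  That
    is the "emergency login" Ducklin warns about: one unpacked firmware image
    unlocks every camera ever shipped, and no configuration change removes it.
    """
    if password == BACKDOOR_PASSWORD:
        return True
    return users.get(username) == password   # plaintext storage and compare, also bad


# --- Hardened pattern -------------------------------------------------------
PBKDF2_ITERATIONS = 100_000   # assumption; size to the device's CPU budget
_DUMMY_SALT = b"\x00" * 16    # used for unknown accounts so the cost is identical
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def provision(admin_password):
    """First-boot setup: the only account is the one the owner just created.

    There is no factory default and no fallback credential to leak.
    """
    return {"admin": hash_password(admin_password)}


def authenticate_hardened(users, username, password):
    """users maps username -> (salt, digest), as produced by hash_password().

    Unknown usernames are hashed against dummy values so the work done and
    the comparison performed are the same whether or not the account exists;
    the existence check is applied only after the constant-time compare.
    """
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    match = hmac.compare_digest(candidate, stored)
    return match and username in users
```

The remaining point from the advisory, that the RTSP and HTTP video paths must each call the same check rather than carry their own credentials, is a matter of wiring every endpoint through <code>authenticate_hardened</code>; a stream handler that never calls it is the authentication bypass Core describes.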
<P> Also Monday, Core Security released a security bulletin identifying multiple vulnerabilities in at least <a href="http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities">two different models of Vivotek IP cameras</a>. "Several Vivotek cameras store wireless keys and third-party credentials in clear text allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks," said Core Security. This sensitive information includes FTP and shared folder access credentials, as well as wireless access point keys, among other credentials. Other vulnerabilities identified could be used to trigger a remote buffer overflow and execute arbitrary code on a device or access a device's live video stream via RTSP without having to first authenticate. <P> Core Security said that after six failed attempts to alert Vivotek to the vulnerabilities -- the first time on March 6, and the last on April 24 -- it had received "no official answer from Vivotek." Accordingly, Core Security released its security bulletin, which includes full vulnerability details, to warn end users about the flaws in Vivotek's firmware. <P> Vivotek didn't immediately respond to a request for comment emailed to its headquarters in Taiwan, asking if the company was aware of the vulnerability report, if it could confirm the flaws, and if it was working to create updated firmware and notify affected customers. <P> The news of the D-Link and Vivotek vulnerabilities follows warnings released earlier this month that <a href="http://www.informationweek.co.uk/security/vulnerabilities/wireless-camera-flaws-allow-remote-explo/240153001">firmware flaws in some Foscam IP cameras</a> would allow an attacker to remotely access the devices without having to authenticate, as well as to steal the authentication credentials stored on the devices. 
<P> Although Foscam has released updated firmware to address the vulnerabilities, security firm Qualys, which uncovered the flaws, reported earlier this month that 99% of vulnerable devices were still using an old version of the firmware. In part, that's because many Internet-connected devices -- and especially cameras used for surveillance purposes -- tend to be plugged in and left to run. "Security patches for hardware devices like routers, printers and cameras are often overlooked," said Ducklin, even though many of these devices have built-in Web servers. <P> What's the risk? "Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network," he said, referring to the possibility that an attacker could load malicious code onto a vulnerable device, then use the device to distribute malware to other network-connected or Internet-connected devices. From a monitoring standpoint, meanwhile, businesses face a physical security threat if attackers are able to access surveillance cameras that monitor sensitive facilities, or if <a href="http://www.informationweek.com/news/security/vulnerabilities/231602113">unscrupulous competitors access documents</a> stored by Internet-connected multi-function printers.
2013-04-29T11:01:00Z
Spamhaus DDoS Suspect Arrested
Cyberbunker leader traveled across Spain in a van, accessing Wi-Fi hotspots to launch DDoS attacks against anti-spam opponents, Dutch authorities allege.
http://www.informationweek.com/security/attacks/spamhaus-ddos-suspect-arrested/240153788?cid=SBX_iwk_related_commentary_Policy_education
Police in the Netherlands Friday announced the arrest of a 35-year-old Dutchman on charges of having launched "unprecedented heavy attacks on the non-profit organization Spamhaus." <P> The suspect, <a href="http://www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/">identified only as "S.K."</a> by Dutch police, has been named in multiple news reports as Sven Kamphuis, the leader of Amsterdam-based "bulletproof hosting provider" Cyberbunker, as well as service provider CB3ROB. Kamphuis has been a vocal proponent of -- <a href="http://www.informationweek.com/security/attacks/ddos-spam-feud-backfires-bulletproof-cyb/240151895">although not, he's claimed, participant in</a> -- the Stophaus.com movement that seeks to undercut anti-spam intelligence service Spamhaus. <P> "S.K." was arrested Thursday on a European arrest warrant by Spanish police, 22 miles north of Barcelona, after a 25-day investigation that was coordinated via <a href="http://www.eurojust.europa.eu/">Eurojust</a>, the European Union's judicial cooperation agency. As part of the arrest, Spanish police also seized two laptops, as well as multiple mobile phones and storage devices. <P> According to a statement released by Spain's Interior Ministry, "the suspect was traveling across Spain in a van that he used as mobile computing office," which was "equipped with various antennas to scan frequencies," which allowed him to access Wi-Fi networks, through which authorities said he not only conducted media interviews but also launched DDoS attacks. <P> <strong>[ What are your takeaways from the "Stophaus" DDoS campaign? 
Read <a href="http://www.informationweek.com/security/vulnerabilities/spamhaus-ddos-attacks-what-business-shou/240151933?itc=edit_in_body_cross">Spamhaus DDoS Attacks: What Business Should Learn</a>. ]</strong> <P> Spanish police said that upon his arrest, the suspect identified himself as a diplomat, saying he was the Minister of Telecommunications and Foreign Affairs for the Republic of Cyberbunker. <P> According to the High Tech Crime Team police unit in the Netherlands, the DDoS attacks launched against Spamhaus -- of which Kamphuis is being accused -- targeted servers in the United States, United Kingdom and the Netherlands, and used spoofed IP addresses. The DDoS attacks gained notoriety by <a href="http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/240151862/misconfigured-open-dns-servers-used-in-record-breaking-ddos-attack.html">peaking at an unprecedented 300 gigabits per second</a>, leading some commentators to falsely assert that <a href="http://www.informationweek.com/security/attacks/ddos-attack-doesnt-spell-internet-doom-7/240151921">the attacks slowed down the Internet</a>. <P> The Spamhaus Project maintains real-time spam-blocking databases used by a variety of service providers, as well as government and military network operators, to help them block spam. According to Matthew Prince, CEO of DDoS prevention service CloudFlare -- of which Spamhaus is a customer -- 80% of spam traveling across the Internet gets filtered thanks to Spamhaus. <P> The dispute between Cyberbunker and Spamhaus stems from the anti-spam service previously requesting that Cyberbunker block <a href="http://www.informationweek.com/security/client/3-banks-service-majority-of-spam-driven/229625599">pharmaceutical spam</a> and <a href="http://www.informationweek.com/security/attacks/online-criminals-best-friends-malnets/240008264">botnet communications</a> emanating from its networks.
<P> "A year ago, we started seeing pharma and botnet controllers at Cyberbunker's address ranges, so we started to list them," an anonymous <a href="http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/">Spamhaus member</a> told security reporter Brian Krebs Friday. "We got a rude reply back, and he made claims about being his own independent country in the Republic of Cyberbunker, and said he was not bound by any laws and whatnot. He also would sign his emails 'Prince of Cyberbunker Republic.' On Facebook, he even claimed that he had diplomatic immunity." <P> That response led Spamhaus to request that Cyberbunker's service provider, DataHouse, and ultimately its service provider, A2B Internet, block all of Cyberbunker's traffic. When they refused to do so, however, Spamhaus added both service providers to its spam-blocking list. Even as the service providers complied by blocking Cyberbunker's traffic, they decried what they saw as strong-arm tactics. <P> "Cyberbunker isn't even a customer of ours, but is rather a customer of DataHouse (who also has their own network and IP addresses) and to move up two ISPs and start complaining there is just insane," said A2B Internet director Erik Bais at the time. "On top of that, putting the IPs of that ISP on a blacklist to 'make your point' is something I don't have a good word for." <P> Ultimately, Stophaus last month launched a DDoS attack against Spamhaus. But both Stophaus and Cyberbunker soon found themselves at the receiving end of a DDoS attack that disrupted their own operations.
2013-04-29T09:33:00Z
Syrian Hacktivists Hit Guardian Twitter Feeds
Pro-Assad hacktivist group takes over 11 Twitter feeds belonging to British news group, decries "lies and slander about Syria."
http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800?cid=SBX_iwk_related_commentary_Policy_education
The Syrian Electronic Army (SEA) announced Sunday that it took over 11 Twitter feeds belonging to Britain's <em>Guardian</em> newspaper, including its book, film, photography and travel feeds, as well as multiple journalists' accounts. It also posted passwords -- composed of 15 randomized characters -- it claimed were for four of the compromised accounts. <P> By Monday, many of the accounts were suspended by Twitter, although SEA appeared to still be compromising additional accounts, including the <em>Guardian's</em> business feed. "Follow the Syrian Electronic Army ... Follow the truth!" 
read a message posted to some compromised Twitter accounts. <P> "We are aware that a number of Guardian Twitter accounts have been compromised and we are working actively to resolve this," said a Guardian News & Media spokeswoman via email. She declined to comment on how the accounts had been compromised. <P> <strong>[ Worried about your Twitter account getting hacked? Read <a href="http://www.informationweek.com/security/management/twitter-trouble-9-social-media-security/240153648?itc=edit_in_body_cross">Twitter Trouble: 9 Social Media Security Tips</a>. ]</strong> <P> The SEA said the disruptions were made to protest the newspaper's "lies and slander about Syria," according to a <a href="http://syrianelectronicarmy.com/article.php?id=1951&lang=en">statement posted to the group's website</a>. Some accounts also had their profiles changed to display a graphic of an eagle bearing the <a href="http://en.wikipedia.org/wiki/Flag_of_Syria#Flag_used_by_the_Assad_government">flag of the Syrian Arab Republic</a> used by parties loyal to the current regime, led by President Bashar al-Assad and the Ba'ath Party. <P> A two-year civil war in Syria has claimed an estimated 70,000 lives to date. The White House in recent days said that U.S. intelligence reports have suggested that the nerve agent sarin may have been used on a "small scale" by Assad supporters against their opponents, <a href="http://www.guardian.co.uk/world/middle-east-live/2013/apr/26/syria-chemical-weapons-red-line-live">reported</a> the <em>Guardian</em>. <P> The SEA has previously attacked news organizations -- including the BBC and Qatari-backed al-Jazeera TV -- over coverage that the group deemed to be unfavorable to the current Assad regime.
Tuesday, notably, the SEA posted a hoax tweet via an Associated Press Twitter feed <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">saying that President Obama had been injured in explosions</a> at the White House. The tweet has been blamed for triggering a temporary downturn in the stock market. <P> The AP has yet to confirm how its Twitter accounts were compromised, although some news reports said that an <a href="http://www.informationweek.com/security/management/twitter-trouble-9-social-media-security/240153648">SEA-conducted phishing campaign</a> was responsible. Security experts, however, have said that the group has employed a variety of account-takeover tactics. "In many cases, the SEA carries out their attacks in a manner that is difficult to detect," said Ted Ross, the executive technologist at HP Security's Office of Advanced Technology, in a recent blog post rounding up <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Understanding-the-Syrian-Electronic-Army-SEA/ba-p/6040559">what's known about the Syrian Electronic Army</a>. <P> The group's tactics also continue to evolve. "The SEA has kind of shifted from actively defacing websites they perceive hostile to the Syrian regime to mostly compromising Twitter accounts of media organizations," Helmi Noman, a senior researcher at the University of Toronto's Citizen Lab, <a href="http://www.nbcnews.com/technology/technolog/ap-latest-victim-string-twitter-break-ins-syrian-electronic-army-6C9567459">told</a> NBC News. <P> The AP account compromise led to reports that Twitter is now <a href="http://www.informationweek.com/security/attacks/twitter-preps-two-factor-authentication/240153539">testing a two-factor authentication system internally</a>, which it plans to roll out at an unspecified date.
But security experts have warned that such a system <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">still wouldn't protect Twitter users</a> from having their accounts compromised via malware or phishing attacks. <P> The SEA has recently been engaging in a cat-and-mouse game with Twitter, which has been suspending the group's own accounts -- recently named "@Official_SEA" followed by a number -- almost as quickly as they've been used to boast of compromised targets. <P> That level of account churn has left the Syrian Electronic Army vulnerable to its opponents. "The Syrian Electronic Army use to be Pro-Assad, since he used chemical weapons against our brothers and sisters, no more, Assad is a Ass!" read a Saturday tweet from the @Official_SEA7 account. "OK so you need to unfollow @SEA_Official8 and @SEA_Official7, the correct one is @Official_SEA7." <P> But a message posted Monday to @Official_SEA12 -- an account registered late Sunday and cross-referenced from the SEA's own website -- said that @Official_SEA7 was "a fake account."
2013-04-26T12:38:00Z
Email Without A Warrant? Senators Not Sold
An update to the 1986 Electronic Communications Privacy Act would require police to demonstrate probable cause before accessing someone's email or stored cloud data.
http://www.informationweek.com/security/government/email-without-a-warrant-senators-not-sol/240153731?cid=SBX_iwk_related_commentary_Policy_education
The Senate has advanced legislation that would require law enforcement agencies to obtain a warrant from a judge before they could access someone's email or other data stored in the cloud. <P> Currently, under the Electronic Communications Privacy Act (ECPA), law enforcement agencies can subpoena any email that's been opened by a recipient or that's more than 180 days old; no warrant -- and accompanying requirement to first demonstrate probable cause -- required.
<P> But the Leahy-Lee ECPA Amendments Act, approved Thursday by the Senate Judiciary Committee, would prohibit warrantless access to stored, online communications. "The bill would require law enforcement agents to obtain a warrant in order to gain access to the contents of email and of documents, pictures and other information stored in the cloud," said Greg Nojeim, senior counsel at the civil rights group Center for Democracy & Technology (CDT), in a <a href="https://www.cdt.org/blogs/greg-nojeim/2504ecpa-reform-takes-giant-leap-forward">blog post</a>. <P> <strong>[ Why can't lawmakers seem to get privacy legislation right? Read <a href="http://www.informationweek.com/security/management/cispa-20-house-intelligence-committee-fu/240152923?itc=edit_in_body_cross">CISPA 2: House Intelligence Committee Fumbles Privacy Again</a>. ]</strong> <P> "I have long believed that our government should obtain a search warrant -- issued by a court -- before gaining access to private communications," Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said earlier this month, <a href="http://thehill.com/blogs/hillicon-valley/technology/295221-this-week-in-tech-congress-moves-on-email-privacy-bill">reported</a> <em>The Hill</em>. "I have worked over the last several years to update our federal privacy laws to better safeguard our privacy rights in the digital age." <P> The bill, co-sponsored by Leahy and Sen. Mike Lee (R-Utah), appears to enjoy strong bipartisan support, including that of ranking Senate Judiciary Committee member Sen. Chuck Grassley (R-Iowa). <P> Law enforcement, business and academic representatives have been <a href="http://www.informationweek.co.uk/government/policy/congress-weighs-online-privacy-law-updat/240151282">urging Congress to revise</a> the ECPA -- which was passed in 1986 and updated in 1994 and in 2001 -- for years, albeit not always in the same way. 
While civil rights groups have called for greater privacy protections to be extended to emails, for example, the Justice Department has <a href="http://www.informationweek.com/security/privacy/justice-department-opposes-changes-to-el/229401192">lobbied Congress to leave ECPA unchanged</a>. <P> Congressional efforts to reform ECPA seemed to <a href="http://www.informationweek.co.uk/security/privacy/petraeus-snoop-7-privacy-facts/240142247">gain renewed vigor</a> last year, however, after the FBI's investigation into allegedly threatening emails sent anonymously to Jill Kelley, a friend of then-CIA director David H. Petraeus. The investigation revealed that Petraeus was having an extramarital affair with his biographer, Paula Broadwell. The pair coordinated their affair, at least in part, by <a href="http://www.informationweek.co.uk/security/privacy/petraeus-fallout-5-gmail-security-facts/240124937">saving draft emails to each other</a> in a shared Gmail account, which the FBI would have been able to access without a warrant. <P> While ECPA was designed to balance people's privacy rights with the needs of law enforcement agencies investigating crimes, privacy rights groups have accused the Department of Justice of taking an overly broad interpretation of ECPA, based on the agency's reading that opened or old emails aren't subject to the protection of the <a href="http://www.informationweek.com/security/privacy/7-facts-about-geolocation-privacy/240005824">Stored Communications Act</a>, which limits the ability of police to compel service providers to disclose data without a warrant. <P> After the Ninth Circuit Court of Appeals, which covers the western United States -- including California -- ruled that the Stored Communications Act did apply to opened emails left on a provider's servers, the Justice Department advised investigators that when accessing emails more than 180 days old without using a warrant, they should do so outside the court's jurisdiction.