InformationWeek Stories by Mathew Schwartz (http://www.informationweek.com). Copyright 2012, UBM LLC.

2013-05-21T13:16:00Z
Google Aurora Hack Was Chinese Counterespionage Operation
Attackers were after U.S. government surveillance requests for undercover Chinese operatives, say former government officials.
http://www.informationweek.com/security/attacks/google-aurora-hack-was-chinese-counteres/240155268

A high-profile attack against Google in late 2009 -- part of what was later dubbed Operation Aurora -- was a counterespionage operation run by the Chinese government, according to former U.S. government officials with knowledge of the breach. <P> The officials said the attackers successfully accessed a database that flagged Gmail accounts subject to court-ordered wiretaps. That information would have told the attackers which active FBI and other law enforcement investigations involved undercover Chinese operatives. <P> "Knowing that you were subjects of an investigation <a href="http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html">allows them to take steps to destroy information</a>, get people out of the country," a former U.S.
government official with knowledge of the breach told the <em>Washington Post</em>, which first reported the news. But the official cautioned that the attack could also have been a deception operation by Chinese intelligence agencies, designed to feed U.S. intelligence agencies false or misleading information. <P> The new Operation Aurora revelations came after a Microsoft official disclosed last month that his company had apparently been targeted by the same attackers -- unsuccessfully, he said -- at the same time as Google. <P> "What we found was the <a href="http://www.cio.com/article/732122/_Aurora_Cyber_Attackers_Were_Really_Running_Counter_Intelligence">attackers were actually looking for the accounts that we had lawful wiretap orders on</a>," David W. Aucsmith, senior director of Microsoft's Institute for Advanced Technology, told a government IT conference hosted by Microsoft in Redmond, Wash., last month, CIO.com first reported. <P> "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way," said Aucsmith. "Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case." <P> Microsoft's account of the attacks stood in sharp contrast to <a href="http://googleblog.blogspot.co.uk/2010/01/new-approach-to-china.html">Google's disclosure</a>, published in early January 2010.
"In mid-December [2009], we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google," said a blog post by Google's chief legal officer, David Drummond. <P> At the time, having a major business publicly blame the Chinese government for having launched an information security attack against its systems was rare. <P> The successful attack against Google was dubbed Operation Aurora by security firm McAfee because attackers reportedly employed the Aurora (a.k.a. Hydraq) Trojan horse application. At the time, however, Google said its investigation into the attack found that "at least twenty other large companies from a wide range of businesses -- including the Internet, finance, technology, media and chemical sectors -- have been similarly targeted." Google also disclosed that a second branch of the attack had compromised multiple <a href="http://www.informationweek.co.uk/security/vulnerabilities/google-hackers-targeted-chinese-and-viet/224200944">Chinese and Vietnamese activists' Gmail accounts</a>. <P> All told, the Operation Aurora attacks reportedly <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html">targeted at least 34 companies</a>, including Adobe, Juniper, Rackspace, Symantec, Northrop Grumman, Morgan Stanley and Yahoo. <P> At the time, Bruce Schneier, chief security technology officer of BT, said that the <a href="http://www.schneier.com/blog/archives/2010/01/me_on_chinese_h.html ">Google attackers exploited wiretap backdoors</a> mandated by the U.S. government to access the activists' accounts. "In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access," according to Schneier. 
"Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic." <P> The Operation Aurora attacks became the basis for what's now known as an <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">advanced persistent threat (APT) attack</a>. <P> Last year, Symantec reported that the <a href="http://www.informationweek.co.uk/security/attacks/google-aurora-attackers-still-on-loose-s/240006930 ">Aurora gang was still at work</a>, and operating with a <a href="http://www.informationweek.com/security/vulnerabilities/so-you-want-to-be-a-zero-day-exploit-mil/231902813">large budget</a>. "The group seemingly has an unlimited supply of zero-day vulnerabilities," according to Symantec. "The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent."2013-05-21T11:32:00ZAnonymous Threatens Gitmo, U.S. 
Locks Down Wi-FiGuantanamo Bay Naval Base authorities turn off Wi-Fi and social media after Anonymous threatened to shut them down.http://www.informationweek.com/security/cybercrime/anonymous-threatens-gitmo-us-locks-down/240155262?cid=SBX_iwk_related_slideshow_Smartphones_mobility<!-- KINDLE EXCLUDE --> <div class="inlineStoryImage inlineStoryImageRight"> <a href="http://www.informationweek.com/security/attacks/the-syrian-electronic-army-9-things-we-k/240155028"><img src="http://twimgs.com/informationweek/galleries/automated/994/Syrian-Electronic-Army-Tank_01_tn.jpg" alt="The Syrian Electronic Army: 9 Things We Know " title="The Syrian Electronic Army: 9 Things We Know" class="img175" /></a><br /> <span class="inlinelargerView">(click image for larger view)</span><br /> <div class="storyImageTitle">The Syrian Electronic Army: 9 Things We Know</div> </div> <!-- /KINDLE EXCLUDE --> A threat by the Anonymous hacktivist collective has led to all Wi-Fi communications at the Guantanamo Bay Naval Base in Cuba being disabled. <P> Army Lt. Col. Samuel House <a href="http://hosted.ap.org/dynamic/stories/C/CB_GUANTANAMO_HACKING_DEFENSE?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2013-05-20-14-10-34">told the Associated Press</a> that disabling the Wi-Fi across the base was a preventive measure, designed to address a threatened disruption by Anonymous. Authorities at the base also blocked all access to Facebook, Twitter and other social media services. <P> "You shut the Wi-Fi down in GTMO, we will shutdown Guantanamo," read a subsequent post to the <a href="https://www.facebook.com/Crypt0nymous/posts/588729937824732">Crypt0nymous News Network's Facebook page</a>. <P> The initial threat arrived earlier this month, with Anonymous announcing via Pastebin that <a href="http://pastebin.com/0VaQ3cJK">"#OpGTMO" would run</a> from May 17 to May 19. 
It also detailed a related "Twitter Storm package," urging people to flood Twitter with related messages using preset hashtags, as well as to "phonebomb" their senators and representatives. <P> "We, the people and Anonymous, will not allow the most expensive prison on earth to be run without any respect for international laws," read an Anonymous press release, referring to the <a href="http://en.wikipedia.org/wiki/Guantanamo_Bay_detention_camp">Guantanamo Bay detention camp</a>. "We stand in solidarity with the Guantanamo hunger strikers. We will shut down Guantanamo." <P> The Anonymous operation was timed to the 100th day of a hunger strike by prisoners at the base, who are protesting the length of their incarceration as well as conditions at the camp. According to news reports, as of Monday, 103 of 166 prisoners at the base were continuing the hunger strike. <P> It's not clear whether the base's own shutdown of its Wi-Fi amounts to the disruption Anonymous had intended. <P> The threats from Anonymous aren't the first information security concerns to confront Guantanamo Bay Naval Base. Last month, a Guantanamo war court judge ordered pretrial hearings to be delayed after defense attorneys reported that since February, key documents had gone missing from their systems, and prosecutors' files -- which they didn't open -- had suddenly appeared on their systems, <a href="http://newsandinsight.thomsonreuters.com/Legal/News/2013/04_-_April/Guantanamo_pretrial_hearing_delayed_as_legal_files_vanish/">Reuters reported</a>. Defense attorneys also reported signs that their internal base emails and Internet searches were being monitored by a third party.
In response, the chief defense counsel for the tribunals, Col. Karen Mayberry, ordered all defense attorneys -- civilian and military -- to immediately stop using government-issued computers. <P> In other Anonymous news, the collective earlier this month announced Operation Petrol (#OpPetrol), in conjunction with SaudiAnonymous and a hacker known as AnonGhost, who was a key figure in this month's #OpUSA attacks, which multiple critics <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">derided as "FlopUSA"</a> for being more bark than bite. <P> First announced on May 10 via Pastebin, <a href="http://pastebin.com/8KWUwJdy">#OpPetrol is designed</a> to target oil-producing nations as well as petroleum companies, and is scheduled for June 20. <P> The operation's stated raison d'etre is to avenge an alleged "petro-dollar" conspiracy involving Muslim countries selling oil in dollars, rather than local currency. "The new world order installed their own rules so that they can control us like robots," according to the post. <P> Countries designated as targets include the United States, Canada, England, Israel, China, Italy, France, Russia and Germany. The campaign's organizers also designated the governments of Saudi Arabia, Kuwait and Qatar as targets. <P> Some related attacks have already been disclosed, including a purported leak of 16 Saudi government email usernames and plaintext passwords, uploaded to Pastebin on May 12. <P> As that suggests, organizations that might be targeted shouldn't wait until June 20 to assess the threat and lock down vulnerable systems. "As we know from past events, actors may be compromising sites now only to release the results as part of the operation," according to a blog post from <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/What-to-Expect-from-OpPetrol/ba-p/6071747">security researchers at HP</a>.
"Potential targets may have already seen activity that could later be associated with this announcement." <P> That said, many security experts expect #OpPetrol to be a non-starter. "Given the trends so far, we anticipate that this operation will mirror #OpUSA," said HP. "We do not anticipate #OpPetrol to be a large success."2013-05-21T09:37:00ZAPT Attacks Trace To India, Researcher SaysMulti-year hacking campaign targeted mining companies, legal firms, Pakistan, Angolan dissidents and others in Pakistan, the U.S., Iran, China and Germany.http://www.informationweek.com/security/attacks/apt-attacks-trace-to-india-researcher-sa/240155225?cid=SBX_iwk_related_slideshow_Smartphones_mobility<!-- KINDLE EXCLUDE --> <div class="inlineStoryImage inlineStoryImageRight"> <a href="http://www.informationweek.com/security/attacks/the-syrian-electronic-army-9-things-we-k/240155028"><img src="http://twimgs.com/informationweek/galleries/automated/994/Syrian-Electronic-Army-Tank_01_tn.jpg" alt="The Syrian Electronic Army: 9 Things We Know" title="The Syrian Electronic Army: 9 Things We Know" class="img175" /></a><br /> <span class="inlinelargerView">(click image for larger view)</span><br /> <div class="storyImageTitle">The Syrian Electronic Army: 9 Things We Know</div></div> <!-- /KINDLE EXCLUDE --> A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany. 
<P> Those findings come from <a href="http://enterprise.norman.com/resource_center/unveiling_an_indian_cyberattack_infrastructure-a_special_report">"Unveiling an Indian Cyberattack Infrastructure,"</a> a new report from Norwegian security software vendor Norman that documents an <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">APT campaign</a> that began in 2010, if not earlier. According to the report, the campaign and its malicious infrastructure have served "primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States." <P> Report co-author Snorre Fagerland, a principal security researcher in the Malware Detection Team at Norman Shark in Norway, said in an interview: "What we found surprised us a little bit, because we started out anticipating the Chinese, but the indicators we found pointed toward India." <P> Researchers also found multiple references to Appin, an Indian information security software vendor and "ethical hacking" training company. References included "appin" and "appinbot" in "cleartext project and debug path strings," according to Norman's report, and some domains used in the attacks appeared to have been registered with a corporate Appin email address before the registrant details were hidden. <P> Norman's report said the Appin references are no smoking gun. "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them," said the report. "Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations."
But Adam Meyers, director of intelligence at CrowdStrike, <a href="http://www.darkreading.com/attacks-breaches/commercialized-cyberespionage-attacks-ou/240155245">told DarkReading</a>: "I think it is highly unlikely Appin is not involved." <P> Contacted for comment, a spokesman for Appin in New Delhi strongly dismissed any suggestion that his company was connected with the APT campaign. "The Appin Security Group is no manner connected or involved with the activities as sought to be implied in the alleged report," he said in an emailed statement. "The reference to Appin Security Group in the report is malafide and made purely with an intention to slur the good name of Appin Security Group in the industry." <P> This isn't Norman's first foray into espionage malware research. In November 2012, the company uncovered an unrelated, <a href="http://www.informationweek.co.uk/security/attacks/espionage-malware-network-targets-israel/240115326">botnet-driven malware espionage campaign</a> focused on Middle Eastern targets in Israel and Palestine. <P> Norman undertook its latest investigation -- on its own initiative -- after Norwegian telecommunications company Telenor reported a network breach on March 17, 2013. "We arrived at the conclusion that Telenor was not an isolated case, but part of a much larger attack pattern emanating from India," said Fagerland in a related <a href="http://blogs.norman.com/2013/security-research/the-hangover-report">blog post</a>. "This conclusion is backed up by indicators found in malware, similar related cases, domain registrations, hosting details and other available data from our own extensive dataset as well as public data." <P> The attackers chiefly employed spear-phishing emails to compromise targets. Some emails tried to trick recipients into opening malicious attached documents that exploited <a href="http://www.symantec.com/connect/blogs/operation-hangover-qa-attacks">known vulnerabilities</a>.
Other emails included a link to a website designed to launch a phishing attack. According to Norman, no <a href="http://www.informationweek.co.uk/security/attacks/microsoft-hacked-joins-apple-facebook-tw/240149323">watering hole attacks</a> have been seen. <P> The APT campaign is sizeable: more than 600 domains have been spotted and over 800 malware samples -- some customized for specific targets -- recovered. "As far as I know, this is one of the largest command and control infrastructures I've seen by any APT group, certainly outside of China," said Fagerland. Norman's report said all signs point to the campaign being "conducted by private threat actors with no evidence of state sponsorship." <P> The malware developers used relatively simple development tools and techniques, and outsourced some work to freelancers, for example via the Elance online marketplace. "I like the use of Elance for tool development. Way to keep those costs down," the Bangkok-based vulnerability broker known as "the Grugq" said <a href="https://twitter.com/thegrugq/status/336398189886316544">via Twitter</a>. <P> Furthermore, "the attackers were not very good at covering their tracks," said Fagerland. "We found for example several open drop folders where they had uploaded stolen data." The attackers often left their project management notes behind, too. "Curiously, many of the executables we uncovered from related cases contained cleartext project and debug path strings," according to the report. "It is not very common to find malware with debug paths, but these particular threat actors did not seem to mind leaving such telltale signs, or maybe they were unaware of their presence." Language used in the project notes further suggests that at least some of the project team was Indian.
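The debug-path strings the report describes come from the CodeView record a Windows compiler leaves in an executable when it is built alongside a PDB symbol file: the "RSDS" signature, a GUID, an "age" counter and the full path of the .pdb on the developer's machine. The following is an added example, not code from Norman's or ESET's reports, showing how an analyst pulls those records and any other drive-letter paths out of a binary and reduces the directory names to tokens worth pivoting on across samples. The sample blob, its GUID and the paths such as C:\Users\dev\projects\example_tool\... are constructed here for the demonstration and are not indicators from the campaign.

```python
"""Recover CodeView (RSDS) debug records and Windows path strings from a binary.

Added example: demonstrates the attribution pivot the report describes
(cleartext project and debug paths). All sample data below is constructed.
"""
import re
import struct
import uuid

# A CodeView 7.0 record: "RSDS" + 16-byte GUID (little-endian field layout)
# + 4-byte age + NUL-terminated path of the .pdb file.
CV_SIGNATURE = b"RSDS"
CV_HEADER_LEN = 4 + 16 + 4

# Drive-letter paths such as C:\dir\sub\file, as found in string tables.
WIN_PATH_RE = re.compile(rb'[A-Za-z]:\\(?:[^\x00-\x1f\\:*?"<>|]+\\)+[^\x00-\x1f\\:*?"<>|]*')


def extract_rsds_records(data: bytes) -> list[dict]:
    """Return every plausible RSDS record in the blob: offset, GUID, age, PDB path."""
    records = []
    pos = 0
    while True:
        idx = data.find(CV_SIGNATURE, pos)
        if idx < 0 or idx + CV_HEADER_LEN > len(data):
            break
        pos = idx + len(CV_SIGNATURE)
        guid_le = data[idx + 4 : idx + 20]
        (age,) = struct.unpack_from("<I", data, idx + 20)
        end = data.find(b"\x00", idx + CV_HEADER_LEN)
        if end < 0:
            continue
        try:
            path = data[idx + CV_HEADER_LEN : end].decode("ascii")
        except UnicodeDecodeError:
            continue
        # "RSDS" can occur by chance; a genuine record names a .pdb file.
        if not path.lower().endswith(".pdb"):
            continue
        records.append({
            "offset": idx,
            "guid": str(uuid.UUID(bytes_le=guid_le)),
            "age": age,
            "pdb_path": path,
        })
    return records


def extract_path_strings(data: bytes) -> list[str]:
    """Return distinct drive-letter paths in the order they appear."""
    seen = []
    for m in WIN_PATH_RE.finditer(data):
        s = m.group(0).decode("ascii", errors="replace")
        if s not in seen:
            seen.append(s)
    return seen


def project_tokens(paths: list[str]) -> set[str]:
    """Directory names worth searching for in other samples: drop the drive,
    the file name and generic build/user directories."""
    generic = {"release", "debug", "bin", "obj", "x64", "x86", "users", "documents", "src"}
    tokens = set()
    for p in paths:
        parts = p.split("\\")[1:-1]
        tokens.update(part for part in parts if part.lower() not in generic)
    return tokens


def build_sample_binary() -> bytes:
    """Constructed stand-in for a dropped executable (not a real sample)."""
    pdb_path = b"C:\\Users\\dev\\projects\\example_tool\\Release\\example_tool.pdb"
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    rsds = CV_SIGNATURE + guid.bytes_le + struct.pack("<I", 3) + pdb_path + b"\x00"
    config_path = b"D:\\work\\example_tool\\src\\config.ini\x00"
    filler = b"\x90" * 64
    return b"MZ" + filler + rsds + filler + config_path + filler


if __name__ == "__main__":
    blob = build_sample_binary()
    for rec in extract_rsds_records(blob):
        print(f"RSDS @ {rec['offset']:#x}: {rec['pdb_path']} (guid={rec['guid']}, age={rec['age']})")
    paths = extract_path_strings(blob)
    print("paths:", paths)
    print("pivot tokens:", sorted(project_tokens(paths)))
```

The GUID and age together identify one specific build, so the same pair across two samples means the same PDB and very likely the same developer machine; the path tokens are the looser pivot and are what surfaced names such as "appinbot" in this case. On a real file, read it with `open(path, "rb").read()` and pass the bytes straight in; packed samples will need unpacking first, since the record lives in the unpacked image.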
<P> Fagerland said that a <a href="http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/">report published last week</a> by ESET malware researcher Jean-Ian Boutin, describing an APT campaign that appeared to be targeting Pakistan, covered part of the same campaign analyzed in Norman's report. ESET likewise attributed the attacks to India based on several indicators, including the hours the attackers worked and a variable named for "Ramu Kaka," which "is a typical Bollywood-style servant in a house," according to Boutin. "Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit." <P> Norman's researchers found that the command-and-control infrastructure used by the attackers was also used to target the Chicago Mercantile Exchange, which publicly reported a failed phishing attempt against it. The same infrastructure was used to infect an Angolan activist's OS X system with a Trojan backdoor, which wasn't discovered until the activist attended last week's Oslo Freedom Forum, according to a <a href="http://www.f-secure.com/weblog/archives/00002554.html">blog post</a> from Sean Sullivan, security advisor at F-Secure Labs, which is analyzing the malware. Sullivan said the malware was signed with a legitimate Apple developer ID in the name of "Rajinder Kumar." <P> What can be deduced from the finding that the same attack infrastructure used against Pakistani government targets was also used to infect an Angolan activist's Mac with a backdoor Trojan? "That's an interesting side branch of this operation," said Fagerland. It suggests the botnet's controllers "could be hiring out the infrastructure to other attackers," or offering targeted attacks as a service. <P> Norman shared its findings with Norwegian law enforcement agencies in advance of releasing its report. Although the timing may be coincidental, the attackers' behavior has since changed.
"We have reason to believe that at least some information from this report was known to some people in India some time ago, and since then, some things have changed," said Fagerland. "Whole branches of this command and control infrastructure have gone silent." <P> But he said that the timing could just be a coincidence.2013-05-20T12:31:00ZYahoo Japan Data Breach: 22M Accounts ExposedYahoo breach could have compromised 10% of all Yahoo user credentials. Meanwhile, Syrian Electronic Army targets <i>The Financial Times</i>.http://www.informationweek.com/security/attacks/yahoo-japan-data-breach-22m-accounts-exp/240155216?cid=SBX_iwk_related_slideshow_Smartphones_mobility<!-- KINDLE EXCLUDE --> <div class="inlineStoryImage inlineStoryImageRight"> <a href="http://www.informationweek.com/security/attacks/the-syrian-electronic-army-9-things-we-k/240155028"><img src="http://twimgs.com/informationweek/galleries/automated/994/Syrian-Electronic-Army-Tank_01_tn.jpg" alt="The Syrian Electronic Army: 9 Things We Know " title="The Syrian Electronic Army: 9 Things We Know" class="img175" /></a><br /> <span class="inlinelargerView">(click image for larger view)</span><br /> <div class="storyImageTitle">The Syrian Electronic Army: 9 Things We Know</div> </div> <!-- /KINDLE EXCLUDE -->Yahoo disclosed Friday that a breach at Yahoo Japan may have exposed 22 million login names to attackers. <P> "We don't know if the file [containing 22 million user IDs] was leaked or not, but we can't deny the possibility, given the volume of traffic between our server and external terminals," read a statement issued Friday by Yahoo Japan. Yahoo is the country's most-visited website, and is jointly owned by Yahoo and Japanese network operator <a href="http://www.informationweek.co.uk/mobility/3g/what-softbank-sees-in-sprint/240008446">Softbank</a>. 
<P> Yahoo Japan posted a link to a breach notification on its homepage, said it was contacting affected users, and said it had strengthened network security in the wake of the attack. Yahoo Japan also recommended that all users -- as of last year, the company had about 24 million -- change their passwords, and added a tool on its homepage that lets users check whether their ID was at risk from the suspected breach. <P> Yahoo Japan's users, however, can't change their login IDs -- which sometimes appear publicly, for example when users post comments on shopping sites -- without losing access to their current account's email and stored data, <a href="http://www.pcadvisor.co.uk/news/security/3448048/yahoo-japan-says-22-million-user-ids-may-have-been-stolen/">reported</a> <em>PC Advisor</em>. But after Yahoo Japan discovered malware on its servers last month that had extracted -- but not exfiltrated -- information relating to 1.27 million of its users, the company added a "Secret ID" capability, which lets users log in with a separate ID used only for logging on. <P> Yahoo officials said they discovered the unauthorized access Thursday. The potential data breach affects 10% of Yahoo's user base. <P> Yahoo was last in the data breach headlines in July 2012, when the company confirmed that an "older file" containing <a href="http://www.informationweek.co.uk/security/attacks/yahoo-password-breach-new-risks/240003653">450,000 usernames and passwords</a> associated with its Yahoo Voices service had been leaked online. At the time, it said that only 5% of the leaked passwords were still valid. "D33Ds Company" took credit for the hack, saying it had been accomplished via a SQL injection attack.
The group said it had leaked the information "as a wake-up call, and not as a threat" to Yahoo to fix the vulnerability, the specifics of which the hackers didn't publicly detail. <P> In other hacking news, the <em>Financial Times</em> (FT) on Friday became the latest victim of Syrian hackers, after its website and multiple Twitter accounts were compromised via spear-phishing attacks. "Syrian Electronic Army Was Here," read 12 posts to various <em>FT</em> Twitter feeds. Multiple fake messages were also posted to the newspaper's main Twitter account. <P> The Syrian Electronic Army <a href="https://twitter.com/Official_SEA12/status/335397478352449536">claimed</a> to have compromised 17 of the newspaper's Twitter accounts as well as its website, and posted what it said was the username and password ("Gar1eth") for a marketing executive at the paper. <P> "We have now locked those accounts and are grateful for Twitter's help on this," said Robert Shrimsley, the managing editor of FT.com, <a href="http://www.ft.com/cms/s/0/7a091972-bef3-11e2-a9d4-00144feab7de.html">reported</a> the <em>FT</em>. <P> The newspaper is the latest media organization to have seen its Twitter feeds hacked by the <a href="http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028">Syrian Electronic Army</a>, which supports Syrian President Bashar al-Assad. The group has previously compromised an Associated Press feed, which it used to issue a <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">fake alert that explosions had occurred</a> at the White House. Other targets have included the BBC, the <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800"><i>Guardian</i></a>, National Public Radio and <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">satire site <em>The Onion</em></a>.
<P> Earlier this month, Twitter <a href="http://www.informationweek.co.uk/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094">warned news and media outlets</a> to expect further attacks. <P> To halt Twitter account takeovers, security experts have recommended using a dedicated PC for tweeting, or employing an intermediary social media management service such as Hootsuite, to blunt the spear-phishing attacks the group often uses to obtain credentials. They've also <a href="http://www.informationweek.co.uk/security/management/twitter-two-factor-authentication-too-li/240153672">called on Twitter</a> to implement two-factor authentication. A "secret ID" service of the Yahoo Japan variety would also help Twitter users, since all Twitter usernames are already public, meaning would-be attackers only need to obtain a password to hack into an account. <P> As with previous Syrian Electronic Army takeovers, some of its <em>FT</em> tweets advanced the group's stated aim of "[defending] the Syrian nation against the vicious lying media campaign," referring to perceived inaccuracies in reporting on the Syrian civil war. One bogus <em>FT</em> tweet, for example, read: "Jabhet A-Nosra terrorists executed innocent citizens," referring to the militant jihadist group that currently controls large parts of the rebel-held areas of northern Syria. Some leaders of that group recently <a href="http://www.telegraph.co.uk/news/worldnews/middleeast/syria/10067318/Syria-Jabhat-al-Nusra-split-after-leaders-pledge-of-support-for-al-Qaeda.html">pledged allegiance to al-Qaeda</a>. <P> Interestingly, the <em>FT</em> last month <a href="http://www.ft.com/cms/s/0/2f67e77a-acf8-11e2-9454-00144feabdc0.html">interviewed</a> a self-described member of the Syrian Electronic Army who calls himself "Th3Pr0." "All the countries who support the terrorists groups in Syria are targets for us -- their media/government website/social media accounts," Th3Pr0 said.
"Our demands [are] to stop suspending our accounts and domain names so we can enjoy the 'Freedom speech of America.'" <P> <i>Antivirus systems alone can't fight a growing category of malware whose strength lies in the fact that we have never seen it before. The <a href="http://www.darkreading.com/AdvancedThreats/util/9727/download.html?k=axxe&cid=article_axxe">How To Detect Zero-Day Malware And Limit Its Impact</a> report examines the ways in which zero-day malware is being developed and spread, and the strategies and products enterprises can leverage to battle it. (Free registration required.)</i>2013-05-20T11:01:00ZHow Password Strength Meters Can Improve SecurityColor-coded password-strength meters nudge users to improve the strength of their important passwords, but have little effect on unimportant ones.http://www.informationweek.com/security/management/how-password-strength-meters-can-improve/240155209?cid=SBX_iwk_related_slideshow_Smartphones_mobility<!-- KINDLE EXCLUDE --><div class="inlineStoryImage inlineStoryImageRight"><a href="http://www.informationweek.com/security/client/ten-top-password-managers/240153906"><img src="http://twimgs.com/informationweek/galleries/automated/986/password_manager_slideshow_01_tn.jpg" alt="10 Top Password Managers" title="10 Top Password Managers" class="img175" /></a><br /><div class="storyImageTitle">10 Top Password Managers</div><span class="inlinelargerView">(click image for slideshow)</span></div><!-- /KINDLE EXCLUDE -->Want your site's users to build better passwords? Then provide "password strength" meters to show if a proposed password carries a low (red), medium (yellow) or high (green) level of security. <P> According to the first-ever study of password meters' effectiveness -- delivered this month at the CHI human-computer interaction conference in Paris -- such meters aren't just window dressing or empty <a href="http://en.wikipedia.org/wiki/Security_theater">security theater</a>. 
Meters result in stronger passwords when users are forced to change existing passwords on "important" accounts, according to the <a href="http://research.microsoft.com/apps/pubs/?id=192108">"Does My Password Go up to Eleven?" research study</a> from researchers at the University of California at Berkeley, the University of British Columbia and Microsoft Research. In addition, they found that graphical design variations between different types of meters "likely have a marginal impact" on user adoption. <P> The usefulness of password meters wasn't a given; no previous research had explored whether they led people to pick stronger passwords. "The original purpose of the experiment was to see whether meters based on social pressure would yield an improvement, since we didn't expect existing meters to be effective," said primary report author and University of California at Berkeley <a href="http://guanotronic.com/~serge/">research scientist Serge Egelman</a> via email. "We were surprised that one, meter design doesn't appear to matter much, and two, meters do work under certain circumstances." <P> As emphasized by the report title's <a href="http://en.wikipedia.org/wiki/Up_to_eleven">"This Is Spinal Tap" film reference</a>, when it comes to passwords, more (entropy) equals more (security). That's why standard <a href="http://www.informationweek.co.uk/security/client/passwords-tips-for-better-security/231000545">password security advice</a> -- at least currently -- is to pick a password of at least 12 characters that mixes letters, numbers and symbols.
Whatever the rules, however, password meters provide simple and immediate visual feedback about what constitutes "strong enough." <P> The researchers' conclusions are based on comparing forced password resets in the presence of password meters to those without such meters. "We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords," the researchers explained. "We observed that the presence of meters yielded significantly stronger passwords." <P> They also found that the meters didn't seem to cause memorability problems for users, and suggested that people forgetting passwords was more related to forced expiration dates, which <a href="http://www.schneier.com/blog/archives/2010/11/changing_passwo.html">not all cryptography experts see as always necessary</a>. <P> The researchers' password-meter findings, however, come with a caveat. In a second study they conducted, users were asked to create a password for an unimportant account. "In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts," they said. <P> Egelman said that although password meters are effective when used for important passwords, perhaps they shouldn't be used at all for unimportant passwords. "People have a finite amount of memory, which shouldn't be wasted protecting resources that are unimportant -- e.g., low-value accounts. I think the bigger problem is that most passwords are highly susceptible to offline attacks," he said. "Whereas when users do not select popular passwords -- e.g., [in] the top 100/1,000/10,000 -- online attacks are relatively unsuccessful. This suggests that a much more efficient solution is to prevent offline attacks from occurring." 
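The two halves of Egelman's point, a meter that shapes what the user picks and server-side storage that decides how expensive a stolen table is to crack, can be shown side by side. The block below is an added illustration, not code from the article or from the study it reports: a minimal red/yellow/green meter of the kind the researchers evaluated, next to salted, deliberately slow password hashing. The popular-password list, the entropy thresholds, the 40/60-bit colour boundaries and the PBKDF2 iteration count are all illustrative assumptions.

```python
"""Added example (not from the article or the cited study): a minimal
red/yellow/green password meter of the kind the study evaluated, next to
the server-side slow hashing that is the actual defence against offline
attacks. All names and thresholds here are illustrative assumptions."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Constructed stand-in for a "top N" popular-password list. A real meter
# would load the top 10,000 or more from a breach corpus.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "111111", "iloveyou", "welcome", "dragon", "football",
}


def _base_word(password: str) -> str:
    """Strip the trailing digits/punctuation users bolt on ("Password1!")
    so the blocklist still catches the underlying dictionary word."""
    return password.lower().rstrip(string.digits + string.punctuation)


def estimate_entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(alphabet), where the
    alphabet is inferred from the character classes actually present."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in password):
        alphabet += 100  # crude allowance for non-ASCII characters
    if alphabet == 0:  # e.g. whitespace only
        return 0.0
    return len(password) * math.log2(alphabet)


def strength_color(password: str) -> str:
    """The verdict a meter displays. Anything on the popular list is red no
    matter how it scores, because that is exactly what online guessing
    attacks try first (the top 100/1,000/10,000 Egelman refers to)."""
    if password.lower() in COMMON_PASSWORDS or _base_word(password) in COMMON_PASSWORDS:
        return "red"
    bits = estimate_entropy_bits(password)
    if bits < 40:
        return "red"
    if bits < 60:
        return "yellow"
    return "green"


# Illustrative work factor (assumption); tune it so one hash costs tens of
# milliseconds on the server, which is what makes cracking a stolen table slow.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user defeats
    precomputed tables; PBKDF2-HMAC-SHA256 makes each offline guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("password", "Password1!", "abcdefghij", "correct horse battery staple"):
        print(f"{pw!r:34} {estimate_entropy_bits(pw):6.1f} bits -> {strength_color(pw)}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:   ", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong:", verify_password("Password1!", salt, digest))
```

The meter and the hashing are deliberately independent: the meter runs in the browser and only nudges what the user chooses, while the hashing runs on the server and fixes the cost of each offline guess. A green meter does nothing for a site that stores plaintext, and a slow salted hash protects even the yellow passwords once the table leaks.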
<P> Using proper network security controls and <a href="http://www.informationweek.co.uk/security/application-security/password-police-cite-evernote-mistakes/240150250">strong cryptography to secure stored passwords</a> -- salted, deliberately slow hashes, so that a stolen credential database can't be cracked offline -- is, however, a separate matter from password-strength meters. "This responsibility lies solely with the websites who store the passwords, not the users," Egelman said. 2013-05-17T10:07:00ZWho Is Syrian Electronic Army: 9 FactsSyrian hackers claim to battle American imperialism, media bias and Angelina Jolie.http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028?cid=SBX_iwk_related_slideshow_Smartphones_mobilityBeware patriotic Syrian hackers holding a media grudge. <P> That's one takeaway from the ongoing exploits of the Syrian Electronic Army, a self-described group of grassroots Syrian hackers who support Syrian President Bashar al-Assad. <P> During the country's two-year -- and counting -- civil war, the Syrian Electronic Army has been deployed as a propaganda tool to correct perceived slights or misinformation being disseminated via media outlets that the group sees as sympathetic to Syrian rebels. Its modus operandi is to compromise the Twitter and Facebook accounts of its targets, which are predominantly media outlets. 
The group's most well-known exploit to date was seizing control of multiple Associated Press (AP) Twitter feeds, then using them to issue bogus messages, including the <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">following alert</a> on April 23: "Breaking: Two Explosions in the White House and Barack Obama is injured." <P> In the wake of that tweet, the White House confirmed that the president was unharmed, that there had been no explosions and that the FBI was investigating the hoax tweets. Due to automated high-speed trading systems set to monitor Twitter feeds, however, the news triggered a temporary downturn in the U.S. stock market that briefly erased $200 billion in value. According to <a href="http://blog.thepro.sy/" target="_blank">Th3 Pr0</a> (pronounced "the pro"), the self-described 18-year-old "leader of special operations department" for the Syrian Electronic Army -- personal website tagline: "proud to be pro-Assad hacker" -- the hack was in retaliation for Network Solutions having seized the group's domain names, as well as for the United States "supporting the terrorist groups in Syria." <P> "We generally target the most malicious media, especially those who refuse to cover both sides of the war," a member of the SEA's "Special Operations Division," known as the Shadow, <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account" target="_blank">told <em>Vice</em></a> magazine. <P> Other media outlets targeted by the group have included CBS, AFP, Sky News Arabia and E! Online, with the hackers using a seized Twitter feed at the celebrity news site to announce earlier this month that Justin Bieber was gay, before telling Bieber fans they'd been "trolled." 
That followed its March compromise of multiple BBC Twitter accounts, which the group used to post anti-Semitic rants as well as to offer the following report via the BBC's Twitter weather feed: "Saudi weather station down due to head-on collision with camel." <P> In May, meanwhile, the group <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">seized control of the Twitter account for satire site the <em>Onion</em></a>. "UN retracts report of Syrian chemical weapon use: 'Lab tests confirm it is Jihadi body odor,'" reported one hoax tweet. Another said that the Onion's CEO said he regretted "taking Zionist money to defame Syria." <P> Obviously, the hacking group has its own perspective on not only the Syrian conflict, but what constitutes balanced reporting. For example, another hoax tweet -- posted to a <a href="http://www.informationweek.co.uk/security/vulnerabilities/5-steps-to-prevent-twitter-hacks/240005178">hacked Reuters Twitter account</a> last year -- read: "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria." <P> As that tweet illustrates, the Syrian Electronic Army persistently attempts to reframe the country's civil war as a conflict perpetrated by foreign powers that are arming terrorists and bringing them into the country in a bid to overthrow the legitimate Syrian government. <P> The hackers' perspective parallels more widespread, pro-Assad propaganda based on accusing many Western media outlets of not just bias, but also "persistent media warmongering, faking news and fabricating … stories." That's according to a report on the <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">Syria News website</a>, which claimed that "terror NATO sponsors" were "airlifting, training, arming, financing and smuggling Al-Qaeda terrorists" into Syria. 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955551210/" target="_blank">Christiaan Triebert</a>.</em> <P> <strong>RECOMMENDED READING</strong> <P> <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">Anonymous OpUSA Hackathon: Mostly Bluster</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">Twitter Battles Syrian Hackers</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">Twitter Preps Two Factor Authentication After AP Hoax</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">How Syrian Electronic Army Unpeeled The Onion</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Hacktivists Hit Guardian Twitter Feeds</a> <P> <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria Back Online After Internet Blackout</a>The Syrian Electronic Army emerged soon after the Syrian uprising began in 2011, defacing Facebook pages with pro-Assad messages that ranged from sweet -- "I love Bashar" -- to threatening. Anti-Assad activists said at the time that the group was founded by former intelligence agents and hardcore Assad supporters. <P> In September 2011, the group defaced Harvard University's website with a picture of Assad, and threatened retaliation against the United States for supporting the uprising. The defacement was signed with this message: "Syrian Electronic Army were here." The group also targeted the websites for <em>Newsweek</em>, Oprah Winfrey and Brad Pitt, after his partner, <a href="http://www.huffingtonpost.com/2011/09/27/syrian-electronic-army_n_983750.html" target="_blank">Angelina Jolie</a> -- a U.N. 
special envoy -- visited Syrian refugees in Turkey. <P> A subsequent hoax tweet said that Angelina Jolie -- after she visited a Syrian refugee camp in Jordan in December 2012 -- had admitted that "Jordan is to blame for the Syrian refugees' atrocious conditions." Links included with the tweets redirected to malicious websites, as the group had done with its CBS Twitter account takeover. <P> Jolie appears to be an ongoing source of anger for the SEA. "We know the likes of Jolie, who under the 'humanitarian' cover, only serve American imperialism," said the Shadow. <P> <em>UNHCR Special Envoy Angelina Jolie meets with a young Syrian refugee in the Bekaa Valley, Lebanon.</em> <P> <em>Photograph courtesy of &copy;UNHCR/J. Tanner.</em> <P> The bigger picture is that the Syrian Electronic Army is serving as a propaganda tool in the ongoing, bloody two-year Syrian civil war. 
To date, the conflict has likely killed at least 94,000 people, although new information suggests that combatants are underreporting casualties, and more than 120,000 people may have been killed, according to the <a href="http://syriahr.com/en" target="_blank">Syrian Observatory for Human Rights</a> (SOHR). <P> "The number of documented casualties since the beginning of the Syrian uprising [March 18, 2011] exceeds 94,000 people," according to a <a href="https://www.facebook.com/syriaohr/posts/369140923194252">post to the group's Facebook account</a>. "The SOHR estimates that the actual number of violent deaths is more than 120,000, due to the tens of thousands of captives, detainees and forcibly disappeared persons. As well as the secrecy of all combatant sides about the actual number of dead during clashes." <P> At least 41,000 of the soldiers and civilians killed were Alawites, which is the sect of President Bashar al-Assad, <a href="http://www.reuters.com/article/2013/05/14/us-syria-crisis-deaths-idUSBRE94D0L420130514" target="_blank">reported Reuters</a>. The <a href="http://www.reuters.com/article/2011/12/23/us-syria-religion-alawites-idUSTRE7BM1J220111223" target="_blank">Alawite sect</a> spun off from Shi'ite Islam and comprises about 12% of Syria's population. The Alawites were an oppressed minority until 1970, when President Assad's father Hafez took control of the country via a coup. <P> The Syrian civil war grew out of nonviolent protests against four decades of rule by the Assad family. The 2011 protests were composed largely of Sunni Muslims, a sect that comprises about 70% of Syria's population, as well as Syrian Kurds, who are an ethnic minority. The government's violent crackdown on the so-called Arab Spring protests helped trigger a full-blown conflict between the Assad regime and factions seeking to remove his Ba'ath Party from power. 
<P> <em>Image courtesy of Flickr user <a href="http://www.flickr.com/photos/freestylee/5553097042/" target="_blank">Freestylee</a>.</em> <P> The Syrian Electronic Army most likely wasn't created simply to serve as a social media nuisance operation for avenging perceived slights against the Assad regime by Western media. So, where did it come from? <P> By <a href="http://english.al-akhbar.com/node/14718" target="_blank">some accounts</a>, the group began as a grassroots movement, staffed by "volunteers without any known backing" who proved their mettle, gaining the support of Assad "loyalists" as well as the head of the country himself. 
<P> But according to a <a href="http://www.npr.org/2013/03/13/174121130/syrian-cyber-rebel-wages-war-one-hack-at-a-time" target="_blank">National Public Radio report</a> in March 2013, the Syrian Electronic Army was launched by the Syrian government in 2011 to use Facebook to identify, track and facilitate the arrest -- and according to critics of the regime, torture -- of anti-government activists. <P> Syrian hacker Ahmad Heidar ("Harvester") told NPR that in the summer of 2011, as protests in Syria began to spread and intensify, a government recruiter signed him up to the new unit, which operated from an underground bunker filled with state-of-the-art computer equipment. Heidar was told that working for the unit would count toward his mandatory national military service, and one of his tasks was to hack into the Facebook and Skype accounts of arrested activists, to remove all traces of their anti-government work. <P> In response to the report, the Syrian Electronic Army last month <a href="http://www.informationweek.co.uk/security/attacks/anonymous-takes-down-north-korean-websit/240152985">hacked into the National Public Radio Twitter feed</a>. 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/james_gordon_losangeles/7436274754" target="_blank">James Gordon</a>.</em> <P> The Syrian Electronic Army has more than passing ties to Assad. Although the Syrian leader trained in Britain as an eye doctor, in the 1990s he headed the Syrian Computer Society -- pushing for better computer education for the country's children -- before succeeding his father as president in 2000. Interestingly, the Syrian Electronic Army's first domain name "was registered by the Syrian Computer Society," Helmi Noman, a senior researcher at the Citizen Lab at the University of Toronto, <a href="http://edition.cnn.com/2013/04/24/tech/syrian-electronic-army/index.html" target="_blank">told CNN</a>. 
<P> In addition, the domain is "hosted on the network of the Syrian government, which is interesting because it's the first time we've seen a group with questionable activities being hosted on a national computer network," he said, though he also noted that it's not proof that the hackers are government-funded. <P> A recent <em>Guardian</em> report, however, said the Syrian Electronic Army is bankrolled by <a href="http://www.guardian.co.uk/world/2011/jun/17/syria-richest-man-promises-giveaway" target="_blank">Assad's billionaire cousin Rami Makhlouf</a>, and that the group recently relocated from Syria to Dubai. "Makhlouf pays the pro-regime hackers for their activities, and they typically earn $500-$1,000 for a successful attack," according to the <em>Guardian</em>. "They also get free accommodation and food. Sometimes Syrian government officials tell the SEA which western sites to hack; on other occasions the SEA selects its own targets." <P> In response to that report, the Syrian Electronic Army <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">seized more than 11 <em>Guardian</em> Twitter feeds</a>, using them to decry the British paper's "lies and slander about Syria." <P> A <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">pro-Assad media outlet</a> likewise dismissed the paper's reporting. "Dubai is located in the United Arab Emirates, some 3,000 kilometers away from Damascus, but sitting in London thinking how to amuse the readers with fancy tales, our best guess is the authors, especially Mr. Harding, thought Dubai is somewhere in Syria, or Damascus is somewhere near Dubai." 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/wwworks/4006194802/" target="_blank">woodleywonderworks</a>.</em> <P> Is the Syrian Electronic Army based in Syria? After <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria reestablished its Internet connection</a> last week -- following a blackout that lasted approximately 24 hours -- security experts wondered when the hackers might resume their attacks. <P> With that question floating around the Internet, the group responded: "But wait ... we are in Dubai!" read a <a href="https://twitter.com/Official_SEA12/status/332256636624334848">tweet</a> from the @Official_SEA12 Twitter account. 
<P> The Dubai quip was made in response to the aforementioned <a href="http://www.guardian.co.uk/technology/2013/apr/29/hacking-guardian-syria-background" target="_blank"><em>Guardian</em> report</a> last month that "according to defectors from inside its ranks, the group moved last year from Damascus to a secret base in Dubai." <P> The group's members later clarified that they were in Syria, and had been affected by the Internet outage. "Unfortunately it is true, though mobile phones worked intermittently due to a large number of Syrians using them as an alternate form of communication," said the Shadow. "These kinds of cuts do not affect the terrorists operating in Syria as they have their own US-supplied communication equipment. The blackout effectively shut down our operations, we are glad to be back." <P> Ditto, no doubt, for an eight-hour blackout that -- according to data provided by Arbor Networks -- began at about 8:30 a.m. Eastern Time on May 15, and lasted until just after 4 p.m. The cause of the blackout isn't known, although Internet monitoring firms suspect last week's blackout was due to the civil-war-torn country's weak infrastructure. 
<P> <em>Zones of control in Syria courtesy of <a href="http://www.flickr.com/photos/edans/5400848923/" target="_blank">Wikipedia</a>.</em> <P> How does the Syrian Electronic Army compromise targeted Twitter or Facebook accounts? According to an <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">account published by the <em>Onion</em></a>, the attackers used spear-phishing emails that included an apparent link to a <em>Washington Post</em> story, but which really led to a malicious website that asked users to enter their Gmail credentials. Attackers then used those credentials to gain access to Twitter accounts that had the same email address on file. 
<P> While no other media outlets have offered details of how they were compromised, security experts suspect that phishing attacks were also <a href="http://bits.blogs.nytimes.com/2013/05/10/details-emerge-about-syrian-electronic-armys-recent-exploits/" target="_blank">used against AP and Human Rights Watch</a>, with the phishing email links redirecting to Google or Microsoft webmail sites. <P> In the wake of the AP breach, Twitter was reportedly testing a two-factor authentication system. Once implemented, such a system should make it more difficult for attackers to compromise accounts via spear-phishing attacks. <P> The Syrian Electronic Army, however, has promised to continue compromising Twitter accounts. "It will definitely make it harder on Twitter, but this was never our primary attack vector," said the Shadow. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up." 
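The pattern described above, a link whose visible text names one site while its target is another, followed by a webmail look-alike that harvests credentials, is something a mail gateway or an analyst can check for statically. The block below is an added example, not code from the article, from the Onion's account or from any vendor it mentions. The sample message and every hostname in it are constructed, and the brand-to-domain table is an assumption standing in for whatever allow-list a deployment would maintain.

```python
"""Added example (not from the article or any outlet it quotes): flag two
spear-phishing tricks in an HTML e-mail body, using only the standard
library. The sample e-mail and all hostnames below are constructed."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brands a phishing host may impersonate, mapped to the registered domains
# that are actually allowed to carry them. Illustrative list, assumed here.
BRAND_DOMAINS = {
    "google": {"google.com", "googlemail.com"},
    "gmail": {"google.com", "googlemail.com"},
    "live": {"live.com", "microsoft.com"},
    "outlook": {"outlook.com", "microsoft.com"},
    "twitter": {"twitter.com"},
}

# Does the visible anchor text itself look like a URL or a bare domain?
_DOMAIN_IN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]|$)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self._href: Optional[str] = None
        self._chunks: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._chunks = []

    def handle_data(self, data):
        if self._href is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._chunks).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Crude on purpose: production code
    should use the Public Suffix List so that example.co.uk is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html: str) -> List[Tuple[str, str]]:
    """Return (reason, href) for each anchor that looks like a phish."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for href, text in parser.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        if not href_host:
            continue  # relative or mailto: link, nothing to compare
        href_domain = registered_domain(href_host)

        # 1. Visible text names a site, but the link goes somewhere else.
        m = _DOMAIN_IN_TEXT.match(text)
        if m and registered_domain(m.group(1)) != href_domain:
            findings.append(("display/target mismatch", href))
            continue

        # 2. A brand name sits in the host, but not on the brand's own domain.
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in href_host.split(".") and href_domain not in allowed:
                findings.append((f"lookalike {brand} host", href))
                break
    return findings


# Constructed sample, modelled on the pattern the article describes.
SAMPLE_EMAIL = """
<p>Interesting piece:
<a href="http://wpost-story.example.net/world/2013/05/syria">
http://www.washingtonpost.com/world/2013/05/syria</a></p>
<p>You will need to
<a href="http://accounts.google.com.example.net/ServiceLogin">sign in to Gmail</a>
to read it.</p>
<p>Legitimate links are left alone:
<a href="http://www.washingtonpost.com/world/">www.washingtonpost.com/world/</a>
and <a href="https://accounts.google.com/">Google sign-in</a>.</p>
"""

if __name__ == "__main__":
    for reason, href in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:26} {href}")
```

Both checks are cheap and both have gaps: an attacker can use a shortener so the visible text is no longer a domain, or register a host with no brand token at all, which is why the real mitigation is on the account side. Two-factor authentication of the kind Twitter was reportedly testing means a harvested Gmail password alone no longer unlocks the linked account.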
<P> The Syrian Electronic Army's hacking remit has limits. Notably, the group last week denied reports that it claimed to have hacked into a primary Israeli critical infrastructure system. "We would like to announce that in response to the unfair and illegal attacks, taken place by Israel on DATE, SEA has penetrated one of the main infrastructural systems (SCADA) in Haifa and managed to gain access to some sensitive data. Also SEA is now able to cause irrecoverable damages to the Israeli's infrastructural systems," read an email sent to some news outlets and signed as being from the Syrian Electronic Army (SEA), which included a link to a PDF file meant to <a href="https://cdn.anonfiles.com/1367855605244.pdf" target="_blank">validate the supposed control system intrusion</a>. 
<P> But a member of the Syrian Electronic Army <a href="http://news.softpedia.com/news/Syrian-Electronic-Army-Claims-to-Have-Hacked-Israeli-Critical-Infrastructure-Systems-351779.shtml">told Softpedia</a> that the email was a fake, and said the group never emails media outlets. <P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955548656/" target="_blank">Christiaan Triebert</a>.</em> <P> Beyond hoax hacking reports, the Syrian Electronic Army has faced a few other recent challenges, such as having multiple domains seized by its domain registration firm. "After we communicated with the host/domain names company 'Network Solutions' [it] ... said that the reason for shut down the domains names is 'U.S. sanctions,'" according to a <a href="http://sea.sy/article.php?id=1939&lang=en" target="_blank">post</a> to the group's subsequently launched site, <a href="http://sea.sy" target="_blank">sea.sy</a>. 
It said the seized domains were syrian-es.org, syrian-es.com and syrian-es.net, and that it would continue to use its backup domain, syrianelectronicarmy.com. <P> "Current domain registration information for syrian-es.com, syrian-es.org, and syrian-es.net shows that the current registrant is OFAC Holding," according to a <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Understanding-the-Syrian-Electronic-Army-SEA/ba-p/6040559" target="_blank">report </a> published by HP Security Research. "OFAC is the Treasury Department Office of Foreign Assets Control under their Office of Terrorism and Financial Intelligence." <P> Domain names aren't the only online real estate that the Syrian Electronic Army is having difficulty retaining. As the group has used Twitter accounts to publicize attacks, Twitter has <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">suspended those accounts</a>, creating a whack-a-mole situation that saw the introduction of new account "@Official_SEA," which Twitter subsequently froze, leading to multiple variations. Currently the count stands at @Official_SEA12, which the group has held for a relatively long time, suggesting that it has stopped using the account to announce its latest Twitter hacks. 
2013-05-17T09:06:00ZSmartphone Theft: What Is Best Defense?While mobile network operators are creating a global database to track stolen smartphones, some police say that's not enough. 
http://www.informationweek.com/security/mobile/smartphone-theft-what-is-best-defense/240155038?cid=SBX_iwk_related_slideshow_Smartphones_mobilityThe latest smartphones might feature screens with unparalleled colors and clarity, cutting-edge cameras, and the ability to run a bewildering array of apps. But why don't they build in better loss prevention? <P> That's the gist of a plea issued this week by New York attorney general Eric T. Schneiderman, who's written to the CEOs of Apple, Google, Microsoft and Samsung, urging them to "help crack down on cell phone theft" by making it more difficult for thieves to wipe stolen devices' memory and resell the devices. <P> "This is a multi-billion dollar industry that produces some of the most popular and technologically advanced consumer electronic products in the world," said Schneiderman in a statement. "Surely we can work together to find solutions that lead to a reduction in violent street crime targeting consumers." <P> <strong>[ Fend off gadget thieves with these tips. Read <a href="http://www.informationweek.com/security/mobile/ipad-heist-at-jfk-highlights-mobile-tech/240142140?itc=edit_in_body_cross">iPad Heist At JFK Highlights Mobile Tech Risks</a>. ]</strong> <P> Apple, Google, Microsoft and Samsung -- <a href="http://www.informationweek.com/mobility/smart-phones/google-not-impressed-with-motorola-smart/240149714">plus Motorola</a>, which is owned by Google -- control 90% of the U.S. smartphone market. 
All four except Google build some type of recovery capabilities into their devices. For Android, there are add-ons available in the Google Play online store. <P> But Schneiderman is not satisfied. He said his office is investigating whether the manufacturers -- such as Apple, which advertises its products' "safety and security by design" -- have engaged in deceptive trade practices by not combating the theft problem more forcefully. "I seek to understand why companies that can develop sophisticated handheld electronics and operating systems ... cannot also create technology to render stolen devices inoperable and thereby eliminate the expanding black market on which they are sold," wrote Schneiderman in his letters to the manufacturers. <P> Wielding both carrot and stick, Schneiderman in his letter suggested that he'll be seeking details of how much each of the four smartphone manufacturers earns from consumers paying to replace products that have been stolen. "I would be especially concerned if device theft accrues to your company's financial benefit through increased sales of replacement devices," he said. <P> Schneiderman's outreach comes as <a href="http://online.wsj.com/article/SB10001424127887324031404578481420456602076.html">mobile network operators are in the process of creating a global database for tracking stolen smartphones</a>, <em>The Wall Street Journal</em> reported this week. But some police officials have said that the voluntary database won't do enough to deter smartphone theft. <P> Violent smartphone and tablet robberies are on the rise. According to the Attorney General's office, comparing all of 2011 to the first nine months of 2012, smartphone thefts in New York City increased by 40%. Such robberies have been dubbed "Apple picking," given thieves' apparent penchant for iOS products. But according to a 2011 New York Police Department study, only 30% of devices stolen from subways and buses were manufactured by Apple. 
<P> New York City ranked ninth in a list of the top 10 cities that reported the greatest numbers of 2011 phone thefts, which was <a href="https://www.lookout.com/news-mobile-security/lookout-lost-phones-30-billion">compiled by security vendor Lookout Mobile Security</a>. The study found that phone theft was most prevalent in Philadelphia, followed by Seattle and Oakland. The most likely place for a New Yorker to lose his phone was in a fast-food restaurant. By Lookout's estimates, based on its finding that the average consumer loses or misplaces one device per year, stolen cell phones could cost U.S. consumers $30 billion in replacement costs. <P> Schneiderman's office said that Lookout will be advising the New York state government -- pro bono -- on approaches to combating device theft.2013-05-16T13:26:00ZLulzSec Hackers Sentenced In LondonGroup's 50-day hacking spree compromised websites run by Sony, CIA, Arizona State Police, Westboro Baptist Church and more.http://www.informationweek.com/security/attacks/lulzsec-hackers-sentenced-in-london/240155060?cid=SBX_iwk_related_slideshow_Smartphones_mobilityLulzSec Hacker "Topiary" famously tweeted: "You cannot arrest an idea." <P> Perhaps not, but in the case of Topiary, revealed to be <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">Jake Davis</a>, now 20, you can be sentenced to 24 months in a "young offenders institute" for two counts of conspiracy to impair the operation of a computer, to be followed by a five-year <a href="http://www.cps.gov.uk/legal/s_to_u/serious_crime_prevention_orders_(scpo)_guidance/">serious crime prevention order</a> that can restrict where he can travel and which jobs he'll be allowed to take. 
Davis' sentence was handed out in a London courtroom Thursday, where he appeared this week for sentencing with Ryan Cleary (<a href="http://www.informationweek.com/security/attacks/lulzsec-takes-hit-keeps-on-hacking/231000223">Viral</a>), Mustafa al-Bassam (<a href="http://www.informationweek.com/security/cybercrime/scotland-yard-arrests-lulzsec-anonymous/231600755">Tflow</a>) and Ryan Ackroyd (<a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">Kayla</a>). All were participants in the Anonymous spin-off known as LulzSec, which launched online attacks against numerous organizations' websites, including the CIA, Britain's Serious Organized Crime Agency (SOCA) and National Health Service (NHS), 20th Century Fox, News International, and <a href="http://www.informationweek.com/security/attacks/fbi-busts-suspected-lulzsec-hacker-in-so/231602040">Sony Pictures Entertainment</a>, from which it also leaked customer credentials and credit card numbers.

Cleary, 21, was sentenced to 32 months in prison followed by a five-year serious crime prevention order. Ackroyd, 26, was sentenced to 30 months. Al-Bassam, meanwhile, who was only 16 -- and still a high school student -- when LulzSec embarked on its 50-day hacking spree, received a 20-month suspended sentence. The 18-year-old was also ordered to perform 300 hours of community service, and must submit to a <a href="http://en.wikipedia.org/wiki/Sentencing_in_England_and_Wales">supervision order</a> -- aka probation -- for six months.

At the four men's sentencing hearing Wednesday, prosecutor Sandip Patel accused them of <a href="http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940">being "latter-day pirates."</a> (In fact, one ASCII art logo used by LulzSec, aka "The Lulz Boat," featured a pirate ship with a "LOL" flag.) "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal," Patel said.

British police arrested Cleary on June 20, 2011, followed by al-Bassam on July 19, Davis on July 27 and Ackroyd on September 1. All four men subsequently <a href="http://www.informationweek.com/security/attacks/lulzsec-hackers-plead-guilty-to-cia-sony/240152582">pleaded guilty</a> to some or all of the hacking charges filed against them.

"This has been a long and complex investigation conducted with the assistance of our international partners," said Charlie McMurdie, the London Metropolitan Police detective superintendent who heads the Police Central e-Crime Unit. "After initially being alerted by the FBI to criminal activity on British soil, we came to arrest Ryan Cleary and quickly began unpicking LulzSec, who had been running riot, causing significant harm to businesses and people."

According to investigators, Ackroyd took the lead on researching and executing many of the group's hack attacks, and Cleary assisted by offering the use of his botnet to generate <a href="http://www.informationweek.com/security/attacks/ddos-tools-flourish-give-attackers-many/232600497">distributed denial-of-service attacks</a> that disrupted targeted sites and servers. Meanwhile, al-Bassam trolled for exploitable vulnerabilities in websites and maintained LulzSec's website, while Davis acted as spokesman, managing <a href="https://twitter.com/LulzSec">the group's Twitter account</a> and issuing press releases.

"Theirs was an unusual campaign in that it was more about promoting their own criminal behavior than any form of personal financial profit," McMurdie said. "In essence, they were the worst sort of vandal -- acting without care of cost or harm to those they affected, whether that was to cause a company to fold and so costing people their jobs, or to put at threat the thousands of innocent Internet users whose logins and passwords they made public."

"In the case of the police force whose employee details they revealed, the group's reckless publication of confidential material could very well have threatened lives," he said.

A police digital forensic investigation of computers seized during LulzSec raids found "indecent material" relating to child pornography on one of Cleary's computers. Cleary has pleaded guilty to two counts of making indecent images of children, and one count of possessing those images. He's due to be sentenced on those charges on June 12, 2013.

LulzSec's leader, U.S. hacker Sabu, whose real name is Hector Xavier Monsegur, was arrested by the FBI in June 2011 and <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">turned informer</a>. At the request of U.S. prosecutors, who said he's assisting in investigations, he has yet to be sentenced.

2013-05-16T10:31:00Z
DHS Eyes Sharing Zero-Day Intelligence With Businesses
DHS proposal would give private businesses access to the government's stockpile of zero-day secrets for a fee.
http://www.informationweek.com/security/vulnerabilities/dhs-eyes-sharing-zero-day-intelligence-w/240154972?cid=SBX_iwk_related_slideshow_Smartphones_mobility

The Department of Homeland Security (DHS) Wednesday offered to help private businesses zero in on the zero-day vulnerabilities being used to compromise their networks. The DHS pitch: We'll share intelligence gleaned from the U.S.
government's vast stockpile of zero-day vulnerabilities -- purchased from bug hunters and resellers -- to help block zero-day threats.

"It is a way to share information about known vulnerabilities that may not be commonly available," Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., <a href="http://mobile.reuters.com/article/article/idUSBRE94E11B20130515?irpc=932">reported Reuters</a>.

Private businesses would pay for the service, which would be offered by telecommunications firms and defense contractors.

The DHS proposal is a continuation of the February 2013 <a href="http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858">executive order</a> and related presidential policy directive issued by President Obama, which created a public-private cyber-threat <a href="http://www.informationweek.com/government/security/white-house-cybersecurity-executive-orde/240148460">information sharing regime</a>, as well as voluntary private sector cybersecurity standards.

The executive order expanded the Enhanced Cybersecurity Services program -- formerly known as the <a href="http://www.informationweek.com/government/security/feds-isps-team-on-cybersecurity-for-defe/230800180">Defense Industrial Base pilot</a> -- to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances.

Enhanced Cybersecurity Services participants include AT&T, Northrop Grumman and Raytheon.

Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, lauded the DHS plan because the black-box approach wouldn't expose U.S. threat intelligence to other countries. "This can't happen if you post it on a website," he said. "We have to find a forum in which we can share it, and 10 providers serve 80% of the market. We have classified relationships with a good number of them."

Rogers is also the co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), the second version of which recently passed in the House but stalled in the Senate. The legislation has proposed indemnifying any business that shares network scans with U.S. government agencies, in a bid to crowdsource threat detection. But the suggestion has drawn the <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">ire of privacy and civil rights groups</a>, which object to giving blanket immunity to any business that shares customer and employee information -- potentially including full texts of all emails sent and received via business networks -- with intelligence agencies.

Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers' network traffic for some signs of attack.

The offer of shared threat intelligence is a <a href="http://www.informationweek.com/government/security/cybersecurity-executive-order-leaves-tou/240148510">crucial incentive</a> for getting private businesses to agree to participate in the government's cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses.

To date, the <a href="http://www.informationweek.com/security/vulnerabilities/so-you-want-to-be-a-zero-day-exploit-mil/231902813">large sums of money</a> on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, <a href="http://www.informationweek.com/security/vulnerabilities/blackhole-botnet-creator-buys-up-zero-da/240145769">criminal gangs</a> or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use. "The only people paying are on the offensive side," former NSA employee and <a href="http://www.informationweek.com/security/mobile/apple-excommunicates-ios-cracker/231902576">renowned smartphone hacker Charlie Miller</a>, who's now a security researcher at Twitter, told Reuters.

Furthermore, some <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510">information security experts have warned</a> that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the <a href="http://www.informationweek.com/security/attacks/weaponized-bugs-time-for-digital-arms-co/240008564">bug vulnerability marketplace</a> and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense.

Others have said that the United States has an obligation to serve Americans by disclosing what it knows about zero-day threats. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," former White House cybersecurity advisor Richard Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

The U.S. government's apparent emphasis on playing cyber offense comes as critics have accused the government of lagging on defense. "NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, via <a href="https://twitter.com/csoghoian/status/334150855085391872">Twitter</a>.

2013-05-15T11:38:00Z
LulzSec Hacker 'Pirates' Face Sentencing
Four members of Anonymous spinoff faced sentencing Wednesday for leaking data and launching distributed denial of service attacks against Sony.
http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Four men accused of launching online attacks under the banner of LulzSec appeared in a London courtroom Wednesday for sentencing.

Ryan Cleary, 21; Jake Davis, 20; Ryan Ackroyd, 26; and Mustafa Al-Bassam, 18, had previously pleaded guilty to hacking charges as part of LulzSec's online attack sprees, which caused tens of millions of dollars in damages. All had been remanded on bail pending their sentencing hearing.

"<a href="http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-Home-Office-agency.html">The defendants are colloquially known as cyber attackers</a> based in the U.K.
and elsewhere and they waged what was an undoubtedly sophisticated and orchestrated campaign between February and September 2011," prosecutor Sandip Patel told the sentencing hearing, reported Britain's <em>Daily Mail</em>.

At press time, lawyers for the four LulzSec participants had yet to present mitigating factors to the sentencing hearing, over which Judge Deborah Taylor is presiding. The hearing is expected to conclude Wednesday or Thursday.

Patel told the court Wednesday that the men's information security attacks were "anarchic self-amusement" that lacked even the political ethos espoused by some Anonymous participants, reported Reuters. <a href="http://news.yahoo.com/lulzsec-hackers-cutting-edge-cyber-crime-court-told-135823354.html">"They saw themselves as latter-day pirates,"</a> he said. "They identified vulnerable computer systems; when they found them, they would break into them and pillage them."

The damage that resulted from the group's exploits could be extensive. <a href="http://www.informationweek.com/security/attacks/pwnie-award-highlights-sony-epic-fail-an/231300255">Sony said it cost $20 million</a> in clean-up costs after LulzSec hacked into Sony servers and published customers' credentials and credit card numbers. The Pentagon said it spent $120,000 on cleanup following a LulzSec hack.

"This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cyber-criminal," Patel said.

Over the course of its short existence, LulzSec compromised numerous sites, defacing some, launching <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">distributed denial-of-service (DDoS) attacks</a> against others, and sometimes seizing and publishing sensitive data to Pastebin, Pirate Bay or its own site.

The group's <a href="http://www.informationweek.com/security/cybercrime/lulzsec-claims-credit-for-cia-site-taked/230800019">DDoS targets included the CIA</a>, News International, Britain's Serious Organized Crime Agency, Sony and <a href="http://www.informationweek.com/security/attacks/anonymous-continues-westboro-church-atta/240145120">Westboro Baptist Church</a>. Other victims included the Arizona State Police, 20th Century Fox, News International, Britain's National Health Service, and the Serious Organized Crime Agency (SOCA), which is responsible for investigating computer crimes in Britain.

Patel said that LulzSec was led by U.S. hacker <a href="http://www.informationweek.com/security/vulnerabilities/hacker-sabu-worked-nonstop-as-government/232602334">Sabu</a>, whose real name is Hector Xavier Monsegur. Unbeknownst to his fellow LulzSec participants, Sabu was <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">quietly busted</a> by the FBI in June 2011 and immediately turned informer. Despite LulzSec participants' attempts to <a href="http://www.informationweek.com/security/privacy/lulzsec-suspect-learns-even-hidemyasscom/231602248">mask their true identities</a> -- even to each other -- Sabu helped the bureau and its overseas cybercrime investigation counterparts round up the other members.

According to prosecutors, Davis (aka Topiary) was in charge of LulzSec's communications strategy, and maintained its Twitter feed and website. <a href="http://www.independent.co.uk/news/uk/crime/british-lulzsec-hactivists-stole-passwords-and-credit-card-details-from-hundreds-of-thousands-of-people-court-told-8617450.html">He "smirked in the dock"</a> Wednesday when prosecutors detailed his role in LulzSec, reported Britain's <em>The Independent</em>.

Ackroyd, a former soldier who pretended to be a 16-year-old girl named Kayla, helped select targets and conduct reconnaissance. He was "probably the most sophisticated known conspirator," said Patel, and had a reputation for being a "highly sophisticated rooter." Meanwhile, Bassam (tFlow) also helped identify <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">websites sporting known vulnerabilities</a> that could be exploited. Authorities said he was still a high school student when LulzSec was in operation.

Prosecutors told the court that Cleary (aka Viral) -- unlike Sabu, Ackroyd, Davis and Bassam -- wasn't a core member of the group, but was desperate to take part, and <a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">provided his botnet</a>, built over six years, for LulzSec's exploits. "At any one time he had up to 100,000 computers directly and actively under his control," said Patel.

Cleary previously pleaded guilty to possessing "indecent images" relating to child pornography, which investigators found on hard drives seized during the investigation. After being granted conditional bail in June 2011, he was again -- temporarily -- taken into custody after attempting to contact Sabu in December 2011.

Patel, who characterized Cleary as being "trigger happy," said the LulzSec participant earned up to $4,500 per month by <a href="http://www.informationweek.com/security/vulnerabilities/cheap-botnets-a-boon-to-hackers/225200501">renting his botnet out</a> to other attackers.

2013-05-14T13:14:00Z
FBI Briefs Bank Executives On DDoS Attack Campaign
FBI expedited security clearances so it could share classified info on Operation Ababil, a distributed denial of service attack.
http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858?cid=SBX_iwk_related_slideshow_Smartphones_mobility

The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year.

The videoconference briefings detailed "who was behind the keyboards" of the attacks, FBI executive assistant director Richard McFeely told the Reuters Cybersecurity Summit Monday, <a href="http://www.reuters.com/article/2013/05/13/us-cyber-summit-fbi-banks-idUSBRE94C0XH20130513">reported</a> Reuters. McFeely is in charge of the bureau's criminal and cyber investigations.
The Operation Ababil distributed-denial-of-service (DDoS) attacks, which typically target a handful of the country's top banks every week, have disrupted the websites of such financial institutions as Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attacks have resulted in customers sometimes being unable to access online or mobile banking services.

Banks targeted as part of Operation Ababil have been frustrated by the lack of arrests or apparent progress in the case, McFeely said. But he said that some indictments -- currently under seal -- have been issued for suspects' arrest. Suggesting that the suspects are operating in countries that have no extradition treaty with the United States, he said that the hackers might be caught when they travel to other countries. "The first time we bring someone in from out of the country in handcuffs, that's going to be a big deal," he said.

McFeely said the bureau has been attempting to keep cybercrime victims better informed, admitting that the FBI was "terrible" about doing so in the past. "That's 180 degrees from where we are now," he said.

The self-proclaimed Muslim hacktivist group Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the banking website disruptions, which it said are retaliation for the posting to YouTube in July 2012 of a film that mocks the founder of Islam. U.S. government officials, however, have accused the group of <a href="http://www.informationweek.co.uk/security/attacks/banks-hit-downtime-milestone-in-ddos-att/240152267">being a front for Iran</a>. Members of the group have responded by saying they're apolitical and hail from multiple countries.

Despite the bank attacks having been announced in advance, and now more often than not simply recurring every week, banks -- after spending millions of dollars on <a href="http://www.informationweek.co.uk/security/attacks/ddos-attack-bandwidth-jumps-718/240153084">countermeasures</a> -- have been unable to fully block the DDoS campaign. In part, that's because attackers have managed to <a href="http://www.informationweek.co.uk/security/attacks/bank-attackers-used-php-websites-as-laun/240144413">exploit thousands of PHP websites</a> that include known vulnerabilities and install attack toolkits, which they remotely control to queue up attacks against designated banks.

The sheer scale of the DDoS attacks and the number of compromised websites is astounding. The Department of Homeland Security and FBI have reportedly been liaising with cybersecurity officials in 129 other countries and shared details of a total of 130,000 IP addresses that have been used in the attacks.

The bureau's classified bank executive briefing comes in the wake of President Obama's <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">"Improving Critical Infrastructure Cybersecurity" executive order</a>, issued in February, which instructed the Department of Homeland Security to "expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators." Critical infrastructure, the vast majority of which is privately owned, refers to the energy, oil, water, telecom, finance and transportation industries.

Some members of Congress have been calling for new laws to <a href="http://www.informationweek.co.uk/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">indemnify businesses that share cyber-attack information</a> with law enforcement agencies. But the FBI's outreach effort suggests that public-private information sharing is already occurring.

McFeely did, however, report that the bureau has faced difficulty gathering information about online attacks from victims, for example from defense contractors wary of speaking to the FBI. Interestingly, recent news reports suggest that online attacks against defense contractors -- attributed to China -- have been <a href="http://www.informationweek.co.uk/security/government/china-tied-to-3-year-hack-of-defense-con/240154064">much more successful than previously disclosed</a> in public, and resulted in the compromise of data relating to the latest drone and robot technologies, and might have undermined the combat reliability of the Lockheed Martin F-22 Raptor.

2013-05-14T11:30:00Z
Apple iPhone Decryption Backlog Stymies Police
Apple's waiting list to bypass security controls on latest-generation iPhone and iPad devices means months-long delays for law enforcement investigators.
http://www.informationweek.com/security/encryption/apple-iphone-decryption-backlog-stymies/240154842?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Apple is overwhelmed by requests from law enforcement agencies to
decrypt seized iPhones, and its waiting list is so long that it <a href="http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/">may take months</a> before new requests get handled. <P> That revelation, first reported by CNET, was gleaned from a search warrant affidavit for a seized iPhone last summer by a federal agent who was investigating a Kentucky man on crack cocaine distribution charges. <P> The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) agent, Rob Maynard, said in court documents that he'd "attempted to locate a local, state or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S seized during the investigation, but every contacted law enforcement agency said that it "did not have the forensic capability." Apple, meanwhile, told him that the wait time for recovering data from an iPhone -- which the technology firm copied to a USB key then provided to investigators -- was approximately seven weeks, though Maynard ultimately had to wait about four months. <P> The ATF case highlights that technology companies, including Apple, must comply with court orders to unlock devices they build or sell. But it also revealed that Apple is somehow able to bypass the security controls built into its latest-generation devices. "That is something that I don't think most people realize," Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project, told CNET. "Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data." <P> <strong>[ Who can you trust? Check out <a href="http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?itc=edit_in_body_cross">Microsoft Tech Support Scams: Why They Thrive</a>. 
]</strong> <P> Does court-ordered data retrieval <a href="http://www.informationweek.com/security/privacy/7-facts-about-geolocation-privacy/240005824">infringe on people's privacy rights</a>? "It's important to note that both cops and legislation tend to trail criminals in the adoption of new technologies," said Nick Selby, a Texas police officer and the CEO of StreetCred Software, which provides fugitive case management software to law enforcement agencies, via email. "It's important to question whether police may be going too far, but it is equally important to consider criminals' use of these technologies to abet, and in some cases actually commit, crimes." <P> Many judges have granted warrants to law enforcement agencies to retrieve data from -- or that's associated with -- mobile devices or their radio frequency (RF) communications. "Recent rulings encourage law enforcement to better develop their mobile device and RF chops. For example, in <a href="http://www.informationweek.com/security/mobile/lose-the-burners-court-okays-prepaid-pho/240005614">U.S. vs. Skinner</a> last August, the U.S. Court of Appeals for the 6th Circuit ruled that police may track the signals emanating from wireless devices like a cellphone owned by a person," Selby said. "The fact that the court found that users do not have a reasonable expectation of privacy in the data given off by a voluntarily procured, pay as-you-go cellphone means that we can expect to see more use cases like these." <P> Is Apple putting cases at risk by not complying more quickly with court orders? In the ATF investigation, the attorney for the 24-year-old defendant, Mark Edmond Brown, filed a motion to suppress the evidence gathered from the defendant's iPhone, given the delay in retrieving it. <P> But U.S. 
district court judge Karen Caldwell wrote in an opinion that the ATF was "placed on a waiting list by the company" -- referring to Apple -- for what had been a court-ordered seizure, meaning it was backed by a warrant. "The court finds nothing in the record to demonstrate any evidence of bad faith or unnecessary delay in procuring assistance from Apple to unlock the phone," she wrote. <P> In October 2012, Brown -- a convicted felon -- <a href="http://www.justice.gov/usao/kye/news/2012/2012-10-31-lawton.html">pleaded guilty</a> to possessing firearms, and according to CNET, last month pleaded guilty to a charge of conspiracy to distribute less than five kilograms of crack cocaine. <P> If Apple didn't unlock iPhones for law enforcement agencies in response to a court order, would police have any other options? Some police forces have been testing <a href="http://www.informationweek.com/mobility/smart-phones/london-police-test-smartphone-data-dump/240000766">smartphone data dump kits</a> to allow investigators to easily retrieve data without having to use an external lab or appeal to a device manufacturer or carrier. <P> But recent iOS devices appear tough to crack. For example, Russian digital forensics toolmaker Elcomsoft says its <a href="http://www.informationweek.com/security/mobile/ios-4-hardware-encryption-cracked-by-for/229700041">iOS Forensic Toolkit</a> -- only sold to law enforcement agencies, <a href="http://www.informationweek.com/security/encryption/cracking-bin-ladens-hard-drives/229402923">intelligence agencies</a> and professional forensic investigators -- can "acquire bit-precise images of Apple iOS devices in real time" from all iPhone, iPad and iPod Touch devices that run iOS 3, iOS 4 and iOS 5. 
But the iPhone 5, released last year and shipping with iOS 6, doesn't appear to be unlockable with the Elcomsoft tool.

2013-05-13T12:09:00Z
Microsoft Tech Support Scams: Why They Thrive
Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.
http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free. <P> If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more. <P> According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog <em>Which?</em>, 3% of respondents said they'd <a href="http://conversation.which.co.uk/technology/microsoft-phone-scam-cold-calling-protect-yourself/">allowed scammers to log onto their PC</a> and 2% gave them money. 
Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not. <P> Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate. <P> <strong>1. Scammers Reuse Scripts.</strong> <P> The con artists behind telephone repair scams often <a href="http://www.informationweek.com/security/management/microsoft-windows-support-call-scams-7-f/240005023">reuse the same script</a>, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer." <P> <strong>[ Tired of being stuck in password hell? See <a href="http://www.informationweek.com/security/client/10-top-password-managers/240153906?itc=edit_in_body_cross">10 Top Password Managers</a>. ]</strong> <P> One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said. <P> <strong>2. South African Targeted By StartControl.</strong> <P> Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as <a href="http://www.startcontrol.com/pin.php">BeAnywhere support express</a>, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said. <P> <a href="http://www.beanywhere.com/">BeAnywhere</a> is legitimate remote-control software. But who is Startcontrol.com? 
According to Alexa, <a href="http://www.alexa.com/siteinfo/startcontrol.com">Startcontrol.com has been operating for 10 years</a> and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, led to a "server error: 404 - File or directory not found" message. <P> The site's whois listing says that the domain was registered through GoDaddy, and lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number led to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company. <P> GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com. <P> <strong>3. Support Routines Might Be Real-Time Smokescreens.</strong> <P> One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software. <P> "He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it." 
<P> The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said. <P> <strong>4. Telephone Scams: Cheap, Easy, Repeatable.</strong> <P> Microsoft support scams succeed in part because they're cheap and easy to run. International call centers -- think boiler rooms -- are often used, situated in an inexpensive labor market such as India, and facilitated via low-cost VoIP telephony. <P> Thankfully, consumer watchdogs have been mobilizing. Last year, the Federal Trade Commission <a href="http://www.informationweek.com/security/privacy/ftc-disconnects-tech-support-telemarketi/240008480">cracked down on some tech support scams</a>, filing charges and freezing assets associated with 14 businesses and 17 people. It said the scam operations had successfully conned tens of thousands of English-speaking consumers in the United States, as well as Australia, Canada, Ireland, New Zealand and the United Kingdom, into paying between $49 and $450 for fake services. <P> At the time, the FTC detailed how many of these scam artists operate: "When consumers agreed to pay the fee for fixing the 'problems,' the telemarketers directed them to a website to enter a code or download a software program that allowed the scammers remote access to the consumers' computers," according to the FTC. "Once the telemarketers took control of the consumers' computers, they 'removed' the non-existent malware and downloaded otherwise free programs." <P> <strong>5. Technobabble Warnings: "Frozen DNS Trojan."</strong> <P> Obviously, support scams often succeed because many consumers don't understand Windows information security intricacies. But con artists often operate on the edge of believability, slowly reeling in even technologically savvy targets, whom they might have caught unaware with an impromptu phone call. 
<P> One reader, for example, emailed earlier this year to say the lure of "free" technical support -- no apparent harm there -- initially caught her off guard. "I just received one of those scam calls from an 800 number obviously from someone in India trying to tell me my computer was infected with a 'frozen DNS Trojan' -- originally he said 'virus' but switched to 'Trojan' later in the call," she said. "I didn't fall for it at all but was curious enough to find out exactly what he was up to. Eventually I told him I knew he was a scammer and didn't believe a word he was saying and hung up." <P> Technobabble aside, she reported almost falling for the scam. "I'm relatively computer savvy and for a brief second I wondered if this was for real," she said. "So if I could be duped (even for a split second) I can see how people get pulled into this type of scam especially when the scammer tries to tell you this is all 'free' for him to show you are infected with this virus or Trojan." <P> <strong>6. Virus Scanners Fake Results.</strong> <P> To try to get their way, scammers might bring psychological pressure to bear. For example, when Jerome Segura, senior malware researcher at Malwarebytes, was cold-called by tech support con artists he gave them access to a virtual machine. <a href="http://blog.malwarebytes.org/intelligence/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/">They flew into repair rage</a> when he refused to pay $229 following their fake ministrations. "They got mad and deleted documents and pictures from my (virtual) machine before cutting me off in a very rude way," he said in a blog post. <P> Fake bells and whistles might also be employed. This month, for example, Segura said he decided to call a tech-support number that flashed up in a pop-up advertisement window, <a href="http://blog.malwarebytes.org/intelligence/2013/05/online-pc-support-scams-turning-the-tables/">just to see where it might lead</a>. 
As before, he gave the tech support person who answered remote access to his PC -- not telling him it was a fully cleaned and isolated virtual machine -- on which he installed, as instructed, <a href="http://www.informationweek.com/security/vulnerabilities/unpatched-remote-access-tools-your-gift/240151523">TeamViewer software</a>, through which the supposed tech-support agent accessed the PC, then ran a downloaded scanner. Just two seconds later, the scanner reported extensive virus infections. Segura said his analysis of the scanner's database found that it was "stuffed with false positives which aren't just accidents, but clearly used to add some drama." <P> Added drama or not, don't fall for tech-support scams. <P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>

2013-05-10T11:30:00Z
Huawei CEO Dismisses Security, Spying Concerns
Company founder denies that Huawei employees would ever be forced to spy for China.
http://www.informationweek.com/security/vulnerabilities/huawei-ceo-dismisses-security-spying-con/240154630?cid=SBX_iwk_related_slideshow_Smartphones_mobility

The founder and CEO of Chinese networking equipment manufacturer Huawei, in his first-ever media interview, Thursday dismissed allegations that backdoors may have been built into the company's products to facilitate Chinese espionage. <P> "Huawei has no connection to the cybersecurity issues the U.S. has encountered in the past, current and future," Huawei CEO Ren Zhengfei, 68, told local reporters -- through an interpreter -- while on a visit to New Zealand this week, according to news reports. <P> Since founding the company 26 years ago, Ren had previously refused to conduct media interviews. 
But during his visit this week to New Zealand, he <a href="http://www.bbc.co.uk/news/business-22460962">agreed to meet</a> with reporters from four of the country's news outlets. <P> In response to reporters' questions, <a href="http://www.stuff.co.nz/business/industries/8651260/Huawei-CEO-gives-first-ever-interview">Ren dismissed allegations</a> that his employees might be colluding with state security services, instead likening the relationship between his company and the Chinese government to that between New Zealand companies and their government, reported Fairfax Media in New Zealand. Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity. <P> <strong>[ U.S. officials are trying to ratchet up pressure on China. See <a href="http://www.informationweek.com/quickview/senate-bill-calls-for-cyberespionage-wat/3271?wc=4?itc=edit_in_body_cross">Senate Bill Calls For Cyberespionage 'Watch List'</a>. ]</strong> <P> Ren's comments can be read as a criticism of the U.S. singling out Chinese firms Huawei (the world's second-largest telecommunications manufacturer) and ZTE last year in a Congressional report warning that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Accordingly, the U.S. House of Representatives Permanent Select Committee on Intelligence's Oct. 2012 report <a href="http://www.informationweek.com/security/vulnerabilities/what-huawei-zte-must-do-to-regain-trust/240009190">"strongly encouraged" all U.S. businesses</a> "to seek other vendors for their projects." <P> American businesses appear to be listening. A recent survey of 454 IT professionals conducted by <em>InformationWeek</em> found that the U.S. government's recommendation to avoid Huawei equipment would influence their buying decision-making. 
Indeed, 37% of surveyed businesses cited the warning as a major concern, and 34% said it would be a deal-breaker. <P> But Ren Thursday downplayed his company's presence in the American market. "Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major U.S. carriers, nor have we sold any equipment to any U.S. government agency," he said. <P> His comments echoed those of Huawei executive VP Eric Hu, who last month said, "We are not interested in the U.S. market any more," <a href="http://www.networkcomputing.com/data-networking-management/huawei-quits-us-market/240153472">according to</a> the <em>Financial Times</em>. <P> Despite that apparent vow to quit the U.S. market, the company subsequently <a href="http://www.informationweek.com/quickview/huawei-changes-its-us-market-story/3182">changed its story</a>, saying it would continue to actively sell its products in the United States. "We continue to sell in the U.S. in all three business areas: Device, Carrier Network and Enterprise," Huawei spokesperson Jannie Luong told <em>Network Computing</em> in April. <P> In the wake of the Oct. 2012 Congressional report, Australia, India and the United Kingdom were already evaluating whether they would continue to work with Huawei and ZTE. Notably, India's Research and Analysis Wing -- the government's main intelligence service -- issued a report warning that "Huawei Technologies is known to have links with the People's Liberation Army (PLA) and the ministry of state security of China." <P> In response, Huawei proposed that <a href="http://www.informationweek.com/government/security/huawei-proposes-security-test-center/240009701">Australia create an information security test center</a> to vet the company's products. 
<P> But fears of Chinese espionage were further compounded this week, after an annual report from the Pentagon to Congress <a href="http://online.wsj.com/article/SB10001424127887323687604578467442670389684.html">directly accused China</a> of running a military cyber-espionage operation that directly accessed U.S. government systems. "China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic and defense industrial base sectors that support U.S. national defense programs," according to the report. <P> In the wake of that warning, Huawei and ZTE appear to be facing fresh scrutiny by Indian government officials, who said this week that they're creating a testing lab to assess all foreign-built telecommunications and networking equipment. "We know about the concerns of intelligence agencies and are expediting developing [a] system for testing the telecom equipments of foreign manufacturers in networks," an India government telecommunications official <a href="http://www.hindustantimes.com/News-Feed/Chunk-HT-UI-BusinessSectionPage-Infotech/Huawei-ZTE-under-scanner/Article1-1057038.aspx">told India's <em>Hindustan Times</em></a>. <P> Information security experts, however, say that backdoors purposefully built into networking hardware can be <a href="http://www.informationweek.com/security/vulnerabilities/darpa-looks-for-backdoors-malware-in-tec/240143043">notoriously difficult to detect</a>, and warned that devices could also be <a href="http://www.theregister.co.uk/2013/05/10/india_to_test_huawei_and_zte_kit/">clean when purchased</a> but later updated with firmware that enables spying. 
<P> Furthermore, in a 2012 teardown of the Huawei AR18 and AR29 series routers, Felix "FX" Lindner, who heads Berlin-based Recurity Labs, found that the <a href="http://www.informationweek.com/security/management/huawei-zte-4-security-fears/240009248">firmware contained sufficient numbers of coding errors</a> that anyone studying the code base might find ways of remotely compromising the devices without needing to resort to purpose-made backdoors.

2013-05-10T09:47:00Z
Washington State Courts Reveal Security Breach
State officials don't know when attackers accessed up to 160,000 Social Security and 1 million driver's license numbers stored in unencrypted format.
http://www.informationweek.com/security/attacks/washington-state-courts-reveal-security/240154638?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Attackers hacked into Washington state's Administrative Office of the Courts (AOC) servers and obtained copies of up to 160,000 social security numbers and 1 million driver's license numbers, state officials said Thursday. 
<P> Officials don't know exactly when the breach occurred or how many records -- which could be used to commit identity theft -- were stolen. But they nonetheless attempted to downplay the severity of the incident in media interviews. "The hackers were probably opportunistic," Mike Keeling, IT operations and maintenance manager for the court system, told reporters on a conference call, <a href="http://www.reuters.com/article/2013/05/09/us-usa-hack-washingtonstate-idUSBRE9480YY20130509">reported</a> Reuters. "They were more than likely just fishing for data." <P> Keeling said the failure to store sensitive personal information on a better-protected server, encrypt the data or better lock down servers to prevent network traversal "was an oversight on our part." <P> <strong>[ Is the state spending enough on IT security? Read <a href="http://www.informationweek.com/global-cio/interviews/why-it-spending-is-stuck-in-a-vicious-ci/240154096">Why IT Spending Is Stuck In A Vicious Circle</a>. ]</strong> <P> Washington's court administrator Callie T. Dietz said in a statement: "We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites." <P> Attackers breached the Washington state court systems by exploiting a flaw in Adobe ColdFusion software, which has since been patched by the court's IT department. State officials didn't disclose whether attackers exploited a zero-day vulnerability or a known vulnerability in ColdFusion, or whether a version of the patched software from Adobe was already available at the time of the breach. Answering those questions might be difficult, however, since state officials don't know exactly when the breach occurred, saying only that it seemed to happen after September 2012 and before February 2013. 
<P> The breach was discovered in February by an unnamed business on the east coast, which was attacked in a similar manner, after which it somehow found signs of a similar intrusion against the Washington state court servers. "They recognized our information in their breach log," Keeling said. <P> State officials at first thought their attackers had only accessed public data. By April, however, investigators at Washington State Consolidated Technology Services and the <a href="http://msisac.cisecurity.org/">Multi-State Information Sharing and Analysis Center</a> found that information exposed during the breach included people's names, as well as social security numbers or driver's license numbers. All of the exposed information related to people who received a DUI citation between 1989 and 2011; were booked into a city or county jail between September 2011 and December 2012; were involved in a traffic case in 2011 or 2012; or were involved in a criminal case filed against them in superior court in 2011 or 2012. <P> To date, state officials said they've identified 94 people whose information was likely stolen by attackers, and said all have been contacted by letter. "We found specific [hacker] footprints in the area where those 94 Social Security numbers were located, so that's why we're reasonably sure that the data was accessed," Keeling said. <P> None of those 94 people were offered data-breach-monitoring services or credit protection, although state officials said they might do so if the data breach victims request them. The state has set up a hotline (1-800-448-5584) and website (<a href="http://www.courts.wa.gov/databreach">www.courts.wa.gov/databreach</a>) to answer questions pertaining to the breach. <P> Washington state's CIO, Michael Cockrill, said the breach hadn't affected the state's executive branch, which is on a separate network. Cockrill also said that Gov. 
Jay Inslee has charged his office -- together with the state's Consolidated Technology Services department -- with improving the information security posture of the judicial systems. "The AOC data breach is a sobering reminder for every branch and every level of government, that protection of personal and confidential data entrusted to government is a paramount responsibility," he said. <P> Washington joins a growing list of states -- including <a href="http://www.informationweek.com/security/attacks/texas-data-breach-exposed-35-million-rec/229401489">Texas</a> and <a href="http://www.informationweek.com/security/attacks/9-lessons-from-utah-data-breach/240000747">Utah</a> -- that in recent years have exposed people's personal information because of state officials' failure to properly secure it.

2013-05-09T11:13:00Z
McAfee, AV's King Of Crazy, Resurfaces
Antivirus pioneer and former fugitive from justice in Belize John McAfee shares more about his code-slinging and drug-smuggling past.
http://www.informationweek.com/security/antivirus/mcafee-avs-king-of-crazy-resurfaces/240154538?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Remember John McAfee? <P> In November, the information security genius and resident of Belize <a href="http://www.informationweek.com/security/government/6-wacky-mcafee-facts-from-guatemala-with/240144062">turned fugitive from justice</a> after his neighbor was murdered. 
McAfee alleged that he was being framed by government authorities in retaliation for refusing to satisfy their extortion demands. <P> McAfee subsequently <a href="http://www.informationweek.com/security/antivirus/mcafee-to-be-released-from-guatemalan-pr/240144273">fled to Guatemala</a>, where his <a href="http://www.informationweek.com/security/management/guatemala-arrests-rogue-av-founder-mcafe/240143971">location was revealed</a> by GPS data attached to an uploaded iPhone snap, after which point he was arrested, requested asylum and faked a heart attack, before being <a href="http://www.informationweek.com/security/antivirus/mcafee-back-in-us-crazy-like-a-fox/240144326">denied asylum</a> and deported to Miami. Since then, he has relocated to Portland, Ore., where he's been working with a screenwriter, biographer and graphic novelist, while <a href="http://pandodaily.com/2013/01/26/we-hit-portland-strip-clubs-with-john-mcafee/">visiting strip clubs and house-hunting</a>. <P> McAfee offered those tidbits -- and more -- in a Wednesday <a href="http://features.slashdot.org/story/13/05/07/2017203/interview-john-mcafee-answers-your-questions">Q&A with Slashdot</a>. As with his previous blog posts <a href="http://www.whoismcafee.com/">documenting life on the run</a>, McAfee's answers displayed a predilection for hard-boiled fiction, if not gonzo embellishment. <P> <strong>[ A satire site is the first outlet to detail serious news about recent Twitter account takeovers. Read <a href="http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?itc=edit_in_body_cross">How Syrian Electronic Army Unpeeled The Onion</a>. ]</strong> <P> With those caveats, here are five of the most interesting takeaways: <P> <strong>1. 
Belizean Politician Demanded Millions</strong> <P> Asked to comment on reports that he'd suffered harassment and death threats after refusing to "donate" $30,000 to a Belizean politician, McAfee said that there had been an extortion attempt, but for a significantly larger amount of money. "Had it been $30,000 I would have paid it in an instant," he said. "However it was not. It was $2 million." <P> As a result of his failure to pay up, McAfee has claimed that the government killed his dogs, then murdered his neighbor -- fellow U.S. citizen Gregory Viant Faull, 52 -- in a case of mistaken identity. Belizean authorities have <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-says-belize-framing-him-f/240124914">denied all of McAfee's allegations</a>. <P> <strong>2. Guatemalan Hideout Accidentally Revealed</strong> <P> McAfee's subsequent flight from justice in Belize -- where he was sought for questioning as part of the investigation into Faull's murder, although never charged with any crime -- was documented by <em>Vice</em> editor Rocco Castoro and photographer Robert King. But McAfee's <a href="http://www.informationweek.com/security/mobile/mcafee-av-king-turned-fugitive-surfaces/240143769">arrival in Guatemala was revealed</a> when <em>Vice</em> posted iPhone photographs from which GPS-coordinate-revealing EXIF data hadn't been expunged. At the time, said McAfee, the journalists worried the gaffe would be read as a stunt, allowing them to document McAfee's resulting incarceration. <P> "To calm things down and to get everyone focused on our need to hastily scram, I told Rocco and Robert that I would take the fall and claim that I manipulated the exif data myself and they would be in the clear," he said. "Satisfied, they got packed, we left 10 minutes before the soldiers arrived, and I did what I said I would do. 
It was a stupid plan but it did clear the minds of the two journalists long enough to allow them to function properly in the shaky circumstances." <P> <strong>3. Staying Weird In Portland</strong> <P> After being deported to Miami, McAfee said the decision to relocate to Portland, Ore., where he's been <a href="http://pandodaily.com/2013/02/09/we-take-john-mcafee-to-a-gun-shop-where-he-scares-the-hell-out-of-a-jackass/">living large</a>, centered on there being a critical mass of Asian restaurants and good coffee, backed by the "Keep Portland Weird!" ethos regularly espoused on bumper stickers, as well as its proximity to two people who are documenting his life. "The gentleman producing the comic novel of my life (Chad Essley) and the screenwriter for the feature movie of the Belize incident both live here," he said. That <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">feature movie</a>, provisionally titled <em>Running in the Background</em>, is different from a separate production that's being developed by the team behind the Warner Bros. comedy <em>Crazy, Stupid, Love</em>, which will be <a href="http://www.informationweek.com/security/antivirus/mcafees-escape-from-belize-turns-movie/240146436">based on "John McAfee's Last Stand,"</a> a story written by Joshua Davis for <em>Wired</em>. <P> <a href="http://www.whoismcafee.com/boston-george-jung-writing-the-official-john-mcafee-biography-titled-no-domain/">McAfee also confirmed</a> that he's tapped onetime cocaine smuggler and convicted drug trafficker <a href="http://en.wikipedia.org/wiki/George_Jung">George "Boston George" Jung</a> -- the subject of the 2001 biopic <em>Blow</em> -- to write his biography, provisionally titled <em>No Domain</em>. <P> <strong>4. 
Born To Run, Not Code</strong> <P> In the wide-ranging Q&A, McAfee said that despite launching a pioneering antivirus software business -- the first to distribute antivirus as shareware -- his code-writing prowess would win no awards. "I haven't written code in 20 years. In truth I was a terrible programmer," he said. "I was just good enough though to be able to spot the truly outstanding programmers. At McAfee I hired the best and then stayed out of their hair." <P> Asked to by a reader to comment on the security software that still bears his name, McAfee said he's not been associated with the company, which is now part of Intel, for 21 years. "It's barely a blip in the ocean of associations -- madman, paranoid, child molester, murderer, drug addict, unstable, liar, to name but a few," he said. "Thank god I'm 67 and will probably be too hard of hearing soon enough to have to listen to them rattling around wherever I go. Amy, thankfully, did half the job already by bursting my left eardrum when she tried to shoot me in the head while I slept back in 2011." He didn't specify <a href="http://www.whoismcafee.com/frequently-asked-questions/ ">exactly which Amy</a> he was referring to. <P> <strong>5. Drug-Free 30 Years And Counting</strong> <P> Despite the drug-addict "associations" -- no doubt driven both by his behavior and freely dropped references to the <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">designer drug known as bath salts</a> -- McAfee said he's been sober for 30 years. "All this madness stopped in 1982 when my life disintegrated. I joined AA in 1982 and stopped drinking and drugging. [I] have not used any drugs, except for caffeine, nicotine and adrenaline, since," he said in response to a Slashdot question. <P> McAfee emphasized that his eccentricities aren't evidence of recent recreational drug use. 
"It's odd that people focus on the possibility that I might now be doing drugs (I'm not) and totally ignore the fact that from 1971 to 1982, 99% of my income came from smuggling and selling drugs," he said. "It's a well documented feature of my past life. I was also taking more drugs weekly than most of you will do in a lifetime, and I was a totally indiscriminate user."

McAfee said his drug-distribution habit had come at a personal cost. "I had my right testicle shattered by a hammer in 1974 when I ran afoul of some local drug barons in Oaxaca. It's the size of a grape now and shaped like a small frisbee," he said.

"I have been in Mexican jails on three separate occasions and, frankly, I cannot recommend them," he added.

2013-05-09T10:35:00Z
How Syrian Electronic Army Unpeeled The Onion
Satire site The Onion details multi-pronged Twitter account takeover strategies used by hacktivists.
http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Satire site <em>The Onion</em> has offered a glimpse into the techniques used by the Twitter account takeover artists known as the Syrian Electronic Army.

The campaign launched by the hacktivist group wasn't complex, although it did involve several waves of attacks, resulting in multiple compromised systems and credentials, according to "<a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/">How the Syrian Electronic Army Hacked The Onion</a>," posted Wednesday to the satire site's Tech Blog.

Here's how the attack commenced: Starting Friday, May 3, a handful of <em>Onion</em> employees received emails that asked them to read a story, and included an apparent <em>Washington Post</em> link. In reality, the link led to a hacked WordPress site, which redirected to a googlecom.comeze.com site that requested their Google Apps credentials, which, if entered, redirected users to their Gmail account.
"These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack," according to the <em>Onion's</em> attack overview. "At least one <em>Onion</em> employee fell for this phase of the phishing attack."

Early Monday morning, attackers used the compromised account to send the same phishing message to more employees. "Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts," according to the <em>Onion's</em> recap.

The same day, attackers <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">defaced the <em>Onion's</em> Twitter account page</a> and began issuing bogus tweets. In response, the <em>Onion's</em> IT team issued a company-wide alert, telling all employees to reset their Google Apps passwords. But attackers used another account that they'd compromised to issue their own <a href="http://www.informationweek.com/security/attacks/linkedin-users-change-password-now/240001623">password-reset warning</a>. To make this third wave of attacks more difficult to detect, attackers cleverly didn't send the phishing email -- which included a "password-reset link" that instead redirected to the malicious phishing website that requested a user's Google Apps credentials -- to any IT employees.

"This third and final phishing attack compromised at least two more accounts," according to the attack overview. "One of these accounts was used to continue owning our Twitter account."
At that point, the IT department forced all employees to reset their Google Apps passwords, which allowed them to finally regain control of the accounts and begin a mop-up operation.

The Syrian Electronic Army is allied to the regime of President Bashar Al-Assad, and hacktivist group member "Th3 Pr0" told <em>The New York Times</em> that the <em>Onion</em> Twitter account takeover was <a href="http://bits.blogs.nytimes.com/2013/05/06/no-joke-syrians-hack-the-onion/">meant to be revenge</a> for its recent Assad-attributed editorial titled "Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People."

What lessons can be learned from the successful Syrian Electronic Army phishing attack against the <em>Onion</em>? The company's IT team reported that "a few simple security measures" would have blocked the attacks. For starters, the attacker connected to compromised accounts from the IP address 46.17.103.125, which is the same address used to host a <a href="http://46.17.103.125/en/site/index">Syrian Electronic Army leaks website</a>. Obviously, blocking all connections from that IP address, or other sites associated with the group, would be a good start.

To help block phishing attacks, the IT team also recommended using one email address system for everyday emails, and an entirely different one for Twitter accounts. In addition, it said that employing an intermediary social media management system such as <a href="http://www.informationweek.com/social-business/news/social_networking_consumer/hootsuite-improves-workflow-approvals-fo/232901555">Hootsuite</a> would make it much more difficult for an attacker to fully compromise an organization's Twitter accounts.

For an industry that's predicated on reporting, it's notable that the <em>Onion</em> is the first news outlet -- satirical or straight -- to detail exactly how its Twitter accounts were owned by the Syrian Electronic Army.
That's despite the hacktivist group having exploited the Twitter feeds of such organizations as National Public Radio, Reuters, the BBC <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">and the <em>Guardian</em></a>.

But the Syrian Electronic Army's most infamous outing to date was its compromise of multiple AP Twitter feeds, which it used to issue a hoax alert that President Obama had been <a href="http://www.informationweek.com/security/attacks/twitter-preps-two-factor-authentication/240153539">injured in explosions</a> at the White House. The compromise led to reports that Twitter was finally <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">prepping two-factor authentication</a> to help users block some types of account takeovers.

According to the Syrian Electronic Army, it seized control of the AP accounts via a phishing campaign that compromised at least 50 employees at the news agency, including social media editors.

2013-05-08T13:10:00Z
Nginx Patches Critical Web Server Software Vulnerability
Meanwhile, hackers behind Cdorked malware that targets Apache servers now have extended it to infect open-source Nginx and Lighttpd server software.
http://www.informationweek.com/security/vulnerabilities/nginx-patches-critical-vulnerability-web/240154480?cid=SBX_iwk_related_slideshow_Smartphones_mobility

The developers behind the popular open-source Web server software Nginx have released updates to patch a serious vulnerability.

Nginx on Tuesday announced the <a href="http://nginx.org/en/">release of nginx-1.4.1</a> -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on an Nginx server and completely compromise it. In a <a href="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html">security advisory</a> issued Tuesday, Nginx said <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028">the bug</a> is present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said.

The vulnerability rates as "highly critical," according to a <a href="https://secunia.com/advisories/53248/">security advisory</a> issued by vulnerability research firm Secunia.
"The vulnerability is caused due to an error within [a] function ... when parsing an HTTP chunk and can be exploited to cause a stack-based buffer overflow," it said.

Nginx -- <a href="https://en.wikipedia.org/wiki/Nginx">pronounced "engine X"</a> -- is an open-source Web server, reverse proxy server, and load balancer designed for a large number of concurrent connections and high levels of performance but with a low memory footprint. It runs on Unix, Linux, Solaris and Windows, as well as AIX, BSD variants, HP-UX and Mac OS X.

Nginx is now the third most popular HTTP Web server software, behind Apache and Microsoft IIS, although its popularity continues to increase. "Nginx reached a new milestone this month: it is now used by more than 100M websites, and within the million busiest websites has overtaken Microsoft IIS to take second place with a market share of 13.5%," said a <a href="http://news.netcraft.com/archives/2013/05/03/may-2013-web-server-survey.html">May 2013 Web server report</a> released by Netcraft.

"Overall, Nginx's market share now stands at 15.5%, just 1.2 percentage points behind Microsoft, helped by a growth of 8.3M sites this month," it said.

The growing popularity of Nginx, however, has made it a target for attackers. Notably, the developers behind the <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922">Cdorked malware</a> that targets Linux systems running Apache HTTP server software recently updated the malware to exploit Nginx, as well as open-source Lighttpd ("lighty") Web server software.
To date, Cdorked infections have been confirmed in about 400 Web servers, 50 of which rank in the <a href="http://www.alexa.com/topsites">Alexa index of the top 100,000 websites</a>. But security researchers don't yet know how attackers are infecting servers with the backdoor malware.

"We still don't know for sure how this malicious software was deployed on the Web servers," said Marc-Etienne M. Leveille, a malware researcher at security firm ESET, in a blog post. "We believe <a href="http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/">the infection vector is not unique</a>. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software."

"One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," he said. "Linux/Cdorked.A is a backdoor, used by [a] malicious actor to serve malicious content from legitimate websites."

Interestingly, the malware "is even more stealthy than we first thought," he said. "By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges, nor if the victim's Internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian." In those cases, the malware is instead set to redirect users to a "page with links to pornographic websites," said Leveille.

ESET researchers have also <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922#">clarified the relationship between CDorked and the Apache-targeting Darkleech</a> (aka Chapro) malware attacks, which have continued to intensify in recent months.
"While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit," said ESET malware researcher Sébastien Duquette. "However this does not change the fact that this trend is quite concerning."

2013-05-08T11:26:00Z
Syria Back Online After Internet Blackout
All Internet traffic from the war-torn country -- via overland and submarine connections -- went offline Tuesday.
http://www.informationweek.com/security/management/syria-back-online-after-internet-blackou/240154412?cid=SBX_iwk_related_slideshow_Smartphones_mobility

"Breaking news: traffic from Syria disappears from Internet."

So read a Tuesday alert issued by Umbrella Security Labs, which reported that all outbound Internet traffic from Syria had disappeared. The country's Internet connection remained offline for about 24 hours, before appearing to come online again about 11 a.m. Eastern Time Wednesday.

Multiple Internet monitoring firms corroborated the outage. "Since 18:45 UTC on May 7th, Renesys hasn't seen a flicker of activity," <a href="http://www.renesys.com/blog/2013/05/syrian-internet-fragility.shtml">said Jim Cowie, CTO of Renesys, in a blog post</a> Wednesday morning, before the country's Internet connection appeared to come back online. "We haven't been able to successfully send a ping or a traceroute to any host inside Syria. Government websites, universities, domain name servers, core infrastructure routers, banks, businesses, DSL customers, smartphones: all silent."

Akamai likewise confirmed the "traffic drop to Syria" with a chart that shows hits and megabits of data being delivered to the country <a href="https://twitter.com/akamai_soti/status/331858414684749825/photo/1">plummeting to zero</a> after 2 p.m. Eastern time Tuesday. Akamai confirmed that <a href="https://twitter.com/akamai_soti/status/332104033479299074/photo/1">traffic levels remained at zero</a> early Wednesday morning.
The blackout occurred after both of the top-level domain name servers for Syria -- ns1.tld.sy and ns2.tld.sy -- became unreachable. "Routing on the Internet relies on the Border Gateway Protocol (BGP). BGP distributes routing information and makes sure all routers on the Internet know how to get to a certain IP address," according to a <a href="http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">blog post from Dan Hubbard</a>, CTO of Umbrella Security Labs, which is the threat research division of OpenDNS. "When an IP range becomes unreachable it will be withdrawn from BGP; this informs routers that the IP range is no longer reachable," he said. But in the case of Syria, "currently there are just three routes in the BGP routing tables for Syria, while normally it's close to 80."

"Effectively, the shutdown disconnects Syria from Internet communication with the rest of the world," Hubbard said. "It's unclear whether Internet communication within Syria is still available. Although we can't yet comment on what caused this outage, past incidents were linked to both government-ordered shutdowns and damage to the infrastructure, which included fiber cuts and power outages."
[Image: Syria's 3 Submarine Cables, courtesy of Renesys: http://twimgs.com/informationweek/news/2013/05/syrias-3-submarine-cables-renasys_300.png]

This isn't the first time the Syrian Internet has blacked out. In November 2012, the Syrian government may have <a href="http://www.informationweek.com/security/attacks/syria-hits-internet-kill-switch-blackout/240142977">hit a "kill switch"</a>, taking the country's Internet services offline for two days, or else the infrastructure may have simply failed. Prior Syrian Internet outages occurred in July and August 2012, as well as June 2011.

According to Renesys, Syria's Internet connections comprise overland connections from its northern neighbor, Turkey, as well as three different submarine communications cables from Cyprus, Egypt and Lebanon. All told, Syria works with four different telecommunications providers, it said, although one of those connections -- <a href="https://twitter.com/renesys/status/331868678075330562/photo/1">with Turk Telekom</a> -- has been offline for almost two weeks.

Renesys CTO Cowie said the latest Syrian Internet blackout shouldn't be surprising, given that the country remains in the midst of a <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">bloody civil war</a>. "In the middle of the chaos and tragedy of civil war, why is anyone surprised when the Internet stops working?" he said. "Isn't it actually more shocking and noteworthy that the Internet in Syria actually functions pretty well 360 days out of the year?"
The Internet outage may temporarily slow the efforts of the Syrian Electronic Army hacktivist group that's allied to the regime of Syrian president Bashar al-Assad. The group recently compromised Associated Press Twitter accounts and tweeted hoax messages about <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">explosions at the White House</a>. It later compromised the Twitter feeds for the <em>Guardian</em> and on Monday, <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">satire site <em>The Onion</em></a>.

"To be flippant for a second, this outage might at least shed some light as to whether the Syrian Electronic Army -- who have been causing quite a nuisance by hacking media organizations lately -- are really based in Syria, or not, as some tend to suspect," <a href="http://nakedsecurity.sophos.com/2013/05/07/syria-disappears-off-internet/">said Graham Cluley</a>, senior technology consultant at Sophos, in a blog post.

2013-05-07T13:11:00Z
Anonymous OpUSA Hackathon: Mostly Bluster
DHS predicts Tuesday's hackathon will involve little more than nuisance exploits.
Meanwhile, Syrian Electronic Army hacks Twitter feeds of The Onion.
http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Will the Anonymous-led Operation USA (#OpUSA) scheduled for Tuesday disrupt leading U.S. government and banking websites?

An <a href="http://pastebin.com/LXHKjsfg">"#OpUSA target list" posted to Pastebin</a> two weeks ago named nine government websites -- the White House and Department of Defense's public-facing websites among them -- and 133 banks and credit unions as primary targets. "We will now wipe you off the cyber map," read the Pastebin post, signed by N4M3LE55 CR3W. "Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs."

In a show of solidarity, the distributed-denial-of-service bank-attack outfit known as al-Qassam Cyber Fighters, which as part of Operation Ababil has been <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">successfully disrupting financial websites</a> for months, Monday <a href="http://pastebin.com/vpP9KZ6P">promised to take the week off</a>.
"Due to the simultaneity of OpUSA with Operation Ababil, and to abstain from ambiguity in the intentions of our operation, this week we will not run any attack," read a statement posted to the group's Pastebin.

By Tuesday afternoon, however, despite a <a href="http://www.hackersnewsbulletin.com/2013/05/list-of-websites-affected-under-opusa.html">plethora of hacked-site reports</a>, the OpUSA attacks appeared to be targeting low-level -- and possibly random -- sites in the United States and abroad, arguably causing little damage.

The Tunisian Hackers Team, for example, claimed to have dumped a SQL database for the <a href="http://bloodbanker.com">Blood Bank of America</a> that appeared to contain about 3,000 usernames and hashed passwords. Among other attacks, AnonGhost members BilalSbXtra & Dr.SaMiM_008 posted what they said were 10,000 credit card numbers -- including expiration dates and security codes, as well as account holders' names and addresses -- that were apparently stolen from an online store. Some of the published information also included social security numbers, bank account routing numbers and answers to secret questions. The group also claimed to have hacked 29 Israeli websites.

Meanwhile, Mauritania Attacker Tuesday claimed to be preparing to release "all governments emails of USA." It <a href="https://twitter.com/An0nGhost/status/331255767644655617">published a teaser</a> showing some doxed addresses -- which included both microsoft.com and cia.gov addresses, as well as numerous accounts with service providers -- but with obscured passwords.
Hacking groups or collectives claiming to participate in OpUSA include Anonymous and affiliates <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">AntiSec</a> and <a href="http://www.informationweek.com/security/attacks/lulzsec-reborn-claims-military-dating-si/232700290">LulzSec Reborn</a>. Other groups that have pledged their assistance include Ajax Team, Mauritania Attacker, Muslim Liberation Army, Redhat, Team Poison Reborn and ZHC.

Not all OpUSA-related attacks began Tuesday. Hacking group <a href="https://twitter.com/YourAnonNews/status/331196545556946946">X-Blackerz Inc claimed</a> Monday to have released 23 emails and passwords for Honolulu Police Department staff. Meanwhile, AnonGhost Team got an early start Saturday, <a href="http://pastebin.com/zftTrrrh">claiming via Pastebin</a> that it had defaced about 900 pages, which included multiple Web pages in the domain of <a href="http://www.hack-db.com/">Hack-DB</a>, which tracks hacktivism and cybercrime. A message posted to defaced sites read "we are everywhere" and left a scrolling list of the group's official members.

Many of the groups that pledged to take part in the one-day hackathon had previously joined forces for the ongoing <a href="http://www.informationweek.com/security/attacks/anonymous-launches-opisrael-ddos-attacks/240142149">Operation Israel (#OpIsrael) campaign</a>, which last month promised to "erase" Israel from the Internet. "We promised to take Israel off the cyber map. We succeeded," read a recent OpUSA target list post. OpIsrael attackers last month claimed to have disrupted 100,000 Israeli websites and caused $3 billion in damage.
But <a href="http://www.informationweek.com/security/attacks/anonymous-claims-100000-israel-site-disr/240152448">Israeli officials disputed hacktivists' claims</a>, saying while there had been a lot of bluster there was little "real damage," and that the country's critical infrastructure remained unaffected.

Likewise, in the lead-up to OpUSA, the U.S. Department of Homeland Security appeared to expect similar low-level attacks aimed to publicize attackers' anti-U.S. grievances but that would cause little lasting damage. In a confidential DHS memo issued last week and <a href="http://krebsonsecurity.com/2013/05/dhs-opusa-may-be-more-bark-than-bite/">obtained by security reporter Brian Krebs</a>, DHS said the attacks "likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation."

Not all hacktivist activity this week has been conducted under the OpUSA banner. The <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Electronic Army</a> resurfaced Monday when it <a href="http://www.syrianews.cc/syrian-electronic-army-pays-visit-onion/">seized control of the Twitter feed for the satirical news outlet <em>The Onion</em></a>. The group posted fake news headlines relating to Israel's recent missile strikes against military targets in Syria. Another tweet suggested that the Israeli government was allied with Al Qaeda.

In the wake of the Twitter account takeover, <em>The Onion</em> <a href="http://www.theonion.com/articles/onion-twitter-password-changed-to-onionman77,32323/">responded in typical fashion</a>: "Following today's incident in which the Syrian Electronic Army hacked into The Onion's Twitter account, sources ... confirmed that its Twitter password has been changed to OnionMan77 in order to prevent any future cyber-attacks."
The story quoted "Onion IT specialist Nick Abersold" as saying that the new password would be "virtually impenetrable."

Satire aside, in the wake of the <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">numerous news organizations' Twitter account takeovers</a> by the Syrian Electronic Army, Twitter last week issued a memo <a href="http://www.informationweek.com/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094">warning media outlets</a> to take appropriate security precautions, as it expected the account takeovers to continue.

2013-05-07T11:20:00Z
Sweet Password Security Strategy: Honeywords
To improve detection of database breaches, businesses should store multiple fake passwords and monitor attempts to use them, say RSA researchers.
http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information.

That's the thinking behind the "honeywords" concept first proposed this month in <a href="http://people.csail.mit.edu/rivest/pubs/JR13.pdf">"Honeywords: Making Password-Cracking Detectable,"</a> a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest, who <a href="http://en.wikipedia.org/wiki/Ron_Rivest">co-invented the RSA algorithm</a> (he's the "R").

The term "honeywords" is a play on "honeypot," which in the information security realm refers to creating fake servers and then <a href="http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740">learning how attackers</a> attempt to exploit them -- in effect, using them to help detect more widespread intrusions inside a network.
<P> "[Honeywords are] a simple but clever idea," said Bruce Schneier, chief security technology officer of BT, in a <a href="https://www.schneier.com/blog/archives/2013/05/honeywords.html">blog post</a>. "Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file." <P> The honeywords concept is also elegant because any attacker who's able to steal a copy of a password database won't know if the information it contains is real or fake. "An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword," Juels and Rivest pointed out. "The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine and will set off an alarm if a honeyword is submitted." <P> <strong>[ Two-factor authentication is a good first step, but it's not enough. Here's why. <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672?itc=edit_in_body_cross">Twitter Two-Factor Authentication: Too Little, Too Late?</a> ]</strong> <P> The researchers recommend honeywords as a step beyond creating fake accounts. "Sometimes administrators set up fake user accounts ("honeypot accounts") so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to login," they said. "Since there is really no such legitimate user, the adversary's attempt is reliably detected when this occurs." But they said that attackers may find viable techniques for spotting bogus accounts.
<P> Accordingly, they recommend adding multiple fake passwords to every user account and creating a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. "This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password," they said. <P> A single honeyword login attempt doesn't necessarily mean that the password database has been compromised: an attacker running online password-guessing attacks against the site could hit a honeyword by chance. On the other hand, if numerous login attempts are made using honeywords, or if honeyword login attempts are made against admin accounts, then it's far more likely that the password database has been stolen and its hashes cracked. <P> One benefit of the researchers' approach is that businesses could improve their security posture without any user intervention. "Honeywords aren't visible to users and don't in any way change their experience when they log in using passwords," read a <a href="http://people.csail.mit.edu/rivest/honeywords/faq.pdf">related FAQ</a>. <P> The researchers acknowledge that attackers might try to subvert the system by launching a denial-of-service attack against the honeychecker server, so that it can no longer answer the login server's queries. For that case they recommend a failsafe: if the honeychecker becomes unavailable, temporarily accept any of an account's stored sweetwords (the real password or one of its honeywords) as a valid login, trading detection for availability until the honeychecker is back. <P> Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised.
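The mechanism described above, as an added illustration that is not code from the paper, the FAQ or the article: a toy login server that stores salted PBKDF2 hashes of k sweetwords per account, a separate honeychecker that knows only which index is the real password, an alarm when a decoy is used, and the failsafe for a honeychecker outage. The decoys are made with the paper's "tweak-tail" method (replace the last few characters with random ones of the same class). The account name, password, k, tail length and the (deliberately low) PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import random
import string

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the demo runs in well under a
# second; a production deployment needs a far higher count (or bcrypt/scrypt).
PBKDF2_ITERATIONS = 20_000


def tweak_tail(password, rng, tail=3):
    """Tweak-tail honeyword: keep the head of the password and replace the last
    `tail` characters with random ones of the same class (digit -> digit,
    letter -> same-case letter, symbol -> symbol), so decoys look plausible."""
    head, end = password[:-tail], password[-tail:]
    out = []
    for ch in end:
        if ch.isdigit():
            pool = string.digits
        elif ch.isalpha():
            pool = string.ascii_lowercase if ch.islower() else string.ascii_uppercase
        else:
            pool = string.punctuation
        out.append(rng.choice(pool))
    return head + "".join(out)


def generate_sweetwords(password, k, rng):
    """Return k shuffled sweetwords (real password + k-1 honeywords) and the
    index of the real password within that list."""
    words = [password]
    attempts = 0
    while len(words) < k:
        candidate = tweak_tail(password, rng)
        if candidate not in words:
            words.append(candidate)
        attempts += 1
        if attempts > 1000:
            raise ValueError("cannot generate enough distinct honeywords")
    rng.shuffle(words)
    return words, words.index(password)


class Honeychecker:
    """Stand-in for the auxiliary honeychecker server. It stores only, per user,
    the index of the real password among the sweetwords; it never sees
    passwords or hashes, so the stolen password file alone reveals nothing."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []        # (user, index) pairs that tripped an alarm
        self.available = True   # set False to simulate a DoS / outage

    def set_index(self, user, index):
        self._real_index[user] = index

    def check(self, user, index):
        """True if `index` is the real password; False (and an alarm) if a honeyword."""
        if not self.available:
            raise ConnectionError("honeychecker unreachable")
        if self._real_index[user] == index:
            return True
        self.alarms.append((user, index))
        return False


class PasswordServer:
    """Main login server: holds salted PBKDF2 hashes of all k sweetwords per
    account and asks the honeychecker which matching entry is genuine."""

    def __init__(self, checker, k=4, rng=None):
        self.checker = checker
        self.k = k
        self.rng = rng or random.SystemRandom()
        self.db = {}            # user -> (salt, [hash of each sweetword])

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        """Store k sweetword hashes and tell the honeychecker which is real.
        Returns the sweetword list: exactly what an attacker who cracks the
        stolen hashes would learn (returned here for the demo only)."""
        words, real_index = generate_sweetwords(password, self.k, self.rng)
        salt = os.urandom(16)
        self.db[user] = (salt, [self._hash(w, salt) for w in words])
        self.checker.set_index(user, real_index)
        return words

    def login(self, user, password):
        """'ok', 'fail' (no sweetword matched), 'honeyword' (decoy used: alarm
        raised, login refused) or 'ok-failsafe' (honeychecker down; the
        sweetword is accepted so the outage cannot lock every user out)."""
        if user not in self.db:
            return "fail"
        salt, hashes = self.db[user]
        candidate = self._hash(password, salt)
        matches = [i for i, h in enumerate(hashes) if hmac.compare_digest(h, candidate)]
        if not matches:
            return "fail"
        try:
            return "ok" if self.checker.check(user, matches[0]) else "honeyword"
        except ConnectionError:
            return "ok-failsafe"


def demo():
    """Walk through the attack the scheme is built to detect (constructed account)."""
    checker = Honeychecker()
    server = PasswordServer(checker, k=4, rng=random.Random(2013))
    sweetwords = server.register("alice", "Summer2013!")
    decoy = next(w for w in sweetwords if w != "Summer2013!")
    results = {
        "real": server.login("alice", "Summer2013!"),
        "wrong": server.login("alice", "hunter2"),
        "decoy": server.login("alice", decoy),   # attacker cracked the file, picked the wrong sweetword
    }
    checker.available = False                     # attacker DoSes the honeychecker
    results["decoy_failsafe"] = server.login("alice", decoy)
    return results, checker.alarms


if __name__ == "__main__":
    print(demo())
```

The honeychecker's only state is one small integer per account, which is why it can be a hardened, minimally exposed system; the login server never learns the index, so a compromise of either system alone does not expose the real passwords.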
Last month, for example, <a href="http://www.darkreading.com/privacy/livingsocial-says-cyberattack-puts-data/240153819">LivingSocial said that attackers stole</a> information relating to 50 million users, and stolen passwords were reportedly published in underground forums. Two state attorneys general are <a href="http://www.ct.gov/ag/cwp/view.asp?Q=523856&A=2341">now investigating</a>. In March, meanwhile, <a href="http://www.informationweek.co.uk/security/attacks/evernote-breach-7-security-lessons/240149911">Evernote reset all 50 million users' passwords</a> after the company's security team discovered and blocked suspicious activity on the Evernote network. <P> Those are hardly isolated incidents. In the space of a single week last year, 6.5 million LinkedIn, 1.5 million eHarmony and an estimated 17 million Last.fm users' <a href="http://www.informationweek.co.uk/security/client/7-tips-to-toughen-passwords/240001775">password hashes were uploaded to hacking forums</a>. Although security experts suspect the passwords may have been stolen as early as 2010 or 2011, the affected businesses appeared to learn about the breaches only after the hashes were posted. <P> Many businesses -- including Evernote -- protected stored passwords with fast, general-purpose hash functions, sometimes with a salt for added protection. But such hashes can be brute-forced at enormous speed on commodity hardware, and password-security experts have long recommended that businesses <a href="http://www.informationweek.co.uk/security/application-security/password-police-cite-evernote-mistakes/240150250">use built-for-purpose password hashing algorithms</a> such as bcrypt, scrypt or PBKDF2, which are deliberately slow and, if properly implemented, are much more resistant to brute-force attacks. <P> Regardless, no password security system is foolproof. That's why an early warning system such as honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have time to put the stolen information to use.
<P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>

2013-05-02T13:20:00Z
China Tied To 3-Year Hack Of Defense Contractor
U.S. defense contractor QinetiQ ignored persistent attack warning signs, lost terabytes of secret information, say investigators.
http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064?cid=SBX_iwk_related_slideshow_Smartphones_mobility

For three years, boutique defense contractor QinetiQ was compromised by an advanced persistent threat (APT) attack group operating from China. During that time, attackers accessed information about cutting-edge U.S. military drone and robot weapons systems and brought competing products to market.
<P> Those allegations surfaced against <a href="http://en.wikipedia.org/wiki/Qinetiq">QinetiQ North America</a> Wednesday in a <a href="http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html">report</a> from Bloomberg, which cited investigators hired by QinetiQ -- as well as HBGary emails that were stolen and <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">leaked by Anonymous</a> -- as sources. HBGary was one of several firms hired by the defense contractor to investigate apparent intrusions. <P> Investigators told Bloomberg that the ongoing attacks against QinetiQ (pronounced "kinetic") were launched by the Shanghai-based Comment Crew. Earlier this year, a report from security firm Mandiant <a href="http://www.informationweek.com/security/attacks/china-denies-us-hacking-accusations-6-fa/240149058">tied the group</a> -- which it dubbed APT1 -- to attacks that compromised 141 organizations, none of which it named, across 20 industries. According to Mandiant, the attackers weren't just supported by China, but were actually part of the People's Liberation Army (PLA) Unit 61398, an elite military hacking unit. Chinese officials denied those allegations. <P> <strong>[ How should your business react to the Chinese allegations? Read <a href="http://www.informationweek.com/security/attacks/china-hack-attacks-play-offense-or-defen/240150482?itc=edit_in_body_cross">China Hack Attacks: Play Offense Or Defense?</a> ]</strong> <P> Investigators hired by QinetiQ said that despite ongoing warnings from numerous organizations, including NASA and the Naval Criminal Investigative Service, that the defense contractor's networks had been compromised, QinetiQ officials failed to recognize that attackers were maintaining a persistent presence in their network, and failed to react accordingly.
<P> "We found traces of the intruders in many of their divisions and across most of their product lines," Christopher Day -- until February, a senior VP at Verizon's Terremark security division, which QinetiQ twice hired to investigate apparent intrusions -- told Bloomberg. "There was virtually no place we looked where we didn't find them." <P> As a result, investigators said that terabytes of data, including classified information relating to military robotics, drones and the Army's helicopter fleet, including PIN codes that could now be used to identify helicopters' deployment and combat-readiness, were stolen. <P> A QinetiQ spokesman didn't immediately respond to an emailed request for comment on the report, or what information security changes the business might have made as a result. <P> Attacks that aim to <a href="http://www.informationweek.com/security/attacks/securid-customers-advised-to-prepare-for/229301337">steal military secrets from defense contractors</a> and their subcontractors are nothing new. A 2010 report from the Defense Security Service branch of the Department of Defense warned that "the United States' technical lead, competitive edge, and strategic military advantage are at risk; and our national security interests could be compromised" by what it said were an escalating number of "pervasive, relentless, and unfortunately, at times, successful" information security attacks against defense contractors. <P> But many reported incidents, such as the <a href="http://www.informationweek.com/government/security/web-probes-on-defense-contractors-rising/224201454">theft of information relating to the advanced Lockheed Martin F-35 stealth fighter jet</a> in 2009, have been far more extensive than public accounts have suggested.
Interestingly, China conducted the first test flight of its <a href="http://www.telegraph.com/news/worldnews/asia/china/9647722/China-makes-first-test-flight-of-new-stealth-fighter-jet.html">own stealth fighter</a> in November 2012. Meanwhile, Bloomberg reported that the theft of information relating to the Lockheed Martin F-22 Raptor led some intelligence officials to suggest that it might be unsuitable for combat, because the stolen information might be used to compromise critical systems. <P> The QinetiQ hack attack campaign recalls the <a href="http://www.informationweek.com/security/attacks/8-lessons-from-nortels-10-year-security/232601092">10-year breach of Nortel</a>, during which time attackers maintained a persistent presence inside the company's network. Attackers stole numerous telecommunications and networking secrets, despite persistent signs that the Nortel network had been compromised.

2013-05-02T11:35:00Z
Twitter To News Outlets: More Takeovers Ahead
Twitter memo warns of ongoing account takeover attempts, urges media businesses to prepare. Should Twitter be doing more?
http://www.informationweek.com/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Twitter this week warned news and media outlets to expect ongoing attempts to take over their Twitter accounts and offered detailed guidance for how businesses could improve their security posture. <P> "There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers," read a memo distributed this week by Twitter and <a href="http://www.buzzfeed.com/jwherrman/twitter-warns-journalists-we-believe-that-these-attacks-will">reprinted by Buzzfeed</a>.
<P> Twitter's security outreach campaign comes in the wake of the Syrian Electronic Army this week compromising more than a dozen Twitter accounts <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">maintained by the <em>Guardian</em></a> to decry its "lies and slander about Syria." That followed the hacktivist group last week compromising multiple Associated Press accounts and issuing a hoax tweet claiming that <a href="http://www.informationweek.co.uk/security/attacks/ap-twitter-hack-lessons-learned/240153626">explosions at the White House</a> had injured President Obama. The tweet led to a brief downturn in the stock market. The group's previous Twitter account compromises have affected Al-Jazeera English, BBC, CBS, France24, National Public Radio, Reuters and Sky News. <P> How does Twitter recommend that businesses at high risk of having their Twitter accounts compromised -- by a hacktivist group that's strongly aligned to Syrian President Bashar al-Assad, or anyone else with a grudge -- protect themselves? <P> For starters, it recommended employee training, pointing out that recent account takeovers appear to be spear-phishing attacks that target corporate email. Thus it recommends that businesses promote individual awareness of these attacks within the organization. In other words, <a href="http://www.darkreading.com/hacked-off/on-security-awareness-training/240151108">train your employees to recognize fake emails</a>. <P> <strong>[ Two-factor authentication is a step in the right direction, but it's just a start. 
Read <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672?itc=edit_in_body_cross">Twitter Two-Factor Authentication: Too Little, Too Late?</a> ]</strong> <P> Twitter also recommends that businesses set a randomly generated password at least 20 characters long, never distribute passwords via email, use <a href="http://www.informationweek.co.uk/security/client/10-top-password-managers/240153906">password managers</a>, change passwords regularly, and review the "authorized applications" permitted to access a Twitter account so that every one of them is recognized. It also recommends tying the Twitter account's email address to an email system that <a href="http://www.informationweek.com/security/vulnerabilities/google-enables-two-factor-authentication/229216897">uses two-factor authentication</a> -- be it Gmail, Hotmail or a corporate email system -- to make it harder for attackers to use password resets to gain control of accounts. <P> Finally, Twitter also suggested that high-risk businesses consider setting aside one computer for tweeting and little else. "Don't use this computer to read email or surf the Web, to reduce the chances of malware infection," Twitter recommended. "This helps keep your Twitter password from being spread around." <P> Twitter's guidance to businesses aside, is there more that the company could do to protect its users? Notably, Twitter is reportedly <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">beta-testing two-factor authentication</a> for its site. But two-factor authentication won't protect Twitter users from having their credentials intercepted via malware or phishing attacks.
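A control that still helps once a password has been phished is to stop treating a login as routine unless it comes from a device the account has used before, and to challenge (and alert on) logins from a country the account has never been seen in. The following is an added illustration of such a trusted-device and new-location policy; it is not Twitter's code, and the rule set, the account name, the device identifiers and the country codes (including the placeholder "XX") are all constructed for the demo.

```python
from collections import defaultdict


class LoginRiskPolicy:
    """Trusted-device plus new-location policy for account logins.

    Rule set (an assumption of this example, not any real service's logic):
      * wrong password                            -> 'deny'
      * device already trusted for the account    -> 'allow'
      * unknown device, account has no history    -> 'step-up'  (first enrolment)
      * unknown device, country seen before       -> 'step-up'
      * unknown device, never-seen country        -> 'step-up+alert'
    A device becomes trusted only after the second factor succeeds."""

    def __init__(self):
        self.trusted_devices = defaultdict(set)   # user -> device ids
        self.known_countries = defaultdict(set)   # user -> countries seen from trusted devices
        self.alerts = []                          # (user, device, country) worth a human look

    def evaluate(self, user, device_id, country, password_ok):
        if not password_ok:
            return "deny"
        if device_id in self.trusted_devices[user]:
            # A trusted device travelling is normal; remember the new country.
            self.known_countries[user].add(country)
            return "allow"
        if self.known_countries[user] and country not in self.known_countries[user]:
            self.alerts.append((user, device_id, country))
            return "step-up+alert"
        return "step-up"

    def complete_step_up(self, user, device_id, country):
        """Call only after the second factor (code, app prompt, ...) was verified."""
        self.trusted_devices[user].add(device_id)
        self.known_countries[user].add(country)


# Constructed login events for one account:
# (device id, country, password correct?, second factor passed? [None = not asked])
SAMPLE_EVENTS = [
    ("newsdesk-pc-1", "US", True, True),    # first ever login: enrol the newsroom PC
    ("newsdesk-pc-1", "US", True, None),    # same trusted device again
    ("newsdesk-pc-1", "US", False, None),   # typo in the password
    ("laptop-2", "US", True, True),         # new device, familiar country: step-up, then trusted
    ("unknown-box", "XX", True, False),     # phished password replayed from an unfamiliar country
    ("laptop-2", "GB", True, None),         # trusted device travels: allowed, GB now known
]


def run_events(events=SAMPLE_EVENTS, user="newsdesk"):
    """Feed the events through the policy; return the decisions and any alerts."""
    policy = LoginRiskPolicy()
    decisions = []
    for device, country, password_ok, step_up_passed in events:
        decision = policy.evaluate(user, device, country, password_ok)
        if decision.startswith("step-up") and step_up_passed:
            policy.complete_step_up(user, device, country)
        decisions.append(decision)
    return decisions, policy.alerts


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_events()[0]):
        print(event, "->", decision)
```

The fifth event is the case the memo is about: the attacker has the correct password, so a password-only check passes, but the unknown device and unfamiliar country turn it into a challenge the attacker cannot complete and an alert the account owner can act on.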
That's why many security experts have been <a href="http://www.informationweek.co.uk/security/management/twitter-two-factor-authentication-too-li/240153672">calling on Twitter to put more robust defenses in place</a> for blocking account takeovers -- for example, by taking a page from Facebook and allowing users to register machines as "trusted," or requiring additional login credentials when someone tries to access an account from a new geographic region for the first time. <P> Twitter may also need to ensure that the session tokens it issues are only ever transmitted over encrypted (HTTPS) connections, since a token sent in the clear can be sniffed and replayed without the password ever being stolen. "Not all account hijacks are based on phishing and spear-phishing. Sometimes tweets are sent out because an unencrypted session is hijacked and while this may not be the case in this instance, it's sometimes convenient for service providers to assume that security breaches are the fault of the user," said David Harley, senior research fellow at security firm ESET, in a <a href="http://www.welivesecurity.com/2013/04/30/twitter-blames-spear-phishing-for-recent-hacks-and-warns-news-companies-to-expect-more/">blog post</a>. <P> "There are limits to what Twitter [or the user] can do about this issue," Harley added. "However, the risk can be reduced by browsing from VPN connections and/or accessing sites via SSL, but that's not always convenient. What might also help is not having a Twitter account running permanently in the background, but that may not be convenient for many Twitter users either."

2013-05-01T13:35:00Z
FBI Seeks Real-Time Facebook, Google Wiretaps
Government proposal would expand wiretap laws to cover not just service providers, but also the likes of Facebook and Google.
http://www.informationweek.com/security/privacy/fbi-seeks-real-time-facebook-google-wire/240154011?cid=SBX_iwk_related_slideshow_Smartphones_mobility

Should Facebook, Google and similar sites be forced to adapt their infrastructure so that the FBI and other law enforcement agencies can easily tap suspects' communications in real time? <P> That's the <a href="http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html">impetus behind new wiretap guidelines</a> being drawn up by a government panel, according to the <em>Washington Post</em>. <P> The draft guidelines, championed by the FBI, would allow courts to impose escalating fines on any business that didn't immediately comply with a court-ordered request for real-time communications interception, regardless of whether the Web service provider said such interception was technically feasible. Any business that fails to comply with the wiretap request could face fines that start at tens of thousands of dollars, then double daily after 90 days of noncompliance.
The White House reportedly hasn't yet signed off on the proposals. <P> <strong>[ Questions about employee surveillance? Read <a href="http://www.informationweek.com/global-cio/personnel/watching-workers-wheres-the-line/240150904?itc=edit_in_body_cross">Watching Workers: Where's The Line?</a> ]</strong> <P> "Today, if you're a tech company that's created a new and popular way to communicate, it's only a matter of time before the FBI shows up with a court order to read or hear some conversation," Perkins Coie attorney Michael Sussmann, a former federal prosecutor, told the <em>Post</em>. "If the data can help solve crimes, the government will be interested." <P> In 2005, in an expansion of the Communications Assistance for Law Enforcement Act (CALEA), the Federal Communications Commission ruled that facilities-based broadband Internet access providers, as well as interconnected VoIP providers, had to make their networks capable of real-time interception. But that ruling doesn't cover Web services such as Facebook and Google. Accordingly, the FBI now tends to back off when those companies or their peers say they can't easily comply with an intercept request for technical reasons, rather than attempting to initiate contempt proceedings, reported the <em>Post</em>. <P> But the bureau would like that to change. "The importance to us is pretty clear," the FBI's general counsel, Andrew Weissmann, <a href="http://www.c-spanvideo.org/program/NewTechnolo">last month said in a speech</a> to the American Bar Association's Standing Committee on Law and National Security. "We don't have the ability to go to court and say, 'We need a court order to effectuate the intercept.' Other countries have that. Most people assume that's what you're getting when you go to a court." <P> The bureau's push for expanded wiretapping powers is far from unexpected.
Indeed, reports surfaced last year that the <a href="http://www.informationweek.co.uk/security/management/new-fbi-surveillance-backdoors-6-key-poi/240000653">FBI was meeting with Facebook</a>, Google, Microsoft and Yahoo, among other companies, to query how the bureau could best conduct surveillance of their services while causing minimal disruption. <P> In 2011, meanwhile, longtime FBI director Robert S. Mueller III urged Congress to give the bureau <a href="http://www.informationweek.co.uk/government/security/fbi-seeks-expanded-web-wiretapping-capab/229218950">greater wiretapping capabilities</a>, warning that to do otherwise meant there would be "a very real risk of the government 'going dark,' resulting in an increased risk to national security and public safety." <P> But civil liberties groups have warned that the proposal to fine businesses that don't proactively aid FBI surveillance of their communications services risks wiretap capabilities being abused by attackers. "At the very time when the nation is concerned about cybersecurity, the FBI proposal has the potential to make our communications less secure," said Joe Hall, a senior staff technologist for the Center for Democracy and Technology, in a statement. "Once you build a wiretap capability into products and services, the bad guys will find a way to use it." <P> Another unanswered question is how new intercept capabilities would be tested or vetted. Would changes to popular services -- such as Facebook or Gmail -- first require a corresponding sign-off from IT staff at the FBI before they could be put into production? <P> "What the FBI is proposing sounds benign, but it comes with such onerous penalties that it would force developers to seek pre-approval from the FBI," said CDT president Leslie Harris in a statement.
"No one is going to want to face fines that double every day, so they will go to the FBI and work it out in advance, diverting resources, slowing innovation, and resulting in less secure products." <P> <i>In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe. Get our <a href="http://www.darkreading.com/ApplicationSecurity/util/10426/download.html?k=axxe&cid=article_axxe">Insecurity With Java</a> report today. (Free registration required.)</i>

2013-05-01T11:41:00Z
U.S. Labor Dept. Website Hacked, Serves Malware
Attack bears strong similarities to previous campaigns executed by Chinese APT attack group "DeepPanda," reports security expert.
http://www.informationweek.com/security/attacks/us-labor-dept-website-hacked-serves-malw/240153984?cid=SBX_iwk_related_slideshow_Smartphones_mobility

The U.S. Department of Labor website was hacked Tuesday evening to launch drive-by attacks at visitors' Web browsers. <P> That warning was sounded Wednesday morning by Jaime Blasco, director of AlienVault Labs, as well as Anup Ghosh, CEO of Invincea, both of whom reported that the Department of Labor's Web servers had been compromised to serve malicious code to visitors. <P> A Department of Labor spokeswoman, reached by phone, declined to comment on the attack reports.
But Blasco said via email: "Several people within the U.S. government have been contacted so they should be working on it right now. We published this information because the exploit is still there and we are trying to warn people not to visit the website." <P> <strong>[ Redact throws down a security gauntlet. Read <a href="http://www.informationweek.com/mobility/security/can-you-hack-this-smartphone-app-for-100/240153918?itc=edit_in_body_cross">Can You Hack This Smartphone App For £10,000?</a> ]</strong> <P> By late Wednesday morning, the malware campaign appeared to have been stopped. "The site has since been fixed and <a href="http://www.invincea.com/2013/05/k-i-a-us-dol-website-pushing-poison-ivy-cve-2012-4792/">law enforcement is investigating</a>," said Invincea's Ghosh in a blog entry posted late Wednesday morning. <P> <a href="http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/">How did the attack work?</a> If a system was successfully compromised by the malicious code running on the Department of Labor's website, it would "phone home" to a command-and-control (C&C) server that's disguised as a Microsoft update server. "The C&C protocol matches with a backdoor used by a known Chinese actor called DeepPanda," Blasco said in a blog post. <P> In addition, Blasco said the attack code used strongly resembled a previous exploit seen against a <a href="http://labs.alienvault.com/labs/index.php/2012/thailand-ngo-site-hacked-and-serving-malware/">Thai nongovernmental organization</a> that focuses on human rights under the auspices of the <a href="http://en.wikipedia.org/wiki/Association_of_Southeast_Asian_Nations">Association of Southeast Asian Nations</a>.
<P> Security intelligence firm CrowdStrike has <a href="http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf">tied DeepPanda</a> to a number of <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">advanced persistent threat (APT) attacks</a>, noting that the group's attacks "target various strategic interests of the United States including high tech/heavy industry, non-governmental organizations (NGOs), state/federal government, defense industrial base (DIB), and organizations with vast economic interests." <P> The malware served by the Department of Labor website targeted a vulnerability that's already been patched by Microsoft. According to Blasco, "after a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year." According to a <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792">related vulnerability summary</a> from NIST, the flaw is a "use-after-free vulnerability in Microsoft Internet Explorer 6 through 8" which attackers can use to remotely execute arbitrary code in a vulnerable browser. The vulnerability was first discovered in December 2012, when it was seen in zero-day attacks. <P> The code injected into the Department of Labor's pages ran JavaScript in visitors' browsers, served directly from the Department of Labor website. That JavaScript in turn loaded a further script from a PHP page on an external server, currently <a href="http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115">hosted by OC3 Networks & Web Solutions</a> in Los Angeles; the script ran in the browser and reported what it found about the visitor's system back to that same server. <P> Only if that reconnaissance found a suitable target did the malware attempt to exploit the IE vulnerability and, on success, download an attack payload from a remote server.
Blasco said that as of early Wednesday morning, <a href="https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/">according to VirusTotal</a>, the downloaded code was being flagged as malicious by only two out of 46 antivirus scanners. But by later that morning, 13 antivirus scanners had been updated to identify the attack. <P> The PHP-served script used in the attack "will collect a lot of information from the system and then it will upload the information collected to the malicious server," said Blasco. In particular, the script checks to see if Flash or Java browser plug-ins are installed on the system, and if so, which versions. Other routines, meanwhile, look for the presence of BitDefender security software, and if they find it, attempt to deactivate it. The script also searches for the presence of other information security software, including AVG, Avira, Dr.Web, ESET, F-Secure, Kaspersky Lab, McAfee, Microsoft Security Essentials and Sophos. The script also looks for the Google Chrome plug-ins for the Avast or Avira antivirus, and checks to see if Microsoft Office is installed.
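One check a site owner can run to catch the kind of injection described above, offered here as an added example (not AlienVault's or Invincea's code, and not the actual Department of Labor page): parse the HTML the site is serving and flag any script or iframe loaded from a host outside the site's own domain and an explicit allow-list, plus any iframe sized or styled so the visitor cannot see it. The sample page, the site domain example.gov, the CDN host and the attacker.example host are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedLoadFinder(HTMLParser):
    """Flags resource loads a legitimate page should not contain: scripts or
    iframes fetched from third-party hosts (outside the site's domain and an
    allow-list of known CDNs), and iframes hidden from the user."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []        # (tag, src, reason)

    def _is_first_party(self, host):
        return (host == self.site_host
                or host.endswith("." + self.site_host)
                or host in self.allowed)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if src:
            # urlparse handles absolute and protocol-relative (//host/...) URLs;
            # a relative path has no hostname and is first-party by definition.
            host = (urlparse(src).hostname or "").lower()
            if host and not self._is_first_party(host):
                self.findings.append((tag, src, "third-party host " + host))
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append((tag, src, "hidden iframe"))


def find_injected_loads(html, site_host, allowed_hosts=()):
    """Return every suspicious load in `html` for a site served from `site_host`."""
    finder = InjectedLoadFinder(site_host, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a normal page with one injected script tag and one
# zero-size iframe pointing at an attacker-controlled host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"></script>
<script src="http://attacker.example/ga.js"></script>
</head><body>
<p>Welcome to the department website.</p>
<iframe src="http://attacker.example/landing.php" width="0" height="0"></iframe>
<iframe src="https://video.example.gov/embed/1" width="640" height="360"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in find_injected_loads(SAMPLE_PAGE, "example.gov", ["cdn.example-cdn.net"]):
        print(finding)
```

Run against a copy of each page fetched through a clean client (the injected code may be served only to certain browsers or referrers, so fetch with the same User-Agent real visitors use), and diff the findings against a baseline taken from a known-good deployment; a new third-party host appearing in that list is exactly the signal that was visible on the compromised site before any visitor was exploited.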