The write-up on the Panda Research Blog, including technical analysis of the infector can be found here:

Vodafone distributes Mariposa botnet

How they managed to do it twice within the same month is beyond my comprehension, didn’t they learn anything the first time round – or do they just not care?

Vodafone Spain has again supplied a HTC Magic smartphone that came pre-infected with the Mariposa botnet client and other malware crud.

The second incident, involving an Android-based phone supplied to a researcher at S21Sec, comes a week after the mobile phone giant supplied the same type of infection on the identical model of phone to a worker at Spanish anti-virus firm Panda Security.

The S21Sec pre-pwned smartphone kerfuffle undermines Vodafone’s assurances at the time of the Panda flap that the incident was “isolated and local”. Both smartphones were ordered at around the same time towards the beginning of March.

It seems very likely the phone is from the same watch which rules out this being an isolated and local incident with the phone being infected outside of the delivery mechanism.

This second detection of an infection indicates that the phones are infected before delivery somehow, the infection is on the MicroSD card provided with the phone so the supplier of that item may be the culprit.

Yah there has been no infections outside of Spain..but then Vodafone UK did discontinue distribution of the HTC Magic in favour of supplying HTC Tattoo as its sole Android device.

The S21Sec worker detected the malware after he plugged it into his PC using a copy of AVG’s scanner. Aware of Panda’s previous work, he forwarded an infected microSD drive to PandaLabs Pedro Bustamante, who carried out an analysis published here.

“According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1st, 2010 at 19:07, a little over a week before the phone was delivered to him directly from Vodafone,” Bustamante writes.

“The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers.”

The circumstances of the infection point to problems in Vodafone’s QA or with a specific batch of phones rather than a stray infection of a refurbished phone.

I wonder how many more of these infected phones are out there and how many people have been unwittingly turned into mariposa botnet zombies?

Not everyone works at an AV firm or a security research company and treats their devices so carefully.

It’ll be interesting to see if any more infections pop-up in the near future.

Source: The Register

Some rather smart fellas have found a way to extract the private SSL key from a device by creating fluctuations in the power supply and reading the output whilst the device was encrypting data using the private key.

In around 100 hours they could deduce the complete 1024-bit private key stored on the device.

Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

“Wherever you need to verify the origin of a piece of software or a piece of information, those building blocks come in handy,” said Karsten Nohl, an independent security researcher who in unrelated attacks has broken encryption in widely used smartcards and cordless phones. “The OpenSSL library provides much more than just SSL.”

Now although this flaw can be deemed extremely serious and the number of applications and operating systems that use OpenSSL is huge…the fact that they need physical access to the device the manipulate the power supply means the scope of the attack is limited.

It’s not something you could pull off on a remote server in a data center for example.

It would be interesting however for cracking private keys on consumer hardware devices to access the private network that the device hooks onto for updates/subscription packages etc.

The scientists, from the University of Michigan’s electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic “salt” to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible. An OpenSSL official, who asked that his name not be published, said engineers are in the process of pushing out a patch and stressed the attack is difficult to carry out in real-world settings.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they were able to feed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“This is probably not as much of a threat to a server system as it is to a consumer device,” said Todd Austin, one of the scientists who devised the attack. “The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

But as per usual for cryptographic attacks, they are usually researched and developed by scientists and work in the theoretical realm far better than they do in reality for practical exploitation.

Either way it’s an interesting attack and an interesting use of technology, of course OpenSSL will be patching the problem shortly (adding a simple salt will negate the attack).

What will they come up with next?

Source: The Register

It has actually turned into a class action lawsuit and there is a lot of debate surrounding the story, the school claims they were using the software and ’spycam’ functionality simply to recover lost laptops rather than actually spying on their students remotely.

The lawsuit deals with the issue of unauthorised access to the webcams and the actions could also possibly violate wiretapping laws. The lawsuit itself can be found here [PDF].

A suburban Philadelphia school district accused of secretly switching on laptop computer webcams inside students’ homes says it never used webcam images to monitor or discipline students and believes one of its administrators has been “unfairly portrayed and unjustly attacked.”

The Lower Merion School District, in response to a suit filed by a student, has acknowledged that webcams were remotely activated 42 times in the past 14 months, but only to find missing, lost or stolen laptops — which the district noted would include “a loaner computer that, against regulations, might be taken off campus.”

“Despite some reports to the contrary, be assured that the security-tracking software has been completely disabled,” Superintendent Christopher W. McGinley said in a statement on the district’s Web site late Friday. Officials vowed a comprehensive review that McGinley said should result in stronger privacy policies.

Harriton High School student Blake Robbins and his parents, Michael and Holly Robbins, filed a federal civil rights lawsuit Tuesday against the district, its board of directors and McGinley. They accused the school of turning on the webcam in his computer while it was inside their Penn Valley home, which they allege violated wiretap laws and his right to privacy.

It’s turning into a massive case and is generating press all over the globe, someone powerful technology was used by a perhaps over-zealous network admin named Mike Perbix.

You can also check out this very well-written and researched post on the technologies and methods used here: The Spy at Harriton High

There are people on all sides of the fence in this case, I personally think it was an interesting and effective use of technology but definitely should not have been implemented without disclosure. If you want to officially spy on people for theft prevention or asset tracking you should forewarn them.

The suit, which seeks class-action status, alleges that Harriton vice principal Lindy Matsko on Nov. 11 cited a laptop photo in telling Blake that the school thought he was engaging in improper behavior. He and his family have told reporters that an official mistook a piece of candy for a pill and thought he was selling drugs.

Neither the family nor their attorney, Mark Haltzman, returned calls this week seeking comment. A listed number for Matsko could not be found.

“We believe that the administrator at Harriton has been unfairly portrayed and unjustly attacked in connection with her attempts to be supportive of a student and his family,” the statement on the Lower Merion School District site said. “The district never did and never would use such tactics as a basis for disciplinary action.”

A district spokesman declined further comment on the statement Saturday.

Lower Merion, an affluent district in Philadelphia’s suburbs, issues Apple laptops to all 2,300 students at its two high schools. Only two employees in the technology department, not administrators, were authorized to activate the cameras, which captured still images but not sound, officials said.

“While certain rules for laptop use were spelled out … there was no explicit notification that the laptop contained the security software,” McGinley said. “This notice should have been given, and we regret that was not done.”

There is a plethora of information about this online including testimonies from current students, previous students and parents of both.

Many students suspected they were being spied on and taped up the cameras, wisely so it seems. But for the average computer using teenager if the school network admin tells them the green light next to the camera blinking now and then is a glitch they are going to believe it.

That right there is lying and makes the whole thing horribly suspicious, surely you only have the right to spy on kids if you have their parents consent..and even then it’s still a bit shady.

Either way this is a morally, legally and technically interesting case and I’m sure it’ll be heating up even more before it blows over.

Source: Yahoo! News

There have been rumours and some speculation about the PS3 finally being exploited with news breaking earlier this week about notorious iPhone hacker geohot (George Hotz) finally breaking the protection on the PS3.

I personally don’t own a PS3 so it’s not really news to me, but for some people it seems to have been a reason for them not to buy a PS3 yet.

On Monday, when we reported that the prolific hacker geohot had successfully penetrated the previously impervious PlayStation 3 gaming console, readers were understandably skeptical.

After all, the 20-year-old readily admitted his hack wasn’t reliable, and he provided no evidence he was able to do some of the things modders love to do most, such as run arbitrary code or peel open the device’s synergistic processing elements to take a peak at its most prized internal elements.

On Tuesday afternoon, geohot finally released his exploit so the world could see for itself exactly what the hack does and doesn’t accomplish

If you’re interested in the extremely technical explanation of how geohot achieved this you can check it out here, I’d imagine to understand it properly though you’d need to be fairly familiar with the inner workings of the PS3 and how it manages memory allocation.

The hack isn’t really reliable but it does work to some degree and some of the time and this is enough for others to get started on breaking the PS3 further.

There’s another good write-up here explaining the ins and outs of the system and what repercussions this has:

PS3: Hacked

According to the instructions, it involves compiling and running the kernel module and then pulsing a memory bus on the PS3’s motherboard.

“Try this multiple times,” his instructions state. “I rigged an FPGA button to send the pulse. Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!! If the module exits, you are now exploited.”

While the idea is sound, this hack is clearly not for the faint of heart.

From there, PS3 users get full memory access, including ring 0 access from OtherOS, geohot, whose real name is George Hotz, said here. He’s now turning follow-on work to the PS3 community, directing members to report their findings to the psDevWiki.

His instructions conclude: “The PS3 is hacked, its your job to figure out something useful to do with it.”

It’ll be interesting to watch how this develops over the next 2-3 months and see if anyone is able to successfully modify the OS or even install a new one.

If you are so inclined you can keep up with what is happening on the psDevWiki.

I’d imagine we should be seeing some homebrew code based on this exploit by the middle of year and of course Sony scrambling to come out with a new firmware that blocks this.

Source: The Register

Which in all honestly, doesn’t seem to be very smart at all. In basic terms they are trying to turn the power-grid into a two way communication medium so consumers homes can report back to the grid what they are using and they can be disconnected via software rather than requiring physical intervention.

The scary part is there’s no encryption and many things are done without authentication, meaning with a little reverse engineering you can probably shut down the power to anyone on the not-so-smart grid.

New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.

The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them. Prodded by billions of dollars from President Obama’s economic stimulus package, utilities in Seattle, Houston, Miami, and elsewhere are racing to install them as part of a plan to make the power grid more efficient. Their counterparts throughout Europe are also spending heavily on the new technology.

There’s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that’s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.

An embedded hardware system that will accept new firmware without authentication and nothing is encrypted? That is a hackers playground!

I hope they consider re-architecting the whole system ASAP on a secure platform and rolling that out as a software update. This is no small matter, this is the power grid we are talking about here – lives and business can be seriously effected by someone malicious who wanted to screw up the system.

Imagine if you work out the system and get in there first installing your own firmware which won’t accept any more updates from the main Grid system.

“For an embedded platform, they’re kind of scary,” he said. “It’s really not designed from the ground up for security. Just imagine if somebody is outside your house and has the unique identifier that’s printed on your meter.”

Companies that make gear for smart grids include GE Energy, The ABB Group, Sensus Metering, Itron and Landis+Gyr

One deficiency common among many of the meters is the use of insecure programming functions, such as memcpy() and strcpy(), which are two of the most common sources of exploitable software bugs. In many cases, the devices use general purpose hardware and software that aren’t designed for highly targeted or mission critical systems.

And all paid for by the new president and his generous stimulus packages. It seems like the whole thing has been taped together with band-aids.

There’s no excuse at all for using insecure programming functions in this day and age, I mean it’s 2009 for goodness sake.

How long has C programming been around now? And the concept of security and secure programming, especially for critical infrastructure systems like this.

Source: The Register (Thanks Alan)

Script kiddies going to war, or is it turning soldiers into script kiddies. Who knows.

Anyway, the US military has decided to make their soldiers walking hackers, with an all-in-one super hacking device that can penetrate satellite signals, VoIP networks and normal information systems.

As the US military strives to boost its ability to wage cyber warfare, it’s looking for ways to make it easier for non-expert soldiers on the front lines to wreak havoc on enemy networks.

Enter a new generation of attack devices that is packaged to be brought into the battlefield and used by non-specialists to penetrate satellites, voice over internet networks, and supervisory control and data acquisition systems. Aviation Week recently got a peek at one device and provided a rich description of its features.

The device is designed to allow US forces to test enemy networks for a wide range of vulnerabilities and then synthesize the results so they can be acted on quickly. It offers touch-screen dashboards and sliders to make enumeration and penetration more intuitive. One display shows a schematic of an enemy network and identifies its nodes. A sliding lever can be moved to increase an attack or dial it down to reduce collateral damage.

Seems like point and click hacking has been taken to a new level and can now be done with a mobile device on the move.

It takes virtually no skill at all with sliders and dials.

I’d love to get my hands on one of these devices just to check it out and see how it actually works, run some packet sniffer on the wire and see if it’s actually just a black box with Metasploit inside and a fancy interface.

The device is designed to take a slew of algorithms for monitoring and penetrating networks and put them into an easy-to-use package. Think of it as a hack-by-numbers gadget for combat forces.

“Right now, all that information is in the head of a few guys that do computer network operations and there is no training system,” one researcher told Aviation Week.

There’s much more here.

Sounds pretty interesting either way, I hope some more news pops up about this in the future and we can get a better look at the device.

I’d love to see some pictures and a video demonstration, I’d imagine though as always they will be rather secretive about it.

Anyway if anyone finds out more info on this, let us know!

Source: The Register (Thanks Simon)

If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

The latest revelation is that used BlackBerries are being traded, not by the value of the phone but by the value of the data contained on the phone!

It just shows most companies still don’t have responsible disposal policies when it comes to releasing old equipment and making sure it’s wiped of data or destroyed.

A TV investigation has revealed that secondhand BlackBerries on Nigerian markets are priced according to the data held on them, not the age or the model of a phone.

Jon Godfrey, director of Sims LifeCycle Services, who is advising on a TV investigation into the trade due to screen later this year, said that BlackBerries sell for between $25 to $65 on Lagos markets. Details of the trade come from an agent in Nigeria unaffiliated to Sims’ technology recycling business.

Godfrey explained that the smart phones offered for sale come from the US, continental Europe and the UK. “It’s unclear as yet whether the phones are either sold, thrown away, lost or stolen,” Godfrey explained.

Other type of smartphone are also of potential interest to data thieves, but it is the trade in BlackBerries that seems to be the most active. Data retrieved from smartphones is itraded by crooks in Nigeria.

I’d imagine the phones are older models sold off by lot from companies upgrading to the newer versions of the BlackBerry.

The BlackBerry is a wise choice for data thieves as it’s more likely to be used for business purposes and contain important e-mail information.

Other smart phones would be used more for media and leisure purposes.

BlackBerries include technology to remotely wipe devices and come with built-in encryption. But this encryption is often left switched off because it is considered an inconvenience.

“Business critical data is left on unprotected devices,” Godfrey explained. “Anyone who gets these devices will obtain a snapshot of someone’s life.”

“People need to take residual data issues more seriously and have a policy on how to use and dispose of devices,” he added.

According to a survey by endpoint security firm Credant Technologies, four in five mobile phone users store information on their phones that might easily be used to steal their identities. A survey of 600 commuters at London railway stations revealed that 16 per cent kept their bank account details saved on their mobiles, while 24 per cent also saved their PIN numbers and passwords in the same insecure manner. One in 10 (11 per cent) keep social security and inland revenue details on their phone. Two in five fail to take even basic security precautions, such as password protecting their devices.

It’s scary the amount of people that keep really important stuff in their phones like their bank PIN numbers, banking passwords, passport numbers, social security info and much more.

And only 3 out of 5 take some basic security precautions like passwording their device, that means the number who actually encrypt their data and secure it properly would be less than 5%.

Source: The Register

You’d think most of these systems would be offline, or at least behind a solid DMZ. But as we’ve seen before they often get exposed by people plugging into the LAN then accessing the net through dial-up or nowadays through mobile data (HSDPA/3G etc.).

The sad thing is deaths have actually resulted from such intrusions.

The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn’t detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he did say he’s been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.

“The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths,” he told the Senate Commerce, Science and Transportation Committee. “We’ve already had a cyber incident in the United States that has killed people.”

More than 125 breaches? That’s quite a significant number. The scary part is the Nuclear plants, imagine if a cyberterrorist or hacker can cause a Nuclear meltdown or malfunction in a Nuclear facility?

I’d like to see the US government look into this area a little more and perhaps implement some new standards for Control System security.

It’s an area that really needs tighter security and legislation.

At other times, Weiss has talked about a June 1999 gasoline pipeline rupture near Bellingham, Washington. That rupture spilled more than 200,000 gallons of gasoline into two creeks, which ignited and killed three people. Investigators found several problems that contributed to the rupture, but Weiss has identified a computer failure in the pipeline’s central control room as part of the problem.

It could take the U.S. a long time to dig out from coordinated attacks on infrastructure using control systems, Weiss told senators. Damaged equipment could take several weeks to replace, he said. A coordinated attack “could be devastating to the U.S. economy and security,” he said. “We’re talking months to recover. We’re not talking days.”

The industrial control system industry is years behind the IT industry in protecting cybersecurity, and some of the techniques used in IT security would damage control systems, Weiss added. “If you penetration-test a legacy industrial control system, you will shut it down or kill it,” he said. “You will be your own hacker.”

The problem with these kind of attacks is they might involve multiple vectors in one attack which means it takes a long long time to investigate and work out what actually happened.

It’s backwards too because Industrial Control Systems are so important in our lives but their security is so so far behind.

Definitely an area to watch, I hope some positive improvements are made.

Source: CIO (Thanks Navin)

Tested on:

• Core Duo (1st gen) Macbook Pro 15″
• Core 2 Duo Macbook Pro 15″

Technical details on how it works here.

You can download EFIPW v0.1a here:

efipw_v0.1a.zip

Or read more here.