Posts Tagged ‘David V Dafinoiu’

New virus linked to makers of Flame detected across Mideast

Kaspersky internet security firm says new virus, named Gauss, based on Flame platform; infected computers found in Israel, Lebanon, PA, among other states.

The Kaspersky internet security firm announced on Thursday that it has detected a new kind of computer virus that has been targeting computers in Lebanon, Israel, and the Palestinian Authority.

According to the firm, the new virus, called Gauss, was designed as a spy tool and was built on the platform of another computer virus, Flame, which was exposed earlier this year.

In the past, Kaspersky officials have determined that there was a clear link between Flame, Stuxnet – the computer worm reportedly used to target Iran’s nuclear facilities – and another virus by the name of Duqu.

What this means is that Gauss could be another in a chain of cyber assault tools developed by a single country, or by many countries.

According to the security firm, Gauss injects code into different internet browsers in order to track the users’ activities and steal passwords, “cookie” files, and browser history. In addition, it also collects information on the computer’s network connections and attached devices, which it sends to the virus’ control servers.

Kaspersky indicated that Gauss was developed in 2011-2012, and was actively distributed throughout the Middle East in the last ten months. Most of the infected computers were in Lebanon (1,660), with Israel a distant second, housing 483 computers with the virus.

In addition, 261 infected computers were also found in the Palestinian Authority, along with a handful of computers in Egypt, Qatar, Syria, Jordan, and Saudi Arabia, as well as 43 in the United States and five in Germany.

The virus reportedly affected Microsoft operating systems from Windows XP through Windows 7.

Last month, the Iranian Students’ News Agency quoted an unnamed cyber security official as saying that the United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran. Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear program by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.

In June, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear program broke down.

Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.

Source: Haaretz


Chinese Espionage Campaign ‘Luckycat’ Targets Android

Luckycat, a gang of Chinese cybercriminals targeting executives in the aerospace, energy, and engineering industries, has been evolving its attacks since initial reports emerged in June 2011.

First they targeted Windows (easy). Then, earlier this year, we saw Luckycat exploit a JavaScript flaw to spy on Mac OS systems with SabPub.

This summer, Trend Micro reports evidence that Luckycat is now targeting Android devices.

The company discovered two unfinished and undelivered Android apps during a recent investigation of a Luckycat command and control center (Trend also discovered ongoing deliveries of SabPub via a JavaScript exploit). Both apps were called “testService”; the only difference was that one of them had an invisible icon. Clearly, the attackers were working on making this as stealthy as possible.

The apps exhibited behaviors similar to a Remote Access Trojan (RAT), such as locating sensitive data and uploading it to a remote server. However, the “remote shell” command was incomplete, meaning the attackers could not take real-time control of the devices.

Tom Kellermann, director of cyber security at Trend Micro, illustrated the potential danger of being able to remotely control devices in real time.

“For example if I the attacker see in your [phone’s] calendar that you have a meeting in ten minutes, I could just pop the mic,” he said.

Lookout Mobile confirmed seeing the same malware samples, all clearly in debug (testing) mode since the output was all debug messages.

The key question now is, how do the attackers intend to deliver this malware to their targets? The attackers have several options, Trend Micro notes. One is an SMS or email containing a download URL disguised as something legitimate (spear phishing). SabPub, for instance, was delivered through poorly spelled emails appealing to Tibetan sympathizers.

Should You Worry?
You may not be a key target of Luckycat, but one day the same malware could be used to target your Android device. Some simple countermeasures we normal folk can take are, well, the same as always:

  1. Stick to the official Google Play and Amazon Android app stores.
  2. Don’t click on strange links within emails.
  3. Use a mobile security app—free versions of Lookout, Trend Micro, avast!, and McAfee provide strong lines of defense.


Cyber-attack concerns raised over Boeing 787 chip’s ‘back door’


Two Cambridge experts have discovered a “back door” in a computer chip used in military systems and aircraft such as the Boeing 787 that could allow the chip to be taken over via the internet.
The discovery will heighten concerns about the risks of cyber-attacks on sensitive installations, coming on the heels of the discovery this week of the ‘Flamer’ virus which has been attacking computer systems in Iran, Syria and Saudi Arabia.
In a paper that has been published in draft form online and seen by the Guardian, researchers Sergei Skorobogatov of Cambridge University and Chris Woods of Quo Vadis Labs say that they have discovered a method that a hacker can use to connect to the internals of a chip made by Actel, a US manufacturer.
“An attacker can disable all the security on the chip, reprogram cryptographic and access keys … or permanently damage the device,” they noted.
Woods told the Guardian that they have offered all the necessary information about how the hack can be done to government agencies – but that their response is classified.
“The real issue is the level of security that can be compromised through any back door, and how easy they are to find and exploit,” Woods said.
The back door may have been inserted by Actel itself, whose ProASIC3 chip is used in medical, automotive, communications and consumer products, as well as military use.
More here:

Chinese Spy Device in Hong Kong Cars: Apple Daily

Source: Daily Mail

Chinese authorities may be listening in on travelers’ conversations in Hong Kong, with a device that’s been installed on thousands of vehicles, according to Hong Kong’s Apple Daily newspaper.

Authorities in Shenzhen have been installing “inspection and quarantine cards” on dual-plate Chinese and Hong Kong vehicles since 2007. They’re apparently for tracking cars crossing the border. But Apple Daily says these devices are capable of much more. In fact, experts who examined the devices—taken apart by Apple Daily—say they can be used for eavesdropping, and can send signals up to 12 miles away.

Apple Daily says smugglers were the first to suspect these devices. They thought it was strange that border agents were able to precisely track down vehicles used for smuggling goods.

Shenzhen authorities denied the allegations, when Apple Daily approached them. But the claims have made travelers uneasy, especially those who discuss private business matters during their travels between Hong Kong and Mainland China.

LinkedIn’s Leaky Mobile App Has Access to Your Meeting Notes

LinkedIn mobile app subscribers may be surprised to learn that the calendar entries on their iPhones or iPads — which may include details about meeting locations, participants, dial-in information, passwords and sensitive meeting notes — are transmitted back to LinkedIn’s servers without their knowledge.

Researchers Yair Amit and Adi Sharabani discovered that LinkedIn’s mobile app for iOS, Apple’s mobile operating system, included an opt-in feature that allows users to view their iOS calendar entries within the app. Once users opt in to that feature, however, LinkedIn automatically transmits their calendar entries to its servers. LinkedIn grabs details for every calendar on the iOS device, which may include both personal and corporate calendar entries.

That practice, which is not communicated to users, may violate Apple’s privacy guidelines, which expressly prohibit any app from transmitting users’ data without their permission. A similar practice came to light earlier this year when a developer noticed that Path, the popular mobile social network, was uploading entire address books to its servers without users’ knowledge. That practice came under scrutiny by members of Congress. In response, Path said it would stop the practice and destroy the data it had collected.

More here:

Broken water pump in Illinois caused by cyber-attack from Russia (NEW YORK DAILY NEWS)

A broken water pump in a rural town near Springfield, Illinois could be the result of the first cyber attack on a public utility in the U.S., top security expert Joe Weiss reported on his blog.

Weiss posted a Nov. 8 report from the Illinois Statewide Terrorism and Intelligence Center entitled “Public Water District Cyber Intrusion,” which suggests the “burn out of a water pump” could have been a deliberate, full-scale security breach into the utility’s computer system from a computer in Russia.

The broken pump was quickly fixed and did not result in any water supply issues, but the incident has led to a deeper investigation, CNN reports.

The report says water district workers noted “glitches” in the system for nearly two months, and on Nov. 8 an employee noticed problems with the control systems.

“An information technology services and computer repair company checked the system logs and determined the computer had been hacked into from a computer located in Russia,” Weiss said on his blog.

Although cyber-attacks on a utility’s control systems had previously been unknown in the U.S., last week’s alleged attack sounded an alarm for those concerned about the vulnerability of America’s civil infrastructure to terrorism.

Experts said the reported water-pump attack highlights the risk that hackers can infiltrate the Supervisory Control and Data Acquisition (SCADA) systems that control critical utilities from railroads and dams to chemical plants and nuclear reactors.

“Many (SCADA systems) are old and vulnerable,” said cyber policy expert Lani Kass. “There are no financial incentives for the utility owners to replace and secure these systems and the costs would be high.”

Disputing Weiss’ claims that the water-pump incident was a deliberate attack, government officials have not tied the incident to terrorism, and the Department of Homeland Security is downplaying any dangers.

“At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” DHS spokesman Peter Boogaard said in a statement.

“This is just one of many events that occur almost on a weekly basis,” said Sean McGurk, former director of the National Cybersecurity and Communications Integration Center. “While it may be nice to speculate that it was caused by a nation-state or actor, it may be the unintended consequence of maintenance,” he told CNN.

Meanwhile, the incident coincides with expansion of a project in the Pentagon that contracts cyber-experts to “hack” into computer systems to pinpoint security weaknesses in U.S. defense programs.

Official Syrian sites hacked

Several government websites hacked by Anonymous, as crackdown on protests in Homs and elsewhere continues.

The official websites of seven major Syrian cities and several government departments have been hacked, as the country’s government continues an extensive crackdown on anti-government protesters in the province of Homs and elsewhere.

A London-based rights group reported the deaths of four people in the crackdown on Sunday. The websites for the cities of Homs, Aleppo, Latakia, Damascus, Tartous, Deir Ezzor and Palmyra were hacked by members of the Anonymous Operation Syria group on Sunday, with the home pages replaced by an interactive map of Syria showing data on those killed in the government’s crackdown.

The map showed the names, ages and dates of death of those killed since the uprising began in March, putting the death toll at 2,316.

The websites have since been reset by their administrators, with each now only displaying a generic page.

Several other websites, including those of the ministry of transportation and the department of antiquities and museums, were also hacked. The hacked versions of the webpages included a link to a site advising activists within Syria on how to maintain anonymity on the internet in order to evade government tracking.

Homs crackdown

Meanwhile, the Syrian government’s crackdown on the province of Homs continued on Sunday, with a major deployment of troops there. Security forces were also deployed to the Douma suburb of Damascus, activists said. Syrian tanks hit a strategic highway in the al-Rastan area in the early hours of Monday morning, apparently attempting to dislodge army defectors who had taken refuge there, activists and residents said.

Activists reported hearing heavy explosions.

The army defectors have been supporting the pro-democracy protesters in al-Rastan, which is located about 20km north of the city of Homs, along the main highway leading to Turkey.

Activists also said that military reinforcements had been sent to Quseir, a town on the border with Lebanon.

The Syrian army had been strengthening its presence in Quseir on Saturday after civilians had attempted to flee violence in the country.

The initial deployments came a day after activists reported that security forces had killed 12 civilians in the town, and one more in Hama.

The Syrian Observatory for Human Rights, a London-based organisation, said that 12 people had been killed in Quseir during raids by government security forces earlier.

The observatory said that security forces had opened fire on protesters in neighbourhoods of Homs, but did not provide any further details or information on possible casualties.

On Sunday, the observatory reported the deaths of four more people, including that of Hassan Eid, the head of the surgery department at the state-run hospital in Homs. Syrian state television said that Eid had been killed by “armed terrorist gangs”.

Three inhabitants of the area were injured when troops loyal to Bashar al-Assad, the Syrian president, used heavy machine guns mounted on tanks to fire upon the town, after having surrounded it earlier in the night.

The observatory also reported that 10 students had been arrested by security forces in Dael, a city in Deraa province, on Sunday.

The office of the United Nations High Commissioner for Human Rights in Geneva has put the number of people killed in the crackdown at more than 2,700 since March 15.

The Syrian authorities say 700 police and army personnel have been killed by “terrorists” and “mutineers”.

Damascus deployment

Also on Sunday, additional security forces were deployed to the Damascus suburb of Douma, which has seen several protests against Assad’s rule, activists said.

Syria has been gripped by almost daily anti-government protests since March 15. While the demonstrations initially called for democratic reform, the protesters’ stance has hardened in the face of a crackdown.

Damascus says that the protesters are not indicative of popular sentiment, and has blamed “armed gangs” and “terrorists” for the violence.

Political pressure on Syria to stop its crackdown on protest was given new life on Saturday as new European Union sanctions went into effect, and Turkey said that it had intercepted a sea-bound arms shipment bound for Syria.