Hackers can use Blu-Ray discs to breach networks.

An innocent-looking Blu-ray disc can be used by malicious actors to get a foothold in a targeted network, a researcher has warned.

According to Stephen Tomkinson of the NCC Group, both hardware and software Blu-ray players are plagued by vulnerabilities that can be leveraged to execute arbitrary files stored on the disc.

The advanced features provided by Blu-ray discs, such as dynamic menus and Web access, are built using BD-J (Blu-ray Disc Java). The specification is used to create interfaces and embedded applications called Xlets. Xlets are similar to Java applets, but they are specially designed for digital TV environments.

Xlets run in a Java VM and they use the SecurityManager class to implement security policies. Tomkinson noted that, in general, these security policies prevent discs from accessing elements outside of the virtual file system and prevent interaction with the underlying operating system.

In his tests, Tomkinson targeted PowerDVD, a popular Blu-ray player application developed by CyberLink. The researcher has found a way to disable the SecurityManager developed by CyberLink and gain access to methods that can be used to launch arbitrary executable files stored on the disc.

On systems where PowerDVD is installed, Blu-ray discs are automatically played with the application, which enables attackers to bypass autorun attack mitigations in Windows, the expert said.

As for physical Blu-ray players, the researcher used an exploit previously developed by Malcolm Stagg to get a shell on the device. From there, Tomkinson managed to come up with a way to execute arbitrary files located on the disc.

Both software and physical players can be targeted with a single disc, the researcher said. An attacker can create a disc that detects the player type and executes a malicious file specific to that platform. In order to avoid raising suspicion, a legitimate video file can be played right after the malicious files are launched.

“[The malicious] executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example,” Tomkinson explained in a blog post.

The researcher has pointed out that in the case of physical Blu-ray players, an attacker needs to ensure that the device doesn’t go to sleep after the victim has stopped viewing the video. This can be achieved by intercepting the power off request and by switching off the power LED in order to avoid raising suspicion.

In an attack targeted at a corporate network, if the player is configured for Wi-Fi access, malicious actors can easily obtain Wi-Fi settings because the information is stored on the device unencrypted.

The NCC Group says it’s working with affected vendors to get the vulnerabilities fixed, but “with varying degrees of success.” Until the vulnerabilities are addressed, Tomkinson advises users not to utilize discs from untrusted sources, and disable the autoplay feature. In the case of hardware players, they should not be connected to the network or the Internet unless necessary.

Using removable media to distribute malware is not unheard of. The Equation Group, an entity that is believed to have ties to the NSA, reportedly replaced CD-ROMs sent out by the organizers of a scientific conference with ones containing malware.

(Article Taken from SC Magazine)

Hackers Steal $1bn from Banks.

British banks are thought to have lost tens of millions of pounds after a gang of Russian based hackers spent the last two years orchestrating the largest cybercrime ever uncovered.

As much as £650 million is thought to have gone missing after the gang used computer viruses to infect networks in more than 100 financial institutions worldwide.

The hackers managed to infiltrate the bank’s internal computer systems using malware, which lurked in the networks for months, gathering information and feeding it back to the gang.

The illegal software was so sophisticated that it allowed the criminals to view video feeds from within supposedly secure offices as they gathered the data they needed to steal.

Once they were ready to strike, they were able to impersonate bank staff online in order to transfer millions of pounds into dummy accounts.

While the criminals behind the audacious electronic raid are thought to be based in Russia, the scale of their crime was truly global with banks in Japan, China, the United States and throughout Europe having been hit.

The scale of the losses by UK based financial institutions has not yet been disclosed, but is thought to run into tens of millions of pounds.

The scam was uncovered by the Russian cybersecurity firm, Kaspersky Lab, which was called in to investigate after a cash machine in Ukraine was found to have been spitting out money at random times.

As investigators began to look into the problem they were staggered by the scale of the crime they uncovered.

A spokesman for Kaspersky Lab said: “The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.”

Despite the fact the plot has been uncovered, it is feared that banks may still find themselves falling victim as once installed the malware can operate almost independently and is extremely difficult to identify.

The cybercriminals would gain entry to an employee’s system through a process called spear phishing, where they would send an email which appeared to come from a trusted source.

Once the email was opened, the malware would infect their system allowing the hacker to jump into the bank’s network.

They would then gain access to an administrator’s computer providing video surveillance of everything on in the office.

They were able to monitor the screens of staff that serviced the cash transfer systems and after watching how they operated were able to mimic the process needed to move money around.

It is thought the largest sums stolen were taken in bold electronic raids, where hackers would break into computer system and transfer tens of millions of pounds in one go.

On average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money.

Another method used was where the criminals would gain access to someone’s account and inflate the balance many times over.

They would then withdraw the amount they had increased it by and the person would never suspect because their original balance remained the same.

Sergey Golovanov of Kaspersky Lab said: “These bank heists were surprising because it made no difference to the criminals what software the banks were using.

“So even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services. Once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”

(Article taken from www.telegraph.co.uk)

Bots account for more than half of all 2014 web traffic, report shows

The majority of traffic on the internet this year was from bots, according to Incapsula's Bot Traffic Report 2014.

This year saw 56 percent of all website traffic coming from bots, with 29 percent of those bots being considered ‘bad,' and 27 percent being ‘good,' the research shows. Last year, bot visits accounted for 61.5 percent of all website traffic, according to Incapsula's Bot Traffic Report 2013.

“The bulk of the decrease in bot traffic is contributed to a decline in the good bot activity, mostly in the activity of the bots employed by RSS services,” Igal Zeifman, product evangelist and security researcher with Incapsula, told SCMagazine.com in a Wednesday email correspondence.

Good bots perform functions that may be useful to users and website operators, such as measuring site speed and indexing content, Zeifman said. One example, he explained, is Googlebot, which crawls websites to be indexed in Google Search. 

Conversely, bad bots are malware tools used by hackers and spammers, Zeifman said, adding bad bots are becoming increasingly sophisticated by mimicking human user behavior better and, therefore, becoming much harder to spot.

In the report, bad bots are broken down into four types: Hacking Tools, Scrapers, Spammers, and Impersonators. Of note, Impersonator bots have shown consistent growth over the past few years, increasing to 22 percent of bad bots in 2014 from 20.5 percent in 2013.

“Impersonator bots are browser-like bots that can really belong to any of the above categories,” Zeifman said. “The only difference is that these are more advanced malicious tools that were modified to create a browser-like HTTP fingerprint, to circumvent security measures.”

He continued, “For example, this could be a hacker bot with extra features that allow it to bypass security challenges that would stop a lesser/generic version. These are also DDoS bots used in Application Layer DDoS attacks.”

The smaller the website, the greater percentage of bot traffic, the report shows.

Bots account for 80.5 percent of traffic on small websites bringing in 10 to 1,000 visits per day, 63.2 percent of traffic on medium sites bringing in 1,000 to 10,000 visits per day, 56.2 percent of traffic on larger sites bringing in 10,000 to 100,000 visits per day, and 52.3 percent of Alexa MVP sites bringing in between 100,000 and more than a million visits per day.

“Most bots don't care if your site is popular or not and will crawl, scan and hack it regardless of its popularity,” Zeifman said. “As a result, in relative terms, the percentage of bot visits is much higher on smaller and less popular sites [that] get much less human visits but are still frequented by hype-immune bots.”

(Article taken from SCMagazine.com)

DDoS Attacks On Sony and Microsoft are just the beginning...

Sony's online PlayStation store was inaccessible to users for a short time on the 8th of December in the latest possible cyberattack on the electronics and entertainment company.

Sony Computer Entertainment in Tokyo said the problem lasted two hours before it was fixed globally. It said the cause is under investigation, but there is no sign of any material being stolen.

The previous week, the computer systems of Sony Pictures Entertainment were disrupted by a cyberattack and confidential information including unreleased movies was leaked on the Internet.

North Korea was among the suspects, but it has denied responsibility.

The FBI is investigating threatening emails sent to some employees of Sony Pictures Entertainment, and is trying to identify the person or group responsible.

There was no indication of a link between the PlayStation and Sony Pictures incidents.

A hacker group calling itself Lizard Squad appeared to take responsibility for the attack on its Twitter account, tweeting "PSN Login #offline."

Earlier this year, Lizard Squad warned that explosives might be on a flight that included a Sony executive among its passengers, and claimed responsibility for a disruption to the PlayStation network. American Airlines diverted the domestic US flight to a nearby airport.

In that incident, hackers orchestrated a so-called denial-of-service attack against Sony, which involved overwhelming the company's game network with fake visits so that legitimate users couldn't get through.

In 2011, hackers compromised the company's network including the personal data of 77 million user accounts. Since then, the company has repeatedly said its computer security has been upgraded.

A Denial-Of-Service attack (DDoS) attack is  Form of electronic attack involving multiple computers, which send repeated HTTP requests or pings to a server to load it down and render it inaccessible for a period of time.

Protection from these attacks is difficult because, as one expert put it: "DDoS is...simple, cheap, unsophisticated, and effective." 

Because of this simplicity, attacks could come from anywhere at anytime. If attacked, "folks that don't take active measures to ensure the resilience of their networks are going to get knocked over," said another expert. "They need to do everything they can to increase resiliency and availability." Accordingly, he recommends implementing "all of the industry best and current practices for their network infrastructure, as well as applications, critical supporting services, including DNS."

Sophisticated malware bug Regin detected

A sophisticated piece of malware believed to have been created by a government to obtain confidential information has been detected.

The bug, known as Regin, is believed to have been created in 2008 to spy on individuals, businesses and rival government organisations, according to computer security company Symantec.

Once the bug has breached a computer, it can gain control of the mouse pointer, recover deleted files and make copies of passwords.

Almost half of the attacks targeted individuals and small businesses, alongside telecoms companies in what appears to be an attempt to gain access to calls routed through their infrastructure.

Regin victims may have been tricked into using fake versions of well-known websites, resulting in the installation of the bug. The low-key nature of the bug means it could be used in espionage campaigns lasting several years, Symantec said in a blog post.

The news comes in the wake of the Information Commissioner calling for a website live-streaming scenes from 584 UK homes and businesses via internet-connected security cameras and webcams to be taken down.

A hacker gained control of the cameras through their remote log-in function, an easy function to abuse should the owner choose to keep using the default password the device was shipped with.

The anonymous creator of the Russian site told the Telegraph the hack was enabled by "laziness and IT ignorance" on the part of the public.

Stephen Bonner, a partner in KPMG’s Cyber Security practice, said Regin appeared to carry the fingerprints of a sophisticated cyber espionage operation, "possibly by a nation state".

"Firms need to think carefully about the how they protect their most sensitive information – their crown jewels– as well as being vigilant in detecting and being ready to respond to sophisticated attacks,” he said.

The bug has mainly infected computers in the Russian Federation, Saudi Arabia, Mexico and Ireland, according to research.

Symantec compared Regin with Stuxnet, a "large and complex" computer worm believed to have been developed to sabotage the Iranian nuclear research program by the US and Israel, making it the world's first digital weapon.

How to choose a secure password

• Do not keep the default password

• Choose a password with a combination of upper and lower case letters, numbers and keyboard symbols

• Choose a password containing at least eight characters - longer passwords are harder for criminals to guess or break

• Avoid using obvious passwords such as names or birthdays of people close to you or numerical passcodes or PINs that use ascending or descending number

• Don’t recycle passwords (for example password2, password3)

• Never disclose your passwords to anyone else, if you think that someone else knows your password, change it immediately

• Don't enter your password when others can see what you are typing

• Change your passwords regularly

• If you must write passwords down in order to remember them, make sure they are meaningless and unusable to other people by writing them in code.

(Article taken from telegraph.co.uk)

E-Cigarettes From China Spreading Malware Through USB Charger

Smoking will not only damage your health but also your computer as e-cigarettes manufactured in China are reportedly being used to spread malicious software through the USB connection used to charge the device.

A recent post to social news site Reddit detailed how the computer of an executive at a "large corporation" had been infected with malware from an undetermined source. Further investigation apparently revealed that it had stemmed from a $5 (£3.20) e-cigarette bought from the online auction site eBay.

"The executive's system was patched up to date, had antivirus and anti-malware protection, " Reddit user Jrockilla said. "Web logs were scoured and all attempts made to identify the source of the infection but to no avail. "Finally after all traditional means of infection were covered, IT started looking into other possibilities. They finally asked the executive: 'Have there been any changes in your life recently?' The executive answered: 'Well yes, I quit smoking two weeks ago and switched to e-cigarettes.' And that was the answer they were looking for."

The e-cigarette was found to have malware hard coded into the charger, which "phoned home" and infected the system when plugged into the computer's USB port. Pierluigi Paganini, chief information security officer at ID management firm Bit4Id, said that electronic cigarettes were just the latest vector to serve the spread of malicious software.

"Hackers are able to exploit any electronic device to serve a malware to compromise a poorly protected network," Paganini said in a blogpost."Despite the (fact the) idea could appear hilarious, many electronic cigarettes can be charged over USB using a special cable or by inserting one end of the cigarette directly into a USB port."

Paganini cites other examples of "apparently harmless" USB devices being used as a hacking tool in the past, including a charger for Apple iOS devices like iPhones and iPads.

(Article taken from ibtimes.com)

Has Business Intelligence Been Making False Promises?

Everyone thought business intelligence (BI) was going to take the business world by storm. Everyone thought it meant businesses would be strategically transformed for better decision-making and increased profitability. However, this just hasn’t happened.

BI has been used and deployed for over 20 years now, but the truth is: there are very organisations that are really getting the most out of this technology.

Making informed business decisions, increasing employee productivity and creating new revenue streams are key areas where BI can make some dramatic transformations to businesses.

Over the past two decades, the main stumbling block for the BI industry has been low adoption rates and an inability to make BI pervasive.

In fact, Gartner has stated that in the 20 years since BI became mainstream, less than 30% of an organisation’s potential users of standard BI tools actually use the technology today.

Traditional BI tools aren’t having as much impact in the enterprise because they’re harder to deploy. Given the proliferation of CRM systems and the amount of systems businesses use across various departments, a company’s data sets are harder to match up and it becomes more difficult to determine which data is accurate.

Organisations may be delving deeper into data, but they’re not looking across the business as a whole for a holistic view.

Within companies now, there are huge silos due to different departments working with different data sets. This has created a move away from working to achieve a 360 degree view of data through BI tools towards Excel chaos, where different departments keep their own figures in separate documents, often inputting data manually.

Excel is at the heart of this because traditional BI is static and end users have to fight the battle between viewing static reports and being able to make their own analysis.

Even new data visualisation tools being deployed can lead to the same problems. Traditional BI tools are seen as complicated in terms of deployment and integration – workers often don’t want to have to get IT teams involved in handling BI capabilities.

It means there’s no ‘self-service’ for employees. They can’t have access to core business data as and when they need it. It’s not open for the masses. It’s seen as being controlled by the C-suite and IT staff.

For a quick fix to this issue of data access, people go to Excel – something they can have control over. Spreadsheet upon spreadsheet with no real overarching process and policy in place for each department’s data creates a black hole in which company information becomes inaccurate.

Excel also doesn’t correlate data with other essential business information, like CRM systems or between business units.

To answer this, a more modern approach to BI is being increasingly adopted, where self-service, mass data consumption and access is critical. 

Not only this, but workers and consumers are facing two technology revolutions, simultaneously: the consumerisation of IT and the digitisation of society.

People want and need access to data on the go and on any device, and society has seen an evolution from computing to apps that are easier to use, any place, any time. The growth of the mobile workforce means data needs to be intuitive and users need it in real-time. The true value of data is a function of time and context.

Organisations are also facing a data deluge with volumes of data at their fingertips. What they need to be doing is leveraging this data to differentiate themselves in this competitive landscape. Being able to predict events with data is key.

For example, an airline misplacing a customer’s suitcase when they land. They could proactively send a message to the customer knowing it has been lost early through accurate data analysis and inform the customer they will send the suitcase to the hotel instead.

Businesses that want to strategically transform in the age of big data must become an analytical company that provides intelligence for everyone. The benefits to truly understanding company data are extensive, including cost reductions, the ability to find new revenue streams, higher ROI, increased employee productivity, better understanding of customers, and better customer satisfaction.

But businesses can only transform into this model if everyone is able to use the data, meaning the other 70% must be addressed.

There are a huge number of operational employees who don’t have access to data and should. Organisations are missing a trick by limiting data access just to analysts, management executives and power users.

The police force is a great example of this. With access to historical data, the police can now even predict where crimes are more likely to take place. This helps them to make decisions about police resources during large event such as the London Olympics, which cuts costs and could save lives. Giving employees the opportunity to look forward is essential to be nimble in business and get ahead of competitors.   

Intelligence for everyone

There are three areas to consider to achieve this: data monetisation, breaking down the silos, and the rise of the new information consumer.

Baseline predicts a mere 10% increase in data accessibility for employees can result in an additional net income of $65.7 million for a typical Fortune 1000 company.

Data monetisation enables businesses to generate new revenue streams from their data by making it accessible to all.

To think ahead here and transform strategically, businesses need to look to join the real-time data movement and offer data, on any device, to all relevant and trusted users.

They should include context to enrich the value of the information and break down operational silos to make sure all data is trusted and accurate from a single-view platform, rather than through Excel-tired eyes. 

They should also match up and transform the business through creating more efficient processes. Linking up the data available in their CRM, ERP and marketing systems will help limit their Excel woes.

This will enable them to get a hold on their big data to manage, correlate and standardise it for seamless and accurate data-driven decision-making.

They must put the data in the hands of the workers to use every day, not just open it up to the C-suite or power users. These days, modern BI platforms can allow companies to provide all users with the data they need, in each department, so everyone within the business is singing from the same hymn sheet.

Finally, businesses should adapt their business data consumption to digital natives.

There are vast differences in the way people consume data today than 20 years ago, like taking sound bites of data from constantly updated news feeds and statuses on social media. Businesses should replicate this with their analytics technologies and look to provide staff with easy-to-use apps, with highly relevant information.

Overall, it truly is a data minefield these days for businesses as they face an ongoing revolution with big data and the mobile workforce, in particular.

When data is put in the hands of those who require it, with the intelligence they need, businesses can become more cost effective, profitable and can stay ahead of the game in such a saturated, competitive landscape.

It’s all about strategically transforming a business to deliver intelligence for everyone. 

(Article Taken From information-age.com)