How hackers used Google to steal corporate data : Attackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.

FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better known PlugX.

The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution, and an Asian government organization. FireEye did not disclose the name of the victims.

The unidentified hackers had used spear-phishing attacks to compromise the systems, then used the malware to steal sensitive information and send it to remote servers, FireEye said.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.
"It was a novel technique to hide their traffic," Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.

The attackers' tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.

The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and edirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company's hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.

In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.

Google and Hurricane were notified of the malicious use of their services, Moran said. Both companies had removed the attack mechanisms.

"We appreciate FireEye discovering and documenting this unusual attack, so that we could immediately fix our service to eliminate the possibility of this type of abuse in the future," Mike Leber, a spokesman for Hurricane said in an email sent to CSOonline.

Moran believed the services were victims of hacker creativity versus a flaw.

"These are services offered online that can be used for good or ill," he said. "A gun can be used to protect and a gun can be used to hurt."

Microsoft, Google, others back Facebook in New York privacy dispute : Facebook is seeking important rulings on the collection of bulk user data under gag orders

Key technology companies including Google, Microsoft and Twitter on Friday filed in support of Facebook's dispute with the New York County District Attorney's office over the collection of user data in bulk under a gag order for a fraud investigation.

The New York Civil Liberties Union and the American Civil Liberties Union also filed an amicus curiae brief Friday in support of the Facebook plea.

Facebook said in June that a court in New York directed it to turn over to law enforcement virtually all records and communications for 381 accounts, including photos, private messages and other information. The social networking company was also prohibited from informing the targeted persons who included "high schoolers to grandparents, from all over New York and across the United States."

Of the 381 people whose accounts were covered under the warrants, 62 were later charged in a disability fraud case, Facebook said. The NYCLU in a statement Friday objected to "broad fishing expeditions" by government into personal and social conversations with family and friends with no regard to user privacy.

In its appeal in the appellate division of the New York State Supreme Court, Facebook is asking the court for the return or destruction of the data. It has also asked for a ruling on whether the warrants, which authorized collection of large amounts of personal information and communications without an "apparent connection to the crimes under investigation, or procedures requiring the return of the seized information," are in violation of the Fourth Amendment to the U.S. Constitution that prohibits unreasonable searches and seizures of property.

The company is also asking for a ruling on whether the gag provisions of the warrants violated the Stored Communications Act and the First Amendment, and as importantly whether it has standing to challenge the warrants on behalf of its users.

The trial court had ruled in the negative in September on these issues, according to a Facebook filing. The court documents and warrants were unsealed after Facebook's appeal.

Dropbox, Google, LinkedIn, Microsoft, Twitter and Yelp in their motion for leave to file an amicus curiae brief argue that the service provider has third-party standing to raise the constitutional rights of its subscribers, particularly as the provider is subject to a gag order.

"Unless Facebook is able to assert its subscribers' constitutional rights -- and any of its own rights -- the legality of the government's actions with respect to those subscribers will escape review altogether. And had the government chosen to indict no one, no one would have been the wiser," according to the filing.

Foursquare Labs, Kickstarter, Meetup and Tumblr separately filed a brief asking that the trial court's order should be reversed and the bulk warrants quashed. To act as custodians of their users' private information, Internet companies must have the choice to either object to unlawful government intrusions or notify users of such intrusions, according to the filing. "The Trial Court's order denying both options must be reversed," the companies said in an amicus curiae brief.

Describing themselves as the "New York Amici," the small and medium-size platforms said smaller companies may not have the resources to litigate each search warrant or court order, which makes it important to provide users with notice and an independent opportunity to object.

The New York County District Attorney's office could not be immediately reached for comment. Facebook said it did not have a comment beyond its remarks in June.

21 अगस्त से बुक कीजिए हिंदी में डोमेन नेम...

नई दिल्ली। सरकार वेबसाइट्स के देवनागरी लिपि में डोमेन नेम बुकिंग 21 अगस्त से शुरू करेगी। पहले इसे 15 अगस्त से शुरू किया जाना था।

देवनागरी लिपि का इस्तेमाल हिंदी, मराठी, डोगरी के अलावा आठ अन्य आधिकारिक भाषाओं में लिखने के लिए किया जाता है। इसमें एक्सटेंशन 'डॉट भारत' होगा। वेबसाइट के लिए डोमेन नेम की बुकिंग 350 रुपये में और सब-डोमेन नेम की बुकिंग 250 रुपये में होगी।

पहले दो महीने ट्रेडमार्क या कॉपीराइट वाली कंपनियां ही बुकिंग करवा सकेंगी।

Oracle issues fix for Java update that crippled some Web apps : A work-around is available for users who are unable to apply Java upgrades, Oracle says

There's relief available for users who applied a recent Java update that stopped some Web applications from being able to launch.

Oracle has issued Java 7 Update 67 which contains a fix for the problem that cropped up in Java 7 Update 65, according to an official blog post.

The issue only involves a number of Web Start and Applet applications, and not any client or server-side software, according to the blog. The new Java update "is not a security fix or Critical Patch," the blog states.

Administrators should direct their users to download and install the update, Oracle added. The blog also describes a manual work-around users can take if they're unable to upgrade Java.

Those in such a bind should open their Java control panel, select the Java tab, then click "view." Once there, they should enter the number 7 in the area marked "runtime parameters," and then backspace over it, according to the blog.

While the issue resolved by Java Update 67 doesn't involve security, Oracle has faced pressure from community members following the discovery of high-profile vulnerabilities in the widely used programming language, which it gained control of through the acquisition of Sun Microsystems in 2010.

Last year, Oracle's head of Java security promised the company would fix Java's issues and step up its community outreach efforts.

Oracle's most recent quarterly Java security update, issued in July, contained 20 fixes. That total was down significantly from the 37 Java fixes shipped in the April update and 36 issued in January.

5 reasons Internet crime is worse than ever : Why does Internet crime remain a menace? These five reasons have enabled us to accept it -- but that complacency may not last

I've been fighting Internet crime for more than 20 years. In the old days, the daily malware hot sheet was known as the Dirty Dozen -- because it listed only a dozen malware programs. Today we have literally hundreds of millions of malware programs, thousands of professional hacking organizations, and tens of thousands bit players who steal hundreds of millions (if not billions) of dollars via the Internet every year.

Though we have smarter online users, better detection tools, and a host of legal tools at our disposal, Internet crime is worse than ever. It's been a long time since I've run into someone who hasn't had his or her life impacted by Internet crime.

How did we ever let Internet crime get so big? Why do we let Internet criminals get away with so much that it impacts and threatens nearly every transaction we commit over the Internet? Read on:

1. Internet criminals almost never get caught

The world is full of malicious individuals who have no problem skirting rules and laws, as well as taking property that belongs to other people. Bad people exist -- and the Internet is a very low-risk neighborood in which they can run amok.

There are tens of thousands of Internet criminals, almost none of whom get caught or prosecuted. If you're an Internet criminal, you have to be especially brazen for a long time -- and make mistakes -- before you get caught.

You don't have to be a mastermind or uber hacker. One of the most popular misconceptions is that you have to be hyperintelligent to get away with cyber crime. The exact opposite is true. Most Internet criminals I've met (and chatted with online) are not particularly smart. They couldn't program a simple notepad application, and they certainly don't have to be as smart as the average defender.

They simply lack morals, buy programs from other, smarter programmers, and want to roll the dice and take the risk. But they aren't taking any real risk, and that's the central problem: You can get rich without much risk of getting caught. Until this equation changes, we will never see a significant decrease in Internet crime.

2. Indefinite legal jurisdiction

Most Internet crime takes place across international borders. Law enforcement agencies are always limited to jurisdictional boundaries. For instance, a city police officer in Billings, Mont., can't easily arrest someone in Miami, Fla. We have federal law enforcement agencies, which reach across city and state boundaries, but they can't easily traverse international boundaries.

The FBI can't go to China and arrest someone just because they have legal evidence a crime being committed by a person there. They have to submit a request, which will likely be ignored, to Chinese authorities. But let's not pick on the Chinese. It's not like we're going to arrest an American citizen and ship him off to Beijing anytime soon, either, regardless of the evidence.

Sometimes law enforcement agencies of one nation work with another nation's law enforcement, but these occasions are rare. Plus, the really big ones involved with the majority of the Internet crime, like Russia, China, and the United States, certainly don't cooperate with each other.

3. Lack of legal evidence

Another huge impediment to successful convictions is the lack of official, legal evidence. Most courts accept "the best representation" of evidence recorded during the commission of a crime. But most computer systems -- and many networks in totality -- don't collect any evidence at all, much less evidence that might stand a chance of holding up in court. I'm still surprised by the number of computers I investigate that don't, at a minimum, have event logging turned on.

Even if more evidence was collected, most of it wouldn't stand up to a decent lawyer, assuming it would even be allowed in court. Collecting and preparing good legal evidence takes planning and commitment. Few organizations have the dedication or expertise.

4. Lack of resources

Few victims or victim advocacy groups have the resources, technology, or funding to pursue Internet criminals. I know many people who have lost tens of thousands of dollars to fraudulent transactions, including car sales, stock trades, bank transfers, and so on. Unfortunately, the amount lost usually pales compared to the cost of the resources that would be needed to recover the funds.

Many victims are too ashamed of their own gullibility to report the crime. If they do, a report will be taken -- and that's that. Your local enforcement agency isn't about to cross international boundaries to try and to recover your personal money. You can report it to the proper authorities, but rarely will they do anything to recover the damages or prosecute.

5. Cyber crime isn't hurting the economy enough (yet)

Lastly, the amount of Internet crime isn't hurting economies enough to raise a global red alert. Sure, Internet crime probably results in the loss of hundreds of millions -- or perhaps several billion -- dollars each year, but that amount of crime has persisted for a long time, well before the Internet.

Most of today's Internet crimes are newer versions of crimes and scams that have been occurring for decades before the Internet was around. Take credit card fraud: Retail stores would once look up known fraudulent credit card numbers in little paper books that the credit card vendors handed out. Nigerian scams have been around, via paper letters, phone calls, or faxes, at least since the 1990s.

Unfortunately, most Internet crime is seen as a necessary cost of doing business. As long as the majority of transactions are legitimate, the noise will be acceptable.

The solution is right in front of us

I've often wondered what it would take for our world to decide to diminish Internet crime substantially. We've had the means and technology to do so for a long time. We are not waiting for some fantastic new technology. Everything we need we already have, except for global consensus on how to do it and actually enabling the new features.

Personally, I think it's going to take a huge disaster. A digital catastrophe will happen eventually and bring down much of the Internet for a few days -- or shut down financial markets for a few hours or more. Passive acceptance of Internet crime will no longer be tolerated. We'll finally have to do something about it.

SAP ties up with Apigee for API management : Apigee's platform will serve as a middleman between SAP systems and mobile apps

SAP will resell software from Apigee in a move to help customers and partners build mobile applications, products and services that securely tap data from SAP systems.

The deal will result in a product called SAP API Management, a rebadged version of Apigee's Edge platform, which will be available in both on-premises form and on SAP's Hana Cloud Platform, according to an announcement Thursday.

The Apigee product's approach should calm the nerves of conservative SAP system administrators, who may be resistant to allowing external applications to call into critical back-end systems directly, said Joav Bally, chief product manager for Gateway and SAP API Management.

He compared Apigee's platform to a bouncer at a nightclub. "It decides who gets into the club or not," he said.

Apigee stands between back-end systems and applications running on mobile devices, websites, POS (point of sale) systems and other places, according to the company's website.

The applications interact with a proxy API (application programming interface) sitting on Apigee's platform, which relays calls to the back end. Apigee provides a framework for security and authorization, as well as the ability to throttle the amount of traffic moving through an API in order to avoid overloading back-end systems.

The proxy approach means SAP customers will have the ability to make changes to their systems as long as they maintain the API on Apigee. In turn, developers don't have to rewrite anything in order to handle such changes, since their applications talk only to the API.

Apigee also provides customers with analytics showing how their APIs are being used, as well as various ways to charge third-party developers for access to APIs.

With the Apigee deal, SAP is signaling a desire to keep pace with rivals such as Salesforce.com when it comes to opening up its software to the world in a secure way. In November, Salesforce.com introduced a new version of its platform that features 10 times as many APIs as before, allowing for a much wider array of integration scenarios.

"APIs are hot, and not just for digital businesses," said IDC analyst Al Hilwa, via email. "In a way, all companies are finding ways to connect with customers and partners through digital means, no matter the product. This is driving a huge wave of architecting systems for external use through APIs."

With Apigee, SAP is partnering with a company that has a wealth of experience in API management, Hilwa added: "SAP is wise to accelerate its investment in this area and support its large contingency of customers with their API efforts."

SAP is also trying to attract partners, particularly startups, to build software for its Hana cloud platform and marketplace, hoping to repeat the success Salesforce.com has had with its own AppExchange. The addition of Apigee's technology to the mix is clearly aimed at making it easier for those companies to interact with SAP systems.

Google makes Hangouts more enterprise friendly : Hangouts and Chromebox for Meetings get a business-focused update

Google is looking to make your work day a bit more social and is taking its Google Hangouts into the business arena.

The company is trying to make it easier for enterprises to use Hangouts for face-to-face, if not in-person, meetings, according to Clay Bavor, vice president of product management for Google Apps.
The Hangouts feature, which was first introduced as part of Google+, comes to the enterprise as part of a slew of new features for Google Apps for Business customers.

Starting today, even non-Google+ users can use Hangouts at work. Any Google Apps customer can start or join a high-definition video meeting that connects up to 15 participants -- from a computer or Chromebox for Meetings device. Google noted that the same ability will "soon" be available on smartphones and tablets.

"Hangouts is now covered under the same Terms of Service that support our other Google Apps for Business products, like Gmail and Drive," wrote Bayor, in a blog post. "That means we've got your back with 24x7 phone support and a 99.9% guaranteed uptime, as well as ISO27001, SSAE 16/ISAE 4302 and SOC 2 certification. Additional enterprise integration with Google Apps Vault is coming by the end of the year."

Taking Hangouts to the business community is another way for Google to get its foot in the door with enterprises. However, it's also part of the company's effort to push out Chromebox, Google's Chrome OS-based corporate meeting device, to a bigger, and more business-minded, audience.

"In the coming months, we'll be making Chromebox for Meetings work better in rooms of all shapes and sizes," Bayor wrote. "In larger conference rooms, you can connect two displays to one Chromebox for meetings device to see your audience and project a presentation at the same time. And if you've ever wanted a dedicated setup for video meetings for your home, new personal calendar integration means you will be able to easily set up Chromebox for meetings outside the office."

He added that IT administrators can better manage meetings directly from the Google Apps Admin Console, giving them options like remote starting, muting and ending a meeting.

"Google is moving into the enterprise, or at least trying to," said Ezra Gottheil, an analyst with Technology Business Research. "I know Hangouts was introduced with Google+, but Hangouts is cleaner, more understandable, and more business-friendly, as a stand-alone chat, video-chat, video-conferencing application."

Google is scheduled to hold a Hangout on Aug. 19 to go over the new features.

Google used this video to introduce its update to Chromebox for meetings, while making Hangouts easier to use in the enterprise.

Judge rules against Microsoft in email privacy case : The company is compelled to comply with a U.S. warrant for emails held on a server in Ireland, a judge rules

A U.S. district court judge has ruled against Microsoft in the company's effort to oppose a U.S. government search warrant for emails stored in Ireland.

On Thursday, Judge Loretta Preska of the U.S. District Court for the Southern District of New York rejected the company's appeal of an earlier ruling requiring it to turn over emails stored in the company's facility in Dublin. Preska ruled that Microsoft will not have to turn over the emails while it files an appeal.

Preska, in an oral ruling from the bench, sided with a magistrate judge's April ruling quashing Microsoft's opposition to the warrant, related to a criminal case, from the U.S. Department of Justice.
Microsoft will appeal Preska's ruling to the U.S. Court of Appeals for the 2nd Circuit, the company said. Microsoft has argued that the DOJ has no authority to issue warrants related to emails stored outside the U.S.

"The only issue that was certain this morning was that the district court's decision would not represent the final step in this process," Microsoft general counsel Brad Smith said in a statement. "We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the U.S. and around the world."

U.S. law has long required search warrants to name the specific location of the information they seek, instead of requiring a company receiving the warrant to search multiple locations for the information, as has happened in the Ireland case, Microsoft has argued. U.S. search warrants also haven't been able to reach overseas, just as U.S. residents wouldn't want foreign courts to be able to search domestic locations, Smith has said.

U.S. Attorney Preet Bharara of the Southern District of New York has opposed Microsoft's attempts to invalidate the warrant. If Microsoft's interpretation of the law is upheld, Web services providers could move content around the world in an effort to avoid law enforcement requests, Bharara wrote in a brief to the court.

Microsoft EMET 5.0 security tool puts a leash on plug-ins : Latest version of the free toolkit allows administrators to block third-party plug-ins -- a favored route for attackers

The latest release of a Microsoft security tool that's designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.

Microsoft has been steadily improving and adding more capabilities to the Enhanced Mitigation Experience Toolkit (EMET), a free tool that strengthens the security of non-Microsoft applications by using defenses built within Windows, such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

The latest 5.0 iteration, released Thursday, includes something called "Attack Surface Reduction," which can block some of an application's modules or plugins that might be abused, wrote Chris Betz, senior director of the Microsoft Security Response Center.

He wrote that Microsoft Word, for example, can be prevented from loading an Adobe Flash Player plugin or allow Java plugins to only run from intranet-zone sites rather than outside ones.

Third-party software is often favored by hackers as finding vulnerabilities in the Windows operating system has become more difficult. Java, an application framework for running applications, is often targeted, as well as applications from Adobe Systems.

EMET has been configured by default to block Adobe's Flash plugin from being loaded by Word, Excel and PowerPoint.

Another improvement to EMET deals with digital certificates, which are used to secure a SSL (Secure Socket Layer) connection, Betz wrote. EMET now has a blocking mode that will tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data.

Microsoft also hardened EMET in light of successful efforts at bypassing mitigations in its 4.0 version. Earlier this year, researchers from Bromium, which develops security technologies based on micro-virtualization, found that more technical hackers could bypass all of EMET's protections.

The company worked on hardening EMET against bypass techniques, which are possible "when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself," according to a technical writeup.

Microsoft sues Samsung, says it stopped paying for patents : Samsung is requires it to pay licensing fees to Microsoft for the Android phones it sells

Microsoft filed suit against Samsung on Friday, claiming the device maker has backed out of an agreement that requires it to pay licensing fees to Microsoft for the Android phones it sells.
Samsung has not honored the agreement since at least last September, when Microsoft announced it was acquiring Nokia's devices and services business from Google, Microsoft alleged in the complaint.

"Samsung breached the license agreement last fall by refusing to make its Fiscal Year 2 royalty payment on time and then refusing to pay interest on its late payment, and is threatening to breach the License Agreement again with respect to its ongoing royalty payment obligations," says the complaint, which was filed Friday in federal court in New York.

Microsoft and Samsung have been meeting for months to resolve a disagreement over the contract, to no avail, Microsoft said Friday in an accompanying blog post.

"We don't take lightly filing a legal action, especially against a company with which we've enjoyed a long and productive partnership," wrote Microsoft corporate vice president and deputy general counsel David Howard.

"Unfortunately, even partners sometimes disagree," he wrote.

The companies entered into a patent cross-licensing agreement in 2011 under which Samsung would pay Microsoft to use its technology in the Android phones and tablets it sells.

But after Microsoft's Nokia acquisition was announced, Samsung decided to stop complying, Microsoft said Friday.

"Samsung began using the acquisition as an excuse to breach its contract," Microsoft's Howard wrote. Samsung did not ask the court whether the Nokia acquisition invalidated the contract, he wrote.
A Samsung spokeswoman said via email that the company would review the complaint in detail "and determine appropriate measures in response."

Since 2011, sales of Samsung-made smartphones running Google's Android operating system have grown substantially, according to industry research firm IDC. Samsung's smartphones, which include the Galaxy S5 and S4, now have a roughly 30 percent share of the global market, according to IDC.