
Spanish police arrest eleven crooks for ransomware scam


February 14, 2013

Federal police in Spain have arrested eleven individuals suspected of running a €1 million a year ransomware scheme using malware that posed as a message from law enforcement officials.

Investigators first became interested in the 'Reveton Malware' after hundreds of complaints from victims of the crime started flooding in at the beginning of 2011.

Trend Micro and Spanish law enforcement agencies worked with the European Cybercrime Centre (EC3) at Europol in a concerted operation coordinated by Interpol over the months that followed, sharing gathered intelligence, samples and many related technical details.

Cops said that their research allowed them to literally map the criminal network infrastructure, including traffic redirection and command-and-control servers.

They then conducted multiple raids on various premises, seizing computers, hard drives, servers, IT equipment and stolen credit cards used to cash out the money that victims had paid.

In a statement, police said that since it was detected in May 2011, there had been more than 1,200 complaints about the so-called "POLICE VIRUS" (Reveton drive-by malware).

Police said this intelligence led to the arrest of eleven individuals. One of the suspects, an unnamed 27-year-old, is suspected to be the kingpin of the group that produces the Reveton ransomware.

This Russian national was arrested in Dubai, United Arab Emirates. Spanish authorities have filed an extradition warrant. Along with this key arrest, police said they had run a takedown operation focusing on the lower-ranked members of the gang, in connection with which they made several additional arrests.

Police added that lower-ranked members in the group were involved in monetization of the Paysafecard/Ukash vouchers received as payment in the scam. The gang had a branch in Spain's Costa Del Sol that exchanged these vouchers and converted them into real cash, which would then be sent to the main group in Russia.

Europol said in a separate statement: "The financial cell of the network specialized in laundering the proceeds of their crimes obtained in the form of electronic money. The gang employed both virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways or virtual coins."

Spanish cops said that ten of the suspects had been arrested in connection with allegations of money-laundering activity. Six of the cuffed suspects are Russian, two Ukrainian and two Georgian, but all of them were based in Spain, police said.

Spanish police said the fraudsters behind the scam were netting about €1 million a year in illegal profits. "This coordinated activity, in a similar fashion as the Trend Micro/FBI action against the DNS Changer gang last year, leading directly to the arrest of individuals believed to be actively engaged in cybercrime, should serve as a model for how the security industry and law enforcement can effectively cooperate in the global fight against online criminal activities," said Rik Ferguson, director of security research and communications at Trend Micro.

The ransomware used by the gang displays police logos to make it look like it came from a law enforcement agency, convincing victims to cough up a "fine" of around €100 using cash vouchers in order to unlock their computers.

In other internet security news

U.S. defense contractor Raytheon has developed new software that can mine social media websites such as Twitter and Facebook to track and predict users' behaviour, according to British media news outlets.

The story from The Guardian says that the key features of Raytheon's software, developed in co-operation with the U.S. government and delicately titled Rapid Information Overlay Technology are said to be an ability to sift through social media and figure out who your friends are and the places you frequent.

What is disturbing is that such a tool could likely end up in the hands of a repressive State, or a shadowy agency inside a more open State. Australia's Sydney Morning Herald today has a similar story on the same theme.

All of this *is* disturbing, except for the fact that similar software can be had from other sources that are far less scary than a defense contractor.

For instance, IBM sells “social media analytics” software that can “capture consumer data from social media to better understand attitudes, opinions, trends and manage online reputation” and even “predict customer behavior”. That's the same company that can whip up a supercomputer or sell you a scale-out NAS capable of storing multiple petabytes of raw information.

And customer service software firm Genesys sells “social engagement” software that “automates the process of social listening to your customers” and “extends business rules and service level strategies to the growing volume of social media-based customer interactions.”

A quick mention of Big Data, daily and breathlessly advanced as capable of all of the above and much more, is also surely worth inserting at this point.

And then there are Google, Twitter, Facebook and others whose entire business is built on figuring out who you spend time with and where you spend or intend to spend that time, so they can sell that information to advertisers all over the globe.

Or hand over your data to the government, which seems to be happening rather more regularly, if the social networks' own reports on the matter are anything to go by.

We're not suggesting that Raytheon's software was designed as an instrument of State surveillance, but it's still worth pointing out that the company is far from alone in having developed software capable of tracking numerous public data sources, aggregating them into a file on an individual, and doing so without the individual's knowledge.

And that the company has done so in full collaboration with the U.S. government should not surprise anyone.

As for the spatial aspect of these allegations, the fact that photos contain spatial metadata is hardly news, nor is the notion that social media leaves a trail of breadcrumbs a novel one; it's a well-known fact.

One has only to revisit news from 2010 to be reminded of how pleaserobme.com pointed out how social media can alert thieves to the fact you've left your home.

Far clearer is the fact that you are the product for any free online product. Also very clear is that by using such services, data about you will be consumed by a large and diverse audience. The scariest thing of all may be how few of those that use such services care or even realize the vast implications this could have on their personal and professional lives.

In other internet security news

The Canadian government is blaming a simple printing error for the fact that some student loan recipients who received letters to say their personal information had gone missing along with a portable hard drive also got letters addressed to someone else.

Canada's Human Resources and Skills Development (HRSDC) revealed in mid-January that a hard drive containing the personal information of some 583,200 Canadian students had gone missing.

The data included social insurance numbers and dates of birth of people who had received student loans between 2002 and 2006.

Victims of the data breach began receiving notification letters a few days ago, and at least 100 of those envelopes contained letters intended for other people.

In Ottawa's House of Commons, opposition members hammered the government over the latest blunder in question period earlier this week.

“Mr. Speaker, the incompetence continues regarding the data breach and mail-outs now going to the wrong people,” Liberal MP Rodger Cuzner said.

Human Resources Minister Diane Finley responded that her department had identified the cause of the wayward letters and “the issue has been fixed.”

HRSDC said that a technical issue with printers led to some envelopes being double stuffed, and the personal information contained in the letters was limited to names and addresses.

The department will send pre-paid envelopes to those who received letters intended for others so they can be returned to the intended recipients.

The department went public about the loss of the data last month after an RCMP investigation into another breach revealed that there was a hard drive missing from an office in Gatineau, Quebec.

The hard drive was last seen in August but was only discovered missing in November. Finley has said there is no evidence to suggest that the missing data has been used for unlawful purposes.

The department has said that the portable hard drive did not contain personal banking, social insurance numbers or medical information.

But Canadians affected by the breach are still very concerned. National Democratic Party minister Ruth Brosseau, who took out a student loan eleven years ago, is among those whose data is on the missing hard drive.

“It’s my SIN card, it’s my address,” Brosseau said. “I know a lot of people knew a lot about me after the election, and now they’re going to know a lot more. So it’s very, very disturbing.”

The security breach has sparked both an internal and an RCMP investigation, and department officials will appear before a Commons committee next month to answer questions.

Dozens of people have also joined at least three class-action lawsuits that have been filed over the breach, demanding hundreds of millions of dollars in financial compensation.

In other internet security news

Two internet security research scientists say they have identified a new vulnerability in TLS, the encryption technology used to safeguard online shopping, banking and privacy.

Discovered today, the design flaw could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites.

Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim that they can easily crack TLS-encrypted traffic in a man-in-the-middle attack.

According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them.

These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece.

Specifically, an attacker strategically changes the data used to pad out the encrypted blocks of information, and measures the time taken for the server to determine that the message was tampered with before rejecting it.

The progress of the algorithms processing the blocks is revealed by this time difference, and it's enough to gradually calculate the contents of the original message.

But it's tricky to precisely measure these timings due to network jitter and other effects. And tampering with the data will cause the connection between the browser and the server to fail.

Thus, a bit of client-side malware is needed to repeatedly probe a server with new connections, replaying slightly altered versions of the original encrypted message, which might for example be a login cookie.

This is similar to the earlier BEAST (Browser Exploit Against SSL/TLS) attack. We're told attacks against DTLS - a variant of TLS used by VPNs to secure traffic - can be carried out in a single session as well.

Professor Paterson said JavaScript code injected into a web page could implement the new research and decrypt a victim's login cookie in about two hours: "An ordinary cyber-criminal would just use a phishing attack to get a password, but for a nation state interested in getting an activist's login cookie for Tor, this sort of attack is possible for a determined and well-resourced attacker.

"TLS is not quite as bullet-proof as we thought, and that's disturbing." A paper titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols was published late yesterday and states: "The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used."

"The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable."

Professor Paterson said: "While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS's extremely widespread use, it is crucial to tackle this issue now.

"Luckily, we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organizations, including OpenSSL, Google and Oracle, to test their systems against attacks and put the appropriate defences in place."

The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable.

Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics' Lucky Thirteen study threatens a fundamental eCommerce security protocol.

The latest attacks "are quite different from BEAST and CRIME" as the university pair explain in an FAQ: "BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS."

"Our attacks are based on analyzing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques."

The computer-science duo tested their attacks against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS.

Blocking the attack can be achieved by either adding random time delays to CBC-mode decryption or switching to either the RC4 or AES-GCM cipher-suites.

GnuTLS released a patch late yesterday. And OpenSSL is also working on a fix at their end. Other security services vendors, including web browser developers, may also need to adapt their software in response to the threat.

The security researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen: "In Western culture, 13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers."
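The following Python is an added illustration, not code from the Royal Holloway paper, from OpenSSL or from GnuTLS. It models the receiver-side processing the article describes for a TLS 1.1/1.2 CBC record (plaintext, then HMAC-SHA1 tag, then padding): a spec-following check whose amount of MAC work depends on how the padding check went, beside a hardened check that does the same amount of hashing for every record of a given length. Work is counted in SHA-1 compression-function calls rather than measured as wall-clock time, which is why the 13 bytes of header plus sequence number matter: they shift which plaintext lengths cross a 64-byte hash-block boundary. The MAC key, sequence number, record contents and the single corrupted padding byte are constructed sample values; the dummy-compression approach in the hardened version is a simplified form of the equalise-the-work countermeasure, not any particular library's patch, and Python itself is not a constant-time environment.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20     # HMAC-SHA1 tag, as in TLS_RSA_WITH_AES_128_CBC_SHA
BLOCK = 16       # AES block size: a decrypted record is a multiple of 16 bytes
HEADER_LEN = 13  # 8-byte sequence number + 5-byte record header (the "lucky" 13)


def record_header(seq, content_type, version, length):
    """The 13 bytes the TLS MAC covers in addition to the plaintext."""
    return struct.pack(">QBHH", seq, content_type, version, length)


def sha1_compressions(msg_len):
    """SHA-1 compression calls needed to hash msg_len bytes (SHA-1 always
    appends at least 9 bytes of padding before the last 64-byte block)."""
    return (msg_len + 8) // 64 + 1


def hmac_sha1_compressions(msg_len):
    """HMAC-SHA1 = inner hash over (64-byte padded key || msg) plus
    outer hash over (64-byte padded key || 20-byte inner digest)."""
    return sha1_compressions(64 + msg_len) + sha1_compressions(64 + MAC_LEN)


def split_record(decrypted):
    """Parse plaintext || tag || padding the way a TLS 1.1/1.2 CBC receiver does.
    Returns (padding_ok, plaintext, tag)."""
    if len(decrypted) < MAC_LEN + 1:
        raise ValueError("record too short to hold a tag and a padding byte")
    pad_len = decrypted[-1]
    padding_ok = (pad_len + 1 + MAC_LEN <= len(decrypted)
                  and decrypted[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    # On bad padding the spec says to carry on as if the padding were zero-length,
    # so a MAC check still happens and a distinct "padding error" is not signalled.
    body = decrypted[:-(pad_len + 1)] if padding_ok else decrypted[:-1]
    return padding_ok, body[:-MAC_LEN], body[-MAC_LEN:]


def naive_verify(key, seq, decrypted, content_type=23, version=0x0302):
    """Spec-following but leaky: the MAC runs over however much plaintext the
    padding check left, so the hashing work depends on the padding.
    Returns (accepted, compression_calls)."""
    padding_ok, plaintext, tag = split_record(decrypted)
    header = record_header(seq, content_type, version, len(plaintext))
    expected = hmac.new(key, header + plaintext, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, tag)
    return padding_ok and mac_ok, hmac_sha1_compressions(HEADER_LEN + len(plaintext))


def hardened_verify(key, seq, decrypted, content_type=23, version=0x0302):
    """Same decision, but the number of compression calls is fixed for a given
    record length: after the real MAC, dummy SHA-1 blocks make up the difference
    to the worst case (zero-length padding, the longest possible plaintext)."""
    padding_ok, plaintext, tag = split_record(decrypted)
    header = record_header(seq, content_type, version, len(plaintext))
    expected = hmac.new(key, header + plaintext, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, tag)   # always evaluated, never skipped
    worst_case = hmac_sha1_compressions(HEADER_LEN + len(decrypted) - 1 - MAC_LEN)
    done = hmac_sha1_compressions(HEADER_LEN + len(plaintext))
    for _ in range(worst_case - done):
        hashlib.sha1(b"\x00" * 55).digest()     # 55 bytes = exactly one compression
    return padding_ok and mac_ok, worst_case


def build_decrypted(key, seq, plaintext, content_type=23, version=0x0302):
    """Constructed test input: what CBC decryption hands back for a well-formed
    record, i.e. plaintext || HMAC || minimal padding up to a block boundary."""
    header = record_header(seq, content_type, version, len(plaintext))
    tag = hmac.new(key, header + plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(plaintext) + MAC_LEN + 1) % BLOCK) % BLOCK
    return plaintext + tag + bytes([pad_len]) * (pad_len + 1)


if __name__ == "__main__":
    key = b"constructed-mac-key"                     # constructed sample key
    good = build_decrypted(key, 1, b"Cookie: session=0123456789abcdef")
    # A corrupted final padding byte, as a modified ciphertext block would produce.
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    for name, verify in (("naive", naive_verify), ("hardened", hardened_verify)):
        print(name, "good:", verify(key, 1, good), "tampered:", verify(key, 1, tampered))
```

On the 64-byte sample record the naive check performs 4 compression calls when the padding is intact and 5 when it is not, which is the kind of difference the article's timing measurements pick up; the hardened check performs 5 in both cases. Equalising the hash work is only one part of a real fix, since branches, memory access and the MAC comparison itself also have to be made independent of the padding.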

In other internet security news

It would appear that Oracle is trying hard to be more proactive when it comes to Java security implementation on its IT solutions and appliances.

The software company has brought forward the timetable of an upcoming Java security update by two weeks in order to block off a new security hole recently discovered.

The security update, originally scheduled for February 19, was released on Feb. 1st because of active exploitation 'in the wild' of one of the security vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.

The update covers no less than fifty-one security holes, forty-nine of which are remotely exploitable. To be sure, twenty-seven of the security flaws carry the maximum Common Vulnerability Scoring System (CVSS) risk score of 10.

And the latest official versions are Java 7, update 13 and Java 6, update 39. This month marks the end of life of Java 6, however.

Despite the update, many security experts continue to advise against installing the Java plug-in in browsers. If users do need Java applets for certain sites, or for internal applications, then these should be accessed using a second browser that is not used for day-to-day surfing.

The overall security implications of Oracle's new Java security update can be found in a blog post by Paul Ducklin of Sophos on their site.

In other internet security news

Twitter was very busy last night resetting passwords and revoking cookies, following a serious security breach that may have leaked the account data of about 250,000 users.

"Last night, we detected some very unusual access patterns that led us to identify unauthorized access attempts to Twitter user data," said Bob Lord, Twitter's director of information security.

According to Lord, Twitter was able to fully shut down the breach attack within moments of discovering it, but not before the attackers were able to make off with what he calls "limited user information," including usernames, email addresses, session tokens, and encrypted passwords.

The encryption on such passwords is generally difficult to crack – but it's not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them, suggesting that it may have been an inside job.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just "a small percentage" of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you'll need to enter a new password the next time you log in. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods.

In addition, he recommends against using the same password on multiple sites. Lord says Twitter's investigation is ongoing, and that it's taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal.


Source: Spanish Federal Police.

Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer