::Trend Micro Threat Resource Center::

28 January 2015

Singapore to set up Cyber Security Agency

The Singapore government is setting up an agency, which will develop a national strategy to tackle cyber threats, create a national-level response and coordinate various agencies in managing threats.


Called the Cyber Security Agency (CSA), the agency will be operational from 01 April 2015. It will bring together existing agencies under the Ministry of Home Affairs (MHA) and the Infocomm Development Authority (IDA) to lead the cyber security master plan, the building and design of relevant systems, and to monitor and respond to cyber threats.

The CSA replaces the Singapore Infocomm Technology Security Authority (SITSA) which was set up on 1 Oct 2009 to safeguard Singapore against infocomm technology (IT) security threats.

SITSA has been monitoring 10 sectors: Government, infocomms, energy (power), land transport, maritime, civil aviation, water, security and emergency, health, and banking and finance. It will be subsumed into the CSA, together with the Singapore Computer Emergency Response Team (SingCERT), which liaises with cyber security bodies outside Singapore.

The CSA's functions will include strategy and policy development, cyber security operations, industry development and outreach. It will also work closely with the private sector to develop Singapore’s cyber security eco-system.

Dr Yaacob Ibrahim, Minister for Communications and Information, will be appointed as the Minister-in-charge of Cyber Security.

David Koh, Deputy Secretary (Technology) at the Ministry of Defence (MINDEF), was appointed Chief Executive (Designate) of the CSA on 1 January 2015 and will become Chief Executive of the CSA from 1 April 2015.

Koh will assume his CSA and MINDEF appointments concurrently.

The efforts by the Singapore Government come in the wake of a spate of cyberattacks in the last couple of years that targeted government websites. About 1,560 SingPass accounts were illegally accessed in June last year and, in September, details of more than 300,000 customers of karaoke chain KBox were leaked by hackers. In 2013, a string of hacking incidents hit Singapore government websites, including that of the Prime Minister’s Office (PMO).


26 January 2015

Hackers target Malaysia Airlines website

Malaysia Airlines has had its website hacked by a group called "Lizard Squad", which made references to the Islamic State on the defaced site.

The website's front page was replaced with an image of a tuxedo-wearing lizard, and read "Hacked by LIZARD SQUAD - OFFICIAL CYBER CALIPHATE". It also carried the headline "404 - Plane Not Found", an apparent reference to the airline's puzzling loss of flight MH370 last year with 239 people aboard.

Media reports said versions of the takeover in some regions included the wording "ISIS will prevail".


The Lizard Squad is a group of hackers that has caused havoc in the online world before, taking credit for attacks that took down the Sony PlayStation Network and Microsoft's Xbox Live network last month.

The Islamic State, an extremist Sunni Muslim group, has seized large swathes of Syria and Iraq, where it has declared an Islamic "caliphate".

It has drawn thousands of fighters from across the globe to its anti-Western cause, and shocked the world with its video-taped executions of journalists and other foreigners it has captured, the most recent being a Japanese security contractor it claimed Sunday to have beheaded.

A second Japanese captive being held by the militants has also been threatened with execution.

The IS group, which uses social media in recruiting and spreading its message, is believed to harbour ambitions of launching a cyber-war against the West.

It is unclear why Malaysia Airlines was targeted.

But concern has been rising in Malaysia after scores of its citizens were lured to the IS cause in the Middle East. Malaysian authorities last week said they have detained 120 people suspected of having IS sympathies or planning to travel to Syria.

25 January 2015

iCloud is a major weakness: will Apple ever fix it?

Those who follow the state of Apple as a company will know that online services are not its forte. Unlike Google, Amazon or Microsoft, Apple doesn't seem able to catch a break online: it revamped the failed MobileMe into iCloud, only to see iCloud abused in several high-profile account compromises and suffer serious amounts of downtime, damaging the credibility of iCloud and of Apple itself.

Apple's cloud issues all started with MobileMe. First released in 2008, MobileMe was the precursor to iCloud focused more around the Mac and various desktop-based services, such as iWeb. The service cost £99 (around $150, AU$185) per year and was used by very few and worked even less of the time.

As iOS and OS X started to converge, Apple released iCloud in 2011 and combined the features of MobileMe (minus some of the desktop-specific software) with more mobile-friendly services, such as location tracking for a phone. Email addresses, which were previously @me.com, were transitioned to @icloud.com, and iMessage was introduced, offering a WhatsApp-like texting experience exclusively for Apple devices. Apple had, it appeared, turned over a new leaf when it came to online services.

But the problems didn't end there. Over the years iMessage has seen various outages, leaving angry customers to fall back on plain old SMS, which eats into their text plans rather than their data plans, with only Apple to blame. In the summer of 2014, attackers broke into the iCloud accounts of a number of celebrities and leaked their private photos onto the internet. Other cases of identity theft via an iCloud account, giving an attacker access to the most sensitive of information, have also occurred.

Banished to the low ground
Popular web and iOS developer Marco Arment wrote recently that Apple had lost its "functional high ground" in terms of software quality and this is reflected in iCloud. Google and Microsoft produce world-class software products both online and offline, and have effectively claimed the "high ground," as Arment calls it, offering far more reliable services than Apple is able to.

In many ways, Steve Jobs' mantra of owning the "whole widget" is responsible for Apple's online faults. Instead of outsourcing the development of online technologies to a company that can handle it, Apple chose to develop them in-house and, as such, now has to develop hardware and software, both online and offline, a herculean feat that even Apple cannot manage.

The central premise of Arment's piece is that marketing has overtaken software in terms of importance at Apple, superseding the need for a quality product and replacing it with a need for a product to a deadline, which is usually just a year.

Speed is the priority
Arment argues that a value consensus has been reached within Apple that dictates speed is the most important factor when developing software, and that for the software to improve Apple would need to uncouple software releases from hardware releases. And if overall software improves, it stands to reason that Apple's online services would improve too.

Beyond reliability, many are clamouring for Apple to add more features to iCloud, the most notable of which is to open up the service to developers to work with, just as Google has done with Drive, or Dropbox does.

The "walled garden" approach works with devices and much of iOS, but having an online service exist in a vacuum is setting it up to fail, and Apple should be aware of this. Just as iOS has grown over the years to include third-party services at a system level – sharing on Facebook or Twitter, for example – iCloud needs to grow to allow other services to link in, expanding beyond what it is currently capable of on its own.

What to expect from Apple in 2015?

Many of these improvements would only be noticed by developers who know what "API" stands for (Application Programming Interface) or are interested in the inner workings of iCloud, but they're also vitally important to consumers. Apple does not own the "whole widget" when it comes to the online experience, and that is damaging the company's ability to integrate iPhone hardware and software.

Before iOS 8, Apple's mobile operating system was essentially closed and wouldn't even allow for seemingly elementary features such as sharing to third-party apps or a third-party keyboard, hallmarks of the Android user experience for many years. Post-iOS 8, the company seems far happier to integrate with third-parties and that integration is likely set to continue, opening up Apple's ecosystem to a larger group of developers, albeit at Apple's behest.

Crumbling credibility?
The primary problem with iCloud is that it doesn't "just work" and this creates problems for Apple's overall image. Just as Arment is arguing in his piece, each failure on Apple's part detracts from its credibility and image, eroding the loyalty of its customer base and damaging Cupertino's reputation in terms of reliability.

Whenever iMessage goes down, Twitter and other social networks light up with angry users asking Apple to sort it out, and this negative response will be remembered. Developers are also becoming increasingly angry on a different level, railing against Apple's unwillingness to open up the service while watching the quality of its software deteriorate.

Apple still has a chance to fix the damage that its tardiness is causing – it is unlikely that consumers are going to boycott iPhones on a large-scale because iMessage occasionally goes down – but each little incident chips away at the company's credibility while its competitors, principally Google, increase their lead in the online space.

20 January 2015

Your computer and smartphone, held hostage

Cybercriminals are making their attacks personal, remotely locking your computers and smartphones until you pay a hefty ransom.

Tapping a link on your smartphone to watch a new music video might sound harmless, but it got one 12-year-old girl from Tennessee into trouble last year.


Instead of a video, the preteen -- whose name has not been disclosed because of her age -- had unwittingly installed malicious software that downloaded child pornography, locked her Android phone, and threatened to report the pornography to the FBI if she didn't fork over $500 in ransom. She reported the hacker's extortion demands to Frank Watkins, an investigator with the Coffee County Sheriff's Department.

It's called ransomware, a type of malicious code that leaves its victims feeling personally violated. Some versions destroy your data if you don't pay, while others merely threaten. Some will encrypt your device, scrambling everything it contains until you pay a ransom.

Ransomware can be big business. CryptoLocker, which uses email attachments to infect computers and encrypt their files, harvested nearly $30 million in about 100 days, according to estimates from Keith Jarvis of Dell's SecureWorks counter-threat division. CryptoLocker's descendant CryptoWall, which has infected more than 1 million computers, continues to mutate and adopt new techniques that make it harder to remove.

While ransomware has been around since 1989, it's gotten worse as criminals target the billions of smartphones and tablets used around the world, demanding $100 to $600 (often in bitcoins) to release the device.

A mobile threat report from Lookout, a San Francisco company that makes security software for smartphones, found that 4 million of its 60 million users were held hostage last year, said Jeremy Linden, the company's senior security product manager.

Avast, which says 55 million people use its free mobile security software, reports similar numbers. Last month alone, the company blocked 5,000 ransomware attacks a day -- up from nearly zero only seven months earlier -- according to Jiri Sejtko, director of Avast's virus detection lab.

Having your computer locked out can be traumatic in its own right. Losing access to your smartphone can trigger "abject panic," said Larry Rosen, a psychologist and researcher at California State University, Dominguez Hills, who studies people's reactions to modern technology. "That little box contains everything you ever need on a daily basis. You're carrying around a phone, computer, friends -- your everything in one box," he said.

Small wonder, then, that hackers have trained their attention on mobile extortion. But payer beware. "You could pay a ransom and the malware would still not unlock your phone," said Lookout's Linden.

So far, mobile ransomware is considered easier to avoid than its desktop cousin. Experts have three tips for smartphone owners.

First, install an application that will block ransomware. Second, never install applications from outside the official Google Play store or Apple App Store; on Android that also means leaving the "Unknown sources" setting switched off, since it is what allows an app downloaded from a link to install at all.

And finally, report the crime to the police.

"Don't hesitate about calling," even if the attack installed child pornography on your phone, said Watkins, of the Coffee County Sheriff's Department. "Contact your local authorities. They'll be able to tell that it's ransomware."

15 January 2015

World’s first (known) bootkit for OS X can permanently backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit (malware that replaces the firmware normally used to boot Macs) can control the system from the very first instruction. That lets it bypass firmware passwords and the passwords users enter to decrypt hard drives, and preinstall backdoors in the operating system before it starts running. Because it lives in the boot ROM, independent of the operating system and hard drive, it survives both reformatting and OS reinstallation. And since it replaces the RSA public key that Apple's firmware uses to verify that only authorized firmware updates are applied, there are few viable ways to disinfect an infected machine. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no practical way to detect them, either.


The malware has been dubbed Thunderstrike because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that is in the process of booting, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before the OS loads. The Option ROM replaces the RSA public key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't hold the private key matching the new public key.

Enter evil maid
While the hack requires an attacker to have brief physical access to a targeted machine, that prerequisite isn't prohibitively steep in many situations. For example, so-called "evil maid" scenarios—in which a rogue hotel housekeeper tampers with a computer—or an agent at an international border crossing both routinely have access to computers, often while unsupervised. Documents leaked by former National Security Agency subcontractor Edward Snowden also exposed how agents intercept hardware being shipped to organizations targeted for surveillance and covertly install modified firmware onto them before they’re delivered.

All any of these attackers would need to do to carry out a Thunderstrike-style attack is to reboot a Mac with a previously weaponized Thunderbolt device attached. If the machine is turned on but locked, the attacker need only press the power button for a few seconds to hard-reboot the machine. Firmware passwords, disk encryption passwords, and user passwords won't thwart the attack since the Option ROMs are loaded before any of those protections are checked.

Thunderstrike made its debut in late December, at the Chaos Communication Congress. The vulnerability was discovered by Trammell Hudson, an employee of a high-tech hedge fund in New York City called Two Sigma Investments, while trying to secure the firm's MacBooks. A self-described reverse engineering hobbyist, Hudson was previously known for creating Magic Lantern, an open source programming environment for Canon digital SLR cameras.

Thunderstrike builds on a similar attack demonstrated at the 2012 Black Hat conference that bypassed OS X FileVault protections to install a rootkit. Like Thunderstrike, the 2012 exploit used the Thunderbolt port to inject its malicious payload into the boot process, but the earlier attack wasn't able to modify the boot ROM itself. To work around that limitation, the researcher, who works under the hacking moniker snare, wrote the bootkit to the EFI system partition on disk, where a disk wipe or OS reinstallation removes it.

Eureka
One of the breakthroughs of Thunderstrike is its ability to get the boot ROM firmware volumes validated. Hudson figured out how to do this after discovering an undocumented CRC32 cyclic redundancy check routine carried out during the normal validation process. A second breakthrough involved the discovery that Option ROMs are loaded during a recovery mode boot. That allowed Hudson to figure out how to replace Apple's existing EFI code.

Thunderstrike was just one of at least two EFI-based attacks demonstrated at December's Chaos Communication Congress. A separate talk delved into the Unified Extensible Firmware Interface (UEFI), the successor specification to EFI that boots many Windows and Linux machines. Hudson said an attack technique known as Dark Jedi, outlined during that talk, could possibly be adapted to make his exploit work remotely, so the attacker wouldn't require physical access. Earlier this week, US-CERT issued three advisories warning of vulnerabilities in widely used UEFI firmware. A researcher from security firm Bromium has also published a brief writeup of the UEFI talk.

Hudson said Apple is in the process of partially patching the vulnerabilities that make Thunderstrike possible. The remedy involves not allowing Option ROMs to load during firmware updates, a measure that Hudson said is effective against his current proof of concept. Apple has already begun rolling out the update to Mac minis and iMacs with Retina 5K displays, and plans to make it more widely available soon.

"However... it is not a complete fix," he warned in a blog post detailing Thunderstrike. "Option ROMs are still loaded on normal boots, allowing snare's 2012 attack to continue working. Older Macs are subject to downgrade attacks by 'updating' to a vulnerable firmware version."

Until there's a complete fix from Apple, there aren't a lot of viable options for preventing Thunderstrike-type attacks. Pouring a liberal amount of epoxy glue in a Thunderbolt port will certainly make the exploit harder, since it would force an attacker to take apart the casing to access the underlying flash ROM chip, but it would come at the cost of disabling key functionality. The other obvious solution is for people to keep their machines on their person at all times, but that isn't always practical, either. Hotel safes and locked and sealed storage boxes are also only partially effective, since both measures are vulnerable to cracking and picking.

13 January 2015

Google Isn’t Fixing Some Old Android Bugs


Google appears to no longer be fixing security flaws in the oldest versions of its smartphone Internet browser.

The previously undisclosed move could leave some users with older phones exposed to snooping by hackers and spies, security researchers said.

The new policy applies to the default browser in Android version 4.3, released in mid-2013 and known as Jelly Bean, and earlier. That covers roughly two-thirds of the billion-plus Android devices in use, according to Google, but some users may have updated their browsers to newer versions.

The policy does not apply to browsers in Android 4.4, or KitKat, which Google released in October 2013, or Android 5.0, or Lollipop, released in November 2014. Those versions changed how websites are viewed on Android devices.

The security blind spot illustrates the challenges companies face as they try to move customers onto newer products and focus security resources on patching more-current software. Microsoft applied the same reasoning when it stopped supporting Windows XP, first released in 2001, in April 2014.

That makes any new security holes found in the old software dangerous after they become public, since the companies won’t fix them.

The tension is particularly acute at Google, which has spent the past few years championing Internet security. The company has led the way in encrypting email and gives preference in its search rankings to websites that use encryption.

Rafay Baloch, a Pakistani security researcher, discovered Google’s shift a few months ago after he found several bugs in the old Android browser. Researchers like Baloch, sometimes called “white hat hackers,” comb through popular software searching for slipups that could give bad hackers an opening. Tech giants like Google and Facebook sometimes pay researchers for their discoveries.

As recently as September, Google had fixed, or patched, one of Baloch’s security flaws in the older browser. But when he submitted another one later in the fall, Google’s security team responded that if the affected Web browser is on Android 4.3 or earlier, “we generally do not develop the patches ourselves but do notify partners of the issue.” Google said it would distribute patches developed by others.

“What Google doesn’t seem to be considering seriously, though, is the cost associated with this move,” said Tod Beardsley, a senior engineer at Rapid7 who has worked with Baloch and Google on the issue. Beardsley reasoned that many consumers buy old phones to save money and that not all carriers push through Android updates.

This past fall, Google announced a new project to sell sub-$100 phones in developing markets. Called Android One, the push requires phones to ship with Android 4.4 or later and to receive automatic updates for up to two years.

_________________________________________

Researchers measure reach of Australian TorrentLocker variant


In a single month of monitoring last year, security researchers recorded more than 10,000 web hits related to versions of the TorrentLocker malware tailored to Australian victims.

TorrentLocker is a strain of malware that encrypts users' files and forces victims to pay a ransom in bitcoins in order to receive a key to decrypt them.

The base price in Australia is $598, but the ransomware threatens to double the price in 96 hours. Payment takes place through the Tor anonymity service.

TorrentLocker identifies itself as CryptoLocker, which is a separate piece of malware that operates in a similar fashion.

Security vendor Trend Micro and Deakin University researchers monitored local TorrentLocker activity in November last year and registered more than 10,000 hits relating to the malware originating from Australia.

The level of traffic to TorrentLocker-related addresses was obtained by studying a sample from the Trend Micro Web Reputation Service (WRS) and Smart Protection Network.

TorrentLocker phishing emails and destination URLs impersonated Australia Post and NSW's Office of State Revenue.

"This strain of CryptoLocker tailored for Australian victims started in the second half of 2014, and continued up to Christmas Eve," Jon Oliver, a senior threat researcher at Trend Micro Australia, said in a statement.

"The outbreaks have stopped for the New Year break, but will almost certainly continue in the New Year."

"These attacks are technically sophisticated and specifically aimed at Australians and have been significantly increasing since July with an enormous impact on businesses and individuals," said Deakin University's Professor Yang Xiang.

Full report available for download here.

12 January 2015

Exploit allows Asus routers to be hacked from local network

A vulnerability in Asuswrt, the firmware running on many wireless router models from Asustek Computer, allows attackers to completely compromise the affected devices. Malicious hackers, however, need to launch their attacks from within the local networks served by the vulnerable routers.


The flaw is located in a service called infosvr, which runs on Asuswrt-powered routers by default. The service, which is used by a tool called the Asus Wireless Router Device Discovery Utility, listens to packets sent to the router's LAN (local area network) interface over UDP broadcast port 9999.

"This service runs with root privileges and contains an unauthenticated command execution vulnerability," security researcher Joshua Drake, who found the vulnerability, said on his GitHub account.

Drake published his findings after someone else independently found the same issue and released an exploit for it.

While attackers can't exploit this flaw from the Internet, they can use it to gain control of routers if they first compromise a device connected to them or if they manage to connect to the local network in some other way. Any local computer infected with malware can therefore become a serious threat to a router that's vulnerable to this attack.

Routers are valuable targets for attackers, because they provide them with a foothold inside networks from where they can attack other devices. A router compromise is much harder to detect than a PC infection, because there are no antivirus programs running on such devices.

By controlling routers attackers gain the ability to intercept, inspect and modify incoming and outgoing Internet traffic for all devices that connect through them. Among other things, they can strip SSL from secure traffic and use DNS hijacking techniques to misrepresent legitimate websites.

Until Asus releases firmware updates for the affected routers, there are several mitigations available, although applying some of them requires technical skills.

The simplest way to block potential exploits for this vulnerability is to create a firewall rule that drops UDP port 9999 on the router, but unfortunately this cannot be done through the Web-based administration interface. Users will have to enable Telnet access in that interface, connect to the router via Telnet and type "iptables -I INPUT -p udp --dport 9999 -j DROP" without the quotes at the command line.

The command sets up a firewall rule to block UDP port 9999, but it's not persistent across reboots so the procedure needs to be repeated every time the router restarts.

Eric Sauvageau, the maintainer of Asuswrt-Merlin, a popular custom firmware for Asus routers that is based on Asus' unified Asuswrt firmware, suggested a persistent fix that involves using the non-volatile JFFS partition available on Asus routers.
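A persistent form of that JFFS-based fix, added here as an example and not Sauvageau's or Asus's own code: it assumes the firmware executes /jffs/scripts/firewall-start whenever the firewall is (re)started, which Asuswrt-Merlin does once JFFS custom scripts are enabled (stock Asuswrt does not run that hook), and that the JFFS partition is mounted. The installer only writes the script, so it can be tried on any Unix machine; iptables is invoked only by the generated script, on the router.

```shell
#!/bin/sh
# Added example (not Asus's or Asuswrt-Merlin's own code): make the UDP/9999 DROP
# rule survive reboots on an Asuswrt-based router.
# Assumptions: the firmware runs /jffs/scripts/firewall-start every time the
# firewall is (re)started (Asuswrt-Merlin behaviour with JFFS custom scripts
# enabled) and the JFFS partition is mounted. The installer never calls iptables
# itself, only the generated script does, so the installer runs anywhere.

INFOSVR_PORT=9999
FIREWALL_START="${FIREWALL_START:-/jffs/scripts/firewall-start}"

# The one line that does the work. Deleting first (errors ignored) and then
# inserting keeps exactly one copy of the rule however often the firewall
# restarts, without relying on the newer "iptables -C" check option, which
# older router builds of iptables lack.
infosvr_rule_line() {
    printf 'iptables -D INPUT -p udp --dport %s -j DROP 2>/dev/null; iptables -I INPUT -p udp --dport %s -j DROP\n' \
        "$INFOSVR_PORT" "$INFOSVR_PORT"
}

# Number of lines carrying the rule in script file $1 (0 when the file is absent).
infosvr_rule_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- "--dport $INFOSVR_PORT -j DROP" "$1" || true
}

# Idempotent installer: creates the hook script if needed, appends the rule
# once, keeps whatever an existing firewall-start already does, and makes the
# file executable (the firmware ignores a hook without the execute bit).
install_infosvr_block() {
    target="${1:-$FIREWALL_START}"
    if [ "$(infosvr_rule_count "$target")" -gt 0 ]; then
        return 0                      # already installed, nothing to do
    fi
    mkdir -p "$(dirname "$target")" || return 1
    [ -f "$target" ] || printf '#!/bin/sh\n' > "$target"
    {
        printf '# Block the unauthenticated infosvr service (UDP %s) on the LAN side.\n' "$INFOSVR_PORT"
        infosvr_rule_line
    } >> "$target"
    chmod 755 "$target"
}

# "sh infosvr-block.sh install" on the router: install the hook and apply the
# rule right away instead of waiting for the next firewall restart.
if [ "${1-}" = "install" ]; then
    install_infosvr_block && sh "$FIREWALL_START"
fi
```

Afterwards confirm the rule is live with iptables -L INPUT -n | grep 9999. Once Asus ships firmware that fixes infosvr the rule becomes unnecessary, but it stays harmless, since nothing legitimate needs that port from the LAN except Asus's own discovery utility.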

Users who run Asuswrt-Merlin on their routers can simply upgrade to version 376.49_5 of the firmware, which contains a fix for this vulnerability. However, it should be noted that installing custom firmware can void the device warranty and should only be done by users who understand and accept all the risks associated with this procedure, including the possibility that their device might be damaged.

06 January 2015

Skype serving virus-laden ads

In the last 24 hours, a malicious advertisement managed to slip through Microsoft's filters and made its way into Skype's ad slot.


Clicking on the advertisement takes you to a site pretending to be Adobe, which tries to download malware to your machine. This is not how Adobe distributes updates. This is how attackers trick unsuspecting users into willingly installing malicious software.

The payload? The landing page loads a fast-refreshing iframe that redirects back to the same page. Attempts to get the payload to infect a sandbox have not succeeded so far.

And this might be an IE-only thing: the rapid-load iframe does not work in Firefox or Chrome.

Microsoft seems to be aware of this issue, but did not comment further.

Suggested quick fix
Add these entries to your local hosts file:

# fighting off malware/virus
127.0.0.1 qwindowsdefender.nl
127.0.0.1 q-windowsdefender.nl
127.0.0.1 xwindowsdefender.nl
127.0.0.1 x-windowsdefender.nl
127.0.0.1 zwindowsdefender.nl
127.0.0.1 z-windowsdefender.nl
127.0.0.1 wed322d2.qwindowsdefender.nl
127.0.0.1 wed322d2.q-windowsdefender.nl
127.0.0.1 wed322d2.xwindowsdefender.nl
127.0.0.1 wed322d2.x-windowsdefender.nl
127.0.0.1 wed322d2.zwindowsdefender.nl
127.0.0.1 wed322d2.z-windowsdefender.nl
127.0.0.1 m.adnxs.com
127.0.0.1 cdn.adnxs.com

Note: This is not a comprehensive list of the domains used in the attack. There may be more than the ones indicated here.
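A script that applies the list above without leaving duplicate entries, added here as an example and not part of the original post. It assumes a Unix-style hosts file (lines of "address hostname [alias ...]" with "#" comments, default path /etc/hosts) and uses 0.0.0.0 as the sink address, an assumption you can override; on Windows the file lives under System32\drivers\etc and this script does not apply.

```shell
#!/bin/sh
# Added example (not from the original post): sinkhole the listed domains in a
# Unix-style hosts file without creating duplicate entries.
# Assumptions: hosts file format "address hostname [alias ...]" with '#'
# comments; HOSTS and SINK are defaults, override them via the environment.

HOSTS="${HOSTS:-/etc/hosts}"
SINK="${SINK:-0.0.0.0}"   # 0.0.0.0 rather than 127.0.0.1: not even a local web server answers
MARK="# fighting off malware/virus"

# The blocklist from the post, embedded so the script runs offline.
blocked_domains() {
    cat <<'EOF'
qwindowsdefender.nl
q-windowsdefender.nl
xwindowsdefender.nl
x-windowsdefender.nl
zwindowsdefender.nl
z-windowsdefender.nl
wed322d2.qwindowsdefender.nl
wed322d2.q-windowsdefender.nl
wed322d2.xwindowsdefender.nl
wed322d2.x-windowsdefender.nl
wed322d2.zwindowsdefender.nl
wed322d2.z-windowsdefender.nl
m.adnxs.com
cdn.adnxs.com
EOF
}

# Print the address that hosts file $1 maps name $2 to (comments stripped,
# case-insensitive, any position on the line); return 1 when it is absent.
hosts_lookup() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(host)) { print $1; found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$1"
}

# Append "<sink> <domain>" to file $1 for each remaining argument that the file
# does not already map. An entry the user already has (any address) is kept.
hosts_sinkhole() {
    file="$1"; shift
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$MARK" "$file" || printf '\n%s\n' "$MARK" >> "$file"
    for d in "$@"; do
        hosts_lookup "$file" "$d" > /dev/null || printf '%s %s\n' "$SINK" "$d" >> "$file"
    done
}

# "sh sinkhole.sh apply" writes the list into $HOSTS (needs root/administrator).
if [ "${1-}" = "apply" ]; then
    hosts_sinkhole "$HOSTS" $(blocked_domains)
fi
```

Run it as root with sh sinkhole.sh apply, then flush any local DNS cache so the entries take effect. Two caveats: adnxs.com is the AppNexus ad-serving network, so the last two entries silence ordinary ads on many sites rather than only this campaign; and, as the note above says, the list is incomplete, so a hosts file only stops the domains known so far and a campaign that rotates to a fresh domain walks straight past it.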

05 January 2015

If Your iCloud Password Is On This List, Change It Before You Get Hacked



Somebody just uploaded a password-hacking tool called iDict to GitHub that promises to use good old fashioned brute force techniques to crack iCloud passwords. The tool also claims to be able to evade Apple's rate-limiting and two-factor authentication security that's supposed to prevent brute force attacks. But it's not quite as bad as it sounds.

iDict's capabilities are limited by the size of the dictionary it uses to guess your password. So you're really only in danger if your password is on the 500-word-long list included with the tool. All of the passwords on it fulfill the requirements for an iCloud password, but if you're using one of these rather obvious passwords, you should change it anyway. Here are some examples:

  •     Password1
  •     P@ssw0rd
  •     Passw0rd
  •     Pa55word
  •     Password123
  •     ABCabc123
  •     Devil666
  •     Fuckyou2
  •     ILoveYou2
  •     Blink182

These are the same kinds of passwords that appear almost every year on the most popular password list, making it stupid simple for hackers to wreak havoc. They also follow a lot of the bad password practices we've pointed out before. So for God's sake, change your password if you use a bad password! And if you haven't already, you should also enable two-factor authentication on all your accounts, just for good measure.
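A small checker for the point made above, added here as an example and not part of iDict or the article: it tests a candidate against a wordlist and against the composition rules that every entry on the list already satisfies. The rules are an assumption (the commonly cited iCloud requirements of the time: eight or more characters with an upper-case letter, a lower-case letter and a digit), and the wordlist is the ten entries quoted above, not the tool's full 500-entry list.

```shell
#!/bin/sh
# Added example (not part of iDict or the article): check a password against a
# wordlist and against a composition policy. The policy below is an assumption
# (commonly cited iCloud rules of the time: 8+ characters, one upper-case, one
# lower-case, one digit); the wordlist is the ten entries quoted in the article.

# Constructed wordlist: the entries quoted above, one per line.
sample_wordlist() {
    cat <<'EOF'
Password1
P@ssw0rd
Passw0rd
Pa55word
Password123
ABCabc123
Devil666
Fuckyou2
ILoveYou2
Blink182
EOF
}

# Return 0 when $1 satisfies the assumed composition rules. POSIX character
# classes are used rather than A-Z ranges, whose meaning depends on the locale.
meets_icloud_policy() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[[:upper:]]' || return 1
    printf '%s' "$pw" | grep -q '[[:lower:]]' || return 1
    printf '%s' "$pw" | grep -q '[[:digit:]]'
}

# Return 0 when $1 is an exact line of wordlist file $2 (-F no regex, -x whole line).
in_wordlist() {
    grep -qxF -e "$1" -- "$2"
}

# How many lines of wordlist file $1 pass the policy. For the sample list the
# answer is all of them: a composition policy keeps none of them out.
count_policy_compliant() {
    n=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        if meets_icloud_policy "$pw"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Verdict for candidate $1 against wordlist $2: prints in-wordlist, fails-policy
# or ok; exit status 1 for the first two so it can be used in scripts.
password_verdict() {
    if in_wordlist "$1" "$2"; then echo in-wordlist; return 1; fi
    if ! meets_icloud_policy "$1"; then echo fails-policy; return 1; fi
    echo ok
}

# Usage: sh idict-check.sh 'candidate' [wordlist-file]; defaults to the sample list.
if [ -n "${1-}" ]; then
    list="${2:-}"
    if [ -z "$list" ]; then list=$(mktemp); sample_wordlist > "$list"; fi
    password_verdict "$1" "$list"
fi
```

Passing the candidate as an argument shows it in the process list, so on a shared machine read it from a file instead. The count function makes the lesson concrete: every one of the ten quoted entries passes a policy that demands a capital, a digit and eight characters, so composition rules are satisfied by exactly the passwords a dictionary tries first, and only length and unpredictability keep a password out of such a list.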

All that said, iDict isn't really a plug-and-play hacking device. The developer behind the tool isn't a friend to script-kiddies, he's trying to prove a point: Despite security updates since the brute force attack that gave hackers access to countless celebrities' nude photos, iCloud still isn't completely secure. Apple needs to fix the "painfully obvious" bug before it's "privately used for malicious or nefarious activities," he explains on GitHub. We've reached out to Apple to find out what they're doing about the vulnerability.

It seems like it wouldn't be that hard to swap out the 500-word-long list with an even longer, better list. Then, a tool like iDict could do real damage. Not to mention that ne'er-do-wells are probably gonna be using this tool as-is until the flaw gets fixed. So double-check your iCloud password against this list now, and pick something better even if your bad password isn't listed. Protect yourself while Apple's still working on shoring up that security.