Showing posts with label hackers. Show all posts

Wednesday, May 14, 2008

Chinese hackers attacked Belgium

Belgium joined the growing ranks of countries voicing concerns about cyber attacks originating from China. Belgium is believed to have been targeted because the headquarters of the European Union and NATO are located here and because of Belgium's track record in Africa. In recent days, the Chinese have shown growing interest in this continent.

Justice minister Jo Vandeurzen claimed that the Federal Government had been targeted by Chinese hackers, backing up a separate statement by Belgium's foreign affairs minister, Karel De Gucht, that his ministry had been hit by espionage in recent weeks.

In both cases, the Belgians appear certain that the culprits were Chinese and that the Beijing authorities must know something about events, although no evidence has been offered to back up these allegations. The precise nature of the attacks has not been explained either.

If the accusation is justified, it is starting to look as if Chinese-originated cyber-attacks have spread well beyond the obvious Western targets.

The Chinese have been implicated in acts of cyber-espionage in the last couple of years, including various alleged assaults on US military systems in 2006 and 2007. As recently as last September, a "leaked" report blamed the Chinese for a similar attack on the Pentagon.

The US reports have come in the form of briefings from unnamed individuals or leaks, suggesting that the US was sending a coded warning to the Chinese that such events risked damaging relations between the countries. The US suspects China of using espionage to make gains in the software, integrated circuit, computing, electronics, telecommunications and information security sectors in an effort to shift the People's Liberation Army (PLA) "into an information-based, network-enabled force."

The UK, by contrast, has been more pointed. In late 2007 it openly sent letters to large UK companies warning them of the threat from Chinese-backed cyber-warfare.

"There simply isn't enough evidence to say whether these attacks were sponsored by the Chinese Government or not," said Graham Cluley of Sophos on the Belgian attacks.

"Governments need to think carefully before accusing another of spying via the Internet - unless they have strong proof. There is no doubt however of the importance of securing critical computers inside government from hackers whether motivated by politics, espionage or money," he added.

China has denied responsibility for any attacks coming from the country, but security experts have stated that the country -- and at least two dozen, and as many as a hundred, other nations -- routinely probe, and even attack, each other's networks. Germany's government has acknowledged, for example, that the nation's intelligence agency has engaged in cyber espionage to gain information from computers in Afghanistan and the Democratic Republic of the Congo.

In April, the North Atlantic Treaty Organization (NATO) decided to establish a Cyber Defense Management Authority (CDMA) to coordinate its member countries' responses to hostile online attacks.
You can read a US military report on China here

Source TechWorld



Tuesday, May 13, 2008

FBI fears Chinese have back doors into US government networks

The FBI is investigating security leaks that could help the Chinese government or Chinese hackers (or both) benefit from undetectable back doors into highly secure government and military computer networks for months, perhaps years. The cause: a high number of counterfeit Cisco routers and switches installed in nearly all government networks that experienced upgrades and/or new units within the past 18 months.

The US government has been attempting to avoid security issues by using only higher-end Cisco partners/suppliers for the gear. Cisco has 80% of the market share in networking solutions, and 1 in 10 Cisco products is fake. These products are sold on the black market and can end up in sensitive networks. However, the highly competitive lowest-bid environment of government procurement has inspired several vendors to look for cheap alternatives for hardware... resulting in a catastrophic meltdown of security.

An unclassified FBI presentation that has been released discusses the fear that China is intentionally having counterfeit Cisco hardware sold in the United States. In the presentation, the FBI discusses four cases that it had investigated where this hardware was discovered, even in classified networks.

The more serious statements made in this presentation are on slide 30, where they claim that about 10% of the information technology hardware sold globally is counterfeit and that it has been sold through legitimate channels (KPMG is the cited source) for the past couple of years. In the case of Cisco, this counterfeit hardware is sold through the Cisco Gold and Silver Partners program. Other vendors' vetting processes are just as flawed, allowing this hardware to enter your IT infrastructure.

This photo from the FBI presentation shows the differences between an original Cisco router and a fake one:


The FBI is concerned about critical infrastructure damage and the potential for access to secure government systems. Many online IT circles have been speculating that the counterfeit hardware will provide backdoor capabilities and access into compromised networks for the originators of the equipment. In fact, some of the speculation regarding the counterfeit Cisco equipment has focused on the possibility that the hardware is being manufactured expressly to deploy exploitable systems far and wide into the wild. The rationale is that the likely "wholesale" price of the counterfeit routers and switches is so low, and profit margins likely so thin, that the only real advantage may be gained from downstream system exploits in the future.

The US Government should buy only from mainland assembly plants (in the US, preferably monitored) and cut out any suspicious links in the chain.

This is another security issue that Richard Marcinko was complaining about back in the 90's, and that nobody took seriously. He has said that the Chinese have been getting their hands on our top secret electronic hardware for years. He even says that we've been secretly giving the equipment to them in exchange for political leverage and a lot of other things. He says that China has an extensive spying scheme and network in the US, and that it's very compartmentalized.

System boards are made in China. The BIOS chips on these boards are made there too, so it is easy to have the OS open a network connection when triggered, thinking it is supposed to because the BIOS claims it has this port open for this card.

This is not the first time that a government authority has found major backdoors.

German counter-intelligence found years ago that Internet hackers had started to point out several built-in software backdoors for the NSA and other agencies in the Bundeswehr's Windows systems, which could affect the German economy. (Articles on Wired.com, DebianHelp)

They developed their own proprietary operating systems, based mainly on Linux, forced all sensitive German government and army offices to change to those OSes, and got rid of all Microsoft software.

These facts remind me of the scandal of the American embassy in Moscow in 1987, when the US diplomats refused to move to the new embassy because of rumors that the embassy had been filled with Soviet surveillance equipment during its construction. I've heard that Clinton received the full schematics of the surveillance system after the fall of the USSR. (Another article on NYTimes)

Source AboveTopSecret, News.com
The FBI Presentation



Tuesday, April 22, 2008

New WIPS from Aruba

Aruba Networks, a global leader in user-centric networks and secure mobility solutions, today announced a new version of its RFprotect Wireless Intrusion Prevention System (WIPS) software that allows users to define their own attack-detection signatures and defend against previously unknown, undisclosed, or unpatched vulnerabilities (zero-day attacks). These user-defined signatures can be implemented almost immediately, enhancing security and giving users more control over their threat vulnerability. All other wireless intrusion prevention systems require the supplying vendor to provide updates, leaving customers vulnerable in the meantime when a new attack is developed.

In addition, Aruba customers will be able to make their user-defined signatures available to others by contributing them to the Wireless Vulnerabilities and Exploits (WVE) database at www.wve.org, a community vulnerabilities database. Aruba has long been an active participant in the WVE Project.

"Security is an unending, iterative process in which the best defense is built by rapidly integrating updates about real or potential attacks as quickly as possible," said Rajeev Shah, Aruba's wireless IDS product manager. "User-defined threat definitions are used successfully in other segments of the security market, and we're pleased to be the first to make it available for WIPS."

The new software represents the full integration of the RFprotect software that Aruba acquired from Network Chemistry in 2007. RFprotect software automatically detects network vulnerabilities and contains unauthorized clients and ad hoc networks even as they roam. With its customizable security policies, RFprotect software delivers organization-specific security policy enforcement, reduces false positives, and generates reports to meet compliance requirements. The new RFprotect software has been integrated into Aruba's secure mobility solutions to enhance Layer 1-2 security capabilities.

"It is important that the interval between the detection of a security threat and its mitigation be as short as possible because of the vulnerability created by the gap," said Paul DeBeasi, senior analyst at Burton Group. "Collaboratively developing, testing, and disseminating security features, including user-defined signatures, can minimize the vulnerability more rapidly than relying on a single vendor for periodic updates. This method has been used effectively in areas such as virus detection, and is an innovative way to enhance WIPS security."

The new RFprotect software will be shipping early this summer, and will be introduced at Interop Las Vegas, April 29 to May 1, booth 1262, at the Mandalay Bay Convention Center.




Saturday, April 19, 2008

eBay Romanian Hacker Arrested


BUCHAREST / 12:02, 18.04.2008 - Mediafax

The Bucharest court Friday issued a 29-day arrest warrant for the Romanian accused of repeatedly breaking into email accounts belonging to eBay employees between 2005 and 2007 causing damages of over $2 million.
The hacker, Vlad Constantin Duiculescu, was arrested for 24 hours by organized crime prosecutors.

On April 19, 2005, the US Secret Service sent Romanian authorities a notice about the internet sale of an application containing the source code of the eBay login page, which required users to enter usernames and passwords.

Following investigations, it was found that eBay users were being redirected to fake websites. Investigators identified over 270 such websites, seven of which were linked to Duiculescu.

See the video news here: Antena3, TVR
More about this: eBayWatch



Thursday, February 28, 2008

Hackers are selling logins for 8,700 FTP servers

San Jose, CA, USA, February 27, 2008 - Criminals have assembled a huge database of hacked FTP server logins belonging to some of the world’s leading companies, a security company has revealed.

Finjan said it had stumbled upon a database containing account usernames, passwords and server addresses for a staggering 8,700 FTP servers, many of which were being used by US Fortune 100-level enterprises.

The hacked servers could be used to distribute crimeware by injecting iframe tags into any webpage stored on the compromised FTP servers. Indeed the server accounts were themselves being traded by a web application able to rank and price them according to their Google page rank for re-sale to other criminals.
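The injection described above leaves a recognisable trace in the site's own files: an iframe that the page owner never wrote, usually hidden (zero-size or `display:none`) and pointing at a host the site does not control. The following scanner is an added example, not code from Finjan or from the original post; it walks a set of HTML pages (constructed samples here, standing in for files pulled from the FTP server) and reports iframes that are hidden or tiny, noting whether they load from an off-site host. The site host name and the sample URLs are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs arrives as (name, value) pairs; value is None when absent
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (a classic hiding trick)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _is_hidden_style(style):
    """True when the inline style hides the frame or collapses it to 0/1px."""
    s = (style or "").lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(width|height):[01](px)?(;|$)", s) is not None)


def suspicious_iframes(html, site_host):
    """Return hidden or tiny iframes in one page, with the reasons they were flagged.

    A visible iframe, even an off-site one (a video embed, say), is not flagged on
    its own; being off-site is only recorded as an extra reason on a hidden frame.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        # a relative src resolves to the site itself
        host = urlparse(src).hostname or site_host
        reasons = []
        if _is_tiny(frame.get("width")) or _is_tiny(frame.get("height")):
            reasons.append("tiny dimensions")
        if _is_hidden_style(frame.get("style")):
            reasons.append("hidden by style")
        if reasons and host != site_host:
            reasons.append("off-site src %s" % host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_site(pages, site_host):
    """Map file name -> findings for every page that contains a suspicious iframe."""
    report = {}
    for name, html in pages.items():
        found = suspicious_iframes(html, site_host)
        if found:
            report[name] = found
    return report


# Constructed sample pages (hosts under .invalid / .example are placeholders).
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "about.html": ('<html><body><p>About us</p>'
                   '<iframe src="http://crimeware.invalid/in.cgi?3" width="0" '
                   'height="0" frameborder="0"></iframe></body></html>'),
    "news.html": ('<html><body><iframe src="/widgets/calendar.html" width="300" '
                  'height="200"></iframe><iframe src="http://203.0.113.5/count.php" '
                  'style="display:none"></iframe></body></html>'),
    "video.html": ('<html><body><iframe src="http://video.example/embed/1" '
                   'width="640" height="360"></iframe></body></html>'),
}

if __name__ == "__main__":
    for page, hits in scan_site(SAMPLE_PAGES, "www.example.com").items():
        for hit in hits:
            print(page, hit["src"], ", ".join(hit["reasons"]))
```

In practice the same routine is run over a mirror of the web root and the output compared against a known-good copy; on a site that legitimately uses no iframes at all, any hit is worth a look regardless of size.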

The company found the database while examining what appears to be a sophisticated Russian crimeware hub built using a newer version of the Neosploit crimeware toolkit, sophisticated enough to offer its criminal users a SaaS (software as a service) interface for carrying out attacks.

Using the Alexa.com domain ranking, Finjan found 10 of the top 100 domains in the database, 100 of the top 500 domains, and 50 of those between 500 and 1,000.

Breaking these down by location, 2,621 were in the US, 1,247 in Russia, 392 in Australia, and 354 in Asia/Pacific. The rest were in Eastern Europe, with only a handful in western European countries such as Germany and the UK, which accounted for 80 and 78, respectively.

"With this new trading application, cyber-criminals have an instant 'solution' to their problem of gaining access to FTP credentials and thus infecting both the legitimate websites and unsuspecting visitors," said Finjan's Yuval Ben-Itzhak.

Read more here




Wednesday, February 6, 2008

WordPress blogs vulnerable to attack


WordPress developers have released an "urgent" security update to the widely used blog publishing tool to address a flaw that could allow unauthorised users to edit other users' blog posts.
Less serious bugs have also surfaced in two WordPress add-ons, the WP-Forum plugin and the multi-user version of WordPress, WordPress MU.
WordPress is currently one of the most popular blog publishing systems, and is widely used by large organisations.
The WordPress update, version 2.3.3, addresses a bug in WordPress' XML-RPC implementation, developers said.
"If you have registration enabled... a specially crafted request would allow a user to edit posts of other users on that blog," said a WordPress spokesman on the software's website.
Users can download the fixed application directly, or the patched version of xmlrpc.php on its own.
Separately, an unpatched WP-Forum plugin bug has been found to allow attackers to retrieve information such as user names, password hashes and email addresses for users and administrators on a compromised blog, according to Secunia.
The vulnerability "is being actively exploited right now," WordPress said, advising users to disable the plugin until a patch has become available.
Also on Tuesday, WordPress released a fix for a bug in WordPress MU that could be exploited to bypass security restrictions and compromise a vulnerable system.
The bug, found in the wp-admin/options.php script, does not properly restrict changes to options, which could be abused to for instance upload and execute arbitrary PHP code, according to Secunia.
However, to exploit the flaw an attacker must have valid user credentials and "manage_options" capabilities. "Upload_files" capabilities must also be present, Secunia said.
The flaw is fixed in version 1.3.3 of WordPress MU, according to developers.
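The XML-RPC bug above is an authorization failure: the request is authenticated (the caller is a registered user), but the handler never asks whether that user may edit *this* post. The following is an added example, a small Python model of that check and not WordPress's own code; the users, capability names, passwords and post data are constructed for the example, with `edit_posts` and `edit_others_posts` used in the sense WordPress roles give them. It shows a handler with only the authentication step next to one that also checks post ownership or the `edit_others_posts` capability.

```python
import copy
import hmac
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    caps: set = field(default_factory=set)


@dataclass
class Post:
    id: int
    author: str
    content: str


class Forbidden(Exception):
    """Raised when an authenticated caller lacks the right to perform the edit."""


# Constructed sample accounts: two ordinary registered users and one editor.
USERS = {
    "alice": User("alice", {"edit_posts", "publish_posts"}),
    "bob": User("bob", {"edit_posts"}),
    "carol": User("carol", {"edit_posts", "edit_others_posts"}),
}
CREDENTIALS = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"}  # constructed


def fresh_posts():
    """A new copy of the sample post table, so each scenario starts clean."""
    return copy.deepcopy({1: Post(1, "alice", "original text")})


def login(username, password):
    """Authenticate an XML-RPC style username/password pair (constant-time compare)."""
    expected = CREDENTIALS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        raise Forbidden("bad credentials")
    return USERS[username]


def can_edit_post(user, post):
    """Object-level authorization: own post, or the editor-level capability."""
    return post.author == user.name or "edit_others_posts" in user.caps


def edit_post_vulnerable(posts, username, password, post_id, new_content):
    """Checks only that the caller is a registered user who may edit *some* posts."""
    user = login(username, password)
    if "edit_posts" not in user.caps:
        raise Forbidden("cannot edit posts")
    posts[post_id].content = new_content  # never asks whose post this is
    return True


def edit_post_fixed(posts, username, password, post_id, new_content):
    """Same handler with the missing per-post ownership/capability check added."""
    user = login(username, password)
    post = posts.get(post_id)
    if post is None:
        raise KeyError(post_id)
    if not can_edit_post(user, post):
        raise Forbidden("cannot edit other users' posts")
    post.content = new_content
    return True


def try_edit(handler, posts, username, password, post_id, new_content):
    """Run a handler and report the outcome as a string instead of raising."""
    try:
        handler(posts, username, password, post_id, new_content)
        return "ok"
    except Forbidden as exc:
        return "forbidden: %s" % exc


if __name__ == "__main__":
    for handler in (edit_post_vulnerable, edit_post_fixed):
        posts = fresh_posts()
        print(handler.__name__, "bob on alice's post:",
              try_edit(handler, posts, "bob", "pw-bob", 1, "defaced"),
              "->", posts[1].content)
```

The fix is one predicate, `can_edit_post`, evaluated on the specific post being changed; the same pattern applies to any XML-RPC or REST method that takes an object id from the client.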