Nigerian Electoral Commission Website Hacked
Posted on March 29, 2015 by Kara Dunlap in Security
Nigeria’s electoral commission admitted on Saturday that its website had been hacked, as the country’s crucial presidential and parliamentary elections were hit by technical problems.
“The INEC (Independent National Electoral Commission) website was hacked this morning but we are trying to revive it,” the body’s deputy director of public affairs, Nick Dazang, told AFP.
“But nothing has been tampered with,” he added, without elaborating.
INEC has been under scrutiny for weeks about its preparations for the election, in particular over the use of biometric voter identity cards and new technology to cut down on electoral fraud.
Voters throughout Nigeria have complained about lengthy delays in authenticating their cards. President Goodluck Jonathan’s own card failed on the new system and he had to be accredited by hand.
The INEC website — inecnigeria.org — was allegedly targeted by the Nigerian Cyber Army. A message on the home page read: “Feel some shame Admin!! Security just an illusion.”
The site was later back online.
Critical Vulnerability Impacting Hotel Wifi Networks Uncovered
Posted on March 26, 2015 by Kara Dunlap in Security
A serious security hole affecting a popular Internet gateway device used in hotels and convention centers has been closed.
The vulnerability affects ANTlabs’ InnGate, which is designed for operating corporate visitor-based networks. According to security firm Cylance, the vulnerability can be exploited to allow an attacker to monitor or tamper with traffic to and from any hotel Wifi user’s connection and potentially gain access to a hotel’s property management system.
Cylance reports that 277 hotels, convention centers and data centers across 29 countries are affected. At its core, the vulnerability is due to a misconfigured rsync instance included in the InnGate firmware. If exploited, the attacker would have read/write access to the entire file system without authentication.
“CVE-2015-0932 gives an attacker full read and write access to the file system of an ANTLabs’ InnGate device,” explained Brian Wallace, senior researcher at Cylance, in a blog post. “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”
“When an attacker gains full read and write access to a Linux file system, it’s trivial to then turn that into remote code execution,” he continued. “The attacker could upload a backdoored version of nearly any executable on the system and then gain execution control, or simply add an additional user with root level access and a password known to the attacker. Once full file system access is obtained, the endpoint is at the mercy of the attacker.”
If an attacker has compromised a vulnerable InnGate device at a hotel, obtained shell access via SSH and created an account for themselves with root access, they could run tcpdump and dump all network traffic going through the device. This would allow an attacker to collect any plaintext communication sent through the gateway of the affected hotel or location, Wallace blogged.
“A slightly more sophisticated attacker could use a tool such as SSLStrip in order to attempt to downgrade the transport layer encryption in order to increase the amount of plaintext credentials gathered,” Wallace noted. “This attack gives the threat actor incredible leverage over their targets including making OpenSSL vulnerabilities easier to exploit.”
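The daemon configuration is the control point for this exposure class, so here is an added audit check, written for this page rather than taken from Cylance or ANTlabs, that parses an rsyncd.conf and flags the settings that together produce what the advisory describes: a module exporting the whole file system read/write with no authentication, reachable from any address, running as root and without a chroot. Both configurations are constructed samples; the actual InnGate daemon configuration is not reproduced on the page.

```python
import os
from typing import Dict, List

# Constructed: an over-permissive daemon, roughly what "unauthenticated rsync
# with read/write access to the whole file system" looks like in config form.
WEAK_CONF = """
uid = root
gid = root
use chroot = no

[rootfs]
path = /
read only = no
list = yes
"""

# Constructed: the same service restricted to one read-only tree, one
# authenticated account, an unprivileged uid and an address allow-list.
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 10.0.0.0/8

[config-export]
path = /var/export/config
read only = yes
list = no
auth users = backup
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal rsyncd.conf reader: 'key = value' lines, '[module]' headers,
    '#' or ';' comments. Global keys (before any header) land in section ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return sections


def audit_rsyncd_conf(text: str) -> List[str]:
    """Return one finding per risky module setting, using rsync's documented
    defaults (read only = yes, use chroot = yes, uid = nobody, no hosts allow).
    A module value overrides a global one, which overrides the default."""
    conf = parse_rsyncd_conf(text)
    glob = conf[""]
    findings: List[str] = []
    for name, mod in conf.items():
        if name == "":
            continue

        def opt(key: str, default: str) -> str:
            return mod.get(key, glob.get(key, default)).lower()

        path = mod.get("path", "")
        if "auth users" not in mod:
            findings.append(f"[{name}] no 'auth users': reachable without authentication")
        if opt("read only", "yes") in ("no", "false", "0"):
            findings.append(f"[{name}] 'read only = no': clients can write under {path or '?'}")
        if path and os.path.normpath(path) == "/":
            findings.append(f"[{name}] path is '/': exports the entire file system")
        if opt("uid", "nobody") in ("root", "0"):
            findings.append(f"[{name}] runs as root: written files are owned by uid 0")
        if opt("use chroot", "yes") in ("no", "false", "0"):
            findings.append(f"[{name}] 'use chroot = no': symlinks can point outside the module")
        if opt("hosts allow", "") == "":
            findings.append(f"[{name}] no 'hosts allow': any source address may connect")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_rsyncd_conf(conf)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a real daemon's config, every finding on the weak sample maps to one of the conditions Wallace lists: no authentication, unrestricted writes, the whole file system in scope and root ownership of whatever is written. The hardened sample produces no findings because each condition has an explicit, narrower setting.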
ANTlabs released a patch for the issue today. The vulnerable devices include:
- IG 3100 model 3100, model 3101
- InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
- InnGate 3.01 G-Series, 3.10 G-Series
Hotel networks offer a potentially attractive target for cyber-espionage groups. Last year, an advanced persistent threat (APT) group was discovered targeting Wifi networks at hotels in Asia. In addition, the FBI and the Internet Crime Complaint Center warned in 2012 that attackers were targeting travelers abroad through malicious pop-up windows when they established an Internet connection in their hotel rooms.
“While the DarkHotel campaign was clearly carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact,” Wallace wrote. “The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it.”
US Police Grapple With Rise of ‘Swatting’ Pranks
Posted on March 23, 2015 by Kara Dunlap in Security
When Florida police got a call from a man who said he shot four people at rapper Lil Wayne’s house this month, they responded as they are trained to.
Heavily armed, clad in body armor and accompanied by sniffer dogs, officers surrounded the Miami mansion after the alleged shooter told the 911 dispatch: “I’m killing whoever else I see…”
But police found no shooter at the house, and no victims. Lil Wayne was not there either.
The rapper was the target of a “swatting” prank, a phenomenon gaining popularity in the United States and creating public safety risks and budget strains for law enforcement.
The stunt — a modern-day and much more serious version of a prank call — involves a call to emergency services claiming a crisis.
When police arrive, the alarmed victim is often greeted by angry bangs at the door from screaming officers with cocked guns.
Special weapons and tactics (SWAT) units are usually dispatched — which the term swatting comes from — because they are trained to deal with serious emergencies swatters typically falsely report, such as hostage taking, mass shootings, bomb threats and domestic violence.
Following the false alarm at Lil Wayne’s mansion, Miami police said on Twitter: “Unfortunately this appears to be a ‘Swatting’ call. No victims /no injuries /no subject at 94 LaGorce.”
Police are obliged to respond to emergency calls, but say such pranks are a waste of resources.
“Fortunately in terms of no one hurt yes. Unfortunate in the waste of resources for a hoax that we have to treat seriously,” Miami Police tweeted.
Lil Wayne is not the only celebrity swatting victim.
Famous Hollywood prankster, Ashton Kutcher, host of the hoax show “Punk’d,” has been swatted, along with Justin Bieber, Rihanna, P. Diddy, Justin Timberlake, Tom Cruise and Miley Cyrus.
Swatters have also hit politicians, journalists and schools.
Live-stream swatting
The phenomenon of swatting was first reported to the Federal Bureau of Investigation in 2008, and has steadily gained popularity since.
Officials estimate about 400 swattings occur every year, but many no longer report incidents to prevent copycat acts and to avoid giving swatters publicity.
The hoax is popular in the online gaming community, where swatters target online rivals who are live-streaming a game. When police arrive, the stunt is broadcast in real-time.
Swatting videos show victims at their computers when they are interrupted by loud bangs at the door followed by heavily armed police storming their homes.
Perpetrators target online rivals and access their addresses by hacking their computers.
Police consider the act a dangerous crime, and say swatting is a serious public safety issue.
“The swatting practice is extremely dangerous and places first responders and citizens in harm’s way,” the FBI said in a statement.
“It is a serious crime, and one that has potentially dangerous consequences.”
Beyond being a waste of resources, police say swatting creates major risks.
Some hapless victims were carrying objects that could be mistaken for a weapon. Others grabbed a real gun, mistaking law enforcement for intruders.
Police are at risk too — in one incident an officer was injured in a car accident while responding to a swatting hoax.
“It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents,” the FBI said.
Seeking tough laws
But tracking perpetrators is tough, as callers use software to disguise the call origin or place the calls from untraceable Internet sites.
Though there is no federal swatting legislation in place, punishment can be tough for swatters who are caught.
In 2009, 19-year-old Matthew Weigman was sentenced to 11 years in prison for orchestrating several swattings. The blind phone hacker who was a member of a swatting ring had been making the fake calls to police for five years.
Some politicians are pushing for tougher laws to deal with the crime.
California Congressman Ted Lieu introduced legislation in his state that was adopted in 2014, forcing convicted swatters to pay for costs related to fake calls, which can be as much as $10,000.
Lieu, himself a victim of swatting, said the bill protects the public and prevents police resources from being wasted.
Despite moves to strengthen punishments, the phenomenon continues to gain momentum, both on US soil and abroad.
Last week, French television host Enora Malagre was a victim of swatting when a man called police claiming he stabbed her and threatened to shoot at police.
Vulnerability Found in Yoast’s Google Analytics WordPress Plugin
Posted on March 21, 2015 by Kara Dunlap in Security
Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code.
Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account.
The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin.
According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel.
The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials.
The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel.
“Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.”
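An added example of the two defects as code, not the plugin's own source: an HTML dropdown built from API data with and without output escaping, and a settings-write handler with and without a capability and request-token check. The function names, the `manage_options` capability, the HMAC nonce scheme and the sample profile data are assumptions made for illustration.

```python
import hashlib
import hmac
import html
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: profile names as an analytics API might return them. The second
# carries a classic XSS probe; the API hands back whatever the account owner set.
SAMPLE_PROFILES: List[Dict[str, str]] = [
    {"id": "101", "name": "Corporate site"},
    {"id": "102", "name": 'Blog"><script>alert(1)</script>'},
]


def render_profile_dropdown_unsafe(profiles: List[Dict[str, str]]) -> str:
    # The defect class described above: remote data dropped straight into markup.
    options = "".join(f'<option value="{p["id"]}">{p["name"]}</option>' for p in profiles)
    return f'<select name="profile">{options}</select>'


def render_profile_dropdown(profiles: List[Dict[str, str]]) -> str:
    # Escape every interpolated value for the HTML context it lands in
    # (attribute value and element text both get quote-aware escaping).
    options = "".join(
        f'<option value="{html.escape(p["id"], quote=True)}">'
        f'{html.escape(p["name"], quote=True)}</option>'
        for p in profiles
    )
    return f'<select name="profile">{options}</select>'


NONCE_SECRET = b"constructed-secret-do-not-reuse"  # per-site secret; constructed here


def make_nonce(user_id: int, action: str) -> str:
    """Request token bound to a user and an action (hypothetical stand-in for
    the nonce mechanism a CMS such as WordPress provides)."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:20]


@dataclass
class Request:
    user_id: Optional[int]      # None means not logged in
    capabilities: Set[str]
    nonce: str
    form: Dict[str, str]


def save_oauth_credentials_unsafe(req: Request, store: Dict[str, str]) -> bool:
    # The access-control defect: no caller check, so any request can overwrite
    # the stored token and point the plugin at an account the caller controls.
    store["oauth_token"] = req.form["oauth_token"]
    return True


def save_oauth_credentials(req: Request, store: Dict[str, str]) -> bool:
    """Require an authenticated admin-level caller and a valid action token."""
    if req.user_id is None or "manage_options" not in req.capabilities:
        return False
    expected = make_nonce(req.user_id, "save_ga_oauth")
    if not hmac.compare_digest(req.nonce, expected):
        return False
    store["oauth_token"] = req.form["oauth_token"]
    return True


if __name__ == "__main__":
    print(render_profile_dropdown_unsafe(SAMPLE_PROFILES))
    print(render_profile_dropdown(SAMPLE_PROFILES))
    settings: Dict[str, str] = {}
    anon = Request(None, set(), "", {"oauth_token": "attacker-token"})
    print("anonymous write accepted:", save_oauth_credentials(anon, settings))
```

Either fix alone closes one stage of the chain: with the capability check in place the attacker cannot swap in their own account, and with escaping in place a hostile profile name is rendered as text rather than executed. Both belong, because the escaping also protects against an account that is compromised by other means.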
The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar.
This isn’t the first time someone has found a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast.
HP Fixes Vulnerabilities in ArcSight Products
Posted on March 18, 2015 by Kara Dunlap in Security
HP has released software updates to address several vulnerabilities affecting ArcSight Enterprise Security Manager (ESM) and ArcSight Logger, products that are part of the company’s enterprise security portfolio.
An advisory published by the CERT Coordination Center at Carnegie Mellon University on Tuesday shows that a total of five security holes have been uncovered by Poland-based security researcher Julian Horoszkiewicz in the two HP ArcSight products.
One of the vulnerabilities affecting ArcSight Logger can be exploited by a remote, authenticated attacker to upload arbitrary files to the affected system. A malicious actor might be able to execute scripts on the server with the application’s privileges. Uploading arbitrary files is possible because the product’s configuration import feature does not sanitize file names, CERT said.
Another Logger issue can be exploited by an authenticated attacker to modify sources and parsers. The weakness exists because all users are allowed to access certain configuration features, such as input, search, and content management.
Horoszkiewicz has also found that the XML parser in Logger’s content import section is vulnerable to XML External Entity Injection attacks. A malicious actor could leverage the bug to execute arbitrary scripts on the server.
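Two of the Logger issues have well-understood fixes, illustrated here with added code that is not HP's: a strict filename check for the configuration import path, and an XML import that refuses any DTD so that no external entity can be declared. The accepted extensions, the upload directory and the sample documents are assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Optional

ALLOWED_EXTENSIONS = {".xml", ".json", ".properties"}  # assumed import formats
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def check_import_filename(user_name: str, upload_dir: str) -> Optional[str]:
    """Return None if user_name is a bare, conservatively named file that
    resolves inside upload_dir, otherwise the reason it was rejected."""
    if not user_name or "\x00" in user_name:
        return "empty filename or embedded NUL"
    if "/" in user_name or "\\" in user_name or ".." in user_name:
        return "filename must not contain path separators or '..'"
    if not SAFE_NAME.match(user_name):
        return "filename contains disallowed characters"
    if os.path.splitext(user_name)[1].lower() not in ALLOWED_EXTENSIONS:
        return "file type not accepted for import"
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, user_name))
    if os.path.dirname(dest) != root:  # belt and braces after the checks above
        return "resolved path escapes the upload directory"
    return None


def safe_import_filename(user_name: str, upload_dir: str) -> str:
    """Final on-disk path for an accepted upload; ValueError otherwise."""
    reason = check_import_filename(user_name, upload_dir)
    if reason is not None:
        raise ValueError(reason)
    return os.path.join(os.path.realpath(upload_dir), user_name)


DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """True if the document declares a DTD or entity anywhere."""
    return DTD_MARKERS.search(data) is not None


def parse_import_xml(data: bytes) -> ET.Element:
    """Parse an uploaded XML document while refusing any DTD. With no DOCTYPE
    there is nowhere to declare an external entity (the XXE vector) or the
    nested internal entities used for expansion attacks. Expat does not fetch
    external entities by default, but rejecting the DTD makes the policy explicit."""
    if has_dtd(data):
        raise ValueError("DTD and entity declarations are not accepted in imports")
    return ET.fromstring(data)


# Constructed samples: a benign content-import document and one carrying an
# external entity declaration (placeholder URI, not a real path).
BENIGN_XML = b"<content><source name='syslog-ng' type='udp'/></content>"
XXE_XML = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE content [<!ENTITY ext SYSTEM 'file:///placeholder/secret'>]>"
    b"<content><source name='&ext;'/></content>"
)

if __name__ == "__main__":
    upload_dir = "/var/lib/logger/imports"  # assumed location
    print(safe_import_filename("parsers.xml", upload_dir))
    for bad in ("../escape.xml", "shell.jsp", "a/b.xml", ".hidden.xml"):
        print(f"rejected {bad!r}: {check_import_filename(bad, upload_dir)}")
    print(parse_import_xml(BENIGN_XML).find("source").get("name"))
    try:
        parse_import_xml(XXE_XML)
    except ValueError as exc:
        print("rejected XML:", exc)
```

Allow-listing the name (rather than stripping suspicious characters) and deciding the extension server-side is what prevents a configuration import from becoming a script upload; the realpath comparison is a second line in case a later change relaxes the name rule.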
The other two HP ArcSight vulnerabilities identified by the researcher are a cross-site scripting (XSS) flaw that could allow an attacker to disrupt or modify rules and resources on the system, and a cross-site request forgery (CSRF) that can be exploited to modify data on the system. Since these types of vulnerabilities are exploited by tricking the victim into clicking on a maliciously crafted link, the extent of the damage that an attacker can cause depends on the privileges of the targeted user.
HP says the vulnerabilities impact ArcSight ESM prior to version 6.8c, and ArcSight Logger prior to version 6.0P1.
CERT’s advisory shows that CVE identifiers are pending for each of the flaws. However, HP’s own advisory reveals that an identifier, CVE-2014-7885, has been assigned to multiple vulnerabilities in HP ArcSight ESM, and a second identifier, CVE-2014-7884, has been assigned to multiple flaws in HP ArcSight Logger.
Horoszkiewicz has uploaded a proof-of-concept for the ArcSight Logger file upload vulnerability to Offensive Security’s Exploit Database. The researcher said he had sent a vulnerability report to HP in late August 2014, and new versions containing the fix were released on January 21, 2015.
PayPal Buys Cybersecurity Firm, Creates Israel Hub
Posted on March 10, 2015 by Kara Dunlap in Security
Online payments group PayPal announced Tuesday it was acquiring Israeli cybersecurity firm CyActive and establishing a new security hub in Israel.
The terms of the deal were not announced, but some reports this week said PayPal, which is being spun off by online giant eBay, was paying $60 million for CyActive.
“Our goal is to extend our global security leadership, and bolster our efforts in predictive threat detection and prevention,” said PayPal chief technology officer James Barrese in a blog post.
“The acquisition of CyActive will bring great talent and immediately add ‘future-proof’ technology to PayPal’s world-class security platform. With CyActive, we’ll have even more ways to proactively predict and prevent security threats from ever affecting our customers.”
The move comes with the finance sector increasingly under attack from hackers. In recent months, major companies have disclosed data breaches affecting tens of millions of customers, with credit card or financial information leaked in some cases.
CyActive, which launched in 2013, specializes in “predictive cybersecurity,” or heading off online attacks before they happen.
The company’s website claims it has “an unprecedented ability to automatically forecast the future of malware evolution, based on bio-inspired algorithms and a deep understanding of the black hats’ hacking process.”
Online retail giant eBay unveiled plans last September to spin off PayPal, aiming to help the unit compete better in the fast-moving online payments segment.
According to eBay, PayPal facilitates one in every six dollars spent online today.
And PayPal has moved into mobile payments with the acquisition of the payment processing group Braintree, boosting its own mobile platform called OneTouch.
CIA to Boost Cyber Capability in Sweeping Overhaul
Posted on March 7, 2015 by Kara Dunlap in Security
The CIA plans to radically overhaul operations, ramping up its capability to deal with cyber threats while boosting integration between departments via a network of new units.
Central Intelligence Agency director John Brennan outlined the proposed changes to the agency in a message to staff on Friday described as a “Blueprint for the Future” covering four key areas.
Brennan said the US espionage agency would set up a new “Directorate of Digital Innovation” to reflect the rapidly evolving cyber landscape.
“We must place our activities and operations in the digital domain at the very center of all our mission endeavors,” Brennan wrote.
“To that end, we will establish a senior position to oversee the acceleration of digital and cyber integration across all of our mission areas.”
The changes reflect the increasing emphasis on cybersecurity by the United States after a series of high-profile digital breaches in recent years, such as the Sony Pictures hack blamed on North Korea.
Director of National Intelligence James Clapper last month told lawmakers that foreign cyberattacks represented a bigger threat to national security than terrorism.
US media reports said Brennan’s sweeping changes would affect thousands of employees at the agency.
‘Bold steps’
A centerpiece of the overhaul would be the establishment of 10 new “Mission Centers” aimed at enhancing integration between departments.
“Never has the need for the full and unfettered integration of our capabilities been greater,” Brennan said in his message. “We must take some bold steps toward more integrated, coherent and accountable mission execution.”
Analysts said the introduction of Mission Centers was intended to eliminate divisions between traditional departments covering the Middle East, Africa and other regions.
Several media reports said the new units would be modeled on the CIA’s Counterterrorism Center, which grew exponentially in the years after the September 11, 2001 attacks on US soil.
The new centers will “bring the full range of operational, analytic, support, technical and digital personnel and capabilities to bear on the nation’s most pressing security issues,” Brennan said.
Each new center would be led by an assistant director who would be accountable for overall mission accomplishment in the field or geographic region assigned to their unit.
According to The Wall Street Journal, the overhaul follows an exhaustive review led by senior CIA veterans that identified several “pain points.”
“One of the things we’re trying to do here is to think about the agency operating in a way so that there are less of those… frictions that build up over time, and to have a more streamlined, a more efficient agency so we can, frankly, produce more, do a better job in some of the areas where we need to do better,” Brennan was quoted by the Journal as saying.
Identity Fraud Cost U.S. Consumers $16 billion in 2014
Posted on March 4, 2015 by Kara Dunlap in Security
Identity thieves were busy during 2014, but a new study estimates that U.S. consumers actually suffered fewer losses than in the past.
According to the 2015 Identity Fraud Study from Javelin Strategy & Research, the number of identity fraud victims decreased slightly last year, dropping by three percent from 2013. All totaled, Javelin estimates 12.7 million U.S. consumers were victimized in identity theft in 2014, compared to 13.1 million the previous year. Total fraud losses fell as well, dropping from $18 billion in 2013 to $16 billion in 2014.
In another bright spot in the report, new account fraud – where a scammer opens a new account in the name of the victim – appears to have hit a record low in 2014. The good news does not go much further than that however. The report also found that victims of new account fraud are three times more likely to take a year or more to discover that their identities were misused than victims of other types of fraud.
Additionally, while incidents of identity fraud may have declined, they had a lasting impact on the spending habits of some of the victims. According to the survey, 28 percent of the 5,000 people surveyed said they avoided merchants after being victims of fraud. In addition, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.
While students were the least concerned about fraud, Javelin found students were actually the most impacted. Though 64 percent said they were unconcerned with fraud, the group reported feeling more impact when fraud occurred, with 15 percent classifying it as moderate or severe. Students are also the least likely to detect identity fraud themselves. Some 22 percent said they were notified of the situation by a debt collector or when they were denied credit, three times higher than the average fraud victim.
“Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem,” said Al Pascual, director of fraud & security, Javelin Strategy & Research, in a statement. “Consumers, financial institutions and retailers are all taking aggressive steps, yet we must remain vigilant. The criminals will continue to find new ways to commit fraud, so taking advantage of available technology and services to protect against, detect and resolve identity fraud is a must for all individuals and corporations.”
Silent Circle Unveils Enterprise Platform, New Devices
Posted on March 2, 2015 by Kara Dunlap in Security
Silent Circle Launches Enterprise Platform and New Devices Including Blackphone 2 and Blackphone+ Tablet
Silent Circle today unveiled two new devices as part of its Blackphone product line, along with a new enterprise platform that combines devices, software and services into a privacy and security focused mobile architecture.
New hardware unveiled by the company includes the Blackphone 2 and the privacy focused tablet, Blackphone+.
Scheduled to be available in the second half of 2015, Blackphone 2 offers hardware improvements over its predecessor, including a faster 8-core processor, three times more RAM and a longer lasting battery, the company said. The smartphone also integrates with existing Mobile Device Management systems and comes with a larger Full HD display.
Arriving later in 2015, the Blackphone+ tablet will offer privacy for mobile workers, the company said.
News of the enterprise platform and new hardware offerings comes just days after the company announced that it had agreed to buy out a joint venture with Geeksphone, giving Silent Circle a 100 percent ownership stake in SGP Technologies and full ownership of the privacy and security focused Blackphone product line.
Offerings and enhancements coming as part of the new platform include:
PrivatOS 1.1 – The first major upgrade to the Android-based operating system created by Silent Circle introduces Spaces, an OS-level virtualization and management solution that enables devices to separate work from play. Geared specifically for the enterprise, PrivatOS allows users to keep enterprise and personal apps separate, while enabling IT administrators to lock and wipe enterprise managed ‘Spaces’ when necessary.
PrivatOS can also now integrate with several Mobile Device Management (MDM) platforms as a result of partnerships with Citrix, Soti and Good Technology.
Silent Suite, a set of core applications with peer-to-peer key negotiation and management, now includes Silent Meeting, a new, secure conference calling system that supports multiple participants.
Additional services offered as part of the enterprise platform include:
Silent Store – Installed on all Blackphone devices, the world’s first privacy-focused app store features apps from the developer community vetted by Silent Circle.
Silent World – An encrypted calling plan that lets users communicate privately with those who don’t have Silent Phone. Silent World allows users to call anyone within the Silent Circle coverage areas privately, with no roaming charges or extra fees.
Silent Manager – Silent Manager gives enterprises a simple web based solution for managing plans, users and devices.
“Traditional security solutions have failed global enterprise in a mobile world and make data and privacy breaches feel inevitable to most enterprises,” said Mike Janke, Co-Founder and Chairman of the Silent Circle Board at a press conference held at Mobile World Congress 2015 this morning. “What’s more, these breaches have evolved and have much broader impact. They now put every customer, employee and partner at risk. They are eroding the trust people have in enterprises. They have moved privacy firmly to the top of the boardroom agenda.”
“Enterprises have been underserved when it comes to privacy,” said Bill Conner, President and CEO of Silent Circle. “Traditional approaches to security have failed them. We’re here to fix that. We have to understand that to achieve real privacy now requires security plus policy. That new equation is driving everything we do in building the world’s first enterprise privacy platform.”
In May 2014, Silent Circle announced that it had decided to move its global headquarters from the Caribbean island of Nevis to Switzerland, in order to take advantage of the country’s privacy laws.
Last week, the company also announced that it had raised approximately $50 million in a private, common equity round to support accelerated growth.