Photograph by Vahid Salemi/AP Photo

A technician works at the Uranium Conversion Facility outside the city of Isfahan, Iran, in 2007.

The developers behind Stuxnet, the computer worm that damaged an Iranian nuclear plant in 2010, began their work on the malware earlier than previously known and experimented with multiple attack techniques, according to new research by Symantec Corp.

Stuxnet, which tampered with the speed of centrifuges, was preceded by a version in development as early as 2005 that was designed to manipulate the nuclear facility’s  gas valves, according to Francis deSouza, Symantec’s president of products and services. That ability could cause an explosion, he said.

The computer attack in 2010 was one of the first known examples of a cyber weapon used to destroy physical infrastructure. The programming code, which was developed by the United States and Israel, took out nearly 1,000 of the 5,000 centrifuges that Iran used to purify uranium by altering the speed of the machines, the New York Times reported.

“It looks like now the weapon tried a few things before it hit on what would actually work,”‘ deSouza said in an interview. “It is clear that this has been a sophisticated effort for longer than people thought.”

Mountain View, California-based Symantec, the world’s biggest computer-security software maker, found a sample of what it calls Stuxnet 0.5, the earliest known version of the computer worm.

Based on an analysis of the code, it was in the wild in November 2007 and in development at least two years before that. It was submitted to Symantec as part of a malware-scanning service, and deSouza would not identify the organization that submitted it. It was unclear if the code was ever activated in the wild, deSouza said.

The biggest change between the two versions was the earlier code had the ability to shut critical gas valves inside Iran’s uranium enrichment system, which could increase pressure and potentially cause an explosion, Symantec said. The later version of Stuxnet that damaged the Iranian facility did not have that ability and was replaced with the capacity to alter the speed of Iran’s centrifuges, deSouza said.

The findings, announced today at the RSA security conference in San Francisco, come amid recent reports of U.S. companies battling computer attacks from abroad, including Eastern Europe and China.

Original post is Stuxnet Had Earlier, Potentially Explosive Version, Symantec Says by Tech Blog.

Photograph by Bradley C. Bower/Bloomberg

The control room at Exelon Corp.’s Limerick nuclear power generating station in Limerick, Pennsylvania.

Control systems are a dream for hackers and Hollywood script-writers. They run power plants, dams, train lines and traffic lights — and they’re becoming more vulnerable to attacks that can inflict spectacular, physical destruction.

According to research released today by NSS Labs Inc., a computer-security firm, the number of vulnerabilities found in control systems worldwide jumped in 2012 to 124, up from 74 in 2011.

These aren’t normal security holes, like the kinds constantly found in Web browsers and consumer operating systems. They’re more serious, often involving obscure vendors with few ways to update their products. Attacks could look like “Live Free or Die Hard,” the 2007 Bruce Willis blockbuster about Internet attacks crippling U.S. infrastructure.

Security experts who make money from selling fixes — and politicians angling for government funds — are often eager to hype the threat from such bugs. But the numbers released by NSS show an unsettling trend.

Of the top 20 control-system vendors affected, few are household names, and attacks are already happening. The U.S. and Israel were allegedly behind the Stuxnet computer worm that damaged an Iranian nuclear plant in 2010, according to the New York Times, for instance.

One reason for the increase is that security researchers are looking for control-system bugs more often. We reported in this story about Project Basecamp, a group of elite researchers that is releasing information about control-system bugs to shock the industry into improving its security.

All of this heightened attention is giving the public a better sense of the scale of the problem with control-system insecurity. As for NSS Labs’ report, it’s a small window into this world since it’s based only on publicly available information (including from Project Basecamp and the U.S. government here and here), but it highlights one of the most urgent issues in computer security today.

Original post is Control-Systems Bugs Jump After Stuxnet Nuclear Plant Attack by Tech Blog.

Photograph by Max Oppenheim

The hacking of the New York Times illustrates the limitations of antivirus software sold by Symantec and others in catching attacks. It’s a cat-and-mouse game where the mouse usually wins.

Symantec, the world’s biggest antivirus-software maker, built a $15 billion empire on the back of a technology that it acknowledges doesn’t work that well at all.

The New York Times, a Symantec customer, reported today that its computer network was hacked repeatedly by attackers in China, and that Symantec’s programs didn’t catch the breaches. In response, Symantec put out a statement that said “anti-virus software alone is not enough.”

Other security technologies are needed to stop an attack like the one that hit the Times, Symantec said. While that may appear to be a bizarre admission from an antivirus maker, it’s no secret among security companies — and their customers — that antivirus programs are becoming less useful.

While security software is good at blocking malicious software it’s seen before, changing just one line of programming code can make a piece of commonly used malware invisible. Sophisticated attacks using custom software often doesn’t trigger alarms. Even Symantec itself was hacked and had some of its code stolen.

The shortcomings of antivirus software provide a sales opportunity. Worldwide spending on security software is projected to top $20 billion this year, according to Gartner. While Symantec doesn’t break out revenue from antivirus software, it’s a significant part of the company’s consumer and corporate security businesses, which had sales of $4.07 billion the company’s latest fiscal year.

While antivirus software often won’t stop advanced attacks, technologies based on analyzing attack patterns and the digital fingerprints of software can help thwart some sophisticated threats, said Cris Paden, a spokesman for Symantec.

The New York Times is still a Symantec customer, according to Eileen Murphy, a spokeswoman for the newspaper. The software was deployed properly on all machines in the Times’ network and did not spot the hackers’ malware, she added. The Wall Street Journal also reported that its systems were breached.

Bloomberg LP, the parent of Bloomberg News, is aware of attempts to infiltrate its computer systems and “the company’s security was not breached,” said Ty Trippet, a spokesman.

So in the cat-and-mouse game between security companies and the hackers they’re paid to stop, consider the latest breaches examples of how sometimes the mouse gets away. In fact, the mouse often gets away. The security industry has a funny solution: sell you a bigger cat.

Original post is Symantec After New York Times Attack Says Antivirus Isn’t Enough by Tech Blog.

Photograph by Colin Hawkins

Online research for personal medical issues may be a healthy practice.

Looking up your health symptoms on the Internet can be a traumatizing experience. Some websites are riddled with incomplete or inaccurate guidance, leaving you feeling like death is around the corner. Meanwhile, drug companies pitch you with online ads for prescriptions before you’ve even seen a doctor.

So how reliable is the information on the Web for those self-diagnosing their health? According to a new survey conducted by the Pew Research Center’s Internet & American Life Project, 41 percent of respondents who went online to look for information about medical conditions had their diagnoses later validated by a physician. That compares with 18 percent who said the clinician either didn’t agree or offered a different opinion.

However, 35 percent said they chose not to seek medical help, so we don’t know if their digital diagnoses were correct or not.

The survey’s authors say the goal wasn’t to determine whether the Internet has a helpful or harmful effect on health care, but rather to study who looks for health information online.

About one in three U.S. adults have gone online to try to diagnose themselves or others, the report found. Forty-six percent of those who turned to the Web  said the information they found led them to think they needed to seek a medical professional. Those who have advanced degrees and higher incomes are the most likely to look up health conditions on the Internet.

What’s the takeaway for the average patient?

Like everything else on the Web, the study shows that there’s valuable information to be found, if one has the acuity and patience to weed out all the unhelpful sites.

Original post is How Reliable Is Health Information Online? Pew Study Sheds Light by Tech Blog.

Photograph by Jin Lee/Bloomberg

Patrons use automated self service booths at the U.S. Postal Service in New York.

When China passed a new law two weeks ago requiring people to give their real names when signing up for Internet and phone service, it raised alarms over the surveillance implications for the world’s largest population of Web users.

It also highlighted what may be an uncomfortable reality for U.S. netizens: a national digital ID, which essentially is what China is proposing, isn’t entirely a foreign concept.

The U.S. is also slowly moving to a system where online personas are inextricably linked to real-world identities, an idea with huge privacy and security implications.

The tactics and enforcement mechanisms being explored in China and the U.S. are worlds apart, but the central idea is similar: knowing someone’s real name improves accountability online. That’s a double-edged sword, though, depending on who’s doing the accounting.

The White House’s National Strategy for Trusted Identities in Cyberspace, or NSTIC, is leading the government’s efforts in this area.

In September, the NSTIC awarded more then $9 million to five ambitious pilot projects that could have deep ramifications for the future of online commerce. They are developing technologies that will allow people to use online credentials — say, a PayPal or Gmail username and password — to obtain government services online, such as accessing health care records, getting driver’s licenses or paying taxes.

Some of the biggest names in business and technology are involved, including Microsoft, AT&T and LexisNexis. Their partners include Virginia’s Department of Motor Vehicles, the American Association of Retired Persons and various medical organizations.

Last month, NSTIC also announced the awarding of another contract, to the U.S. Postal Service, to build a cloud-based service to allow all federal agencies to accept approved third-party credentials for online services.

National digital IDs issued by the government are the “political third rail” in the U.S., and previous incarnations in the 1990s failed, according to John Pescatore, a computer security expert at Gartner. But now, many people are accustomed to using one log-in, such as a Facebook account, to access multiple sites, he said. NSTIC’s approach of deploying small, targeted projects to incorporate government sites into that web is a wise approach to test a controversial idea, he said.

“What NSTIC is doing is it’s sprinkling projects around at different levels,” Pescatore said. “Hedging your bets and trying across many different communities is much more likely to succeed than a top-down approach.”

Taken together, the efforts highlight the contrasting approaches by the U.S. and China.

Encouraging people to use log-ins for services they’ve voluntarily signed up for to access government services they may need only infrequently is one thing. But mandating that individuals give their real name before going online in the first place is quite another, and it’s a requirement that’s difficult to enforce even in China.

But it’s going to be hard to shake the obvious risks of consolidating our digital lives even further than we already have.

“Getting away from usernames and passwords is probably a good thing,” said Richard Bejtlich, chief security officer for Mandiant, an Alexandria, Va.-based computer security firm that investigates data breaches. “But I personally don’t like the idea of an uber-credential that could log into everything, because if that one thing falls, I could lose everything.”

Original post is A National Digital ID, Courtesy of the U.S. Postal Service? by Tech Blog.

Photograph by David Paul Morris/Bloomberg

Facebook Chief Executive Officer Mark Zuckerberg introduced a video-calling feature to his site last year.

Facebook has patched a security vulnerability that would have allowed hackers to turn on users’ webcams without their knowledge and post the videos to their profiles.

The bug was discovered in July by two computer-security researchers in India, according to Fred Wolens, a spokesman for Facebook. Aditya Gupta and Subho Halder, founders of a consulting firm called XY Security, reported their findings to Facebook, which paid them $2,500 in cash for the information, they said. Facebook seems to have deemed this particular bug as “serious” because the company paid five times its usual price, the two researchers said.

Facebook is one of a few technology companies — along with Google and Mozilla, maker of the Firefox browser — that encourages outsiders to hack their products in return for cash payouts. Some companies, notably Microsoft, have shunned “bug bounties” because they might wind up rewarding criminals.

An investigation conducted by Facebook when it fixed the webcam hole found that no users appeared to be affected, Wolens said.

“This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild,” Wolens wrote in an e-mail. “Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop/publish the video.”

Many companies choose to pay researchers such as XY Security for bugs because the alternative can be much worse. Such information can fetch high prices on the black market from criminals who try to find ways to shake down Internet surfers, costing site administrators more in the end.

Facebook’s “peeping Tom” bug could have been exploited on either Windows or Mac computers, the researchers said. The Facebook vulnerability found by XY Security was related to how the site verified requests to record and post webcam video, they said. People who had previously granted Facebook’s site access to their webcams would have been vulnerable, he said.

Bug bounties are to technology companies what “wanted” posters were to Wild West sheriffs: a call for the public’s help in identifying security risks, with the promise of rewards.

Facebook, Google and Mozilla have paid researchers more than $2 million combined through their bounty programs, according to the companies. Google has paid as much as $60,000 (plus a free laptop) for information about weaknesses in its Chrome Web browser, and Facebook has expanded its program to cover not only the Facebook site but also the company’s corporate network.

Before reporting the webcam bug to Facebook, Gupta and Halder had been building a reputation in the tech industry as professional bug-bounty hunters. The researchers, who are in their early-20s, had previously reported software vulnerabilities to Apple, Google, Microsoft and EBay’s PayPal, they said.

Original post is Facebook Fixes Webcam Vulnerability After Receiving Tip by Tech Blog.

Photograph by David Paul Morris/Bloomberg

Those free Android apps you download may end up costing you more than you know.

(Corrected date when Cloudmark published its report.)

A scourge of the personal computer has come to the smartphone.

Anti-spam company Cloudmark said Dec. 16 that its researchers have spotted what they say is a first-of-its-kind “botnet” comprised of more than 800 Android smartphones. The infected devices are being used to send thousands of spam text messages.

Botnets supply massive computing power by tying together thousands or even millions of infected PCs, known as zombies, to steal information, send spam or attack other computers. Hackers sell access to the network to spammers and other nefarious netizens. Now, with the rise of text messaging, some hackers are targeting smartphones for profit.

This botnet is made up of phones that were infected when users responded to spam text messages offering free versions of games such as “Need for Speed Most Wanted,” according to Cloudmark and Lookout Security, a maker of mobile-security software. Along with the games, downloaded from a server in Hong Kong, the would-be pirates also got an infection that turned their phones into spam-spewing robots. The malware, which hides itself by removing its icon from the system, automatically targets phone numbers on a master list.

As consumers move away from PCs and toward mobile devices for everyday computing, hackers are following. But it’s not easy to infect phones, as mobile-software makers have learned from mistakes of the PC era.

One reason this botnet is limited to only 800 or so devices is because Android typically places barriers on downloading applications from anywhere but the official Google Play store. Android also prompts users with meticulous details about the information their apps intend to access, a warning many people ignore. Google representatives did not immediately respond to a message.

The unlucky “Need for Speed” fans who were seeking a free ride could end up with a bill for thousands of text messages they didn’t send. Suddenly, the $6.99 price tag suddenly doesn’t look so bad.

Original post is Attack of the Android Zombies by Tech Blog.

Photograph by Peter Dazeley

Hackers are increasingly wiring money directly out of victims' online bank accounts - without ever typing a keystroke.

As a computer security reporter, I’m often asked for advice on how to avoid being hacked. I quickly rattle off three safeguards: 1) Use long phrases and symbols in passwords; 2) set up two Web browsers — or better yet, two computers — to keep sensitive data walled off from everything else; 3) on websites that offer it, sign up to receive text-message alerts if someone tries to break into your account.

I may need to add a fourth.

An exchange I had last week with Tom Kellermann, a cyber security expert who has advised the White House and the World Bank Treasury, sparked a new tip that might upset anyone who has a “think before printing” disclaimer in their e-mail signature: Don’t use paperless billing.

Trend Micro, the Japanese antivirus-software maker and Kellermann’s new employer, published an interesting report earlier this year about “automatic transfer systems,” and how criminals are increasingly using them to siphon money out of people’s bank accounts without them ever knowing it.

They do this by initiating wire-transfer requests the moment a victim logs into an online banking account. And, even spookier, they change the account balance and transaction history you see on your screen to hide the fraud. They use malicious code that kicks in after the user has logged into their bank’s website.

In other words, your account could show a full balance online but actually be empty. The only way you’d find out is if you went over the limit or if you see it on a paper statement that’s mailed to your home.

Kellermann presumes that 2013 will be when this cyber tactic becomes mainstream, due largely to the rise in mobile banking. For now, the attack is more common in the U.K., Germany and Italy, but versions targeting U.S. and other countries’ financial institutions do exist and will likely become more common, according to Trend Micro.

Hackers have transferred as little as 500 Euros ($658) to as much as 13,000 Euros ($17,120) at a time to foreign accounts using this technique, Trend Micro found. The criminals often steal small amounts each time victims log into their accounts, to avoid detection.

So if you do a lot of online banking, consider getting paper statements. It’s not eco-friendly or particularly convenient, but paper isn’t so easily hackable.

Original post is How Paper Bills Could Protect You From Cyber Theft by Tech Blog.

Photograph by David Lowe

The U.S. government has vowed to fight efforts by Russia and China to empower the U.N. to regulate the Internet.

This could be a crucial week for the future of the Internet and who controls it.

At a conference in Dubai that ends on Friday, the United Nations could emerge with significant authority over key parts of the Internet. And as a result, China, Russia and Saudi Arabia could break apart the U.S.-led system for numbering and naming websites.

In other words, there could be a fundamental change in the way the Internet is governed, and some countries might win the power to control or tamper with the Internet in previously impossible ways.

Or: Little will change at all, which is more likely.

For all the posturing surrounding the Worldwide Conference on International Telecommunications, there’s the distinct possibility that the Internet will emerge unscathed.

Whatever the outcome, the battle taking place in Dubai highlights the growing tension over a relatively obscure but vital system for making sure that people can surf the Web freely without government interference.

The conference is a product of the International Telecommunication Union, a United Nations agency.  The gathering’s stated aim was to update the technical standards that allow different countries’ telephone networks to work together.  The last time they were updated was 1988.

The agency insists it won’t use the conference to increase the UN’s authority over the Internet. Nevertheless, the event has turned into a referendum on the role of the United States, and in particular, the Internet Corporation for Assigned Names and Numbers, in managing the global Internet.

ICANN is an independent, U.S.-based organization that acts as a phone book for the Internet. It coordinates the names and addresses of sites globally to ensure that computers know to find each other online.

The group’s prominence is an outgrowth of the Internet’s roots in the U.S. and the need for a centralized body to oversee traffic instructions. Its primary function is managing the Domain Name System, or DNS, that underpins the modern web.

The ideas being floated would shift some control to the UN and allow individual nations to manage the Internet addresses in their own territories. On Wednesday, an eight-country group that is pushing for more sovereign control over web addresses resubmitted a proposal it had scrapped a day earlier, as my colleague Amy Thomson reported. The group includes China, Russia, Saudi Arabia, Algeria, Bahrain, Iraq, Sudan and the United Arab Emirates.

While it might seem like an equitable idea, the Obama administration published a blog post Tuesday that argued that free speech and innovation would suffer if the UN were granted significant new powers. The proposal also faces opposition from Australia, Canada, the Czech Republic, Germany and Sweden, which have all called for it to be tabled since they’ve agreed not to talk about regulating the Internet at the conference.

The threat is that if every country were allowed to manage their own Internet address books, sites seen as troublesome by the governments could be easily — and silently — eliminated by removing them from the index and making them permanently inaccessible to the outside world.

“The global consensus for a free and open Internet is overwhelming,” the White House’s post stated. “Millions in the United States and around the world have already added their voices to this conversation, and their position is clear: they do not want the WCIT to govern the Internet or legitimize more state control over online content.  Our administration could not agree more – and will not support a treaty that sets that kind of precedent.”

That the Internet can be controlled at all may come as a surprise to some. After all, we often hear it described as the Wild Wild West of computing, where anyone can have a voice, viruses are unstoppable, and as the old New Yorker cartoon famously depicted, nobody knows who — or what — y0u are online, unless you tell them. And that countries don’t fully control their own corners of cyberspace is also little-known.

Yet there are ways that the Internet can be brought to heel. We got a fresh example two weeks ago when the Internet was shut off in Syria. Also, China’s censorship of what its citizens see online is longstanding and pervasive. Governments already have powerful tools at their disposal — namely, regulatory authority over telecommunications companies — that give them a lever for crippling the Internet when so desired.

The infrastructure for managing Web addresses has been a sore spot for some countries for some time. The origins of the latest power grab were outlined in depth in this Vanity Fair piece from May, which described it as a “war under way for control of the Internet.”

The deliberations are fast-moving, and there’s a lot of uncertainty about what comes next. By Friday, we should know a lot more.

Original post is U.S. vs. China, Russia in Battle for Control Over the Internet by Tech Blog.

Photograph by Gunter Ziesler

An Australian medical center is fighting hackers who have encrypted patient records and demanded ransom.

An Australian medical center is facing the possibility that its patients’ electronic medical records may be locked away forever after hackers broke into its computer system and encrypted the files.

The hackers who captured the Miami Family Medical Centre’s data demanded A$4,000 ($4,196) to decrypt the information, David Wood, co-owner of the facility, told Australia’s ABC News, according to this report. They got past what Wood considered good computer-security measures, he said.  The facility is now left with the “very, very, very difficult” task of operating without patient records until the hackers are paid or independent consultants can defeat the encryption on their own, he added.

“We’ve got all the antivirus stuff in place,” Wood told ABC News. “There’s no sign of a virus. They literally got in, hijacked the server and then ran their encryption software.”

The center did not immediately respond to an e-mail from Bloomberg News.

The information may be gone for good, as extortionists often follow one ransom demand with another and may never unlock the data, Nigel Phair, a former investigator with the Australian High-Tech Crime Centre, told ABC News.

The case shows how the digitization of medical records can be a danger to patients. I reported in August on a similar breach affecting a medical center in an affluent Illinois suburb whose records were also hacked and held for ransom. The facility, the Surgeons of Lake County, has declined to comment on the investigation or on whether the data were backed up.

Incidents like those are likely to become more common as medical providers make the shift to digital records, and as health care providers swap those files over “health information exchanges,” clearinghouses for medical data that are already the target of complaints.

The technologies promise to improve patient care, but they also introduce the risk of criminals stealing health data for profit. Health information can be sold on the black market and used for identity theft, a growing problem that some victims battle for decades.

Wood, of the Australian medical center, has learned a valuable lesson about data security: “Check your IT security and don’t leave backups connected to servers.”

Original post is Hackers Hold Australian Medical Center’s Records for Ransom by Tech Blog.