Threatpost for B2B
Feds Bust Cybercrime Ring Targeting Payroll, Financial Firms
Federal officials charged eight members of a Ukrainian cybercrime ring this week after they allegedly tried to illegally access the networks of a number of financial institutions including Citibank, JP Morgan Chase, TD Ameritrade and PayPal, along with the U.S. Department of Defense’s Defense Finance and Accounting Service, among others.
The gang allegedly stole in excess of $15 million via money laundering and identity theft after extracting customer account information from 15 different payment processors, banks and online brokers.
The two ringleaders, Oleksiy Sharapka, 33, and Leonid Yanovitsky, 38, both of Kiev, Ukraine, remain at large, according to reports this afternoon. Sharapka had previously been in custody in Massachusetts and served a 102-month federal sentence from 2004 to 2012 before being deported to Ukraine last spring, according to prosecutors in New Jersey.
While primarily based in Ukraine, the ring extended to New York City, Atlanta and two towns on the outskirts of Boston. Oleg Pidtergerya, 49, of Brooklyn, N.Y.; Robert Dubuc, 40, of Malden, Mass.; Andrey Yarmolitskiy, 41, of Atlanta; Richard Gunderson, 46, of Brooklyn; and Lamar Taylor, 37, of Salem, Mass., were charged with three counts of conspiracy, one for wire fraud, one for money laundering and one for identity theft on Wednesday. While Pidtergerya, Ostapyuk and Dubuc were arrested in Brooklyn and Malden on Wednesday, Yarmolitskiy was arrested when he flew into John F. Kennedy International Airport on Tuesday.
The remaining two co-conspirators, Gunderson and Taylor, are currently being pursued, according to reports.
From March 2012 to June 2013, the suspects hacked into the servers of banks, secured customers’ information and funneled money from legitimate bank accounts to prepaid debit cards. “Cashers” in the U.S. cashed out the accounts via ATMs and by making fake purchases as part of what the federal complaint (.PDF) refers to as the “Sharapka Cash Out Organization.”
According to the complaint, the conspirators also defrauded the IRS by faking tax returns in the names of the identity theft victims. The ring received about $20,000 in fake tax refunds from June to July, 2012.
Fifteen companies were victimized in the attacks, including Aon Hewitt, Automated Data Processing Inc., Citibank N.A., E-Trade, Electronic Payments Inc., Fundtech Holdings LLC, iPayment Inc., JP Morgan Chase Bank N.A., Nordstrom Bank, PayPal, TD Ameritrade, the U.S. Department of Defense’s Defense Finance and Accounting Service, TIAA-CREF, USAA, and Veracity Payment Solutions Inc.
Features Conspire to Connect iPhones to Rogue Networks
Some iPhone users are vulnerable to having their devices automatically join rogue Wi-Fi networks because of a combination of an iOS feature that allows devices to reconnect to known networks and a directory of carrier-specific wireless network SSIDs that are preloaded into iOS, according to mobile security researchers from Skycure.
A number of operating systems, iOS among them, contain a convenience feature that allows devices to automatically connect to wireless networks with which they have connected in the past, based on the SSID of those networks. Skycure cofounder and CEO Adi Sharabani said this feature is something of a security vulnerability in that an attacker can set up a malicious network with an SSID that mimics the SSID of a legitimate wireless network known to a specific device.
In order to exploit this vulnerability, an attacker would have to figure out the SSID of a network that has been accessed on the machine of a potential victim, create a malicious network spoofing that SSID, and then get close enough to the victim’s machine that it will connect to the malicious Wi-Fi network. Once a device is connected to a malicious network, an attacker can launch any number of man-in-the-middle related attacks.
Sharabani claims that some cellular carriers are pre-configuring bundles of wireless profiles onto iPhones – in addition to the ones that are built into the default iOS platform – before shipping them off to customers. In this way, customer devices can automatically connect to the wireless networks of the carrier that issued the device. Unfortunately, this also means that an attacker can figure out the SSIDs that carriers and Apple are pre-loading onto their devices, spoof those SSIDs, and compel any number of devices to join malicious networks near them.
A Skycure spokesperson explained that carriers, AT&T for example, deploy Wi-Fi networks in their stores and at Starbucks. The SSID for these networks is “attwifi” and is preloaded into iOS. It is not entirely clear why Apple and mobile carriers would have an incentive to preload these SSIDs onto iOS devices, but, according to Sharabani, the fact remains that these SSIDs are on the phones and the phones will connect to any wireless networks associated with them.
Skycure claims to have seen this vulnerability exploited in the wild at a coffee shop in Brooklyn. Apparently a pilot user of one of its mobile security products automatically connected to a malicious wireless hot spot with an SSID that mimicked that of a legitimate wireless carrier. Sharabani believes that the attackers were merely trying to social engineer users into joining what appeared to be a legitimate wireless network, and that they did not realize that certain wireless carriers are pre-configuring Wi-Fi SSIDs so that users’ devices can automatically connect to various wireless networks should they encounter them.
New Bill Would Declassify FISC Opinions
A group of eight senators from both parties has introduced a new bill that would require the attorney general to declassify as many of the rulings of the secret Foreign Intelligence Surveillance Court as possible, as a way of bringing into the sunlight much of the law and opinion that guides the government’s surveillance efforts.
The bill comes in the aftermath of the National Security Agency leak scandal that revealed some pieces of the agency’s massive domestic surveillance program, including the collection of call data on millions of Verizon customers. The leaks also revealed the existence of a program called PRISM through which the NSA gets data on users from companies such as Google, Yahoo, Apple and Microsoft. Some of the key sponsors of the bill, including Sen. Ron Wyden (D-Ore.), have been vocal critics of the extent of government surveillance as well as the secrecy surrounding its interpretations of the Patriot Act.
Under the terms of the proposed law, the Justice Department would be required to declassify major FISC opinions as a way to give Americans a view into how the federal government is using the Foreign Intelligence Surveillance Act and Patriot Act. If the attorney general determines that a specific ruling can’t be declassified without endangering national security, he can declassify a summary of it. If even that isn’t possible, then the AG would need to explain specifically why the opinion needs to be kept secret.
“Americans deserve to know how much information about their private communications the government believes it’s allowed to take under the law,” Sen. Jeff Merkley (D-Ore.) said. “There is plenty of room to have this debate without compromising our surveillance sources or methods or tipping our hand to our enemies. We can’t have a serious debate about how much surveillance of Americans’ communications should be permitted without ending secret law.”
The FISC has operated largely in the shadows for decades, handing down rulings on applications for warrants for electronic surveillance related to foreign surveillance. The court has been around for 35 years, but it’s only in the last few years that it has come under scrutiny as the scope and scale of domestic surveillance programs have expanded. The senators sponsoring the new measure say that Americans are entitled to know what goes on with the court’s rulings.
“Of course, ensuring Americans’ safety is one of our government’s most important responsibilities, but there is a careful balance between protecting Americans and honoring the Fourth Amendment,” Sen. Dean Heller (R-Nev.) said. “This legislation is a measured approach that will bring more transparency to the FISA court and respect the American people’s right to know how and when the government may be accessing their personal information.”
Merkley introduced a similar bill last year as an amendment to the FISA law, but it was not included.
BlackBerry Issues Z10, PlayBook Security Advisories
BlackBerry’s security incident response team has issued two advisories warning Z10 smartphone and PlayBook tablet users to upgrade to the latest version of the operating system and software on both platforms. The patches address a remote code-execution vulnerability in the Adobe Flash Player integrated into the BlackBerry products, as well as a privilege escalation flaw in the BlackBerry OS.
Users and enterprise administrators are urged to upgrade their devices to BlackBerry 10 OS version 10.0.10.648 or later, and version 2.1.0.1526 of the PlayBook software.
The privilege escalation bug affects only Z10 smartphones and is not being exploited. BlackBerry said the severity is limited by the amount of user interaction and physical access on the attacker’s part required to successfully exploit the vulnerability.
“Successful exploitation requires not only that a customer enable BlackBerry Protect, use the feature to reset the device password and download a specifically crafted malicious app, but also that an attacker gain physical access to the phone,” BlackBerry said in its advisory. “If all of the specific requirements are met for exploitation, an attacker could potentially access or modify data on the device.”
The vulnerability could enable a malicious application downloaded by the user to compromise weak permissions on a BlackBerry Protect object to compromise the device. By doing so, the app could gain the device password if a reset is requested through Protect; it also could prevent the device from executing commands from Protect such as remote wipe.
If all these conditions exist, an attacker could access BlackBerry Hub, applications and data, unlock the work perimeter compartment on the device, access the device over a USB tether in order to view files, change device passwords or access local and enterprise services.
BlackBerry Enterprise Server administrators are urged to disallow computer access to Work Space on the device, disallow the use of the same password for WorkSpace as for the rest of the device, require a password for Work Space, and restrict Development mode.
“BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device,” BlackBerry’s Adrian Stone, director of security incident response and threat analysis, said in a statement. “While successful exploitation requires several specific conditions, and there are no current attacks on customers, we recommend BlackBerry Z10 users install the latest software update to be fully protected from this issue.”
As for the second advisory, the Flash Player included with BlackBerry 10 OS versions earlier than 10.0.10.648 on the Z10 and with PlayBook software versions earlier than 2.1.0.1526 is affected. Users are urged to upgrade on both platforms. BlackBerry stressed that the vulnerability is not in the operating system, nor is it being exploited in the wild.
“Successful exploitation of this issue could potentially result in an attacker being able to execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser),” the advisory says. “Failed exploitation of this issue might result in abnormal or unexpected termination of the application.”
In order for an exploit to execute, the user must interact with a malicious .swf application embedded in website content or delivered as an email attachment through webmail in a browser on one of the devices. The sandboxing built into both BlackBerry platforms is also a mitigating factor here, BlackBerry said.
The vulnerability is described in CVE-2013-0630 as a buffer overflow in Adobe Flash Player before 10.3.183.50 and 11.x before 11.5.502.146 on Windows and Mac OS X.
Unlike on the PlayBook tablet, Flash is not enabled by default on the Z10 and users must turn it on to view Flash content on the phone’s browser, BlackBerry said.
“The attacker cannot force the user to access the content or bypass the requirement that the user chooses to access the content,” the advisory said.
CSP 1.0 Added to Firefox to Block XSS Attacks
After years of discussion and waiting, Mozilla has finally added Content Security Policy 1.0, a defense against some common attacks such as XSS, to its Firefox browser. CSP already has been implemented in Google Chrome and Internet Explorer and there was a limited implementation of it in Firefox previously, beginning in 2011, but this is the first time the approved 1.0 specification has been implemented in Firefox.
CSP is a specification designed to help limit the sources of content that can run on a given Web site. One of the ways that attackers compromise users’ machines is by inserting malicious scripts on a target Web page. Sites today often pull content from multiple different sources, including social networking sites, ad networks and other sites, and it’s difficult for site owners to validate whether each of those pieces of content is safe. Cross-site scripting attacks take advantage of this weakness.
CSP is meant to prevent XSS and other similar attacks from succeeding by restricting the sources of content on a given page.
“In general, CSP allows web developers greater control over their content, helping mitigate several security problems. One major benefit of CSP is that, by default, it prevents inline scripts from executing. This greatly helps mitigate the threat of XSS (Cross Site Scripting) or other forms of script injection,” Ian Melven of Mozilla wrote.
“The concept of CSP gained traction fairly rapidly, with Chrome shipping their first implementation, using the X-Webkit-CSP header, in August 2011. After much discussion among security and web experts, in November 2011 a working draft of a W3C specification for Content Security Policy 1.0 was published. The syntax specified by the working draft was quite different from the syntax used by the initial Firefox implementation, as concepts had over time evolved and been refined.”
One of the changes in the new implementation of CSP in Firefox is that it no longer uses the older, prefixed header. CSP now uses the Content-Security-Policy header rather than the X-Content-Security-Policy header.
“This is great, because we no longer have the situation where a site has to send multiple CSP headers (with different syntax !) to have its policy enforced in CSP-supporting browsers. The same Content-Security-Policy header will work for Firefox, Chrome, IE 10 (sandbox only) and any other browsers that implement the spec. If for some reason a site sends both the X-Content-Security-Policy header and the Content-Security-Policy header, the prefixed header will be ignored and only the policy from the unprefixed header will be applied,” Melven said.
One other major change in the CSP 1.0 implementation is that it now blocks inline styles in Firefox. This helps prevent certain kinds of attacks that inject style elements or style attributes into target pages.
“This was a later addition to the CSP spec. It aims to prevent attacks via injecting <style> elements or another HTML element with a style attribute. These attacks can be carried out even when executing script is not allowed. Some potential attacks include using CSS selectors to exfiltrate data from the page and using attributes to overlay one element on top of another, leading to a possible phishing attack,” Melven said.
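The two header behaviours described above (a CSP 1.0 browser honours the unprefixed Content-Security-Policy header and ignores the legacy X-Content-Security-Policy header when both are sent, and inline script and style are blocked unless the policy opts in with 'unsafe-inline') can be checked with a small policy parser. The following is an added example, not Mozilla's code or part of the original article; it assumes a simplified CSP 1.0 source-matching model (exact origin, 'self', host wildcard and *), and the header values and origins in it are constructed.

```python
"""Parse a Content-Security-Policy 1.0 header and answer "does this policy allow X?".

Added example (not Mozilla's or Threatpost's code). Source-expression matching is
simplified to the forms CSP 1.0 uses most: exact origin, 'self', *.host wildcards, *.
"""
from urllib.parse import urlsplit

UNPREFIXED = "content-security-policy"
PREFIXED = "x-content-security-policy"  # legacy prefixed header from the early Firefox implementation


def select_policy_header(headers):
    """Return the policy string a CSP 1.0 browser applies, or None if neither header is set.

    Header names are matched case-insensitively. When the unprefixed header is
    present, the prefixed one is ignored entirely.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if UNPREFIXED in lowered:
        return lowered[UNPREFIXED]
    return lowered.get(PREFIXED)


def parse_policy(policy):
    """Turn "directive src src; directive src" into {directive: [source expressions]}.

    Directive names are case-insensitive; a repeated directive keeps its first value.
    """
    parsed = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def effective_sources(parsed, directive):
    """Fetch directives fall back to default-src; with neither set, everything is allowed."""
    if directive in parsed:
        return parsed[directive]
    if "default-src" in parsed:
        return parsed["default-src"]
    return ["*"]


def allows_inline(parsed, directive):
    """Inline script/style is blocked by default under CSP 1.0; 'unsafe-inline' opts back in."""
    return "'unsafe-inline'" in effective_sources(parsed, directive)


def allows_source(parsed, directive, url, page_origin):
    """Decide whether a resource at `url` may load for `directive` on a page at `page_origin`."""
    sources = effective_sources(parsed, directive)
    if "'none'" in sources:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    host = parts.hostname or ""
    for expr in sources:
        if expr == "*":
            return True
        if expr == "'self'":
            if origin == page_origin:
                return True
            continue
        if expr.startswith("'"):  # other keyword sources carry no host to match
            continue
        if "://" in expr:  # scheme-qualified source expression: exact origin match
            if expr.rstrip("/") == origin:
                return True
        elif expr.startswith("*."):  # host wildcard: *.example.com matches subdomains only
            if host.endswith(expr[1:]):
                return True
        elif expr == host:  # bare host: matched regardless of scheme (simplification)
            return True
    return False


if __name__ == "__main__":
    response_headers = {  # constructed response headers, both old and new header present
        "X-Content-Security-Policy": "allow 'self' 'unsafe-inline'",  # legacy syntax, ignored
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'",
    }
    policy = parse_policy(select_policy_header(response_headers))
    print("inline script allowed:", allows_inline(policy, "script-src"))
    print("cdn script allowed:", allows_source(policy, "script-src", "https://cdn.example.com/app.js", "https://app.example.com"))
```

Because the prefixed header is discarded whenever the unprefixed one is present, the legacy policy's 'unsafe-inline' has no effect in the sample above and inline script stays blocked; a site migrating from the old Firefox syntax should therefore make sure the unprefixed header carries the complete policy.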
Google Requests More Transparency to Dispel PRISM Media Myths
Google’s chief legal officer addressed a letter to Attorney General Eric Holder and FBI Director Robert Mueller contesting recent media reports regarding the breadth of the National Security Agency’s surveillance programs and requesting that his company be allowed to publish more national security request data in order to quell media speculation.
The letter, which was published on Google’s official blog today, is part of the company’s response to the unceasing stream of media reports that have surfaced since Edward Snowden, a former Booz Allen Hamilton infrastructure analyst, leaked the contents of two highly secretive NSA programs to the Guardian and Washington Post last week. The first had to do with the NSA collection of all metadata produced by Verizon customers while the second described an alleged surveillance program, called PRISM, through which the top American spy agency allegedly collects user data from a group of major Internet companies, including Google, Facebook, Apple and Microsoft.
Both programs are reportedly overseen and approved by the ultra-secretive Foreign Intelligence Surveillance Court established by the Foreign Intelligence Surveillance Act (FISA) in 1978.
Google’s top attorney David Drummond claims that his company has worked hard over the last 15 years to earn its users’ trust by providing strong encryption, hiring some of the best security minds in the world, and pushing back against overly broad government requests for user data.
Drummond said Google does comply with valid government requests for user data, but he downplays the ease with which his company accepts such requests. He also suggests that the acknowledgement by Director of National Intelligence James Clapper that online service providers have received FISA requests has put Google in the untenable position of denying claims it knows to be false without legally being allowed to provide the evidence it has to prove them false.
“Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue,” Drummond wrote. “However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.”
In essence, Google claims that the media has either received false information about, or is exaggerating, the scope of the government’s access to user data on their servers, but the company has no way of refuting these claims given the current legal climate. Therefore, the Mountain View, California tech giant is requesting that the government allow it to publish the aggregate numbers of national security requests and the number and the scope of the FISA disclosures it receives from the government in its annual transparency reports.
“Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”
It also emerged today that a group of people, including a former federal prosecutor and the parents of a Navy SEAL sniper killed in action, have filed a class-action law suit against the National Security Agency, Verizon and President Obama over the NSA’s collection of cell phone data.
Microsoft Patches IE Again; Ormandy Bug Waits
Microsoft took advantage today of its lightest batch of Patch Tuesday security updates this year to release an update to its certificate handling infrastructure. Meanwhile, administrators looking for a patch for a vulnerability recently disclosed by Google engineer Tavis Ormandy will have to wait at least another month for an update.
Building on features native to Windows 8 that automatically move untrusted or compromised certificates to the Windows Certificate Trust List, Microsoft announced enhancements that give enterprises additional options when managing PKI installations. Specifically, the update allows for computers on the same Active Directory domain to auto-update certificate lists without having to access Windows Update; they can also be configured to opt-in to auto-update for trusted and disallowed certificates. Finally, admins will be able to choose a subset of roots for distribution via Group Policy.
Auto-update was introduced a year ago, according to Dustin Childs, group manager, Trustworthy Computing; it is available starting with Windows Vista through Windows 8, Windows Server 2012 and Windows RT.
“Over the coming months, we’ll be rolling out additional updates to this advisory - all aimed at bolstering Windows’ cryptography and certificate-handling infrastructure,” Childs said. “Our efforts here aren’t in response to any specific incident; it’s the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers.”
Microsoft issued five bulletins today, including another cumulative update for Internet Explorer that patches 19 vulnerabilities, all critical remote code execution flaws. A patch for another remote code execution bug, in Office, was also released, but it was not rated critical despite Microsoft being aware of limited targeted attacks exploiting the vulnerability.
Adobe also released an update to Adobe Flash Player patching a remote-code execution vulnerability.
The Ormandy issue, meanwhile, dates back to May 17 when he posted a note to the Full Disclosure mailing list that he had found an elevation of privilege vulnerability locally in the Windows kernel and was soliciting help in developing an exploit, which he said he had three days later. This isn’t the first time Ormandy has disclosed a Windows vulnerability without giving Microsoft much notice to address the issue. Ormandy wrote on his personal blog that Microsoft is hostile toward researchers and urged anyone submitting bugs to Microsoft do so under a pseudonym to protect themselves.
The IE update is the lone critical bulletin for June. MS13-047 affects IE 6-10 and in 18 of the 19 vulnerabilities, remote code execution is possible because of the way IE handles objects in memory. The remaining flaw, a Script Debug vulnerability, happens because IE improperly processes script while debugging a webpage leading to memory corruption that could allow an attacker to run code remotely once a user visits a site hosting an exploit.
“Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage,” said Wolfgang Kandek, CTO at Qualys. “Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.”
The Office vulnerability, MS13-051, also enables remote code execution but it was not rated critical because it affects only Office 2003 Service Pack 3 and Microsoft Office for Mac 2011. Users would have to open a malicious Office document or view a malicious email in Outlook in order for the flaw to be exploited, Microsoft said. Attackers taking advantage of the buffer overflow vulnerability would be able to install malware, change or delete data, and add accounts with full privileges.
“This issue is seeing limited, targeted exploitation in the wild and the only reason Microsoft hasn’t tagged it as a Critical issue is based on the limited number of affected platforms,” said Rapid7 senior manager of security engineering Ross Barrett. “Exploitation of this issue requires the user to interact with a malicious document.”
The remainder of the bulletins were rated important and include a pair of kernel vulnerabilities.
- MS13-048 is an information-disclosure vulnerability in Windows kernel and requires local access to a computer and execution of a malicious application. An attacker would need valid credentials to exploit this flaw, Microsoft said.
- MS13-049 is a denial of service vulnerability in Windows Kernel-Mode Driver. An attacker would have to send specially crafted packets to a server to cause it to crash. Microsoft said standard default firewall configurations should help mitigate potential attacks.
- MS13-050 is a privilege escalation bug in Windows Print Spooler components. An attacker would need valid credentials and be logged on to exploit this bug.
Adobe Patches Flash Player Vulnerability
Adobe, which has been coordinating patch releases with Microsoft for several months, released a security update for Adobe Flash Player. Adobe said there are no public exploits available for the vulnerability, which could allow an attacker to crash Flash Player and remotely control the underlying system. Users are urged to upgrade to version 11.7.700.224 for Windows, which was given the highest criticality rating by Adobe. The vulnerability on Mac, Linux and Android versions was rated as a less severe threat.
Affected versions for Windows are 11.7.700.202 and earlier; 11.7.700.203 for Mac; 11.2.202.285 and earlier for Linux; and 11.1.115.58 and 11.1.111.54 and earlier for Android. Adobe AIR is also impacted by the vulnerability; version 3.7.0.1860 is affected.
Not All in Favor of Harsher Penalties for Convicted Hackers in Europe
Legislation filed late last week in the European Parliament that could broadly reform how convicted cybercriminals are prosecuted fails to adequately differentiate good hackers from bad hackers, a political group argued today.
Jan Philipp Albrecht, a spokesman for the Greens/European Free Alliance group, called out the proposed legislation in an editorial on PublicServiceEurope.com this morning. For Albrecht, the problem stems from how the government would handle ethical, proactive hackers and their research.
“The blunt new rules on criminalizing cyber-attacks take a totally flawed approach to Internet security,” Albrecht wrote, going on to defend the role white hat hackers can have “identifying vulnerabilities and thereby serving as the Internet’s immune system.”
For example, how would independent white hats researching and disclosing vulnerabilities in software be treated under the law? Reputed white hat Apple hacker Charlie Miller was exiled from the company’s developer program in 2011 after uploading a bogus proof-of-concept application to its App Store. Miller had hoped to demonstrate a code signing vulnerability in the App Store at a future talk, using the harmless application as proof but was booted from the program immediately. While Miller was merely trying to point out a flaw in Apple’s App Store, it’s unclear what the repercussions would be if it had happened in Europe under these proposed laws.
Albrecht pulled no punches in the editorial, calling the legislation “heavy-handed and misdirected” and insisting that under the new rules, minor or non-malicious attacks could result in criminal penalties. He also argued that the laws will deter vendors from adding necessary protections in their software. “Vendors and manufacturers will stay wholly irresponsible for product defects and security threats, with no incentive to invest in safer systems,” he said.
The Greens/European Free Alliance group, the fourth largest group in the European Parliament, is composed of progressive Members of European Parliament (MEPs) and was founded in 1999.
The reaction comes several days after the EU voted to endorse new legislation (.PDF) that would greatly increase penalties against hackers across the union’s 27 member states.
The rules would enforce a maximum sentence of two years in prison for “illegal information system access, illegal system interference, illegal data interference, and illegal interception.”
The draft directive would also up jail time for botnet operators – enforcing at least a three-year sentence for those who cause serious damage to information systems by either running or utilizing botnets, with even more intensified penalties, at least five years in prison, levied against those who attack critical infrastructure or carry out hacks via a criminal organization.
The directive also ensures that each member state would have an “operational point of contact” to respond to cyber-attack concerns within eight hours of their initial reporting, 24 hours a day, seven days a week.
While the Parliament’s Committee on Civil Liberties, Justice and Home Affairs has already approved the legislation, the draft directive needs to be voted on by the Parliament in July, shortly after the EU instates its 28th member state, Croatia. From there it would need to be implemented by each state.
The Electronic Frontier Foundation has urged the European Parliament in the past to make it easier for researchers who help expose security flaws. When asked today, the EFF pointed out an entry from the group’s Deeplinks blog in 2012 that argued in favor of researchers’ freedom and “coder’s rights.”
“Their ability to freely report security flaws is crucial and highly beneficial for the global online community,” the group asserted, arguing that the researchers should have some sort of “breathing room.”
“Public disclosure of security information enables informed consumer choice and encourages vendors to be truthful about flaws, repair vulnerabilities, and improve upon products.”
Unnamed, Popular ICS Firmware Contains Hard-Coded FTP Credential
Industrial control systems are rife with security issues, not the least of which is the use of hard-coded credentials. In order to minimize downtime, developers and administrators build in passwords to expedite remote troubleshooting in the event of a system crash or failure.
Problems arise when an attacker finds these credentials and the practice becomes tantamount to coding in a backdoor to the device in question.
A security researcher reported this week the discovery of hard-coded credentials in well-known ICS device firmware used to connect to the device vendor’s FTP server. Sofiane Talmat of security consultancy IOActive would not reveal the device in question to Threatpost, but said he is working on a process for remediation and disclosure with the vendor.
“I am not allowed to disclose the vendor name right now as the vulnerability is not yet publicly disclosed and unpatched and there is sensitive information on the FTP server,” Talmat said.
Talmat said he came across a connectivity-test script in the firmware that transmitted, in the clear, the FTP host name, user name and password, along with the name of the file being transferred to the vendor. The script is designed to ping the host and then connect to an internal FTP server to download a test file and upload the results. Conspiring to make a bad situation worse, in addition to the hard-coded in-the-clear credential, the upload inserts the device serial number into the file name, Talmat said. While this provides a unique identifier for each file, Talmat said, it also lets an attacker single out any device by its serial number.
“These device serial numbers are also used by the vendor to generate default admin passwords,” he wrote on the company’s blog. “This knowledge and strategy could allow an attacker to build a database of admin passwords for all of this vendor’s devices.”
Talmat said this is the first time he’s seen serial numbers used to generate admin passwords for different devices. But this isn’t the first time he’s seen a device ID or serial number used as a naming convention for an industrial device.
Digging further, Talmat found issues with another script connecting to the same vendor’s FTP server that uses anonymous access to upload statistics used for debugging from each device. Similarly, the .zip file sent from the device to the FTP server includes the device serial number; the script also prompts the user to add the company name to the file name.
“An attacker with this information can easily build a database of admin passwords linked to the company that owns the device,” Talmat said.
A third problematic script was discovered; this one however allows only write-access to the FTP server and sends device configuration information. Talmat said the server is running an older version of the FTP service which is also vulnerable to public exploits.
“I need to check, but I am sure it’s an old version since the vulnerability was disclosed publicly five or six years before,” he said.
A similar issue was recently patched by TURCK, a German ICS vendor whose devices are deployed in manufacturing, agriculture and food services in the United States and Europe. An alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned of a vulnerability in TURCK BL20 and BL67 Programmable Gateways that included hard-coded credentials reachable via an FTP server.
The flaw was also discovered by an IOActive researcher, Ruben Santamarta, who said that anyone with an understanding of embedded syntax could find the credentials by running the strings command on the firmware file. He did qualify that this can be time consuming because there are potentially thousands of strings in firmware. An IOActive tool called Stringfighter automates the process by searching for strings that are out of context relative to the elements near them and could be hard-coded credentials.
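The following is an added example, written for this page rather than taken from IOActive or from Stringfighter, of the kind of triage a firmware auditor does after running strings: pull printable runs out of an image, flag the ones shaped like credentials (URLs with embedded user:password, key=value secrets, bare FTP USER/PASS commands) and mask the secret before the finding goes into a report. The firmware blob, host names and credentials are constructed for the demonstration and do not come from any vendor.

```python
import re

# Constructed stand-in for an extracted firmware image: binary filler around a
# handful of printable strings of the kind the article describes.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32))
    + b"ping -c 3 ftp.vendor.example\x00" + b"\x00" * 7
    + b"ftp://svcuser:S3cretPass@ftp.vendor.example/test.txt\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"PASS anonymous\x00"
    + b"upload_%s_result.zip\x00"
    + b"user=admin;password=ChangeMe\x00"
    + b"Copyright 2013 Vendor\x00"
    + b"\xff" * 12
)

# Rules that mark a string as credential-like: (reason, regex) pairs.
CREDENTIAL_PATTERNS = [
    ("url-with-userinfo",
     re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("secret-key-value",
     re.compile(r"\b(?:pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*\S+", re.I)),
    ("ftp-auth-command",
     re.compile(r"^(?:USER|PASS)\s+\S+", re.I)),
]


def extract_strings(blob, min_len=6):
    """Return (offset, text) for printable-ASCII runs, as strings(1) would."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def redact(text):
    """Mask the secret part so a finding can be shared without leaking it."""
    # user:password@ inside a URL -> user:***@
    text = re.sub(r"(://[^/\s:@]+:)[^/\s@]+(@)", r"\1***\2", text)
    # password=value, token: value, ... -> password=***
    text = re.sub(r"(\b(?:pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*)\S+",
                  r"\1***", text, flags=re.I)
    # bare FTP "PASS secret" command -> PASS ***
    text = re.sub(r"^(PASS\s+)\S+", r"\1***", text, flags=re.I)
    return text


def find_credential_candidates(blob, min_len=6):
    """Return credential-like strings with their offset and the rule that fired."""
    hits = []
    for offset, text in extract_strings(blob, min_len):
        for reason, rx in CREDENTIAL_PATTERNS:
            if rx.search(text):
                hits.append({"offset": offset, "reason": reason, "text": redact(text)})
                break  # report each string once, under the first matching rule
    return hits


if __name__ == "__main__":
    for hit in find_credential_candidates(SAMPLE_FIRMWARE):
        print("0x%06x  %-18s %s" % (hit["offset"], hit["reason"], hit["text"]))
```

The rules are deliberately narrow; a real audit would add the vendor's own URL schemes and configuration key names, and would keep the "ping host then fetch a test file" strings the article mentions as context for whatever is flagged next to them.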
Suit Filed Against NSA, Obama Over Surveillance Program
A group of people, including a former federal prosecutor and the parents of a Navy SEAL sniper killed in action, have filed a class-action lawsuit against the National Security Agency, Verizon and President Obama over the NSA’s collection of cell phone data. The suit says the order that enabled the surveillance program is “the broadest surveillance order to ever have been issued” and enables indiscriminate collection of data.
The suit, filed this week in federal court in Washington, D.C., also names Roger Vinson, the judge who signed the Verizon order, as a defendant, along with Attorney General Eric Holder and NSA Director Keith Alexander. The plaintiffs say that the NSA’s surveillance program violates the Constitution and unfairly and unnecessarily infringes on citizens’ privacy. The classified order directs Verizon to hand over all of the so-called metadata for calls on its network to the NSA. The metadata includes the originating and terminating phone numbers along with details of the call, but not the contents of the call.
“This would give the NSA over one hundred millions phone records on a daily basis. The information would also include a list of all the people that Verizon customers call and who called them; how long they spoke; and perhaps, where they were on a given day. Further, there is nothing in the order requiring the government to destroy the records after a certain amount of time nor is there any provisions limiting who can see and hear the data,” the suit says.
“The order, issued and signed by Judge Roger Vinson, violates the U.S. Constitution and also federal laws, including, but not limited to, the outrageous breach of privacy, freedom of speech, freedom of association, and the due process rights of American citizens.”
The suit is filed on behalf of Larry Klayman, a federal prosecutor in the 1980s and founder of Freedom Watch, and Charles and Mary Ann Strange, the parents of Michael Strange, a member of SEAL Team Six who was killed in Afghanistan. They allege that the NSA surveillance program is illegal and violated Americans’ expectation of privacy and freedoms. The plaintiffs are seeking unspecified damages and relief from the NSA surveillance program.
Much of the outrage surrounding the revelation of the NSA surveillance program and collection of call metadata centers on the fact that the program is collecting information on Americans’ calls, something that is supposed to be outside the agency’s purview.
“Based on knowledge and belief, this Order issued by Defendant Vinson is the broadest surveillance order to ever have been issued; it requires no level of reasonable suspicion or probable cause and incredibly applies to all Verizon subscribers and users anywhere in the United States and overseas,” the suit says.
“To date, Defendants have not issued substantive and meaningful explanations to the American people describing what has occurred. To the contrary, criminal charges are reportedly being pursued by Defendants Obama, Holder, the DOJ, and the NSA against the leakers of this plot against American citizens in a further effort suppress, obstruct justice, and to keep Defendants’ illegal actions as secret as possible.”
The lawsuit is the first to emerge in the wake of the NSA leaks, which began last week with a series of articles in The Guardian and The Washington Post about the data collection from Verizon as well as a second program, known as PRISM, through which the NSA allegedly collects user data from a group of major Internet companies, including Google, Apple and Microsoft. Obama and other administration officials have sought to calm fears about the programs by saying that the government isn’t listening to the content of citizens’ phone calls.
The suit by Klayman alleges that the NSA programs violate the First, Fourth and Fifth Amendments.
“Defendants Obama, Holder, Alexander, and Vinson’s acts chill, if not ‘kill,’ speech by instilling in Plaintiffs, members of the Class, and over a hundred million of Americans the fear that their personal and business conversations with other U.S. citizens and foreigners are in effect tapped and illegally surveyed,” the suit says.
Image from the Flickr photostream of The COM Library.
Microsoft FixIt Tool Blocks Java Attacks in IE
Java is a security headache, not just for users and Oracle, its provider, but also for other software companies that have to deal with it, as well. Microsoft has taken steps to address this problem by releasing a FixIt tool that is designed to block all of the Web-based Java attack vectors in Internet Explorer, while still leaving the desktop Java functionality intact.
Attackers have had a field day with Java for years now and users have struggled to find ways to defend themselves, especially when patches have been slow to come from Oracle. Many attacks that have been successful over the last few years have targeted vulnerabilities in older versions of Java, finding plenty of machines with out-of-date Java applications. However there also has been a steady parade of zero day vulnerabilities in Java revealed either by security researchers or through their use by attackers.
To help users defend themselves against Web-based attacks using Java plug-ins in the browser, Microsoft’s FixIt tool will block all of the Web-based vectors for attack on all versions of Java.
“The Fix it solution consists of two parts. The first makes use of Windows Application Compatibility Toolkit, changing the behavior of Internet Explorer at runtime so that it will prevent the load of Oracle’s Java Web plugins. This is achieved by hooking all LoadLibrary* functions so that they return NULL (last error ERROR_FILE_NOT_FOUND) when attempting to load all Java ActiveX dlls (npjpi*.dll, jp2iexp.dll). The second part prevents Internet Explorer from automatically opening JNLP files. It does this by clearing the ACL (access control list) of the JNLP protocol handler registry location (HKCR\JNLPFile), thus preventing all user apps from reading its contents,” Cristian Craioveanu of the Microsoft Security Response Center wrote.
The new tool works to block Web attack vectors for Internet Explorer only. If you use an alternate browser such as Chrome or Firefox, this method won’t work. There are ways to disable the Java plug-in in each of the other browsers, typically by going in to the settings menu and removing it from the list of running plug-ins. The FixIt also doesn’t have any effect on desktop applications that use Java.
NSA Whistleblower Article Redirects to Malware
Update: Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware.
Hackers have latched on to the NSA surveillance story—literally.
A news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea researchers, who said they have contacted the news organization about the attack. The story is being linked to by the popular Drudge Report and it’s likely to have snared a pretty good number of victims so far.
The attack on the Free Beacon is similar to a previous watering hole attack carried out against a number of other Washington, D.C.-based media outlets, including radio station WTOP, Federal News Radio and the site of technology blogger John Dvorak. Invincea researcher Eddie Mitchell wrote on the company’s blog that several other Free Beacon pages are also serving javascript, including the site’s main index page. The javascript drops an iframe that sends traffic offsite to a page hosting the Fiesta Exploit Kit.
“This exploit appears to be the same as used against other media sites to infect readers of these websites and part of a concerted campaign against media sites to infect their visitors by exploiting vulnerabilities in Java,” Mitchell wrote.
Mitchell cautions that this attack isn’t being detected yet by security companies because signatures associated with the attack are different from previous campaigns.
The Free Beacon attack is infecting users with the ZeroAccess rootkit, as well as scareware. ZeroAccess is a virulent peer-to-peer botnet that has been folded into a number of commercial exploit kits including Blackhole. The malware makes outbound communication requests to a number of command and control servers including e-zeeinternet[.]com, cinnamyn[.]com and twinkcam[.]net, from where the additional malware is loaded onto victim machines.
A little more than a month ago, the campaigns against WTOP and sister station Federal News Radio were discovered. The exploits targeted Java and Adobe plug-ins and were used to spread scareware. Content on both stations is heavily political and the attacks could have been a jumping off point for a larger attack against federal employees who use the site as a resource. Unlike other watering hole attacks that lead to espionage campaigns against activists or political leaders, this one was serving malware usually associated with cybercrime.
The Dvorak site was also attacked a month ago and malware was discovered in the site’s WordPress configuration files. Invincea said at the time that it used Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. The browser was pulling a Java app from the attacker’s site and connecting to one of two Russian domains downloading Amsecure malware, part of the Kazy malware family, which is known for ransomware and scareware attacks. Three Java and Reader exploits were discovered on the Dvorak site: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. These exploits lead to a landing page hosting the Black Hole exploit kit and the Amsecure attacks.
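Two checks a site operator or network defender can run against the attack shape described above, as an added example written for this page rather than code from Invincea: scan a page for an iframe that is rendered invisibly and points off-site (the injected redirect), and match resolver log lines against the command and control domains the article lists, handling the defanged `[.]` notation. The HTML page, host names and log lines are constructed for the demonstration; only the three C2 domains come from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# C2 domains quoted in the article, kept in the article's defanged form.
DEFANGED_IOCS = ["e-zeeinternet[.]com", "cinnamyn[.]com", "twinkcam[.]net"]


def refang(ioc):
    """Turn a defanged indicator back into a matchable host name."""
    return ioc.replace("[.]", ".").replace("(.)", ".").lower().strip()


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for the usual tricks that keep an iframe out of the viewport."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d", style) is not None)


def find_injected_iframes(html_text, site_host):
    """Return hosts of iframes that load off-site content while rendered invisibly."""
    parser = _IframeCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.iframes:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        offsite = host and host != site_host and not host.endswith("." + site_host)
        if offsite and _is_hidden(attrs):
            findings.append(host)
    return findings


def _matches_ioc(qname, iocs):
    qname = qname.lower().rstrip(".")
    return any(qname == i or qname.endswith("." + i) for i in iocs)


def match_dns_log(lines, defanged_iocs):
    """Return (client, query) pairs from resolver log lines that hit an IoC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+).*?query=(\S+)", line)
        if m and _matches_ioc(m.group(2), iocs):
            hits.append((m.group(1), m.group(2).lower().rstrip(".")))
    return hits


# Constructed sample page: one legitimate embed and one injected, invisible iframe.
SAMPLE_HTML = """
<html><body>
<iframe src="http://video.news.example/player?id=42" width="560" height="315"></iframe>
<div class="story">...</div>
<iframe src="http://c2-landing.example/in.php" width="1" height="1"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>
"""

# Constructed resolver log lines (private client addresses, no real users).
SAMPLE_DNS_LOG = [
    "2013-06-10T14:02:11Z client=10.0.0.5 query=www.news.example. type=A",
    "2013-06-10T14:02:13Z client=10.0.0.5 query=cinnamyn.com. type=A",
    "2013-06-10T14:05:40Z client=10.0.0.9 query=update.twinkcam.net. type=A",
    "2013-06-10T14:06:01Z client=10.0.0.12 query=notcinnamyn.com. type=A",
]

if __name__ == "__main__":
    print(find_injected_iframes(SAMPLE_HTML, "news.example"))
    print(match_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS))
```

The domain match is suffix-based so subdomains of a listed C2 hit but look-alike names such as `notcinnamyn.com` do not; the iframe check is a heuristic, since the article notes the signatures for this campaign differ from earlier ones, and a legitimate tracking pixel can have the same shape, so findings are a prompt for a look at the page source rather than a verdict.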
IRC Botnet Leveraging Unpatched Plesk Vulnerability
Researchers have found a botnet exploiting a vulnerability in the Plesk hosting control panel, ramping up calls from experts to upgrade to current versions of the product.
A notice on the Plesk command injection vulnerability as well as exploit code was posted last week to the Full Disclosure list by a hacker called kingcope. The researchers who reported the botnet said they were seeing up to 40 infections per hour. Some Apache server configurations are also vulnerable, experts said.
Plesk is popular hosting software used to manage website configurations for any number of domains. Plesk is a Parallels product; the company is headquartered in Seattle and sells virtualization software in addition to products for web hosts.
The vulnerability enables remote code execution affecting PHP-CGI software. A Parallels advisory said the flaw affects Parallels Plesk Panel 9.2 and 9.0 for Linux/UNIX. Later versions are not vulnerable and users are urged to upgrade as soon as possible. However, Trend Micro vulnerability researcher Sooraj KS said this vulnerability differs from the one the company issued an advisory about because the exploit calls the PHP interpreter directly.
“This vulnerability is easily exploitable with the exploit code available and successful exploitation can lead to complete compromise of the system with web service privileges,” said Sooraj on the company’s Security Intelligence blog. “The vulnerability is caused due to PHP misconfiguration in the affected application.”
According to a Full Disclosure entry, the IRC botnet is sizable and is infecting webservers with a backdoor that instructs them to connect to a command and control infrastructure in the 118[.]97[.]x[.]x range. The host, the researchers said, was vulnerable to the Plesk exploit.
“We made use of this vulnerability to gain privileged access to the C&C server,” a researcher known as jtag said. “After doing so, we monitored attempts to connect to the IRC for several hours.”
Their forensic investigation of the C&C server found that 900 hosts running vulnerable Plesk software tried to connect to the control server. The researcher said a tool was written and used to disinfect the compromised hosts.
CERT Warns of Vulnerabilities in HP Insight Diagnostics
There are multiple vulnerabilities in HP’s Insight Diagnostics server management tool that could be exploited by an attacker to run code and let them take over an infected computer. There is currently no fix available for the problem.
According to an alert from the CERT Coordination Center, versions 9.4.0.4710 and earlier versions of HP’s software are at risk.
Two flaws are addressed in the vulnerability note: CVE-2013-3574, External Control of File Name or Path and CVE-2013-3573, Improper Neutralization of Special Elements in Output Used by a Downstream Component Injection.
A third, something CERT is calling Improper Control of Filename for Include/Require Statement in PHP Program, or CVE-2013-3575, is also mentioned.
When all of the vulnerabilities are combined, an attacker could remotely execute arbitrary PHP commands on a server with administrator privileges. When only the first two are combined, it grants an attacker the ability to inject arbitrary data into a file stored in an arbitrary location using the “devicePath” parameter.
According to CERT, the bugs were dug up by Markus Wulftange, a security consultant at the German IT firm Daimler TSS.
Intended for small and medium businesses, HP’s Insight Diagnostics is a Web-based tool that lets IT administrators troubleshoot and repair problems on Windows and Linux-based machines. While emails to HP asking when it plans to fix the vulnerabilities went unanswered on Monday, when it comes to fixes, HP usually sends email updates to customers when patches are released for their products.
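As an added illustration of the three weakness classes the CERT note names, not HP's code and not the Insight Diagnostics logic, the block below shows a hypothetical "devicePath"-style parameter handled the vulnerable way (caller picks the file name, caller data is concatenated raw into a line-oriented file) beside the hardened way (name allow-listed, path canonicalised and confined to a base directory, value encoded so a newline cannot add a record), plus the Python analogue of the include/require problem: anything loaded by name goes through an allow-list. The parameter name, file layout and module names are assumptions for the demonstration.

```python
import json
import os
import re
import tempfile

# Allow only a single plain file name: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
# Allow-list for anything loaded by name (the analogue of include/require).
ALLOWED_MODULES = {"disk": "diag_disk", "net": "diag_net"}


def validate_device_path(device_path):
    """Pure string check for a user-supplied file name; raises on anything else."""
    if not SAFE_NAME.match(device_path):
        raise ValueError("device path must be a simple file name")
    return device_path


def resolve_in_base(base_dir, name):
    """Canonicalise and confine: the resolved path must stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def unsafe_store(base_dir, device_path, value):
    """Vulnerable shape: caller-controlled path (external control of file name)
    and raw concatenation of caller data into a line-oriented file (injection)."""
    with open(os.path.join(base_dir, device_path), "a", encoding="utf-8") as f:
        f.write("device=" + value + "\n")


def safe_store(base_dir, device_path, value):
    """Hardened shape: validated name, confined path, newline-safe encoding."""
    target = resolve_in_base(base_dir, validate_device_path(device_path))
    with open(target, "a", encoding="utf-8") as f:
        f.write("device=" + json.dumps(value) + "\n")
    return target


def select_module(requested):
    """Analogue of include/require on user input: look the name up in an
    allow-list instead of using it to build a path or module name."""
    try:
        return ALLOWED_MODULES[requested]
    except KeyError:
        raise ValueError("unknown module") from None


def _rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    """Run both shapes in a scratch directory and report what happened."""
    tmp = tempfile.mkdtemp()
    # Constructed hostile value: the embedded newline smuggles in a second record.
    hostile = "sda\ndevice=injected"
    unsafe_store(tmp, "unsafe.cfg", hostile)
    safe_store(tmp, "safe.cfg", hostile)
    with open(os.path.join(tmp, "unsafe.cfg"), encoding="utf-8") as f:
        unsafe_lines = f.read().splitlines()
    with open(os.path.join(tmp, "safe.cfg"), encoding="utf-8") as f:
        safe_lines = f.read().splitlines()
    roundtrip = json.loads(safe_lines[0][len("device="):]) == hostile
    return {
        "unsafe_lines": len(unsafe_lines),   # 2: the injected record landed
        "safe_lines": len(safe_lines),       # 1: newline was encoded, not written
        "roundtrip_ok": roundtrip,
        "traversal_rejected": _rejected(safe_store, tmp, "../../etc/passwd", "x"),
        "absolute_rejected": _rejected(safe_store, tmp, "/etc/passwd", "x"),
        "module_rejected": _rejected(select_module, "../../../tmp/evil"),
    }


if __name__ == "__main__":
    print(demo())
```

The two path checks are layered on purpose: the name regex rejects traversal before the path is ever built, and `resolve_in_base` catches anything the regex might miss (symlinks inside the base directory, for example), so a later relaxation of the regex does not silently reopen the hole.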
Apple Store Vulnerable to XSS
There is a cross-site scripting vulnerability in the Apple Store Web site that is exposing visitors to potential attack. The vulnerability was discovered by a German security researcher who says he informed Apple about the problem in mid-May, but the vulnerability still exists.
The XSS vulnerability lies in store.apple.com, and the researcher, Stefan Schurtz, said he has tested it on several browser versions, including Internet Explorer 8 and 10, as well as Google Chrome 27. Schurtz provided proof-of-concept exploit code for the vulnerability in his advisory, which he posted on the Full Disclosure mailing list.
Schurtz said he contacted Apple about the XSS vulnerability on May 12 and the vendor responded within a day. He then contacted Apple a second time on May 29 with a question about the status of the advisory, again receiving a response later that same day. However, Schurtz decided to release the advisory on June 7 after four weeks without a resolution for the vulnerability.
Schurtz said that the bug is a DOM-based XSS vulnerability that affects visitors to the main Apple Store page. This kind of vulnerability involves a modification to the environment of the victim’s browser. Many other XSS exploits involve modifying the response from the Web server to exploit the vulnerability.
Share and Share Alike? Not Quite
DENVER – When it comes to information sharing, are companies too scared or too selfish to trade attack data?
A number of information security officers from high-profile companies debated the topic this week at the NG Security Summit and came to the conclusion that it’s a little bit of both.
Sharing of threat intelligence and real-world attack data has been the pot of gold at the end of the rainbow for this industry for more than a decade. Companies, however, are often reticent to share information because it’s either not scrubbed, can give away a competitive advantage or they’re gagged by general counsel on anything sensitive.
The result is an industry spinning its wheels on a topic that needs some traction. To give credit where credit is due, some organizations have publicly tried to lead the way. Google, The New York Times and a few others have been stung by targeted attacks and have gone the extra step to put information about indicators of compromise and potential attack sources out there for public consumption. But outside of a few formal sharing entities such as the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC, there’s been very little in the way of positive movement forward.
The FS-ISAC, said panelist Brian Phillips, global head of information security for retailer Macy’s, is trying to drive standards for information sharing by developing a standard language of communication. While that may work for the financial services industry, more effort has to be put in for it to cross market boundaries. For example, data has to be sanitized so that victims aren’t put at further risk or give up any competitive secrets about systems or processes.
“With retail, the challenge is that most of the companies we share with are direct competitors,” Phillips said. “From a security perspective, you have to get over that and share because we’re all facing the same challenges. There’s no way any of us will win the war on our own.”
Yonesy Nunez, senior vice president of information security for financial services giant CitiGroup, said organizations take time reaching a comfort level before they share within the FS-ISAC, Infragard or other groups trying to facilitate these exchanges.
“You have to be in it; you’re not going to get much out of it if you don’t participate in the forums and take part,” Nunez said, also pointing to the need for some standardization to ease hesitation over sharing. “Infragard has one format, other groups have other formats. As a participant, you should agree on what updates or threat documents will look like so you can take actionable events into your environment.”
Trust is an underlying issue with information sharing, the panelists said.
“Trust has to be the issue. We have to trust one another and understand that information security is a common thing to our organizations and it would be mutually beneficial to all of us to participate,” said Kevin McKenzie, CISO at Clemson University. McKenzie said groups he participates in vet members up front and potential issues are ironed out beforehand. “You have to give to get. It happens [that some don’t participate, just take]. I don’t have an issue with it if the information can help their systems from being compromised.
“But security is a shared responsibility. We often close ranks when something happens on our network,” McKenzie said. “It should be the other way around. We should be willing to share and put it out there. You might be next and if you’re forewarned, you can prevent downtime or disclosure issues.”
DNI Clapper Says NSA Programs Fully Authorized and Necessary
The top U.S. intelligence official addressed the recent revelations about the National Security Agency’s covert cell-phone and email data collection surveillance programs on Thursday, saying that the programs have been ongoing for years, are fully authorized under U.S. law and that the leaks regarding the programs are “reprehensible” and could endanger the country’s national security.
James Clapper, the director of national intelligence, issued two separate statements on Thursday in response to media reports on the classified order giving the NSA access to all of Verizon’s call metadata, saying that not only is the program lawful, but that it’s vital to protecting the country’s security and ferreting out potential terrorist activity. The data collection program is authorized under section 702 of the Foreign Intelligence Surveillance Act, and Clapper said that it specifically prohibits the NSA from targeting U.S. citizens.
“Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States,” Clapper said in his statement.
“Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.”
However, Cindy Cohn, legal director at the EFF, said that the programs Clapper describes likely still are beyond the scope of the laws on which they’re predicated.
“I think there are different orders, maybe under different legal authorities, but all unconstitutional, and likely beyond the scope of any reasonable reading of the governing statutes,” Cohn said. “The telco ones are likely different than the internet company ones. It also seems that the functionality of the two is different — Verizon is giving phone records to the NSA and the Internet companies are providing some sort of portal into their systems. But this is still a lot of guesswork.”
Clapper’s remarks follow the publication of a classified order from the Foreign Intelligence Surveillance Court that requires Verizon to turn over all phone metadata–including originating and terminating phone numbers, IMSI numbers and call duration–to the NSA. The program reportedly has been ongoing for at least seven years and privacy experts say that it likely includes the other major cell carriers, as well. Clapper said in a separate statement regarding the leak of the information that the broad scope of the data collection is necessary in order to find potential threat intelligence.
“The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism-related communications. Acquiring this information allows us to make connections related to terrorist activities over time. The FISA Court specifically approved this method of collection as lawful, subject to stringent restrictions,” Clapper said.
“By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization. Only specially cleared counterterrorism personnel specifically trained in the Court-approved procedures may even access the records.”
The statements from Clapper are rare public discussions of classified programs from the DNI. In an extraordinary move, Clapper responded to the leaks by ordering that some information about the surveillance program be declassified immediately and made public. It’s not clear which portions of his statement contain the declassified information, but Clapper said that it’s important for Americans to understand how the programs work and what they do and don’t include.
“Discussing programs like this publicly will have an impact on the behavior of our adversaries and make it more difficult for us to understand their intentions. Surveillance programs like this one are consistently subject to safeguards that are designed to strike the appropriate balance between national security interests and civil liberties and privacy concerns. I believe it is important to address the misleading impression left by the article and to reassure the American people that the Intelligence Community is committed to respecting the civil liberties and privacy of all American citizens,” he said.
Image from Flickr photostream of Medill DC.
Google Jacks Up Bug Bounties For Serious Vulnerabilities
Google has one of the older bug bounty programs in existence, and the company often makes changes to its rules in an effort to stay current with the security landscape. The latest change is another increase in the rewards that the company will pay to researchers who report certain bugs, including cross-site scripting in sensitive Web properties, to $7,500.
The changes to the top rewards are fairly significant, more than doubling the highest bounty available for certain bugs from $3,133.70 to $7,500. Specifically, Google is now offering the higher amount to researchers who find XSS vulnerabilities in https://accounts.google.com. That’s obviously a high-value target for attackers and Google is hoping that the increased reward will draw more attention to it from researchers, as well.
In addition to the higher reward for the XSS vulnerabilities in the accounts page, Google also now is offering $5,000, up from $1,337, for the same type of flaws in Gmail and Google Wallet. Researchers who report what Google deems significant authentication bypasses or information leaks in the company’s Web properties also will receive $7,500.
“Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa,” Google’s Michal Zalewski and Adam Mein said in a blog post.
“In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories.”
Google’s bug bounty program for its Chromium project began in early 2010 and the company followed that up several months later by expanding it to include Web properties such as Gmail, YouTube and others. Both programs have been quite successful, drawing thousands of submissions from researchers around the world. In the years since Google began its reward program, a number of other companies have followed suit, including Facebook, PayPal, Barracuda and others.
Image from Flickr photostream of Jason Taellious.
Five Bulletins, One Critical in Microsoft’s June Patch
Microsoft announced today in an advanced patch Tuesday notification that it will ship just five bulletins in the June edition of patch Tuesday.
Only one bulletin received the software giant’s most severe ‘critical’ rating: it will fix a vulnerability in Windows and Internet Explorer that could allow an attacker to execute code remotely. The remaining four bulletins received the next most severe ‘important’ ratings and will fix information disclosure, denial of service, and elevation of privilege bugs in Windows as well as a remote code execution flaw in Internet Explorer.
Ross Barrett, senior manager of security engineering at Rapid7, told Threatpost via email that he would be interested to see whether or not Microsoft fixes the kernel vulnerability that Google’s Tavis Ormandy recently disclosed publicly on the Full Disclosure mailing list. Ormandy’s decision to disclose the bug in this way stirred up controversy late last month, but the information security engineer from Google claimed that he only released the exploit code after the code had already been made available by another group.
Barrett said that Microsoft is slow to patch bugs for which there is no evidence of in-the-wild exploitation. However, he also claims that the press surrounding the Ormandy incident is just the sort of thing that has spurred the company to patch such bugs more quickly in the past. If the Redmond-based tech giant is planning a fix, he claims, it must be the fourth bulletin that is set to fix a privilege elevation vulnerability in Windows, though he also said that there has been a “condition that fits that profile, more or less, every month for the past year.”
Barrett ranked the only critical Internet Explorer bug as the highest priority patch and said that the second highest priority should be the remote code execution bug in Office.
Microsoft will post the official bulletins and host a webcast to address customer questions regarding the patches this coming Tuesday, June 12, at 1 PM EDT.
Microsoft, Authorities Disrupt Hundreds of Citadel Botnets with ‘Operation b54’
UPDATE – Calling it the company’s “most aggressive” botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.
More than 1,400 individual botnets associated with the Citadel malware affecting more than five million people in total were disrupted, with cooperation from the Federal Bureau of Investigation and interestingly, a civil seizure warrant issued by the U.S. District Court for the Western District of North Carolina.
Groups like the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA – The Electronic Payments Association, the American Bankers Association (ABA) and Agari, an email phishing authentication firm, all helped chip in intelligence as well.
While this was the seventh botnet operation of its kind coordinated by Microsoft, this is the first time the company has worked with the law enforcement sector to secure a civil seizure warrant to carry out its plans.
Richard Boscovich, the Assistant General Counsel of Microsoft’s Digital Crimes Unit wrote about the operation – codenamed Operation b54 – on the company’s Technet blog last night claiming the action won’t fully eradicate the Citadel malware but should “significantly” curb the botnet going forward.
“Due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,” he wrote, “however, we do expect that this action will significantly disrupt Citadel’s operation.”
Technical details on the operation are somewhat scant but Microsoft says the operation culminated yesterday after officials from Microsoft, assisted by U.S. Marshals, helped remove servers from two data hosting facilities in New Jersey and Pennsylvania. The takedown was set into motion last week after the North Carolina court order successfully cut off communication between the Citadel botnets, 1,462 in total, and their infected machines.
Agari, a Palo Alto-based email phishing authentication firm, had a big hand in helping Microsoft obtain the seizure warrant.
While the full operation took about a year, Agari spent six of those months poring over phishing emails that were pulling unsuspecting users into the Citadel botnet.
Agari CEO Patrick Peterson described how the company helped monitor emails that led to the seizure of the servers in Pennsylvania and New Jersey.
“Our whole system is designed to isolate these malicious emails and to get that forensic data for law enforcement, for our customers, for the industry to be able to track the bad guys,” Peterson explained. “In this case working with our partners, the FBI, Microsoft, FS-ISAC, we were able to customize the focus of that specifically around that Citadel botnet.”
The company monitored approximately 2.5 million malicious URLs every month and while not every one of those URLs led to the Citadel malware, all of them were pretending to come from a legitimate bank.
Agari is part of FS-ISAC’s Trusted Registry Program, a program dedicated to securing the emails the financial services industry sends out. FS-ISAC reached out to Microsoft about Agari’s wealth of phishing emails and the company joined the investigation from there.
“I think it’s a great day for everyone involved,” Peterson said. “It’s certainly a day when everyone on the internet is safer than they were yesterday and that doesn’t happen very often.”
The Citadel Trojan has been spotted mining all types of financial information, including banking logins and passwords since being introduced a year and a half ago. To date it’s believed the botnet is responsible for more than half a billion dollars in financial loss.
Peddled primarily on a handful of underground forums as a variant of the Zeus Trojan, the malware has long been cloaked in secrecy. Owners insist on distributing their kit among trusted insiders, hoping to keep law enforcement out and support costs down.
Microsoft has taken a hard line on cybercrime over the last several years, and much of that is due to the work being done by its Digital Crimes Unit. The DCU, a collection of Microsoft engineers, security experts and lawyers, has proved successful at shutting down botnets that are largely dependent on a centralized infrastructure, including Kelihos, Zeus, Waledac and Rustock.
In a discussion with Threatpost’s Dennis Fisher last month, T.J. Campana, the DCU’s Director of Security, claimed the group tries to take a transparent approach with its takedowns.
“We’re not just going out there shooting stuff. We walk in with a pile of legal documents. We’re asking for a judge to agree with what we found,” Campana said of the group’s actions at the time.
