Tuesday, September 20, 2011

Hackers attack high-tech military contractor, break into submarine manufacturing plant

Mitsubishi Heavy Industries, Japan's biggest defense contractor, has revealed that it suffered a hacker attack in August that caused some of its networks to be infected by malware.
The firm - which is involved in a wide range of activities including space rockets, the production of jet fighters, shipbuilding, and running nuclear power plants - said that 45 network servers and 38 PCs became infected with malware at ten facilities across Japan.
The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles.
The Japanese newspaper Yomiuri claimed that at least eight different pieces of malware, including some which stole data, were discovered at Mitsubishi sites.
A Mitsubishi spokesperson, however, was quoted as saying that "there is no possibility of any leakage of defense-related information at this point."
The company first noticed the attack on August 11th, and expects to have the results of an investigation into the security breach by the end of September.
If Mitsubishi Heavy Industries was targeted by hackers, the obvious question to ask is who was behind the attack and what was the motive?
Earlier this year we saw a series of cyber attacks against US military contractors, including Lockheed Martin, L-3 Communications and Northrop Grumman, and US Deputy Defense Secretary William Lynn publicly claimed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.
Whoever it was who attacked Mitsubishi Heavy Industries, and whatever their motive, it's clear that all organisations need to take computer security seriously.
Cybercriminals, whether state-sponsored or not, are interested in stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, and must ensure that your organisation has strong defences in place to reduce the risks.

Troj/PHPShll-B: Malware injects itself into WordPress installations

On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that had been found by Sophos products on one of their friend's websites.
When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.
So, I investigated a little more deeply - repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.
This time I saw:
>>> Virus 'Mal/Badsrc-C' found in file index.html
Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.
When you look at the last line of the index.html file you can see the appended malicious script tag:
Appended malicious script tag
As my colleague knew the affected website's owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.
Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:


When this code is run it decodes to some suspicious code:
stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...
The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:
<script src
Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.
What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.
If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.
Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.
Finally, always ensure that your website software is up-to-date and fully patched.
This hack appears to be widespread and website owners need to be vigilant.
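As an added example (not code from the original post or from Sophos), here is a small Python audit in the spirit of the advice above: it fingerprints the site's PHP files against a known-good baseline, flags the constructs seen in this injection (User-Agent checks for MSIE, base64_decode of an embedded literal) and decodes such literals so that a `<script src` payload becomes visible. The sample wp-config.php contents and the script URL in it are constructed placeholders.

```python
import base64
import re
from hashlib import sha256

# Constructed sample (not the real payload) reproducing the shape described
# above: output gated on an Internet Explorer User-Agent and produced by
# base64_decode() of an embedded literal. The script URL is a placeholder.
PLACEHOLDER_TAG = '<script src="http://example.invalid/a.js"></script>'
SAMPLE_WP_CONFIG = (
    '<?php\nfunction ua_check(){ if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")'
    '||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")){ return base64_decode("'
    + base64.b64encode(PLACEHOLDER_TAG.encode()).decode() + '"); } }\n'
    "/** The base configuration for WordPress */\ndefine('DB_NAME', 'wp');\n"
)
CLEAN_WP_CONFIG = "<?php\n/** The base configuration for WordPress */\ndefine('DB_NAME', 'wp');\n"

SUSPICIOUS = {
    "base64_decode(": "decodes embedded data at runtime",
    "eval(": "executes dynamically built code",
    "HTTP_USER_AGENT": "behaves differently depending on the visitor's browser",
}
MSIE_GATE = re.compile(r'HTTP_USER_AGENT"\]\s*,\s*"MSIE\s*\d')
B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]{12,})')

def decode_literal(b64: str) -> str:
    """Decode a base64 literal, repairing padding so truncated strings still decode."""
    body = b64.rstrip("=")
    return base64.b64decode(body + "=" * (-len(body) % 4)).decode("latin-1")

def scan_php(source: str) -> list:
    """Findings for one PHP file as readable strings; an empty list means nothing was flagged."""
    findings = [f"{needle}: {why}" for needle, why in SUSPICIOUS.items() if needle in source]
    if MSIE_GATE.search(source):
        findings.append("MSIE gate: payload served only to Internet Explorer")
    for match in B64_LITERAL.finditer(source):
        decoded = decode_literal(match.group(1))
        if "<script" in decoded.lower():
            findings.append(f"base64 literal decodes to {decoded[:12]!r}")
    return findings

def fingerprint(files: dict) -> dict:
    """Map path -> SHA-256 of contents; record this from a known-clean copy as the baseline."""
    return {path: sha256(text.encode()).hexdigest() for path, text in files.items()}

def changed_files(baseline: dict, current: dict) -> list:
    """Paths added, removed or modified since the baseline was recorded."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))

if __name__ == "__main__":
    baseline = fingerprint({"wp-config.php": CLEAN_WP_CONFIG})
    print("changed:", changed_files(baseline, fingerprint({"wp-config.php": SAMPLE_WP_CONFIG})))
    for finding in scan_php(SAMPLE_WP_CONFIG):
        print("  -", finding)
```

On a real site the baseline would be taken from a fresh WordPress download or a backup made before the infection, and any changed file then goes through scan_php.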

Automated Skype calls spread fake anti-virus warning [VIDEO]

As more and more people become acquainted with the tricks used by internet scammers and cybercriminals, so they are pressed to find new social engineering tricks in their hope of fooling the unwary.
One of the schemes we have heard of involves unsolicited calls via Skype, where an automated message (what I like to call a "Digital Dorothy") warns you in a semi-robotic voice that your computer's security is not up-to-date.
A Naked Security reader has pointed us to the following YouTube video, showing just such a scam call caught on camera. Fortunately, in this case, the recipient of the bogus call about his computer's security was wise to the scam and knew not to act upon it.
Warning: Some of the language used in this video is a little fruity.



In case you couldn't make it out on the video's soundtrack, here's what the automated call was saying:
"Attention: this is an automated computer system alert. Your computer protection service is not active. To activate computer protection, and repair your computer, go to [LINK]"
If you weren't aware of fake anti-virus (also known as scareware) scams like this you might well be worried enough to visit the website referred to in the message, where it will pretend to scan your computer's security.
Computer protection not active
Surprise, surprise... the website claims that you are not properly protected - and it urges you to install its software (a steal at $19.95).
Computer protection not active
I'm not sure I would want to trust any product which uses Skype spam techniques to advertise itself, and presented itself in such an underhand manner.
They seem to be keen for you to hand over your contact details (including your email address). For test purposes, I entered an email address - but haven't received a communication yet. One thing is for sure - I am not going to trust whatever they say in that email.
Computer protection not active. Now they want your contact details
Of course, if you don't want to receive unsolicited Skype calls the best thing to do is change your privacy settings so only users listed in your contacts list are allowed to get in touch with you.
Skype privacy settings
If you want to find out more about fake anti-virus or scareware attacks download the technical paper from SophosLabs: "What is Fake AV?" [PDF]

Flaw in OS X Lion allows unauthorized password changes

A researcher at the Defense in Depth blog has discovered a flaw in Apple's recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged-in user's password.
The flaw appears related to Apple's move towards a local directory service which has permissions set in an insecure manner.
An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user's password without knowing the existing password as would normally be required:

testmac:~ TestUser$ dscl localhost -passwd /Search/Users/TestUser
New Password:

Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder:

testmac:~ TestUser$ passwd
Changing password for TestUser.
Old Password: -OldPass-
New Password: -NewPass-
Retype New Password: -NewPass-


Not only can a logged-in user change their password without knowledge of the existing password, but you can read any other user's password hash and make attempts at brute forcing it.
Defense in Depth showed how you can parse the hash from openly readable directory information and recover both the hash and the salt used to hash the password.
This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available. Taking the following steps will help ensure you are protected:
  1. Use a secure password to prevent brute force attacks against your account using stolen hashes.
  2. Enable the screensaver and set it to prompt you for your password.
  3. Disable automatic logon.
  4. Never leave your Mac logged in and unattended. Use a "Hot Corner" or the Keychain lock to lock your screen.
Keychain preferences
The Keychain preferences window on OS X 10.7 offers a status bar icon for locking.
For more tips on securing your Mac check out our three part series on top tips for Mac OS X security.
This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.
CNET had reported that you can also change other users' passwords, but I was unable to replicate their findings.
Hopefully Apple will release an update soon; I was able to confirm with testers of OS X 10.7.2 that the flaw still exists in test builds.

Microsoft reissues update for Win XP/2003 for DigiNotar certificate revocation


Microsoft had to reissue an update for users of Windows XP and Windows 2003 today related to the compromise of certificate authority DigiNotar.
It was not related to further hacking, though; it appears to have been a quality assurance SNAFU at the software giant.
Microsoft has updated the known issues in security advisory 2607712 to refer to an updated advisory 2616766.
KB article 2616766 points out that the update shipped last week to remove the known compromised certificates from the trusted certificate list omitted the certificates known to have been in use in the wild.
Somehow Microsoft's Patch Tuesday update only removed additional certificates issued to DigiNotar by GTE and Entrust, but did not remove the original root certificates used to intercept communications in Iran.
Users of Windows XP and 2003 with automatic updating enabled will receive the updated patch automatically, but administrators who manually deploy patches using WSUS may be required to push update 2616676 a second time.
Even worse, the update requires users of XP and 2003 to reboot after applying the fixed update. Users of Windows 7, Vista, 2008 and 2008 R2 are unaffected.

Google Wallet - why you shouldn't throw away your wallet just yet


Google has announced, to some fanfare, what it hopes will be a revolution in the way we pay for things: Google Wallet.
Google Wallet is a smartphone app (currently only available for the Nexus S 4G Android phone) that aims to replace your credit cards.
It works like this. You go to a store (let's imagine it's a coffee shop), the barista hands you your steaming skinny caramel macchiato and a toasted onion bagel with low fat cream cheese and bacon, and rather than give them your credit card or reach into your pocket for some coins, you...
* take out your smartphone
* unlock it
* run the Google Wallet app
* enter the PIN for your Google Wallet app
* swipe your smartphone against the coffee shop's pay point.
How convenient!
The Google Wallet app uses NFC (near-field communications) technology in your smartphone to wirelessly debit the credit card you have linked with the application.
Here's a video that Google has produced describing Google Wallet.



Human nature being what it is, some people will be nervous of adopting this kind of technology to pay for goods. Just remember how long it took for some people to switch to using credit cards.
The PIN
It looks like Google recognises that some people will be fearful, and is keen for potential users to know that the Google Wallet app is protected by a four digit PIN.
Unless the PIN is entered, the NFC antenna is switched off - meaning that you can't make any purchases. Similarly, when the phone's screen is switched off, the NFC antenna is disabled.
The Google Wallet app insists that you re-enter your PIN every five minutes by default - something that I suspect many users will find irritating, and will change to a longer time period for more convenience and less security.
Another concern I have, though, is whether users will choose sensible PINs to protect their Google Wallet.
When you're waiting to slurp your steaming skinny caramel macchiato and munch on your toasted onion bagel with low fat cream cheese and bacon, will you be entering a PIN code that is convenient or one that is more secure?
Research published earlier this year revealed the top 10 passcodes that iPhone owners use to protect their devices, and we have to assume that Google Wallet users will be just as laissez-faire when choosing a PIN.
Top 10 most commonly used PIN codes
We already know that 67% of consumers don't have any form of password on their mobile phones.
It's hard to imagine that all users are going to choose a PIN code for their Google Wallet which is hard to crack, let alone different from the one which they should be using to protect all the rest of their smartphone.
So, if you lose your smartphone and have not chosen a sensible PIN code both for the device and a different one for your Google Wallet then there may be opportunities for criminals to take advantage.
Don't throw away your wallet just yet
I don't want to rain on the parade entirely, however. It's not Google's fault that people might choose dumb obvious PINs or use the same PIN code for their digital wallet as for the device itself (although Google might do some work to reduce the likelihood of those happening, or give an option for longer pass codes).
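To make the PIN concern concrete, here is an added Python example (not Google's code and not from the original post) of the kind of policy check the paragraph above suggests Google could add: it rejects runs, repeated patterns and reuse of the device's own PIN, accepts a caller-supplied blocklist standing in for a published top-10 list, and compares the search space of four- and six-digit PINs. The blocklist contents and the guessing rate are the caller's assumptions.

```python
import re

DEVICE_PIN_REUSE = "same PIN as the phone's own lock screen"

def pin_weaknesses(pin: str, device_pin: str = "", blocklist: frozenset = frozenset()) -> list:
    """Return the reasons a Wallet PIN is weak; an empty list means it passed every check."""
    if not re.fullmatch(r"\d{4,}", pin):
        return ["must be four or more digits"]
    reasons = []
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    # A run such as 1234 or 9876 has the same step between every pair of digits.
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        reasons.append("ascending or descending run")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        reasons.append("repeated half")
    if pin in blocklist:
        reasons.append("on the common-PIN blocklist")
    if device_pin and pin == device_pin:
        reasons.append(DEVICE_PIN_REUSE)
    return reasons

def search_space(length: int) -> int:
    """Number of distinct all-digit PINs of the given length."""
    return 10 ** length

def exhaustive_time_seconds(length: int, attempts_per_second: float) -> float:
    """Worst-case time to try every PIN at an assumed guessing rate."""
    return search_space(length) / attempts_per_second

if __name__ == "__main__":
    # Constructed stand-in for a published list of the most common passcodes.
    blocked = frozenset({"1234", "0000", "1111"})
    for candidate in ("1234", "2580", "9371"):
        print(candidate, pin_weaknesses(candidate, device_pin="2580", blocklist=blocked))
    print("4-digit vs 6-digit search space:", search_space(4), search_space(6))
```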
We may be a long way off throwing away our physical wallets entirely - as folks still like to carry around their receipts, driving license, business cards and some old fashioned bank notes - but we will see mobile devices being used more and more for commerce.
It's going to take some years for merchants to invest in the hardware to provide support for Google Wallet, and some may prefer to wait and see how the market plays out and if a rival option becomes more popular.
Always have a backup
I have one piece of advice though, which will probably hold true for many years to come. Think about this. What happens when your smartphone runs out of juice?
You won't be able to open your Google Wallet app to pay for the late night train ride home if the battery is flat. Then you'll be rueing not having a real credit card in your pocket or a couple of notes hidden in the sole of your shoes.

Vorce – Instant language translation app for iPhone




Vorce [voh-krey], an instant language translation app, allows users to communicate instantly with anybody from anywhere. It translates your voice into other languages instantly and magically speaks what you've said in the selected language when you flip the phone horizontally. The language options include English (US/GB/AU), Spanish, French, Italian, German, Japanese and Chinese.
Features of Vorce translation app for iPhone
  • In Person Speech-to-Speech Conversation Translation via accelerometer/orientation activation.
  • Simply shake the device to edit the translation, and it will be uploaded to the server.
  • You can purchase additional translation credits in-app, in addition to initial free credits.
  • Option to share the app via Facebook, Twitter, SMS, and Email.
Here is a short demo of the app




The app has also won Best Mobile App and Audience Choice Award at TechCrunch Disrupt event. Download Vorce translation app for iPhone (iOS 4.0 or later) from the Apple iTunes Store (select countries only) for free.

5 new userland exploits found, untethered iPhone 5 jailbreak imminent

Hacker pOsixninja from the Chronic Dev Team has announced the discovery of 5 new bootrom userland exploits which will be used to develop a jailbreak for Apple A5-based devices. The A5 chip is currently used in the iPad and is expected to be the chip powering the next-generation iPhone.

The 5 exploits discovered are userland (i.e. software-level) exploits and can be patched by Apple. What is more exciting is that pOsixninja believes that it will be the most amazing jailbreak so far, making its way to all exploitable firmwares. The team expects the next-generation iPhone to also sport the same chip, which will enable the team to develop an untethered jailbreak for it. With the number of jailbreak-only features that Apple has been adding to iOS, the importance of jailbreaking has certainly gone down. Are you excited by the prospect of an untethered jailbreak on your next iPhone?

Google Voice Actions for Android now supports British English, French, Italian, German and Spanish




Google Voice Actions, which lets you control your Android phone or tablet with voice commands, now supports additional languages: British English, French, Italian, German and Spanish. This lets users in the UK, France, Italy, Germany and Spain call contacts, send texts, browse the web and do much more using voice commands in their own language.
Just tap the microphone button on the Google search box, or hold the mic button in the app, and speak the voice command that performs the desired action. Some of the commands include:
  • send text to [contact] [message]
  • call [business]
  • call [contact]
  • go to [website]
  • navigate to [location/business name]
  • directions to [location/business name]
  • map of [location]