Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 11 – 15 March 2012
ThreatCon 1: Normal
Both Microsoft and Adobe have released
important security patches this week. Computer devices are at
elevated risk until they are patched.
TOP OF THE NEWS
Microsoft, Security Experts Warn ‘Wormable’ RDP Exploit
Will Come Sooner Than Later
As a follow-up to its usual Patch
Tuesday release this week, officials at Microsoft are warning users
that an exploit against the recently disclosed Remote Desktop
Protocol (RDP) vulnerability for Windows is likely to come in the
next 30 days. According to a supplementary entry on its Security
Research & Defence blog, Microsoft claims the “attractiveness”
of the RDP vulnerability may make it especially appealing to
hackers.
The hole is one of two
vulnerabilities patched by Microsoft Security Bulletin MS12-020
yesterday [Tuesday 13th] as part of March’s Patch Tuesday. While
the rest of the month’s bulletins ranged from important to
moderate, the company rated MS12-020 critical and urged users to
patch their systems as soon as possible.
The post, written by MSRC
Engineering’s Suha Can and Jonathan Ness, stresses that RDP comes
disabled on most computers and client workstations. RDP is a
protocol that allows users to remotely access a PC or server. To
exploit the vulnerability, hackers would simply need to send
malicious packets of information to an RDP-enabled system. Some
security experts have speculated that if exploited the hole could
spark the beginning of an onslaught of new worms, some perhaps
rivalling Conficker.
In an interview with Computerworld,
nCircle Security’s Andrew Storms warned the hole “has all the
ingredients for a classic worm,” pointing to its ability to allow
network code execution without authentication, among other traits.
Jason Miller, manager of research
and development at VMware, also speaking with Computerworld,
guaranteed the vulnerability would be analysed by hackers. "Hackers
want (vulnerabilities) that don't require authentication and are in
a part of Windows that's widely used. I guarantee that attackers
are going to look at this closely," Miller said.
Discussing the vulnerability with
ZDNet Australia, HackLabs’ director Chris Gatford likened the hole
to Microsoft’s critical MS08-067, which in 2008 allowed attackers to
run arbitrary code without authentication and was “used in the
crafting of a wormable exploit”. Four days after that bulletin, the
hole was being used by attackers and its exploit code had been
published on the Internet. Eight days later, Conficker launched,
leading to widespread head-scratching among researchers.
While Microsoft says it has not yet
seen any active exploits for MS12-020, at this point it seems only a
matter of time.
Source:
http://threatpost.com/en_us/blogs/microsoft-security-experts-warn-wormable-rdp-exploit-will-come-sooner-later-031412
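The practical question for a defender reading this item is simple: is RDP reachable on this host, and is the MS12-020 update installed? The read-only check below is added here as an example and is not from the article or from Microsoft. It assumes a placeholder KB identifier (the item does not give the update's KB number; take it from the bulletin) and reads the standard Terminal Server registry values, including Microsoft's Network Level Authentication (NLA) setting, which the article does not mention but which controls whether a client must authenticate before a full RDP session is set up.

```powershell
# Added example (not the article's or Microsoft's code): assess exposure to
# the MS12-020 RDP issue on the local Windows host. Read-only; changes nothing.

# ASSUMPTION: placeholder. Replace with the KB id listed in the MS12-020
# bulletin for this Windows version before relying on the 'patched' result.
$Ms12020Kb = 'KB<placeholder>'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled (the default state
# the MSRC post refers to); 0 means the host accepts RDP connections.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means NLA is required, so an unauthenticated client
# never reaches the full session-setup code path.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Policy can allow RDP while the service itself is stopped; check both.
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

# Get-HotFix lists installed updates; a missing id returns nothing.
$patched = [bool](Get-HotFix -Id $Ms12020Kb -ErrorAction SilentlyContinue)

# Rank the findings, worst case first. Network-reachable and unpatched is
# exactly the condition the "wormable" warnings above are about.
if ($rdpEnabled -and $svcRunning -and -not $patched) {
    $assessment = 'HIGH: RDP reachable and MS12-020 update missing - patch now'
    if (-not $nlaRequired) { $assessment += ' (NLA off: pre-authentication exposure)' }
} elseif ($rdpEnabled -and -not $patched) {
    $assessment = 'MEDIUM: RDP allowed by policy but service stopped - still patch'
} elseif (-not $patched) {
    $assessment = 'LOW: RDP disabled - patch in the normal cycle'
} else {
    $assessment = 'OK: MS12-020 update installed'
}

New-Object PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    ServiceRunning = $svcRunning
    NlaRequired    = $nlaRequired
    Ms12020Patched = $patched
    Assessment     = $assessment
} | Select-Object ComputerName, RdpEnabled, ServiceRunning, NlaRequired,
                  Ms12020Patched, Assessment | Format-List
```

Run it in an elevated PowerShell session on each host in scope; the same checks can be wrapped in Invoke-Command to sweep a fleet, which is how a team would actually find the exposed systems before the exploit window closes.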
China Cyber Warfare Skills a Risk to U.S. Military:
Report
China’s cyber warfare capabilities would pose a
danger to U.S. military forces in the event of a conflict over
Taiwan, according to a report by a U.S. congressional advisory
panel released March 8. The report by defence contractor Northrop
Grumman for the U.S.-China Economic and Security Review Commission
said China’s People’s Liberation Army (PLA) has placed great
emphasis on what is known as “information confrontation.” “Chinese
capabilities in computer network operations have advanced
sufficiently to pose genuine risk to U.S. military operations in
the event of a conflict,” the report said. “(PLA) leaders have
embraced the idea that successful warfighting is based on the
ability to exert control over an adversary’s information and
information systems,” it said. “PLA analysts consistently identify
logistics and (command-and-control) infrastructure as U.S.
strategic centres of gravity, which they would almost certainly
target,” the report said.
The 135-page report outlined a possible scenario
in the event of a U.S. defence of self-governing Taiwan — which
Beijing considers to be a part of its territory awaiting
reunification — from Chinese military attack. The PLA would target
U.S. systems with “electronic countermeasures weapons and network
attack and exploitation tools, likely in advance of actual combat
to delay U.S. entry or degrade capabilities in a conflict,” it
said. Difficulty in attributing responsibility for a cyber-attack
could hamper the U.S. response, the report warned. “Even if
circumstantial evidence points to China as the culprit, no policy
currently exists to easily determine appropriate response options
to a large scale attack on U.S. military or civilian networks in
which definitive attribution is lacking,” the report said. “Beijing
may seek to exploit this grey area in U.S. policymaking and legal
frameworks to create delays in U.S. command decision-making,” it
said.
The report also said that Chinese companies,
some with foreign partners supplying critical technology, were
giving the PLA access to cutting-edge research and technology. The
report warned that the PLA’s ties with large Chinese
telecommunications firms “creates an avenue for state sponsored or
state directed penetrations of supply chains for electronics
supporting the U.S. military, the U.S. government, and civilian
industry.” This has the potential to cause the “catastrophic
failure of systems and networks supporting critical infrastructure
for national security or public safety,” it said.
Michael Wessel, a member of the commission, said
the report “highlights China’s extensive development of cyber tools
to advance the leadership’s objectives.” “It’s getting harder and
harder for China’s leaders to claim ignorance and innocence as to
the massive electronic reconnaissance and cyber intrusions
activities directed by Chinese interests at the U.S. government and
our private sector,” Wessel said. “There’s clear and present danger
that is increasing every day.”
The commission was created by Congress to report
on the national security implications of trade and economic
relations between China and the United States and the report comes
as the Senate debates cybersecurity legislation.
In an unusually blunt report in November, a U.S.
intelligence agency accused the Chinese of being the world’s “most
active and persistent perpetrators” of economic espionage,
particularly in cyberspace. China has repeatedly denied state
involvement in cyber espionage against Western governments and
companies, including well-publicized attacks on Internet giant
Google that sparked a row between Washington and Beijing.
Source:
http://www.defensenews.com/article/20120308/DEFREG02/303080006/China-Cyber-Warfare-Skills-Risk-U-S-Military-Report
Security experts say China hacked secret F-35 fighter jet
plans from BAE Systems
Chinese spies hacked into computers belonging to
BAE Systems, Britain's biggest defence company, to steal details
about the design, performance and electronic systems of the West's
latest fighter jet, senior security figures have disclosed. The
Chinese exploited vulnerabilities in BAE's computer defences to
steal vast amounts of data on the $300 billion F-35 Joint Strike
Fighter, a multinational project to create a plane that will give
the West air supremacy for years to come, according to the sources.
The hacking attack has prompted fears that the fighter jet's
advanced radar capabilities could have been compromised.
Details of the attack on BAE have been a closely
guarded secret within Britain's intelligence community since it was
first uncovered nearly three years ago. But they were disclosed by
a senior BAE executive during a private dinner in London for cyber
security experts late last year. One of those present said: "The
BAE man said that for 18 months, Chinese cyber-attacks had taken
place against BAE and had managed to get hold of plans of one of
its latest fighters." BAE said: "We don't comment on allegations of
cyber-attacks against the company. BAE Systems' own cyber security
capability can detect, prevent and rectify such attacks."
A former US official, speaking last week on
condition of anonymity, said the BAE Systems element of the JSF
program had "almost certainly" been penetrated. However, he
cautioned: "There are lots of aspects of weapons development. At
least some aspects of it (the F-35 project) were targeted
successfully by the Chinese. They didn't steal everything that was
on that airplane, just some aspects."
The Chinese embassy in London described the
claims as a "baseless allegation". It said China condemned all
forms of online crime. Suspicions that the Joint Strike Fighter had
been targeted by Chinese hackers first emerged in the US media in
2009.
Source:
http://www.terminalx.org/2012/03/security-experts-say-china-hacked.html
Uncle Sam: If It Ends in .Com, It’s .Seizable
When U.S. authorities shuttered
sports-wagering site Bodog.com last week, it raised eyebrows across
the net because the domain name was registered with a Canadian
company, ostensibly putting it beyond the reach of the U.S.
government. Working around that, the feds went directly to
VeriSign, a U.S.-based internet backbone company that has the
contract to manage the coveted .com and other “generic” top-level
domains.
EasyDNS, an internet infrastructure company,
protested that the “ramifications of this are no less than chilling
and every single organization branded or operating under .com,
.net, .org, .biz etc. needs to ask themselves about their
vulnerability to the whims of U.S. federal and state
lawmakers.”
But despite EasyDNS and others’ outrage, the
U.S. government says it’s gone that route hundreds of times.
Furthermore, it says it has the right to seize any .com, .net and
.org domain name because the companies that have the contracts to
administer them are based on United States soil, according to
Nicole Navas, an Immigration and Customs Enforcement
spokeswoman.
The controversy highlights the unique control
the U.S. continues to hold over key components of the global domain
name system, and rips a Band-Aid off a historic sore point for
other nations. A complicated web of bureaucracy and Commerce
Department-dictated contracts signed in 1999 established that key
domains would be contracted out to Network Solutions, which was
acquired by VeriSign in 2000. That cemented control of
all-important .com and .net domains with a U.S. company – VeriSign
– putting every website using one of those addresses firmly within
reach of American courts regardless of where the owners are located
– possibly forever.
The government, Navas said, usually serves
court-ordered seizures on VeriSign, which manages domains ending in
.com, .net, .cc, .tv and .name, because “foreign-based registrars
are not bound to comply with U.S. court orders.” The government
does the same with the non-profit counterpart to VeriSign that now
manages the .org domain. That’s the Public Interest Registry,
which, like VeriSign, is based in Virginia.
Such seizures are becoming commonplace under
the Obama administration. For example, the U.S. government program
known as Operation in Our Sites acquires federal court orders to
shutter sites it believes are hawking counterfeited goods, illegal
sports streams and unauthorized movies and music. Navas said the
U.S. government has seized 750 domain names, “most with
foreign-based registrars.”
More on this story at:
http://www.wired.com/threatlevel/2012/03/feds-seize-foreign-sites/
THE REST OF THE WEEK’S NEWS
More Symantec Source Code Posted to Internet
As expected, hackers have released the source
code of Norton Antivirus 2006 on the net. According to the page on
The Pirate Bay where the 1.1GB file has been posted as a torrent,
the hackers go by the name of AntiSec and sympathise with the
Anonymous hacker group. The posting is dedicated to a number of
arrested LulzSec contributors whose release is called for by the
hackers.
While Symantec has confirmed the source
code's authenticity, the company has put the issue in perspective:
the code is part of the 2006 version and its release has been
anticipated for some time, said Symantec. The company added that
internal analysis shows that, because of the age of the exposed
code, there is no increased risk for the products in Symantec's
current anti-virus and endpoint security portfolios. The current
version's default security settings will suffice against any
possible threats that might materialise as a result of this
incident, said Symantec.
The code that has now been posted is believed
to be the second portion of a large cache of code that was exposed
during an incident in 2006. In February, the sources of pcAnywhere
were posted on The Pirate Bay after an unsuccessful attempt to
negotiate hush money. Symantec anticipates that the source code of
Norton Internet Security 2006 will also be posted on the net in the
near future.
Source:
http://www.h-online.com/security/news/item/Source-code-of-Symantec-Antivirus-posted-on-the-net-1468974.html
Researchers Ask for Help Identifying Mystery Code in
DuQu
Security researchers are appealing for help
after discovering that part of the Duqu Trojan was written in an
unknown programming language. Duqu is a sophisticated Trojan
reckoned to have been created by the same group behind the infamous
Stuxnet worm. While the finely tuned Stuxnet worm was designed to
home in on specific industrial control systems – namely systems
controlling high-speed centrifuges used by Iran's controversial
nuclear enrichment plants – Duqu was created to fulfil the slightly
different role of a backdoor where intruders could slip into
SCADA-based systems and nick confidential information.
Securo-boffins at Kaspersky Lab have
discovered during their research that Duqu uses the mystery code to
communicate with its Command and Control (C&C) servers once it
infects a compromised machine. Researchers at the Russian
anti-virus firm have named this unknown section the "Duqu
Framework".
Unlike the rest of Duqu, the Duqu Framework
is not written in C++ and it's not compiled with Microsoft's Visual
C++ 2008. The Kaspersky research team has gone some way in
unravelling the mystery language used by the Duqu Framework, but
still needs additional help. So far, the researchers have worked out
what the mystery code does, but are still mostly in the dark about
the grammar and syntax of the programming language, they said.
Kaspersky Lab researchers explained: "It
is possible that its authors used an in-house framework to generate
intermediary C code, or they used another completely different
programming language. However, Kaspersky Lab researchers have
confirmed that the language is object-oriented and performs its own
set of related activities that are suitable for network
applications.
The language in the Duqu Framework is
highly specialised. It enables the Payload DLL to operate
independently of the other Duqu modules and connects it to its
dedicated C&C through several paths, including Windows HTTP,
network sockets and proxy servers. It also allows the Payload DLL
to process HTTP server requests from the C&C directly,
stealthily transmit copies of stolen information from the infected
machine to the C&C and even distribute additional malicious
payload to other machines on the network, creating a controlled and
discreet form of spreading infections to other computers."
Having probably gone as far as they can,
Kaspersky Lab is appealing to the programming community for support
in analysing the mystery language used to build the malware. It
wants to hear from coders who recognise either a framework, toolkit
or a programming language that can generate similar code.
The creation of a dedicated programming
language to construct the communications module shows how skilled
the developers were, as well as providing evidence that significant
financial resources were ploughed into developing the Duqu Trojan
project. "Given the size of the Duqu project, it’s possible that an
entirely different team was responsible for creating the Duqu
Framework as opposed to the team that created the drivers and wrote
the system infection exploits," explained Alexander Gostev, chief
security expert at Kaspersky Lab. "With the extremely high level of
customisation and exclusivity that the programming language was
created with, it is also possible that it was made not only to
prevent external parties from understanding the cyber-espionage
operation and the interactions with the C&Cs, but also to keep
it separate from other internal Duqu teams who were responsible for
writing the additional parts of the malicious program."
Duqu was first detected in September 2011,
but Kaspersky Lab reckons the first trace of Duqu-related malware
dates all the way back to August 2007. The Russian security firm
has logged more than a dozen incidents of Duqu infection, with the
vast majority of victims located in Iran.
Source:
http://www.theregister.co.uk/2012/03/08/duqu_trojan_mystery_code_riddle
U.K. ISPs lose appeal, must pay legal fees of file-sharing
suspects
Under the United Kingdom's new Digital
Economy Act, Internet service providers must pitch in on the legal
costs incurred by people suspected of illegally sharing files on
their network, an appeals court has ruled.
According to the Guardian, a U.K. court today
ruled against an appeal brought by ISPs TalkTalk and BT. The
companies, as well as their competitors, now must pay 25 percent of
all "qualifying" costs related to establishing and operating an
appeals body for alleged file sharers. Ofcom, a U.K.-based
communications regulator, will pay the remaining 75 percent of the
costs.
U.K. ISPs, which will also pay 25 percent of
costs related to identifying alleged file sharers, received a
single reprieve from the court: they won't need to pay case fees
related to charges brought by the aforementioned appeals body.
Today's ruling now paves the way for the
U.K.'s Digital Economy Act to be enforced across the country. The
law, whose monetary ramifications have been under discussion for
nearly two years, requires providers to disconnect subscribers from
their broadband service, if they're found guilty of illegal file
sharing. In 2009, the operating managers of all of the country's
top ISPs spoke out against the bill. TalkTalk and BT were the last
companies standing in its way--until today.
Source:
http://news.cnet.com/8301-1009_3-57391558-83/u.k-isps-lose-appeal-must-pay-legal-fees-of-file-sharing-suspects
Browser Bug Hunters Collect Payoff in Pwn2Own
Researchers last Friday unveiled zero-day
vulnerabilities in Google's Chrome and Mozilla's Firefox during the
final day of two hacking challenges that awarded $210,000 to
contestants. The Chrome vulnerabilities were submitted by a teenage
researcher identified as "PinkiePie," who was only the second to
participate in the Google-sponsored "Pwnium" event. After verifying
that PinkiePie's work met Pwnium's requirement for a "full Chrome
exploit" -- meaning that the two bugs were in the browser's own
code and included a "sandbox escape" exploit -- Google awarded him
$60,000. It was the second such payout during the three-day event.
On Wednesday, Google paid $60,000 to Sergey Glazunov, a frequent
recipient of bounties paid by Google throughout the year. In
announcing PinkiePie's win, Jason Kersey, a Chrome program manager,
called the researchers' exploits "works of art." Kersey also
promised that Google would publish technical write-ups of the two
Pwnium submissions.
On Saturday, Google patched Chrome to fix
PinkiePie's vulnerabilities, the second time in three days that it
updated the browser within 24 hours of obtaining bugs. Also on
Friday, HP TippingPoint's Zero Day Initiative (ZDI) closed out its
"Pwn2Own" hacking contest, which like Pwnium ran March 7-9 at the
CanSecWest security conference in Vancouver, British Columbia.
On the last day of Pwn2Own, a two-man team --
Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox zero-day
to take the contest's $30,000 second-place prize. Iozzo and
Pinckaers, who also cranked out four other exploits of
previously-patched vulnerabilities during Pwn2Own's on-site
component, are no strangers to the contest. Last year, they made up
two-thirds of a team that won $15,000 by hacking a BlackBerry
smartphone.
A team from French security company Vupen won
Pwn2Own's first-place prize of $60,000 by hacking Chrome and
Microsoft's Internet Explorer earlier in the week. ZDI did not
award Pwn2Own's third-place prize of $15,000 because only two teams
participated in the contest. All told, the two events paid out
$210,000 in prize money, a record at CanSecWest.
The duelling challenges were not on the
original agenda for CanSecWest: A week before the conference
opened, Google withdrew its Pwn2Own sponsorship over objections to
that contest's practice of not requiring researchers to divulge
"sandbox-escape" exploits. Google then announced its own Pwnium,
and pledged to pay up to $1 million for hacks that exploited Chrome
zero-day vulnerabilities. The code execution vulnerabilities used
by the Vupen and Iozzo-Pinckaers teams during Pwn2Own will be
reported to vendors today, ZDI said on Twitter last Friday.
The only browser not targeted at Pwn2Own was
Apple's Safari, which went untouched for the first time in the
contest's six-year history.
Source:
http://www.pcworld.com/article/251671/browser_bug_hunters_collect_payoff_in_pwn2own.html
Porn site breached in hack attack
Hackers claim to have stolen the details of
more than 73,000 subscribers to porn site Digital Playground. The
data includes user names, email addresses and passwords. Also taken
were the numbers, expiry dates and security codes for 40,000 credit
cards. A previously unknown hacker group called The Consortium said
it was behind the attack. Subscribers to the site have been
contacted to let them know about the breach.
While Manwin investigates, the Digital
Playground site has been taken offline. It is not accepting new
members and its members’ area has also been taken offline. The
Consortium posted some of the data it stole on the web and said
security on the site was full of holes that "made it too enticing
to resist" stealing the data. "This company has security, that if
we didn't know it was a real business, we would have thought to be
a joke - a joke that we found much more amusing than they will,"
wrote The Consortium in a log posted on the web.
Visible in the log were admin login names and
passwords as well as a selection of the email addresses and user
names of some members. Internal emails, details of the four servers
underpinning the site and software licence keys were also posted.
The Consortium claims some of the credit card data was stored in
plain text form. The group claims to be connected to the Anonymous
and LulzSec hacker groups.
Porn producer Digital Playground is based in
California but its website is managed and run by Luxembourg-based
firm Manwin. The London office of the company declined to comment
on the attack. In a statement provided to porn industry news site
AVN, Manwin said it took over management of the site on 1 March and
said the breach may have occurred before it took charge. Manwin
management was overseeing the investigation and Digital Playground
subscribers had been contacted to let them know what had
happened.
In late February, details of more than 6,000
users of YouPorn's discussion forums, known as YP Chat, were
stolen. YP Chat stands separate to YouPorn which is administered by
Manwin. Lax security at a third-party provider was blamed for the
breach.
Source: http://www.bbc.co.uk/news/technology-17339508
GCHQ-backed competition names Cyber Security
Champion
A 19-year-old university student has been
named the UK's "Cyber Security Champion" following a competition
sponsored by the intelligence agency GCHQ and several leading tech
firms. Judges said Jonathan Millican had demonstrated knowledge
"years beyond his time". The award in Bristol marks the culmination
of a six-month long challenge designed to attract talented people
to the cyberdefence industry. It coincides with high-profile
attacks.
Last week the FBI charged six men - including
two in the UK - with computer hacking crimes which it said had
affected "over one million victims". The action prompted
retaliatory attacks by the Antisec-wing of the Anonymous hacktivist
movement.
On Saturday, James Jeffrey, from the West
Midlands, pleaded guilty to breaking into the website of the
British Pregnancy Advisory Service in a separate attack. He is
accused of stealing details of people who had contacted the
abortion provider.
The Sunday Times also reported that Chinese
spies had stolen information of the F-35 Joint Strike Fighter jet
from BAE Systems' computers. It said the incident had occurred
three years ago and had been revealed by a BAE executive at a
private dinner. The firm is not commenting. Chinese authorities
denied being behind any such incident.
Mr Millican won the competition after taking
part in a final series of challenges hosted by HP Labs which pitted
six five-person teams against each other on Saturday. These
involved advising an online start-up company how best to protect
itself against hackers during a role-playing exercise, and then
reconfiguring a computer network during a 15-minute long simulated
attack.
Although Mr Millican's team was beaten by a
rival, judges decided he still deserved the top prize. "He showed
great leadership, strong technical abilities and also demonstrated
that he understood the impact what he was doing would have on a
business," said Adam Thompson, the chief judge who works for
Hewlett Packard's security team. Other judges involved were
selected from sponsors, including the accountants
PricewaterhouseCoopers, telecoms giant BT, defence firm Cassidian
and the security technology maker Qinetiq.
Prizes were tailored towards each winner. Mr
Millican - a first year computer sciences student at Jesus College,
University of Cambridge - has been offered a paid follow-up masters
degree at Royal Holloway, University of London. He has also been
invited to visit communications intelligence agency GCHQ's
Cheltenham base.
Jonathan Hoyle, director general for cyber
security at GCHQ said: "It is through initiatives such as this that
organisations, be they in the public or private sector, can
continue to develop and maintain our leading edge in cyberspace by
being able to recruit the right people with the right skills."
Baroness Pauline Neville-Jones, the
competition's patron and the Prime Minister's special
representative to business on cybersecurity, added that she hoped
such events would encourage children to put their computer skills
to constructive use, rather than be tempted to take part in illegal
activities.
[Image caption: Finalists took part in a series of challenges held at HP Labs in Bristol]
"There are people who are hacking and
one of the worrying things is that they are regarded as heroes,"
she told the BBC. "They are involved in the betrayal of both
companies and ordinary people. We've seen cases of people's
personal email addresses and passwords and bank details being
posted online, opening these unfortunate individuals to crime. So
they are definitely not heroes."
Mr Millican said he was most interested in
the challenges posed by the more complex cyber-attacks - such as
the Stuxnet worm which attacked Iran's nuclear systems or the Duqu
Trojan suspected of being designed to gather intelligence from
industries' control systems. "We're going into an age of
cyberwarfare," he said. "Given all the critical systems we have in
this country that are connected to the internet it's very important
that there are experts out there that can keep people safe."
This was the second year the Cyber Security
Challenge has been held.
Organisers are now accepting applications for
their 2012/13 contest. They are planning changes to ensure that
some of the youngest entrants, who typically would not make it
through to the final stages, will be offered follow-up
coaching.
Source: http://www.bbc.co.uk/news/technology-17333601
ANALYSIS-In cyber era, militaries scramble for new
skills
With growing worries about the threat of
"cyber warfare", militaries around the world are racing to recruit
the computer specialists they believe may be central to the
conflicts of the 21st century. But whilst money is plentiful for
new forces of "cyber warriors", attracting often individualistic
technical specialists and hackers into military hierarchies is
another matter. Finding the people to command them is also tough.
After a decade of messy and relatively low-tech ground wars in Iraq
and Afghanistan, some senior western officers are if anything less
confident with technology such as smartphones and tablet computers
than their civilian contemporaries. But with the Pentagon saying
its computers are being attacked millions of times every day, time
is short.
"We are busy and we are getting busier every
day," Lt Gen Rhett Hernandez, a former artillery officer who now
heads U.S. Cyber Command, told a cyber security conference in
London last month organised by British firm Defence IQ. "Cyberspace
requires a world-class cyber warrior ... we must develop, recruit
and retain in a different way to today."
Even in an era of shrinking western military
budgets, funding for cyber security is ratcheting up fast. The
Pentagon's 2012 budget allocated $2.5 million to improve cyber
capabilities. In December, the U.S. Army announced its first "cyber
brigade" was operational, whilst the U.S. Navy and Air Force have
their own cyber "fleets" and "wings". Not only are they tasked with
protecting key U.S. military systems and networks, but they are
also working to build offensive skills that U.S. commanders hope
will give them an edge in any future conflict. These, insiders say,
include developing the ability to hack and destroy industrial and
military systems such as traffic and electricity controls.
"For better or worse, it is American military
thought that is leading American societal thought (in) how to think
about things cyber," former CIA director and Air Force Gen Michael
Hayden told a security conference in Munich this month.
European, Latin American, Asian and Middle
Eastern and other nations are seen following suit. Militaries that
had barely considered the Internet only a few years ago are building
new centres and training hundreds or even thousands of uniformed
personnel. Russia and China are believed to put even greater
emphasis on a field in which they hope to counter the conventional
military dominance of the U.S. But some worry much investment may
be wasted.
"My theory is that huge defence agencies -
having little clue of what cyber warfare is all about - follow
traditional approaches and try to train as many hacking skills as
possible," says Ralph Langner, the civilian German cyber security
expert who first identified the Stuxnet computer worm in 2010.
"(The) idea could be to demonstrate hypothetical cyber power by
sheer numbers, i.e. headcount." Many experts say the key to
successful operations in cyberspace - such as the Stuxnet attack
believed to have targeted Iran's nuclear program by reprogramming
centrifuges to destroy themselves - is quality rather than quantity
of technical specialists. "Only a very small number of people are
the top notch that you would want to employ for a high-profile
operation like Stuxnet," says Langner, saying that there might be
as few as 10 world-class cyber specialists. "These people will
probably not be covered with a military environment." Commanders
say they are trying to change that, relaxing rules on issues such
as hair length or fitness. But there are limits on how far such
loosening can go. While the U.S. Air Force and Navy have
significantly eased entry requirements for cyber specialists and
removed some of the more arduous elements from basic training, the
U.S. Army still requires its "cyber warriors" to endure regular
basic training.
Speaking on condition of anonymity, one
senior European officer with responsibility for cyber complained of
struggling to find suitable recruits in part because of competition
from the private sector. Agencies such as the U.S. National
Security Agency and Britain's GCHQ say they lose some of their best
talent to Microsoft and Google. But such agencies also pride
themselves on their ability to find and retain the kind of
eccentric expertise that would struggle to find its place in
armies, navies, air forces or regular government departments.
"Higher end capability isn't principally about spending large
amounts of money and having large numbers of people," says John
Bassett, a former senior GCHQ official and now senior fellow at
London's Royal United Services Institute. "It's about having a
small but sustainable number of very good people with imagination
and will as well as technical know-how and we may be more likely to
find them in an organisation like GCHQ than in the military."
Many experts say offensive cyber warfare
capability - particularly anything potentially lethal such as the
ability to paralyse essential networks - should be kept in the
hands of the directly accountable military, not shadowy spy
agencies. But most suspect the NSA, GCHQ and similar organisations
will retain a considerable lead in technology and sophistication
over their military counterparts. The U.S. NSA and military Cyber
Command are both located at Fort Meade outside Washington DC, and
intelligence experts say working closely together is already the
norm - with the former providing much support and expertise to the
latter.
Some other countries now appear keen to avoid
ploughing too much money into uniformed military cyber specialists
at all. Britain's Royal Corps of Signals and Royal Air Force in
particular have been keen to get their hands on a share of the
U.K.'s newly expanded 650 million-pound cyber budget, but much of
it is seen going straight to GCHQ.
What militaries in general and top commanders
in particular need to focus on most, specialists argue, is learning
to integrate the new tools and threats into their broader
conflict-related understanding and training. At the U.S. Naval War
College in Rhode Island, mid-career military officers conducting
"wargaming" exercises are now regularly confronted with the new
cyber dimension. Systems malfunction, supply chains are attacked,
and information corrupted or deleted.
Israel's raid on a suspected Syrian nuclear
weapons site in 2007, when a cyber-attack was believed to have been
used to disable Syria's air defence radar, is seen as a guide to
how cyber can work alongside more conventional military operations.
"It's a new form of warfare and it has to be appreciated, just as
in the past you had new developments - siege warfare, trench
warfare and air warfare," says Dick Crowell, associate professor of
military operations at the college.
Understanding of cyber warfare in military
circles is roughly analogous to the understanding of air power in
the 1930s, he said, clearly important in any future conflict, but
with the shape of its role still largely unclear. In new conflicts,
those in charge may need to learn on their feet.
"What's really important is that you have
senior commanders - three and four-star (general) level - who have
a good enough understanding of it to be able to integrate cyber
into wider military campaigns," says former GCHQ official Bassett.
"Cyber fits into the wider picture of warfare now, and they have to
understand that." (Additional reporting by William Maclean in
Munich; editing by Andrew Roche)
Source:
http://www.trust.org/alertnet/news/analysis-in-cyber-era-militaries-scramble-for-new-skills/
Via G Forbes @OCEANUSlive
Crouching tiger, hidden dragon, stolen data
Cyber-attacks that originate in China have
grown in both size and scope.
According to a whitepaper from penetration
tester and security consultancy Context, Chinese attacks are
targeted and designed to steal data that will furnish the
perpetrator with political, commercial and security/intelligence
information. It claimed that these requirements are carefully and
clearly identified, shared with a number of government departments
and constantly updated, and while there is evidence of worldwide
targeting, only a minority of attacks are identified and fewer
still are made public.
It said that the main protagonists in China
are believed to be the Third Department of the People's Liberation
Army, while the likely recipients of stolen commercial data are the
117 state-owned enterprises that dominate the economy. It said that
these companies are closely linked to the Communist Party, which
has power over strategy, senior management and even wages.
Spear-phishing tactics are often used,
according to the paper, with attackers targeting one person with an
email containing a malicious payload. Attackers also utilise
website vulnerabilities to download malicious code onto a machine
when a user clicks on a link in an email. Once the attacker has
this foothold on the network, they typically look to download and
use further hacking tools to escalate privileges to gain
administrative access to key internal servers such as domain
controllers or file servers. Once this is achieved, the attackers
typically use another remote desktop or laptop on the network to
collate the data stolen and exfiltrate it to their remote
servers.
The main government targets that the Chinese
state is most interested in fall into three groups: its nearest
neighbours (Japan, Taiwan, Tibet, Mongolia and the Muslim 'Stans'
to the west); other powerful states with international influence,
such as the US, Russia, the UK, Germany, France and India; and
finally states with strong economic links to China, including
Brazil, Iran, Australia, parts of Africa and South-East Asia.
The paper also claimed that while the attacks
have been going on since 2003, there is no incentive for China to
stop as the more stolen data is exploited for the benefit of
companies and the government, the greater the motive to continue
with these operations.
It added that governments and large companies
do not appear to be making much headway in solving this problem. It
said that a combination of a reluctance to act, chronic
under-investment in IT and a lack of user education about how to
spot the warning signs of a potential attack means companies and
organisations are extremely vulnerable.
It said: “In order to start rectifying the
problem there is a need in the first instance to understand the
problem. There needs to be an acceptance that this problem is not
going to go away, that this is a business risk, not an IT issue.
Doing business with China carries extra risk in terms of data
security, and traditional security products are unable to defend
your data against this type of attack.
“Investigation of compromises needs to be
thorough and conducted by people familiar with this problem and not
simply the technical aspects of it. Above all, sensitive data must
be segregated – it is not possible to defend everything.”
Source:
http://www.scmagazineuk.com/crouching-tiger-hidden-dragon-stolen-data/article/231587/?DCMP=EMC-SCUK_Newswire
China suspected of Facebook attack on NATO's supreme allied
commander
NATO’s most senior military commander has
been repeatedly targeted in a Facebook scam thought to have been
co-ordinated by cyber-spies in China, the Observer has learned. The
spies are suspected of being behind a campaign to glean information
about Admiral James Stavridis from his colleagues, friends and
family, sources say. This involved setting up fake Facebook
accounts bearing his name in the hope that those close to him would
be lured into making contact or answering private messages,
potentially giving away personal details about Stavridis or
themselves. This type of "social engineering" impersonation is an
increasingly common web fraud. NATO said it wasn't clear who was
responsible for the spoof Facebook pages, but other security
sources pointed the finger at China.
Last year, criminals in China were accused of
being behind a similar operation, which was given the codename
Night Dragon. This involved hackers impersonating executives at
companies in the US, Taiwan and Greece so that they could steal
business secrets. The latest disclosure will add to growing fears
in the UK and US about the scale of cyber-espionage being
undertaken by China. As well as targeting senior figures in the
military, the tactic has been blamed for the wholesale theft of
valuable intellectual property from some leading defence
companies.
The sophistication and relentlessness of
these "advanced persistent threat" cyber-attacks has convinced
intelligence agencies on both sides of the Atlantic that they must
have been state-sponsored. NATO has warned its top officials about
the dangers of being impersonated on social networking sites, and
awarded a £40m contract to a major defence company to bolster
security at the organisation's headquarters and 50 other sites
across Europe. A NATO official confirmed that Stavridis, who is the
supreme allied commander Europe (Saceur), had been targeted on
several occasions in the past two years: "There have been several
fake Saceur pages. Facebook has cooperated in taking them down… the
most important thing is for Facebook to get rid of them."
The official added: "First and foremost, we
want to make sure that the public is not being misinformed. Saceur
and NATO have made significant policy announcements on either the
Twitter or Facebook feed, which reflects NATO keeping pace with
social media. It is important the public has trust in our social
media." NATO said it was now in regular contact with Facebook
account managers and that the fake pages were usually deleted
within 24 to 28 hours of being discovered. Finding the actual
source in cases such as these is notoriously difficult, but another
security source said: "The most senior people in NATO were warned
about this kind of activity. The belief is that China is behind
this."
Stavridis, who is also in charge of all
American forces in Europe, is a keen user of social media. He has a
genuine Facebook account, which he uses to post frequent messages
about what he is doing, and where. Last year he used Facebook to
declare that the military campaign in Libya was at an end.
The threat posed by Chinese cyber activity
has been causing mounting concern in the UK and the US, where it is
judged to be a systematic attempt to spy on governments and their
militaries. They also accuse Beijing of being involved in the
anonymous theft and transfer of massive quantities of data from the
west. In a surprisingly pointed report to Congress last year, US
officials broke with diplomatic protocol and for the first time
challenged China directly on the issue. The National
Counterintelligence Executive said Chinese hackers were "the
world's most active and persistent perpetrators of economic
espionage".
It said China appeared to have been
responsible for "an onslaught of computer network intrusions". The
report also claimed that Chinese citizens living abroad were being
leaned on to provide "insider access to corporate networks to steal
trade secrets". The use of moles was, it said, a clear exploitation
of people who might fear for relatives in China.
Security analysts in Washington said they
believed China had undertaken comprehensive cyber-surveillance of
the computer networks that control much of America's critical
infrastructure. This has stoked a political debate on Capitol Hill,
where Democrats and Republicans are locked in an ideological battle
about how to tackle cyber threats. President Barack Obama wants to
introduce regulation to ensure companies are taking them seriously,
but that approach is opposed by Republicans, including Senator John
McCain.
James Lewis, a cyber expert from the Centre
for Strategic and International Studies thinktank in Washington,
said the time for dithering had passed. "We know that Russia and
China have done the reconnaissance necessary to plan to attack US
critical infrastructure," he said. "You might think we should put
protection of critical infrastructure at a slightly higher level.
It is completely vulnerable."
Shawn Henry, an executive assistant director
at the FBI, told the Observer that the agency was dealing with
thousands of fresh attacks every month. "We recognise that there
are vulnerabilities in infrastructure. That's why we see breaches
by the thousand every single month," he said. "There are thousands
of breaches every month across industry and retail infrastructure.
We know that the capabilities of foreign states are substantial and
we know the type of information they are targeting."
The department of homeland security has been
tasked by the White House with countering the cyber threat, but
without making people lose confidence in the web. Its senior
counsellor for cyber-security, Bruce McConnell, said: "The internet
is civilian space. It is a marketplace. Like the market in Beirut
in the 1970s, it will sometimes be a battleground. But its true
nature is peaceful, and that must be preserved."
Source:
http://www.guardian.co.uk/world/2012/mar/11/china-spies-facebook-attack-nato
Via G Forbes @OCEANUSlive
Court date set for alleged Michael Jackson hackers
The trial of two UK men accused of hacking
into Sony systems and downloading Michael Jackson's back catalogue
is to begin on 7 January 2013 at Leicester Crown Court, solicitor
Karen Todner has told ZDNet UK.
James Marks and Jamie McCormick are "eager to
point out to Michael Jackson's fans and family that they would
never do anything to harm the legacy that is Michael Jackson's
music," and deny the allegations against them, Todner said in a
statement on Wednesday.
The alleged theft of Jackson's back catalogue
from Sony occurred at around the same time as LulzSec hacking
attacks on Sony Entertainment. Marks and McCormick are not accused
of taking part in the LulzSec attacks, Todner told ZDNet UK.
Source:
http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/court-date-set-for-alleged-michael-jackson-hackers-10025576/?s_cid=169
Iran Defence Forum users' logins compromised and
leaked
A hacker using the name "Le0n B3lm0nt" claimed to
have hacked into the Iran Defence Forum website (irandefence.net)
and leaked the user details of all 3,212 members, including their
usernames, emails and passwords. Iran Defence Forum is an
independent forum that is not associated with the Iranian
government; it is neither affiliated with any governmental or
regulatory agency nor related to any political or religious
entity.
The hacker leaked the database in a Pastebin note.
Two days earlier, Iran hacked BBC Persian TV. That attack is part
of a broader attempt by the Iranian government to disrupt the
BBC's Persian service, and follows various other tactics by the
government, such as harassment, arrests, and threats against the
relatives of BBC Persian correspondents who still live in Iran, in
an effort to force the journalists to quit the Persian news
service.
Source:
http://thehackernews.com/2012/03/iran-defense-forum-users-logins.html
APT-Type Attack A Moving Target
Targeted attacks are evolving faster than
victims can detect them, and it's not just about cyber-espionage
anymore, either: Financially driven cybercriminals are also using
advanced persistent threat (APT) methods for longer staying power
in order to increase their spoils. The APT attacker
traditionally has been associated with Chinese cyberspies, but the
types of attacks waged to steal intellectual property are
increasingly blurring as new players and regions enter the
landscape. Among the newcomers to this attack model are
traditional, financially motivated cybercriminals and cyberspy
attackers from Russia.
Recent research from Mandiant, HBGary, and
Trustwave SpiderLabs demonstrates how the advanced targeted attack
is becoming increasingly difficult to pin down.
While most organizations rely on security
tools that detect malware, that's only part of the advanced attack
equation, security experts say. "There are so many [of these]
attacks going on now," says Greg Hoglund, CEO of HBGary, who says
his firm is tracking around 18 different APT groups. "You're not
looking for just malware -- it's behaviour you're looking for. They
leave behind forensic evidence, [namely] things your employees
don't do."
Mandiant, in its new annual M-Trends report
on advanced threats, also says finding the malware from an APT or
advanced attack is only the tip of the iceberg. According to data
gathered by Mandiant in its investigations for clients,
malware-infected machines represent only 54 percent of the systems
compromised in the attack. In all cases, the attackers employed
stolen, legitimate user credentials to move about the network. And
these attackers aren't always coming up with their own zero-day
attacks, either. In 77 percent of the cases Mandiant investigated,
the attackers had used publicly available malware.
Mandiant and other security firms are also
finding that the persistent, under-the-radar technique
traditionally employed by Chinese hackers for stealing intellectual
property is now also being adopted by cybercriminals out for
financial gain rather than IP.
Researchers at Trustwave SpiderLabs have
noticed that trend, as well. Nicholas Percoco, senior vice
president and head of Trustwave SpiderLabs, recently noted this
shift when discussing the firm's latest Global Security Report for
2011. "Attackers are becoming more sophisticated and without being
detected," he said in an interview last month with Dark Reading.
"Smash-and-grab attacks are few and far between. It's all about
persistency: You hear a lot about espionage and APT attacks. But
there's no reason why organized crime groups after financial
information would not want to be using the same techniques [APTs]
are."
Mandiant's report echoed the same trend.
While these financially motivated attackers have often used the
"smash-and-grab" approach with simple tools, that's changing,
according to Mandiant. "Organized crime groups are adopting
persistence mechanisms previously used by the advanced persistent
threat. The long-term access these techniques enable allows the
attacker to steal more data over a longer period of time to gain
access to more lucrative data, and to ensure their data is as
fresh as possible," according to Mandiant.
Among their weapons of choice for staying put
longer and under the radar that Mandiant has seen are custom
backdoors, publicly available backdoors, Web shells, Metasploit
Meterpreter, and remote access utility tools. But it's the
attacker's lateral movement within the targeted organization that
can go unnoticed and incur the most damage. "A company could have
50,000 nodes, and you may find 100 machines exhibiting [certain
behaviours]," some of which appear normal, but then another raises
suspicion, such as a user opening up an interprocess communication
port, Hoglund says.
Mandiant says that only 6 percent of victim
organizations they helped discovered the attacks on their own. Most
found out from external sources, including law enforcement. And
these attacks typically go on for more than a year before they are
found out.
While most of these attacks have ties to
China, Russia is also increasingly showing up on the radar
screen. Both Mandiant and HBGary's Hoglund report spotting such
activity out of Russia. "The two biggest threats to the U.S. are
Russia and China," Hoglund says. "We've caught false flags before
... Russian [attackers] trying to insert Chinese language in there"
to appear to be Chinese attackers, he says.
The trick is spotting and analysing the
behaviours and not just the malware, security experts say. And
don't assume you're immune, because these attacks are spreading
across various industry sectors. According to Mandiant's report, 23
percent of the attacks are hitting the communications industry; 18
percent, aerospace and defence; 14 percent, computer hardware and
software; 10 percent, electronics; 10 percent energy and oil and
gas; and 25 percent in other various industries.
"I'm meeting more CSOs saying, 'All I care
about is APT,'" says Bruce Schneier, CTO of BT Counterpane. "It's
now all about agile security and detection."
Source:
http://www.darkreading.com/security-monitoring/167901086/security/attacks-breaches/232602533/apt-type-attack-a-moving-target.html
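The behaviour-first point above (look for things your employees do not do, such as one stolen credential fanning out across many servers), and the privilege-escalation and lateral-movement chain described in the Context summary earlier in this issue, can be checked with a small detection over logon records. This is an added example, not code from the article, Mandiant, HBGary or any other vendor; the log format, host names, time window and thresholds are all constructed assumptions.

```python
"""Behaviour-based detection of lateral movement with valid credentials.

Added example, not from the article or any vendor's tooling. The log
format is a constructed, simplified "successful network logon" record:
ISO timestamp, account, source host, destination host. Real Windows
logon events carry the same fields under different names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: routine activity, plus one account reaching many
# servers (including domain controllers) within a few minutes at night.
SAMPLE_LOG = """\
2012-03-13T09:02:11 jsmith WKS-0412 FILESRV-01
2012-03-13T09:15:40 jsmith WKS-0412 MAIL-01
2012-03-13T12:30:05 helpdesk WKS-0099 WKS-0101
2012-03-13T14:11:02 helpdesk WKS-0099 WKS-0233
2012-03-13T22:41:03 bjones WKS-0777 FILESRV-01
2012-03-13T22:41:19 bjones WKS-0777 FILESRV-02
2012-03-13T22:41:44 bjones WKS-0777 DC-01
2012-03-13T22:42:08 bjones WKS-0777 DC-02
2012-03-13T22:42:31 bjones WKS-0777 HR-DB-01
2012-03-13T22:43:02 bjones WKS-0777 BACKUP-01
"""


def parse_logons(text):
    """Parse the constructed format into sorted (time, user, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)


def detect_fan_out(events, max_hosts=4, window=timedelta(minutes=10)):
    """Flag accounts that log on to more than max_hosts distinct destinations
    inside a sliding time window. Returns one alert dict per flagged account.
    """
    by_user = defaultdict(list)
    for ts, user, src, dst in events:
        by_user[user].append((ts, src, dst))
    alerts = []
    for user, logons in by_user.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward so logons[start..end] fits in it.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, _, dst in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append({
                    "user": user,
                    "window_start": logons[start][0],
                    "sources": sorted({s for _, s, _ in logons[start:end + 1]}),
                    "hosts": sorted(hosts),
                    # Constructed naming convention: "DC-" marks a domain controller.
                    "domain_controllers": sorted(h for h in hosts if h.startswith("DC-")),
                })
                break  # one alert per account is enough to start triage
    return alerts


def run_sample():
    return detect_fan_out(parse_logons(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['user']} reached {len(a['hosts'])} hosts from {a['sources']} "
              f"within 10 min of {a['window_start']}: {a['hosts']}")
```

The threshold and window are deliberately crude; in practice they are tuned per account class (service accounts and helpdesk staff legitimately fan out), which is exactly the baseline-of-normal behaviour the quoted experts are describing.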