
Threat Weekly – A Situational Awareness Report from our Technical Security Team

Volume 2, Issue 3 – 19 January 2012

ThreatCon 2: Elevated

Both Microsoft and Adobe have released important security patches this month. Systems remain at elevated risk until those patches are applied.

TOP OF THE NEWS


Government Sets 20 Critical Controls as Roadmap to Improve National Cyber Security

The Centre for the Protection of National Infrastructure (CPNI) has released a new guidance document detailing the 'Top Twenty Critical Security Controls'. CPNI are working in conjunction with SANS to provide a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defence.

Source: http://www.cpni.gov.uk/advice/infosec/Critical-controls/


Zappos coughs to HUGE data breach

Online shoe and apparel retailer Zappos.com has apologised over a massive data breach that exposed the personal details of millions. Up to 24 million customers of the Amazon subsidiary may have been affected by the breach, which exposed names, email addresses, postal addresses, phone numbers, and password hashes. Zappos stressed that credit card data was not exposed. Hackers may have been able to lift the last four digits of credit card numbers but nothing beyond this, according to the e-tailer.

Accounts or passwords maintained with parent firm Amazon.com are not affected by the problem.

At the time of writing on Monday morning, Zappos is blocking international traffic to its blog, so customers outside the US are unable to see chief exec Tony Hsieh's explanation on how the breach happened, which was posted late on Sunday night. Hsieh said hackers “gained access to parts of our internal network and systems” through one of the firm’s servers in Kentucky, The New York Times reports. Zappos has reset passwords and is in the process of notifying customers about the breach. In the aftermath of the data spillage, Zappos has suspended its telephone support operation, asking customers to contact it only via email.

Users who reused their Zappos login credentials on other sites would be advised to change those passwords promptly, Hsieh said. The breach can be expected to result in an increase in regular spam and is likely to spawn phishing attacks, so even security-conscious users ought to be wary.

Source: http://www.theregister.co.uk/2012/01/16/zappo_breach/


Cyber Conflict Heating up in the Middle-East

Following on from the original cyber-attack against the Bank of Israel two weeks ago and the subsequent reprisal hacktivist attacks instigated by an Israeli hacker, cyber attackers have targeted the Israeli stock exchange, several banks and El Al airlines. None of the websites contained sensitive information, and trading and flights were not affected. But the on-going salvos by hackers who use anti-Israel language in their posts have revealed how vulnerable Israel is to cyber warfare, despite its sophisticated computer security units in the military and its advanced high-tech sector.

Written by: D Gray VCSL


Microsoft to scale up its threat intelligence sharing

Microsoft wants to be a better neighbour when it comes to fighting cyber attackers. The software giant announced this week that it plans to soon make available a real-time, hosted threat intelligence feed to security companies, government agencies and private industry as part of its efforts to share data concerning the origins of malware attacks. As proof that it's got the goods to help others, Microsoft points to its successful disruptions of the pernicious Waledac and Rustock botnets.

Microsoft plans to provide the feed's application programming interface (API) for free, but did not indicate if it planned to charge for the feed itself, according to reports. As part of its on-going anti-botnet initiative, formally known as Project MARS, Microsoft observes malware-infected IP addresses of computers that attempt to "phone home" and receive instructions, even after the command-and-control structure has been deactivated, a company spokesman told SCMagazine.com via email. Microsoft works with internet service providers and computer emergency response teams from around the world to help them clean up the damage and assist customers whose machines may have been compromised.

The goal now is to get that information into the hands of others so they can react more quickly to threats and build viable defences, all in the name of protecting Microsoft customers.

"Microsoft learns more about the threat landscape from each of our botnet takedown operations," a company spokesman said. "The company is looking for ways to share the knowledge and threat intelligence gained in each operation to further protect internet-connected systems. As such, we also continue to explore ways to make the information learned from our takedowns more readily available to others who can take action to address infections in a more systemic and on-going manner, as was discussed at this week's conference."

Microsoft is aware of privacy concerns and, as a result, plans to strip all personally identifiable information, such as credit card and Social Security numbers, out of the data stream. Releasing such information could lead to identity theft or violate other federal and state laws. Security executives seemed impressed by Microsoft's mission to provide credible and reliable information.
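The workflow described above (sinkhole observations of infected machines still trying to phone home after a takedown, grouped by network owner and shared with ISPs and CERTs with identifying data stripped) is easy to get wrong at the PII step. The following is an added example for this issue, not Microsoft's Project MARS code or data format: the address ranges (RFC 5737 documentation space), the owner names and the sinkhole log lines are all constructed, and the beacon query string stands in for whatever machine-specific data a real bot sends.

```python
"""Turn sinkhole 'phone-home' observations from a dismantled botnet into
per-network abuse reports with the beacon payload stripped out. This is an added
illustration, not Microsoft's Project MARS code or data format; the address
ranges (RFC 5737 documentation space), owners and observations are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: source IP|UTC timestamp|bot family|raw beacon query.
# The beacon query carries machine-specific data that must not be passed on.
OBSERVATIONS = """\
203.0.113.17|2012-01-16T02:14:09Z|rustock|id=WKS-JSMITH&v=2
203.0.113.17|2012-01-16T02:44:10Z|rustock|id=WKS-JSMITH&v=2
203.0.113.200|2012-01-16T03:01:55Z|waledac|id=HOME-PC&v=1
198.51.100.9|2012-01-16T03:02:01Z|rustock|id=ACCT-LAPTOP&v=2
192.0.2.77|2012-01-16T03:05:30Z|rustock|id=X&v=2
"""

# Constructed allocation table; in practice this comes from WHOIS/ASN data.
NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "isp-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp-b"),
]


def parse_observations(text):
    """Parse the pipe-delimited sinkhole log into (ip, timestamp, family, beacon)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, family, beacon = line.split("|")
        rows.append((ipaddress.ip_address(ip), ts, family, beacon))
    return rows


def owner_of(ip, networks):
    """First matching allocation; the constructed table has no overlaps, so no
    longest-prefix logic is needed here."""
    for net, owner in networks:
        if ip in net:
            return owner
    return None


def build_reports(rows, networks):
    """Group infected sources by network owner. Only the address, bot family,
    first/last seen and hit count are kept; the beacon payload is dropped."""
    reports = defaultdict(dict)
    unattributed = []
    for ip, ts, family, _beacon in rows:  # _beacon deliberately unused
        owner = owner_of(ip, networks)
        if owner is None:
            unattributed.append(str(ip))
            continue
        entry = reports[owner].setdefault(
            str(ip), {"family": family, "first_seen": ts, "last_seen": ts, "hits": 0})
        entry["hits"] += 1
        # Same-shape ISO 8601 UTC strings compare correctly as text.
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return dict(reports), unattributed


def render_report(owner, entries):
    """One plain-text notification per network owner."""
    lines = [f"Abuse report for {owner}: {len(entries)} infected address(es)"]
    for ip in sorted(entries, key=ipaddress.ip_address):
        e = entries[ip]
        lines.append(f"  {ip}  {e['family']}  first={e['first_seen']}  "
                     f"last={e['last_seen']}  hits={e['hits']}")
    return "\n".join(lines)


if __name__ == "__main__":
    reports, leftover = build_reports(parse_observations(OBSERVATIONS), NETWORKS)
    for owner, entries in reports.items():
        print(render_report(owner, entries))
    print("Unattributed sources (need manual WHOIS):", leftover)
```

The design point is that the report is built from a whitelist of fields rather than by deleting known-bad ones: anything the bot volunteered in its beacon never reaches the recipient, and sources that cannot be attributed to an owner are held back for manual handling instead of being sent to the wrong party.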

Art Coviello, executive chairman of RSA Security, told SCMagazine.com this week that he hopes information-sharing efforts such as these "go viral" because they can serve as helpful deterrents of advanced persistent threats. RSA itself plans to release a report on intelligence-driven security next week. Bill Boni, vice president and CISO of T-Mobile USA, told SCMagazine.com that the massive amounts of data Microsoft could provide might “remove the denial barrier” some companies have about data security.

Source: http://www.scmagazine.com/microsoft-to-scale-up-its-threat-intelligence-sharing/article/223144/


THE REST OF THE WEEK’S NEWS


Court-Martial Recommended for Manning

An Army investigating officer recommended Thursday that accused leaker Pfc. Bradley Manning face a court-martial for his alleged role in providing massive amounts of classified information to anti-secrecy group WikiLeaks. The ruling came after a preliminary hearing last month in which prosecutors presented evidence appearing to link Manning with the security breach, including chat logs between him and WikiLeaks co-founder Julian Assange. Manning faces 22 counts, including aiding the enemy, and could face life in prison if convicted.

The investigating officer, Lt. Col. Paul Almanza, found that the charges presented at the preliminary hearing offered reasonable evidence that Manning had committed the offenses alleged. Manning, 24, worked as an intelligence analyst in Baghdad and was detained in May 2010 and charged that July.

Manning is accused of leaking hundreds of thousands of documents to WikiLeaks. They include State Department cables, daily field reports from the wars in Iraq and Afghanistan, detainee assessments from Guantanamo Bay, and a 2007 Army video of an Apache helicopter firing on civilians. Manning, a native of Crescent, Okla., was stationed at Forward Operating Base Hammer near Baghdad in November 2009. Manning first contacted Assange the same month he deployed to Baghdad. Investigators recovered a memory card from Manning’s aunt’s home in Potomac, Md., that contained Afghanistan and Iraq field reports. He had left the card there in January 2010 during home leave.

In the preliminary hearing, more than 20 of Manning’s associates testified about his mental state, work product and training. The prosecution presented evidence showing that Manning had been well trained on the handling of classified information and would have been aware of the military regulations restricting the dissemination of classified documents.

Defence attorney David Coombs argued that Manning’s superiors should have recognized signs that he was mentally unstable and stripped him of his access to classified information. He also argued that the military had overcharged Manning and made a plea to reduce the charges from 22 to three.

Another military body, called a convening authority, will make the final decision on whether to refer the case to a general court-martial.

Source: http://www.washingtonpost.com/world/national-security/officer-recommends-court-martial-for-bradley-manning-in-wikileaks-case/2012/01/12/gIQAqRvEuP_story.html


US Air Force Base Migrates to Linux After Malware Infection

The control of US military spy drones appears to have shifted from Windows to Linux following an embarrassing malware infection [Previously reported in TW Vol 1 Issue 20]. Ground control systems at Creech Air Force Base in Nevada, which commands the killer unmanned aircraft, became infected with a virus last September. In a statement at the time the Air Force dismissed the electronic nasty as a nuisance and said it posed no threat to the operation of Reaper drones, but the intrusion was nonetheless treated seriously.

"The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the pilots to safely fly these aircraft remained secure throughout the incident," it said. The discovery of the virus was nonetheless hugely embarrassing for the Air Force. The credential-stealing malware, first reported by Wired, made its way from a portable hard drive onto ground systems, which control the drones' weapons and surveillance functions. Portable disks are used to load map updates and transfer mission videos from one computer to another, Defence News added.

"The malware was detected on a standalone mission support network using a Windows-based operating system," a US Air Force statement at the time explained. "The malware in question is a credential stealer, not a keylogger, found routinely on computer networks and is considered more of a nuisance than an operational threat. It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."

Drone units were advised to stop using the removable drives to prevent another outbreak. Behind the scenes other changes appear to have been made: screenshots of drone control computers uploaded by security researcher Mikko Hypponen suggest that at least some of the consoles have been migrated from Microsoft Windows to open source Linux. Photos of US drone control systems taken in 2009 and 2011 provide evidence of the change. In the earlier picture the Windows desktop GUI can be easily discerned, whereas the later slide indicates the new systems are Linux-based and have "improved displays".

The 2009 photo originally came from the air force base's website but the image has since been removed. The 2010 slide came from an unclassified presentation on the US's unmanned drone operations. Hypponen told The Register: "If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take."

Source: http://www.theregister.co.uk/2012/01/12/drone_consoles_linux_switch/

Editor's Comment: There have been many, many debates about the virtues of Linux or Mac and whether they are safer than Microsoft; I won't be adding to them here. Having said that, a diverse mix of operating systems does make it harder for an attacker to exploit a network (as long as each of the operating systems is appropriately maintained).


Sykipot Trojan hijacks DoD smart cards

A variant of the Sykipot Trojan Horse hijacks U.S. Department of Defense (DoD) smart cards in order to access restricted resources. "We recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DoD and Windows smart cards," said Jaime Blasco, a security researcher at AlienVault, in a blog post. "This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year."

Smart cards interface with computers through a special reader. They use digital certificates and PIN codes for authentication purposes. Sykipot is commonly used in advanced persistent threat (APT) attacks. According to Blasco, the Sykipot variant recently analysed by AlienVault contains several commands to capture smart card information and use it to access secure resources.

One of the variant's routines is designed to work with ActivIdentity ActivClient, an authentication software product compliant with DoD's Common Access Card (CAC) specification. The CAC enables access to DoD computers, networks, and certain facilities. It allows users to encrypt and digitally sign emails and it facilitates the use of public key infrastructure (PKI) for authentication. This Sykipot variant reads the smart card certificates registered on the victim's computer, steals the card's PIN using a keylogger module and uses the information to log into protected resources for as long as the card remains in the reader, Blasco said. In essence, it becomes a smart card proxy: the private key never leaves the card, but the attacker does not need it to, because the malware can drive the card from the compromised host.

"While Trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the U.S. DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration," Blasco said.

Sykipot was distributed last month as part of an APT attack against companies from the telecommunications, manufacturing, computer hardware, chemical and defence industries, and it targeted U.S. federal agencies in particular. According to AlienVault, the Trojan's main command and control servers are located in China, although its creators sometimes use U.S.-based servers to route the stolen information in order to avoid detection.

Source: http://www.computerworld.com/s/article/9223423/Sykipot_Trojan_hijacks_DoD_smart_cards


Student Faces Extradition to US to Face Copyright Infringement Charges

A computer science student from Sheffield is facing five years in a federal prison after a judge ruled he could be extradited to the US to face charges of copyright infringement. Richard O'Dwyer, a 23-year-old student at Sheffield Hallam University, set up the TVShack.net web site nearly four years ago, offering users links to web sites where they could download copyrighted content including movies and TV programmes.

In a Westminster Magistrates Court ruling, it was revealed that the US government seized the site's domain in 2010, but that within a day O'Dwyer had switched the site to TVShack.cc and "carried on as before". The US government also claimed that the student made more than $230,000 from the site.

In his ruling, district judge Quentin Purdy dismissed the defence's arguments that too much time had passed since the crime and that O'Dwyer was innocent of copyright infringement because his site only posted links to other illegal download sites.

The case echoes that of NASA hacker Gary McKinnon who has fought a ten-year battle over extradition to the US, where he could face up to 70 years in a maximum security jail. UK-US extradition laws have been widely criticised ever since former Labour Prime Minister Tony Blair signed up to them as part of the ill-fated war on terror in the wake of the attacks in September 2001.


Collection of information key to thwarting APT attacks

Intelligence-driven information security, not just firewalls, anti-virus software and analysis of log files, is the future of battling advanced persistent threats, according to a new report from the Security for Business Innovation Council (SBIC). The study was sponsored by EMC Corp.'s security division RSA. The council, made up of 16 executives from Global 1000 companies, said most companies do not have enough information about advanced threats and need a new approach to defend their networks and confidential data.

SBIC recommends several components for intelligence-driven information security. First, it is imperative to consistently collect reliable cyber security data from a range of government, industry, commercial and internal sources to gain a more complete understanding of risks and exposures. Companies must also perform on-going research on prospective cyber adversaries to develop knowledge of attack motivations, favoured techniques and known activities. New skills must be developed within the information security team focused on the production of intelligence. Further, full visibility must be achieved into actual conditions within IT environments, including insight that can distinguish normal from abnormal system and end-user behaviour.

Also important, the report said, is a process for efficient analysis, fusion and management of cyber security data from multiple sources, without which the collected data cannot be turned into actionable intelligence. As well, enterprises must share useful threat information, such as attack indicators, with other organizations.

Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out, said William Boni, vice president and chief information security officer at T-Mobile USA. He acknowledges that security professionals have been recommending the intelligence-driven approach for some time, but says many companies have been slow in adopting the approach.

The conventional wisdom of defending networks is no longer applicable, Boni said. Building a security profile based on checking boxes to meet compliance regulations will not keep intruders out. "Security is not built on compliance," he said. Nor will trying to build a wall around the entire network. Boni said the advice of Frederick II, one of the most powerful Holy Roman Emperors of the Middle Ages, is as true now as it was during his time: "He who tries to defend everything defends nothing." An intelligence-driven methodology that takes massive amounts of information and derives actionable data might seem like standard operating procedure for enterprises with large data stores, but it is not, added Art Coviello, executive chairman of RSA. While security experts at large companies recommend an intelligence-based approach, Coviello said it can be a difficult sell to corporate boards focused on return-on-investment and short-term gains.

Coviello is a strong proponent for information sharing about breaches, a topic that some companies avoid for competitive reasons. However, that recommendation in the SBIC report could represent a turning point between recognizing advanced persistent threats and attacks of convenience. “Just talking about information sharing [but not actually doing it] is like talking about the weather,” he said. “It's a cliché for security failure.”

Source: http://www.scmagazine.com/collection-of-information-key-to-thwarting-apt-attacks-report/article/223332/


NHS Employee Fined for Unauthorized Patient Data Access

A former NHS health worker has been fined £500 for illegally accessing the records of five members of her ex-husband's family, in breach of Section 55 of the Data Protection Act (DPA). The five records were accessed by Juliah Kechil in 2009, while she was working for the Royal Liverpool University Hospital, in order to obtain the phone numbers of her former in-laws.

The alarm was raised by her former father-in-law, who had changed his phone number earlier in the year to avoid nuisance calls from Kechil and became suspicious when the calls soon started again. He contacted the hospital, which began an investigation in November 2009. Using the audit trail linked to her ID card, investigators found that Kechil had accessed the records despite there being no professional reason for her to do so. As a result, she was ordered to pay a fine of £500, prosecution costs of £1,000 and a victims' surcharge of £15.
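The case was only uncovered because a victim complained; the audit trail existed all along. The following is an added example, not the hospital's or the ICO's tooling, of the reconciliation a records system can run proactively: every access is checked against a table of documented care relationships, and staff who pull demographics (names, phone numbers, addresses) for several unrelated patients in a short window are flagged. The audit lines, staff IDs, patient IDs and relationship table are all constructed for illustration.

```python
"""Reconcile a clinical-record access audit trail against known treatment
relationships. This is an added illustration, not the hospital's or the ICO's
own tooling; the audit lines, staff IDs and relationship table are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit trail, one access per line: staff_id|patient_id|timestamp|action
AUDIT_LOG = """\
S1001|P-2231|2009-10-02T09:14:00|view_demographics
S1001|P-2231|2009-10-02T09:20:00|view_notes
S1001|P-7781|2009-10-03T13:05:00|view_demographics
S1001|P-7782|2009-10-03T13:06:00|view_demographics
S1001|P-7783|2009-10-03T13:07:00|view_demographics
S2050|P-7781|2009-10-03T15:40:00|view_notes
S1001|P-9901|2009-10-04T08:00:00|view_demographics
"""

# Constructed (staff_id, patient_id) pairs with a documented care relationship,
# e.g. derived from ward assignments or appointment bookings.
TREATMENT = {
    ("S1001", "P-2231"),
    ("S2050", "P-7781"),
    ("S1001", "P-9901"),
}


def parse_audit(text):
    """Parse the pipe-delimited audit trail into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        staff, patient, ts, action = line.split("|")
        records.append({"staff": staff, "patient": patient,
                        "ts": datetime.fromisoformat(ts), "action": action})
    return records


def unjustified_accesses(records, treatment):
    """Accesses with no care relationship between the staff member and the patient."""
    return [r for r in records if (r["staff"], r["patient"]) not in treatment]


def demographics_bursts(records, window_seconds=300, min_patients=3):
    """Staff who view demographics for several different patients inside a short
    window: the pattern of someone looking people up rather than treating them.
    Returns {staff_id: sorted patient IDs in the first window that trips the rule}."""
    by_staff = defaultdict(list)
    for r in records:
        if r["action"] == "view_demographics":
            by_staff[r["staff"]].append(r)
    flagged = {}
    for staff, rs in by_staff.items():
        rs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rs):
            window = [x for x in rs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= window_seconds]
            patients = {x["patient"] for x in window}
            if len(patients) >= min_patients:
                flagged[staff] = sorted(patients)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for r in unjustified_accesses(recs, TREATMENT):
        print(f"{r['ts']} {r['staff']} accessed {r['patient']} "
              f"({r['action']}) with no care relationship")
    for staff, patients in demographics_bursts(recs).items():
        print(f"{staff}: demographics for {len(patients)} unrelated patients "
              f"within 5 minutes: {patients}")
```

The relationship check catches the individual access; the burst check catches the behaviour even where the relationship table is incomplete, which in a hospital it usually is. Either result should go to a human reviewer rather than block access outright, since emergency care legitimately produces accesses with no prior relationship on record.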

The Information Commissioner's Office (ICO) head of enforcement Steve Eckersley, said the case underlined the right for individuals to expect privacy when providing personal information to organisations. "Unlawfully obtaining other people's information for personal gain is a serious offence, which can have potentially devastating effects," he said. "The breach of their privacy would obviously have been very distressing for the individuals involved."

The ICO has repeatedly called for tougher sentencing guidelines for those who breach Section 55 of the DPA, arguing that the threat of jail time needs to be introduced to provide a stronger deterrent against personal data theft. In October 2011, MPs on the Justice Select Committee backed these calls from information commissioner Christopher Graham, urging the government to introduce jail sentences to curb this growing menace.

Source: http://www.v3.co.uk/v3-uk/news/2137137/nhs-worker-fined-gbp500-illegally-accessing-health-records


Malware Has Been Lurking on San Francisco College System for a Decade

As thousands of students and employees return today to City College of San Francisco - where criminal hackers, it turns out, have been scanning computer data for years - campus officials are warning everyone to change computer passwords, avoid using school computers for banking or purchases, and to check home computers for viruses. In an e-mail sent to students and employees Friday, Chancellor Don Griffin urged people who think their personal information may have been stolen to contact campus police.

"The College has hired a firm that specializes in computer system security, USDN Inc., to assist in a vigorous effort to determine how widespread the viruses are, and what if any information has been illegally transferred to third parties outside the College," Griffin wrote. The college detected the problem in November, when its data security monitoring service saw an unusual pattern of computer traffic. A closer look showed that data - including personal banking information from people who had used college computers to bank online - had been stolen over a decade. College officials don't yet know the extent of the problem.

Griffin said it could take up to three weeks to check the most critical servers. These might contain data from college finances or student data, Chief Technology Officer David Hotchkiss said at a facilities committee meeting Thursday.

He said servers and desktops have been infected across administrative, instructional and wireless networks. Personal computers belonging to anyone who used a flash drive to carry information home may also have been affected. Seven viruses have been found to be combing through college computers for years, Hotchkiss told the committee of three college trustees. He said the viruses originated in criminal networks in Russia, China and other countries.

More on this story can be found at http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/16/BA8T1MQ4E5.DTL


Japanese Aerospace Agency Data Compromised

A computer virus infected a data terminal at Japan's space agency, causing a leak of potentially sensitive information, officials announced today (Jan. 13). The Japan Aerospace Exploration Agency (JAXA) discovered the malware Jan. 6 on a terminal used by one of its employees. A trace showed that the computer virus had gathered information from the machine, officials said.

JAXA still isn't sure how the virus got on the computer, or who put it there. "Information stored in the computer as well as system information that is accessible by the employee have been leaking outside," JAXA said in a statement today. "We are now confirming the leaked information and investigating the cause."

The employee in question works on JAXA's H-2 Transfer Vehicle, an unmanned vessel that ferries cargo to the International Space Station. Information about the robotic spacecraft and its operations may thus have been compromised, officials said, along with stored email addresses and system login information accessed from the infected computer. This same computer has had issues before. JAXA detected a different virus on the machine last August and removed the software. They kept monitoring the computer and noticed further anomalies, leading to the virus detection on Jan. 6.

JAXA also has determined that the computer "sent out some information" sometime between July 6 and Aug.11 of 2011, officials said. The space agency is working to minimize the damage and prevent further incursions. "With the above backdrop, passwords for all accessible systems from the computer have been immediately changed in order to prevent any abuse of possibly leaked information, and we are currently investigating the scale of damage and the impact," JAXA said in the statement. "Also, all other computer terminals are being checked for virus infections."

Computer viruses aren't just a problem on terra firma anymore. In 2008, a laptop used by astronauts aboard the International Space Station was found to be infected with a virus designed to swipe passwords from online gamers. That malware proved to be more of a mysterious nuisance than a real problem, NASA officials said.

Source: http://www.securitynewsdaily.com/japan-space-agency-computer-virus--1495/


Stratfor CEO Accuses Attackers of Censorship

Following a cyber-attack in December 2011 in which intruders stole subscriber data and credit card information, the Stratfor Global Intelligence website is back online. Stratfor CEO George Friedman has posted a video on YouTube in which he took responsibility for the company's failure to take adequate security precautions around the data, including its failure to encrypt the information. Friedman also lashed out at those responsible for the attack, saying "this is a new censorship that doesn't come openly from governments but from people hiding behind masks." The attackers destroyed four of Stratfor's servers, including all data and backups. Friedman also stated that "the intent here was clearly to silence us by destroying our records, our archives, and our websites."

Written by: D Gray VCSL


NHS Trust Challenging Large Fine Over Data Protection Violations

A hospital is facing a fine of £375,000 after computer hard drives containing confidential information were stolen. The hard drives, containing information on tens of thousands of patients, were taken from Brighton General Hospital in September 2010.

The Information Commissioner's Office (ICO) has sent a notice to the Brighton and Sussex University Hospitals NHS Trust proposing the fine. The trust said it would be challenging the proposed penalty. An ICO spokesman said: "The ICO is currently making inquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time."

Sussex Police were called when the hard drives, which had been stolen while they were being decommissioned, ended up on eBay. Duncan Selbie, chief executive of the trust, said: "As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives. We are confident that there is a very low risk of any of the data from them having passed into the public domain." He said the trust was challenging the fine and that it was the victim of a crime.

The trust had subcontracted the destruction of the drives. A 36-year-old man from Seaford was previously arrested on suspicion of theft and was bailed several times before police decided in July to take no further action.

Source: http://www.bbc.co.uk/news/uk-england-sussex-16502602