Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 7 – 16 February 2012
Microsoft has released nine patches this
week fixing 21 vulnerabilities. Normal vigilance when using the
Internet is advised.
TOP OF THE NEWS
CIA Website Attacked with DDoS
An Anonymous-related Twitter channel
claimed Friday that the group had successfully taken down the CIA's
public-facing website. The CIA website reportedly remained
inaccessible several hours after the attack, then appeared to be
offline intermittently for the rest of the weekend, as well as on
Monday, in the face of what appeared to be a distributed denial of
service (DDoS) attack. Anonymous had previously been making a habit
of targeting the FBI on Fridays.
The CIA has acknowledged that it's
been having website issues, but hasn't publicly commented on the
cause. Interestingly, it's not clear if Anonymous was indeed
responsible. "We'd remind media that if we report a hack or DDoS
attack, it doesn't necessarily mean we did it...FYI," according to
a tweet from YourAnonNews, which is a reliable source of
information about Anonymous activities.
Saturday, hackers announced via
Pastebin--with a shout-out to Anonymous and AntiSec--that they'd
hacked the U.S. Census Bureau, and they listed the names of stolen
database tables. The same day, the website of Interpol was also
knocked offline, although the attack wasn't the work of Anonymous.
Instead, via a Pastebin post, a group known as Black Tuesday
(tagline: "We'r revolution of your mind!") claimed credit.
"We'r not Anonymous! Stop
calling us a part of them:[ Yeap, we support their ideas, but we
have own ideas at all!" according to a Twitter post made by
Regardless, members of Anonymous
have been busy. As part of the Anonymous anti-law enforcement
effort AntiSec, the group released Friday what it said were 730 MB
of emails plus a database of information from Mexico's Chamber of
Mines, aka "Camimex." In a Pastebin post, "AnonMex" said the attack
was in retaliation for mining syndicates working in parts of Mexico
without consulting with the indigenous population.
Last week, pro-Anonymous hackers
CabinCr3w and w0rmer hit the Texas Department of Public Safety, and
detailed what they'd stolen, which included contact information for
training centres. The hackers also released what they said were two
Excel spreadsheets allegedly stolen in the attack. While one
appeared to contain non-sensitive training centre contact
information, the other appeared to be a dummy file used to disguise
a known piece of spyware called "BadSRC."
The same two hackers last week also
launched an attack against the Alabama Department of Public Safety,
and released seven spreadsheets containing information on sex
offenders as well as victims, as well as a database of vehicle
information for offenders.
Much of that information, however,
was redacted. "Inspection of the spreadsheets indicates that no
names were dumped, but it might be possible to recognize particular
cases of child sexual abuse or rape by the dates of the arrests and
the description of the crime and victim's age if a case had been
reported in the media or occurred in a small town," said
Databreaches.net. "Similarly, while offenders' names were not
included in the data dump, their vehicle information and license
plate number were. It's not clear whether the hackers also acquired
other files or databases that would enable identification of what
appear to be unique IDs."
In another attack, CabinCr3w and
w0rmer, as well as another hacker known as Kahuna, hacked into a
website for the Mobile, Ala. police department, to protest "recent
racist legislation," according to the Pastebay post announcing the
attack. "Because of your police being lazy when it comes to data
security, we have acquired the following information of over 46,000
citizens of the state of Alabama," said the attackers.
The stolen data included people's
full legal names, social security numbers, birth dates, and
criminal records. But the hackers involved told Databreaches.net
that they'd purposefully chosen to release only a redacted subset
of the data they'd obtained, and then deleted all of the data.
Internet Explorer patch heads Microsoft security
Microsoft on Tuesday released nine
patches to correct 21 vulnerabilities. Though only four of the
bulletins were deemed "critical," security experts said some of the
patches need to be given high-priority status.
They include MS12-010, a cumulative
security update for four previously unknown Internet Explorer
vulnerabilities impacting all versions of the popular web browser.
IE is a preferred vector to spread malware, and an exploit of any of
these flaws could result in drive-by download attacks in which
users are infected simply by visiting a malicious website.
Bulletin MS12-013 is another one
that prompted some concern from experts who surveyed the fixes. It
corrects a vulnerability in the C Run-Time Library, which can be
exploited if a user is tricked into opening a "specially crafted
media file that is hosted on a website or sent as an email
attachment," according to Microsoft.
"At first glance, this bulletin
looks like bad news, but so far the only attack vector is via
Microsoft Media Player," Andrew Storms, director of security
operations at vulnerability management firm nCircle, said. "Patch
this one right after you patch Internet Explorer; attackers will
probably have exploits for this very shortly."
THE REST OF THE WEEK’S NEWS
European Parliamentary Committee Votes to Extend and Expand
A push by European authorities to
strengthen the European Union's cybersecurity watchdog has been
given the green light. ENISA, the European Network and Information
Security Agency, was set up in 2004 to ensure a "high and effective
level of network information security" within the E.U. Its mandate
is due to expire in September 2013, but a vote in the European
Parliament's Industry, Research and Energy Committee agreed to
extend it until 2020.
The new proposal would also require
ENISA to help set up a full-scale European Union Computer Emergency
Response Team (EU CERT), to counter cyberattacks against E.U.
institutions, bodies and agencies, as well as providing support to
member states in the event of incidents, attacks or disruptions on
networks. Part of ENISA's role is to help private stakeholders
develop their capabilities and preparedness to prevent, detect and
respond to network and information security problems and
Digital Agenda Commissioner Neelie
Kroes put forward the proposal, which was approved by a 52-3 vote,
as part of her strategy to combat cybercrime. Although this has not
been a traditional priority or competence of the Commission in the
past, cybercrime may now be bigger business than the global drugs
trade said Kroes. "Internet attacks are ever more a threat to our
well-being, being used as a new instrument for political and
economic disruption, espionage, and potentially outright attacks
instigated by terrorist groups or foreign governments. Internet
should not be left to the military or to inter-state treaties -- as
though it were just another arena in which to exercise national
power," said Kroes.
NSA's Application Whitelisting Breakthrough
Military computers soon will be
configured to execute only administrator-approved software
applications in certain areas of a computer, Pentagon officials
told Nextgov. The Defense Department's unique version of the
"application whitelisting" approach focuses on where downloads are
allowed to launch in a system. It is intended to be a relatively
inexpensive protection against downloads that antivirus programs
fail to flag as threats. "You can download it, but you can't
install it," said Paul Bartock, a technical director for the
Information Assurance Directorate at the Pentagon's National
Security Agency, who helped develop the economical technique.
One weakness with even the best
antivirus programs is they blacklist software only after it has
been diagnosed as malicious. Unknown worms can't be blocked. And
hackers continuously tweak their code so it remains unknown.
However, NSA's approach in essence blocks every application from
executing until a network administrator has approved, or
whitelisted, it. Whitelisting is a recommended best practice, but
Defence and industry have lagged in adoption because of the
staffing involved in adding and removing applications from the
list, NSA officials said.
To save time, NSA created a way to
grant applications access based on where they are trying to open in
a system -- for example, certain disk drives or directories. With
typical whitelisting, an administrator has to change the list every
time a developer releases a new patch or program update. Under
NSA's approach, administrators are able to focus their attention on
fewer potential entry points for viruses, thus reducing the time
involved in installing new applications. Now, NSA is arranging for
the baseline configurations of all new Defence computers to employ
the tactic, said Eric Chudow, who works with Bartock in the
This method already has thwarted
one type of worm that antivirus programs failed to catch. Chudow
explained: "An email tried to install malware. On the newer
baseline computers, the administrators could see this was malware,"
but on the older models, "the antivirus wasn't able to protect
against it yet. Two weeks later, the antivirus vendors issued a
signature for that particular piece of malware." Commercial
whitelisting software can cost hundreds of thousands of dollars and
require three full-time employees to change the list for every
patch and upgrade. NSA officials were able to do the job without
licensing special software. They used software-restriction features
that come with most operating systems, along with an existing
intrusion detection system, and then wrote some special
permissions, officials said.
The project required monitoring the
agency's network about 20 hours a week for three months to make
sure the new configuration was not obstructing important
applications, officials added. For on-going upkeep, only an hour of
attention per week is required. Almost anyone, including home
computer users and health technicians, can try the technique,
Bartock said. The procedures are largely invisible to computer
users, unless for example, a soldier tries to launch a file-sharing
tool. "It's actually pretty negligible interference, as long as the
end users aren't using any applications that they aren't supposed
to," Chudow said.
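The NSA technique described above hinges on one design decision: decide by launch location rather than by file identity. The following Python model is an added example, not code from the newsletter, the NSA or the DoD. It implements a default-deny path policy (approved roots, with user-writable sub-folders such as Windows\Temp explicitly denied and paths canonicalised so a "..\" cannot masquerade as an approved location) and runs the same three launch events through it and through a conventional hash-based allowlist, showing why an in-place vendor patch breaks the hash list but not the path rule. All paths, file contents and launch events are constructed for illustration.

```python
"""Path-based application allowlisting, default deny.

Added example (not code from the newsletter, the NSA or the DoD): it
models the policy logic the story describes, in which a program may run
only from administrator-approved locations, and contrasts it with a
hash-based allowlist across a simulated vendor patch. Every path, hash
and launch event below is constructed for illustration.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Launch locations an administrator has approved (constructed policy).
ALLOWED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
# User-writable folders that sit under an approved root and must stay
# denied, otherwise the rule above would be trivially bypassed.
DENIED_ROOTS = (
    PureWindowsPath(r"C:\Windows\Temp"),
    PureWindowsPath(r"C:\Windows\Tasks"),
)


@dataclass(frozen=True)
class LaunchEvent:
    """One attempt to execute a file (constructed stand-in for an OS
    execution event)."""
    path: str
    content: bytes  # bytes of the file at launch time


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, like NTFS.
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def path_policy_allows(exe_path: str) -> bool:
    """Deny by default; allow only from approved roots, never from the
    denied sub-folders. The path is canonicalised first so that
    'C:\\Program Files\\..\\Users\\x.exe' cannot pose as approved."""
    canonical = PureWindowsPath(ntpath.normpath(exe_path))
    if any(_under(canonical, d) for d in DENIED_ROOTS):
        return False
    return any(_under(canonical, r) for r in ALLOWED_ROOTS)


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def hash_policy_allows(event: LaunchEvent, allowed_hashes: set) -> bool:
    """Conventional allowlist keyed on the file's hash."""
    return sha256_of(event.content) in allowed_hashes


def simulate_patch_cycle() -> dict:
    """Run three launch events through both policies and return the
    verdicts per policy, keyed by event name."""
    installed = LaunchEvent(r"C:\Program Files\Vendor\app.exe", b"vendor app 1.0")
    # The administrator approves the installed binary by hash.
    allowed_hashes = {sha256_of(installed.content)}
    # A vendor patch replaces app.exe in place; the hash changes.
    patched = LaunchEvent(r"C:\Program Files\Vendor\app.exe", b"vendor app 1.1")
    # A mail attachment saved into the user's profile tries to run.
    download = LaunchEvent(r"C:\Users\bob\Downloads\invoice.exe", b"dropper")

    events = {"installed": installed, "patched": patched, "download": download}
    return {
        "hash": {k: hash_policy_allows(e, allowed_hashes) for k, e in events.items()},
        "path": {k: path_policy_allows(e.path) for k, e in events.items()},
    }


if __name__ == "__main__":
    for policy, verdicts in simulate_patch_cycle().items():
        print(policy, verdicts)
```

The hash policy blocks the patched binary until someone edits the list, which is the staffing cost the story attributes to commercial whitelisting; the path policy keeps allowing it while still refusing the download in the user's profile. The denied sub-folder list is the caveat to watch in practice: any location an ordinary user can write to beneath an approved root has to be excluded, or the rule is worthless.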
US Air Force Plans to Use Tablets in Move to Paperless
First commercial pilots started
getting iPads, and now military pilots want in — the U.S. Air
Mobility Command is planning to buy up to 18,000 iPad 2 tablets “or
equal devices,” replacing heavy flight bags that pilots use to stow
their charts and other flight materials. The devices will
apparently be used on the C-5 Galaxy and C-17 Globemaster. The Air
Force Special Ops Command is also planning to buy 2,861 iPad 2s for
"Moving from a paper-based to an
electronically-based flight publication system will not only
enhance operational effectiveness, it can also save the Department
of Defense time and money," Maj. Gen. Rick Martin, the director of
operations for the Air Mobility Command, said in a statement.
The military is calling them
“electronic flight bags,” hoping the iPads could replace the heavy
notebooks full of aviation charts, regulations and other material
that pilots must carry. This is already catching on in the
commercial sector, too — in December, the FAA granted approval for
American Airlines to start using iPads, though they haven’t started
yet. United Airlines, Alaska Airlines and even UPS are also
planning to use tablets in the cockpit.
It’s primarily an issue of weight
and simplicity, according to the military. The Mobility Command’s
flight charts are updated every 28 days, which equates to 70 pounds
of paper per aircraft that must be sorted and updated. It’s
time-consuming to wade through it all, and the added weight could
also be a problem, even on airplanes designed to carry enormously
Iranian Government Blocking Encrypted Internet
The Iranian government is
reportedly blocking access to websites that use the HTTPS security
protocol, and preventing the use of software residents use to
bypass the state-run firewall.
From [a] post on Hacker News today,
apparently written by an Iranian resident:
Since Thursday Iranian
government has shutted [sic] down the https protocol which has
caused almost all google services (gmail, and google.com itself) to
become inaccessible. Almost all websites that rely on Google APIs
(like wolfram alpha) won't work. Accessing to any website that
relies on https (just imagine how many websites use this protocol,
from Arch Wiki to bank websites). Also accessing many proxies is
Several Hacker News users confirmed
the original post's statement that Iran is blocking encrypted
Internet traffic. "I live in Iran. The fact about the shut down is
correct," one person wrote. Another said "They drop all encrypted
connections. This means no https, no IMAP over TLS and no SSH
connections. (Im in Iran)."
People are debating whether the
shutdown is related to the 33rd anniversary of the Islamic
Revolution, which is being celebrated by the government but has
spurred protests in years past. This may not be the case, as one
person writes "SSH has been disabled for a few months."
According to the Washington Post,
Internet users are increasingly seeing the error message "According
to computer crime regulations, access to this Web site is denied."
The Post's bureau chief in Tehran, Thomas Erdbrink, says that
software Iranians use to bypass Iran's firewall recently stopped
working. "Many fear that the disabling of the software used to
bypass the state-run firewall heralds the coming of what
authorities have labelled the National Internet," Erdbrink
It's not clear how widespread the
blockages are. Reports from some Twitter users earlier this week
indicate that all non-Iranian websites had been censored. However,
checking out the "Blocked In Iran" tool today shows no blockages of
Google sites. Assuming the reports are true, it wouldn't be the
first time websites have been blocked in Iran—Ars itself was
blocked in October 2010 following coverage of the Stuxnet malware
that targeted Iran.
Nortel veteran claims Chinese hackers stole its data for
nearly 10 years
The Wall Street Journal is
reporting that telecoms firm Nortel Networks was repeatedly
breached by Chinese hackers for almost a decade. The newspaper
cited Brian Shields, a former Nortel employee who led an internal
investigation into the security breaches, and published claims that
the hackers stole seven passwords from the company's top executives
- including the CEO - which granted them widespread access to the
entire Nortel network.
According to the WSJ's report, the
security breaches dated back as far as at least 2000, and
spyware planted by the hackers made it possible to steal
intellectual property, including technical papers, R&D reports,
business plans, employee emails and other documents. "They had
access to everything. They had plenty of time. All they had to do
was figure out what they wanted," said Shields.
Shields, who worked for Nortel for
19 years, claims that the company discovered the hack in 2004 when
it was determined that some PCs were regularly sending sensitive
data to an IP address based in Shanghai. Nortel responded by
changing affected passwords, but wound down an internal
investigation into the breach after six months due to a lack of
Shields claims that he made
recommendations to management about how to better protect the
company's networks, but he was ignored. Mike Zafirovski, who was
Nortel's CEO between 2005-2009, was asked by the Wall Street
Journal to comment on the breach, and reportedly said that
staff "did not believe it was a real issue".
Nortel ultimately filed for
bankruptcy in 2009, but it's alleged that the firm failed to reveal
to prospective buyers of the company's assets that it had suffered
from hackers for some years. Although some in the media are
presenting this story as another example of China hacking
organisations in the west, it's very hard to prove a Chinese
involvement. Yes, the data might have been transmitted to an IP
address based in Shanghai, but it is possible that a computer in
Shanghai has been compromised by.. say.. a remote hacker in
It's all too easy to point a
finger, but it's dangerous to keep doing so without proof. But
let's not be naive. Of course, there are Chinese hackers. But there
are also British hackers, and South African hackers, and Canadian
hackers, and Italian hackers, and..
TicketWeb issues second warning following fake Adobe spam
TicketWeb issued a second warning
late last night following the weekend security breach by spammers
purporting to offer an Adobe Acrobat upgrade. The online ticket
seller, who acknowledged the breach of their email database on
February 12, issued a statement advising customers not to click the
link after they had received up to four emails with the subject
'Action Required: Update Your PDF Application'.
The email claimed that the
recipient's version of Adobe Reader was out of date and offered a
link where they could download the new version. However, the link
in fact led to a malicious site.
The Ticketmaster subsidiary assured
customers that they had closed the vulnerability and that "none of
your credit card information was vulnerable during this attack".
But late yesterday TicketWeb sent out a second email for customers
who had clicked through the link, which asked customers to enter
their personal information and payment card details to third party
websites. TicketWeb said: "If you entered your card details upon
following this link, you should contact your card issuer
immediately. Your card issuer will advise you of the best course of
action to take in your particular circumstances which may include
the cancellation and repayment of your card.
"If you are issued with a
replacement card, fraudsters will not be able to undertake
fraudulent 'card-not-present' (internet shopping, telephone or mail
order) activity on your account." TicketWeb added that they would
be liaising with the Information Commissioner's Office in relation
to the security breach.
Foxconn Data Purloined, Posted
It had to happen eventually.
Controversial hardware manufacturer Foxconn was reportedly hacked
late on Wednesday and a heap of staff email log-ins and intranet
credentials posted online which could allow third parties to lodge
In a lengthy message posted to
Pastebin, hacking group Swagg Security claimed the notable scalp.
Though they described Foxconn’s dubious track record on working
conditions at length, the group said this was not the primary
motivation for the hack.
Although we are considerably
disappointed of the conditions of Foxconn, we are not hacking a
corporation for such a reason and although we are slightly
interested in the existence of an Iphone 5, we are not hacking for
this reason. We hack for the cyberspace who share a few common
viewpoints and philosophies. We enjoy exposing governments and
corporations, but the more prominent reason, is the hilarity that
ensues when compromising and destroying an infrastructure. How
The Register tried to contact
Foxconn’s Shenzhen headquarters for confirmation but had not heard
back at the time of writing. However, according to their Twitter
feed the hackers gained access to Foxconn’s systems via an
“outdated vulnerability” in a version of Internet Explorer which
was being used internally by the company. The data dump posted
online includes mail server log in and username credentials as well
as log-ins for procurement sites and intranets which Swagg Security
claimed “could allow individuals to make fraudulent orders under
big companies like Microsoft, Apple, IBM, Intel, and Dell”.
More on this story at: http://www.theregister.co.uk/2012/02/09/foxconn_hack_swagg/
European Governments Questioning ACTA Support
Prime Minister Petr Nečas has
announced that the Czech Republic will follow Poland and suspend
ratification of ACTA, which has become a local lightning rod after
22 EU countries signed on last month. Ratification still needs to
take place in various national parliaments. Anonymous has
been attacking government websites, while the Czech Pirate Party
has organized street protests in Prague. The Pirate Party isn't
happy about the "suspension," though; they want to see full-blown
withdrawal from the whole process.
"By no means would the government
admit a situation where civic freedoms and free access to
information would be threatened," Necas said, according to the
Prague Daily Monitor. He added, "I want to emphasise that no checks
of laptops on the borders, no monitoring of Internet users, no
filtrations and similar things have ever threatened in the Czech
Republic. No such threat has ever existed for a single moment."
Neighbouring Slovakia has also
expressed doubts. Economic Minister Juraj Miškov said he opposes
any deal that "would curtail basic human rights in any shape or
form, particularly the right to freedom and privacy and that will
superimpose copyright protection over these rights."
ACTA may still pass in central
European parliaments, but not before getting a closer look.
Symantec offered hackers $50k in source code sting
As part of a sting operation,
Symantec told a hacker group that it would pay $50,000 to keep the
source code for some of its flagship security products off the
internet, the security company has confirmed.
An email exchange revealing the
extortion attempt posted to Pastebin on Monday shows a purported
Symantec employee named Sam Thomas negotiating payment with an
individual named 'YamaTough' to prevent the release of PCAnywhere
and Norton Antivirus code. YamaTough is the Twitter identity of an
individual or group that had previously threatened to release the
source code for Norton Antivirus.
"We will pay you $50,000.00 USD
total," Thomas said in an email dated Thursday. "However, we need
assurances that you are not going to release the code after
payment. We will pay you $2,500 a month for the first three months.
Payments start next week. After the first three months you have to
convince us you have destroyed the code before we pay the balance.
We are trusting you to keep your end of the bargain."
A Symantec representative confirmed
the extortion attempt on Monday in this statement: "In January, an
individual claiming to be part of the 'Anonymous' group attempted
to extort a payment from Symantec in exchange for not publicly
posting stolen Symantec source code they claimed to have in their
Via G Forbes
Trojan Exploits Known Hole in Microsoft Office
Researchers at Symantec said they
have spotted a trojan taking advantage of a previously patched
Microsoft Office vulnerability. The exploit, which is being used in
targeted attacks, arrives as an email that contains a Microsoft
Word file and a separate DLL file, a rare combination considering
DLL files are not typically sent over email.
"The exploit makes use of an
ActiveX control embedded in the Word document file," senior
researcher Joji Hamada wrote Thursday in a blog post. "When the
Word document is opened, the ActiveX control calls fputlsat.dll,
which has the identical file name as the legitimate DLL file used
for the Microsoft Office FrontPage Client Utility Library. If the
exploit is successful, malware is dropped onto the system."
The trojan, dubbed "Activehijack"
by Symantec, takes advantage of a vulnerability rated "important"
that was patched by Microsoft in September with bulletin MS11-073.
To avoid the exploit, users should ensure they have installed the
patch and remain wary of emails that contain DLL files, Hamada
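The practical takeaway from Symantec's description is a mail-gateway check: a DLL attachment is unusual on its own, and a DLL arriving alongside an Office document is the Activehijack delivery pattern. The Python below is an added example, not Symantec's or Microsoft's code. It screens constructed message records, normalises attachment names the way Windows would when saving them (case, trailing dots and spaces), quarantines lone DLLs and blocks the document-plus-DLL pairing; the file name fputlsat.dll is the one quoted in the story, everything else is made up for the sample.

```python
"""Screen inbound mail metadata for the Activehijack-style lure: an
Office document delivered together with a DLL.

Added example, not Symantec's or Microsoft's code. The message records
below are constructed; only the planted file name fputlsat.dll comes
from Symantec's description quoted in the story.
"""
import os

OFFICE_EXTS = {".doc", ".docx", ".docm", ".dot", ".rtf",
               ".xls", ".xlsx", ".ppt", ".pptx"}
LIBRARY_EXTS = {".dll", ".ocx"}
# DLL name the embedded ActiveX control loads, per the Symantec write-up.
KNOWN_PLANTED_NAMES = {"fputlsat.dll"}


def normalised_name(name: str) -> str:
    """Lower-case and drop trailing dots/spaces, which Windows strips
    when the file is saved, so 'Update.DLL.' is still a DLL."""
    return name.strip().rstrip(". ").lower()


def classify_attachments(names):
    """Return (verdict, reasons) with verdict in allow|quarantine|block."""
    norm = [normalised_name(n) for n in names]
    exts = [os.path.splitext(n)[1] for n in norm]
    dlls = [n for n, e in zip(norm, exts) if e in LIBRARY_EXTS]
    office = [n for n, e in zip(norm, exts) if e in OFFICE_EXTS]
    reasons = []
    if not dlls:
        return "allow", reasons
    reasons.append("library attachment: " + ", ".join(dlls))
    if office:
        reasons.append("accompanied by Office document: " + ", ".join(office))
    planted = set(dlls) & KNOWN_PLANTED_NAMES
    if planted:
        reasons.append("file name matches DLL planted by Activehijack: "
                       + ", ".join(sorted(planted)))
    verdict = "block" if (office or planted) else "quarantine"
    return verdict, reasons


def screen_messages(messages):
    """Run every message through the classifier; return only findings."""
    findings = []
    for m in messages:
        verdict, reasons = classify_attachments(m["attachments"])
        if verdict != "allow":
            findings.append({"id": m["id"], "from": m["from"],
                             "verdict": verdict, "reasons": reasons})
    return findings


# Constructed sample messages (addresses use the reserved .test TLD).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "hr@example.test", "attachments": ["agenda.pdf"]},
    {"id": "m2", "from": "partner@example.test",
     "attachments": ["Q1 Review.DOC", "fputlsat.dll"]},
    {"id": "m3", "from": "dev@example.test", "attachments": ["helper.dll."]},
    {"id": "m4", "from": "sales@example.test",
     "attachments": ["quote.xlsx", "terms.docx"]},
]

if __name__ == "__main__":
    for finding in screen_messages(SAMPLE_MESSAGES):
        print(finding)
```

Name matching on fputlsat.dll is the weakest signal here, since the next campaign will pick another name; the attachment-type pairing is what generalises, and the normalisation step matters because a gateway rule that compares against ".dll" literally is bypassed by "UPDATE.DLL" or a trailing dot.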
Demand for Cyber Forensics Specialists to Rise
Most people may not have any idea
what a computer forensics expert does beyond a general knowledge
gleaned from spy novels. But the profession may be worth exploring
as a real-life career since it's expected to grow by double digits
with the increasing demand for cybersecurity from public and
Steve Bunting, who has been
involved in computer forensics for more than a decade as a
law-enforcement officer, says he got into the work almost by
accident when investigating an employee's email misuse. Now the
field has become more sophisticated and specialized. "It used to be
just the province of law enforcement. But as more information used
by businesses has become digitized, you need a tech team to also be
working" on retrieving and protecting information, he says.
The Bureau of Labour Statistics
estimates computer forensics jobs are expected to grow more than 13
percent in the next several years with starting salaries of about
$46,500 [£29,450.88 GBP]. The National Security Agency has plans to
hire 3,000 specialists to combat the thousands of cyberattacks
every day in the United States, while the Department of Homeland
Security is hiring about 1,000 more cybersecurity specialists.
While some employers may not require a college degree, Bunting says
many will want one or more of the computer forensic certifications
Why the growing demand for such
specialists? Consider events in just the past year:
- Hackers broke into a Zappos'
server, giving them access to the records of 24 million customers
of the online shoe and clothing retailer. Although credit-card
numbers reportedly were protected, an investigation is under way
amid new worries that such a large company could be at risk.
- Attacks on U.S. infrastructure,
such as energy and water utilities, have been documented. A nuclear
lab in Tennessee was the victim of one cyberattack.
- Military drones and other computer
systems were infected with a virus, and officials were unsure about
whether it was introduced accidentally or on purpose — but it kept
showing up even after it had been eliminated.
- In his confirmation hearing,
Secretary of Defence Leon Panetta told the Senate Armed Services
committee that the "next Pearl Harbour we confront could very well
be a cyberattack that cripples our power systems, our grid, our
security systems, our financial systems, our governmental
- Cybersecurity software company
Symantec's final report in December found that targeted
cyberattacks skyrocketed by 400 percent in 2011.
With the increasing threat to
public and private organizations, computer forensic specialists are
often on the trail of criminals who may operate domestically or
internationally. Many companies now have their own forensic
security specialists although they work with law enforcement
regarding illegal activity, Bunting says. "Most companies don't
want anyone else poking around in their system, so they'll
investigate much of it themselves to protect their security," he
says. While computer skills are necessary for the work, Bunting
says those well versed in that field may not be well suited for
forensics work since it can be very monotonous, especially when it
comes to poring through data for hours, looking for clues. "Many
tech-savvy people like more creative work or troubleshooting
problems," he says. "This kind of job requires you to have great
people skills, be able to write good reports and be intuitive."
In addition, computer forensic
specialists often spend hours in a courtroom, testifying in cases
where security was breached or explaining how they used technology
to find wrongdoing. "You've got to be able to write a lot of
reports and explain technology in a way the grandmother sitting on
the jury would be able to understand," he says.