
Threat Weekly – A Situational Awareness Report from our Technical Security Team

Volume 1, Issue 1 – 10 November 2011

ThreatCon 1: Normal

TOP OF THE NEWS


US takes aim at China and Russia over Cyber Attacks

U.S. intelligence officials accused China and Russia on Thursday [3rd] of systematically stealing American high-tech data for their own national economic gain. It was the most forceful and detailed public airing of U.S. allegations after years of private complaints. U.S. officials and cyber security experts said the U.S. must openly confront China and Russia in a broad diplomatic push to combat cyber-attacks that are on the rise and represent a "persistent threat to U.S. economic security." But experts said solving the problem won't be easy.

In a report released Thursday, U.S. intelligence agencies said "the governments of China and Russia will remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace." Speaking at a forum at the National Press Club, Robert Bryant, the national counterintelligence executive, said the U.S. is finally making the charges public because China and Russia are stealing sensitive U.S. technology data. "If we build their economies on our information, that's not right," he said. "We want to basically point out what the issue is. We want to be worried and we want to be careful, but we also want there to be an awareness and, frankly, drive that toward solutions where we work together to bring this under control."

The report is part of an increased effort by U.S. officials to highlight the risks of cyber-attacks in a growing high-tech society. People, businesses and governments are storing an increasing amount of valuable and sensitive information online or accessing data through mobile devices that may not be as secure as some computers. The Obama administration has urged individuals and the corporate world to better protect their data. Thursday's report is a clarion call, cyber security experts said. "We should have done this years ago," said James Lewis, cybersecurity expert and senior fellow at the Centre for Strategic and International Studies. "We've pretended it hasn't been happening, but that's not the case. I hope this is the first in a series of documents that lays out the huge problem the U.S. is facing."

The U.S. points fingers at Russian and Chinese intelligence services and corporations based in those countries or tied to the governments. The intelligence report, however, did not say how many of the cyberattacks are government-sponsored and would not name other countries that pose similar but lesser threats. It suggested that U.S. allies may be using their access to American institutions to acquire economic and technology information. China had no immediate response to the report, which was issued after normal business hours Thursday in Beijing.

China has consistently denied engaging in cyberspying and, at a regularly scheduled news briefing Wednesday, Foreign Ministry spokesman Hong Lei reiterated Beijing's insistence that it also has been attacked. "China is a major victim of hacking," Hong said. "China is ready to build, together with other countries, a peaceful, secure and open cyberspace order." He added, "As for the remarks from certain quarters, I would point out that hacking attacks have no boundaries and are anonymous. Speculating on the origin of the attacks without investigation is neither professional nor responsible."

China has been linked to a number of high-profile breaches. Google Inc., operator of the Internet's most popular search engine, disclosed two sophisticated attacks against its systems that it believes were launched from China. The disclosures touched a nerve for technologists, government officials and human rights advocates alike because of the unique roles Google and the Chinese government have in shaping what is seen — and not seen — on the Internet by citizens of the world's most populous country. In one attack, some of Google's intellectual property was stolen in a computer attack that also targeted at least 20 other large companies. And earlier this year Mountain View, Calif.-based Google said it believes hackers in China broke into the Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists.

The report also noted other incidents linked to China:

  • Last year computer security firm Mandiant reported that data was stolen from a Fortune 500 manufacturing company during business negotiations when the company was trying to buy a Chinese company.
  • Earlier this year, McAfee traced an intrusion to an Internet protocol address in China and said intruders took data from global oil, energy and petrochemical companies.

While officials could not pin down an exact economic cost to the U.S. government and businesses, they said the losses are extremely significant. "(China's) continued theft of sensitive economic information is a threat to our national security, hurts American businesses and workers, and causes incalculable harm to global economy," said the chairman of the House Intelligence Committee, Rep. Mike Rogers, R-Mich. "This once again underscores the need for America's allies across Asia and Europe to join forces to pressure Beijing to end this illegal behaviour."

The escalating rhetoric carries its own political risks, particularly as the U.S. has tried to improve relations with China and Russia. China is a key lender and trading partner, and the U.S. has relied on Beijing to put pressure on its longtime ally North Korea to negotiate over its nuclear program. Russia, meanwhile, is a key vote in the U.N. Security Council, particularly on issues involving Iran sanctions and nuclear arms reduction. Both were Cold War enemies whose motives and government workings are often purposely opaque to American partners or competitors.

"We have to start being more confrontational," said Lewis, adding that the U.S. needs to have a more muscular trade policy and make sure that World Trade Organization rules are observed. The report said foreign intelligence services have used independent hackers as proxies, thereby giving the agencies "plausible deniability." And it also accused the Chinese of being "the world's most active and persistent perpetrators of economic espionage." Attacks from Russia are a "distant second" to those from China, according to the report. But it said Moscow's intelligence services are "conducting a range of activities to collect economic information and technology from U.S. targets." The report said some of the most desired data includes communications and military technologies, clean energy, health care, pharmaceuticals and information about scarce natural resources. Of particular note, the report said, is interest in unmanned aircraft and other aerospace technology.

U.S. officials have called for greater communication about cyberthreats among the government, intelligence agencies and the private sector. The Pentagon has begun a pilot program that is working with a group of defence contractors to help detect and block cyberattacks.

The report, issued by the national intelligence director's office of the counterintelligence executive, comes out every two years and includes information from 14 spy agencies, academics and other experts.

"We have to do a lot to scare those other guys into thinking 'don't do it or bad things will happen to you' but after we do that, we have to solve it here, at home," said Alan Paller, director of research at SANS Institute, a computer-security organization.

"We need to say, 'if you allow your citizens to attack computers in our country, causing massive damage, we have the right to cause massive damage in your country.'"

Source: usatoday.com


Mac App Store Will Require Sandboxing Support as of March 1, 2012

Recently Apple announced to developers that beginning in March 2012, all applications submitted to the Mac App Store will require support for Apple's sandboxing routines.

Since Apple initially scheduled to implement this requirement in November of this year, this announcement is nothing new and is more of a timeframe shift than anything else; however, it still raises questions and concern over what this means for developers and end users.

Source: news.cnet.com


BPI Asks BT to Block The Pirate Bay

Last week we reported that BT had been instructed to block users' access to Newzbin 2 following successful legal action. This week the BPI has sent a letter to BT asking it to block users' access to The Pirate Bay. The letter asks BT to block The Pirate Bay voluntarily within two weeks or face legal action; BT is likely to comply with the request only if it is backed by a court order. BT was supposed to have begun blocking access to Newzbin 2 by November 2; while the company said it had the technology in place and planned to comply with the order, the site was reportedly still available "over a standard BT DNS-based broadband link."


Black Tuesday Patch Release November 2011

Microsoft has continued its pattern of a large patch release one month followed by a minimal release the next, with only four bulletins this month. A workaround for the Duqu vulnerability has been issued, but a patch to permanently fix the issue has not yet been released; indications from Microsoft are that it will be addressed in next month's release.

MS11-083 – Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
  Maximum severity rating: Critical
  Vulnerability impact: Remote Code Execution
  Affected software: Microsoft Windows
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
  Maximum severity rating: Important
  Vulnerability impact: Remote Code Execution
  Affected software: Microsoft Windows
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
  Maximum severity rating: Important
  Vulnerability impact: Elevation of Privilege
  Affected software: Microsoft Windows
  This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
  Maximum severity rating: Moderate
  Vulnerability impact: Denial of Service
  Affected software: Microsoft
  This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Adobe has also had a quiet month, releasing only one update, which fixes a vulnerability in Shockwave Player 11.6.3.633.

Apple too is now joining Black Tuesday (formerly known as Microsoft Tuesday, because Microsoft releases its patches on the second Tuesday of each month) with a number of fixes to the Snow Leopard and Lion operating systems.

Finally, Mozilla has released updates to its email client (Thunderbird) and web browser (Firefox), bringing both to version 8.

Table sourced from Microsoft.com.


THE REST OF THE WEEK’S NEWS


Darpa’s Plan to Trap the Next WikiLeaker: Decoy Documents

WikiLeakers may have to think twice before clicking on that “classified” document. It could be the digital smoking gun that points back at them. Darpa-funded researchers are building a program for “generating and distributing believable misinformation.” The ultimate goal is to plant auto-generated, bogus documents in classified networks and program them to track down intruders’ movements, a military research abstract reveals.

“We want to flood adversaries with information that’s bogus, but looks real,” says Salvatore Stolfo, the Columbia University computer science professor leading the project. “This will confound and misdirect them.” (You can make your own fake doc on the research lab’s website, too.)

The program aims to scare off uninvited riff-raff as well as minimize insider threats, one of the greatest vulnerabilities in military networks. Fake “classified” documents, when touched, will take a snapshot of the IP address of the intruder and the time it was opened, alerting a systems administrator of the breach. With that trail of digital breadcrumbs, agencies can track down prying eyes more easily. It’s not only a way to stop the new “systemic threat” demonstrated by “the recent disclosure of sensitive and classified government documents through WikiLeaks,” as a summary of the project notes. The deeper goal is to make hackers and whistle-blowers jittery about whether the data they’ve stumbled on is actually real. With Congress demanding the Defense Department work on eliminating insider threats, feds have been in overdrive trying to prevent another document-dump at the scale of WikiLeaks, even going to the extremes of threatening to prosecute airmen who let their families read the site.

This decoy-detecting project is funded as part of Anomaly Detection at Multiple Scales, a program to design ways of sniffing out “malicious” insider threat behaviour. It’s not the only Pentagon program aimed at weeding out disloyal troops. Led by Peiter “Mudge” Zatko, former hacker-rockstar of Boston’s freewheeling L0pht collective, Darpa is dreaming up ways to detect signs of subversion or infiltration as part of a program called Cyber Insider Threat. Under this plan, the decoy docs would undermine hackers’ trust in the integrity of data, make them question whether releasing it in the public domain would be worth it, and force WikiLeakers to do more work verifying their authenticity. (Take the document we made above, for example.)

“If we implant lots of decoys in a system, the adversary has to expend own resources to determine what’s real and what’s not,” Stolfo tells Danger Room.

If a bogus document is actually released online, it would shatter the credibility of the whistleblowing website that published it, said Stolfo. So even after an attacker has hacked through firewalls, tricked intrusion detection technology and gained unfettered access into a system, he’ll hesitate before making away with the goods.

Columbia University has a pending patent application on the decoy-creating technology. Stolfo co-founded Allure Security Technology in 2009 to make products based on that technology. “I don’t know who has the patent for the concept of deception, though,” he joked. “It possibly dates back to the time of Adam and Eve. Now we’re trying to automate the process.”

Source: G Forbes www.oceanuslive.org


Cyber Atlantic 2011 Exercise Aimed at US/EU Collaboration

The European Union and the US have taken part in a day-long exercise to find out how well they would work together in reaction to cyberattacks on security agency systems and critical national infrastructures.

The Cyber Atlantic 2011 round-the-table meeting, held on Thursday, presented participants with two situations: theft of data from cybersecurity agencies using advanced persistent threats (APTs); and attacks on supervisory control and data acquisition (SCADA) systems on power-generation networks.

In the first scenario, attackers tried to steal and post secret data from EU members' cyber security agencies. The second scenario involved the compromise of a SCADA system that controlled European wind turbines. The exercise, the first of its kind, was orchestrated by the European Network and Information Security Agency (ENISA) and organised by agencies including ENISA and the US Department of Homeland Security.

Source: zdnet.co.uk/news


Microsoft Issues Workaround for Kernel Flaw Exploited by Duqu

Microsoft has issued a temporary workaround for a critical privilege elevation vulnerability in the Win32k TrueType font-parsing engine that is being exploited by the Duqu Trojan. In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, which are the most secure to date. The critical vulnerability was recently exploited to spread Duqu, malware that some researchers say was derived from last year's Stuxnet worm that sabotaged Iran's uranium enrichment program. Successful exploitation of the flaw could allow attackers to "run arbitrary code in kernel mode." The workaround involves disabling support for embedded TrueType fonts. Microsoft plans to issue a patch for the flaw as soon as possible.

Source: theregister.co.uk


Vulnerabilities give hackers ability to open prison cells from afar

Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. Tiffany Rad, Teague Newman, and John Strauchs, who presented their research on October 26 at the Hacker Halted information security conference in Miami, worked in Newman's basement to develop the attacks that could take control of prisons' industrial control systems and programmable logic controllers. They spent less than $2,500 and had no previous experience in dealing with those technologies.

The Washington Times' Shaun Waterman reports that the researchers had delivered their findings to state and federal prison authorities, and that the Department of Homeland Security had independently confirmed their research. "We validated the researchers’ initial assertion… that they could remotely reprogram and manipulate [the ICS software and controllers]," Former National Cybersecurity and Communications Integration Center Director Sean P. McGurk, who left DHS in September, told the Washington Times.

The researchers began their work after Strauchs was called in by a warden to investigate an incident in which all the cell doors on one prison's death row spontaneously opened. While the computers used for the supervisory control and data acquisition (SCADA) systems that control prison doors and other systems should in theory not be connected to the Internet, the researchers found an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems. But even in the absence of an Internet connection, the researchers found, a Stuxnet-like attack could be brought in on a flash drive and introduced into the network, either through social engineering or through the actions of a bribed guard or other prison employee.

"You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Times. He said that he thought the greatest threat was that the system would be used to create the conditions needed for the assassination of a target prisoner.

Source: www.washingtontimes.com


Anonymous runs amok in Israel, Finland, and Portugal

Anonymous activists marked the 5 November anniversary of the Gunpowder Treason Plot by getting up to all sorts of mischief over the weekend. The websites of Israel’s Mossad and Shin Bet intelligence services, as well as the Israel Defence Force, were reportedly offline for a brief period over the weekend following a 4 November threat by Anonymous to take down the sites.

The threats came in response to the detention and deportation of 27 Gaza flotilla activists, who had set sail from Turkey for Gaza with supplies aboard two boats, by the Israeli military on Friday. The ships were boarded after ignoring calls to turn back, according to Israeli media reports. It's unclear whether or not the boats contained medical supplies.

Source: theregister.co.uk


Olympic Games Cyber Threat

According to Stuart Okin, a director of Cipher Security, next year’s London Olympics may be targeted by cyber criminals to divert attention and resources from the real threat: a parallel cyber-attack may instead take place on the financial sector. As reported by express.co.uk, Mr. Okin believes that the UK has a limited number of high-calibre security experts capable of fending off such attacks, leaving other sectors prone to cyber heists during the Olympic Games. He goes on to say that cyber-attacks on the Games’ IT systems need not be successful; they need only serve as a misleading tactic. Attacking financial institutions at the same time as the Games guarantees a bigger marketplace for the attackers.

Source: www.express.co.uk


Adobe bids farewell to Flash

Adobe is waving goodbye to Flash Player for mobile platforms, the company said Wednesday. With the exception of issuing critical security fixes for existing installations, Adobe will no longer develop new versions and will instead focus on the HTML5 language, which many believe is better suited for the mobile space.


FBI arrests six in click-fraud cyber scam that netted $14m

Six men believed to be behind a massive click-fraud scheme were arrested on Monday following a two-year, international police investigation, dubbed Operation Ghost Click, the FBI announced Wednesday.

The racket led to the infection of more than four million computers in 100 countries with malware. The defendants, all of whom are Estonian nationals, were arrested in their native country; the U.S. attorney's office is planning to seek their extradition to the United States. A seventh defendant, a Russian national, remains at large.


Hacker selling access to compromised websites gets hacked

A hacker believed to be based in Kuwait has in turn been hacked. Srblche stole information from websites belonging to the U.S. Army, the U.S. Department of Defense and other organisations. Srblche was offering services which included compromising servers at a customer’s request. A separate hacking group d33ds broke into Srblche’s online shop and published information about the server, the password hashes and information about the hacker’s admin password. "Anyone willing to pay for this service must be as stupid as he is," d33ds wrote in its announcement of Srblche's online catalogue being hacked.