Threat Weekly – A Situational Awareness Report from our Technical Security Team
Volume 1, Issue 2 – 17 November 2011
ThreatCon 1: Normal
Microsoft released a large batch of
security patches on 11 October. There has been no widespread
malicious activity observed since this date.
TOP OF THE NEWS
UK Cyber Security Strategy themes revealed
The UK government will urge businesses to form
'uncomfortable partnerships' with competitors as part of the
upcoming UK Cyber Security Strategy, ZDNet UK has learned.
When the document is published, businesses will be told that they must
form close working relationships with competitors in order to share
sensitive cybersecurity information. The UK Cyber Security Strategy is
due on 25 November, a Cabinet Office spokesman confirmed on Thursday.
The document, already delayed twice, will update
a two-year-old strategy and lay out the government's plans for
dealing with the problems of cybercrime and cyber-espionage. The
Cabinet Office leads the UK government's cybersecurity response, in
conjunction with the Office of Cyber Security and Information
Assurance (Ocsia) and the Cyber Security Operations Centre (CSOC)
at Cheltenham.
The government has placed increasing emphasis on
cybersecurity, amid growing concerns about the possible economic
impact of successful attacks on information systems. In October
2010, it announced it had elevated cyberattacks to 'tier-one'
threats, alongside terrorism, military crises and major disasters,
and said that it was putting £650m into UK cyber-response.
The British government has faced a number of
criticisms in the past over its approach to cybersecurity,
including that it does not share enough information on
cyber-threats with critical national infrastructure
organisations.
Source: www.zdnet.co.uk
Facebook 'eliminates most of porn image spam attack'
Facebook said it has rid its site of most of the
pornographic and violent images posted as part of a spam attack.
The social network blamed a browser vulnerability and said it was
improving its systems to defend itself against similar attacks in
the future. Thousands of the website's 800 million users have
complained about the pictures over recent days. A source told the
BBC that Facebook knew who was responsible - and it was not an
Anonymous hacktivist. The firm is understood to be working with its
legal department to take action against the suspected attacker.
Facebook said the spam attack worked via a
"self-XSS vulnerability in the browser". It added: "During this
attack, users were tricked into pasting and executing malicious
javascript in their browser URL bar causing them to unknowingly
share this offensive content." "No user
data or accounts were compromised during this attack." The firm
said its engineers had built enforcement mechanisms to shut down
malicious pages and accounts that attempt to exploit the
vulnerability. It also offered the following advice to help guard
against further attacks:
- Never copy and paste unknown code into the
address bar
- Always use an up-to-date browser
- Use the report links on Facebook to flag
suspicious behaviour or content on friends' accounts
Facebook allows children above the age of 13 to
be members, and polices a ban against inappropriate images.
However, security experts said it was difficult for the firm to
respond to this threat, bearing in mind it exploited a
vulnerability in an unnamed web browser rather than the site
itself. They also said that the attack was very unusual because
most other scams on the social network are designed to deliver a
financial payout. "This seems to be a purely malicious act.
Facebook has a reputation for maintaining a reasonably
family-friendly environment," wrote Chester Wisniewski, a senior
security advisor at Sophos, on his company's blog. "Hopefully
whichever browser it is that has the flaw will provide a fix ASAP,
but as we know most people are slow to apply updates regardless of
which browser they use (except Chrome)." "The flaw being exploited
could likely be used against other sites as well if users can be
tricked into pasting malicious JavaScript into the browser."
Source: http://bbc.co.uk
Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’
The Pentagon’s far-out research
agency and its brand new military command for cyberspace have a
confession to make. They don’t really know how to keep U.S.
military networks secure. And they want to know: Could you help
them out?
Darpa convened a “cyber colloquium”
at a swank northern Virginia hotel on Monday for what it called a
“frank discussion” about the persistent vulnerabilities within the
Defense Department’s data networks. The Pentagon can’t defend those
networks on its own, the agency admitted.
Because it’s the blue-sky research
agency that helped create the internet, Darpa framed the problem as
a deep, existential one, not a pedestrian question of insecure
code. “It is the makings of novels and poetry from Dickens to
Gibran that the best and the worst occupy the same time, that
wisdom and foolishness appear in the same age, light and darkness
in the same season,” mused Regina Dugan, Darpa’s director. She’s
talking about the internet. “These are the timeless words of our
existence. We know it is true of everything.” Put in a blunter way,
U.S. networks are “as porous as a colander,” Richard Clarke, the
former White House counterterrorism chief turned cybersecurity
Cassandra, told a packed ballroom. “We are losing ground because we
are inherently divergent from the threat,” conceded Dugan, swooping
down from the stratosphere. Current network security is a numbers
game: According to Darpa research, securing sensitive information
on the military’s networks requires, typically, programs running 10
million lines of code. On average, the malicious code, viruses,
bots, worms and exploits that try to penetrate those defences rely
on 125 lines of code. Eventually, simple beats over-engineered.
Dugan didn’t go as far as Clarke did
— she’s a senior Defense Department official, after all — but she
implied that left to its own devices, the government’s network
defences will allow crucial data to increasingly sluice through,
like water through Clarke’s colander. And it’s not just information
leaking out: it’s the danger of a cyberattack crippling U.S.
financial systems or the power grid, according to many at the
colloquium. "We believe we need more and better options," Dugan
said.
The entire article can be found at:
Additional articles:
Source: www.wired.com
Six Arrested in Connection with Clickjacking Scheme
The FBI has unsealed a federal indictment
that includes details of the two-year FBI investigation called
Operation Ghost Click, as announced today in New York. The article
describes the arrest of six Estonian nationals who have been
charged with "running a sophisticated Internet fraud ring that
infected millions of computers worldwide with a virus and enabled
the thieves to manipulate the multi-billion-dollar Internet
advertising industry."
This cybercrime ring used "DNSChanger to
redirect unsuspecting users to rogue servers controlled by the
cyber thieves, allowing them to manipulate users’ web
activity."
The DNS Changer Working Group (DCWG), with
cooperation from SANS handlers, will be publishing more details
soon, as they have been closely monitoring this class of malware. As
you may well be aware, several different malware families have
modified DNS settings to redirect customer traffic in the past,
including Zlob and others. This particular version uses TDSS and
possibly other malware; it has been installed in many different ways,
so it isn't a single piece of malware but rather a class of malware
that exhibits certain characteristics (in this case, replacing the
victim's DNS resolvers with servers the criminals control).
The FBI put up a website where people can
check if their computer is infected:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
Source: Internet Storm Centre: https://isc.sans.edu/diary.html?storyid=11986
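The defining characteristic of the DNSChanger class described above is that the victim's configured resolvers are replaced with attacker-controlled servers. The following script is an added example, not code from the Internet Storm Center, the DCWG or the FBI: it parses a resolv.conf-style file and flags any nameserver that is not on an expected allowlist, distinguishing entries that fall inside a list of known-rogue ranges from merely unexpected ones. The sample configuration, the allowlist and the rogue range are all constructed placeholders from the documentation address blocks; the real rogue ranges were published by the DCWG and must be substituted from that advisory.

```python
import ipaddress
import os
import re

# Constructed sample resolver configuration, written the way a DNSChanger-style
# infection would leave it: the first nameserver has been swapped for an
# attacker-controlled one (placeholder address, not a real rogue server).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.45
nameserver 198.51.100.7
"""

# Hypothetical allowlist of the resolvers a fleet is expected to use
# (documentation-range placeholders, not real resolvers).
EXPECTED_RESOLVERS = {"198.51.100.7", "198.51.100.8"}

# Placeholder for the rogue resolver ranges published by the DCWG/FBI.
# The real ranges are NOT reproduced here; take them from the advisory.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order.

    Comments (after '#') and unrelated directives such as 'search' are ignored.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def classify_resolver(addr, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RANGES):
    """Classify one resolver as 'expected', 'rogue', 'unknown' or 'invalid'.

    'rogue' means the address sits inside a published rogue range; 'unknown'
    means it is simply not on the allowlist and should be investigated.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    if any(ip in net for net in rogue):
        return "rogue"
    return "unknown"


def audit_resolv_conf(text, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RANGES):
    """Return (address, verdict) pairs for every resolver that is not expected."""
    findings = []
    for addr in parse_nameservers(text):
        verdict = classify_resolver(addr, expected, rogue)
        if verdict != "expected":
            findings.append((addr, verdict))
    return findings


if __name__ == "__main__":
    # Audit the constructed sample first, then the live file if present.
    print("sample configuration:")
    for addr, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"  {addr}: {verdict}")
    if os.path.exists("/etc/resolv.conf"):
        print("/etc/resolv.conf:")
        with open("/etc/resolv.conf") as fh:
            findings = audit_resolv_conf(fh.read())
        for addr, verdict in findings:
            print(f"  {addr}: {verdict}")
        if not findings:
            print("  all resolvers on the allowlist")
```

Run against the sample, the script reports the 203.0.113.45 entry as rogue and stays silent about the allowlisted resolver; an address that is neither allowlisted nor in a rogue range is reported as unknown rather than ignored, since on a managed fleet any unexpected resolver deserves a look. On Windows the equivalent data comes from the adapter DNS settings rather than resolv.conf, so the parser would need replacing there.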
THE REST OF THE WEEK’S NEWS
Met: 'great deal' of cyber-crime intelligence is lost
The UK has never had a “comprehensive
understanding” of cyber-crime levels and police are continuing to
miss out on intelligence because organisations are failing to
report attacks, the Met’s head of intelligence and covert policing
has warned. Giving evidence to MPs on the Commons Science and
Technology Committee, deputy assistant commissioner Janet Williams
said that unlike other crimes, cyber-crime had no “single point”
for reporting. “Everybody knows if you have a burglary where you go
to, if you’re raped where you go to. I don’t think there is the
same level of understanding,” she said. She added that some
organisations chose not to report attacks due to fears that it
could prove “sensitive to the share price”. “They may feel that
they really don’t want this to come into the public domain,” she
said. “So we lose a great deal of understanding and
intelligence as a result of that…and currently there is no
obligation on business to report.” “So what we do get is fractured
because there is no single agreed point of reporting and even what
we do get is not a full picture because some people just choose not
to report.”
But the government has indicated it is due to
introduce a single point for recording financially motivated
cyber-crime in the near future. As previously reported by
Publicservice.co.uk, Home Office minister James Brokenshire said in
November that Action Fraud would soon provide a “single means” for
both businesses and individuals to report financially-motivated
cyber-crime.
Source: http://www.publicservice.co.uk/news_story.asp?id=18028
Evidence found that Duqu is Designer Malware
The creators of the Duqu malware that penetrated
industrial manufacturers in at least eight countries tailored each
attack with exploit files, control servers, and booby-trapped
Microsoft Word documents that were different for each victim,
according to research published on Friday.
What's more, two of the drivers the
sophisticated, highly modular rootkit used in one attack showed
compilation dates of 2007 and 2008, Alexander Gostev, the Kaspersky
Lab expert and author of the report said. If the dates are genuine,
they suggest the Duqu architects may have spent the past four years
developing the malware.
Like forensics investigators combing through a
homicide scene for the tiniest scraps of evidence, security
researchers around the world are examining every email and computer
file associated with Duqu for clues about who created it and for what
purpose. They have yet to establish a direct link to the Stuxnet
worm that was unleashed to sabotage uranium-enrichment plants in
Iran, but the aggregate picture of Duqu that's emerging is that
like Stuxnet, it was painstakingly developed by a world-class team
of disciplined and well-financed engineers.
The Duqu version examined in Friday's report was
recovered by the Sudan Computer Emergency Response Team from an
undisclosed company that the attackers targeted in advance. Like
attacks on other targets, it was launched using a booby-trapped
Word document with content that was tailored to the receiving
organization and exploited a previously unknown vulnerability in
the kernel of all supported versions of Microsoft Windows. The
first attempt at infection in the incident studied by Kaspersky
failed because the email containing the Word document wound up in a
spam folder. On May 21, four days after the first email was sent,
the attackers tried again with a slightly modified message. Both
the subject line and the title of the attached file referenced the
targeted company specifically. Interestingly, the DLL file that
served as the Trojan’s main module was dated April 17, the same day
as the first attempt to infect the target.
When the recipient of the second email opened the
Word document, a malicious payload immediately hijacked the
computer, but sat dormant for about 10 minutes, Gostev said. The
exploit didn't actually install the spy components until the end
user went idle. The infected computer used a command and control
server researchers have never seen before. So far, investigators
have identified at least four such servers, and each one was used
to send and receive data from only one target.
In late May, a second computer in the attack
examined by Kaspersky was infected over the targeted company's
local network. Gostev didn't say how the Duqu infection was able to
spread. Separate research from Symantec has suggested the malware
was able to spread across networks through the SMB connections used
to share files from machine to machine. For all the skill and care
the attackers took, they also showed an intriguing sense of humour.
The malicious shellcode for their exploit was embedded in a
fictitious font called “Dexter Regular,” and contained the line
“Copyright (c) 2003 Showtime Inc.” The hidden message is an obvious
reference to the Dexter television series, which depicts a
ritualistic serial killer who works as a crime-scene investigator
for the Miami Police Department. “This is another prank pulled by
the Duqu authors,” Gostev wrote.
Source: http://www.theregister.co.uk/2011/11/11/duqu_analysis
Cyclist and Coach Draw Suspended Sentences for Drug Test Lab Hack
A French court handed disgraced former U.S.
cyclist Floyd Landis a suspended one-year jail sentence for his
part in a cyberespionage scheme against the anti-doping laboratory
that proved he cheated at the 2006 Tour de France.
The sentence is another layer of shame for the
2006 Tour de France winner, who was subsequently stripped of the
title after the Chatenay-Malabry lab in France found excessive
levels of testosterone in his blood. Much like that scandal, which
rocked the international sports community, the events that put
Landis and his former coach Arnie Baker in their current
predicament read like a made-for-TV thriller.
The case, Cycling News reported, starts in
November 2006, several months after that year's Tour de France had
concluded. The anti-doping lab contacted police after discovering
that someone had used a Trojan horse to put spyware on the lab's
computer network. During the hack, which was traced back to Landis'
coach, information from Landis' file was taken, which the cyclist
used in a bid to clear his name and reputation by showing sports
authorities that he had been clean all along and the lab work had
been flawed. Baker was given the same sentence as Landis.
Last year, Landis finally admitted to doping
after years of denials. The story could very well end here, but the
international hacking plot extended beyond Landis and Baker, and
ultimately implicated three other defendants.
French authorities in 2009 arrested hacker Alain
Quiros, a French national living in Morocco, for hacking into the
Chatenay-Malabry lab. Quiros said he'd been paid a few thousand
dollars to infiltrate not just the anti-doping lab's system, but
also the networks of several other European corporations including
Greenpeace France, all on the orders of Thierry Lorho, a former
French government secret agent and head of the Paris-based
investigative firm Kargus Consultants.
Lorho, prosecutors said, passed the stolen files
— Landis' included — to former paratrooper Jean-Francois Dominguez,
who then handed them off to another person, who has not yet been
identified. The stolen and forged files made their way from this
final person to the media, and formed the basis for Landis' plea to
clear his name for the Tour de France disqualification.
Quiros was given a two-year prison sentence, 18
months of which will be suspended, and ordered to pay a fine of
$4,000 euros. The court gave Lorho a three-year sentence, two of
which will be suspended, and ordered him to pay a $4,000 euro
fine.
Source: http://www.securitynewsdaily.com/floyd-landis-hacking-doping-1330
Inquiry Finds That Many Reporters Used Phone Hacker Services
The full scale of phone hacking at News
International, Britain's largest and most powerful newspaper group
finally began to emerge on Monday when the Leveson inquiry into
press standards heard that 28 of the company's staff are named in
notes seized from a private investigator who specialised in the
practice.
On a dramatic opening day at the high court in
London, Robert Jay QC, counsel for the inquiry, said evidence held
by the Metropolitan police for five years showed "at least 27 other
NI employees", in addition to the former News of the World royal
editor Clive Goodman, appear in notes taken by Glenn Mulcaire.
Goodman and Mulcaire were jailed for intercepting voicemails in
January 2007.
The suggestion that the identities of more than
two dozen NI staff were scribbled in the margins of Mulcaire's
notes is the clearest indication yet that journalists at the
company engaged in the practice systematically. "This fact alone
suggests wide-ranging, illegal activity within the organisation at
the relevant time," Jay said.
The evidence has been in police possession since
it was seized in a 2006 raid on Mulcaire's offices.
Source: http://www.guardian.co.uk/media/2011/nov/14/phone-hacking-news-international-staff-named?newsfeed=true
EDF Greenpeace hack leads to £1.3m fine and jail
Energy Company EDF has been fined €1.5m (£1.3m)
for hacking into the computer systems of environmental campaign
organisation Greenpeace.
Two high-ranking EDF employees were given prison
sentences on Thursday for hiring investigators to hack into
Greenpeace systems in France, Greenpeace said in a blog post on
Thursday. "The evidence presented at the trial showed that the
espionage undertaken by EDF in its efforts to discredit Greenpeace
was both extensive and totally illegal," Greenpeace UK's executive
director, John Sauven, said in the blog post. "The company should
now give a full account of the spying operation it mounted against
its critics."
Investigators from private detective agency
Kargus Consultants hacked into Greenpeace systems in 2006 looking
for plans concerning a campaign against new EDF nuclear power
plants, a French court found.
Source: http://www.zdnet.co.uk/
Email spam 'Block 25' crackdown readied in South Korea
South Korea is lobbying its internet service
providers to sign up to a national plan to tackle spam. The plan
requires ISPs to restrict email to official computer gateways by
blocking another common route that messages travel over. It is
hoped this will thwart spammers who hijack home PCs and use them to
send junk mail. Critics say the block could do more harm than good
to businesses and hit home workers.
South Korea's Internet and Security Agency has
been trying for months to persuade its net service providers to
sign up to a plan known as "Block 25". It has this name because of
the way computers work out what to do with data they send and
receive. Data is labelled with a "port" number which tells a
computer what to do with that information. Port 25 is typically
reserved for email, so blocking it could be a way to stop hijacked
PCs sending messages via this route.
About 80% of the billions of junk mail messages
sent every day are believed to travel through hijacked PCs.
According to statistics drawn up by security firm Sophos, South
Korea is the second biggest source of spam in the world. Instead of
using port 25, Korea wants all email to travel via official mail
servers to block spam and help spot infected PCs.
A spokesman for the Korean government told the
BBC that it was continuing to lobby ISPs to adopt its plan which it
wants to be up and working in December.
Jasper Kim, a law professor at Ewha Womans
University in Seoul, said the block could have unforeseen
consequences. "No one likes spam mail," he said. "But the anti-spam
measures can be viewed as a form of cyber-censorship that could
have a disproportionately negative effect on small players - the
very type of players needed to create a Seoul-style Silicon
Valley." A national block could also hit businesses that make
legitimate use of port 25, said James Blessing, a council member of
the UK's Internet Service Providers' Association. "Many corporate
mail servers run authenticated access through port 25," he said.
"If you want to connect to that you won't be able to if you block
port 25. You'll stop people working from home."
Far better, said Mr Blessing, was to tackle the
problem at source and make greater efforts to ensure PCs were not
hijacked by spammers in the first place. Also, he added, criminals
who use PCs to send junk mail will probably bypass the block
completely by using a different port. "Blocks do not solve the
problem," he said. "They just move it around."
Source: http://bbc.co.uk/news
US Department of Justice May Obtain WikiLeaks Employees' Twitter Records
A Virginia District Court Judge has ruled that
the Justice Department may legally obtain Twitter account records
of three people who work or worked for WikiLeaks. Whilst this
ruling does not give any access to the content of messages sent it
does allow prosecutors access to information about the times
messages were sent to each other and from which IP addresses the
messages were sent.
Source: http://www.wired.com/threatlevel/2011/11/wikileaks-twitter-ruling/
Written by: D Gray VEGA CSL
Juniper Error Causes Widespread Internet Outage
A flaw in an update to the Juniper software that runs the large
routers Juniper supplies to ISPs caused a widespread Internet outage,
disabling large segments of the Internet. The outage appears to have
originated early Monday, when a set of updates to a core Internet
routing protocol (BGP) triggered a software glitch in some of
Juniper's routers. When those routers crashed, key Internet pathways
went down with them.
That "event" took down systems big and small.
Many BlackBerry users -- already skittish from last month's
widespread outage -- found their devices temporarily knocked
offline. BlackBerry maker Research in Motion was quick to point out
that its systems weren't to blame, citing "a global Internet
issue."
Source: www.cnn.com
Warner Brothers Admits Issuing Takedown Orders In Error
In a Monday court filing, Warner Brothers
admitted that it has issued takedown notices for files without
looking at them first. The studio also acknowledged that it issued
takedown notices for a number of URLs that its adversary, the
locker site Hotfile, says were obviously not Warner Brothers'
content.
Hotfile has been locked in a legal battle with
Hollywood studios since February; the studios accuse the site of
facilitating copyright infringement on a massive scale. Hotfile
counters that it is immune from liability for the infringements of
its users because it complies with the notice-and-takedown
procedures established by the Digital Millennium Copyright Act. But
Hotfile has also tried to turn the tables by arguing that one of
the studios, Warner Brothers, has itself violated the DMCA by
issuing bogus takedown requests.
The studio also "admits that it did not (and did
not need to) download every file it believed to be infringing prior
to submitting the file's URL" to the Hotfile takedown tool. That's
because "given the volume and pace of new infringements on Hotfile,
Warner could not practically download and view the contents of each
file prior to requesting that it be taken down."
Source: www.arstechnica.com