Threat Weekly – A Situational Awareness Report from our Technical Security Team

The oil industry has been warned that cyber-attacks could "cost lives" and cause "huge damage". Ludolf Luehmann, an IT manager for Shell, told the World Petroleum Conference in Doha that the company had suffered an increased number of attacks. He said the hacks had been motivated by both commercial and criminal intent. Security researcher David Emm said that such attacks were "not only possible, but they're now real". Mr Luehmann said Shell and others in the industry were experiencing a "new dimension" of attack which could leave physical machinery at serious risk. He made reference to Stuxnet, a targeted "worm" which was designed to attack industrial systems in the summer of 2010.

Mr Luehmann said Stuxnet showed energy giants that cyber-attacks could have a real-world consequence on business processes. "If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens. "It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage - huge, huge damage." He added: "We see an increasing number of attacks on our IT systems and information and there are various motivations behind it - criminal and commercial."

When contacted by the BBC, Shell said it would not comment further on Mr Luehmann's statements. BP, itself a target of high-profile cyber-attacks following the Gulf oil spill, said it did not speak publicly about security issues as a matter of company policy.

Dennis Painchaud, director of international government relations at Canadian energy company Nexen, said targeted attacks such as Stuxnet and the more recent threat Duqu form a "very significant risk to our business". "Cybercrime is a huge issue. It's not restricted to one company or another - it's really broad and it is on-going. "It's something that we have to stay on top of every day. It is a risk that is only going to grow and is probably one of the pre-eminent risks that we face today and will continue to face for some time."

Moscow-based security experts Kaspersky, said the past 18 months had seen a dramatic change in how cyber-threats were perceived by large companies. "The scene used to be dominated by speculative attacks - people being at the wrong place at the wrong time, but it was nothing personal," Mr Emm told the BBC. "But we certainly are in a different world than where we were 18 months ago. What we're starting to see is an increase in targeted attacks. We know critical systems, like those in oil production, are vulnerable to attack. "A lot of countries now are pumping money into research - the last 18 months have shown these people are after not just the public's money, but they're after larger organisation's information. "Organisations like Shell and others are hopefully taking steps to minimise that risk."

Source: http://www.bbc.co.uk/news/technology-16137573

Companies which suffer major data breaches could be fined up to five percent of global turnover under new European data rules. Firms found to have mishandled data may fall foul of data breach notification rules that are due to be updated next month, according to leaked documents seen by the Financial Times. The European Commission is considering the large increase in data breach fines, but the new rules have not yet been finalised, Commission justice spokesman Matthew Newman told ZDNet UK on Tuesday. "There will be much more consistency in terms of sanctions," Newman said. "Draft documents have been circulated. There's a lot in the proposals that's interesting."

The Commission is aiming for Europe-wide parity in data regulation, justice commissioner Viviane Reding said at the 2nd Annual European Data Protection and Privacy Conference in Brussels on Tuesday. "Inconsistent rules hold back businesses," said Reding. "If we want to encourage companies to take advantage of new technologies and operate across borders, we need to make the rules simpler." Reding is leading the Commission's review of 1995 European data protection legislation. On Thursday, Reding said that businesses will find it easier to enforce pan-European privacy rules under the updated legislation.

Source: http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/firms-may-face-five-percent-fines-for-data-loss-10024955/?s_cid=169

The Criminal Records Bureau (CRB) is to introduce an online status checking service for employers to verify that potential employees have been cleared for relevant jobs. It is intended to save people from having to request a new certificate every time they apply for a new role.

The move is one of the measures announced by Lynne Featherstone, the criminal information minister, in response to a review of the criminal records regime by the government's independent advisor Sunita Mason. Featherstone said the government has accepted the majority of the recommendations and incorporated them in the protection of freedoms bill.

In a statement to parliament, she said the online service is part of an effort to reduce the bureaucracy in the CRB regime. The checks are run for positions working with vulnerable people.

"We have included a provision to make the CRB process less burdensome on all concerned by introducing a new, online status checking capability that will in effect mean individuals can re-use their certificates for different employers across the same workforce and so will no longer need to apply for a new certificate every time they want to take up a new role," she said. "This will have a positive impact on business, making it significantly easier for employers to take on staff in relevant sectors."

A Home Office spokesman was unable to provide any further detail on how the service will work.

• http://www.nursingtimes.net/nursing-practice/clinical-specialisms/management/ministers-agree-to-tighten-criminal-checks-on-overseas-nhs-staff/5038858.article

More on this story can be found at: http://www.guardian.co.uk/government-computing-network/2011/dec/07/crb-checks-online

Research In Motion hoped to close a security breach with a software update to its PlayBook tablet, but coders cracked the patch in only a few hours.

Research In Motion provided a system update to the BlackBerry PlayBook tablet late Tuesday. According to the changelog, the primary purpose of the update was to plug a security hole being exploited by the Dingleberry Playbook jailbreak tool.

The log said that version 1.0.8.6067, which is only 5 MB in size, "offers support for Flash 10.3 and updates to Adobe AIR to support developers in addition to DST and security fixes."

Researchers had recently released a tool--called Dingleberry--that unlocks the PlayBook, a first for RIM's tablet, which included government-grade security features. Once unlocked, PlayBook users are granted access to the entire PlayBook codebase, allowing them to do a lot more with it than through the generally available tools.

For example, the Android Market--and its hundreds of thousands of apps--is available for the first time on the PlayBook. While RIM is still developing PlayBook OS 2.0, which will bring support for Android apps in an emulator, impatient PlayBook owners can dive in now if they don't mind cracking the tablet's code. (The patch isn't yet available to developers already using the PlayBook OS 2.0 beta.)

• http://www.eweek.com/c/a/Security/Hackers-Update-PlayBook-Jailbreak-Tool-After-RIM-Closes-Security-Flaw-814044/
• http://www.theregister.co.uk/2011/12/07/blackberry_playbook_jailbreak_release/

Source: http://www.informationweek.com/news/security/attacks/232300081

Adobe says it is working on a fix for a vulnerability in Acrobat and Reader that is being actively exploited in targeted attacks the patch is expected to be released by the end of this week. Adobe is working on a patch for versions 9.X for Windows-based systems only because that is the platform targeted in the attacks. Fixes for other versions of the programs will be released as part of Adobe’s normal schedule in January 2012. The flaw itself exists in versions 10.1.1 and earlier. The flaw is a memory corruption vulnerability in the way Universal 3D files are processed and is being exploited to crash the applications and take control of vulnerable computers.  The sandboxing protected mode in X versions of the programs stops the execution of exploit code. The flaw is being exploited through malicious PDF files that have been sent to several different organizations, including some US defence contractors. Lockheed Martin has acknowledged that it was targeted in an attack but the attackers were not successful in accessing the company's computer network.

• http://www.adobe.com/support/security/advisories/apsa11-04.html
• http://www.darkreading.com/insider-threat/167801100/security/application-security/232300055/new-zero-day-adobe-attack-under-way.html
• http://www.theregister.co.uk/2011/12/06/adobe_reader_attacks/
• http://news.cnet.com/8301-1009_3-57337844-83/adobe-warns-of-attacks-using-reader-on-windows/
• http://krebsonsecurity.com/2011/12/attackers-hit-new-adobe-reader-acrobat-flaw/
• http://www.h-online.com/security/news/item/New-Adobe-Reader-zero-day-in-the-wild-1391441.html
• http://www.scmagazineuk.com/adobe-to-release-emergency-patch-for-critical-vulnerability-in-reader-and-acrobat/article/218288/
• http://www.eweek.com/c/a/Security/Adobe-ZeroDay-Exploit-Targeted-Defense-Contractors-383203/
• http://www.scmagazineus.com/lockheed-martin-hit-but-not-breached-with-adobe-zero-day/article/218603/

Written by D Gray VCSL

Researchers backed by the Defense Advanced Research Projects Agency are developing a system than could scan up to 250 million text messages, e-mail messages and file transfers a day in search of anomalies that could help identify insider threats or employees who might be about to “break bad.”

The system, dubbed PRODIGAL, for Proactive Discovery of Insider Threats Using Graph Analysis and Learning, will combine graph processing, anomaly detection and relational machine learning on a massive scale to create a prototype Anomaly Detection at Multiple Scales (ADAMS) system, according to a release from the Georgia Institute of Technology, which is working with four other organizations on the project.

PRODIGAL, which would be used initially to monitor the communications in civilian government and military organizations where employees have agreed to be monitored, is intended to identify “rogue” individuals — such as a potential mass-attack gunman, terrorist or spy — before they act, Georgia Tech said.

Analysts now have the capacity to investigate about “five anomalies per day out of thousands of possibilities,” said Georgia Tech professor David Bader, co-principal investigator on the project. “Our goal is to develop a system that will provide analysts for the first time a very short, ranked list of unexplained events that should be further investigated.”

DARPA and the Army Research Office are supporting the two-year, $9 million project. Science Applications International Corp. is leading the project, which also includes researchers from Oregon State University, the University of Massachusetts and Carnegie Mellon University.

• http://blogs.computerworld.com/19382/sifting_through_petabytes_prodigal_monitoring_for_lone_wolf_insider_threats

More on this story at: http://gcn.com/articles/2011/12/06/darpa-prodigal-email-monitoring-insider-threats.aspx?admgarea=TC_SECCYBERSSEC

What is snowshoe spamming?  Well, it’s a different type of problem than the traditional spam problem.  Whereas botnet spam has declined over the past 12 months, snowshoe spam has increased.

Snowshoe spam gets its name because the spammers distribute its email over a wider area of IP addresses in order to avoid detection (not to mention IP blacklisting).  It does this in order to maintain a light footprint.  Just like real life snowshoes distribute your weight over a wide area to avoid sinking into the snow, snowshoe spam distributes its weight over a wide area to avoid filters.

Snowshoe spammers use dedicated IP addresses that are purchased by the spammer, and more often than not, the IPs are hosted in the United States.  The spammers make their money from affiliate programs and are not necessarily black hat spammers.  I use the term grey hat spammer, and those hats frequently have varying shades of grey.

More on this story at: http://blogs.msdn.com/b/tzink/archive/2011/11/22/what-snoeshow-spam-looks-like.aspx