Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 1, Issue 6 – 15 December 2011
Adobe Reader 9.x and Adobe Acrobat 9.x
Zero Day vulnerability has been seen in the wild. Adobe expects to
have a patch issued for version 9.x this week. Microsoft has issued
a bumper Christmas Patch release including fixed for the
TOP OF THE NEWS
US, Israel shocked by undamaged captured drone
Iran exhibited the top-secret US stealth drone
RQ-170 Sentinel captured on Sunday, Dec. 4. Its almost perfect
condition confirmed Tehran's claim that the UAV was downed by a
cyber attack, meaning it was not shot down but brought in undamaged
by an electronic warfare ambush. This is a major debacle for the
stealth technology the US uses in its warplanes and the drone
technology developed by the US and Israel.
The state of the lost UAV refutes the US
military contention that the Sentinel's systems malfunctioned. If
this had happened, it would have crashed and either been wrecked or
damaged. The condition of the RQ-170 intact obliges the US and
Israel to make major changes in plans for a potential strike
against Iran's nuclear program.
The Obama administration's decision after
internal debate not to send US commando or air units into Iran to
retrieve or destroy the secret RQ-170 stealth drone which fell into
Iranian hands has strengthened the hands of the Israeli faction
which argues the case for striking Iran's nuclear installations
without waiting for the Americans to make their move.
Senior Israeli diplomatic and security officials
who followed the discussion in Washington concluded that, by
failing to act, the administration has left Iran not only with the
secrets of the Sentinel's stealth coating, its sensors and cameras,
but also with the data stored in its computer cells on targets
marked out by the US and/or Israeli for attack.
debkafile’s military sources say that this
knowledge compels the US and Israel to revise their plans of attack
for aborting the Iranian nuclear program. Like every clandestine
weapons system, the RQ-170 had a self-destruct mechanism to prevent
its secrets spilling out to the enemy in the event of a crash or
capture. This did not happen. Tehran was able to claim the spy
drone was only slightly damaged when they downed it.
More on this story can be found at
Oil cyber-attacks could cost lives, Shell warns
The oil industry has been warned
that cyber-attacks could "cost lives" and cause "huge damage".
Ludolf Luehmann, an IT manager for Shell, told the World Petroleum
Conference in Doha that the company had suffered an increased
number of attacks. He said the hacks had been motivated by both
commercial and criminal intent. Security researcher David Emm said
that such attacks were "not only possible, but they're now real".
Mr Luehmann said Shell and others in the industry were experiencing
a "new dimension" of attack which could leave physical machinery at
serious risk. He made reference to Stuxnet, a targeted "worm" which
was designed to attack industrial systems in the summer of
Mr Luehmann said Stuxnet showed
energy giants that cyber-attacks could have a real-world
consequence on business processes. "If anybody gets into the area
where you can control opening and closing of valves, or release
valves, you can imagine what happens. "It will cost lives and it
will cost production, it will cost money, cause fires and cause
loss of containment, environmental damage - huge, huge damage." He
added: "We see an increasing number of attacks on our IT systems
and information and there are various motivations behind it -
criminal and commercial."
When contacted by the BBC, Shell
said it would not comment further on Mr Luehmann's statements. BP,
itself a target of high-profile cyber-attacks following the Gulf
oil spill, said it did not speak publicly about security issues as
a matter of company policy.
Dennis Painchaud, director of
international government relations at Canadian energy company
Nexen, said targeted attacks such as Stuxnet and the more recent
threat Duqu form a "very significant risk to our business".
"Cybercrime is a huge issue. It's not restricted to one company or
another - it's really broad and it is on-going. "It's something
that we have to stay on top of every day. It is a risk that is only
going to grow and is probably one of the pre-eminent risks that we
face today and will continue to face for some time."
Moscow-based security experts
Kaspersky, said the past 18 months had seen a dramatic change in
how cyber-threats were perceived by large companies. "The scene
used to be dominated by speculative attacks - people being at the
wrong place at the wrong time, but it was nothing personal," Mr Emm
told the BBC. "But we certainly are in a different world than where
we were 18 months ago. What we're starting to see is an increase in
targeted attacks. We know critical systems, like those in oil
production, are vulnerable to attack. "A lot of countries now are
pumping money into research - the last 18 months have shown these
people are after not just the public's money, but they're after
larger organisation's information. "Organisations like Shell and
others are hopefully taking steps to minimise that risk."
Firms may face five percent fines for data loss
Companies which suffer major data breaches could
be fined up to five percent of global turnover under new European
data rules. Firms found to have mishandled data may fall foul of
data breach notification rules that are due to be updated next
month, according to leaked documents seen by the Financial Times.
The European Commission is considering the large increase in data
breach fines, but the new rules have not yet been finalised,
Commission justice spokesman Matthew Newman told ZDNet UK on
Tuesday. "There will be much more consistency in terms of
sanctions," Newman said. "Draft documents have been circulated.
There's a lot in the proposals that's interesting."
The Commission is aiming for Europe-wide parity
in data regulation, justice commissioner Viviane Reding said at the
2nd Annual European Data Protection and Privacy Conference in
Brussels on Tuesday. "Inconsistent rules hold back businesses,"
said Reding. "If we want to encourage companies to take advantage
of new technologies and operate across borders, we need to make the
rules simpler." Reding is leading the Commission's review of 1995
European data protection legislation. On Thursday, Reding said that
businesses will find it easier to enforce pan-European privacy
rules under the updated legislation.
Microsoft issues hefty Christmas Patch
THE REST OF THE WEEK’S NEWS
Download.com President Apologizes for Bundling Installer
Tech publisher CNet has removed the
controversial proprietary installer it overlaid the penetration
testing tool Nmap with, but critics are angry it is still used for
"thousands" of other downloads.
Gordon Lyon, aka Fyodor, the creator of open
source penetration testing tool, Nmap, slammed Cnet for using his
software, distributed on title’s Download.com file site, as bait to
lure people in to downloading various sponsored software, such as
The StartNow toolbar that was offered in the
CNet-altered Nmap download process, for example, would make Bing
the default search engine and MSN the home page.
CNet's proprietary "installer" has been
identified by several antivirus vendors — at least by its behaviour
— as a Trojan, and was first noticed in August when ExtremeTech
reported an altered install process for the popular VLC media
CNet describes its Download.com Installer as
“a tiny ad-supported stub installer or “download manager” that
helps securely deliver downloads from Download.com’s servers to the
The publisher began adding its own installer
on Windows-compatible non-premium software in July but claims it is
not actually installed on the user’s machine and that the process
offers a clearly labelled option to accept or decline additional
White House Issues Cyber Security R&D
The White House has issued a roadmap of its
cyber security research and development (R&D) priorities. The
outline from the Office of Science and Technology Policy divides
the priorities into four areas: Inducing Change; Developing
Scientific Foundations; Maximizing Research Impact; and
Accelerating Transition to Practice. The R&D plan--developed by
the White House Office of Science and Technology Policy-- aims to
jumpstart how the United States approaches the challenge to ensure
more effective cyberspace protections. The R&D roadmap is based
on the 2009 review of the state of cyber security in the US.
Written by D Gray VCSL
FBI says hackers hit key services in three US
The infrastructure systems of three US cities
have been attacked, according to the Federal Bureau of
Investigation. At a recent cybersecurity conference, Michael Welch,
deputy assistant director of the FBI's cyber division, said hackers
had accessed crucial water and power services. The hackers could
theoretically have dumped sewage into a lake or shut off the power
to a shopping mall, he said.
Industrial control systems are becoming an
increasing target for hackers. "We just had a circumstance where we
had three cities, one of them a major city within the US, where you
had several hackers that had made their way into Scada systems
within the city," Mr Welch told delegates at the Flemings Cyber
Security conference. "Essentially it was an ego trip for the hacker
because he had control of that city's system and he could dump raw
sewage into the lake, he could shut down the power plant at the
mall - a wide array of things," he added.
Such systems - commonly known as Supervisory
Control and Data Acquisition (Scada) - are increasingly being
targeted by hackers, following reports that they rely on weak
security. It follows two alleged break-ins to city water supplies.
The first, to a water supply in Springfield, Illinois, was later
played down by the FBI which said it could find no evidence of
cyber-intrusion. Initially it had thought a hardware fault was
caused by Russian hackers but it later emerged that this was not
In another attack a hacker named pr0f claimed
to have broken into a control system that kept water supplied to a
town in Texas. The hacker said the system had only been protected
by a three-character password which "required almost no skill" to
get around. Mr Welch did not confirm whether this breach was one of
the three he was talking about. Security experts predict there will
be a rise in such attacks. "Such systems have become a target
partly because of all the chatter about the lack of security.
Hackers are doing it out of curiosity to see how poorly they are
protected," said Graham Cluley, senior security consultant at
Sophos. He said that many relied on default passwords, and
information about some of these passwords was "available for
Furthermore the firms that run Scada systems,
such as Siemens, often advise against changing passwords because
they claim the threat from malware is not a great as the problem
that will be caused if passwords are changed. "Not changing
passwords is obviously slightly crazy. Proper security needs to be
in place otherwise it is laughable," said Mr Cluley.
Industrial-scale hacking hit the headlines in
2010 with news of a worm aimed at Iran's nuclear facilities.
Stuxnet was widely rumoured to have been developed by either the US
or Israeli authorities and, according to experts, was configured to
damage motors used in uranium-enrichment centrifuges by sending
them spinning out of control. Iran later admitted that some of its
centrifuges had been sabotaged although it downplayed the
significance of Stuxnet in that.
This year a Stuxnet copycat, Duqu, was
discovered by security experts. Initial analysis of the worm found
that parts of Duqu are nearly identical to Stuxnet and suggested
that it was written by either the same authors or those with access
to the Stuxnet source code. Unlike Stuxnet it was not designed to
attack industrial systems but rather to gather intelligence for a
future attack. Mr Welch also revealed at the conference that, to
date, the FBI's cyberteam had worked a 9 to 5 day. He said that a
12% increase in its budget would mean the team could now expand and
begin monitoring cyberthreats around the clock.
Bradley Manning Defence Team Points
to Army's Neglect of Warning Signs
The U.S. Army disciplined 15 people over their failure to
adequately supervise suspected WikiLeaks leaker Bradley Manning,
according to a news report.
In the wake of an internal report written by Lt. General Robert
Caslen chronicling disciplinary failures that allowed Manning to
maintain access to classified networks despite repeated assessments
documenting his emotional and behavioral difficulties, the Army
demoted one non-commissioned officer for dereliction of duty.
Fourteen others were also disciplined in an undisclosed manner,
according to Politico.
“Appropriate action has been taken against 15 individuals
identified in Lt. Gen. Caslen’s report,” an Army spokesman told
Politico. “In accordance with the Army’s long-standing policy to
protect the privacy of individuals below the general officer level,
specific information concerning their misconduct is not
According to a recent list of proposed witnesses that Manning’s
defense attorney hopes to call for testimony at a pre-trial hearing
for his client on Dec. 16, the supervisor who was demoted
apparently drafted three memos detailing Manning’s behavior but
failed to notify anyone of his concerns.
Two good reads on identifying the internal
Criminal Records Bureau to Allow Online
The Criminal Records Bureau (CRB) is to introduce an online
status checking service for employers to verify that potential
employees have been cleared for relevant jobs. It is intended to
save people from having to request a new certificate every time
they apply for a new role.
The move is one of the measures announced by Lynne Featherstone,
the criminal information minister, in response to a review of the
criminal records regime by the government's independent advisor
Sunita Mason. Featherstone said the government has accepted the
majority of the recommendations and incorporated them in the
protection of freedoms bill.
In a statement to parliament, she said the online service is
part of an effort to reduce the bureaucracy in the CRB regime. The
checks are run for positions working with vulnerable people.
"We have included a provision to make the CRB process less
burdensome on all concerned by introducing a new, online status
checking capability that will in effect mean individuals can re-use
their certificates for different employers across the same
workforce and so will no longer need to apply for a new certificate
every time they want to take up a new role," she said. "This will
have a positive impact on business, making it significantly easier
for employers to take on staff in relevant sectors."
A Home Office spokesman was unable to provide any further detail
on how the service will work.
More on this story can be found at:
RIM's PlayBook Security Patch Doesn't Last Long
Research In Motion hoped to close a security
breach with a software update to its PlayBook tablet, but coders
cracked the patch in only a few hours.
Research In Motion provided a system update
to the BlackBerry PlayBook tablet late Tuesday. According to the
changelog, the primary purpose of the update was to plug a security
hole being exploited by the Dingleberry Playbook jailbreak
The log said that version 184.108.40.20667, which
is only 5 MB in size, "offers support for Flash 10.3 and updates to
Adobe AIR to support developers in addition to DST and security
Researchers had recently released a
tool--called Dingleberry--that unlocks the PlayBook, a first for
RIM's tablet, which included government-grade security features.
Once unlocked, PlayBook users are granted access to the entire
PlayBook codebase, allowing them to do a lot more with it than
through the generally available tools.
For example, the Android Market--and its
hundreds of thousands of apps--is available for the first time on
the PlayBook. While RIM is still developing PlayBook OS 2.0, which
will bring support for Android apps in an emulator, impatient
PlayBook owners can dive in now if they don't mind cracking the
tablet's code. (The patch isn't yet available to developers already
using the PlayBook OS 2.0 beta.)
Out-of-Cycle Patch for Flaw in Windows Versions of Reader
and Acrobat on its way.
Adobe says it is working on a fix for a
vulnerability in Acrobat and Reader that is being actively
exploited in targeted attacks the patch is expected to be released
by the end of this week. Adobe is working on a patch for versions
9.X for Windows-based systems only because that is the platform
targeted in the attacks. Fixes for other versions of the programs
will be released as part of Adobe’s normal schedule in January
2012. The flaw itself exists in versions 10.1.1 and earlier. The
flaw is a memory corruption vulnerability in the way Universal 3D
files are processed and is being exploited to crash the
applications and take control of vulnerable computers. The
sandboxing protected mode in X versions of the programs stops the
execution of exploit code. The flaw is being exploited through
malicious PDF files that have been sent to several different
organizations, including some US defence contractors. Lockheed
Martin has acknowledged that it was targeted in an attack but the
attackers were not successful in accessing the company's computer
Written by D Gray VCSL
DARPA Backing Huge Anomaly Detection System to
Identify Insider Threats
Researchers backed by the Defense Advanced
Research Projects Agency are developing a system than could scan up
to 250 million text messages, e-mail messages and file transfers a
day in search of anomalies that could help identify insider threats
or employees who might be about to “break bad.”
The system, dubbed PRODIGAL, for Proactive
Discovery of Insider Threats Using Graph Analysis and Learning,
will combine graph processing, anomaly detection and relational
machine learning on a massive scale to create a prototype Anomaly
Detection at Multiple Scales (ADAMS) system, according to a release
from the Georgia Institute of Technology, which is working with
four other organizations on the project.
PRODIGAL, which would be used initially to
monitor the communications in civilian government and military
organizations where employees have agreed to be monitored, is
intended to identify “rogue” individuals — such as a potential
mass-attack gunman, terrorist or spy — before they act, Georgia
Analysts now have the capacity to investigate
about “five anomalies per day out of thousands of possibilities,”
said Georgia Tech professor David Bader, co-principal investigator
on the project. “Our goal is to develop a system that will provide
analysts for the first time a very short, ranked list of
unexplained events that should be further investigated.”
DARPA and the Army Research Office are
supporting the two-year, $9 million project. Science Applications
International Corp. is leading the project, which also includes
researchers from Oregon State University, the University of
Massachusetts and Carnegie Mellon University.
More on this story at:
What Snowshoe Spam looks like
What is snowshoe spamming? Well, it’s a
different type of problem than the traditional spam problem.
Whereas botnet spam has declined over the past 12 months, snowshoe
spam has increased.
Snowshoe spam gets its name because the
spammers distribute its email over a wider area of IP addresses in
order to avoid detection (not to mention IP blacklisting). It
does this in order to maintain a light footprint. Just like
real life snowshoes distribute your weight over a wide area to
avoid sinking into the snow, snowshoe spam distributes its weight
over a wide area to avoid filters.
Snowshoe spammers use dedicated IP addresses
that are purchased by the spammer, and more often than not, the IPs
are hosted in the United States. The spammers make their
money from affiliate programs and are not necessarily black hat
spammers. I use the term grey hat spammer, and those hats
frequently have varying shades of grey.
More on this story at: