Friday, November 16, 2012

Blog Entry #20: 2013 Predictions

The last article for this blog project is a fitting one, as it takes a look at the cyber threat predictions made by Georgia Tech for the coming year.  Topping the Georgia Tech Information Security Center's and the Georgia Tech Research Institute's Georgia Tech Emerging Cyber Threats Report for 2013 is cloud computing.  The panel that compiled the list of predictions feels cloud computing will be abused for malicious purposes, namely creating networks of "zombie machines" to do their bidding.  The panel also voiced concern that cyber criminals might "[use] cloud computing resources to create clusters of temporary virtual attack systems."  2013 might also see problems with globalized supply chains.  Here is a list of some of the other issues deemed serious by the panel:


Globalized Supply Chains - There is a very real risk that products manufactured in other countries could have security flaws that allow for cyber espionage and even cyber attack.


Search History Poisoning - Manipulating search engine algorithms and controlling what information is seen by an internet user can be a powerful tool for someone who wants control over what people see.


Mobile Threats including Browser and Wallet Vulnerabilities - This threat is not as severe as previously thought thanks to the app store model.  However, the growth in popularity of mobile devices, combined with the high use of the mobile web and mobile wallet, makes mobile devices a tempting target for cyber criminals.


Malware Counteroffensive - Malware authors will make every effort to make their malicious code more robust.  They might incorporate techniques similar to DRM and find new ways to make their malware less detectable.

Clearly education is the key to protecting the public.  With the push toward cloud computing and mobile devices, businesses and consumers will need to be more vigilant in the protection of their data.

Blog Entry #19: Congress Inaction

 
The Senate again held a vote on, and failed to approve, legislation which would provide comprehensive cyber security regulatory reform.  The bill in question is the Cyber Security Act of 2012.  In recent months, security professionals and national security officials have urged Congress to act, but Republicans and the U.S. Chamber of Commerce seem to feel the bill is inadequate and will cost too much to implement.  In light of the lack of action by Congress over the past few months, President Obama has "signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks."  The official White House stance is that if Congress is not willing to act, they will.  It is unclear how much of this is political posturing, even after the election, but what is clear is the need for cyber security improvements for the government and private sector.  The White House has also prepared a draft executive order concerning cyber security.  This order would "direct the NIST to set cyber security standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cyber security regulations for those industries."
This executive order might be a bandage for the time being, but it is not comprehensive and will not offer good long term protection where it is needed most.  As Harry Reid points out, there is no liability protection for companies should they be hit by a cyber attack.  After reading about the U.S.-China Economic and Security Review Commission report, it is clear now more than ever that this country is at risk of being hurt by a cyber attack.  The report called China "the most threatening actor in cyberspace".  Hopefully, this will not be another case of reactive government.  They need to take a proactive approach in order to prevent what some would call a cyber Pearl Harbor.

Thursday, November 8, 2012

Blog Entry #18: Homeland Security

More and more articles have been showing up lately concerning the cyber threat facing the United States.  Several key government officials have given talks concerning the topic, including Leon Panetta and most recently Janet Napolitano.  Her concern as Homeland Security Secretary is well warranted.  According to Tony Romm, Napolitano's talk was one of many lately to stress the importance of shoring up the nation's cyber defenses and infrastructure.  She referenced the damage done by Hurricane Sandy and compared it to an attack that could just as easily wreak havoc on our utilities.  As of today, there are still people without power and fuel shortages.  A group that had even moderate resources might be able to inflict far worse damage in the US.

Romm notes that legislation is on tap to make cyber security reforms, but he also says "stakeholders are less than optimistic the chamber will pass a bill."  Hopefully now that Obama has been re-elected he will be more likely to enact an executive order that will provide better security for our major infrastructure.  Even if some in the government are not happy with Obama's progress, Napolitano feels the Obama administration is committed to creating a more secure environment and is even "putting money into cybersecurity."  Let's hope this is true.  After all, we are completely dependent on electricity and gasoline.  If a larger area were without power and fuel for weeks, it could be a horrible situation.

Tuesday, November 6, 2012

Blog Entry #17: ANONYMOUS

Link: http://www.theregister.co.uk/2012/11/05/anon_nov5_protests/

Anonymous was back in the news on the 5th. They have reportedly attacked PayPal, ImageShack, and Symantec. The attack was part of a global day of protest, paying tribute to Guy Fawkes Night. John Leyden reveals that Anonymous has boasted it leaked 28,000 passwords, emails, and names of customers from PayPal. Under the hashtag #OpNov5, the AnonymousPress Twitter feed tweeted out the details of various attacks that took place and some that were allegedly planned by various factions of the hacktivist group. Symantec may have had "email addresses and other personal data from hundreds of security researchers" leaked. A couple of the big attacks today were carried out by exploiting zero-day bugs.
In addition to the data theft attacks, "several NBC websites were defaced with the message 'Remember, remember the fifth of November'" (extracts from a nursery rhyme about Guy Fawkes and the Gunpowder Plot to blow up the UK Parliament in 1605). These less political attacks seem to be deepening the rift between various groups within Anonymous. Personally, they don't seem to serve any purpose outside of showing that the sites can be hacked.

Monday, October 29, 2012

Blog Entry #16: The Payback


The article, “Data breach victims could get damages from careless firms” relates strongly to my previous post about what is going on in South Carolina.  Until recently, victims who had their private information stolen from a company or government agency had limited options with the legal system and often saw small restitution amounts.  With the changing digital landscape though, judges have begun to realize that there is real immediate, and future, harm when one's personal information gets into the wrong hands.  Data theft victims now have the ability to file class action lawsuits, “[making] companies liable for steps taken to prevent financial harm, such as insurance to cover the costs associated with identity theft."  According to article author Antone Gonsalves, the average settlement per plaintiff in a data breach class action suit is $2500.  Add to that an average of $1.2 million in lawyers' fees and these lawsuits can get expensive for companies.
This can mean only good things for consumers.  The high cost of lawsuits might act as a catalyst, getting IT departments to beef up security and implement more than adequate best practices.  Companies will realize that if they do all they can to secure sensitive information, the amount of liability they are responsible for might be far less.  A bill pending in Congress might also help along the process of securing private information.  The bill would “set a national standard for data breach notification, replacing the variety of state laws that exist today. Introduced in June, the Data Security and Breach Notification Act would also set maximum damages and define what is considered a breach.”  The most important thing for all companies and agencies to realize is the fact that it is only a matter of 'when' an attack will occur.  As long as a company hosts sensitive data, there will be someone who wants access to it.

Blog Entry #15: South Carolina's Unsecured Systems


South Carolina was the latest victim of data theft by a hacker. According to a report released by Reuters, “As many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers used by state taxpayers” could have been stolen.  This theft has put the residents of South Carolina at risk of being victims of identity theft.  The investigation into the cause of the breach is in its early stages and so far investigators know that the hacker operated from a foreign IP address.  Understandably Governor Nikki Haley is quite upset about the breach, and for good reason.
According to the article, not all of the data kept by the state’s Department of Revenue was encrypted.  None of the Social Security numbers and about 16,000 of the credit card numbers kept by the government agency were encrypted. This fact points to a lapse in maintaining best practices for securing sensitive information.  On the plus side, no public funds were stolen by the hacker, and the vulnerability that led to the breach was found and closed up.  There is no telling what the stolen data may be worth, but if even a small amount of personal data is used for fraud, the cost to the citizens of the state will be huge.
It seems that there were multiple warning signs that South Carolina had security issues with their systems.  According to a state official, two attempts were made to “probe” the South Carolina Department of Revenue’s network in September and one attempt was made in August.  Also in September, two intrusions occurred in which the hacker was able to steal data for the first time.  What’s more troubling is the fact that attacks against South Carolina’s government systems are not isolated to these instances at the department of revenue.  Early in 2012 police arrested a South Carolina state health agency employee who stole the information of 230,000 Medicaid recipients.  Additionally, a hacker was able to access the personal information of 34,000 students and faculty from the University of South Carolina.  It would seem that whoever is in charge of maintaining the systems used by the government in South Carolina should assess and restructure the security practices of the state.

Blog Entry #14: Attacks on the Banks

Again the focus of international cyber criminals has turned to Western banking institutions.  Over the last few weeks numerous banks have been hit by the Izz ad-Din al-Qassam Cyber Fighters.  A story was reported in the news back in September that this attack would occur.  HSBC was the latest bank to experience an attack.  Similar to the attacks on other banks, HSBC servers were attacked, causing websites to be inaccessible to customers for a short time.  The attack occurred on Thursday the 18th and was under control by early Friday London time.  The group has vowed that the attacks will continue "until the anti-Islamic ‘Innocence of Muslims’ film trailer is removed from the Internet."
What makes this attack unique is that a group claiming to have ties to Anonymous has also claimed they had a hand in the attack.  According to a source in the article though, “the technique and systems used against HSBC were the same as the other banks.”  Of course this does not mean that some other group did not help out the Islamic cyber terrorists.  Some in the US government believe that Iran is behind the attacks, but researchers think otherwise.  What is agreed upon is the fact that this attack is fairly sophisticated.

During the last two weeks, the following banks have been attacked:
Bank of America
Capital One
SunTrust
Regions Financial
BB&T
HSBC
Wells Fargo

Tuesday, October 23, 2012

Blog Entry #13: Cyber War Preparedness
Link: http://m.itworld.com/security/304904/why-governments-cybersecurity-plan-will-end-catastrophe?page=0,0&mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcyber%2Bsecurity%26hl%3Den%26client%3Dms-android-sprint-us%26tbo%3Dd%26source%3Dandroid-browser-type%26v%3D141400000%26source%3Dlnms%26tbm%3Dnws%26sa%3DX%26ei%3Db2WGUO6pLsXf0gHU24DADw%26ved%3D0CAoQ_AUoAw

In his new proposal to shore up US cyber defenses, Defense Secretary Leon Panetta laid out a plan that would give the government unprecedented and invasive access to private systems in the US.  While the threat to America's infrastructure is very real, according to the author, Rob Enderle, the proposed system to monitor it would create privacy issues.  Panetta feels this intrusive measure is necessary to prevent a 9/11 scale cyber attack.  The article makes a strong argument for not implementing his plan and points out that Panetta's idea may be more dangerous.
The fact that the various infrastructure systems in the US are independent and do not even have "a common security structure" means that potential cyber attackers would have to narrow the focus of their attack on a particular area.  With Panetta's plan there would be a link that, no matter how well protected, could potentially be exploited.  We saw with Stuxnet that it is possible to attack a closed system.  However, that was highly sophisticated and took a huge amount of resources.  An attack that could be waged on a single point of weakness, via a connected network, might be far less difficult for someone with similar resources, or even a small group of motivated private citizens.
Enderle continues his article with a few ideas that he sees as more effective.  He proposes that compensation be given to companies hurt by attacks, with the money coming from the targeted government agency's budget, and that minimum legal coverage be required.  He feels this plan "would promote a higher level of prevention through better-funded protection."  I would like to know if there would be any accountability on the side of the private sector in addition to the government agencies, but at the very least, requiring a minimum legal standard of coverage seems like a smart idea.

Monday, October 15, 2012

Blog Entry #12: Universities are under attack.

 
The article, "Cybercriminals Increasingly Attacking University Networks" by Fahmida Y. Rashid, sheds light on an issue that should concern all college students. Rashid looks at analysis by ThreatMetrix, a cyber security firm. They concluded "that cyber-criminals had already infiltrated networks belonging to major educational institutions including New York University, George Mason University, Harvard University, Purdue University, and University of California in Irvine." ThreatMetrix collects millions of pieces of transaction data from its customer websites every day. This data is used to create rules that will "automatically reject transactions that don't meet a certain threshold." When looking at the data from the universities, one trend noticed was that even though transactions came from devices with university IP addresses, the data indicated the transactions were made from multiple time zones. This means that cyber criminals were "using a proxy server, a VPN, or that the network has been compromised." Once compromised, devices and servers can be used for any number of criminal activities.
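The time-zone observation above is a simple but useful detection rule: a device whose browser reports a clock offset that does not match the region its source IP belongs to is either proxied or not where the address says it is. The following Python is an added example written for this post, not ThreatMetrix's rule set or anything from the article. The campus address blocks, their expected UTC offsets and the transaction records are all constructed (reserved documentation ranges), and the second function generalizes the single-transaction check into a per-network rule that flags any campus block seen transacting from more time zones than expected.

```python
import ipaddress
from collections import defaultdict

# Constructed campus address blocks and the UTC offset (in minutes) a device
# physically on that campus would report. Hypothetical values for the example.
CAMPUS_NETWORKS = {
    "192.0.2.0/24": -300,      # constructed: an East Coast campus, UTC-5
    "198.51.100.0/24": -480,   # constructed: a West Coast campus, UTC-8
}

# Constructed transaction records in the shape a collector might log them:
# (transaction id, source IP, UTC offset in minutes reported by the client's browser)
SAMPLE_TRANSACTIONS = [
    ("t1", "192.0.2.10", -300),
    ("t2", "192.0.2.11", -300),
    ("t3", "192.0.2.12", 180),      # client clock says UTC+3, but the IP is on the East Coast campus
    ("t4", "192.0.2.13", 480),      # client clock says UTC+8
    ("t5", "198.51.100.5", -480),
    ("t6", "203.0.113.7", 60),      # not a campus address, so this rule ignores it
]


def campus_offset(ip):
    """Return (cidr, expected_offset) for a campus IP, or None if the IP is not a campus address."""
    addr = ipaddress.ip_address(ip)
    for cidr, offset in CAMPUS_NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, offset
    return None


def flag_mismatches(transactions):
    """Flag each campus transaction whose reported time zone disagrees with its network's zone."""
    flagged = []
    for txid, ip, reported in transactions:
        match = campus_offset(ip)
        if match is None:
            continue
        cidr, expected = match
        if reported != expected:
            flagged.append((txid, ip, cidr, expected, reported))
    return flagged


def suspicious_networks(transactions, max_zones=1):
    """Return campus networks that transacted from more distinct time zones than expected.

    A campus block seen from several zones at once is the pattern the article
    attributes to proxies, VPNs or compromised hosts on that network.
    """
    zones = defaultdict(set)
    for _, ip, reported in transactions:
        match = campus_offset(ip)
        if match is not None:
            zones[match[0]].add(reported)
    return sorted(cidr for cidr, seen in zones.items() if len(seen) > max_zones)


if __name__ == "__main__":
    for row in flag_mismatches(SAMPLE_TRANSACTIONS):
        print("mismatch:", row)
    print("networks to review:", suspicious_networks(SAMPLE_TRANSACTIONS))
```

On the constructed data this flags t3 and t4 and marks 192.0.2.0/24 for review. In practice the expected offset would come from a campus network inventory rather than a hard-coded table, and a travelling student on VPN will trigger the same rule, so the output is a review queue for the security team, not an automatic block.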
A big problem facing universities is the number of devices infected with malware. Often students and faculty are bringing their own infected devices, or not protecting their devices once on a university network, opening them up to attacks. In fact, the BYOD practice has been commonplace at universities for years and is a big reason universities are being attacked at such a high rate. One such attack noted in the article enabled a group of hackers, named Team GhostShell, to "steal personal records of students, faculty, and staff from 53 universities around the world." The hackers proceeded to release the data to Pastebin, where it was free for anyone to grab. This type of attack can compromise social network accounts, email accounts, and countless other accounts users want to keep private. Again, this shows just how important it is to educate people about protecting their data in a connected world.

Sunday, October 14, 2012

Blog Entry #11: Something for nothing


In keeping with current classroom discussion, I found an interesting article on a phishing scam currently taking place in Australia. It seems that phishers are taking advantage of people’s eagerness to get something for nothing. According to the email pictured below, loyal Apple customers have the option to purchase AU$100 of in-store credit for just AU$9. After searching through multiple articles, there is no word on how the email addresses were obtained by the phishers. However, given Apple's popularity, it is a good bet that a large number of recipients have purchased an Apple product.
It is not clear as to whether the victims are actually charged the $9, but they are definitely affected by the scam. The email contains an attachment titled “Apple Discount - Complete this form to get your discount.html.” This form asks for a variety of personal information, including “your name, your address, date of birth, driver's license, your mother's maiden name, and credit card information." The credit card information portion of the form is quite expansive. In addition to the normal requests, the phishers ask for the card's “security code, what password you use for Verified by Visa / MasterCard SecureCode and even (rather cheekily) your credit limit!” The email is very neat and concise and free from the common errors made in less sophisticated phishing emails. However, people should always be aware that they will never be asked for such personal information by any business.  Apple has announced that they have nothing to do with this.  Hopefully soon there will be more information on the number of people affected by this.

[Image of the phishing email, courtesy nakedsecurity.sophos.com]

Tuesday, October 9, 2012

Blog Entry #10: James Bond's Dry Erase Marker

LINK: http://www.forbes.com/sites/andygreenberg/2012/10/02/hackers-crack-hotel-room-locks-with-a-tool-disguised-as-a-dry-erase-marker/
 
It seems that a small group of penetration testers have found a way to bypass a common hotel keycard door lock.  The tool has the look of a dry erase marker but is powerful enough to almost instantly unlock keycard door locks built by the company Onity.  Matthew Jakubowski, one of the three who built the device, notes “someone using this could be searched and even then it wouldn’t be obvious that this isn’t just a pen.” The trio, who built what they are calling the "James Bond's dry erase marker: the hotel pentest pen," got their idea from Cody Brocious, a hacker and software developer for Mozilla.  He built a device that functioned in much the same manner but was less concealable.
This hardware hack is quite significant because of the sheer number of Onity locks in use, over 4 million according to Onity's own statistics.  The hackers "exploited the port on the bottom of the lock intended for a device that hotels can use to set master keys."  From this they were able to read the lock's memory, ultimately giving them access to the locking mechanism.  The entire build cost about $30 and took eight hours to assemble.  That is really cheap considering it gets you worldwide access to some of the finest hotel rooms.  Other hackers have created similar versions, concealing the hardware in an aluminum wallet and an iPhone case.


You would think that as soon as Onity heard of this issue with their locks, they would be quick to remedy the situation.  However, the solutions they presented were replacing or upgrading the locks at the hotels' cost, or installing a small plug which would block the lock's data port.  The first solution would be cost prohibitive, meaning hotels would not be likely to repair the locks.  This would leave hotel guests in danger.  The second fix could probably be circumvented by a pick or screwdriver, and even if it cannot be dislodged, "the plugs would prevent the use of the hotels’ lock programming devices." Either way Onity has acted irresponsibly and needs to find an economical way to make their product more secure.

For a complete list of instructions and materials to build the pentest pen, follow the link.

Monday, October 8, 2012

Blog Entry #9: Hold on to your wallet.

LINK: http://www.pcworld.com/article/2011307/cybercriminals-plotting-massive-banking-trojan-attack-security-firm-warns.html

It looks like the assault on U.S. banks will not let up anytime soon. Jaikumar Vijayan writes about a looming attack uncovered by security group RSA. According to RSA, a major campaign is underway to rob the online bank accounts of thousands of customers of over 30 major U.S. banks. Information obtained by RSA reveals that the group will use malware called Gozi Prinimalka. This is an updated version of Gozi, which cost U.S. banks millions a few years back. The malware will “infiltrate computers belonging to U.S. banking customers and use the hijacked machines to initiate fraudulent wire transfers from their accounts.” The scale of this operation is unparalleled, with the criminal organization looking to recruit about 100 botmasters to carry out the Trojan attacks for a share of the stolen money. It is suspected this newest attack will focus on individual consumer accounts rather than going after the banks as a whole. The Trojan being used will trigger when certain words are entered into a URL string. The malware will then create a virtual machine identical to the one infected, allowing the criminals to access banking websites from computers with the same IP address as the infected machines.

U.S. banks recently fell victim to sustained DDoS attacks which caused the websites of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo, to be disrupted for a period of time. This most likely already cost the banks millions and further attacks would only raise the losses. These attacks are thought to have been initiated by a government body, but a group called "Cyber fighters of Izz ad-din Al qassam" claims to be behind the attack. Banks have been made aware of current and future attacks by the Financial Services Information Sharing and Analysis Center (FS-ISAC), specifically “to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.”
In order to protect against this it is important that anyone who uses online banking updates their browser and is vigilant in monitoring account activity. No word was given in the article about an exact date, but all signs point to this attack happening sometime this fall.
Friday, October 5, 2012

Blog Entry #8: PlaceRaider Malware

Link #1: http://threatpost.com/en_us/blogs/new-android-malware-app-turns-phone-surveillance-device-100112?utm_source=Threatpost&utm_medium=Left+Sidebar&utm_campaign=Most+Commented

Up until now mobile malware has been used almost exclusively to steal data from inside a person's phone, and perhaps the data they have stored in the cloud. Recently though, the game has changed. Michael Mimoso, a writer for ThreatPost.com, details the latest in mobile malware, which has come from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing. Researchers at the school have created a sophisticated method that utilizes a low tech attack to gain control of a few of the features of Android smartphones. This attack turns the phone into a surveillance tool. The software, named PlaceRaider, is being dubbed "visual malware", a term coined by the researchers. According to the article, "PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment." This allows the controller to get a picture of the phone owner's surroundings and the objects within them.
Once a user has installed a malicious camera application infected with PlaceRaider onto their phone, the malware controller's C&C server is notified and the attacker can begin modeling the user's surrounding environment. In tests, barcodes, personal information, credit card information, and other sensitive data could be picked up. The creators, Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia, upped the ante on spying with smartphones. Previous malware allowed attackers to listen in with a phone's microphone, but now this malware allows its controllers to have eyes on the phone's surroundings. Additionally, it has the capability to perform this task remotely. In their paper, the authors write, “We show how PlaceRaider allows remote hackers to reconstruct rich three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera."
The news is not all bad though. It seems the makers of PlaceRaider share one big concern of all smartphone users, battery life. They were considerate enough to build into their software the ability to analyze each image to weed out “redundant and uninformative images” before they are sent out to the malware controller. This is done by applying a set of algorithms to each image. Once complete, "the analysis sets a threshold for images, and discards any that fall below in order to lessen the burden on the phone for transmission and power consumption." Of course this malware was created in a research environment, and we can't be so sure that real criminals will be so considerate to their potential victims.

To read the full write-up by the researchers follow this link.

Thursday, October 4, 2012

Blog Entry #7: Malnets, when one piece of malware just won't do.


Link #1: http://hothardware.com/News/Malnets-Were-the-Cause-of-Most-CyberAttacks-in-2012/
Link #2: http://www.theregister.co.uk/2012/10/03/malnets/

The world of malware has a new king.  Malnets, a malware attack strategy that emerged in 2011, have been given the dubious distinction by Blue Coat of being the leading cause of cyber attacks in 2012.  Malnets are networks of malware that provide a robust and easily adapted platform for carrying out a series of organized attacks.  According to the article Zombie-animating malnets increase 200% in just 6 months, "Blue Coat expect malnets to account for more than two-thirds of all malicious cyber attacks in 2012.  The firm is currently tracking more than 1,500 unique malnets, a 200 per cent (four-fold) increase from just six months ago."  This is an alarming statistic and it must mean that criminals are having huge amounts of success with this type of attack.  Malnets make use of thousands of servers and spread themselves out across the web. Their command and control structure is also constantly changing. This makes detection and discovery of the entire network a daunting task for security firms and law enforcement.
According to Blue Coat, a "negative day defense" is the best approach to bringing down these expansive pieces of malicious infrastructure.  Because of the way the malnet network is set up, taking down a single system, or even a few nodes, will not do much to slow down the malnet's progress.  The operators will simply replace the closed down pieces with new ones.  The "negative day defense" strategy involves blocking the malnets before they launch. Blue Coat describes this process: "Blue Coat Security Labs maps the relationships between malnet components to identify and block new subnets, IP addresses and host names when they come online.  Once the malnet infrastructure has been identified, it can be blocked at the source before attacks are launched."
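The quoted description boils down to a graph problem: hostnames, the addresses they resolve to, and the subnets those addresses sit in are the nodes; observed resolutions are the edges; and anything reachable from already-attributed components is treated as the same infrastructure, so a brand-new hostname can be blocked the moment it resolves into a mapped subnet, before it has served anything. The Python below is an added example written for this post to show that pivot, not Blue Coat's code or Blue Coat's actual method. The resolution log, the seed indicator and the /24 grouping are all constructed (names under the reserved .example domain, addresses in the documentation ranges).

```python
import ipaddress
from collections import defaultdict, deque

# Constructed resolver/proxy observations: (hostname, IP it resolved to).
# Hypothetical names and reserved documentation addresses, not real indicators.
OBSERVED_RESOLUTIONS = [
    ("lure1.example", "203.0.113.10"),
    ("lure2.example", "203.0.113.11"),
    ("relay.example", "203.0.113.11"),   # shares an address with lure2
    ("relay.example", "198.51.100.20"),  # relay also lives in a second address block
    ("shop.example", "192.0.2.5"),       # unrelated site, should stay unblocked
]

# Constructed: a component already attributed to a malnet by earlier analysis.
KNOWN_MALNET_SEEDS = {"lure1.example"}

# Group addresses by /24 so a sibling address in the same block counts as related
# (an assumption for the example; real analysis would weigh this by hosting type).
SUBNET_PREFIX = 24


def subnet_of(ip):
    """Return the enclosing /SUBNET_PREFIX network for an address, as a string."""
    return str(ipaddress.ip_network(f"{ip}/{SUBNET_PREFIX}", strict=False))


def build_graph(resolutions):
    """Undirected graph linking hostname <-> IP <-> subnet for each observed resolution."""
    graph = defaultdict(set)
    for host, ip in resolutions:
        net = subnet_of(ip)
        graph[host].add(ip)
        graph[ip].add(host)
        graph[ip].add(net)
        graph[net].add(ip)
    return graph


def map_malnet(graph, seeds):
    """Breadth-first walk from the seed components; everything reached is one infrastructure."""
    mapped = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for neighbour in graph.get(node, ()):
            if neighbour not in mapped:
                mapped.add(neighbour)
                queue.append(neighbour)
    return mapped


def should_block(new_host, new_ip, mapped):
    """Negative-day check: block a newly seen host if it resolves into already-mapped infrastructure."""
    return new_host in mapped or new_ip in mapped or subnet_of(new_ip) in mapped


if __name__ == "__main__":
    graph = build_graph(OBSERVED_RESOLUTIONS)
    mapped = map_malnet(graph, KNOWN_MALNET_SEEDS)
    print("mapped components:", sorted(mapped))
    # A host never seen before, resolving into a block the malnet already uses (constructed).
    print("block newlure.example?", should_block("newlure.example", "198.51.100.77", mapped))
    print("block shop.example?", should_block("shop.example", "192.0.2.5", mapped))
```

Starting from the single seed, the walk reaches both lures, the relay and both of its address blocks, while shop.example is never touched because nothing connects it to that component. The subnet pivot is also where the approach needs care: on shared hosting a /24 can hold many unrelated tenants, so a production version would score edges rather than treat every one as proof of membership.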
Here is a graphic describing the top five malnets as identified by Blue Coat.  This image is courtesy of Blue Coat and taken from Paul Lilly's article “Malnets” Were the Cause of Most Cyber-Attacks in 2012.  For a more detailed description of these and a few other big malnets to watch out for, check out the John Leyden article Zombie-animating malnets increase 200% in just 6 months from The Register.

Sunday, September 23, 2012

Blog Entry #6: And the score is Apple 0, Samsung 0


On the lighter side of things, it still rings true that any piece of hardware can be hacked.  Dan Goodin reported on a few of the goings-on at the sixth annual mobile Pwn2Own contest, being held at the EUSecWest security conference in Amsterdam.  Perhaps the most notable piece of news to come out of the contest was the fact that security researchers from Certified Secure and from MWR Labs were able to commandeer an Apple iPhone 4S using iOS 5 and a developer version of iOS 6, and a Samsung Galaxy S3 running Android 4.0.4.  The news of this came just days before the highly anticipated release of the new iPhone 5.  The exploit allowed the team to “pilfer the address book, photos, videos, and browsing history from the iPhone 4S”.  It is believed that since they were able to perform the hack on the developer version of the iOS 6 software, the hack will work on the new iPhone and other Apple devices running the OS.  While this may not be the end of the world, it is a bit scary to see that nothing is safe in this world.  The Android hack contains an exploit that penetrates its Near Field Communication feature.  When I was reading through the article and saw this, I had to gasp for a second.  This was one of the features that sold me on buying my shiny new Galaxy S3 over waiting for the new iPhone.  According to the article the hack works like this,

“it used a new feature known as Near Field Communication to upload a malicious file to the device. The file was then able to bypass security mitigations including address space layout randomization, data execution prevention, and application sandboxing so it could eventually execute.”

I tend to be biased when it comes to Apple stuff; I am not a big fan.  So, I should mention that most in the industry still consider the iPhone to be the most secure mobile device.  The biggest piece of advice the article gives is, regardless of your choice of phone, do not do “anything of value” on it.

Saturday, September 22, 2012

Blog Entry #5: Updates on Flame and Stuxnet


First things first, there have been a few more developments in the Flame malware saga.  Kim Zetter reveals that Flame was in development, and might have been active, much longer than previously thought.  According to the clues left in the servers that were breached by Kaspersky and Symantec, the code development can be traced back to 2006.  The researchers looking at this malware also believe that about 10,000 machines have been infected with Flame.  In addition to these new details, a timeline (image below) has been created that shows the activity of four of the suspected programmers.  It includes nicknames of programmers, communication logs, target logs, and other information.  Besides Iran, 15 other countries have machines that have been infected.  Though most of those countries only account for a few infections, Sudan has about 1/3 of the infections suffered by Iran.  One of the juiciest tidbits to come out recently was the fact that about 5.5 GB of stolen data was left on the C&C servers.  No information has been released on what this data is, but I am sure that anyone interested in this topic would love a look at what these hackers were collecting.


In news related to the Flame family, cyber criminals have begun using techniques copied from the new pieces of sophisticated malware such as Stuxnet.  Stuxnet, the worm that targeted Iran’s nuclear enrichment facilities, installed its device drivers signed with code-signing certificates stolen from Taiwanese hardware firms, which let the drivers pass as legitimate software and bypass security products.  Criminals are now employing this technique to fool consumer security software and steal passwords, account information and credit card numbers.  In Tom Simonite’s article, Roel Schouwenberg, a researcher with Kaspersky, talks about another technique that may become popular with less skilled criminal hackers.  His concern is that these hackers will begin copying the modular design of Flame.  This will enable the malware operators to upgrade or change parts to suit their needs for a particular attack.  He thinks this kind of malware will also be profitable to those who write the malicious code, saying, "It provides an up-sell opportunity for these guys if they can sell something, and then offer upgrade kits to improve it later."  Ultimately, this type of changing malware will be harder for security companies to defend against.
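The stolen-certificate trick described above is worth a concrete check, because a driver signed with a stolen but not-yet-revoked certificate looks perfectly legitimate to Windows and to most security software.  The following PowerShell snippet is an added example, not code from the article or from Kaspersky: it walks the system driver directory, validates each driver's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and flags any signer whose certificate thumbprint appears on a watchlist.  The watchlist entry shown is a constructed placeholder; you would populate it with thumbprints of certificates that your own threat intelligence reports as stolen or revoked.

```powershell
# Added example, not from the original post: flag kernel drivers with an
# invalid Authenticode signature or a signer on a compromised-certificate list.
# $CompromisedThumbprints is a placeholder you must fill from your own intel;
# the value below is a constructed dummy, not a real certificate hash.
$CompromisedThumbprints = @(
    '0000000000000000000000000000000000000000'  # placeholder, replace with real thumbprints
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$drivers   = Get-ChildItem -Path $driverDir -Filter '*.sys' -File

foreach ($d in $drivers) {
    # Ask WinVerifyTrust (via the cmdlet) whether the embedded signature checks out.
    $sig   = Get-AuthenticodeSignature -FilePath $d.FullName
    $thumb = $null
    if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }

    $finding = $null
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, etc. all deserve a look.
        $finding = "signature status: $($sig.Status)"
    }
    elseif ($thumb -and ($CompromisedThumbprints -contains $thumb)) {
        # A stolen certificate validates fine until it is revoked; only the
        # watchlist catches this case.
        $finding = 'signer thumbprint is on the compromised-certificate list'
    }

    if ($finding) {
        [pscustomobject]@{
            Driver     = $d.Name
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Thumbprint = $thumb
            Finding    = $finding
        }
    }
}
```

Run it from an elevated PowerShell session.  The caveat is the one the Stuxnet case illustrates: a signature made with a stolen certificate that has not yet been revoked reports a Status of Valid, so a reputation or revocation list is the only thing that distinguishes it from an honest driver, while a Status of NotSigned or HashMismatch is suspicious on its own.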
With all this new information coming from Symantec and Kaspersky, it might only be a matter of time until some sort of concrete evidence is found that leads to the creators of this malware.  Many experts believe malware this sophisticated can only belong to a government, but others think that, given how many mistakes and clues are being found, this might not be the work of a nation.  Either way, this malware has paved the way for more sophisticated attacks on the general public.

Wednesday, September 19, 2012

Blog Entry #4: Flame Worm Updates

 
            In the continuing saga of Iran and malware attacks, two conflicting reports have come out in the last few days regarding the malware Flame.  The first article, taken from bbc.com, suggests that the Flame worm is possibly part of a much wider "family" and is older than previously thought.  It can now be traced back to 2006.  Earlier in the summer, it was discovered that the Flame worm was related to Stuxnet, malware aimed at disrupting Iran's nuclear aspirations, and Duqu, another worm responsible for some data theft.  According to the bbc.com article, though, Flame may also have other relatives.  All of this new information is the result of a joint study between Kaspersky, Symantec, Germany's CERT-Bund, and the UN's International Telecommunication Union.  They were able to look at the servers that control Flame and have found that the worm may have three other relatives that have not been identified.  In the article, Prof Alan Woodward, a visiting professor at the University of Surrey's department of computing, has asserted that while many believe this malware is state sponsored, "the latest analysis showed little involvement from intelligence agents."
 
            I discovered the second article for this entry while doing a little background research.  It had just come out and gives some further insight into whether this may be state-sponsored espionage.  Brian Bloom discusses a lot of the same topics as the article above.  He does, however, add the fact that the password to the server was cracked by a Kaspersky researcher, and that the server's control panel was disguised as a content management system called "Newsforyou."  This article, however, cites a Reuters quote from unnamed U.S. security officials who have said that both Flame and Stuxnet, another highly sophisticated worm targeted at Iran, were likely developed by a U.S. organization.  This contradicts the first article, which downplays any government involvement.
 
            The bottom line is that whether or not this malware is government sponsored, the creators should be ashamed of the way the malware was identified.  According to the bbc.com article and Prof Woodward, "Those behind [Flame] did try and destroy it. They may have known that they were about to be rumbled, but they failed at the last minute by mistyping the name of the file."  This is a scary thought if it is our government behind this.  To think a simple filename misspelling could bring down what many call the most sophisticated piece of malware ever.  It should be interesting to see what new information Kaspersky and Symantec can obtain from their access to the server controlling this stuff, and you can be sure that as more news comes out, I will do my best to post it.

Tuesday, September 18, 2012

Blog Entry #3: Private Sector Protection

 
            How far can the private sector go to protect its data?  Ellen Nakashima writes an enlightening article in which she cites numerous sources who believe that companies need to be more proactive in defending their intellectual property.  Cited numerous times throughout the article is Steven Chabinsky, former top cyber lawyer for the FBI.  Chabinsky calls current US efforts on cyber security a "failed approach."  He strongly believes that companies need to have the ability to seek out hackers and protect what is rightfully theirs.  Some may see this as giving companies the ability to peek and pry wherever they want, but Chabinsky says he is "not advocating vigilantism."  He feels that this issue needs to be discussed and refined so that the right of companies to protect their property can be balanced against the rights of others.
 
            The biggest thing to take away from this article is the realization that a lot of security experts agree there needs to be more collaboration between the government and the private sector.  If the two do not learn to be more proactive in fighting simple hacking or even cyber warfare, such as what I talked about last week, we could see a situation like the one described by Michael V. Hayden.  He believes that because of the limitations the government has, we will see private cyber warfare firms similar to Blackwater.  This type of firm could put us on a slippery slope.  All we have to do is look at what has happened in Iraq and Afghanistan to see what some private cyber army might be capable of doing.

Thursday, September 13, 2012

Blog Entry #2: US Bolstering its Cyber Warfare Prowess

LINK1:  http://www.koreatimes.co.kr/www/news/nation/2012/09/205_119780.html
LINK2: http://www.pcmag.com/article2/0,2817,2408838,00.asp?kc=PCRSS03069TX1K0001121
           
Two articles caught my eye as a follow-up to my first posting.  These articles concern the US government's efforts to bolster cyber security.
 
            Since the attacks on US and South Korean interests earlier this year, the two countries have grown more concerned about the threat North Korea may pose in the realm of cyber warfare.  This is yet another nation that poses a threat to the civilian and military infrastructure of the US and its allies.  According to the article "Korea, US Mull Regular Cyber Warfare Drills," the US and its ally South Korea will begin joint training exercises for cyber warfare.  In my mind, what makes these exercises especially important is the fact that the US has announced that in addition to formulating defense plans, the two nations will "formulate concrete steps to deal with...Korea's nuclear and missile programs."  Similar to what the US and Israel allegedly did in Iran, the US is going on the offensive to deter North Korea's nuclear capabilities.  This is needed for stabilization in the region.
 
            Closer to home, the US Government, by way of DARPA, is taking steps to advance its cyber warfare prowess.  The article, "DARPA Solicits Ideas for Waging Cyber Warfare," by Stephanie Mlot, talks about DARPA's plan to hold meetings to find and discuss various technologies that can be used to "understand, plan, and manage cyber warfare in large, real-time networks."  The program was given the moniker "Plan X" and will be used by the Defense Department to find technology that can help it dominate cyber warfare.  DARPA will focus on four key areas with Plan X:
·         Understanding the cyber battlespace
·         Automatically constructing verifiable and quantifiable cyber operations
·         Developing OSes that can operate in hostile environments
·         Visualizing and interacting with large-scale cyber battlespaces
 
            These steps that the government is taking are crucial to maintaining the safety of the US and its allies.  More news should come by October on what is going on in South Korea.  The DARPA project will have its first meeting on September 27th.  Some of the meeting is unclassified, so it should be quite interesting to see what morsels are released.  Next week, I hope to look at some of the specific tactics and technology used in cyber warfare.

Blog Entry #1: Is Iran Becoming a Serious Threat in Cyber Warfare?

 LINK:  http://www.huffingtonpost.com/huff-wires/20120904/ml-tec-gulf-computer-viruses/

          My first blog entry for the semester concerns a topic that I hope to revisit. I have become increasingly interested in cyber-espionage and cyber-warfare between large entities, such as governments and multinational corporations, since the 2010 Stuxnet worm. This new threat has been on the rise, and is the kind of captivating stuff that most people think only takes place in the movies. My first article for this project, "Virus Origin in Gulf Computer Attacks in Question," is written by Adam Schreck and concerns the recent targeted attacks on systems at two of the biggest Gulf energy companies, Saudi Aramco and RasGas. While the possible threat to Gulf oil and gas supplies is a scary enough thought, I find Jeffrey Carr's supposition more alarming. According to the article, Carr, head of a Virginia-based computer security firm, feels that the Iranian government, and hackers in its employ, carried out the attacks. He goes on to describe similarities between this new virus, named "Shamoon", and a virus that gave Iran big trouble in the past. The article goes so far as to say that Carr suggests "that Iran-linked hackers may have created Shamoon by adapting computer code from the earlier virus."

          The attacks on Saudi Aramco and RasGas are said to have affected networked computers and may have caused considerable data loss. These attacks occurred in the Persian Gulf, but may have a link to Exxon Mobil, a company much closer to home. Because of tight-lipped security policies, we cannot know the true scope of the damage to any of these companies, but the data loss is thought to be huge. The only positive in this situation is the fact that oil production was not halted, THIS TIME! The first attack occurred on August 15th and the second on August 27th. These two attacks are the only ones that have been confirmed. In the article, Israeli security expert Aviv Raff claims that more than just these two companies may have been affected by the virus. The true scope of this situation may give us a clue as to the sophistication and size of the network that planned and executed this attack.

          The attack on these two energy companies is only a small part of the bigger picture, though. What Adam Schreck talks about towards the bottom of this article is what I found most interesting. He lays out examples of how the various anti-American and anti-Israeli regimes in the Middle East are bolstering their ranks of cyber warriors. They have become increasingly organized and skilled. It was the paragraphs discussing this that spurred my interest to follow this topic and learn as much as I can about it. Iran seems determined to do whatever it can to undermine the energy networks of the US, Israel and any other pro-democracy nation. With our increasing dependence on computers and oil, Iran, Lebanon, and other nations with similar goals have another area in which to search for and exploit weaknesses. Hopefully, more news will trickle onto the internet in the next few weeks as to the variety of businesses that suffered from this attack. This will give everyone a clearer picture of what those responsible for our cyber security are up against.



Thursday, August 30, 2012