Sunday, September 23, 2012

Blog Entry #6: And the score is Apple 0, Samsung 0


            On the lighter side of things, it still rings true that any piece of hardware can be hacked.  Dan Goodin reported on a few of the goings on at the sixth annual mobile Pwn2Own contest, held at the EUSecWest security conference in Amsterdam.  Perhaps the most notable piece of news to come out of the contest was that security researchers from Certified Secure and from MWR Labs were able to commandeer an Apple iPhone 4S running iOS 5 and a developer version of iOS 6, and a Samsung Galaxy S3 running Android 4.0.4.  The news came just days before the highly anticipated release of the new iPhone 5.  The exploit allowed the team to "pilfer the address book, photos, videos, and browsing history from the iPhone 4S".  Because the hack also worked on the developer version of iOS 6, it is believed that it will work on the new iPhone and on other Apple devices running that OS.  While this may not be the end of the world, it is a bit scary to see that nothing is safe in this world.   The Android hack uses the phone's Near Field Communication (NFC) feature to deliver its exploit.  When I was reading through the article and saw this, I had to gasp for a second.  This was one of the features that sold me on buying my shiny new Galaxy S3 over waiting for the new iPhone.  According to the article, the hack works like this:

“it used a new feature known as Near Field Communication to upload a malicious file to the device. The file was then able to bypass security mitigations including address space layout randomization, data execution prevention, and application sandboxing so it could eventually execute.”

I tend to be biased when it comes to Apple stuff; I am not a big fan.  So, I should mention that most in the industry still consider the iPhone to be the most secure mobile device.  The biggest piece of advice the article gives is that, regardless of your choice of phone, you should not do "anything of value" on it.

Saturday, September 22, 2012

Blog Entry #5: Updates on Flame and Stuxnet


First things first, there have been a few more developments in the Flame malware saga.  Kim Zetter reveals that Flame was in development, and might have been active, much longer than previously thought.  According to clues left on the command-and-control servers examined by Kaspersky and Symantec, development of the code can be traced back to 2006.  The researchers looking at this malware also believe that about 10,000 machines have been infected with Flame.  In addition to these new details, a timeline (image below) has been created that shows the activity of four of the suspected programmers.  It includes the programmers' nicknames, communication logs, target logs, and other information.  Besides Iran, 15 other countries have machines that have been infected.  Though most of those countries account for only a few infections each, Sudan has roughly a third as many infections as Iran.  One of the juiciest tidbits to come out recently is that about 5.5 GB of stolen data was left on the C&C servers.  The researchers have not released any information about what this data is, but I am sure that anyone interested in this topic would love a look at what these hackers were collecting.


In news related to the Flame family, cyber criminals have begun using techniques copied from these new pieces of sophisticated malware, such as Stuxnet.  Stuxnet, the worm that targeted Iran's nuclear enrichment facilities, installed malicious device drivers signed with digital certificates stolen from Taiwanese firms, which let the drivers pass as legitimate software and bypass security products. Criminals are now employing the same technique to fool consumer security software and steal passwords, account information, and credit card numbers.  In Tom Simonite's article, Roel Schouwenberg, a researcher with Kaspersky, talks about another technique that may become popular with less skilled criminal hackers. His concern is that these hackers will begin copying Flame's modular design, which lets malware operators upgrade or swap out components to suit a particular attack.  He thinks this kind of malware will also be profitable for those who write the malicious code, saying, "It provides an up-sell opportunity for these guys if they can sell something, and then offer upgrade kits to improve it later."  Ultimately, malware that changes this way will be harder for security companies to defend against.
With all this new information coming from Symantec and Kaspersky, it might only be a matter of time until some sort of concrete evidence is found that leads to the creators of this malware.  Many experts believe malware this sophisticated can only belong to a government, but others think that, given how many mistakes and clues are being found, this might not be the work of a nation-state.  Either way, this malware has paved the way for more sophisticated attacks on the general public.

Wednesday, September 19, 2012

Blog Entry #4: Flame Worm Updates

 
            In the continuing saga of Iran and malware attacks, two conflicting reports have come out in the last few days regarding the malware Flame.  The first article, taken from bbc.com, suggests that the Flame worm is possibly part of a much wider "family" and is older than previously thought.  It can now be traced back to 2006.  Earlier in the summer, it was discovered that Flame was related to Stuxnet, the malware aimed at disrupting Iran's nuclear aspirations, and to Duqu, another worm responsible for some data theft.  According to the bbc.com article, though, Flame may also have other relatives.  All of this new information is the result of a joint study between Kaspersky, Symantec, CrySyS Lab, and the UN's International Telecommunication Union (ITU).  They were able to look at the servers that control Flame and found that the worm may have three other relatives that have not yet been identified.  In the article, Prof Alan Woodward, a visiting professor at the University of Surrey's department of computing, asserts that while many believe this malware is state sponsored, "the latest analysis showed little involvement from intelligence agents."
 
            I discovered the second article for this entry while doing a little background research.  It had just come out and gives some further insight into whether this may be state-sponsored espionage.  Brian Bloom discusses many of the same topics as the article above.  He does, however, add that the password to the server was cracked by a Kaspersky researcher, and that Flame's control panel was disguised as a content management system called "Newsforyou."  This article also cites a Reuters quote from unnamed U.S. security officials who said that both Flame and Stuxnet, another highly sophisticated worm targeted at Iran, were likely developed by a U.S. organization.   This contradicts the first article, which downplays any government involvement.
 
            The bottom line is that whether or not this malware is government sponsored, its creators should be ashamed of the way the malware was identified.  According to the bbc.com article and Prof Woodward, "Those behind [Flame] did try and destroy it. They may have known that they were about to be rumbled, but they failed at the last minute by mistyping the name of the file."  This is a scary thought if it is our government behind this.  To think a simple filename misspelling could bring down what many call the most sophisticated piece of malware ever.  It should be interesting to see what new information Kaspersky and Symantec can obtain from their access to the server controlling this stuff, and you can be sure that as more news comes out, I will do my best to post it.

Tuesday, September 18, 2012

Blog Entry #3: Private Sector Protection

 
            How far can the private sector go to protect its data?  Ellen Nakashima has written an enlightening article in which she cites numerous sources who believe that companies need to be more proactive in defending their intellectual property.   Cited numerous times throughout the article is Steven Chabinsky, former top cyber lawyer for the FBI.  Chabinsky calls current US efforts on cyber security a "failed approach."  He strongly believes that companies need the ability to seek out hackers and protect what is rightfully theirs.  Some may see this as giving companies the ability to peek and pry wherever they want, but Chabinsky is quoted as "not advocating vigilantism."  He feels that this issue needs to be discussed and refined so that the right of companies to protect their property can be balanced against the rights of others.
 
            The biggest thing to take away from this article is the realization that a lot of security experts agree there needs to be more collaboration between the government and the private sector.  If the two do not learn to be more proactive in fighting simple hacking, or even the cyber warfare I talked about last week, we could see a situation like the one described by Michael V. Hayden.  He believes that because of the limitations the government has, we will see private cyber warfare firms similar to Blackwater.   This type of firm could put us on a slippery slope.  All we have to do is look at what has happened in Iraq and Afghanistan to see what a private cyber army might be capable of doing.

Thursday, September 13, 2012

Blog Entry #2: US Bolstering its Cyber Warfare Prowess

LINK1:  http://www.koreatimes.co.kr/www/news/nation/2012/09/205_119780.html
LINK2: http://www.pcmag.com/article2/0,2817,2408838,00.asp?kc=PCRSS03069TX1K0001121
Two articles caught my eye as a follow-up to my first posting.  These articles concern the US government's efforts to bolster cyber security.
 
            Since the multiple attacks on US and South Korean interests earlier this year, the two countries have grown more concerned about the threat North Korea may pose in the realm of cyber warfare.  This is yet another nation that poses a threat to the civilian and military infrastructure of the US and its allies.  According to the article "Korea, US Mull Regular Cyber Warfare Drills," the US and its ally South Korea will begin joint training exercises for cyber warfare.  In my mind, what makes these exercises especially important is that the US has announced that, in addition to formulating defense plans, the two nations will "formulate concrete steps to deal with...Korea's nuclear and missile programs."  Similar to what the US and Israel allegedly did in Iran, the US is taking an offensive posture to deter North Korea's nuclear capabilities.  This is needed for stabilization in the region.
 
            Closer to home, the US government, by way of DARPA, is taking steps to advance its cyber warfare prowess.  The article "DARPA Solicits Ideas for Waging Cyber Warfare," by Stephanie Mlot, talks about DARPA's plan to hold meetings to find and discuss technologies that can be used to "understand, plan, and manage cyber warfare in large, real-time networks."  The program was given the moniker "Plan X" and will be used by the Defense Department to find technology that can help it dominate cyber warfare.  DARPA will focus on four key areas with Plan X:
·         Understanding the cyber battlespace
·         Automatically constructing verifiable and quantifiable cyber operations
·         Developing operating systems that can operate in hostile environments
·         Visualizing and interacting with large-scale cyber battlespaces
 
            The steps the government is taking are crucial to maintaining the safety of the US and its allies.  More news should come by October on what is going on in South Korea.  The DARPA project will have its first meeting on September 27th.  Some of the meeting is unclassified, so it should be quite interesting to see what morsels are released.  Next week, I hope to look at some of the specific tactics and technology used in cyber warfare.

Blog Entry #1: Is Iran Becoming a Serious Threat in Cyber Warfare?

 LINK:  http://www.huffingtonpost.com/huff-wires/20120904/ml-tec-gulf-computer-viruses/

          My first blog entry for the semester concerns a topic that I hope to revisit. I have become increasingly interested in cyber-espionage and cyber-warfare between large entities, such as governments and multinational corporations, since the 2010 Stuxnet worm. This new threat has been on the rise, and is the kind of captivating stuff that most people think only takes place in the movies. My first article for this project, "Virus Origin in Gulf Computer Attacks in Question," is written by Adam Schreck and concerns the recent targeted attacks on systems at two of the biggest Gulf energy companies, Saudi Aramco and RasGas. While the possible threat to Gulf oil and gas supplies is a scary enough thought, I find Jeffrey Carr's supposition more alarming. According to the article, Carr, head of a Virginia-based computer security firm, believes the Iranian government, and hackers in its employ, carried out the attacks. He goes on to describe similarities between this new virus, named "Shamoon", and a virus that gave Iran big trouble in the past. The article goes so far as to say that Carr suggests "that Iran-linked hackers may have created Shamoon by adapting computer code from the earlier virus."

          The attacks on Saudi Aramco and RasGas are said to have affected networked computers and may have caused considerable data loss. These attacks occurred in the Persian Gulf, but may have a link to Exxon Mobil, a company much closer to home. Because of the companies' tight-lipped security policies, we cannot know the true scope of the damage to any of them, but the data loss is thought to be huge. The only positive in this situation is that oil production was not halted, THIS TIME! The first attack occurred on August 15th and the second on August 27th. These two attacks are the only ones that have been confirmed. In the article, Israeli security expert Aviv Raff claims that more than just these two companies may have been affected by the virus. The true scope of this situation may give us a clue as to the sophistication and size of the network that planned and executed this attack.

          The attack on these two energy companies is only a small part of the bigger picture, though. What Adam Schreck talks about towards the bottom of the article is what I found most interesting. He lays out examples of how the various anti-American and anti-Israeli regimes in the Middle East are bolstering their ranks of cyber warriors. They have become increasingly organized and skilled. It was the paragraphs discussing this that spurred my interest to follow this topic and learn as much as I can about it. Iran seems determined to do whatever it can to undermine the energy networks of the US, Israel, and any other pro-democracy nation. With our increasing dependence on computers and oil, Iran, Lebanon, and other nations with similar goals have another arena in which to search for and exploit weaknesses. Hopefully, more news will trickle onto the internet in the next few weeks about the variety of businesses that suffered from this attack. This will give everyone a clearer picture of what those responsible for our cyber security are up against.