Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says also that it might not be long before the cyber criminals turn their attentions to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams that have plagued Windows and Mac OSX during the last couple of years and now it seems that such fake antivirus scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android.. When antivirus software becomes a universally accepted requirement (the way it is on Windows is the day), has the platform has failed and missed the whole point of being mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones images to the Internet (to portals such Facebook or Flickr) there’s a strong chance they will also upload the GPS lcoation data as well. This information could be subsequently misused by third parties.
You need to find your balance between freedom and security (
Vapauden ja turvallisuuden tasapaino). Usernames poured out for all to see, passwords and personal identification numbers are published. A knowledge of access management is even more important: who has the right to know when and where the role of functioning? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, the development of safety should taken into account in the planning stage, rather than at the end of execution. Even a secure network and information system can not act as operating a vacuum.
Reliability of the server certificates will face more and more problems. We can see more certificate authority bankruptcies due cyber attacks to them. Certificate attacks that have focused on the PC Web browsers, are now proven to be effective against mobile browsers.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
Rise of Printer Malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a document to a printer that contained a malicious version of the OS can send your sensitive document anywhere in Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
According to Stonesoft security problems threaten the lives and the year 2012 may be the first time when we lose lives because of security offenses. According to the company does this happen remains to be seen, but the risk is due to industrial SCADA systems attacks against targets such as hospitals or automated drug delivery systems. I already posted around month ago about SCADA systems security issues.
849 Comments
Tomi Engdahl says:
Critical flaw exposes Oracle database passwords
Vuln leaves barn door open to brute-force attacks
http://www.theregister.co.uk/2012/09/21/oracle_11g_db_password_flaw/
A security researcher says some versions of the Oracle database contain a vulnerability so serious that anyone with access to the server over a network can crack database passwords using a basic brute-force attack, given nothing more than the name of the database and a valid username.
“This is a critical issue because it’s very easy to exploit, and it doesn’t require any privileges,”
According to a report issued on Thursday by Kaspersky Labs’ Threatpost, the vulnerability stems from a fundamental flaw in the logon authentication protocol used by Oracle Database 11g Releases 1 and 2.
“The attacker can perform a brute force attack on the Session Key by trying millions of passwords per second until the correct one is found,”
According to Fayó, Oracle currently has no plans to patch version 11.1 of the protocol to fix the flaw, and they aren’t doing much to help customers migrate to version 12, either.
GPU acceleration and hybrid dictionary attacks can speed up the process of guessing passwords considerably
Tomi Engdahl says:
Chinese hacktivists launch cyber attack on Japan
Government sites sink in dispute over islands
http://www.theregister.co.uk/2012/09/21/japan_china_attack_sites_senkaku/
Chinese hackers have taken up cyber arms and followed up widespread anti-Japan protests in the People’s Republic over a set of disputed islands by attacking at least 19 Japanese government and other web sites.
The web sites of banking, utilities and other private companies were also hit
300 Japanese web sites were short-listed for attack on a message board of Chinese hacktivist group Honker Union
Tomi Engdahl says:
Cloud Will Save U.S. Government Billions, But Security Concerns Persist
http://www.cio.com/article/716551/Cloud_Will_Save_U.S._Government_Billions_But_Security_Concerns_Persist?page=1&taxonomyId=3024
New study finds that government agencies can net substantial savings by moving mission-critical applications to the cloud, but security remains a top concern.
In a new survey of federal IT managers, MeriTalk, an online community dedicated to government technology, charted the progress of agencies that have been shifting “mission-critical” applications to the cloud.
Respondents flagged security as a chief area of concern in migrating to the cloud, with 73 percent indicating that issues such as data vulnerabilities and threat vectors are a primary barrier in shifting mission-critical apps to the cloud.
Following on the “cloud-first” policy the Obama administration promulgated in 2010, the General Services Administration has recently been soliciting feedback from industry and government members for a program that would enlist cloud brokers to assist federal agencies with the transition of their systems and applications to private-sector providers.
the government could save $16.6 billion
But the government’s drive to the cloud, with all of its promised cost and efficiency benefits, has been slowed by significant obstacles.
“Transitioning legacy, mission-critical applications to the cloud is not a forklift exercise — in many cases it’s more like an organ transplant,” MeriTalk founder Steve O’Keeffe said in a statement, noting the respondents’ preference of a private cloud over the public and hybrid alternatives. “With the complexity and security concerns, it’s not surprising many agencies want a private room.”
Tomi Engdahl says:
Oil and gas giants’ PCs polluted by new cyber-spy Trojan
Advanced Persistent Threat ‘Mirage’ group is back
http://www.theregister.co.uk/2012/09/21/mirage_cyberespionage_campaign/
Hackers bent on espionage have infiltrated a large oil company in the Philippines, an energy biz in Canada and a military organisation in Taiwan among others, claim researchers.
The crooks also targeted other as yet unidentified businesses in Brazil, Israel, Egypt and Nigeria, according to the preliminary results of a probe by Dell SecureWorks. The researchers have been tracking the hackers’ so-called Mirage campaign for about five months since April.
Victims are simply tricked into executing the files, at which point the malicious software installs itself and phones home with the specifications of the infected computer.
Tomi Engdahl says:
Network will be a war zone
Jarno Limnell from Stonesoft estimates that the war moves to the next few years more and more to cyber-world.
“I’m absolutely. I believe it, “he says seriously in Stonesoft’s Helsinki office.
In Finland, the issue has not yet woken up enough, but the risks are there. Information technology is increasingly driven by the activities of the physical world. For example, trains, access control, and power stations are completely it’s dependent on IT.
Limnell believes that Finland should have the ability to make a launch cyber-attacks. The mere defense is not enough. According to him, the ability of their own is not the same as using it. “But, of course, in some cases, attack is the best defense,” says Limnell.
Source: http://www.tietoviikko.fi/kaikki_uutiset/verkosta+tulee+sotatanner/a841198?s=r&wtm=tietoviikko/-24092012&
Tomi Engdahl says:
Top Security Threats and Attackers by Country
http://www.incapsula.com/the-incapsula-blog/item/397-top-security-threats-and-attackers-by-country
Most internet security studies show that the countries that produce the most malicious traffic are typically The United States, China, Brazil, Germany, recently joined by India. This should not really be any surprise because these are the most populated countries and the more people and PCs you have, the more attack traffic, on average, you are going to produce.
The study shows that Server Take Over attempts are by far the most common attack objective (yielding total control of the server and further repurposing for other criminal activity).
Tomi Engdahl says:
Finland could be a security business haven. The telecom experts do not just want to find that line of work. This year security sector is lacking about 600 people. Almost every other engineer could be completed in the next few years employed directly in the industry.
- This is the so-called Nokia cluster is currently several thousand people free. Those people are now trying to find ones that interest in information security, Viitasaari says.
- Size in Finland annually are now talking about 500 to 600 people in whole Finland. I think the number is increasing by about one thousand, Kotilainen said.
Nordic region’s largest field of information security consulting firm Nixu Timo Kotilainen says that only 130 persons in their ranks needed over the next year 30 people more.
Claims based upon the EU Commission’s assessment that in 2015, the ICT sector has employed up to 700 000 intellectual deficit. Security companies seek to where labor is.
Source: http://yle.fi/uutiset/tietoturva-ala_kukoistaisi_suomessa__tekijat_vain_puuttuvat/6306229
Tomi Engdahl says:
According to IBM, this year 2012 is coming from security breaches viewpoint, the worst year since 1997. X-Force security unit semi-annual report shows that the beginning of the year to the discovery of more than 4,400 openings and is a growing trend. If the same rate continues, this year revealed more weaknesses than the previous record set in 2010.
Major software vendors patching pace has improved, but on the other hand, almost half of this year, revealed gaps are still without fixes.
SQL injections are still the most common attack technology, even if the number is on the decline.
Number of cross-site scripting attacks (XSS) is increasing (over half of web applications attacks made this year use XSS).
Spam and phishing are at a relatively low level.
The security problems are more and more related to interconnected systems systems, lax enforcement of security policies and human error.
Source: http://www.tietoviikko.fi/kehittaja/ibm+ennustaa+tietoturvaaukkojen+huippuvuotta/a841773?s=r&wtm=tietoviikko/-25092012&
Tomi Engdahl says:
U.S. Senators call for executive order to boost cybersecurity of nation’s critical infrastructure
Posted on 9/19/2012
http://www.cablinginstall.com/index/blogs/blog-display/blogs/cim-blogs/cabling-blog/post987_8061742683253310503.html
United States Senators Richard Blumenthal (of Connecticut) and Chris Coons (of Delaware) have written a letter to President Barack Obama requesting that he issue an executive order dealing with cybersecurity. In a press release, Senator Blumenthal’s office explained that he and Senator Coons “were part of a bipartisan effort to build consensus on critical infrastructure provisions of the Cybersecurity Act of 2012,” and said that an executive order could “begin addressing the urgent need to improve the cybersecurity capabilities of the nation’s critical infrastructure.”
The letter to President Obama states, “the failure of Congress to act should not prevent the executive branch from taking available steps to counter the enormous and growing cyber threat,”
Tomi Engdahl says:
Facebook flooded with complaints after messages ‘bug’
Facebook has been flooded with complaints from users who say some of their old private messages have been re-published publicly on the social network.
However, Facebook denied that there had been a privacy breach and claimed the messages were old public messages that were being reposted because of a bug.
Some users said that messages they had sent privately on the social network between 2007 and 2009 were being republished into their public timelines on the site.
Facebook has recently added a new feature that shows members of the site their search history and lets them delete searches they do not want Facebook to retain.
Facebook agreed to turn off the feature in Europe. The feature has long been controversial and was turned on by default last year, meaning that users who did not want to be identified would have to opt out.
Source: http://www.telegraph.co.uk/technology/facebook/9563855/Facebook-flooded-with-complaints-after-messages-bug.html
Tomi Engdahl says:
Schneier: We Don’t Need SHA-3
http://it.slashdot.org/story/12/09/25/0259239/schneier-we-dont-need-sha-3
The problem is, he doesn’t think that the world needs a new hash function standard at all. SHA-512, the stronger version of the SHA-2 function that’s been in use for more than a decade, is still holding up fine, Schneier said, which was not what cryptographers anticipated would be the case when the SHA-3 competition was conceived.
‘I expect SHA-2 to be still acceptable for the foreseeable future’
Tomi Engdahl says:
Book Review: Digital Forensics For Handheld Devices
http://books.slashdot.org/story/12/09/24/1816228/book-review-digital-forensics-for-handheld-devices
“Today’s handheld device is the mainframe of years past. An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power entire data centers had some years ago. With billions of handheld devices in use worldwide, it is imperative that digital forensics investigators and others know how to ensure that the information contained in them, can be legally preserved if needed.”
The notion of digital forensics is seize it, examine it and then prepare it for evidence in court. In Digital Forensics for Handheld Devices, you found out how to do just that.
Tomi Engdahl says:
Update: Facebook Confirms No Private Messages Appearing On Timeline. They’re Old Wall Posts.
http://techcrunch.com/2012/09/24/reports-facebook-users-seeing-private-messages-pre-2009-showing-up-on-timelines-as-posted-by-friends/
Some Facebook users were alarmed this morning when it appeared that private messages written in 2009 and earlier were showing up on viewable Timelines as messages “Posted by friends.”
Facebook also says in no uncertain terms that there is absolutely no privacy bug. What people are seeing are old Wall postings, not private messages.
The reason that this became an issue today may be because of Timeline’s global rollout. The first cases of people being worried about the potential exposure of old messages came from France
But worry not, and make sure your friends know the truth. No private Facebook messages have leaked.
Tomi Engdahl says:
Crime-attack on TLS (HTTPS):
Vulnerable TLS compression is supported on many websites, but only the browsers Chrome and Firefox use it. It is the vulnerability of the disabled in the latest versions, so users should make sure that you have the latest version of the browser.
Cert-fi vulnerable lists :
TLS 1.2 and previous versions
Chrome prior to version 21.0.1180.89
Firefox prior to version 15.0.1
GnuTLS (TLS compression is not enabled by default)
Apache 2.x series (ModSSL)
Web services administrators may want to turn TLS compression support off.
Source: http://www.tietokone.fi/uutiset/nettiliikenteen_salausmenetelmaa_vastaan_hyokataan
Tomi Engdahl says:
Careful, Android users, your phone can have a nasty hole
Several manufacturers of Android phones have found a serious vulnerability that allows malicious attacker can at worst destroy the data on resetting the phone. Fortunately, the problem is corrected.
The problem is the software that makes calls call, which can be connected to the control code commands directly to a text message or a web link to the form.
The problem affects all Android’s latest versions.
Fortunately, users can circumvent the vulnerability by changing the phone call software.
Source: http://www.tietokone.fi/uutiset/varovasti_android_kayttaja_puhelimessasi_voi_olla_ilkea_aukko
Tomi Engdahl says:
Data breach at IEEE.org: 100k plaintext passwords.
Using the data to gain insights into the engineering and scientific community
http://ieeelog.com/
IEEE suffered a data breach which I discovered on September 18 (UPDATE: the breach is now confirmed).
The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery.
Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. Separately, spectrum.ieee.org visitor activity is also publicly available.
The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone
On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total).
Web server logs should never be publicly available, since they usually contain information that can be used to identify users
If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome.
Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake. Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring or intrusion detection) could pose a threat to the privacy of users.
IEEE notifies members of the breach and informs them to change their passwords.
http://ieeelog.com/ieee-confirmation/
Tomi Engdahl says:
Summer cyber institute a success
http://www.controleng.com/single-article/summer-cyber-institute-a-success/7243923e716e4f2f62c5492f2dd8fb60.html
As a student there is nothing better than hands on training and that is just what graduate students pursuing careers in cyber security got as they worked alongside Sandia and other prominent experts in a weeklong summer institute sponsored by Sandia National Laboratories at the Livermore, Calif., Valley Open Campus.
“Having worked in cyber defense for many years and with multiple federal government customers, Sandia is well-versed in the deep technical questions and tools being developed to counter the cyber terrorism threat,”
students chose one of the following focus areas:
Assured Sharing: Post-WikiLeaks Era Tensions in National-Security Information Sharing and Safeguarding
Public-Private Sector Responsibilities and Legal Issues in Our Nation’s Cyber Defense
Trusted Digital Systems Designed with Field-Programmable Gate Arrays
Tomi Engdahl says:
American Banks Undamaged by Cyberattacks
http://bits.blogs.nytimes.com/2012/09/26/american-banks-undamaged-by-cyberattacks/
Bank of America, JPMorgan Chase, Citigroup, U.S. Bancorp and PNC have been hit by a wave of cyberattacks that have caused Internet blackouts and delays on online banking sites.
The banks have been targeted with distributed denial of service or DDoS attacks, in which hackers barrage a Web site with traffic, causing it to slow or collapse under the load. Such attacks, while a nuisance, are not technically sophisticated and typically do not affect a company’s computer network — or, in this case, funds or customers’ bank accounts.
A hacker group, which calls itself the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks in an online post to Pastebin, a Web site hackers frequently use to publicize attacks.
Last week, Bank of America, JPMorgan and Citigroup customers all experienced delays and intermittent failures on the banks’ sites. On Tuesday, Wells Fargo’s online banking site also periodically fell offline.
“The issues, indeed, are related to what we would call an unusual amount of coordinated, high-volume traffic that has slowed down the system very similar to what other banks have experienced,” Mr. Joyce said. “These attacks were designed to slow the customer experience but their funds and data are secure.”
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said that in this case, the attack methods used were “pretty basic,” which raised doubts about whether the attacks were state-sponsored.
He added that if the attacks were not the work of Iran’s government, the state would still be aware of them.
Tomi Engdahl says:
US calls Assange ‘enemy of state’
http://www.smh.com.au/opinion/political-news/us-calls-assange-enemy-of-state-20120927-26m7s.html
THE US military has designated Julian Assange and WikiLeaks as enemies of the United States – the same legal category as the al-Qaeda terrorist network and the Taliban insurgency.
Declassified US Air Force counter-intelligence documents, released under US freedom-of-information laws, reveal that military personnel who contact WikiLeaks or WikiLeaks supporters may be at risk of being charged with “communicating with the enemy”, a military crime that carries a maximum sentence of death.
“communicating with the enemy, 104-D”, an article in the US Uniform Code of Military Justice that prohibits military personnel from “communicating, corresponding or holding intercourse with the enemy”.
US Vice-President Joe Biden labelled Mr Assange a “high-tech terrorist” in December 2010 and US congressional leaders have called for him to be charged with espionage.
“It appears that Julian Assange and WikiLeaks are the ‘enemy’. An enemy is dealt with under the laws of war, which could include killing, capturing, detaining without trial, etc.”
Tomi Engdahl says:
Vandals break into congressman’s office, install Linux on PCs
http://www.theregister.co.uk/2012/09/26/vandals_install_linux_on_congressman_office_computers/
A US congressmen has been left incensed after miscreants installed Linux on computers at his campaign office, possibly thrashing some data in the process.
Michael Grimm, a Republican who represents a district in New York covering Staten Island and parts of Brooklyn, has slammed the weekend break-in to his offices on as a “politically motivated” crime
Police sources told the New York Daily News that in the absence of evidence of forced entry to Grimm’s campaign headquarters, the case is being investigated as an act of criminal mischief rather than a burglary.
Tomi Engdahl says:
Got a data security policy? Chances are your IT bods don’t know it
Most data-blurt blunders are internal cockups, not hacks
http://www.theregister.co.uk/2012/09/27/it_staff_half_do_not_know_about_data_security_policies_of_employer/
Advisory firm Forrester Research questioned 2,383 IT workers from five countries for a report called Understand The State Of Data Security And Privacy: 2012 To 2013, but only 56 per cent of those surveyed in North America and Europe said that they were aware of their employers’ current data security policies, according to a media reports.
“It’s not simply just a matter of having the appropriate tools and controls in place,” the Forrester paper said, according to a report by PC World. “It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies.”
“Consider employee awareness to be another layer of security, and realize that educating employees is also internal PR outreach for the security group,” Forrester Research analyst Heidi Shey wrote in the paper, according to a report by Security Week.
The Forrester report also outlined that the majority of data breaches the survey respondents experienced in the last 12 months were caused by company employees. Only 25 per cent of the data breaches stemmed from actions by external attackers, according to a report by PC World.
“Given all the media attention on data and privacy breaches, hacking, and advanced persistent threats today, it’s easy to assume that all the major threats to your organisation come from external actors,”
Tomi Engdahl says:
Many Android phones are vulnerable to attack that can deactivate the SIM card.
The attack could be carried out by attracting user to open the telephone up a website, which would have a harmful code. The site could be, for example ten iframe, which should contain a pin code to change mmi code wrong puk code with.
Security researcher Collin Mulliner estimates that the vulnerability can be implemented in most Android phones, as it is a standardized SIM card function and not a proprietary feature.
Samsung has announced it has taken remedial vulnerability Galaxy S III mobiles
Source: http://m.tietoviikko.fi/Uutiset/Nettisivu+voi+tappaa+Android-puhelimen+sim-kortin
Tomi Engdahl says:
Inappropriate Use of Adobe Code Signing Certificate
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
We recently received two malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate. The discovery of these utilities was isolated to a single source.
We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate. This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh.
The first malicious utility we received is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll.
Our forensic investigation is ongoing. To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities.
Tomi Engdahl says:
Adobe to revoke code signing certificate
http://news.cnet.com/8301-1009_3-57521794-83/adobe-to-revoke-code-signing-certificate/
Adobe takes action after finding malware signed with the Adobe certificates.
“The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware,” Arkin added. There is no evidence at this time that “any other sensitive information — including Adobe source code or customer, financial or employee data — was compromised.”
Tomi Engdahl says:
Smart-Grid Control Software Maker Hacked
http://it.slashdot.org/story/12/09/27/2144220/smart-grid-control-software-maker-hacked
“Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent’s core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.”
Tomi Engdahl says:
Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/
In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.
The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.
“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by KrebsOnSecurity.com. “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”
Tomi Engdahl says:
10K Reasons to Worry About Critical Infrastructure
http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.
Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems (ICSes) — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.
“Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said last week at the S4 conference, which focuses on the security of Supervisory Control and Data Acquisition systems (SCADA) that are used for everything from controlling critical functions at power plants and water treatment facilities to operating the assembly lines at food processing and automobile assembly plants.
“Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected,” Leverett said. But how do they know?
To debunk the myth that industrial control systems are never connected to the internet, Leverett used the SHODAN search engine developed by John Matherly, which allows users to find internet-connected devices using simple search terms.
Leverett found 10,358 devices connected through a search of two years worth of data in the SHODAN database. He was unable to determine, through his limited research, how many of the devices uncovered were actually working systems
Tomi Engdahl says:
Electronic Surveillance By US Law Enforcement Agencies Rising Steeply
http://yro.slashdot.org/story/12/09/28/0251214/electronic-surveillance-by-us-law-enforcement-agencies-rising-steeply
“According to data obtained by the American Civil Liberties Union (ACLU), surveillance of emails and other forms of Internet communications without warrants has increased substantially over the last two years.”
Tomi says:
The most dangerous cyber criminals come from Eastern Europe according to security company Trend Micro
East Asians hackers often use zero-day vulnerabilities and phishing to attack, but then rely on the simple side programs and third-party tools to maintain the attack and get deeper in the network.
Eastern Europeans work just the opposite: they use other tools built specifically for the intrusion, but build a customized malware to get to final goal. The malware they create is usually used on a small scale. Eastern European hackers are working in small teams, make precise attacks and try to hide their identity.
East Asians are “cybersoldiers” who do not really care, even if their identity revealed. Their goal is usually to get access to trade secrets or steal sensitive information from companies and government agencies.
Source: http://www.tietoviikko.fi/kaikki_uutiset/vaarallisimmat+verkkorikolliset+tulevat+itaeuroopasta/a841767?s=r&wtm=tietoviikko/-28092012&
Tomi Engdahl says:
Severe Apple Maps Oversight Threatens National Security
http://sosyalmedya.co/en/apple-maps-national-security/
Apple’s clumsy attempt at creating a reliable mapping service, which went live with iOS 6 last week, met with such widespread criticism that the blogosphere is now full of comments from users who think the service isn’t so bad after all, because, well, it can locate 5th Avenue. Not the kind of compliment Cupertino fishes for.
That Apple rushed the half-baked service and put its own interest before those of its users is bad enough
How can the fruity company infringe national security? Simple. Apple Maps displays highly sensitive satellite information in Turkey, like a very clear view of all the installations on a maximum security prison island that houses a single high-profile inmate: Abdullah Öcalan.
Since Yandex got into trouble with the army just this week for displaying street view shots of widely known and public military buildings, it is naive to hope that this will just fly over for Apple.
Tomi Engdahl says:
Sloppy security? Apple and Nokia conceal fewer sensitive sites than Google Maps
http://www.theverge.com/2012/9/28/3417234/apple-maps-military-security-satellite-images-google-nokia-comparison
iOS 6 Maps is the most transparent of the three — but is that a good thing?
Imrali Island, Turkey
Imrali Island is a designated Military Forbidden Zone, meaning that anyone sketching, mapping, or shooting high-quality photography of the area could be subject to a hefty fine or even imprisonment
Apple’s images, however, are extremely detailed
Turkish site Sosyalmedya claiming that Apple was putting the country’s national security at risk by providing highly detailed satellite imagery of a maximum security prison on Imrali island.
Minamitorishima, Japan
The island of Minamitorishima is hugely important to Japan.
Minamitorishima is used as a small military airport, and the only non-military personnel allowed ashore are members of Japan’s meteorological agency.
Apple’s maps provide an unusually detailed view that looks more like military photography than anything else.
Aberdeen proving ground, Maryland, US
Both Nokia and Apple’s maps are again very clear; where Google displays a landscape dominated by deep, circular gashes, its competitors show a forest neatly segmented by roads. Phillips is almost pixel-perfect, and aviation enthusiasts will likely be able to identify the aircraft parked by the runway.
NATO Airbase, Geilenkirchen, Germany
This airbase is an essential part of NATO’s airborne early warning and control system.
Tomi Engdahl says:
Sheriff looks to lock down open Internet connections
http://journalstar.com/news/local/crime-and-courts/sheriff-looks-to-lock-down-open-internet-connections/article_3a98d107-05c6-5a11-8d09-8769e6e7dacd.html
Deputies are trying to nip online scams in the router.
The Lancaster County Sheriff’s Office has seen an increase in scammers using unsecured Wi-Fi connections to steal identities and mask their crimes during the past six months, Sheriff Terry Wagner said.
Wireless Internet connections that don’t require passwords can be open invitations to criminals, his office said.
So deputies spent the past few weeks finding unsecure connections and sending 40 to 50 letters to let people know about the potential dangers of strangers accessing their network connections.
“You’re just opening yourself up for a series of potential pitfalls,” Chief Deputy Jeff Bliemeister said.
Tomi Engdahl says:
PlaceRaider Builds a Model of Your World With Smartphone Photos
http://tech.slashdot.org/story/12/09/30/1321210/placeraider-builds-a-model-of-your-world-with-smartphone-photos
PlaceRaider, a trojan that can run in the background of any phone running Android 2.3 or above,
PlaceRaider quietly takes pictures at random that are tagged with the time, location, and orientation of the phone while muting the phone’s shutter sound. Once pictures are taken, PlaceRaider uploads them to a central server where they are knitted together into a 3D model of the indoor location where the pics were taken. A malicious user can then browse this space looking for objects worth stealing and sensitive data
Tomi Engdahl says:
Homeland Security Secretary Janet Napolitano says she doesn’t use email
http://www.nydailynews.com/news/politics/homeland-security-secretary-janet-napolitano-email-article-1.1170915
The woman in charge of U.S efforts to make email secure doesn’t use it herself.
“I don’t have any of my own accounts,” she told a cybersecurity conference hosted by National Journal. “I’m very secure.”
“You can’t get in trouble for something you wrote in an email if you never use email,” Weismann said.
Tomi Engdahl says:
Hackers break onto White House military network
Spear phish hits ‘unclassified’ presidential system
http://www.theregister.co.uk/2012/10/01/white_house_hack/
Hackers reportedly attempted a brazen attack on a White House military network in charge of the president’s nuclear football.
US officials familiar with the incident said unidentified hackers launched an attack early last month on the network used by the White House Military Office (WHMO), an military office in charge of sensitive communications, including systems to send and authenticate nuclear strike commands.
An unnamed Obama national security official said: “This was a spear phishing attack against an unclassified network.”
Rob Rachwald, director of security strategy at Imperva, said the attempted attack should nonetheless act as a wake up call.
“Yet again traditional security software has failed to keep the bad guys out. Enterprise needed to assume that they have been compromised which means we need to detect abnormal access to data and Intellectual Property. This is yet another example of why we need to rethink the current security model and implement a new one that puts cameras on sensitive information.”
Tomi Engdahl says:
FireEye: Silicon Valley’s Hottest Security Start-up
http://www.forbes.com/sites/petercohan/2012/05/24/fireeye-silicon-valleys-hottest-security-start-up/
You wouldn’t get too far trying to drive by looking in the rear view mirror. But since they compare incoming network traffic to a database of previously detected malware, that’s what most companies do when it comes to protecting their computer networks from organized cyber-criminals.
Security today is based on signature-based and pattern-matching technology that today’s sophisticated cyber-criminals can easily outsmart. The offense, the cyber-criminals, has essentially outpaced the defense, which is why there are so many high profile cyber-attacks.
FireEye has an ingenuous way of detecting and preventing attacks the likes of which have never happened before. Ashar Aziz, founder and CEO explained to me that FireEye developed a “portfolio of appliances” based on a so-called virtual execution environment.
There FireEye can safely detonate the Advanced Persistent Threats (APTs) that cyber-crooks cook up. As a result, malicious programs despoil these virtual environments so system administrators can block or quarantine them without endangering the corporate network.
Aziz claims that FireEye’s product pays for itself in less than 24 hours because it makes companies aware of attacks that their existing security products miss.
And in competition with other products, companies test the FireEye product by installing it behind their firewalls and other security products.
Aziz claims that FireEye wins these bake offs “over 99% of the time” since it find threats that all the other products miss. He points out that the median number of attacks it finds that have evaded all other traditional security is a “staggering 450 per week.”
FireEye has a compelling business model. It sells an appliance for between $15,000 and $120,000. And companies also buy a support and maintenance contract priced at between 18% and 20% of the cost of the appliance.
Tomi Engdahl says:
White House Hack Attack
Chinese hackers break in to White House military office network in charge of the president’s nuclear football
http://freebeacon.com/white-house-hack-attack/
Hackers linked to China’s government broke into one of the U.S. government’s most sensitive computer networks, breaching a system used by the White House Military Office for nuclear commands, according to defense and intelligence officials familiar with the incident.
One official said the cyber breach was one of Beijing’s most brazen cyber attacks against the United States and highlights a failure of the Obama administration to press China on its persistent cyber attacks.
Disclosure of the cyber attack also comes amid heightened tensions in Asia, as the Pentagon moved two U.S. aircraft carrier strike groups and Marine amphibious units near waters by Japan’s Senkaku islands.
An Obama administration national security official said: “This was a spear phishing attack against an unclassified network.”
Spear phishing is a cyber attack that uses disguised emails that seek to convince recipients of a specific organization to provide confidential information. Spear phishing in the past has been linked to China and other states with sophisticated cyber warfare capabilities.
The official described the type of attack as “not infrequent” and said there were unspecified “mitigation measures in place.”
Details of the cyber attack and the potential damage it may have caused remain closely held within the U.S. government.
However, because the military office handles strategic nuclear and presidential communications, officials said the attack was likely the work of Chinese military cyber warfare specialists under the direction of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA.
It is not clear how such a high-security network could be penetrated. Such classified computer systems are protected by multiple levels of security and are among the most “hardened” systems against digital attack.
However, classified computer systems were compromised in the past using several methods. They include the insertion of malicious code through a contaminated compact flash drive; a breach by a trusted insider, as in the case of the thousands of classified documents leaked to the anti-secrecy web site Wikileaks; and through compromised security encryption used for remote access to secured networks, as occurred with the recent compromise involving the security firm RSA and several major defense contractors.
Former McAffee cyber threat researcher Dmitri Alperovitch said he was unaware of the incident, but noted: “I can tell you that the Chinese have an aggressive goal to infiltrate all levels of U.S. government and private sector networks.”
“The White House network would be the crown jewel of that campaign so it is hardly surprising that they would try their hardest to compromise it,” said Alperovictch, now with the firm Crowdstrike.
Tomi Engdahl says:
Google Warns of New State-Sponsored Cyberattack Targets
http://bits.blogs.nytimes.com/2012/10/02/google-warns-new-state-sponsored-cyberattack-targets/
In June, many Google users were surprised to see an unusual greeting at the top of their Gmail inbox, Google home page or Chrome browser. “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.”
On Tuesday, tens of thousands more Google users will begin to see that message. The company said that since it started alerting users to malicious — probably state-sponsored — activity on their computers in June, it has picked up thousands more instances of cyberattacks than it anticipated.
Mike Wiacek, a manager on Google’s information security team, said in an interview on Tuesday that since Google started to alert users to state-sponsored attacks three months ago, it had gathered new intelligence about attack methods and the groups deploying them. He said the company was using that information to warn “tens of thousands of new users” that they may have been targets, starting on Tuesday.
Tomi Engdahl says:
Arduino, resistor, and barrel plug lay waste to millions of hotel locks
http://hackaday.com/2012/07/25/arduino-resistor-and-barrel-plug-lay-waste-to-millions-of-hotel-locks/
The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid.
The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption used to obfuscate this kind of attack.
Tomi Engdahl says:
NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition
http://www.nist.gov/itl/csd/sha-100212.cfm
The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.
The winning algorithm, Keccak (pronounced “catch-ack”), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors.
The NIST team praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices.
Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.
“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”
What then will SHA-3 be good for? While Polk says it may take years to identify all the possibilities for Keccak, it immediately provides an essential insurance policy in case SHA-2 is ever broken.
Tomi Engdahl says:
Authentication Implications in Uniquely Identifiable Graphics Cards
http://threatpost.com/en_us/blogs/authentication-implications-uniquely-identifiable-graphics-cards-100212
Researchers working on the “physically unclonable functions found in standard PC components (PUFFIN) project” announced last week that widely used graphics processors could be the next step in online authentication.
Known as physically unclonable functions (PUF), the identifiable characteristics are uncontrollable products of the manufacturing process.
The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors
Kenneth Hermes says:
Blame is a sluggish mans wages.
Tomi Engdahl says:
MegaDroid: 300,000 Androids clustered together to study network havoc
520-node cluster uses x86 build of Android 4.0 on $500,000 worth of hardware.
http://arstechnica.com/information-technology/2012/10/megadroid-300000-androids-clustered-together-to-study-network-havoc/
Anyone who builds an Android app knows that testing on real devices is important. But what if instead of testing on one device at a time, you could test 300,000?
Enter MegaDroid. A project of the US government’s Sandia National Laboratories in California, the aptly named MegaDroid has linked 300,000 Android virtual machines together in a testbed for studying all kinds of network disruptions. Researchers could use MegaDroid for anything they can dream of, but the lab says it envisions projects that seek to “understand and limit the damage from network disruptions due to glitches in software or protocols, natural disasters, acts of terrorism, or other causes.”
MegaDroid, unveiled on Tuesday, is the third in a series of such projects. The first was MegaTux, which booted 1 million Linux kernels as virtual machines in 2009, and MegaWin, which did the same with 100,000 Windows XP and Windows 7 instances. Fritz and team would like to extend the Mega- projects to iOS, but that would require some cooperation on Apple’s part.
For MegaDroid, Sandia built a cluster on 520 nodes, each one a quad-core Intel Core i7 processor (Sandy Bridge) with 12GB RAM (and no disk storage), and a Gigabit Ethernet network.
MegaDroid uses an x86 build of Android 4.0, running on qemu-kvm virtual machines.
With GPS interfaces, researchers can feed the Android virtual machines “cooked” mapping data, to emulate hundreds of thousands of people walking around a city. With SMS, “We can actually text the cluster, and the cluster will route the SMS message over an SMS radio we’ve written to the individual VMs and they respond,” Fritz said.
The cluster isn’t in a classified area of Sandia, and may possibly be made available to researchers from outside the lab. But the surest way of the public getting access to MegaDroid capabilities is to get the source code.
Tomi Engdahl says:
Today in Europe there is a broad international effort to combat against network attack. This is only a simulated attack, known as Cyber Europe 2012. The exercise is organized by EU countries in concert with, and is attended by more than 300 network information security professionals from all over Europe.
A similar exercise was carried out in 2010, but this one is much more versatile, broader and more complex.
Source: http://www.tietokone.fi/uutiset/verkkohyokkayksen_torjunnasta_tanaan_laaja_harjoitus
Tomi Engdahl says:
NetFlow Analysis Helps Understand and Protect Distributed Networks
http://rtcmagazine.com/articles/view/102768
The ability to collect and analyze metadata on network traffic is helping administrators achieve better security as well as understand how their networks are performing so that they can maximize efficiency.
What’s going on with your network? No, what’s really going on?
An existing but not yet fully appreciated technology called NetFlow, originally developed by Cisco, can be used to collect data about network traffic and subject it to analysis for network administrators and security personnel to better monitor and understand network traffic.
NetFlow consists of metadata about network traffic that is generated by routers and switches that support it and on which it has been enabled. The routers export the NetFlow data in small messages using UDP, and it can then be collected and stored by means of a NetFlow collector and then subjected to analysis using various tools.
Most of the newer routers and switches support NetFlow. NetFlow records contain, among other information, source and destination IP addresses, source and destination port IDs, start and stop times, and the number of packets and bytes. Some of the newer versions also report things like user IDs. NetFlow takes place in the background so that users are unaware of it.
One example of the kinds of collection and analysis tools is the Scrutinizer product from Plixer.
Dozens of NetFlow collectors can be distributed and used to analyze enterprise wide traffic from a central location across thousands of interfaces if need be.
A number of flow analytic algorithms are supplied to help detect malicious traffic patterns such as network scans and unwanted protocols. In addition, the user can set up their own algorithms to look for security problems.
Free NetFlow tools:
http://www.networkuptime.com/tools/netflow/
Janetta Canner says:
There are certainly plenty of details like that to take into consideration. That could be a great level to carry up. I provide the thoughts above as basic inspiration however clearly there are questions like the one you convey up the place crucial factor can be working in trustworthy good faith. I don?t know if finest practices have emerged around issues like that, but I am sure that your job is clearly recognized as a fair game. Each girls and boys feel the influence of only a moment’s pleasure, for the remainder of their lives.
Tomi says:
Swedish sites hit by new wave of cyber attacks
http://www.thelocal.se/43588/20121003/
Computer hackers claiming to be from the Anonymous network took over the official website of Sweden’s National Board of Health and Welfare (Socialstyrelsen) on Tuesday night, leaving a profane message for anyone who visited the site.
The attack was carried out by “Anonymous”, the hacktivist group which has previously claimed responsibility for cyber attacks against Sweden and which on Tuesday issued a video warning of new attacks.
On Monday, a series of Distributed Denial of Service (DDOS) attacks occurred in Sweden which paralyzed the websites of several banks, Sweden’s main news agency TT, as well as a number of Swedish government agencies.
“If those who lie behind the attack have decided to bring a website down, then it’s going down. The challenge is to shorten the time the side is down by filtering and softening the attack,” he told the TT news agency.
Hansson’s agency is currently attempting to inform companies and government agencies about the threat of potential attacks.
Tomi says:
Criminals hijacked 4500000 routers
Serious software error made in Brazil from 4.5 million broadband router security breach on the victims. Criminals were due to a bug in control of all traffic that is passed through the devices.
What was done:
- malware installed to user computers
- online banking details stolen
- users were directed to fake Google and Facebook pages to get username and password for those services
The first evidence of attacks came in 2011. Their seriousness, however, come to find out only now
The criminals took advantage of the cases the so-called-CSRF attacks (cross-site request forgery), in which the victim’s browser to send a forged web application request.
Bug allows attackers were able to bypass the check-in to the router and modify the DNS server settings.
Source: http://www.tietoviikko.fi/kaikki_uutiset/rikolliset+kaappasivat+45+miljoonaa+reititinta/a844660
Tomi Engdahl says:
Tablet security study finds BlackBerry still good for something
iPad, Samsung Galaxy Tab and PlayBook face off in BYOD probe
http://www.theregister.co.uk/2012/10/05/tablet_security_audit/
A technology audit has identified security failings in three of the most popular tablets, raising concerns about the security implications of allowing workers to use their personal technology at work.
A study by Context Information Security looked at Apple’s iPad, Samsung’s Galaxy Tab and RIM’s BlackBerry PlayBook, and concluded the Samsung device was the least enterprise-ready of the trio. While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies – including desktop software that fails to encrypt backups by default.
The BlackBerry was the only device of the three found to provide good separation between personal and work data, something that ought to be a key feature in supporting the growing trend of Bring Your Own Device (BYOD).
We can’t stop BYOD
Jonathan Roach, principal consultant at Context and author of the report, concludes that even though security controls are easier to apply on traditional desktops and laptops, the trend towards allowing working to bring their own devices into work is unstoppable.
“Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”
Tomi Engdahl says:
Europe joins forces in massive simulated cyber attack
http://www.net-security.org/secworld.php?id=13726
Hundreds of cyber security experts from across the EU are testing their readiness to combat cyber-attacks in a day-long simulation across Europe today.
In Cyber Europe 2012, 400 experts from major financial institutions, telecoms companies, internet service providers and local and national governments across Europe are facing more than 1200 separate cyber incidents (including more than 30 000 emails) during a simulated DDoS campaign.
The exercise is testing how they would respond and co-operate in the event of sustained attacks against the public websites and computer systems of major European banks. If real, such an attack would cause massive disruption for millions of citizens and businesses across Europe, and millions of euros of damage to the EU economy.
Cyber incidents are becoming more frequent. In 2011, web-based attacks increased by 36%. A four-fold increase in companies reporting security incidents with a financial impact was reported between 2007 and 2010 (rising from 5% in 2007 to 20% in 2010).