Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Anonymous hacks MIT after Aaron Swartz’s suicide
http://news.cnet.com/8301-1023_3-57563752-93/anonymous-hacks-mit-after-aaron-swartzs-suicide/
Just hours after the Massachusetts Institute of Technology pledged an investigation into its role in events leading up to the suicide of Aaron Swartz, online hacktivist group Anonymous defaced the school’s Web site.
Anonymous outlined its list of goals under a section reservedly labeled “Our wishes:”
Tomi Engdahl says:
Microsoft flings out emergency patch for Iatest gaping IE hole
Monday ‘fun’ for sysadmins
http://www.theregister.co.uk/2013/01/14/ms_emergency_ie_patch/
Microsoft has announced plans to release an out-of-band patch today tackling a critical zero-day hole in Internet Explorer.
The update will almost certainly tackle an unpatched remote-code execution flaw in earlier versions of IE (detailed in Microsoft Security Advisory 2794220) that has become the target of hacker attacks since late December.
For now, Redmond only says the flaw is critical
Several websites have already been compromised to spread malware exploits based on the vulnerability in IE 6,7 and 8. Users could safeguard themselves by either updating to IE 9 and 10 or using an alternative browser.
Microsoft published a temporary FixIt tool to protect against this vulnerability but security researchers found this defence was far from bullet-proof.
Tomi Engdahl says:
India’s tough hacker crackdown: IT security leaflets with every device
Vendors cry foul over packaging problems
http://www.theregister.co.uk/2013/01/14/indian_security_brochure_plan/
India has reportedly concocted a plan to cut down on IT security problems: forcing hardware vendors to include a security awareness brochure with all desktop PCs, mobile phones and USB modems.
The plans were dreamt up to improve the country’s cyber security preparedness, in response to the increasing volume of online threats facing users, according to the Economic Times.
Imported goods would cause particular headaches
Indian web users are certainly being targeted like never before, as increasing broadband penetration married to an expanding middle class means more are getting online, but often without appreciating the security risks.
A 2012 Symantec report found advanced, targeted attacks rose from 77 per day in 2010 to 82 by the end of 2011, with over half hitting SMBs.
While its plans to raise cyber security awareness are well-meaning, the Indian government is not exactly leading by example when it comes to defending its networks.
Over 100 government web sites were hacked in just three months at the beginning of 201
Tomi Engdahl says:
What’s bugging you? Maybe it’s YOUR Cisco PHONE, warns prof
Eavesdrop on calls using VoIP security bug
http://www.theregister.co.uk/2013/01/14/cisco_voip_easily_tapped/
Computer scientists claim security vulnerabilities in Cisco VoIP phones allowed them to eavesdrop on calls and turn devices into bugging equipment.
Ang Cui has demonstrated how malicious code injected into 14 of the networking vendor’s Unified IP Phone models could be used to record private conversations – and not just those held over the compromised telephone itself:
The pair of academics reckon either a complete rewrite of the firmware or a new type of security defence technology is needed.
Cui and Prof Stolfo found the exploitable security weaknesses after analysing the firmware binaries of VoIP phones. The research was part of an attempt to develop security technologies for embedded systems, such as network-connected phones, routers and printers. They christened this prototype technology Software Symbiotes.
The Symbiote runs on the embedded hardware and monitors its host’s behaviour to ensure the device behaves itself and operates as expected. If not, the Symbiote stops the host from doing any harm.
Cui said the Symbiote system could be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars.
Tomi Engdahl says:
Russian investigators have just revealed an extensive network spying mission.
Russian security company Kaspersky Lab reported on Monday to have found a powerful new computer virus they call “Red October”. This virus has been in business since 2007.
The virus collects material secret files particularly in Eastern Europe, but also in the West. The company’s website on the map found in the target countries include Finland, too, but the subject of attack here is not known.
Information phishing has focused on governments, diplomats and research (especially NATO and EU encrypted files).
Source: http://www.iltalehti.fi/digi/2013011416553730_du.shtml
Tomi Engdahl says:
Operation“Red October” map
https://www.securelist.com/en/images/pictures/klblog/208194085.png
Tomi Engdahl says:
EU cyber security agency flags top ten cloud threats
http://www.cloudpro.co.uk/cloud-essentials/5179/eu-cyber-security-agency-flags-top-ten-cloud-threats
Cloud flagged as an attractive target for hackers and useful base for cyber criminals
Tomi Engdahl says:
Dangerous remote Linksys 0-day root exploit discovered
http://www.net-security.org/secworld.php?id=14234
DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers.
Tomi Engdahl says:
Today’s antivirus apps ARE ‘worse at slaying hidden threats’
But they’re not as rubbish as those other researchers said
theregister.co.uk/2013/01/15/anti_virus_test/
The effectiveness of antivirus products has declined, according to tests by German testing outfit AV-Test.org.
AV-Test put 25 antivirus products for home users and eight corporate endpoint protection software applications through their paces in November and December 2012.
Only an average of 92 per cent of the zero-day attacks were blocked during the tests, it said, a result that suggests that one out of 10 malware attacks succeeded. The products were able to clean 91 per cent of the infected systems, however, only 60 per cent could be put back in a condition similar to the pre-infection state, the firm said.
Tomi Engdahl says:
Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices
https://threatpost.com/en_us/blogs/shodan-search-engine-project-enumerates-internet-facing-critical-infrastructure-devices-010913
Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That’s mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States.
It’s not a pretty picture.
The duo, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical, have with some help from the Department of Homeland Security pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses
“The biggest thing is we are trying to assign a number–a rough magnitude–to a problem plaguing the industry for some time now,” Radvanovsky said. “Until you identify the scope of a problem, no one takes steps to change things. We’re doing it on a beer budget; we hope others confirm our results.”
Shodan was created for the purpose of finding servers, routers, network devices and more that sit online. Users can filter searches to find specific equipment by manufacturer, function and even where they’re located geographically. A 2010 advisory on Shodan pointed out that the availability of the search engine greatly reduces the resources attackers require to find these privately owned assets.
Radvanovsky and Brodsky said they built a suite of scripts that includes 600 search terms for equipment built and managed by close to seven dozen manufacturers of SCADA equipment and support systems for SCADA. The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums.
Experts have called the state of SCADA security laughable. Terry McCorkle and Billy Rios presented similar research at the 2012 Kaspersky Lab Security Analyst Summit where they found more than 1,000 vulnerabilities in Internet-facing HMI interfaces that translate SCADA data into visualizations of critical infrastructure. More than 90 of those were exploitable flaws, including SQL injection, buffer overflows and more. They, too, said that SCADA and industrial control system operators, most of whom are privately owned, believe their systems are not connected to the Internet.
ICS-CERT’s fourth quarter report on critical infrastructure security detailed a pair of malware attacks against utilities in the U.S. where USB drives were inadvertently used to spread malware that in one case delayed a plant restart by three weeks. In all, ICS-CERT said there were 198 cyber incidents reported to them in FY 2012 and 41 percent of those against the energy sector.
Tomi says:
Latest Java patch is not enough, warns US gov: Axe plugins NOW
Metasploit boss says Oracle needs TWO years to make everything good
http://www.theregister.co.uk/2013/01/15/avoid_java_in_browsers/
Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability.
The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins.
“Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11],” the US-CERT team said in an update yesterday. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”
Ross Barrett, senior manager of security engineering at Metasploit developers Rapid7, said the update is worth applying but only goes so far: further zero-day security bugs in Java are likely if not inevitable.
“This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed”
remove malware says:
hello admin, great post, But I had to let you know that the nav bar is missing images on the HTC Evo
tomi says:
Thank you for your feedback.
Telecom and networking trends 2013 « Tomi Engdahl’s ePanorama blog says:
[...] The big question is whether companies will see the payback on the needed investment. And there are many security issues that needs to be carefully weighted [...]
Tomi Engdahl says:
January 14, 2013, 9:22PM
Malware Infects Two Power Plants Lacking Basic Security Controls
https://threatpost.com/en_us/blogs/malware-infects-two-power-plants-lacking-basic-security-controls-011413
During the past three months, unnamed malware infected two power plants’ control systems using unprotected USB drives as an attack vector. At both companies, a lack of basic security controls made it much easier for the malicious code to reach critical networks.
In one instance, according to a recent report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), malware was discovered after a power generation plant employee asked IT staff to look into a malfunctioning USB drive he used to back up control systems configurations.
A scan with updated antivirus software turned up three instances of malware, two common and one considered sophisticated.
That discovery prompted a more thorough on-site inspection that revealed “a handful of machines that likely had contact with the tainted USB drive.” This included two of 13 workstations in an engineering bay tied to critical systems.
“Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” according to the report.
Analysts noted the need for operators of the nation’s critical infrastructure networks to follow best practices. In recent years security researchers have tried to draw more attention to SCADA and ICS security (or the lack thereof) as a way of pushing companies, usually privately owned, to invest more resources in protecting their networks from cybercriminal activity.
Tomi Engdahl says:
Malware infects US power facilities through USB drives
ICS-CERT recommends power plants adopt new USB practices
http://www.techworld.com.au/article/446611/malware_infects_us_power_facilities_through_usb_drives/
Two U.S. power companies reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
ICS-CERT recommended that the power facility adopt new USB use guidelines, including the cleaning of a USB device before each use.
In the second incident, a power company contacted ICS-CERT in early October to report a virus infection in a turbine control system
The malware delayed the plant’s reopening by three weeks, the organization said.
Tomi Engdahl says:
DHS Steps In As Regulator for Medical Device Security
http://tech.slashdot.org/story/13/01/17/149245/dhs-steps-in-as-regulator-for-medical-device-security
“The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware”
Tomi Engdahl says:
FDA Should Expand Its Consideration of Information Security for Certain Types of Devices
http://www.gao.gov/assets/650/647767.pdf
In recent years, the design and development of certain active medical devices have become increasingly complex.1 Active implantable medical devices, such as implantable cardioverter defibrillators (defibrillators), and other active devices, such as insulin pumps, use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wireless communication
However, the growing use of wireless capabilities and software has raised questions about how well these devices are protected against information security risks, as these risks might affect devices’ safety and effectiveness.
Information security refers to protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to preserve their confidentiality, integrity, and availability.
Tomi Engdahl says:
“Red October” – part two, the modules
http://www.securelist.com/en/blog/208194091/Red_October_part_two_the_modules
Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.
In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.
Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.
Tomi Engdahl says:
Did ZDI snub your 0-day attack? Packet Storm will buy it for $7k
http://www.theregister.co.uk/2013/01/18/packet_storm_bug_bounty/
Long-running computer security website Packet Storm has launched a bug bounty scheme to reward folks who find and report holes in software. Details of qualifying flaws will eventually be publicly disclosed.
Under the new scheme, contributors will be typically paid anywhere between a few hundred dollars and $7,000 for exploits that enable miscreants to execute arbitrary code on vulnerable systems. Holes uncovered in Adobe Reader, Adobe Flash and Internet Explorer are worth top dollar to the website.
Several vendors including Google, Mozilla, Facebook and PayPal have offered bug bounties for security researchers who find flaws in their products or services. The money is typically paid out once the bugs are identified, fixed and patches rolled out to users.
Security technology vendors such as iDefense and HP TippingPoint’s Zero-Day Initiative (ZDI) also act as middlemen between bug-hunters and big software makers, by offering researchers between $500 and $20,000 for exclusive details of security bugs. This information can be used to warn vendors and corporations of upcoming attacks, using the logic that if one researcher can find the bug and report it then so can hackers.
Buying up vulnerability information also allows, for example, HP TippingPoint’s network defence products to detect and block new or anticipated assaults.
Tomi Engdahl says:
Feds: Infected USB drive idled power plant 3 weeks
http://www.usatoday.com/story/tech/2013/01/16/usb-drive-infected-with-crimeware-shut-power-plant/1840783/
Homeland Security cyber sleuths say ‘crimeware’ found in October. Second plant also hit.
A USB drive tainted with “crimeware” infected a turbine-control system at a U.S. power plant in early October and delayed its restart by three weeks, according to the Homeland Security Department.
Tomi Engdahl says:
Cybercrooks send in Bouncer to guide marks to phishing sites
http://www.theregister.co.uk/2013/01/18/black_hat_phishing_whitelist/
Cybercrooks have begun bundling whitelisting technology with phishing kits in a bid to restrict access to phishing sites to only their intended victims.
The tactic of blacklisting IP addresses associated with security firms from accessing banking fraud sites has been in play for at least a few months now, but a new phishing toolkit called Bouncer goes one step further – restricting access ONLY to prospective marks.
Security analysts at RSA, which discovered the new phishing toolkit, said it has been used to target customers of banks in South Africa, Australia and Malaysia in recent weeks.
Bouncer allows cybercrooks to generate a unique ID for each intended victim, which is embedded in the URL that intended victims are asked to click on in order to visit hijacked sites that serve as phishing scam hubs. Intended victims are redirected to a live site posing as their banking institution, where attempts are made to trick them into handing over their online banking login credentials, while everyone else gets a “404 page not found” error message.
“Traditional phishers like to cast as wide of a net as possible, but with this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt take-downs of such attacks,”
Tomi Engdahl says:
File-Sharing Is Riskier Than You Know
http://inthepersonalcloud.com/2012/11/29/file-sharing-is-riskier-than-you-know/
The sheer ease of file-sharing in 2012 is astounding but what might be even more shocking is the number of people who choose to download files like music and movies illegally.
According to an article from The Guardian, over 43 million people illegally downloaded songs in the UK alone during the first six months of the year. But the landscape overall is still largely unchanged; virtually everything you could possibly think of is available just as quickly and still without cost. File-sharing though seemingly innocuous, is a risky habit that makes you, your personal information and computer or phone susceptible to harm.
Let’s start off with the most obvious thing: malware. A study a few years ago found that nearly 20 percent of files downloaded from the internet, legal and illegal, contain some form of malware.
If you’re using BitTorrent to illegally procure files, you’re possibly opening doors in your system
There’s two more points about file-sharing that get a bit less attention.
running a bunch of torrents, you’re you’re negatively affecting your machine’s performance and leaving less bandwidth for other applications to do important things
Finally, if you’re illegally file-sharing, you might just get busted. It happens and the Recording Industry Association of America and the US judicial system are largely unforgiving.
Tomi Engdahl says:
‘Rogue clouds’ giving IT staffs nightmares
Inefficient storage methods also seen as raising costs in cloud, survey finds
http://www.networkworld.com/news/2013/011613-rogue-clouds-265854.html
Cloud computing is increasingly being adopted by companies around the world, but IT managers say “rogue cloud implementations” in which business managers sign up for services without getting IT approval is among their biggest challenges.
This is according to a survey on avoiding hidden cloud costs that was sponsored by Symantec with interviews and polling done by ReRez, in which some 94% of the 3,236 information-technology managers in 29 countries said their companies either already were using cloud services or discussing how to do so.
“Rogue clouds” occur if sales and marketing people, for example, order up Salesforce.com without bothering to consult IT or set up Dropbox with outside vendors to share sensitive information. It’s happening to three-quarters of those using cloud, according to the survey, and it occurs more in large enterprises (83%) than in small to midsize ones (70%).
“So why are organizations doing it? One in five don’t realize they shouldn’t,”
The report adds they think they’re saving money through “rogue cloud” projects and believe “going through IT would make the process more difficult.”
On top of having to deal with rogue clouds, 43% of IT managers relying on cloud-based services said they had “lost data in the cloud,” meaning they either couldn’t find it or had accidentally deleted it,
This means they had to recover it from a backup, but two-thirds doing this saw recovery operations fail at some point.
Some 61% making use of backup procedures for the cloud use three or more methods to do this, which Elliott said might be too many. One place where inefficient processes clearly seem to be occurring is in cloud storage, which is quick to deploy and you pay only for what you use.
“They’re overprovisioning cloud storage,”
Other points of concern revolve around legal issues, such as requests for electronically stored documents that are demanded for what’s known as “e-discovery” purposes in court or otherwise.
41% said they were simply unable to do it at all and never found the requested information.
Another issue the survey asked about, managing cloud-based SSL certificates, revealed a mixed bag of activity. About a quarter of the IT managers said they thought it was “easy,” but 8% “don’t even try.”
Tomi says:
APT technology (Advanced Persistent Threat) has finally shown it’s face clearly:
June 2010 Stuxnet, Duqu September 2011, May 2012 Flame, January 2013 Rocra – which of these APT technology (Advanced Persistent Threat) developed by spyware and malware should learn?
Year 2013 will start from the perspective of kyberturvallisuuden bleak news of the Russian Kaspersky Lab Security company released the first data “Red October” (Rocra) transmural spy code-named the project and its purposes, drawn up malware ecosystem.
Rocraa technically can not be considered an eye-popping as a result of it would be something really new, space-age technology. On the contrary, even if the whole is very large, however, it is based on a large number of already existing in other attacks on tried and tested technologies, combined with a massive entity (the ecosystem). The magnitude can be described as numbers> 1000 software module in approximately 30 different categories of data collection, over 60 the command and control server (C & C) server in several countries (primarily in Russia and Germany). Traditional information-gathering and espionage activities (keys, recording, screen captures, sending files) along with Rocra includes modules for smart phones in the data (iPhone, Symbian, Windows Phone), network equipment (Cisco), as well as, for example usb-memories that were found, including withdrawals of information out digging. Kaspersky believes that possibly five years, information has been collected up to hundreds of terabytes?
The program is embedded in the side primarily for Microsoft Office documents (Word, Excel), PDF files, and in some cases making use of Java vulnerabilities, such as web browsing.
Rocran What should we learn?
1. The traditional means of distribution are still working
It seems that the Rocraa has been to embed the target organizations in a very traditional, properly identified, carefully thought-out content and unique e-mail messages and attachments
The above means that organizations should continue the organization of incoming e-mail / spam & phishing of such messages, the web, as well as the organization of outgoing traffic analysis, verification and response capacity building as a gateway to the terminal level. More and more technical levels in security systems are needed.
2. Users – Information & Training
Technology alone is never enough, and it does not always work, because this is still a more important role in increasing the users’ security awareness.
Source: http://www.tietoviikko.fi/blogit/turvasatama/mitka+ovat+red+octobervakoiluohjelman+opetukset/a871510?s=r&wtm=tietoviikko/-18012013&
Tomi says:
Paging Dr Evil: Philips medical device control kit ‘easily hacked’
Homeland Security ‘taking an interest’
http://www.theregister.co.uk/2013/01/18/medical_device_control_kit_security/
Researchers have discovered security problems in management systems used to control X-ray machines and other medical devices.
Terry McCorkle and Billy Rios of security start-up Cylance used fuzzing approaches previously applied to unearth security holes in industrial control systems to find a way into the Xper Information Management system from Philips.
The tactic allowed the researchers to gain privileged user status onto the medical information management system. “Anything on it or what’s connected to it was owned, too,” Rios said during a presentation at Digital Bond’s annual SCADA Security Scientific Symposium (S4) conference, which took place in Miami this week.
The attack was in part enabled by weak remote authentication supported by the system, as well weaknesses that left it open to fuzzing – a tactic that involves throwing variable inputs at a test device until a fault condition that might be exploited occurs.
Philips said that the flaw exists only in older version of Xper.
Tomi Engdahl says:
Bad grammar make good password, research say
http://www.newscientist.com/blogs/onepercent/2013/01/bad-grammar-make-good-password.html
Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.
An algorithm developed by Ashwini Rao and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania, makes light work of cracking long passwords which make grammatical sense as a whole phrase, even if they are interspersed with numbers and symbols.
Tomi Engdahl says:
Youth expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students personal data
http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/
A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs, one which compromised the security of over 250,000 students’ personal information.
discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system”
“All software companies, even Google or Microsoft, have bugs in their software,” said Mr. Taza. “These two students discovered a very clever security flaw, which could be exploited.”
“Dawson has betrayed a brilliant student to protect Skytech management,”
Tomi Engdahl says:
‘End of passwords’ predictions are premature – Cambridge boffin
Nice fresh well-salted hash will keep them healthy
http://www.theregister.co.uk/2013/01/21/passwords_not_doomed/
Advances in the power of computers won’t automatically make passwords obsolete, according to a top computer science researcher.
Storing plain text passwords as part of an online authentication system is an obviously bad idea. If a website is broken into and the passwords are lifted then even well thought out passwords are exposed.
Instead websites need to store password hashes, protected by salting, in order to prevent brute force attacks using rainbow tables.
A password hash is computationally easy to create but working out the corresponding password from a hash ought to be nearly impossible, given a correctly implemented hash function. Rainbow tables circumvent this snag by creating a large data set of hashes from nearly every possible password.
“Password cracking is certainly getting faster,” Bonneau explains.
“The good news though is that password hash functions can (and should) co-evolve to get proportionately costlier to evaluate over time. This is a classic arms race and keeping pace simply requires regularly increasing the number of iterations in a password hash. We can even improve against password cracking over time using memory-bound functions, because memory speeds aren’t increasing nearly as quickly and are harder to attack using parallelism,” he adds.
Bonneau cautions against complacency: hashing passwords isn’t going to get any more efficient over time and older algorithms will need to be replaced by more complex successors.
“Moore’s Law has indeed broken MD5 as a password hash and no serious application should still use it. Human memory isn’t more of a problem today than it used to be though. The problem is that we’ve chosen to let password verification become too cheap,” Bonneau argued.
“Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust. But these can be easily cracked with the emergence of advanced hardware and software,”
“In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts,” Deloitte Canada adds.
Easily guessable passwords are arguably a lesser problem than password re-use. The average user has 26 password-protected accounts, but only five different passwords across those accounts, according to a recent study by credit reference agency Experian.
Tomi Engdahl says:
Google Declares War on the Password
http://www.wired.com/wiredenterprise/2013/01/google-password/
Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?
This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.
2012 may have been the year that the password broke.
Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.
Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.
Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.
Courtney says:
I read this paragraph completely regarding the comparison
of latest and previous technologies, it’s remarkable article.
Aftermath: Telecom 2012 « Tomi Engdahl’s ePanorama blog says:
[...] + Security trends were talked a lot in 2012 and discussion on them continues active on 2013. [...]
Tomi Engdahl says:
Eugene Kaspersky And Mikko Hypponen Talk Red October And The Future Of Cyber Warfare At DLD
http://techcrunch.com/2013/01/21/eugene-kaspersky-and-mikko-hypponen-talk-red-october-and-the-future-of-cyber-warfare-at-dld/
What is the consequence of cyber warfare slowly becoming increasingly common? That was the basic question that guided the DLD keynotes of Eugene Kaspersky, the co-founder of security company Kaspersky Lab, and F-Secure‘s chief research officer Mikko Hypponen.
Kaspersky, who admitted that all his years of security research left him a bit paranoid, argued that the early viruses and malware of the 90s was the equivalent of a bicycle, with the criminal malware we now increasingly face being cars
Hypponen took a similar view. The “happy hacker” of the 80s and 90s, he said, is long gone. Instead, we now have to deal with criminals who try to make money from their malware and botnets, hacktivists who try to protest and governments attacking their own citizens and other governments for espionage and full-scale cyber warfare.
Asked about the highly targeted and personalized Red October attack, both Hypponen and Kaspersky currently seem to assume that it was a state-sponsored attack, especially given that it took a good amount of traditional espionage to target the embassies, European Union agencies and space and nuclear research centers around the world the malware attacked over the last few years. Still where it came from remains unclear
Hypponen went on to liken Stuxnet, the virus that targets Iran’s nuclear program to the Manhattan Project. The scientists involved in created Stuxnet, he argued, lost their innocence when they worked on this. It’s possible, after all, that Stuxnet killed people, though we can’t be sure about that. “The people who launched this must have understood and did it anyway,” said Hypponen. “We crossed some line as mankind when we started doing that.”
Looking ahead, Hypponen believes that the next major war between developed countries will definitely include some form of cyber warfare, maybe to shut down electricity and defense systems before launching a conventional attack. “It won’t be a ‘clean’ cyber war,” Hypponen believes.
The main question for him is if we ready to give up some of our technologies because they have become to dangerous?
“Probably not”, said Kaspersky, but he is afraid that “the situation is going from bad to worse.”
Asked whether we will experience a major and devastating cyber attack that will influence the general public in the next three years, Kaspersky showed his paranoid side and noted that those already happened. He blames the major East Coast blackout of 2003 on the Blaster virus. “We still don’t understand that we live in an absolutely different world,” said Kaspersky. “We are like Alice in Wonderland and don’t know how to behave in this different land.” On the positive side, though, he said that he believes “that we will survive.”
Tomi Engdahl says:
iPad Hack Statement Of Responsibility
http://techcrunch.com/2013/01/21/ipad-hack-statement-of-responsibility/
In June of 2010 there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners
I did this because I despised people I think are unjustly wealthy and wanted to embarass them. I thought this is the United States of America where we have the right to do basic arithmetic and query public webservers.
I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.
The facts: AT&T admitted, at trial, that they “published” this data. Their words. Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago. This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people. People with “disruptive” startups, this is your fair warning: They are coming for you next.
This is a country where if you express ideas that federal agents don’t like you, you will be beaten, imprisoned, or killed.
Tomi Engdahl says:
Even Snapchat Cannot Keep Sexting Images Private Forever
http://www.redorbit.com/news/technology/1112754971/snapchat-images-private-122812/
People, often the younger generation, will send provocative pictures of themselves to one another (also can include explicit texting an email).
Snapchat is a photo and video sharing service with a special and interesting twist: It gives users the power to control how long their photos can be seen by those they sent the pictures to.
Once this user-determined viewing time has lapsed, the photo is said to disappear completely;
The easy answer to storing these photos and videos is to simply take a screenshot. However, the sender is alerted whenever the receiver takes such actions.
However, some “inspired” individuals have now discovered a way in which Snapchat videos can not only be seen even after the deadline has passed
While photos were not found to be stored locally, videos can easily be copied onto a computer to be viewed repeatedly. What’s worse, these files can even be shared on the Internet, likely to be viewed by those the sender never intended.
Tomi Engdahl says:
The European Network for Cyber Security
https://www.encs.eu/
ENCS creates and brings together knowledge and resources to secure European critical infrastructures. ENCS is a cooperative association with dedicated highly specialized resources and uses her network in government, academia and business to provide cyber security solutions dedicated to the needs of owners of critical infrastructures and regulators. Established in July 2012, ENCS is already actively involved in projects supporting the energy transition in Europe and is open for association of new members.
Tomi Engdahl says:
A close look at how Oracle installs deceptive software with Java updates
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/
Congratulations, Oracle.
Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.
And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.
Summary: Oracle’s Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here’s what it does, and why it has to stop.
Tomi Engdahl says:
Tech guide: Securing wiring closets with Cisco Catalyst switches
http://www.cablinginstall.com/articles/2012/12/cisco-catalyst-guide.html
A recent technical paper from Cisco explains for network technicians how to secure wiring closets using the company’s ubiquitous Catalyst switches.
Moreover, the paper presents the wiring closet switching infrastructure as the first line of defense for campus networks to protect an organization’s data, applications, and the network itself — and that the features that enable this defense are a critical part of the entire enterprise.
Tomi Engdahl says:
Legal Questions Arise as Cloud Computing Gains Traction
http://www.designnews.com/author.asp?section_id=1394&doc_id=257715
Cloud computing is simply computers somewhere else, dolling out software or hardware recourses over the Internet or local network. The inherent risks all still exist, but not on site. Despite this, the cloud has become quite popular with businesses and institutions as a way of storing and accessing data and information on demand.
Some of these institutions, including large US law firms, are slowly and reluctantly implementing the use of these services, but have fears that sensitive information could potentially be compromised (hacked) by exploiting their relatively weak security measures.
Using these services, such as IaaS (infrastructure-as-a-service), StaaS (storage-as-a-service), and PaaS (platform-as-a-service), can be both beneficial and potentially risky for those involved in the US justice system.
On one side of the cloud coin, major law firms can store an incredible amount of legal documentation that can be accessed at any given point for documentation management. This means that records are less likely to be lost, damaged, or misfiled
The other side of that coin is painted in an unattractive light, and is anything but beneficial to large law firms: Security risks that can potentially compromise sensitive material such as confidential client information and court litigation information. Cloud services generally use the same security measures (firewall, IPsec Protocol, anti-virus protection, etc.) and encryption methods of a typical shared multi-user mainframe (server). The problem with implementing cloud defense tactics is that the services are still in their infancy, which means security measures are basic at best.
Tomi Engdahl says:
A quick, well crafted Google search returns “About 86,800 results” for publically accessible HP printers.
PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network.
Source: http://port3000.co.uk/google-has-indexed-thousands-of-publicly-acce
Tomi Engdahl says:
Red October – Indicators of compromise
http://www.securelist.com/en/blog/208194092/Red_October_Indicators_of_compromise
The small whitepaper includes summarized information about malware’s known locations in infected systems, command and control domains and servers, snort rules, RC4 encryption keys, passwords and an industry standard IOC file with all these informations.
Tomi Engdahl says:
Linux/SSHDoor.A Backdoored SSH daemon that steals passwords
http://blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords
In his summary of New Year predictions by security researchers here at ESET, Stephen Cobb pointed to expanded efforts by malware authors to target the Linux operating system. Looks like that might be right: A blog post published by Sucuri yesterday describes a backdoored version of the SSH daemon discovered on compromised servers. Interestingly, this backdoor was used in conjunction with the malicious Apache module Linux/Chapro.A that we blogged about recently.
Tomi Engdahl says:
Hacker Bypasses Windows 7/8 Address Space Layout Randomization
http://tech.slashdot.org/story/13/01/25/2146222/hacker-bypasses-windows-78-address-space-layout-randomization
“Microsoft upped its security ante with Address Space Layout Randomization (ASLR) in Windows 7 and Windows 8, but it seems this mechanism to prevent hackers from jumping to a known memory location can be bypassed. A hacker has released a brilliant, yet simple trick to circumvent this protection.”
Tomi says:
Doctor of Engineering Jyrki J. Kasvi: New Finnish cyber security strategy is a joke
Defence Minister Carl Haglund announced the launch of the strategy that Finland’s goal is to become the world’s leading cyber security country by 2016.
- Information security can not be be improved without investing to it. Security organization is primarily a state responsibility, and it requires a good financial investment, which now did not want to give.
- Now every ministry a little like watching your own security affairs, and then doing what you are doing. No one will lead to a centralized operation
Source: http://www.iltalehti.fi/uutiset/2013012616603425_uu.shtml
Tomi says:
Finnish cyber strategy guidelines summarized:
- Effective collaboration model: different actors in readiness exercises on a regular basis.
- Situational Awareness and Understanding: updating information on threats.
- The ability to detect and block threats: rapid identification and response.
- The police requirements: adequate powers and resources.
- Armed Forces cyber capabilities: part of the development of other activities.
- National cyber security strengthening the participation in international co-operation.
- All social actors cyber knowledge improvement: in particular enterprises and non-governmental organizations.
Source: http://www.iltalehti.fi/digi/2013012416596841_du.shtml
Tomi Engdahl says:
Extracting data with USB HID
http://hackaday.com/2013/01/26/extracting-data-with-usb-hid/
High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.
this demonstration shows how something as simple as a keyboard can be used to lose data.
Tomi Engdahl says:
In Swartz protest, Anon hacks U.S. site, threatens leaks
http://news.cnet.com/8301-1009_3-57566016-83/in-swartz-protest-anon-hacks-u.s-site-threatens-leaks/
Saying “a line was crossed” with the treatment of tech activist Aaron Swartz, the group hacks a government site related to the justice system and distributes encrypted files it says it will decrypt unless demands are met.
Anonymous encouraged its followers to download the files on the hacked site, a set of nine downloads named after the U.S. Supreme Court’s nine justices and collectively referred to by the hacking collective as a “warhead.”
The group wouldn’t specify what, exactly, is in the files, saying only that “the contents are various and we won’t ruin the speculation by revealing them.”
The contents of the encrypted files can apparently be accessed only with a decryption key, and Anonymous said it didn’t necessarily want to provide that key to its followers — it mentioned “collateral damage” as a result of any leaks
The group said it had acquired the files by compromising various government Web sites and installing “leakware,” which it has since removed to cover its tracks.
Tomi Engdahl says:
Sony fined £250,000 after millions of UK gamers’ details compromised
http://www.ico.gov.uk/news/latest_news/2013/ico-news-release-2013.aspx
The entertainment company Sony Computer Entertainment Europe Limited has received a monetary penalty of £250,000 from the Information Commissioner’s Office (ICO) following a serious breach of the Data Protection Act.
The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers
An ICO investigation found that the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.
“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
Following the breach, Sony has rebuilt its Network Platform
Tomi Engdahl says:
Pentagon Expanding Cybersecurity Force to Protect Networks Against Attacks
http://www.nytimes.com/2013/01/28/us/pentagon-to-beef-up-cybersecurity-force-to-counter-attacks.html?pagewanted=all&_r=0
The Pentagon is moving toward a major expansion of its cybersecurity force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries, defense officials said Sunday.
The Pentagon “is constantly looking to recruit, train and retain world class cyberpersonnel,” a defense official said Sunday.
“The threat is real and we need to react to it,”
In October, Mr. Panetta warned in dire terms that the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial network and government.
Tomi Engdahl says:
FBI is increasing pressure on suspects in Stuxnet inquiry
http://www.washingtonpost.com/world/national-security/fbi-is-increasing-pressure-on-suspects-in-stuxnet-inquiry/2013/01/26/f475095e-6733-11e2-93e1-475791032daf_story.html
Federal investigators looking into disclosures of classified information about a cyberoperation that targeted Iran’s nuclear program have increased pressure on current and former senior government officials suspected of involvement, according to people familiar with the investigation.
The inquiry, which was started by Attorney General Eric H. Holder Jr. last June, is examining leaks about a computer virus developed jointly by the United States and Israel that damaged nuclear centrifuges at Iran’s primary uranium enrichment plant. The U.S. code name for the operation was Olympic Games, but the wider world knew the mysterious computer worm as Stuxnet.
The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures
“People are feeling less open to talking to reporters given this uptick,” said a person with knowledge of Machen’s inquiry. “There is a definite chilling effect in government due to these investigations.”
Former prosecutors said investigators run sophisticated software to identify names, key words and phrases embedded in e-mails and other communications, including text messages, which could lead them to suspects.
Tomi Engdahl says:
Disruptions: A Fuzzy and Shifting Line Between Hacker and Criminal
http://bits.blogs.nytimes.com/2013/01/27/disruptions-a-fuzzy-and-shifting-line-between-hacker-and-criminal/
Daniel Spitler
Aaron Swartz
Both cases are perfect examples of the justice system’s misunderstanding of what a hacker actually is. To many people who understand computers and the law, there is a danger in lumping people who have not sought financial gain with armed robbers. Where people should receive slaps on the wrist, they face decades in prison.
“There’s still uncertainty as to what should be criminal online, and the statutes are pretty vague,” said Orin S. Kerr, a professor of law at George Washington University.
“It’s hard because you’ve got conduct that looks bad, and maybe leads to some harm, coupled with vague laws that haven’t properly been clarified by Congress.”
The lack of clarity is something that became all too apparent in Mr. Spitler’s case.