Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices, so cyber security also extends to mobile.

Security is becoming an increasingly important issue, and 2013 is the year of cyber security. Security company Stonesoft predicts that we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will keep increasing. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012, and it is warning people to expect more of the same.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and test their devices more thoroughly now. But how are the smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices, and it is a good idea to test your own devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation security standard IEC 61508, security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than you did a few years ago. Previously it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough: you now need to think about the information security of production automation systems as such. You can’t keep automation systems isolated from the Internet. Accidental connections from isolated networks to the Internet happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine which indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls: it makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
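One defensive measure against the GPS time problem described above is to treat the receiver as untrusted input and sanity-check every timestamp before it updates the device clock. The following is an added example, not code from the article or from the GPS researchers it mentions; the GpsFix layout, the drift thresholds and the scenario values are assumptions made for illustration.

```python
"""Plausibility guard for a GPS-derived clock (e.g. a PMU or SCADA time source).

Added example, not code from the article or the GPS researchers it cites.
It converts a GPS week/time-of-week reading to Unix time, resolves the
legacy 10-bit week-number ambiguity against a trusted reference, and refuses
readings that would push a signed 32-bit time_t past its limit or move the
clock by more than bounded oscillator drift could explain. Thresholds and
the GpsFix layout are assumptions chosen for illustration.
"""
from dataclasses import dataclass

GPS_EPOCH_UNIX = 315964800        # 1980-01-06T00:00:00Z, origin of GPS time
SECONDS_PER_WEEK = 7 * 24 * 3600
WEEK_ROLLOVER = 1024              # legacy nav message carries a 10-bit week number
TIME_T32_MAX = 2**31 - 1          # 2038-01-19T03:14:07Z, signed 32-bit time_t limit
DEFAULT_LEAP_SECONDS = 16         # GPS-UTC offset in force in early 2013


@dataclass
class GpsFix:
    week: int                      # GPS week number as reported by the receiver
    tow: float                     # seconds into the week (time of week)
    truncated_week: bool = False   # True if 'week' is only the 10-bit value


def resolve_week(truncated_week, reference_unix):
    """Pick the 1024-week cycle that puts the fix closest to a trusted reference."""
    ref_week = (reference_unix - GPS_EPOCH_UNIX) // SECONDS_PER_WEEK
    base = ref_week - ref_week % WEEK_ROLLOVER
    low = truncated_week % WEEK_ROLLOVER
    candidates = (base - WEEK_ROLLOVER + low, base + low, base + WEEK_ROLLOVER + low)
    return min(candidates, key=lambda w: abs(w - ref_week))


def gps_to_unix(fix, leap_seconds=DEFAULT_LEAP_SECONDS, reference_unix=None):
    """Convert a GPS week/TOW pair to Unix (UTC) seconds."""
    week = fix.week
    if fix.truncated_week:
        if reference_unix is None:
            raise ValueError("a truncated week number needs a reference time")
        week = resolve_week(week, reference_unix)
    # GPS time runs ahead of UTC by the accumulated leap seconds
    return GPS_EPOCH_UNIX + week * SECONDS_PER_WEEK + fix.tow - leap_seconds


def accept_gps_time(candidate_unix, last_accepted_unix, elapsed_monotonic,
                    max_step=1.0, max_drift_ppm=100.0):
    """Decide whether a new GPS-derived timestamp may update the local clock.

    elapsed_monotonic is the time since last_accepted_unix measured on the
    local free-running oscillator, which a spoofed satellite signal cannot move.
    Returns (accepted, reason).
    """
    if candidate_unix < 0 or candidate_unix > TIME_T32_MAX:
        return False, "timestamp outside signed 32-bit time_t range"
    expected = last_accepted_unix + elapsed_monotonic
    tolerance = max_step + elapsed_monotonic * max_drift_ppm / 1e6
    delta = candidate_unix - expected
    if abs(delta) > tolerance:
        return False, f"jump of {delta:+.1f}s exceeds tolerance of {tolerance:.3f}s"
    return True, "ok"


def main():
    # Constructed scenario: the device last trusted 2013-03-31T00:00:00Z and
    # its own oscillator says 30 s have passed since then.
    last_accepted = 1364688000
    elapsed = 30.0
    fixes = (
        ("honest", GpsFix(week=710, tow=30.0, truncated_week=True)),  # 1734 mod 1024
        ("jumped", GpsFix(week=1800, tow=0.0)),                       # a year ahead
        ("rollover", GpsFix(week=3100, tow=0.0)),                     # beyond 2038
    )
    for label, fix in fixes:
        candidate = gps_to_unix(fix, leap_seconds=0, reference_unix=last_accepted)
        ok, why = accept_gps_time(candidate, last_accepted, elapsed)
        print(f"{label}: unix={candidate:.0f} accepted={ok} ({why})")


if __name__ == "__main__":
    main()
```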


The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increase in cyber threats. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, for example by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police has started: the EU’s new European Cybercrime Centre (EC3) opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and it will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    Activists on Front Lines Bringing Computer Security to Oppressed People
    https://threatpost.com/en_us/blogs/activists-front-lines-bringing-computer-security-oppressed-people-040313

    Security-related policy or legislation is enacted and then enforced to protect corporate, government or military interests. Civil organizations are often left flailing in the wind, fending for themselves with fewer IT resources and experience than a Middle America mom-and-pop operation.

    “It’s a widespread assumption that the Internet, mobile devices, social media are empowering, but [attackers] are finding leverage there to put NGOs at risk,”

    “They lack awareness. They’re poorly resourced. They’re left out to dry when it comes to policy; government focuses on the private sector and civil society is left defenseless.”

    Citizen Lab is one organization that has done intense research into understanding the threat environment facing those groups NGOs and human rights organizations seek to help. Often, these groups are desperate to communicate with others, and believe that social networks or tools such as Skype and other platforms are safe. But attackers, most of whom are believed to be state-sponsored, have infiltrated these networks and platforms with malware that reports back on the activities of these groups.

    In the last two weeks, researchers at Citizen Lab and Kaspersky Lab have discovered the first targeted attacks using malware for the Android mobile platform. Spear-phishing emails spoofed from prominent Tibetan activist leaders spread infected Android application package (.APK) files that not only opened backdoor channels to the attackers and collected contact and messaging data from the phone, but also relayed location information that could be used for surveillance.

    Tibetan Android users, for example, are barred by the Great Firewall of China from accessing the Google Play store, forcing them to download apps from third-party resources that may be untrustworthy.

    “For every Fortune 500 company or network that is breached, somewhere there is a NGO whose social network was compromised,” Deibert said. “The risk is greater, because we are talking about loss of life or imprisonment.”

  2. Tomi Engdahl says:

    Anonymous hacks North Korea’s Twitter and Flickr accounts
    http://news.cnet.com/8301-1009_3-57577904-83/anonymous-hacks-north-koreas-twitter-and-flickr-accounts/

    The “hacktivist” group also took credit for hacking a North Korean news and information Web site, which is currently off line.

  3. Tomi Engdahl says:

    Could your secrets be revealed too? Mobile devices hide a great danger

    “Many consumers do not understand, however, how large a part of the personal and private information stored on the device is fair game, so to speak, in a situation where the device is lost or stolen,”

    Often simple basic actions help a lot, such as setting a screen lock. Applications are also available for mobile devices with which they can be remotely locked and erased if necessary.

    Even though two thirds of the respondents said that their device has access to confidential information, only a third admitted to having set a password on their smart device.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/uhkaavatko+sinunkin+salaisuutesi+paljastua+mobiililaitteissa+piilee+suuri+vaara/a891705?s=r&wtm=tietoviikko/-05042013&

  4. Tomi Engdahl says:

    Apple’s iMessage encryption trips up feds’ surveillance
    http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/

    Internal document from the Drug Enforcement Administration complains that messages sent with Apple’s encrypted chat service are “impossible to intercept,” even with a warrant.

    When Apple’s iMessage was announced in mid-2011, Cupertino said it would use “secure end-to-end encryption.” It quickly became the most popular encrypted chat program in history.

    records of text messages already obtained from Verizon Wireless were incomplete because the target of the investigation used iMessage: “It became apparent that not all text messages were being captured.”

    FBI’s Mueller confirmed that the bureau is pushing for “some form of legislation.”

    because iMessage has “lots of moving parts,” there are plenty of places where things could go wrong. Green said that Apple “may be able to substantially undercut the security of the protocol”

    Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union, said yesterday that “Apple’s service is not designed to be government-proof.”

    “It’s much much more difficult to intercept than a telephone call or a text message” that federal agents are used to, Soghoian says. “The government would need to perform an active man-in-the-middle attack… The real issue is why the phone companies in 2013 are still delivering an unencrypted audio and text service to users. It’s disgraceful.”

  5. Tomi Engdahl says:

    Google Fights U.S. National Security Probe Data Demand
    http://www.bloomberg.com/news/2013-04-04/google-fights-u-s-national-security-probe-data-demand.html

    Google Inc. (GOOG), operator of the world’s largest search engine, is challenging a demand by the U.S. government for private user information in a national security probe, according to a court filing.

    It “appears” to be the first time a major communications company is pushing back after getting a so-called National Security Letter, said the Electronic Frontier Foundation, an Internet privacy group.

  6. Tomi Engdahl says:

    Why Facebook Home bothers me: It destroys any notion of privacy
    http://gigaom.com/2013/04/04/why-facebook-home-bothers-me-it-destroys-any-notion-of-privacy/

    Facebook’s history as a repeat offender on privacy, and playing loose and easy with our data, means that we need to be even more vigilant about privacy issues, thanks to this Home app/faux-OS.

    The new Home app/UX/quasi-OS is deeply integrated into the Android environment. It takes an effort to shut it down, because Home’s whole premise is to be always on and be the dashboard to your social world.

    But there is a bigger worry. The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time.

    So if your phone doesn’t move from a single location between the hours of 10 p.m. and 6 a.m. for say a week or so, Facebook can quickly deduce the location of your home. Facebook will be able to pinpoint on a map where your home is, whether you share your personal address with the site or not.

    This future is going to happen – and it is too late to debate. However, the problem is that Facebook is going to use all this data — not to improve our lives — but to target better marketing and advertising messages at us. Zuckerberg made no bones about the fact that Facebook will be pushing ads on Home.

  7. Tomi Engdahl says:

    Trojan Turns Your PC Into Bitcoin Mining Slave
    http://www.wired.com/wiredenterprise/2013/04/bitcoin-trojan/

    Maybe it’s a sign of the Bitcoin bubble. Criminals are trying to take control of PCs and turn them into Bitcoin miners.

    According to antivirus seller Kaspersky Lab, there’s a new Trojan — spotted just yesterday and spreading via Skype — that takes control of infected machines and forces them to do what is known as Bitcoin mining, a way of earning digital currency.

  8. Tomi Engdahl says:

    Laws Can’t Save Banks From DDoS Attacks
    http://www.informationweek.co.uk/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324

    A threat information-sharing bill wouldn’t do much to help banks defend themselves against distributed denial of services (DDoS) attacks.

    The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better.

    The problem with that reasoning is that the bank disruptions — often publicized in advance by attackers — overwhelm targeted networks through sheer quantities of packets. They don’t employ attacks of a stealthy or unknown nature that banks might have difficulty spotting if only they had access to better attack data.

    Valdez continued: “Some intelligence can help you — it’s good to know the attack techniques being used, that might help you put in place better mitigation technologies. But most of the [DDoS] attacks these days are sheer packets-per-second attacks, designed to overwhelm your infrastructure so that you can’t service any requests. In that type of scenario, with threat intelligence, it’s … not going to effectively help your mitigations.”

    In fact, multiple security experts I’ve spoken with contend that banks are combating the DDoS attacks quite well via layered defenses, DDoS scrubbing services from third-party providers, and dedicated DDoS mitigation defenses running on premises or in the cloud. In some cases, banks can also use content delivery networks that spread instances of their sites across different geographical regions, helping minimize the effects of a DDoS-generated disruption in any one of those areas.

    As a result, bank officials say that even in the face of massive DDoS attacks, their websites are for the most part remaining online, or going offline just briefly. Still, during the DDoS disruptions more customers than normal might not be able to reach their websites, perhaps as a side effect of scrubbing or other DDoS defenses that might be temporarily blocking their PC, network segment or geographic region. “Typically what customers see [from DDoS attacks] is slow responses … especially with these banking sites,”

    That’s just a DDoS attack fact of life. “Everyone is vulnerable, to some extent,” he said. “The reality is you’ve got a pipe attached to your system, and there’s only so much that can go through that pipe, and when attackers are filling it up with junk, you can’t get the rest through.”

  9. Tomi says:

    Silent Circle aims for email that’s as secure as it gets
    PGP and Navy SEALs take on privacy
    http://www.theregister.co.uk/2013/04/06/silent_circle_private_email_expansion/

    It’s been 22 years since Phil Zimmerman, Jon Callas and the rest of the PGP crew brought encryption to the masses for free, and now the same team – augmented by backing from a couple of former Navy SEALs – has expanded into a new privacy concern that will launch an email service in a couple of weeks.

    Silent Circle came out of stealth mode last June with a $20 (£13) per month package for voice, text, and video services that are encrypted by an application on a user’s smartphone, tablet or computer. Users download the software and all traffic is handled by the company’s own servers.

  10. Tomi Engdahl says:

    Unique in the Crowd: The privacy bounds of human mobility
    http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html

    We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.

    the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution. Hence, even coarse datasets provide little anonymity.

    Modern information technologies such as the Internet and mobile phones, however, magnify the uniqueness of individuals, further enhancing the traditional challenges to privacy. Mobility data is among the most sensitive data currently being collected.

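The uniqueness measure the paper above describes can be reproduced on a small scale to assess the re-identification risk of a location dataset before it is shared. The code below is an added example, not the paper's code or data: the synthetic population, grid size and coarsening factors are constructed for illustration, and the 1/10 power-law decay the paper reports is not something this toy population is tuned to reproduce.

```python
"""Uniqueness of mobility traces, in the spirit of the de Montjoye et al.
Scientific Reports paper quoted above.

Added example, not the paper's code or data. A trace is a set of
(hour, cell_x, cell_y) points. Given p points drawn from a person's trace,
that person is 'unique' if nobody else's trace contains all p points. The
synthetic population, the grid size and the coarsening factors are
constructed for illustration.
"""
import random
from collections import defaultdict


def build_index(traces):
    """Inverted index: point -> set of users whose trace contains it."""
    index = defaultdict(set)
    for user, points in traces.items():
        for point in points:
            index[point].add(user)
    return index


def matching_users(index, points):
    """Users whose traces contain every point in 'points'."""
    users = None
    for point in points:
        holders = index.get(point, set())
        users = set(holders) if users is None else users & holders
        if not users:
            return set()
    return users if users is not None else set()


def is_unique(traces, user, points, index=None):
    """True if 'points' pin down exactly this user within the dataset."""
    if index is None:
        index = build_index(traces)
    return matching_users(index, points) == {user}


def uniqueness(traces, p, rng=None, trials_per_user=3):
    """Fraction of (user, random p-point sample) pairs that identify the user."""
    rng = rng if rng is not None else random.Random(0)
    index = build_index(traces)
    unique = total = 0
    for user, points in traces.items():
        if len(points) < p:
            continue
        ordered = sorted(points)
        for _ in range(trials_per_user):
            sample = rng.sample(ordered, p)
            total += 1
            unique += is_unique(traces, user, sample, index)
    return unique / total if total else 0.0


def coarsen(traces, time_factor=1, space_factor=1):
    """Lower the resolution: merge hours and cells into larger buckets."""
    return {
        user: {(h // time_factor, x // space_factor, y // space_factor)
               for (h, x, y) in points}
        for user, points in traces.items()
    }


def constructed_population(n_users, n_hours, grid, points_per_user, rng):
    """Synthetic traces: each user mostly sits near a home cell, with some roaming."""
    traces = {}
    for user in range(n_users):
        home = (rng.randrange(grid), rng.randrange(grid))
        points = set()
        while len(points) < points_per_user:
            hour = rng.randrange(n_hours)
            if rng.random() < 0.7:
                x = min(grid - 1, max(0, home[0] + rng.randint(-1, 1)))
                y = min(grid - 1, max(0, home[1] + rng.randint(-1, 1)))
            else:
                x, y = rng.randrange(grid), rng.randrange(grid)
            points.add((hour, x, y))
        traces[f"user{user}"] = points
    return traces


def main():
    rng = random.Random(2013)
    traces = constructed_population(n_users=2000, n_hours=24 * 30, grid=40,
                                    points_per_user=120, rng=rng)
    for p in (1, 2, 3, 4):
        print(f"p={p}: {uniqueness(traces, p, rng):.2%} of samples unique")
    coarse = coarsen(traces, time_factor=6, space_factor=4)
    print(f"p=4 at 6-hour / 4-cell resolution: {uniqueness(coarse, 4, rng):.2%}")


if __name__ == "__main__":
    main()
```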
  11. Tomi Engdahl says:

    French homeland intelligence threatens a volunteer sysop to delete a Wikipedia Article
    http://blog.wikimedia.fr/dcri-threat-a-sysop-to-delete-a-wikipedia-article-5493

    Wikimedia France strongly condemns pressure on Wikipedia sysop by French homeland intelligence agency (DCRI)

    Unhappy with the Foundation’s answer, the DCRI summoned a Wikipedia volunteer to their offices on April 4th. This volunteer, who was one of those having access to the tools that allow the deletion of pages, was forced to delete the article while in the DCRI offices.

    This volunteer had no link with that article, having never edited it and not even knowing of its existence before entering the DCRI offices. He was chosen and summoned because he was easily identifiable, given his regular promotional actions of Wikipedia and Wikimedia projects in France.

  12. Tomi Engdahl says:

    German ransomware threatens with sick kiddie smut
    IWF warns of scheme to shock victims into ‘police’ payment
    http://www.theregister.co.uk/2013/04/05/iwf_warning_smut_ransomware/

    Security technicians at Sophos are poring over a new piece of ransomware that uses images of purported child sexual abuse to extort money from internet users, a discovery that has prompted an alert from the Internet Watch Foundation (IWF).

    “Ransomware that uses pornography as a tool is nothing new,” Graham Cluley, senior technology consultant for the British security software vendor, told The Register. “This is the first time we’ve seen images shown – that’s very different. It’s going for shock value.”

    Ransomware has been around for over 20 years, but there’s recently been a big upsurge in its use. Along with fake security software it’s one of the most directly lucrative ways of extorting money from internet users, and recent arrests have shown that it’s becoming very big business indeed.

  13. Tomi Engdahl says:

    Now You See It, Now You Don’t: Disappearing Messages Are Everywhere
    http://www.technologyreview.com/news/513006/now-you-see-it-now-you-dont-disappearing-messages-are-everywhere/

    Smartphone apps that send disappearing messages are gaining in popularity.

    You’ve heard it an eye-rolling number of times: anything you post online, or any message you send—be it a seemingly benign text or a photo taken when you were drunk—can come back to haunt you.

    A growing number of startups, led by rapidly growing photo-sharing app Snapchat, are challenging the assumption with apps that allow you to send text and multimedia messages that—like in Mission Impossible or Inspector Gadget—quickly self-destruct (minus, of course, an actual explosion). Even Facebook has gotten in on the action, releasing a Snapchat lookalike app called Poke for sending friends notes, pictures, and videos.

    On Android, Gryphn’s app replaces the stock SMS texting app and encrypts outgoing messages and decrypts incoming messages. The app doesn’t allow users to take screen shots, and encryption can prevent a message recipient from saving or forwarding a message or set a picture message to disappear shortly after being viewed.

    Enterprise apps like Gryphn’s could also help companies comply with various laws that dictate how long they must hang on to certain information—such as messages pertaining to a stockbroker’s sale of a client’s stock.

    If ephemeral messaging startups gain in popularity among both consumers and business users, it’s more likely that this kind of capability will bleed into other apps and services, too. “I do believe ephemeral data’s the future. Every single messaging, social, communications app in the future will have ephemeral capabilities,” Sell says. “Now that we’ve done it, it’s really obvious.”

  14. Tomi Engdahl says:

    Cyberattacks Abound Yet Companies Tell SEC Losses Are Few
    http://www.bloomberg.com/news/2013-04-04/cyberattacks-abound-yet-companies-tell-sec-losses-are-few.html

    The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.

    Those mixed messages have triggered a debate over whether Washington is overstating the damage from cyber attacks or whether companies are understating its impact — or not disclosing the attacks at all. It also raises questions about whether some companies are painting more alarming scenarios for politicians than for their investors.

    “There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policy makers,” said Sascha Meinrath, vice president of the New America Foundation, a Washington-based policy group.

    After a wave of cyber attacks hit a Federal Reserve website, the New York Times and other news outlets, and U.S. banks, President Barack Obama issued an executive order in February to better protect businesses and critical assets, such as pipelines and power grids.

    The challenge for companies is that regulators want more information about cyber attacks yet businesses don’t want to provide

    The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks

    Almost all of the top 100 U.S. companies by revenue said they rely on technology that may be vulnerable to security breaches, theft of proprietary data and disrupted operations, according to a review of their most recent annual reports.

    Expensive Fixes

    While Verizon said in its 2012 10-K the cyber attacks it experienced haven’t been material, the company said the potential costs of a major assault include “expensive incentives” to keep customers, a jump in security spending, lost revenue and damage to the company’s reputation.

  15. Tomi Engdahl says:

    Facebook Home isn’t where your privacy is
    http://news.cnet.com/8301-1009_3-57578244-83/facebook-home-isnt-where-your-privacy-is/

    Commentary: Facebook’s latest attempt to get you to spend more time with its services bodes ill for the privacy-minded, but not all hope is lost.

  16. Tomi Engdahl says:

    DEA Accused Of Leaking Misleading Info Falsely Implying That It Can’t Read Apple iMessages
    http://www.techdirt.com/articles/20130405/01485922590/dea-accused-leaking-misleading-info-falsely-implying-that-it-cant-read-apple-imessages.shtml?_format=full?_format=full

    Yesterday, CNET had a story revealing a “leaked” Drug Enforcement Agency (DEA) memo suggesting that messages sent via Apple’s own iMessage system were untappable and were “frustrating” law enforcement.

    In reading over this, however, a number of people quickly called bullshit. While Apple boasts of “end-to-end encryption” it’s pretty clear that Apple itself holds the key — because if you boot up a brand new iOS device, you automatically get access to your old messages.

    That leads Sanchez to wonder if there might be some sort of ulterior motive behind the “leaking” of this document, done in a way to falsely imply that iMessages are actually impervious to government snooping.

  17. Tomi Engdahl says:

    Malware spread on Skype taps victim PCs to mint bitcoins
    http://arstechnica.com/security/2013/04/malware-spread-on-skype-taps-victim-pcs-to-mint-bitcoins/

    Latest Bitcoin malware comes amid a spike in the value of the digital currency.

    But scammers spreading malware on Skype are taking a decidedly more nefarious approach. Their malicious code hijacks a computer’s resources to mine BTC, according to a blog post published Thursday by a researcher from Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don’t have to pay the purchase price of the hardware or pay for the electricity to run them.

  18. Tomi Engdahl says:

    U.S. Air Force designates six cybertools as weapons
    http://news.cnet.com/8301-1009_3-57578567-83/u.s-air-force-designates-six-cybertools-as-weapons/

    Six cybertools have been designated as weapons by the U.S. Air Force, allowing the programs to better compete for increasingly scarce Pentagon funding, an Air Force official said on Monday.

    Lt. Gen. John Hyten, vice commander of Air Force Space Command, told a conference held in conjunction with the National Space Symposium that the new designations would boost the profile of the military’s cyberoperations as countries grapple with attacks originating from the Internet.

    “This means that the game-changing capability that cyber is going to get more attention and the recognition that it deserves,”

    The Air Force plans to increase its cyberworkforce by 20 percent, adding 1,200 people to its current 6,000, he said.

  19. Tomi Engdahl says:

    Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
    http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/

    A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.

    Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.

    The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.

    The secretive technology, generically known as a stingray or IMSI catcher, allows law enforcement agents to spoof a legitimate cell tower in order to trick nearby mobile phones and other wireless communication devices like air cards into connecting to the stingray instead of a phone carrier’s legitimate tower.

    When devices connect, stingrays can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location.

    By moving the stingray around and gathering the wireless device’s signal strength from various locations in a neighborhood, authorities can pinpoint where the device is being used with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.

  20. Tomi Engdahl says:

    Shodan: The scariest search engine on the Internet
    http://money.cnn.com/2013/04/08/technology/security/shodan/

    “When people don’t see stuff on Google, they think no one can find it. That’s not true.”

    That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

    It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.

    Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

    It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

    What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.

    “You can log into just about half of the Internet with a default password,”

    “It’s a massive security failure.”

    Scary stuff, if it got into the wrong hands.

    “You could really do some serious damage with this,”

    Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. Bad actors may use it as a starting point, Matherly admits.

    To date, most cyberattacks have focused on stealing money and intellectual property. Bad guys haven’t yet tried to do harm by blowing up a building or killing the traffic lights in a city.

    Security professionals are hoping to avoid that scenario by spotting these unsecured, connected devices and services using Shodan, and alerting those operating them that they’re vulnerable.

  21. Tomi Engdahl says:

    Hackers take aim at key U.S. infrastructure
    http://money.cnn.com/2013/02/20/news/economy/hacking-infrastructure/index.html?iid=EL

    The only two countries thought to have actually altered industrial processes in another country are the United States and Israel, which are suspected of infecting an Iranian uranium enrichment plant with malicious software that caused the centrifuges to spin out of control and self-destruct.

    But the Mandiant report said it was likely Chinese military personnel that hacked into Telvent Canada, a firm now known as Schneider Electric that makes switches and other gear for oil and gas pipelines.

    Experts say the snooping probably has two purposes: To gather information in an effort to improve China’s own critical infrastructure; and to lay the groundwork for a future attack to shut down those systems, if China wanted to pursue that option.

    If it did ever come to that, things could get ugly in short order.

    The industrial control systems that run so many of America’s power plants, factories, pipelines, dams, water treatment plants and other infrastructure elements are fairly well guarded from the outside, said Dale Peterson, chief executive of Digital Bond, a company that consults on such matters. But once a hacker is in the system, Peterson said there are very few safeguards preventing the intruder from sending commands that could, say, cause an accident at a chemical plant or lead a pharmaceutical factory to dispense the wrong medications.

    “Once they get on those networks, they are insecure by design,”

    Targeting a third-party vendor like Telvent is one way to get around the more robust security systems put in place by the pipeline companies

    “For a while, it was a dirty little secret that just people in the industry knew,” said Peterson, referring to how easy it is to take over an industrial process once you’re in the system. “But we can’t wait another 20 years, or whatever it is that people thought we could get out of these systems. We have to upgrade them now.”

    Electric industry sources say the most sensitive equipment — think nuclear power plants — have internal, on-site control functions that are not connected to the Internet. That makes them much less vulnerable to attack.

    But not all systems are that secure. The advanced age of much of the power grid, combined with how interconnected everything is, is a major challenge.

    “It’s an issue that’s at the top of the list of every utility executive,”

    McGranaghan said building redundancies into the system should make it stronger. There are also efforts toward greater monitoring, and toward ensuring that compromised systems can be isolated. He believes grid security should be made better, not worse, by the adoption of smart meters and other Internet-connected devices that could further the utilities’ ability to quickly wall off problems.

    Still, he conceded that challenges remain.

    “There will be breaches, and it’s a very interconnected system,” he said. Problems “can result in cascading conditions.”

    Reply
  22. book for education says:

    Thank you for the good writeup. It if truth be told was a enjoyment account it. Look complex to more delivered agreeable from you! By the way, how could we communicate?

    Reply
  23. Win on Qubids says:

    Great blog 9/10! Bookmarked :)

    Reply
  24. Tomi Engdahl says:

    Microsoft Gets Ready to Pull the Life Support on Windows XP
    http://www.webmonkey.com/2013/04/microsoft-gets-ready-to-pull-the-life-support-on-windows-xp/

    Today marks the first day of the last year of Windows XP’s long and storied life.

    On April 8, 2014, Microsoft will officially stop supporting Windows XP, meaning there will be no more security updates or other patches. When April 2014 rolls around Microsoft will have supported Windows XP for nearly 12 years.

    According to NetMarketShare, just over 38 percent of PCs connected to the web are still running Windows XP. Given that current XP users have already ignored three OS upgrades, it seems reasonable to assume a significant number of XP diehards still won’t upgrade even now that Microsoft is no longer issuing security updates — all of which adds up to a potentially huge number of vulnerable PCs connected to the web.

    With so many suddenly vulnerable PCs on the web, it’s really only a matter of time before unpatched vulnerabilities are identified and exploited, which could mean a serious uptick in the amount of botnet spam or worse — imagine even a small percentage of those 38 percent of PCs being harnessed for distributed denial of service attacks.

    Reply
  25. Tomi Engdahl says:

    Hijacking airplanes with an Android phone
    http://www.net-security.org/secworld.php?id=14733

    An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.

    By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes’ Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircraft by making virtual planes “dance to his tune.”

    One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on)

    The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircraft and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter.

    Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the “behavior” of the plane.

    Teso showcased an Android application that uses SIMON’s powers to remotely control airplanes on the move.

    PlaneSploit uses the Flightradar24 live flight tracker and you can tap on any airplane found in range. When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment.

    Reply
  26. Tomi Engdahl says:

    ZeroAccess Bitcoin botnet shows no signs of slowing
    http://www.net-security.org/malware_news.php?id=2464

    FortiGuard Labs observed that the Bitcoin mining botnet, ZeroAccess, was the number one threat last quarter.

    “In the first quarter of 2013, we have seen owners of the ZeroAccess botnet maintain and expand the number of bots under its control,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs. “In the last 90 days, the owners of ZeroAccess have sent their infected hosts 20 software updates.”

    Based on reporting from FortiGate devices worldwide, ZeroAccess is the number one botnet threat the team is seeing. ZeroAccess is used primarily for click fraud and Bitcoin mining.

    “As Bitcoin’s popularity and value increases, we may see other botnet owners attempt to utilize their botnets in similar fashions or to disrupt the Bitcoin market,”

    The growth of new ZeroAccess infections has remained constant in the last 90 days.

    Most recently, the team is seeing a staggering 100,000 new infections per week and almost 3 million unique IP addresses reporting infections.

    Reply
  27. Tomi Engdahl says:

    “The surge in Android adware can most likely be attributed to users installing what they believe are legitimate applications that contain the embedded adware code,” said Guillaume Lovet, Senior Manager at FortiGuard Labs. “It suggests that someone or some group has been able to monetize these infections, most likely through illicit advertising affiliate programs.”

    Source: http://www.net-security.org/malware_news.php?id=2464

    Reply
  28. Tomi Engdahl says:

    Metasploit Pro 4.6 Adds OWASP Top 10 2013 and Security Auditing Wizards
    https://community.rapid7.com/community/metasploit/blog/2013/04/10/metasploit-adds-owasp-top-10-2013-and-penetration-test-wizards?mkt_tok=3RkMMJWWfF9wsRokvazNZKXonjHpfsX56uwsXaC%2BlMI%2F0ER3fOvrPUfGjI4DT8ZrI%2FqLAzICFpZo2FFKG%2FCceNc%3D

    Support for OWASP Top 10 2013: Release 4.6 broadens the scope of Metasploit’s security auditing with the inclusion of testing capabilities for the upcoming Open Web Application Security Project (OWASP) Top 10 2013, which is currently in the Release Candidate stage. The list identifies ten of the most critical risks relating to web applications.

    Metasploit Pro 4.6 also introduces the concept of Security Auditing Wizards, which walk the user through the steps of a typical engagement. Seasoned penetration testers will find that the wizards shortcut the first steps of an engagement, making them more productive.

    Reply
  29. Software mods says:

    It is perfect time to make some plans for the longer term and it’s time to be happy. I have read this post and if I may I wish to recommend you few interesting things or suggestions. Maybe you could write next articles regarding this article. I desire to learn more things approximately it!

    Reply
  30. Tomi Engdahl says:

    Bing Delivers Five Times as Many Malicious Websites as Google
    http://securitywatch.pcmag.com/security/310268-bing-delivers-five-times-as-many-malicious-websites-as-google

    Searches on Bing returned five times more links to malicious websites than Google searches, according to an 18-month study from German independent testing lab AV-Test.

    The study looked at nearly 40 million websites provided by seven different search engines.

    The study concluded that while all the search engines the lab evaluated delivered malware, Google delivered the least. It was followed by Bing, which returned a disconcerting five times as much malware as Google. Yandex, the Russian website, delivered 10 times as many malicious sites.

    Reply
  31. Tomi says:

    WordPress Sites Under Wide-Scale Brute Force Attack
    http://it.slashdot.org/story/13/04/12/1940248/wordpress-sites-under-wide-scale-brute-force-attack

    “Some of us have been experiencing attacks on WordPress sites for the last few days”

    ‘This attack is well organized and again very, very distributed’

    CloudFlare has announced that they’re giving all users protection

    Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack
    http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br

    There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.

    One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack.

    If you are running a WordPress blog and want to ensure you are protected from this attack, you can sign up for CloudFlare’s free plan and the protection is automatic.

    Reply
  32. ndiwoehdnxsai says:

    Thanks for your inquiry. That’s really cool. Please keep moving like this.

    Reply
  33. Tomi Engdahl says:

    WordPress blogs and more under global attack – check your passwords now!
    http://nakedsecurity.sophos.com/2013/04/13/wordpress-blogs-and-more-under-global-attack-check-your-passwords-now/

    If you have a web service that supports remote users, you will know that malevolent login attempts are an everyday occurrence.

    Even on my own home-hosted SSH server, listening unassumingly on an IP number on a DSL line, I’ve seen thousands of login attempts from dozens of different IP numbers in the course of a single day.

    But hosting providers worldwide are reporting that they’ve been seeing systematic attempts, over the last 48 hours or so, to breach blogs and content management systems (CMSes) at well above average levels.

    The primary target seems to be WordPress, with Joomla users also reportedly getting a bit of a hammering.

    Since it would take too long to try every possible username and password on every known WordPress or Joomla server, this onslaught is using what is known as a dictionary attack.

    Reply
  34. Tomi Engdahl says:

    Father of SSH working on new version of crypto standard
    Free tool to assess risks associated with SSH keys also on tap
    http://www.networkworld.com/news/2013/040913-ssh-ylonen-268548.html

    “There will be a new version of SSH,” says Tatu Ylonen, CEO of SSH Communications Security, pointing to the IETF draft document that’s recently been made available for public review. Co-authored with others, including NIST computer scientist Murugiah Souppaya, this third version of SSH has a focus on key management and could be set by early next year.

    the new version could take a couple of years to catch on, so he’s pushing for backward compatibility

    “There’s no proper tracking of what key exists,” Ylonen says about the situations he sees in many organizations.

    The envisioned SSH standard provides guidelines for “discovering, remediating, and continuously managing SSH user keys and other authentication credentials.”

    Ylonen acknowledges this is not necessarily the practice today and that there’s often an unfortunate state of disorder in SSH key usage that threatens the fundamental security of the assets the protocol is supposed to protect in the enterprise.

    His company, SSH Communications Security, next month intends to make available a free key discovery tool that would allow the user to collect SSH key information throughout its IT environment in order to gain an assessment of risk exposure. Called SSH Risk Advisor, this tool is expected to be able to find out where SSH is being used and the SSH keys that may have proliferated.

    Reply
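    The key discovery Ylonen describes above (find where SSH keys are, and which of them are a risk) can be approximated with a small script. The following is an added example, not code from the article or from SSH Communications Security’s Risk Advisor tool: a Python audit of authorized_keys content that parses each entry, decodes the key blob to get the key type and size, computes the OpenSSH-style SHA256 fingerprint, and flags entries that are weak (RSA under 2048 bits, DSA), unrestricted (no `from=` option) or anonymous (no comment naming the owner). The sample file and the keys in it are constructed inline for the demo and are not real keys; the thresholds are the example’s own assumptions.

```python
"""Audit authorized_keys entries: key type, size, fingerprint and risky options."""
import base64
import binascii
import hashlib
import re
import struct

# One authorized_keys entry: [options] key-type base64-blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def key_details(blob_b64):
    """Return (key type, key size in bits, SHA256 fingerprint) for a base64 key blob."""
    blob = base64.b64decode(blob_b64)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    bits = None
    if ktype == "ssh-rsa":
        _exponent, off = _read_string(blob, off)  # mpint e
        modulus, _ = _read_string(blob, off)      # mpint n
        bits = int.from_bytes(modulus, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    elif ktype.startswith("ecdsa-sha2-nistp"):
        bits = int(ktype[len("ecdsa-sha2-nistp"):])
    # Same format as `ssh-keygen -lf`: SHA256 of the blob, base64 without padding.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, fingerprint


def audit_authorized_keys(text):
    """Return one finding per key entry, with the issues a reviewer would want to see."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append({"line": lineno, "issues": ["unparseable-line"]})
            continue
        options = line[:m.start()].strip()
        try:
            ktype, bits, fingerprint = key_details(m["blob"])
        except (binascii.Error, struct.error):
            findings.append({"line": lineno, "issues": ["corrupt-key-blob"]})
            continue
        issues = []
        if ktype == "ssh-dss":
            issues.append("dsa-key-deprecated")
        if ktype == "ssh-rsa" and bits < 2048:          # size threshold is this example's assumption
            issues.append("rsa-key-shorter-than-2048")
        if "from=" not in options:                      # key usable from any source address
            issues.append("no-source-restriction")
        if not m["comment"]:                            # nobody recorded whose key this is
            issues.append("no-comment-identifying-owner")
        findings.append({"line": lineno, "type": ktype, "bits": bits, "fingerprint": fingerprint,
                         "options": options, "comment": m["comment"], "issues": issues})
    return findings


# --- constructed sample data (synthetic blobs, not real keys) ---------------------------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the mpint positive, as the wire format requires
    return _ssh_string(b)


def constructed_rsa_key(bits):
    """A syntactically valid ssh-rsa blob with a synthetic modulus of the given size (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)).decode()


def constructed_ed25519_key():
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    'from="192.0.2.0/24",no-pty ssh-rsa ' + constructed_rsa_key(1024) + " deploy@build",
    "ssh-ed25519 " + constructed_ed25519_key() + " alice@laptop",
    "ssh-rsa " + constructed_rsa_key(4096),
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

Run against real files, the fingerprints are what lets you correlate the same public key across many hosts, which is the proliferation problem the article describes; the `from=` check is the cheapest single improvement, since a key restricted to the hosts that legitimately use it is far less useful to anyone who copies it.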
  35. Tomi Engdahl says:

    Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack
    http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br

    We just pushed a rule out through CloudFlare’s WAF that detects the signature of the attack and stops it. Rather than limiting this to only paying customers, CloudFlare is rolling out the fix to all our customers automatically, including customers on our free plan. If you are a WordPress user and you are using CloudFlare, you are now protected from this latest brute force attack.

    Reply
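    Not every site sits behind a WAF, but the attack described in the CloudFlare and Sophos posts above (many source addresses each sending a few password guesses at wp-login.php) is visible in ordinary web server logs. The following is an added example, not CloudFlare’s rule and not code from any of the quoted articles: a Python detector that parses Apache combined-format access log lines, keeps only POSTs to wp-login.php, and raises an alert when a sliding window holds both many attempts and many distinct source IPs, which is what distinguishes a distributed dictionary attack from one misbehaving client. The log lines are constructed for the demo; the window and thresholds, and the assumption that WordPress answers a failed login with HTTP 200 (the form redrawn) and a successful one with a 302 redirect, are the example’s own.

```python
"""Detect a distributed brute-force run against WordPress logins from access logs."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real log data): a burst of login POSTs from six
# addresses in about ten seconds, one ordinary page view, and one real login later.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_login_events(log_text):
    """Return (timestamp, ip, status) for every POST to wp-login.php, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], int(m["status"])))
    events.sort()
    return events


def detect_distributed_bruteforce(events, window=timedelta(seconds=60), min_attempts=5, min_ips=4):
    """Slide a time window over failed logins; alert when attempts and distinct IPs both exceed thresholds."""
    # Assumption: WordPress redraws the form with HTTP 200 on a failed login and
    # redirects (302) on success, so 200 is treated as a failure here.
    failures = [(ts, ip) for ts, ip, status in events if status == 200]
    successes = [(ts, ip) for ts, ip, status in events if status == 302]
    recent = deque()
    first_alert_at = None
    peak_attempts = peak_ips = 0
    for ts, ip in failures:
        recent.append((ts, ip))
        while recent and ts - recent[0][0] > window:   # drop events older than the window
            recent.popleft()
        ips_in_window = {r_ip for _, r_ip in recent}
        peak_attempts = max(peak_attempts, len(recent))
        peak_ips = max(peak_ips, len(ips_in_window))
        if first_alert_at is None and len(recent) >= min_attempts and len(ips_in_window) >= min_ips:
            first_alert_at = ts
    return {
        "failed_attempts": len(failures),
        "distinct_ips": len({ip for _, ip in failures}),
        "per_ip": Counter(ip for _, ip in failures),
        "peak_window_attempts": peak_attempts,
        "peak_window_ips": peak_ips,
        "distributed": first_alert_at is not None,
        "first_alert_at": first_alert_at,
        "successful_logins": successes,
    }


if __name__ == "__main__":
    report = detect_distributed_bruteforce(parse_login_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Per-IP rate limiting alone misses this pattern, because each bot stays under any sensible per-address threshold; the distinct-IP count in the window is the signal. A successful login that follows a burst is the event worth paging on, so the report keeps the 302s separately rather than folding them into the attempt count.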
  36. San Francisco relocation moving companies says:

    It is in point of fact a great and useful piece of info.
    I’m happy that you simply shared this helpful info with us. Please keep us informed like this. Thanks for sharing.

    My blog – San Francisco relocation moving companies

    Reply
  37. Tomi Engdahl says:

    Cybersecurity: A View From the Front
    http://www.nytimes.com/2013/04/12/opinion/global/cybersecurity-a-view-from-the-front.html?_r=1&

    TALLINN, Estonia — The changes in the digital world today represent a dramatically sped-up version of the changes the world underwent in a century of industrialization.

    Today, a small, poor East European country can be a world leader in e-governance and cybersecurity.

    In February, the United Nations praised Estonia’s e-Annual Report system

    Last autumn, Freedom House ranked Estonia first in Internet freedom for the third year in a row

    At the same time, Estonia is also remembered as the first publicly known target of politically motivated cyberattacks in April 2007

    Disruptive as the attacks were, they were by today’s standards primitive, consisting of “distributed denial of service” attacks (DDoS)

    Yet those attacks were a blessing — Estonia took cybersecurity seriously earlier than most. In 2008, NATO opened its Cooperative Cyber Defense Center of Excellence, to enhance NATO’s cyberdefense capability, in Tallinn.

    Cybersecurity needs to be taken seriously by everyone. We continue to think of cyberthreats in military or classical warfare terms, when in fact cyber can simply render the military paradigm irrelevant. The whole information and communication technologies (ICT) infrastructure must be regarded as an “ecosystem” in which everything is interconnected. It functions as a whole; it must be defended as a whole.

    Today, almost everything we do depends on a digitized system of one kind or another. Our critical infrastructure — our electrical, water or energy production systems and traffic management — essentially interacts with, and cannot be separated from, our critical information infrastructure — private Internet providers, lines of telecommunications and the Supervisory Control and Data Acquisition (Scada) systems that run everything from nuclear power plants to delivery of milk to our supermarkets.

    In a modern digitalized world it is possible to paralyze a country without attacking its defense forces: The country can be ruined by simply bringing its Scada systems to a halt. To impoverish a country one can erase its banking records. The most sophisticated military technology can be rendered irrelevant. In cyberspace, no country is an island.

    If the private sector is unwilling to take the necessary steps to guarantee the integrity of its online activities, the government must step in to fulfill its most fundamental task

    Identity lies at the core of security online. Virtually all breaches of computer security involve a fake identity

    The key to all online security is a secure online identification system.

    In Estonia, the government has become the guarantor of secure transactions online, while identity is authenticated by a body independent of the government

    By the end of 2012, Estonians gave more than a hundred million digital legal signatures

    The job of cybersecurity is to enable a globalized economy based on the free movement of people, goods, services, capital and ideas. This can only be accomplished if identities are secure.

    Reply
  38. Tomi Engdahl says:

    ACLU asks feds to probe wireless carriers over Android security updates
    “Defective” phones from AT&T, Verizon, Sprint, T-Mobile pose risks, ACLU says.
    http://arstechnica.com/security/2013/04/wireless-carriers-deceptive-and-unfair/

    Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation’s four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities.

    “All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices,” Christopher Soghoian, principal technologist and senior policy analyst for the ACLU

    “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software”

    “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch,” the complaint stated. “The practices of the major wireless carriers alleged herein as they relate to the poor security of the smartphones sold to consumers constitute deceptive and unfair business practices subject to review by the FTC under section 5 of The Federal Trade Commission Act.”

    Security experts said the proliferation of unpatched handsets opens millions of owners to hacks that wouldn’t be possible if their smartphones were running more up-to-date versions of Android. The most common types of attacks on the mobile OS are launched by malicious apps exploiting vulnerabilities that escalate privileges, allowing the apps to access address books or other sensitive resources that by design are supposed to be off limits.

    Reply
  39. Tomi Engdahl says:

    Oracle fixes 42 holes in Java to revive security confidence
    http://ibnlive.in.com/news/oracle-fixes-42-holes-in-java-to-revive-security-confidence/385907-11.html

    Oracle Corp released a major security update on Tuesday for the version of Java programming language that runs inside Web browsers to make it a less popular target for hackers.

    The patch fixes 42 vulnerabilities within Java, including “the vast majority” of those that have been rated as the most critical, said Oracle Executive Vice President Hasan Rizvi.

    Perhaps the most significant change will be that, in the default setting, sites will not be able to force the small programs known as Java applets to run in the browser unless they have been digitally signed. Users can override that only if they click to acknowledge the risk, Rizvi said.

    Not all known problems are being fixed with the current patch, but there are no unpatched problems that are being actively exploited, Rizvi said.

    “It was pretty embarrassing what happened with the Facebook attacks,”

    Reply
  40. Tomi Engdahl says:

    ACLU to FTC: Mobile carriers fail to provide good Android security
    http://news.cnet.com/8301-1035_3-57579978-94/aclu-to-ftc-mobile-carriers-fail-to-provide-good-android-security/

    The civil liberties group claims AT&T, Verizon, T-Mobile, and Sprint aren’t doing enough to protect users’ private data because they’re not sending out timely Android security updates.

    Reply
  41. Tomi says:

    Firefox ‘death sentence’ threat to TeliaSonera over gov spy claims
    Mozilla may snub telecom giant’s new SSL certs
    http://www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera/

    Firefox-maker Mozilla could issue a “death sentence” to TeliaSonera’s SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

    The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet’s web surfers.

    If Mozilla decides to reject TeliaSonera’s new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.

    A TeliaSonera spokesperson told The Reg it has an “ongoing dialogue” with Mozilla

    “If Mozilla kicks a CA out of the trust database, it is essentially a death sentence for the company – or at least, its certificate-selling business. No one is going to pay money for a certificate that generates warnings for millions of Firefox users.”

    Reply
  42. tomi says:

    EXCLUSIVE: Drones vulnerable to terrorist hijacking, researchers say
    http://www.foxnews.com/tech/2012/06/25/drones-vulnerable-to-terrorist-hijacking-researchers-say/

    Professor Todd Humphreys and his team at the University of Texas at Austin’s Radionavigation Laboratory have just completed a successful experiment: illuminating a gaping hole in the government’s plan to open US airspace to thousands of drones.

    They could be turned into weapons.

    “Spoofing a GPS receiver on a UAV is just another way of hijacking a plane,” Humphreys told Fox News.

    In other words, with the right equipment, anyone can take control of a GPS-guided drone and make it do anything they want it to.

    “Spoofing” is a relatively new concern in the world of GPS navigation. Until now, the main problem has been GPS jammers, readily available over the Internet

    While jammers can cause problems by muddling GPS signals, spoofers are a giant leap forward in technology; they can actually manipulate navigation computers with false information that looks real. With his device — what Humphreys calls the most advanced spoofer ever built (at a cost of just $1,000) — he infiltrates the GPS system of the drone with a signal more powerful than the one coming down from the satellites orbiting high above the earth

    The new rules have raised privacy concerns about a “surveillance society,” with UAVs tirelessly watching our every move 24/7. But Humphreys’ experiments have put an entirely new twist on the anxiety over drones.

    “What if you could take down one of these drones delivering FedEx packages and use that as your missile? That’s the same mentality the 9-11 attackers had,” Humphreys told Fox News.

    Reply
  43. Tomi Engdahl says:

    Can a Hacker Hijack a Plane With an Android App?
    http://mashable.com/2013/04/11/hacker-hijack-plane-android-app/

    Imagine the kind of havoc a malicious hacker could cause if he or she were able to take over an airplane simply using his Android phone.

    Hugo Teso, a security researcher for the German IT consultancy firm N.Runs — he is a trained commercial pilot as well — explained at the Hack in the Box security conference that a protocol used to transmit data to commercial airplanes can be hacked, turning the hacker into a full-fledged hijacker.

    The flawed protocol is a data exchange system called Aircraft Communications Addressing and Report System, or ACARS. Exploiting its flaws, as well as the bugs found in flight management software made by companies like Honeywell, Thales, and Rockwell Collins, Teso maintains he can take over a plane by sending it his own malicious radio signals. To do that, he has created an exploit framework, codenamed SIMON, and an Android app called PlaneSploit that can communicate with the airplanes’ Flight Management Systems (FMS).

    “You can use this system to modify approximately everything related to the navigation of the plane,” Teso told Forbes’ Andy Greenberg in an interview. “That includes a lot of nasty things.”

    Hacker to FAA: Airplanes can’t be hacked? Prove it.
    http://venturebeat.com/2013/04/13/renderman-plane-hacks/

    Researcher and hacker Brad “Renderman” Haines knew airplanes could be hacked a year ago, before news hit of a German researcher’s app that can take over a plane’s flight controls. Now, he’s telling the nay-saying Federal Aviation Administration to prove its systems are safe, and says drones might have a similar problem.

    “Really, it’s put up or shut up. If they say it’s secure, there should be no harm in publicly giving access to a test lab,” said Haines in an interview with VentureBeat. “Now, you don’t have to be a nation state in order to tinker with this stuff. You can be some bored guy on a couch.”

    This week, German researcher Hugo Teso revealed an app that manipulates the Aircraft Communications Addressing and Report System (ACARS), which can give you access to the plane’s flight management system (FMS). You can communicate with ACARS through hacking the airline’s systems or using a special radio, according to Teso. From there, he could send his own information to the plane, such as “turn left.”

    “Pilots receive no training on what happens … if there’s an outside intelligence manipulating the data. They’re not trained for that,” said Haines.

    Reply
  44. Tomi Engdahl says:

    CISPA Passes US House, Despite Privacy Shortcomings and Promised Veto
    http://politics.slashdot.org/story/13/04/18/1739234/cispa-passes-us-house-despite-privacy-shortcomings-and-promised-veto

    “Despite the protests of Internet privacy advocates, the controversial Cyber Intelligence Sharing and Protection Act (CISPA) passed the House of Representatives Thursday. The vote was 288-127. … CISPA saw a handful of minor amendments soon before passage.”

    Reply
  45. Tomi Engdahl says:

    US House of Representatives passes CISPA by 288-127
    http://www.theregister.co.uk/2013/04/18/house_of_representatives_cispa_vote/

    The legislation sets up a framework for federal government agencies to share information on security threats with private companies in order to help protect their systems. In return, private companies can choose to hand over user information (anonymized or not) to the government for “cybersecurity purposes” with full legal indemnity, whatever their terms and conditions say.

    “CISPA is a poorly drafted bill that would provide a gaping exception to bedrock privacy law,” EFF senior staff attorney Kurt Opsahl said in a statement. “While we all agree that our nation needs to address pressing Internet security issues, this bill sacrifices online privacy while failing to take common-sense steps to improve security.”

    Reply
  46. Tomi Engdahl says:

    ‘He’s F**KED with the wrong nerd – I warned him I’d go public’
    Plus: ‘You have to be a complete Facebook junkee to use Home’
    http://www.theregister.co.uk/2013/04/19/quotw_ending_april_19/

    This was the week when head honcho at Google Eric Schmidt gave the world his two cents on the privacy concerns surrounding unauthorised photos taken of people and their homes. The photos taken by civilian drones of course, not those taken from cars with “Street View” emblazoned on them.

    In other air-related news, both the US Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) have pointed out that a flight simulator and an actual aeroplane are not the same thing. The aviation officials were forced to bring this to folks’ attention after a security researcher claimed that he used an Android app to hijack in-flight systems.

    Facebook Home, which replaces phone lockscreens with a rolling feed of friends’ pictures and also prioritises other Zuck apps like Messenger above typical Android features, is just a little too… Facebooky for folks penning reviews on Google Play.

    Reply
  47. Tomi Engdahl says:

    Lost laptops cost companies $50k apiece
    Encryption no match for corporate accounting
    http://www.theregister.co.uk/2009/04/23/ponemon_intel_lost_laptop_study/

    A single lost or stolen laptop costs a business an average of nearly $50,000. At least, that’s the word from an Intel-sponsored study by the Ponemon Institute.

    Value of missing kit was mathmagically calculated by factoring laptop replacement, data breach cost, loss of productivity, investigation cost, and other variables.

    The value of a lost lappy to a firm cost an average of $49,246, according to Ponemon. Minimum damage calculated in the survey was about $1,200, and the maximum reported value was just short of a cool $1m.

    Loss of a laptop used by mid-level managers and directors would cost a company about $60,000 on average, according to the study, while the CEO’s machine isn’t even worth half that.

    Reply
  48. Tomi Engdahl says:

    In Q1 2013, attackers take aim at ISP and carrier router infrastructures with high packet-per-second DDoS attacks

    Global DDoS Attack Report reveals the increasing scale of DDoS attacks is challenging appliances, ISPs, carriers and content delivery networks.

    In Q1 average attack bandwidth totaled 48.25 Gbps, a 718 percent increase compared with last quarter, and an average packet-per-second rate of 32.4 Mpps.

    Source:
    Q1 2013 Global DDoS Attack Report
    http://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html

    Reply
  49. Tomi Engdahl says:

    American Megatrends Statement on BIOS Security Compromise via Unnamed Taiwan Vendor FTP Site
    http://www.ami.com/News/PressRelease/?prid=392

    Recent disclosures via the personal blog site of an industry blogger and researcher detailed the discovery of a “leaky” FTP server from an unnamed Taiwan-based vendor containing AMI UEFI BIOS source code and suspected security key data among various internal data

    AMI would like to clarify that this leak is not the fault of AMI and is not a result of a security lapse on AMI’s behalf

    As this would imply a serious threat to AMI intellectual property and security issues for the BIOS utilized for these platforms, AMI was compelled to respond in order to allay concerns regarding any potential security threats that might be implied from this news. AMI states that this is not a general security threat which could “create a nearly undetectable, permanent hole in a system’s security”, if the manner in which production-level BIOS is signed and created uses production keys.

    To explain in more detail, AMI has examined the security keys referenced in the blog post and confirmed that the keys in question are test keys. Test keys are normally used for development and test purposes since developers do not have access to production keys.

    Therefore, even though the test keys were unfortunately leaked via this unsecure FTP site, a production level private key used by a customer cannot be obtained with the information made public.

    Reply
  50. Tomi Engdahl says:

    Security Done Wrong: Leaky FTP Server
    http://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/

    Here are the key points and clarifications:

    To clarify, the ‘vendor’ I refer to is a customer of AMI; it is this customer’s public FTP server that exposed this information.
    Per AMI, the signing key included in the ‘Ivy Bridge’ archive is a default test key; AMI instructs customers to change the key before building for a production environment. It’s not currently known if the customer was following recommended practices.
    The ‘Ivy Bridge’ code was unmodified, meaning that the customer had not made any alterations to this specific copy.

    I received a call from my frequent research partner, Brandon Wilson, about an open FTP server hosted in Taiwan serving up some rather interesting data. Internal emails, various system images (and even the Ghost software!), numerous photos – some personal, some high resolution PCB images, private specification sheets, Excel documents loaded with private information – but that wasn’t the worst.

    In a folder called code was quite a treasure. The source code for different versions of American Megatrends (AMI) firmware – but there was even a bonus on top of that! They included their private signing key with the code in the ‘Ivy Bridge’ archive.

    Reply
