Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).
Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.
Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.
Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.
Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Google Proposes To Warn People About Non-SSL Web Sites
http://tech.slashdot.org/story/14/12/17/2233236/google-proposes-to-warn-people-about-non-ssl-web-sites
The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm’s browser. If implemented, the developers wrote, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”.
Google considers warning internet users about data risks
http://www.bbc.com/news/technology-30505970
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system.
Paul Mutton, a security analyst at web monitoring firm Netcraft, also welcomed the proposal, saying it was “bizarre” that an unencrypted HTTP connection gave rise to no warnings at all.
“In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS,” he said. Many may resent the cost in time and money required to adopt the technology, he said, even though projects exist to make it easier and free for website administrators to use HTTPS.
“It will seem like a lot of hassle in the short term, but it will be a good thing for the whole web in the long run,” he said.
Tomi Engdahl says:
RFID-blocking blazer and jeans could stop wireless identity theft
http://thestack.com/rfid-blocking-blazer-jeans-wireless-identity-theft-171214
A pair of trousers and blazer have been developed by San Francisco-based clothing company Betabrand and anti-virus group Norton that are able to prevent identity theft by blocking wireless signals.
The READY Active Jeans and the Work-It Blazer contain RFID-blocking fabric within the pockets’ lining designed to prevent hacking through radio frequency identification (RFID) signals emitted from e-passports and contactless payment card chips.
According to the clothing brand, this form of hacking is an increasing threat, with “more than 10 million identities digitally pick pocketed every year [and] 70% of all credit cards vulnerable to such attacks” by 2015.
Due to go on sale in February of next year
Other such initiatives include Disklab’s RFID-blocking wallets which will launch in the new year. “There is technology readily available for anyone to snatch other people’s credit and debit card data within seconds,” said Simon Steggles CEO at Disklabs. “These apps simply copy the card with all the information on it,” he explained.
Tomi Engdahl says:
Google’s End-To-End Email Encryption Tool Gets Closer To Launch
http://techcrunch.com/2014/12/17/googles-end-to-end-email-encryption-tool-gets-closer-to-launch/
More than half a year ago, Google announced that it was working on an email encryption Chrome plugin that would make it very easy for anybody to encrypt their emails. Now, it looks like this tool is getting a bit closer to launch.
While it’s not ready for a wider release yet, Google this week moved its so-called “End-to-End” tool to GitHub to encourage a wider range of developers to take a look at it and make sure it’s secure. It also released a few more details on how it expects the service to work.
Email encryption has always been a hassle to use. That’s not so much because public-key cryptography is all that complex (though the concept behind it is a bit unintuitive at first), but mostly because nobody ever really figured out how to make it easy for mainstream users. Mailvelope is one of the easier Chrome plugins to use to encrypt email right now and that still assumes at least some basic understanding of the concepts behind it.
While End-to-End is still a work in progress, Google has now also shared some if its plans
Most other OpenPGP-based systems rely on a web of trust to ensure that a public key really belongs to its owner. “This requires a significant amount of work by the user, and is a hard concept to grasp for average users,”
With its key server, Google is taking a more centralized approach. Users’ public keys will be automatically registered with the server and the directory will publish the key.
It looks like the plugin will also offer other web applications access to its encryption services. That’s great to see, because a service that only supports Gmail isn’t quite as interesting as one that also supports other web-based messaging systems
Tomi Engdahl says:
Mobile Ad Firms Spotted Serving Up Malware Posing As Google Play Apps
http://techcrunch.com/2014/12/12/mobile-ad-firms-spotted-serving-up-malware-posing-as-google-play-apps/?ncid=rss&cps=gravity
Malware creators have historically found creative ways to distribute their malicious wares across PC networks, and now they’ve turned their attention to mobile. In 2013, for example, there were a few high-profile cases where security firms like Palo Alto Networks and Lookout discovered how malware was being distributed through rogue mobile ad networks to Android devices. Today, security firm Avast has spotted another handful of ad firms distributing malware to mobile devices – but this time, the ads are pointing users to malware that are posing as “real” Google Play applications.
Combined, the three ad firms’ servers have around 185,000 views daily, which may make this a smaller scale malware distribution effort compared with the “BadNews” malware Lookout had found which had been downloaded somewhere between 2 million to 9 million times
App users are directed to pornographic sites via the ads displayed in their apps, Avast researcher Filip Chytry explains. Those sites then display a download for the malware-laden apps.
Most of the apps links lead to pornography or fake apps, but because they’re not actually hosted on Google Play, the malware authors have designed official-looking pages that explain how to configure your phone to allow for their installation.
Tomi Engdahl says:
Serious Vulnerabilities Found in Schneider Electric’s ProClima Solution
http://www.securityweek.com/serious-vulnerabilities-found-schneider-electrics-proclima-solution
The ProClima configuration utility developed by Schneider Electric is affected by several command injection vulnerabilities, the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) reported on Tuesday.
ProClima is a thermal management software used in sectors such as energy, commercial facilities, and critical manufacturing, mainly in the United States and Europe. The solution processes thermal data, such as temperature and humidity, in order to define the right thermal management choice (ventilation, control, heating and cooling functions) for installed equipment.
The security holes, which according to Schneider Electric are ActiveX Control vulnerabilities, were discovered by researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc, and reported through HP’s Zero Day Initiative (ZDI). Successful exploitation could allow a remote attacker to execute arbitrary code.
The vulnerabilities can be exploited even by an attacker with a low skill level. However, ICS-CERT says there’s no evidence that they are being exploited in the wild.
As always, ICS-CERT advises organizations that use ProClima to minimize the network exposure of control systems and devices, and isolate them from the Internet. For cases where remote access is required, the use of virtual private networks (VPNs) is highly recommended.
Since Schneider Electric’s products are widely deployed, they are targeted by many researchers who specialize in ICS security.
Tomi Engdahl says:
Vulnerabilities Found in Schneider Electric SCADA Product Line
http://www.securityweek.com/vulnerabilities-found-schneider-electric-scada-product-line
A total of three security holes have been identified in Schneider Electric’s StruxureWare SCADA Expert ClearSCADA products, ICS-CERT reported this week.
Schneider Electric SCADA Expert ClearSCADA solutions are Web-based systems deployed in industries such as energy, water and commercial facilities, mainly in the United States and Europe.
According to security advisories published by ICS-CERT and Schneider Electric, the flaws include an authentication bypass issue, a weak hashing algorithm and a cross-site scripting (XSS) vulnerability. Independent security researcher Aditya Sood, who has been credited for identifying two of the vulnerabilities, clarified for Kaspersky’s Threat Post that he actually reported a cross-site reference forgery (CSRF) flaw, not an XSS vulnerability.
By leveraging this vulnerability (CVE-2014-5411), an attacker could remotely shut down the ClearSCADA server by tricking a victim with system administrator privileges logged in via the WebX client interface to unknowingly execute arbitrary code, the vendor said.
“The guest user account within ClearSCADA installations is provided read access to the ClearSCADA database for the purpose of demonstration for new users. This default security configuration is not sufficiently secure to be adopted for systems placed into a production environment and can potentially expose sensitive system information to users without requiring login credentials,” ICS-CERT said in its advisory.
Tomi Engdahl says:
Linux Systems Affected by “Grinch” Vulnerability: Researchers
http://www.securityweek.com/linux-systems-affected-grinch-vulnerability-researchers
Researchers at cloud security company Alert Logic have discovered a vulnerability in the Linux platform that can lead to privilege escalation. The flaw has been dubbed “Grinch.”
According to Alert Logic, Grinch could affect all Linux systems, including Web servers and mobile devices. The security hole is actually a common configuration issue related to Polkit, a relatively new component used for controlling system-wide privileges on Unix-like operating systems.
Unlike Sudo, which enables system administrators to give certain users the ability to run commands as root or another user, Polkit allows a finer level of control by delimiting distinct actions and users, and defining how the users can perform those actions.
Privilege escalation can be achieved through “wheel,” a special user group with administrative privileges. On Linux systems, the default user is automatically assigned to this group, Stephen Coty, chief security evangelist at Alert Logic wrote in a blog post.
Alert Logic has pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.
Don’t Let the Grinch Steal Christmas
https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
Tomi Engdahl says:
Layered Security – It’s Not Just for Networks
http://www.securityweek.com/layered-security-its-not-just-networks
It strikes me that attackers like to ‘surprise’ their targets in much the same way – disguising threats as something they aren’t, but leading to a not so pleasant surprise. They may send emails that appear to be from a trusted source but instead include a link to a website or a file attachment infected with malware. There are targeted attacks that combine sophisticated social engineering with elusive methods to gain a persistent foothold within the network and exfiltrate critical data. There are entirely new zero-day attacks, unlike anything we’ve seen before and which traditional defenses can’t recognize. And techniques continue to change.
These various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. That’s what we as defenders need to do with our defenses – use a security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. As security professionals we’re all familiar with the concept of defense-in-depth and multi-layered protection. Traditionally these approaches have been focused on the network, but they can and should be applied to email gateways as well.
Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Tomi Engdahl says:
More and more organizations are moving applications and data to IaaS/PaaS environments in order to enjoy the benefits of cloud computing while still preserving application flexibility and control.
However, many enterprise IT departments have serious concerns about moving their more sensitive servers and data to the cloud. They have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day
Zen and the Art of Cloud Database Security (Part 1)
http://www.securityweek.com/zen-and-art-cloud-database-security-part-1
Zen and the Art of Cloud Database Security (Part 2)
http://www.securityweek.com/zen-and-art-cloud-database-security-part-2
Tomi Engdahl says:
Transforming Security Into an Enabler: The Validated Best of Breed Certification Paradigm
http://www.securityweek.com/transforming-security-enabler-validated-best-breed-certification-paradigm
Current Certification and Accreditation Regimes Have Become a Hindrance to the Rapid Fielding of Effective Software Solutions
According to the Center for Strategic and Budgetary Assessments, between 2001 and 2011 the Department of Defense (DoD) spent some $46 billion on a dozen or more programs that never achieved operational capability.
Security drives many of these software issues. Security requirements for information assurance, risk management, and certification and accreditation constrain Government organizations with respect to software allowed on Government networks. On one level, this is nothing more than managing the supply chain to prudently mitigate security risks to systems and networks. Unfortunately, these security measures often become procedural impediments and disablers, preventing Government programs from implementing optimal solutions.
The intent of these requirements is uniformly good, but problems arise as they are distilled into a myriad of risk management policies and directives. This results in a security environment where many excellent, and often cost effective, software components are unavailable for Government use. In many cases these components are proven commercial products (both proprietary and open source) that simply lack the right certification or accreditation pedigree. A brief look at one of the most important security certification standards, the “Common Criteria for Information Technology Security Evaluation” (Common Criteria), helps to illustrate the point.
Instead of providing useful security, assurance programs often stifle innovation, retard the economy and entrench monopolies. Clearly, these are unintended outcomes. A proactive certification regime’s goals should be to create a broad catalogue of approved software and, at the same time, ensure security through a rapid and cost effective vetting process. Achieving these would go a long way toward addressing the acquisitions dilemmas that continue to plague the Government.
Tomi Engdahl says:
NSA to defend Internet collection in court
http://thehill.com/policy/cybersecurity/227283-nsa-heads-to-court-to-defend-internet-collection
Digital rights advocate the Electronic Frontier Foundation (EFF) is taking the National Security Agency (NSA) to court on Friday over the agency’s Internet data collection program.
Tomi Engdahl says:
Sean Gallagher / Ars Technica:
State-sponsored or not, Sony Pictures malware “bomb” used slapdash code
State-sponsored or not, Sony Pictures malware “bomb” used slapdash code
Malware was just good enough to do the job, perhaps what North Korea intended.
http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-malware-bomb-used-slapdash-code/
According to multiple reports, unnamed government officials have said that the cyber attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal reports that investigators suspect the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit.
But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it.
Analysis by researchers at Cisco of a malware sample matching the MD5 hash signature of the “Destover” malware that was used in the attack on Sony Pictures revealed that the code was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb.
Compared to other state-sponsored malware that researchers have analyzed, “It’s a night and day difference in quality,” said Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, in an interview with Ars. “The code is simplistic, not very complex, and not very obfuscated.”
Faking hacktivism
Based on the mailbox files leaked by the attackers, data was being pulled from the network—likely from desktop backups—as late as November 23, the day before the attack wiped disk drives. While data may have been extracted over a much longer period of time, it seems likely that it was retrieved in bulk directly from Sony Pictures’ network on the Sunday before the attack by someone with direct access to the network and that the wiper malware was implanted at the same time.
That approach would have required inside help or the insertion of operatives into Sony’s organization. Such an operation might not exactly be high-tech, but it would certainly require organizational sophistication and significant intelligence collection in advance—both things that play to the strengths of a state actor like Unit 121.
According to South Korean reports, North Korea has been building a cyber-army of incredible magnitude for over a decade.
Wiper Malware – A Detection Deep Dive
http://blogs.cisco.com/security/talos/wiper-malware#more-160237
Tomi Engdahl says:
Graham Cluley:
Technology news site Ars Technica hacked, readers advised to change passwords
http://grahamcluley.com/2014/12/ars-technica-hacked-readers-advised-change-passwords/
Tomi Engdahl says:
Craig Timberg / Washington Post:
Critical vulnerabilities in SS7 telephony protocol found; tested techniques can decrypt cell phone calls and texts — German researchers discover a flaw that could let anyone listen to your cell calls. — German researchers have discovered security flaws that could let hackers …
German researchers discover a flaw that could let anyone listen to your cell calls
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.
These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.
“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.
The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.
Tomi Engdahl says:
Michael Mimoso / Threatpost:
Vulnerability in embedded web server software from 2002 leaves about 12M home routers exposed — 12 Million Home Routers Vulnerable to Takeover — More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man …
12 Million Home Routers Vulnerable to Takeover
http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970
More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer.
Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.
The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.
“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.” – See more at: http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970#sthash.qay5bYS0.dpuf
Tomi Engdahl says:
Spear Alerting: Improving Efficiency of Security Operations and Incident Response
http://www.securityweek.com/spear-alerting-improving-efficiency-security-operations-and-incident-response
I’ve written in the past on the topic of “alert fatigue”, which describes the concept where organizations receive too many alerts with too little context and too many false positives. I discussed this concept most recently in a SecurityWeek piece entitled, “Security Operations: What is Your Signal-To-Noise Ratio?”
I have found it most effective to first enumerate security risks, goals, and priorities as discussed in one of my previous SecurityWeek pieces entitled, “Is Security An Unsolvable Problem?” Following that, I advise organizations to then “Throw Out The Default Rule Set”, as I discussed in another one of my previous SecurityWeek pieces.
This approach is a bit different than the traditional approach taken by many security organizations, and at first, it may seem radical. But we already know that the conventional approach drowns us is noise and obscures our signal to the point that we cannot operate. It would seem to me that a different approach is necessary, one similar to that which I have described above. I call this approach “spear alerting”, and it is the only way to allow an organization to get to 100 alerts a day. What do I mean by that? Allow me to explain.
One of the goals of an incident response team should be to handle no more than 100 alerts a day. At first, this may sound like a ridiculous assertion. However, I think that if we examine this more closely, you will agree that it makes sense. Let’s take an analytical approach and go to the numbers.
Let’s say we have each of our analysts working an eight hour shift. Assuming 100% productivity for each analyst, that allows each analyst to work approximately eight incidents per day. Let’s assume that we want to work 96 alerts properly each day (since 100 is not divisible by eight). That works out to a requirement to have 12 analysts on shift (or spread across multiple shifts) to give proper attention to each alert.
Let’s face it — the numbers are sobering. Even a large enterprise with a large incident response team can realistically handle no more than 100-200 alerts in a given day. Sometimes I meet people who tell me “we handle 5,000 incidents per day”.
I’m referring to as spear alerting and can be outlined at a high level as follows:
• Collect the smallest amount of data of highest value and relevance to security operations and incident response that provides the required visibility.
• Identify goals and priorities for detection and alerting in line with business needs, security needs, management/executive priorities, risk/exposure, and the threat landscape. Use cases can be particularly helpful here.
• Craft human language logic designed to extract only the events relevant to the goals and priorities identified in the previous step.
• Convert the human language logic into precise, incisive, targeted queries designed to surgically extract reliable, high fidelity, actionable alerts with few to no false positives
• Continually iterate through this process, identifying new goals and priorities, developing new content, and adjusting existing content based on feedback obtained through the incident response process.
Tomi Engdahl says:
The Virtual Currency Taking Over the World isn’t the One You Think
http://www.securityweek.com/virtual-currency-taking-over-world-isn%E2%80%99t-one-you-think
Currency is a technology that evolves according to the needs of the people who use it. Throughout history, the forcing function for an evolutionary step in currency has usually been to meet an efficiency gap such as arbitrage, auditing, or fraud control. In the 20th century, the most significant evolution occurred when all governments detached the value of their currencies from underlying precious metal reserves.
With the rise of the Internet, the world may be on the verge of evolving a new currency—one that more closely lives in the digital world, and one that can be transmitted directly from one individual and received and processed by another as easily as an email or a text message. The world is looking for a virtual currency. Virtual means that the currency is not backed by a physical commodity, is not controlled by a government agency either, and is used and accepted among members of a specific virtual community (that is, the Internet).
Today, enthusiasts of virtual currencies fall into two camps. The first camp contains the crypto-currency enthusiasts.
Crypto-currency enthusiasts are also a very expressive group, blogging frequently about the currency and singing the praises of its benefits and the security of its protocol. However, as one would expect from contrarians, they disagree with each other quite often; as a result, there are now 80 virtual currencies—all based off of Bitcoin—with names like Dogecoin, Altcoin, and Primecoin. Of these, Bitcoin has the vast majority of mindshare and user base.
But for all the noise, the actual number of Bitcoin users is very likely quite small. Brandon Hurst, a Bitcoin enthusiast himself, estimates the number of Bitcoin users at less than 1 million.
The second camp of virtual currency enthusiasts is largely unknown, which is surprising considering that there are over 30 million of them. They wouldn’t even consider themselves as virtual currency enthusiasts, but just ordinary people in Africa using an SMS text-based currency called M-Pesa.
M-Pesa was invented as a virtual currency by mobile network provider Vodafone after it was discovered that its airtime minutes were being used and traded in by people in Africa in lieu of actual money. Partnering with the governments of Kenya and Tanzania, Vodafone launched the M-Pesa service, which would allow registered users to send and receive money using text messages. Tens of thousands of Point of Sale merchants, such as news agencies, grocers, landlords and government agencies were recruited to accept M-Pesa.
M-Pesa transactions are limited to $500, which reduces the incentive for mischief. Fraud still occurs in the M-pesa system, but at very low levels compared with that of Bitcoin or any traditional currency. In fact, Safaricom, the operator of M-pesa in Kenya, reports a fraud rate less than 1%.
The forward drivers for Bitcoin and M-Pesa are completely different. Speculation will continue to be a primary force for Bitcoin in 2015.
Tomi Engdahl says:
Rockwell: Security a business enabler
http://www.controleng.com/single-article/rockwell-security-a-business-enabler/fb7f9fd02b72649b8db0f7b6404c03ab.html
Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Security is truly a business enabler that can provide manufacturers more than just an insurance policy. It can show real bottom line results by allowing manufacturers to keep their systems up and running and more productive.
That was one of the ideas behind a discussion with Rockwell Automation and Cisco before Rockwell’s Automation Fair 2014 kicked off in Anaheim, Calif.
Security awareness is on the rise throughout the industry, but the idea of security being a business enabler is not resonating yet. But it will.
“Most manufacturing companies don’t get it yet,” said Bryan Tantzen, senior director of discrete manufacturing in the Connected Industries Group at Cisco Systems.
Mitsubishi Electric
“Cyber is a board level issue,” said Rick Esker, senior director of Industry Solutions Group-EcoSystems Global Domain Leader, II and CRE at Cisco. “It is at the top of the shop. Security is a necessary entity.”
“We can’t tell a manufacturing company they have to invest in security by scaring them, that just won’t work,” said Sujeet Chand, senior vice president and chief technology officer at Rockwell Automation. “When they think about security, the change will occur incrementally.”
“More customers are having IT take over networking on the OT side,” Chand said. “I can’t remember any meeting I have had where there was not an IT person in the room.”
Tomi Engdahl says:
Hackers Compromise ICANN Computers
http://www.securityweek.com/hackers-compromise-icann-computers
The private agency that acts as a gatekeeper for the Internet on Wednesday said that hackers tricked their way into its computers.
A “spearfishing” attack aimed at US-based nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) hooked staff members with emails crafted to appear as though they were sent from peers using “icann.org” addresses, according to a blog post.
“The attack resulted in the compromise of the email credentials of several ICANN staff members,” ICANN said.
The ruse won hackers ICANN email user names and passwords, giving the intruders control of accounts and keys to reaching deeper, according to the blog post.
User names and passwords were used this month to access a Centralized Zone Data System, where hackers could get hold of files about generic top-level domains as well as names, addresses, passwords and other valuable information about users, according to ICANN.
ICANN believed that security enhancements made earlier this year limited how deep hackers could dive into its computers. More defense measures have been instituted since the hack, according to ICANN.
ICANN, which is in charge of assigning Internet domain names, is expected to break free of US oversight late next year.
The agency plans to submit a proposal on oversight to the US Department of Commerce next year.
ICANN Targeted in Spear Phishing Attack | Enhanced Security Measures Implemented
https://www.icann.org/news/announcement-2-2014-12-16-en
ICANN is investigating a recent intrusion into our systems. We believe a “spear phishing” attack was initiated in late November 2014.
Tomi Engdahl says:
YLE: Guests States of spying in Finland, Sweden and Norway, mobile phones
YLE interview with the Security Police, according to Finland, it has been found to mobile phones against a government espionage, which is implemented using a fake base stations.
Related espionage cases in the past uncovered in Sweden and Norway.
Aftonposten followed by a spy base stations in Norway for a few months with the assistance of technology companies. According to the newspaper they can listen in on phone calls, collect the data from them and see who moves in the region. Coverage of the 12th of December in Norway launched a police investigation on the matter.
Swedish newspaper Dagens Nyheter reported this after finding mobile traffic espionage in center of Stockholm (administration blocks in the area).
Source: http://www.tivi.fi/kaikki_uutiset/yle+vieraat+valtiot+vakoilleet+suomessa+ruotsissa+ja+norjassa+matkapuhelimia/a1038072
Tomi Engdahl says:
ICANN: Phishing attack compromised systems
The Internet Corporation for Assigned Names and Numbers — the nonprofit organization responsible for assigning and monitoring the Internet’s IP addresses and domain names — said it is investigating a breach of its internal systems that may have compromised several staff members’ credentials.
The culprits accessed ICANN’s Centralized Zone Data Service, a repository that stores, among other things, data related to information needed to pair domain names with IP addresses. ICANN said hackers accessed copies of that data, as well as names, postal addresses, email addresses, fax and telephone numbers, usernames, and passwords. While the passwords were stored as salted cryptographic hashes, ICANN said it has taken steps to deactivate the entire library.
- See more at: http://fedscoop.com/icann-hacked/#sthash.WMKNVCkB.dpuf
Tomi Engdahl says:
New fear: ISIS killers use ‘digital AK-47′ malware to hunt victims
New code built in-house targets innocents fending off deranged terrorists
http://www.theregister.co.uk/2014/12/18/experts_fear_isis_using_cheap_malware_as_digital_equivalent_of_ak47/
Malware has emerged from war-torn Syria targeting those protesting the rule of ISIS (ISIL, Islamic State, whatever the murderous humanity-hating fanatics are calling themselves these days.)
The trivial Windows spyware, analyzed by University of Toronto internet watchdog Citizen Lab, was sent out in a small number of emails aimed squarely at members of the group Raqqah is being Slaughtered Silently (RSS) – which is holed up deep in ISIS-controlled territory and campaigning against the medieval terror bastards.
The booby-trapped emails purport to come from a Canadian expat group that wants to help the fight against ISIS. The messages ask the recipients to check over a report about the actions of the religious fanatics. Clicking on the URL leads to a file-sharing account with TempSend, and downloads an archive called slideshow.zip.
Just getting the IP address may not sound like much, but it could be useful information in the hands of a determined killer, and may narrow down the location of a target, if not pinpoint it using geolocation.
And someone with the right skills could use the leaked public IP addresses to prod a victim’s machine for software vulnerabilities to exploit, leading to a full system compromise and, ultimately, death.
‘It definitely looks like it has been developed internally’
This malware is pretty basic and buggy, we’re told.
The spyware has now been fingerprinted and the signatures published for antivirus products to use, so hopefully security software companies will be able to block further infections. But Hardy said it would be “trivial” to tweak the code to evade detection again.
Tomi Engdahl says:
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
http://www.theregister.co.uk/2014/11/25/nsa_source_code_release/
The NSA has decided to let the public have a peek at what it’s been up to, for a change, by promising to release some of its data analysis tools under an open-source license.
On Tuesday, intelligence-gobbling agency said it hopes to make the code to NiFi – a project previously known internally as Niagarafiles – available as an Apache Incubator Project under an Apache License.
Described as a tool for automating data flows across multiple networks, even where data formats and protocols differ, NiFi is based on the concept of flow-based programming.
The idea behind open sourcing it, the NSA says, is for private industry to benefit from the US government’s research and vice versa.
“Posting the code to open source forums allows the private sector and others to examine the agency’s research up close, and potentially benefit from it through additional enhancements and applications,” the agency said in a press release. “At the same time, the government can gain from related research advances.”
Tomi Engdahl says:
Hack hijacks electric skateboards, dumps hipsters in the gutter
Automated attacks crash riders on the fly
http://www.theregister.co.uk/2014/12/19/hack_hijacks_boosted_skateboards_kills_hipsters/
A hacker duo have shown how to hijack “Boosted” brand electricity-assisted skateboards.
The boards feature small motors to help riders go up hills, or down hills much faster. An app controls the motors over Bluetooth.
Stripe security engineer Richo Healey and penetration tester and Bluetooth expert Mike Ryan found a way to block the Bluetooth signal used between the controller and skateboard, then force it to pair with a laptop.
The result was that Boosted skateboards could be remotely hijacked while in motion, with unpleasant consequences for riders.
The attack can be automated using scripts, allowing attackers to pop hipsters merely by carrying a laptop in a backpack.
“The simplest way to do this would be to get something that generates a whole lot of noise on the 2.4Ghz spectrum to disconnect the controller.”
Tomi Engdahl says:
Researchers Make BitTorrent Anonymous and Impossible to Shut Down
http://torrentfreak.com/bittorrent-anonymous-and-impossible-to-shut-down-141218/
While the BitTorrent ecosystem is filled with uncertainty and doubt, researchers at Delft University of Technology have released the first version of their anonymous and decentralized BitTorrent network. “Tribler makes BitTorrent anonymous and impossible to shut down,” lead researcher Prof. Pouwelse says.
The Pirate Bay shutdown has once again shows how vulnerable the BitTorrent ‘landscape’ is to disruptions.
With a single raid the largest torrent site on the Internet was pulled offline, dragging down several other popular BitTorrent services with it.
“Tribler makes BitTorrent anonymous and impossible to shut down,” Tribler’s lead researcher Dr. Pouwelse tells TF.
“Recent events show that governments do not hesitate to block Twitter, raid websites, confiscate servers and steal domain names. The Tribler team has been working for 10 years to prepare for the age of server-less solutions and aggressive suppressors.”
To top that, the most recent version of Tribler that was released today also offers anonymity to its users through a custom-built in Tor network. This allows users to share and publish files without broadcasting their IP-addresses to the rest of the world.
“The public was beginning to lose the battle for Internet freedom, but today we are proud to be able to present an attack-resilient and censorship-resilient infrastructure for publishing,” Dr. Pouwelse says.
Anonymity
http://tribler.org/anonymity.html
Tribler offers anonymous downloading. Bittorrent is fast, but has no privacy. We do NOT use the normal Tor network, but created a dedicated Tor-like onion routing network exclusively for torrent downloading. Tribler follows the Tor wire protocol specification and hidden services spec quite closely, but is enhanced to need no central (directory) server.
Tomi Engdahl says:
Critical Git Security Vulnerability Announced
http://it.slashdot.org/story/14/12/18/2346238/critical-git-security-vulnerability-announced
Github has announced a security vulnerability and has encouraged users to update their Git clients as soon as possible.
Tomi Engdahl says:
This Little USB Necklace Hacks Your Computer In No Time Flat
http://techcrunch.com/2014/12/18/this-little-usb-necklace-hacks-your-computer-in-no-time-flat/
Quick! The bad guy/super villain has left the room! Plug in a mysterious device that’ll hack up their computer while an on-screen progress bar ticks forward to convey to the audience that things are working!
It’s a classic scene from basically every spy movie in history. In this case, however, that mystery device is real.
Samy Kamkar — developer of projects like that massive worm that conquered MySpace back in 2006, or SkyJack, the drone that hijacks other drones — has released a video demonstrating the abilities of a particularly ridiculous “necklace” he sometimes wears around.
Called USBdriveby, it’s a USB-powered microcontroller-on-a-chain, rigged to exploit the inherently awful security flaws lurking in your computer’s USB ports. In about 60 seconds, it can pull off a laundry list of nasty tricks:
It starts by pretending to be a keyboard/mouse.
If you have a network monitor app like Little Snitch running, it uses a series of keystrokes to tell LittleSnitch that everything is okay and to silence all warnings.
It disables OS X’s built-in firewall.
It pops into your DNS settings and tweaks them to something under the hacker’s control, allowing them to replace pretty much any website you try to visit with one of their own creation.
It opens up a backdoor, then establishes an outbound connection to a remote server which can send remote commands. Since the connection is outbound, it eliminates the need to tinker with the user’s router port forwarding settings.
It closes any windows and settings screens it opened up, sweeping up its footprints as it heads for the door.
So in 30-60 seconds, this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed. That’s… kind of terrifying.
So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky.
Tomi Engdahl says:
Will Ripple Eclipse Bitcoin?
http://tech.slashdot.org/story/14/12/18/1725244/will-ripple-eclipse-bitcoin
This year’s biggest news about Bitcoin may well turn out not to be the repeat of its surge in value last year against the dollar and other state currencies but its impending eclipse by another independent but corporate-backed digital currency. Popularly known as Ripple, XRP shot up in value last year along with other cryptocurrencies that took advantage of the hype around Bitcoin. However, among the top cryptocurrencies listed in Coinmarketcap.com, a site that monitors trading across different cryptocurrency exchanges, Ripple is the only one that not only regained its value after the collapse in the price of Bitcoin
Users of the Ripple system are able to transact in both cryptocurrency and regular fiat currency like the dollar without passing through a central exchange.
Tomi Engdahl says:
Does the ‘Grinch’ issue affect Red Hat Enterprise Linux?
https://access.redhat.com/articles/1298913
A report has been released detailing an issue that the reporter is naming “Grinch”. This report incorrectly classifies expected behavior as a security issue.
The PackageKit console client (pkcon) is a utility which allows users in the wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a “local user”, meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote users connected via SSH), you must supply authentication credentials to install packages.
This behavior is controlled in Red Hat Enterprise Linux 7 via the /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules file which mandates that installation of packages can only be done, without authentication credentials, if the user is local.
Red Hat does not consider this to be a security issue or even a bug. This is the expected behavior of the PackageKit console client.
Tomi Engdahl says:
The Future of Privacy
http://www.pewinternet.org/2014/12/18/future-of-privacy/
“We have seen the emergence of publicy as the default modality, with privacy declining. In order to ‘exist’ online, you have to publish things to be shared, and that has to be done in open, public spaces.”
Overall, 2,511 respondents weighed in on the following questions:
Security, liberty, privacy online—Will policy makers and technology innovators create a secure, popularly accepted, and trusted privacy-rights infrastructure by 2025 that allows for business innovation and monetization while also offering individuals choices for protecting their personal information in easy-to-use formats?
Some 55% of these respondents said “no” they do not believe that an accepted privacy-rights regime and infrastructure would be created in the coming decade, while 45% said “yes” that such an infrastructure would be created by 2025.
Despite this very divided verdict, there were a number of common thoughts undergirding many of the answers. For instance, many of those answering “yes” or “no” shared the opinion that online life is, by nature, quite public. An anonymous respondent even went so far to say, “Privacy will be the new taboo and will not be appreciated or understood by upcoming generations.” Respondents also suggested that a fluid environment will continue to confront policy makers.
“Big data equals big business. Those special interests will continue to block any effective public policy work to ensure security, liberty, and privacy online.”
A promoter of the global Internet who works on technical and policy coordination, wrote, “By 2025, there will be an international consensus among Internet organizations on how best to balance personal privacy and security with popular content and services. The patchwork approach of national privacy protections will be harmonized globally in 2025, and the primacy of security concerns will be more balanced by such an international consensus. In 2025, the public will see the need to reduce the primary focus on security and create a better, workable balance in favor of protection privacy.”
Tomi Engdahl says:
Welsh council rapped for covert spying on sick leave worker
‘Incredibly intrusive’ use of powers prompts slap from ICO
http://www.theregister.co.uk/2014/12/19/welsh_council_faulted_sick_work_surveillence/
A council that ordered covert surveillance of a sick employee has been ordered to review its practices following an investigation by data privacy watchdogs.
An Information Commissioner’s Office (ICO) investigation found that Caerphilly Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
“Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done,”
Tomi Engdahl says:
UK air traffic bods deny they ‘skimped’ on IT investment after server mega-fail
90s kit isn’t ‘ancient’, indignant chief exec tells Parliament
http://www.theregister.co.uk/2014/12/19/nats_denies_it_has_skimped_on_it_investment/
The chief executive of the National Air Traffic Services, Richard Deakin, has denied the body “skimped” on its IT investment after being hauled in front MPs this week to account for its major computer outage.
The cock-up last Friday resulted in 120 flights being cancelled and 500 flights being delayed for 45 minutes, affecting a total of 10,000 passenger.
business secretary Vince Cable last week accused NATS of skimping on IT investment and leaving itself vulnerable due to its “ancient” technology.
Deakin said that due to safety concerns it was necessary not to rush upgrades. “Just because the technology is old, does not necessarily mean it is not fit for purpose or doesn’t do the job,” he said. The current system “has its roots in the 90s.”
He said it would be “unrealistic” to expect failures never to occur given the complexity of the systems. “I can’t honestly sit here and say we will never have a computer glitch again,” he said.
Tomi Engdahl says:
Misfortune Cookie
http://mis.fortunecook.ie/
Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks.
To date, researchers have distinctly detected approximately 12 million readily exploitable unique devices connected to the Internet present in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years. Research suggests the true number of affected devices may be even greater.
First of all, be smart about your privacy. Make sure your devices and any documents or folders containing sensitive information are password protected. Consider adding more privacy to your browsing by using HTTPS connections to encrypt all your browser activity.
Watch for firmware updates from your device vendor addressing Misfortune Cookie, apply the update as it is released.
Remember that your router’s security is another layer in your network security defenses – you should have endpoint protections in place, including firewalls, anti-virus software, and a freshly updated operating system.
All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser.
This should be considered an alarming wake-up call for the embedded device industry and consumers alike, highlighting the importance of increased security and privacy for consumer and enterprise networks.
Is this a problem with the TR-069 protocol specification?
While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se. Misfortune Cookie affects any implementation of a service using the old version of RomPager’s HTTP parsing code, on port 80, 8080, 443, 7547, and others.
Is this a problem with the security design of RomPager?
We have no reason to believe it is any better or worse than comparable software in 2002.
12 Million Home Routers Vulnerable to Takeover
http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970
Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order. – See more at: http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970#sthash.qay5bYS0.5de1ieBx.dpuf
In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.
“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”
“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”
“Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”
“This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”
Tomi Engdahl says:
Misfortune Cookie: The Hole in Your Internet Gateway
SUSPECTED – VULNERABLE MODELS
http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
Tomi Engdahl says:
Towards the Perfect Coin Flip: The NIST Randomness Beacon
http://hackaday.com/2014/12/19/nist-randomness-beacon/
Since early evening on September 5th, 2013 the US National Institute of Standards and Technology (NIST) has been publishing a 512-bit, full-entropy random number every minute of every day. What’s more, each number is cryptographically signed so that you can easily verify that it was generated by the NIST. A date stamp is included in the process, so that you can tell when the random values were created. And finally, all of the values are linked to the previous value in a chain so that you can detect if any of the past numbers in the series have been altered after the next number is published.
But first, before those of you who’ve got crypto on the brain start thinking crazy thoughts, note that the NIST has a banner stating the obvious in all caps: “WARNING: DO NOT USE BEACON GENERATED VALUES AS SECRET CRYPTOGRAPHIC KEYS.” Why not? Cryptographically speaking, they’re phenomenal random numbers; they’re just not secret at all! In contrast, they’re publicly available to everyone and archived for all time. The aim of the Randomness Beacon is to provide a random number standard, not to generate secrets.
Tomi Engdahl says:
FBI concludes that the North Korean government is responsible for Sony Pictures hack — Update on Sony Investigation … Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE).
Update on Sony Investigation
http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the “Guardians of Peace” claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.
The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.
After discovering the intrusion into its network, SPE requested the FBI’s assistance.
FBI now has enough information to conclude that the North Korean government is responsible for these actions.
our conclusion is based, in part, on the following:
Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North K
We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.
Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.
Tomi Engdahl says:
Danny Yadron / Wall Street Journal:
Poll: 45% of Americans have been notified that payment card details were stolen in a data breach — Poll Shows Broad Impact of Cyberattacks — Just fewer than half of Americans say that a retailer, bank or credit-card company has told them or a household member that their payment card details …
Poll Shows Broad Impact of Cyberattacks
http://blogs.wsj.com/digits/2014/12/17/poll-shows-broad-impact-of-cyberattacks/
Just fewer than half of Americans say that a retailer, bank or credit-card company has told them or a household member that their payment card details were stolen in a data breach, according to the latest Wall Street Journal/NBC News poll.
Some 45% of Americans said they had received such a breach notification letter from a retailer or card-issuer that their payment data had been affected by a breach
The poll also found that more Americans than ever think they have been targeted in Internet crime. As of December, 15% said either they or a member of their household had been hit by online fraud or hacking. When Gallup asked the same question more than four years ago, 11% answered yes.
Some 45% of Americans say they or a household member have been notified by a credit card company, financial institution or retailer that their credit card information had possibly been stolen as part of a data breach.
Tomi Engdahl says:
Computer intrusion inflicts massive damage on German steel factory — A German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace, according to a report published Friday by IDG News.
Computer intrusion inflicts massive damage on German steel factory
Blast furnace can’t be properly shut down after attackers take control of network.
http://arstechnica.com/security/2014/12/computer-intrusion-inflicts-massive-damage-on-german-steel-factory/
A German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace, according to a report published Friday by IDG News.
The attackers took control of the factory’s production network through a spear phishing campaign, IDG said, citing a report published Wednesday by the German government’s Federal Office for Information Security. Once the attackers compromised the network, individual components or possibly entire systems failed. IDG reporter Loek Essers wrote:
Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,”
The incident is notable because it’s one of the few computer intrusions to cause physical damage. The Stuxnet worm that targeted Iran’s uranium enrichment program has been dubbed the world’s first digital weapon, destroying an estimated 1,000 centrifuges. Last week, Bloomberg News reported that a fiery blast in 2008 that hit a Turkish oil pipeline was the result of hacking, although it’s not clear if the attackers relied on physical access to computerized controllers to pull it off. The suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb. Critics have long argued that much of the world’s factories and critical infrastructure aren’t properly protected against hackers.
Tomi Engdahl says:
Why cyber warfare is so attractive to small nations
http://fortune.com/2014/12/21/why-cyber-warfare-is-so-attractive-to-small-nations/
Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons.
Last week news broke that North Korea, which is believed to be responsible for a massive cyber attack against Sony SNE -2.65% , may have as many as 1,800 cyber warriors. That may seem like a large figure for the nation of 24.9 million people, especially considering that Pyongyang isn’t exactly known for its centers of higher learning. Yet many small nation-states—even those that are in regions that lack universities with notable computer science programs—are finding that cyber war provides more bang for the buck than investment in conventional weapons.
“Cyber warfare is a great alternative to conventional weapons,” says Amy Chang, a research associate in the technology and national security program at the Center for a New American Security. “It is cheaper for and far more accessible to these small nation-states. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are [caught].”
There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. According to recent intelligence studies more than 140 countries have some level of cyber weapon development programs.
“Why develop advanced weapons technology when you can steal it?”
Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one—which means small nations may have more of a stomach for going on the cyber offensive than for stopping a similar attack.
“For good or bad, cyber attacks aren’t [usually] directed at ‘hard’ targets,” Libicki says. “This is an extension of terrorist attacks, which typically don’t go after a military base but go after an embassy or other interests. It sends a message and is easier to perpetrate.”
In an Internet-connected world, the ancient notion of barbarians at the gate—used to describe the Sack of Rome in 410 by the Visigoths after they entered the city through its Salarian Gate—has been replaced with a far more complex concept. Online, there is a seemingly endless number of entrances to someone’s secure infrastructure, a gate for every authorized user and device.
“Sony is a great example of how this sort of thing happens even though they had been warned about it before,”
“There is too much information going around the cyber world and so many ways to access it. As the whole world gets connected, it just provides the details that make these attacks possible.”
“This is really physiological warfare, and in Sony’s case people won’t go to the movies,” McKnight says. “At this point cyber warfare is over-hyped on what it can accomplish. But it is the only game in town for a lot of countries.”
Tomi Engdahl says:
Guardian:
Obama says Sony hack was an act of cybervandalism, not war, considers putting North Korea back on state sponsors of terrorism list — Obama: North Korea hack on Sony Pictures was not an act of war — President tells CNN North Korea may go back on state terror list
US may put North Korea back on state terror list after Sony ‘cybervandalism’
http://www.theguardian.com/us-news/2014/dec/21/obama-us-north-korea-state-terror-list-sony-hack
Obama says North Korea’s Sony Pictures hack was not an act of war
North Korea warns ‘toughest counteraction will be boldly taken’
Tomi Engdahl says:
New York Times:
Obama administration seeks China’s help in blocking North Korea’s ability to launch cyberattacks
Tomi Engdahl says:
New York Times:
Obama administration seeks China’s help in blocking North Korea’s ability to launch cyberattacks
U.S. Asks China to Help Rein In Korean Hackers
http://www.nytimes.com/2014/12/21/world/asia/us-asks-china-to-help-rein-in-korean-hackers.html?_r=0
The Obama administration has sought China’s help in recent days in blocking North Korea’s ability to launch cyberattacks, the first steps toward the “proportional response” President Obama vowed to make the North pay for the assault on Sony Pictures — and as part of a campaign to issue a broader warning against future hacking, according to senior administration officials.
“What we are looking for is a blocking action, something that would cripple their efforts to carry out attacks,” one official said.
So far, the Chinese have not responded. Their cooperation would be critical, since virtually all of North Korea’s telecommunications run through Chinese-operated networks.
Tomi Engdahl says:
Sony and the rise of state-sponsored hacking
http://www.cnet.com/news/sony-and-the-rise-of-state-sponsored-hacking/
North Korea has been blamed for one of the most destructive cyberattacks on a company in US history. It’s just the latest in a string of hacks sanctioned and funded by governments.
James Bond may need a license to kill, but North Korea only needed an Internet connection and computers to cripple an entire company.
That’s the lesson from one of the most damaging hacks ever on a US company. North Korea targeted Sony Pictures Entertainment because the studio planned to release “The Interview,” a satirical film depicting a plot to assassinate North Korea’s Supreme Leader Kim Jong-Un.
“This is absolutely a wake-up call,” said Bruce Bennett, an expert on North Korea and military defense for the RAND Corporation think tank. “We have North Koreans who built nuclear weapons. Why should we suspect they can’t do cyberattacks?”
While the latest cyberattack puts North Korea in the public eye, the country is not unique. China, Israel, France, Syria and the US are among the world’s most powerful countries that have amassed armies of hackers engaged in cyberwarfare. These countries have reportedly used sophisticated computer skills to disable Iran’s uranium enrichment plants, cripple oil and gas production in Saudi Arabia and sabotage satellite and infrastructure systems around the world.
hackers working on behalf of various countries have carried out plots against nations and corporations.
US President Barack Obama said these types of breaches will grow in regularity. “They’re going to be costly, they’re going to be serious,” he said in a Friday news conference.
President Obama also said he doesn’t believe North Korea worked with other countries in the attack against Sony.
In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
That isn’t as farfetched as it once was, said Dmitri Alperovitch, co-founder of security services firm CrowdStrike. “From a technical perspective, this attack wasn’t unprecedented,” he said. “There’s no doubt we’ll see more of these in the future.”
Tomi Engdahl says:
South Korea nuclear plant hit by hacker
http://www.cnet.com/news/south-korea-nuclear-plant-hit-by-hackers/
The hacking comes in the wake of increased tension and trouble from North Korea, though the source has not been confirmed.
Computers at a nuclear power plant in South Korea have been compromised by a hacker, but the plant’s operator says no critical data has been leaked.
The hacker was able to access blueprints, floor maps and other information on the plant, the South Korean Yonhap News Agency reported Sunday. Using a Twitter account called “president of anti-nuclear reactor group,” the hacker has released a total of four postings of the leaked data since December 15, each one revealing internal designs and manuals of the Gori-2 and Wolsong-1 nuclear reactors run by Korea Hydro and Nuclear Power Co. (KHNP), Yonhap added. The hacker has threatened to leak further information unless the reactors are shut down.
KHNP has insisted that the leaked information is not critical and does not undermine the safety of the reactors. The company also played down the threat of any type of cyberattack, saying that the reactors’ controllers are protected because they’re not linked to any external networks, according to the Wall Street Journal.
The hacking against KHNP nuclear plants occurs in the midst of a major hack against Sony Pictures over its movie “The Interview,”
Tomi Engdahl says:
North Korea internet ‘totally down’ as US cyber attack suspected
http://www.telegraph.co.uk/news/worldnews/asia/northkorea/11309376/North-Korea-internet-totally-down-as-US-cyber-attack-suspected.html
The hermit country is suffering one of its worst ever internet outages and experts say it may be under attack as US officials decline to comment
North Korea is experiencing one of its worst ever internet outages days after US President Barack Obama vowed a “proportional” response for the hermit country’s cyber attack on a Hollywood studio.
It began encountering problems on Friday, and by Monday night North Korea was completely cut off from the world wide web. One expert described its connectivity as “toast.”
The US declined to comment on the situation amid speculation that America was hitting back in a new cyber war to protect itself from future hacking assaults.
Tomi Engdahl says:
Exploits Circulating for Remote Code Execution Flaws in NTP Protocol
http://threatpost.com/exploits-circulating-for-remote-code-execution-flaws-in-ntp-protocol/110001
Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs.
The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are remotely exploitable
The flaws disclosed today in NTP are more worrisome. They put servers running older versions of the protocol at risk of remote code execution.
“These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”
The advisory from NTP.org says that a single packet is enough to exploit any of the buffer overflow vulnerabilities.
“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory says.
- See more at: http://threatpost.com/exploits-circulating-for-remote-code-execution-flaws-in-ntp-protocol/110001#sthash.EoS3Mi3u.dpuf
Tomi Engdahl says:
Serious NTP security holes have appeared and are being exploited
http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/
Summary:A network time protocol security hole has been discovered and there are reports that exploits already exist for it and are being used in attacks.
All NTP Version 4 releases, prior to Version 4.2.8, are vulnerable and need to be updated to Version 4.2.8. Unfortunately, the NTP site, as of 5 PM Eastern time, has been going up and down. It’s not clear if this is the result of heavy demand, a DDoS attack, or some other unrelated cause.
According to Dennis Fisher at ThreatPost, before the NTP site went down, the NTP advisory stated that a single packet would be enough to exploit NTP’s vulnerabilities.
This is a serious bug and it’s almost a sure bet that it will be used by hackers to launch DDoS attacks over the weekend
Tomi Engdahl says:
Hackers Used Sophisticated SMB Worm Tool to Attack Sony
https://www.securityweek.com/hackers-used-sophisticated-smb-worm-tool-attack-sony
Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise.
While not mentioning Sony by name in its advisory, instead referring to the victim as a “major entertainment company,” US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.
The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said.
An FBI “flash memo” issued to a limited number of organizations earlier this month also warned about the dangerous malware, which has been referred to as “Destover” by some security vendors.
Tomi Engdahl says:
Tor Warns of Possible Attempts to Disable Anonymity Network
https://www.securityweek.com/tor-warns-possible-attempts-disable-anonymity-network
The Tor anonymity network might be disrupted in the next few days via the seizure of directory authorities, the Tor Project has learned.
There are a total of nine directory authorities spread out in the United States and Europe. These servers provide a signed list of all the relays that make up the Tor network.
Some believe the attack the Tor Project has warned about might be related to an FBI investigation into the recent Sony Pictures hack. Dingledine initially believed this had nothing to do with the attack on Sony. However, after being shown a report from HP which mentions the Sony hackers using Tor exit nodes to cover their tracks, he promised to investigate more.
Tomi Engdahl says:
Easily Exploitable NTP Vulnerabilities Put ICS Operators at Risk
https://www.securityweek.com/easily-exploitable-ntp-vulnerabilities-put-ics-operators-risk
Security researchers Neel Mehta and Stephen Roettger of Google’s Security Team recently discovered vulnerabilities in the Network Time Protocol (NTP), a service that helps synchronize system times over a network, including some flaws that could enable an attacker to take control of or crash a system.
According to the disclosures, several vulnerabilities exist, including buffer overflow vulnerabilities (CVE-2014-9295) that could allow a remote attacker to send a specially crafted request packet that could crash the NTP daemon (ntpd) or execute arbitrary code with the privileges of the NTP user.
The biggest concern is that the vulnerabilities can be easily exploited remotely by a low skilled attacker with exploits that are already publicly available.