
Friday, June 7, 2013

NSA collecting phone records of millions of US citizens daily


The U.S. NSA is collecting phone records of millions of Verizon Communications customers, according to a secret court order obtained by the Guardian.

The U.S. NSA is collecting the phone records of millions of customers of Verizon, the second-largest telephone company in the country. The shocking news was revealed by the Guardian, whose journalists had access to a “Top Secret” court order, signed by Judge Roger Vinson and issued in April against Verizon.

The order obliges Verizon to deliver the daily list of calls, “both within the Member States and between the United States and other countries.”

The order, issued by the U.S. Foreign Intelligence Surveillance Court, directs Verizon’s Business Network Services Inc and Verizon Business Services units to hand over electronic data, including all calling records, on an “ongoing, daily basis” until the order expires on July 19, 2013. Curiously, the order also forbids disclosure of its own existence.

The order reveals that a massive collection of the communications records of millions of Americans is ongoing: every citizen is intercepted regardless of whether he is suspected of any crime. It must be considered that the order covers every phone number dialed by every Verizon customer, including location and routing data and the duration and frequency of the calls, but not the contents of the communications.


The revelation is embarrassing for the Obama administration; while authorities and law enforcement have not yet commented on the news, a source close to the judiciary has confirmed the authenticity of the order.

A spokesman for the National Security Agency said:

“We will respond as soon as we can.”

The news is making a great deal of noise; let’s remember that the US Government has already been severely criticized for many other law proposals that violate citizens’ privacy.

“That’s not the society we’ve built in the United States. It’s not the society we set forth in the Constitution, and it’s not the society we should have,” commented Kurt Opsahl, an attorney at the Electronic Frontier Foundation.

The order demonstrates the advanced surveillance conducted by the US Government, which began under the administration of President George W. Bush.

AT&T Inc, the biggest telephone company in the US, did not comment when asked whether the government had made a similar request for its data.

It can be expected that other providers have received similar court orders.

The business behind a cashout service for cybercriminals



Brian Krebs recently published an interesting post on his KrebsOnSecurity blog about the way cyber criminals cash out their money through a dedicated cashout service. The conversion of ill-gotten gains into cash, the “cashout”, is considered the riskiest part of a cybercrime because it exposes crooks to law enforcement investigation.

Krebs describes a new cashout service for ransomware authors that offers money laundering by abusing a legitimate Web site that allows betting on dog and horse races in the United States. Ransomware is a category of malware that restricts access to the resources of the system it infects and demands a ransom, paid to the author of the malicious code, to remove the restriction. The service also employs a free CAPTCHA service from Microsoft to protect itself from abuse.

The most complex malicious codes encrypt files on the victim’s hard drive, while others simply lock the system and display messages requesting payment. Cyber criminals give the victims detailed instructions to pay the ransom using prepaid cards such as MoneyPak or PaySafe and to provide evidence of the transaction.

The principal problem is the conversion of the extorted money: criminals have to spend it in shops that accept these payment methods, they have to manage a large number of transactions every day, and often they are not based in the place where the fraud is consummated.

The post describes an original ransomware cashout service hosted in Belarus that supports crooks in this complex and risky phase: the service checks the balances of the MoneyPak codes sent by victims as proof of payment, verifying them by abusing a legitimate feature of betamerica.com, a site for betting on dog and horse races in the US. The same service also cashes out PaySafe cards from Mexico for a quarter of the price of their balances.

The operations team at Betamerica.com is aware of these abuses and has already tried to block the account used to check the MoneyPak voucher codes, preventing it from placing any bet in order to stop money laundering.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” explained an operator at betamerica.com.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

The cashout process as described by Krebs:

The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.
The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.
The guy(s) running this cashout service.
The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.


The Business dimension

The cashout service is very expensive: the fee charged to the ransomware author is more than half of the value of the MoneyPaks. The service manager justifies this high cost with the decreasing infection rate of exploits.

Analyzing the list of checks made on MoneyPak vouchers, it appears that a large number of requests are generated by a scammer who is extorting around $300 from each victim. Around 24,000 MoneyPak codes seem to have been checked, which could indicate that the cashout service has processed more than $7 million coming from ransom victims.


This figure should lead us to a deeper reflection on the criminal proceeds industry and in particular on this kind of malware. The situation is worrying because, in addition to the increase in this type of crime, we should bear in mind that most of these incidents are not even reported, for fear of legal consequences for downloading pirated or pornographic content.

Facebook Zeus malware targeting bank accounts


Principal security firms detected a new variant of the Facebook Zeus malware that is exploiting the popular social network to target users’ bank accounts.

A Facebook Zeus malware variant (aka ZeuS/ZBOT) has been detected by principal security firms, confirming the longevity of the malicious code and the ability of cybercrime to customize it according to its needs. Symantec was one of the first companies to detect the Facebook Zeus virus and its capability to drain users’ bank accounts; the malicious code uses phishing messages as its method of propagation. A compromised account is used to automatically send messages to its contacts with links to ads, usually for a video or a product. The new Facebook Zeus instance is able to infect only Windows users; there is no news of a variant targeting Linux or Mac OS X systems.

The Facebook Zeus malware appears very complex: it is able to replace a bank’s Web site page with a fake one used to capture social security numbers and other information from the victims. Once again cyber criminals don’t use the collected credentials directly but re-sell them on the black market within a Fraud-as-a-Service (FaaS) model.

How does Facebook Zeus steal victims’ credentials?
ZBOT connects to a remote site to download its encrypted configuration file, which contains the following information:

Site where an updated copy of itself can be downloaded
List of websites to be monitored
Site where it will send the stolen data

“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system,” reports the Trend Micro post.


According to Trend Micro the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Although Facebook has been aware of the spread of the Facebook Zeus malware, so far it appears not to have taken any significant countermeasures. Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), declared that he has tried to warn Facebook about the spread of the cyber threat. I contacted Mr Feinberg requesting more information on the event and he told me:

“Best way to describe how we uncovered the Zeus malware is as follows. I observed that the Russian Business Network had created fake Facebook profiles that posted .tk links to websites selling counterfeit merchandise. The .tk links caught my attention when I did a URL query of these .tk links; the URL query report listed these as likely hostile and from the Russian Business Network. I turned the links over to a colleague who identified the Zeus botnet.”

The majority of the victims of the Facebook Zeus malware are located in the USA and UK; other cases are registered all over the world, including India, Russia and South Africa.

The resurrection of a Facebook Zeus variant is not surprising: the cybercriminal underground never stops making a profit on old cyber threats, and this prolific business is growing daily.

Friday, May 24, 2013

Google data breach, Company’s Surveillance Database hacked


Chinese hackers who breached Google in 2010 are responsible for the recent violation of Google’s surveillance database, according to officials’ revelations.

The Google data breach is real: Google’s surveillance database has been violated by the same hackers who breached Google’s network in 2010, and the attackers obtained access to the company’s tracking system for managing surveillance requests from law enforcement.

The news was published by the Washington Post and confirmed the rumors of a Google data breach.

The hacked database is used by Google to archive the court orders submitted by law enforcement investigating a user’s profile, but the repository also includes classified Foreign Intelligence Surveillance Act (FISA) orders that are used in foreign intelligence surveillance investigations.

FISA is a US law which outlines practices for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers”; “the sections of FISA authorizing electronic surveillance and physical searches without a court order specifically exclude their application to groups engaged in international terrorism.”

Google’s database contained precious information on the surveillance activities conducted during recent years, and the purpose of the attack is clear: it was arranged to gather information on law enforcement and intelligence agencies’ investigations of Chinese intelligence operatives in the US. A former US official confirmed it to the Washington Post:

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country.”

The Post states:

“The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies.”

In 2010 numerous companies were hacked by Chinese hackers, including Adobe and many financial institutions and defense contractors, in a series of sophisticated cyber attacks. The attackers stole source code from Google and also tried to access the Gmail accounts of Tibetan activists.

The hackers that targeted Google in December also hit 33 other companies, using a zero-day vulnerability in Adobe Reader to deliver malware to the victims and compromising source-code management systems to obtain access to company source code and to modify it, making customers who use the application vulnerable to attack.

The Google data breach originated in China; Secretary of State Hillary Clinton publicly condemned the intrusion and asked the Chinese Government to provide information on the attack.

Google hasn’t confirmed the compromise of its systems for processing law enforcement surveillance requests, but it announced that it would stop collaborating with Chinese authorities in censoring Google search results in that country.

Google isn’t the only victim of this new wave of attacks: last month a senior Microsoft official revealed that Chinese hackers had targeted the company’s systems with the same function as Google’s surveillance database, at about the same time that Google’s was breached.

“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, said at a conference near Washington, according to a recording of his remarks. “If you think about this, this is brilliant counterintelligence,” he said in the address, which was first reported by the online magazine CIO.com. “You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”

According to the Washington Post, the Justice Department faced resistance from Google when it asked for evidence of the attacks, full access to internal logs and authorization for a further forensic investigation of the breach … It is still unclear what Google provided to the investigators.

Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, commented on the attacks, calling them a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations depend in large part on security standards in the private sector.

“Those,” DuBose said, “clearly need strengthening.”

The incidents once again raise the need to share information on cyber attacks and data breaches; incidents like these are clear indications of ongoing sophisticated intelligence operations.

Cost of cybercrime for UK Small Businesses


The Federation of Small Businesses issued an interesting study on the cost of cybercrime suffered by small businesses in the UK.

The cost of cybercrime is usually evaluated for large corporations, underestimating its dramatic effect on small businesses; small companies are in fact the most vulnerable to increasingly active cyber criminals and hacktivists.

An interesting study conducted by the Federation of Small Businesses on the cost of cybercrime in the UK revealed the incidence of the phenomenon on small businesses: worrying losses of billions of pounds every year, with the average small firm facing a cost of nearly £4,000.

The Federation of Small Businesses declared that around 30% of its members had been victims of fraud; the majority of crimes are related to virus infections, more than 50% of small businesses were hit by malware, 8% of UK small businesses had been victims of hacking and around 5% had suffered security breaches.

The report of the Federation of Small Businesses revealed that the cost of cybercrime and fraud for its 200,000 members is around £800m a year (£3,926 each on average), but according to the analysts the total cost for all UK small businesses is much bigger.

According to the FSB’s estimate, projecting the data for its members to the national scale gives a cost of cybercrime greater than £18.8bn, based on the FSB’s average.


In the UK there are around 4.8 million small firms, and despite the impact of cybercrime and the high frequency of malicious events, almost 20% had taken no countermeasure to mitigate cyber threats.

“Cybercrime poses a real and growing threat for small firms and it isn’t something that should be ignored,”

“Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth”.

“Many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime.”

“While we want to see clear action from the government and the wider public sector, there are clear actions that businesses can take to help themselves,” said Mike Cherry, the FSB’s national policy chairman, referring to the effect of cybercrime on UK businesses.


The scenario is alarming: on one side the activities of cybercrime are becoming ever more sophisticated and relentless, on the other side the response of small businesses is still inadequate, with obvious repercussions. For this reason the FSB issued new advice to small firms encouraging the implementation of security mechanisms and the adoption of best practices.

The FSB issued 10 tips suggesting how businesses can protect their assets from cybercrime, including a combination of standard security protection steps (e.g. define and constantly update a security policy, keep systems updated, protect networks with a firewall, use and update antivirus and anti-spam software).

Security is a must for the growth of the entire United Kingdom; security minister James Brokenshire commented on the results of the study, spurring action and the adoption of a proactive approach to cybercrime.

“We need to make sure that all businesses, large and small, are engaged in implementing appropriate prevention measures in their business.”

“This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

“We know only too well of the importance of securing buy-in from both big and small business in implementing appropriate protection against cyber risks – business success can depend on it. Increasing security drives growth,” Business minister David Willetts added.

To limit the impact and reduce the cost of cybercrime, another fundamental issue is information sharing on cyber attacks, incidents and data breaches; the Government’s Data Protection Bill will force companies to report every incident and data breach. Despite the Act there is still much to do; the strong support of the Government and of principal enterprises is an essential factor in the growth of a security culture that could help reduce the effect of cybercrime.

source: securityaffairs.co

US critical infrastructure under unceasing cyber attacks


US Congressmen Ed Markey and Henry Waxman issued the report “Electric grid vulnerability” on the level of security of US critical infrastructure.

Attacks on critical infrastructure are the main concern for the worldwide security community; every government has become aware of the risks related to a cyber attack against its own country and is investing to improve its cyber capabilities.

Day after day the number of attacks against critical infrastructure is increasing at an alarming rate, and the US is among the most targeted countries: a report issued by U.S. Congressmen Ed Markey and Henry Waxman revealed that the quantity of assaults against core infrastructure continues to rise.

The report, titled “Electric grid vulnerability”, states that a utility faces roughly 10,000 attacks every month; the study is based on 160 surveyed U.S. utilities.

The most concerning aspect is that around 10% of US critical infrastructure is under daily attack of various types, such as malware-based or spear-phishing attacks.

The report highlighted the economic impact of grid vulnerabilities: it is estimated that power outages and related damage cost the U.S. economy between $119 and $188 billion per year, and a single successful cyberattack could cause losses upwards of $10 billion.


The Department of Homeland Security reported that 2012 saw an increase of 68 percent over 2011 in the number of cyberattacks against US critical infrastructure, industrial bodies and Federal offices.

Every day numerous attacks are conducted to discover vulnerabilities within these critical systems; many of these attacks are perpetrated in an automated and methodical manner.

A Midwestern power provider declared that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature – able to adapt to what is discovered during its probing process.”

To respond to the increasing threat of cyber attack, the security community has called on Congress to give a federal authority the necessary power to ensure the protection of the grid from potential cyber attacks, but despite these calls for action Congress has so far not provided any governmental entity with the necessary capabilities.

Today the protection of the nation’s electricity grid from cyber attack is governed “by voluntary actions recommended by the North American Electric Reliability Corporation (NERC), an industry organization, combined with mandatory reliability standards that are developed through NERC’s protracted, consensus-based process. Additionally, an electric utility “

“Almost all utilities surveyed are compliant with mandatory NERC standards but totally ignore recommendations by NERC. The report provided disturbing data; for example, although NERC has established both mandatory standards and voluntary measures to protect against the Stuxnet worm, the implementation of voluntary countermeasures was overruled.”

Stuxnet voluntary measures have been implemented by only 21% of IOUs; 44% of municipally or cooperatively owned utilities and 62.5% of federal entities reported compliance, alarming data in my opinion.

Cybercrime is considered the most dangerous threat for US critical infrastructure, which is under unceasing cyber attack; its menace is more concerning than terrorism because of the increasing sophistication of the attacks.

Fortunately, despite the delay in the adoption of proper countermeasures, many US critical infrastructures have not yet suffered a successful breach of their systems.

As usual there are different opinions: some say the report gives a false picture of the real security of national critical infrastructure, which is protected from external cyber attacks thanks to compliance with the mandatory standards set by NERC.

“The majority of those attacks, while large in number, are the same attacks that every business receives” through web-connected networks. “Those are very routine kinds of attacks and we know very well how to protect against those… Our control systems are not vulnerable to attack,” Arkansas Electric Cooperative Corporation Chief Executive Duane Highley told Reuters.

It is my opinion that, whatever the actual state of the infrastructure, it is necessary that all measures be taken to ensure protection from attacks of increasing complexity.

source: securityaffairs.co

Monday, April 22, 2013

US army discloses budget for cyber operations


It’s no mystery: every state, despite the spending review of its military budget, is continuing to reserve substantial investment for cyber security; in particular the majority of states are pushing research and development on both defensive and offensive cyber capabilities.

The US is one of the most advanced countries in cyber warfare; the US Government was one of the first to recognize the importance of operations in cyberspace and the necessity of considering it the fifth domain of warfare.

Until now, estimates of US expenses for cyber operations came from leading experts in the field, but for the first time the Pentagon has detailed $30 million in spending on Air Force cyber attack operations and new Army funding.

With the public disclosure of the budget for cyber operations, the US, and in particular the Defense Department, wants to give national taxpayers evidence of the effort spent on what is considered a critical component of the modern military.

Public opinion is dedicating ever more space to news related to cyber security and to the risks of a cyber attack against a country’s critical infrastructure; with the announcement the government wants to inform its population about its network assault programs and, of course, to warn those who intend to attack the country from cyberspace.

The Pentagon revealed its intent to constitute and fund new staff dedicated to offensive cyber operations for the exploitation of opponents’ networks and infrastructures.

This week the document titled “Fiscal Year (FY) 2014 Budget Estimates – OPERATION AND MAINTENANCE, AIR FORCE” circulated, explaining how the US intends to invest the money; let’s analyze in detail the amount of money reserved by the US Administration.

The Air Force in fiscal 2014 will reserve $19.7 million for “offensive cyber operations”; the expense will support operational cyber operations, personnel training and research and development activities. In a cyber warfare scenario a crucial role is played by the cyber tools used to exploit an opponent’s structures, so the US estimates it needs $9.8 million for the development of new cyber tools to use in cyber operations.

The Pentagon also proposed hiring new personnel, 65 units, to dedicate to cyber missions; the mission assigned to Cyber Command is critical because it is responsible for deflecting incoming assaults from cyberspace against the country’s critical infrastructure.

Of course part of the funds will be dedicated to Defense Cyber Operations to protect the country’s data and infrastructure from cyber attacks, sabotage and cyber espionage.

Following is a portion of the “Summary of Funding Increases and Decreases” related to the “cyber commitment”:

Transfers In

Transfers Out



The Nextgov portal reported that the US government chose to divulge this information “because cyber offense will be a standard line item from now on and the public needs to understand what it is paying for.”

To those taxpayers who asked for a justification of the investments in cyberspace while the defense budget is being cut, Air Force spokesman Maj. Eric Badger replied:

“We are committed to maintaining the right balance of integrated cyber capabilities and forces that are organized, equipped and trained to successfully conduct operations in cyberspace. We’re equally as committed to doing so in a way that’s respectful of the taxpayers’ dollar.”

“We know the Air Force’s capabilities in cyber are going to continue to be touchstones for the whole joint team, the whole of government and for the private sector,” the official added.

According to Nextgov, a further $4.9 million will be dedicated to the development of “computer network exploitation” and “computer network attack” capabilities.

Of course there is no shortage of controversy over military spending; analysts accused the government of excessive and duplicated hacking investments. Todd Harrison, senior fellow for defense budget studies at the Center for Strategic and Budgetary Assessments, criticizes the dispersion of cyber attack spending to fund different commands within the US military:

“Do we really want each service going off and developing their own capabilities for these threats? How much redundancy are we building across the services in the areas of cyber? What is unique to the Army? Maybe it’s time to give Cyber Command more budget authority,” Harrison said.

Other military experts said the services might be giving away these details to ward off potential foes on the Internet.

I will not go into the merits of the distribution of spending and allocation of responsibilities for operations in cyberspace, but I believe that investment in cyber security is crucial for the cyber strategy of each country … Probably the funds allocated are still too small compared to the need for cyber security.

source: http://securityaffairs.co

CISPA approved by House of Representatives....


A nightmare come true: last Thursday the United States House of Representatives approved the debated cyber security bill; the act will force any company to give away all the user data it collects if asked by the government, trampling all claims of privacy of people on the Internet in the name of security.

The Cyber Intelligence Sharing and Protection Act (CISPA) passed with a 288-127 vote, also receiving support from 92 Democrats; now the bill goes to the Senate and then to the President’s office.

It’s the second time that the United States House of Representatives has passed the challenged bill; the US Senate already rejected the first draft of the bill, which does not appear different from this second one, due to the lack of protection of users’ privacy. Probably the bill has been framed in the wrong way: we all agree on the need to reinforce security in cyberspace too, and of course to do this the US government requests greater power of action.

During the last months the worldwide Internet community expressed great concern at the possibility of a reintroduction of the Cyber Intelligence Sharing and Protection Act (CISPA) before the US House by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.).

Recent events have conditioned the decision to reintroduce the bill; many Americans are starting to be aware of the risks related to the improper use of the Internet, and they understand that we can protect sea, land, sky and space, but leaving the Internet uncontrolled is like leaving the door of a fortress open.

Parts of the bill are necessary to improve the security of the US against cyber attacks; let’s remember that it establishes a strict collaboration between central government and private companies to protect their infrastructure, and “information sharing” is the watchword. The US Government and private business need to share information on the cyber attacks they suffer to allow the authorities to activate their alert network. Although the concept may seem obvious, today it does not happen so often: hacked companies do not disclose the news in order to avoid any negative impact on corporate reputation, and the consequences can be disastrous.

Following are the statements used by Rogers to support the bill:

“This is clearly not a theoretical threat – the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear.”

“American businesses are under siege. We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats. It is time to stop admiring this problem and deal with it immediately.”

“We’re talking about exchanging packets of information, zeroes and ones, if you will, one hundred million times a second. So some notion that this is a horrible invasion of content reading is wrong. It is not even close to that.”

The other co-author of the bill, Dutch Ruppersberger, declared during debate on the issue that $400bn worth of American trade secrets are stolen from US companies every year.

“If your house is being robbed, you call 911 and the police department comes. That’s the same scenario we are looking at here,” he said.

Various companies, including the social network giant Facebook, confirmed their support for the cyber security bill. The following is the statement of Joel Kaplan, Facebook Vice President:

“One challenge we and other companies have had is in our ability to share information with each other about cyber attacks. When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack,” “Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.”

At the same time, however, the Reuters agency reported the opposition of Microsoft and Facebook to the bill.

Web companies including Google, Wikipedia and Twitter expressed disappointment with the debated bill, warning of possible violations of digital freedoms and users' privacy.

The American Civil Liberties Union is one of 34 groups that wrote to lawmakers this week urging them to oppose the bill. Michelle Richardson, legislative counsel at the ACLU's Washington Legislative Office, commented on the act with the following words:

“CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information,”

Of course there is a side effect that is far from negligible: private companies handle users' data every day and guarantee non-disclosure to protect their privacy. Privacy advocates and hacktivist groups such as Anonymous are mobilizing to protest against the bill, which they consider poorly drafted and a serious menace to freedom of expression and civil liberties.

The Anonymous collective has been invited to publish a page explaining the bill and the ways it could violate our privacy; meanwhile House Minority Leader Nancy Pelosi expressed great concern that CISPA fails to balance security and privacy.

“I’m disappointed that we did not address some of the concerns mentioned by the White House about personal information,” Pelosi said. “Unfortunately, it offers no policies and did not allow any amendments or real solution that upholds Americans’ right to privacy.”

The Center for Democracy and Technology states that CISPA would allow Internet Service Providers (ISPs) to “funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.”

The bill would in fact allow the government to obtain complete control over the Internet, censoring any suspect content that could represent a threat to national security.

Do we need to sacrifice our privacy in the name of security? Is it really necessary?

source: http://securityaffairs.co

Saturday, April 13, 2013

Hacking an Airplane


An alarming dispatch from the Hack In The Box security conference in Amsterdam arrived on Wednesday: a hacker says he's found a way to take over airplane controls. That's probably not true. At least according to the Federal Aviation Administration (FAA), the European Aviation Safety Agency (EASA) and Honeywell, the maker of the cockpit software, it's not. The FAA, for one, says, "The described technique cannot engage or control the aircraft's autopilot system using the FMS or prevent a pilot from overriding the autopilot." The agency assures America that this hack "does not pose a flight safety concern because it does not work on certified flight hardware."

So why did Hugo Teso, the German hacker in question, tell everybody at the conference, as well as the countless journalists who've latched on to the story, that he could take over the software? Well, Teso says he's successfully taken over a plane's controls in a flight simulator on his desktop computer at home. Hoping to expose some of the security flaws in planes' flight management systems (FMS), Teso bought some FMS hardware on eBay as well as some FMS software that, according to Forbes, "was advertised as containing some or all of the same code as the systems in real planes" and gave it a go. And he did it! Teso said that his technique would send radio signals to the plane and hijack its controls. "You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."

To recap that order of events: hacker buys equipment from eBay, loads up software that may contain "some or all of the same code" that's on commercial jets and, in a flight simulator, hijacks a plane. Come to think of it, that does sound a little reach-y, doesn't it? The whole thing seems even less believable if you check out the slides he used during the presentation, complete with images from The Matrix and Japanese manga. One reason the story felt like it could be feasible is that there have been warnings from all sides of the cyber security industry about vulnerabilities in air traffic control software. This has been happening for years, and the FAA has actually admitted to risks in that arena.

We're not trying to say that Teso's making all this up. But hacking into your desktop computer's flight simulator is something that middle school kids do in technology class. It's not reason to strike fear into the hearts of millions. But hey, at least Teso seems well intentioned. You certainly can't say that about all hacker-types these days.

Credits to Original Author : Adam Clark Estes | The Atlantic Wire

Friday, April 5, 2013

Anonymous Hacker Arrested


A 17-year-old alleged hacker accused of being associated with Anonymous appeared in Parramatta Children's Court on Friday over multiple unauthorised access offences allegedly committed on behalf of the hacktivist collective.

The Australian Federal Police (AFP) issued a statement on the matter, saying that a search warrant was executed at the youth's home in Glenmore Park, New South Wales, in November last year.

The youth has been charged with six counts of unauthorised modification of data to cause impairment, one count of unauthorised access with intent to commit a serious offence, one count of possession of data with intent to commit a computer offence, and 12 counts of unauthorised access to restricted data.

"Australian Federal Police investigates various types of cybercrime and will continue to take a strong stance against these perpetrators," the statement reads. The suspected hacker faces a maximum of 10 years in jail if convicted and will face court again on May 17.

The AFP says the accused was charged with the following:
"Six counts of unauthorised modification of data to cause impairment, which carries a maximum penalty of 10 years imprisonment;
One count of unauthorised access with intent to commit a serious offence, which carries a maximum penalty of 10 years imprisonment;
One count of possession of data with intent to commit a computer offence, which carries a maximum penalty of 3 years imprisonment; and
Twelve counts of unauthorised access to restricted data, which carries a maximum penalty of 2 years imprisonment."
Police said, "protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue."

Source: TheHackerNews.com

Sunday, March 17, 2013

Microsoft Flaw allows USB with Payload to Bypass Security Controls


This flaw allows anyone with a USB thumb drive loaded with the payload to bypass security controls and access a vulnerable system even if AutoRun is disabled and the screen is locked, exposing Windows PCs to a major risk. Remember that the Stuxnet worm was introduced into the systems of Iran's nuclear programme using USB thumb drives.
In the March 2013 Patch Tuesday release Microsoft issued seven new security bulletins, four rated Critical and the others Important. The most interesting one is MS13-027, which is rated only "important" because the attack requires physical access to the vulnerable machine.

Windows typically discovers USB devices when they are inserted or when they change power source (for example, if they switch from plugged-in power to being powered from the USB connection itself).

To exploit the vulnerability an attacker could add a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel.

Because the vulnerability is triggered during device enumeration, no user intervention is required. In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine.

Microsoft admits the flaw could "open additional avenues of exploitation that do not require direct physical access to the system," once the USB-based exploit is successful.
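As an added illustration (not Microsoft's code and not the MS13-027 bug itself, which the bulletin does not detail), the following Python walks a USB configuration descriptor blob the way a host driver must: every bLength and the wTotalLength field are device-supplied, so each is checked against the bytes actually transferred before it is used as an index. The sample descriptor blobs are constructed for this example; the malformed variants are the kind of input a hostile device can return during enumeration, and a parser that trusts them is the class of bug the bulletin describes.

```python
import struct

# Standard USB descriptor types (USB 2.0 specification, table 9-5)
DT_DEVICE, DT_CONFIG, DT_STRING, DT_INTERFACE, DT_ENDPOINT = 1, 2, 3, 4, 5

# Sizes the specification fixes for the standard descriptors. Endpoint
# descriptors are at least 7 bytes (audio-class devices append two more).
EXACT_LENGTH = {DT_DEVICE: 18, DT_CONFIG: 9, DT_INTERFACE: 9}
MIN_LENGTH = {DT_ENDPOINT: 7}


class DescriptorError(ValueError):
    """Any descriptor blob a host must refuse to walk."""


def parse_configuration(blob):
    """Walk the buffer returned by GET_DESCRIPTOR(CONFIGURATION).

    Returns a list of (bDescriptorType, body) tuples. Every bLength and the
    wTotalLength field come from the device, i.e. from the attacker when the
    device is hostile, so each is validated against the bytes actually
    received before it is used to index the buffer.
    """
    n = len(blob)
    if n < 9 or blob[0] != 9 or blob[1] != DT_CONFIG:
        raise DescriptorError("buffer does not start with a 9-byte configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total > n:
        # Device claims more data than was transferred: trusting it means reading past the buffer.
        raise DescriptorError(f"wTotalLength {total} exceeds the {n} bytes received")

    descriptors = []
    off = 0
    while off < total:
        if total - off < 2:
            raise DescriptorError(f"dangling byte at offset {off}")
        blen, btype = blob[off], blob[off + 1]
        if blen < 2:
            # bLength 0 or 1 would make the walk stall or go backwards.
            raise DescriptorError(f"bLength {blen} at offset {off} is shorter than its own header")
        if off + blen > total:
            # The classic over-read: the descriptor claims bytes that are not there.
            raise DescriptorError(f"descriptor at offset {off} claims {blen} bytes, {total - off} remain")
        if btype in EXACT_LENGTH and blen != EXACT_LENGTH[btype]:
            raise DescriptorError(f"type {btype} descriptor must be {EXACT_LENGTH[btype]} bytes, got {blen}")
        if btype in MIN_LENGTH and blen < MIN_LENGTH[btype]:
            raise DescriptorError(f"type {btype} descriptor needs {MIN_LENGTH[btype]} bytes, got {blen}")
        descriptors.append((btype, bytes(blob[off + 2:off + blen])))
        off += blen
    return descriptors


def is_rejected(blob):
    """True when the blob fails validation (quick triage of captured descriptors)."""
    try:
        parse_configuration(blob)
    except DescriptorError:
        return True
    return False


# Constructed sample: a well-formed configuration for a one-interface,
# two-endpoint bulk device (config 9 + interface 9 + endpoint 7 + endpoint 7 = 32 bytes).
GOOD_CONFIG = bytes([
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   # wTotalLength = 0x0020
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,   # mass-storage interface, 2 endpoints
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,               # bulk IN,  wMaxPacketSize 512
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,               # bulk OUT, wMaxPacketSize 512
])

# Constructed hostile variants, each changing a single device-controlled length field.
BAD_OVERRUN = bytearray(GOOD_CONFIG)
BAD_OVERRUN[18] = 0x40          # first endpoint claims 64 bytes while only 14 remain
BAD_ZERO = bytearray(GOOD_CONFIG)
BAD_ZERO[9] = 0x00              # interface descriptor with bLength = 0
BAD_TOTAL = bytearray(GOOD_CONFIG)
BAD_TOTAL[2:4] = b"\x00\x10"    # wTotalLength = 4096 inside a 32-byte buffer
BAD_SHORT_EP = bytearray(GOOD_CONFIG)
BAD_SHORT_EP[25] = 0x05         # endpoint descriptor shorter than the spec minimum

if __name__ == "__main__":
    samples = [("good", GOOD_CONFIG), ("overrun", BAD_OVERRUN), ("zero", BAD_ZERO),
               ("total", BAD_TOTAL), ("short_ep", BAD_SHORT_EP)]
    for name, blob in samples:
        print(f"{name:9s} rejected={is_rejected(blob)}")
```

In a kernel driver the same checks stand between the device's bytes and a `memcpy` into a fixed-size structure; the Python version simply raises where C would corrupt memory.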

The vulnerabilities addressed by Microsoft do not include those exploited by security researchers at the recent Pwn2Own hacking competition at the CanSecWest Conference in Vancouver.

source: http://thehackernews.com

9/11 Cyber Doomsday


Senators want to evaluate how well the nuclear stockpiles of foreign governments are protected against cyber attacks; the question was raised after the Pentagon's chief cyber officer admitted he does not know whether countries such as Russia or China have adopted effective countermeasures.

Sen. Bill Nelson, D-Fla., and Armed Services Committee Chairman Sen. Carl Levin, D-Mich., will request from the intelligence community an assessment of the ability of foreign states to safeguard their networked nuclear systems.

"In this new world of cyber threats, we of course have to be responsible for ours, but we have to worry about those others on the planet that have a nuclear strike capability, of protecting theirs against some outside player coming in and suddenly taking over their command and control," Nelson declared.

Last week the Defense Science Board (DSB), a federal advisory committee, published a report titled “Resilient Military Systems and the Advanced Cyber Threat”; the document presents alarming scenarios in which the US military is considered unprepared for a full-scale cyber conflict.


The DSB analysis alerts the Pentagon to the need to improve its cyber capabilities: a top-tier adversary represents a serious menace in case of cyber war, and the analysts believe the various initiatives conducted by the US Government are not sufficient to face sophisticated cyber attacks by hostile countries. The report remarks that the Defense Department “is not prepared to defend against these threats” and that its efforts lack proper coordination; the document also alerts central authorities to a “fragmented” dispersion of commitments.

“Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat. DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems.”

The study by the Defense Science Board also urges the intelligence community to maintain the threat of a nuclear strike as a deterrent to a major cyber attack.

“DoD needs to take the lead and build an effective response to measurably increase confidence in the IT systems we depend on (public and private) and at the same time decrease a would-be attacker’s confidence in the effectiveness of their capabilities to compromise DoD systems.” The report also cites “the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems”.

These statements are concerning: attackers don't need sophisticated computing platforms to hit the country in its vital centers, since the tools are readily available on the Internet.

Gen. C. Robert Kehler, chief of U.S. Strategic Command, which oversees Cyber Command, highlighted the need for intelligence activities to evaluate the security level of foreign infrastructures, but he also stressed the need to evaluate the potential for a cyber attack on U.S. nuclear command and control systems and weapons systems.

The general admitted he has no information on the capabilities of other governments to respond to a cyber offensive against their nuclear plants and arsenals. A cyber attack could directly hit the control system of a critical infrastructure, but it could also compromise a military system such as an intercontinental missile that could then be turned against other assets of the country.

"What about the Russians and the Chinese? Do they have the ability to stop some cyber-attack from launching one of their nuclear intercontinental ballistic missiles?" probed Sen. Bill Nelson, D-Fla., a member of the Armed Services Committee.

"Senator, I don't know," answered Kehler, who was testifying on Tuesday at a committee hearing.

As noted in the Defense Science Board report, attacks against US infrastructures, including defense weapons, could be conducted by various actors; state-sponsored attacks appear to be the most significant, but the intelligence community is aware of the menace represented by cyber terrorists and cyber criminals.

Cyber terrorism is one of the most debated aspects at the moment: hitting a critical infrastructure with a cyber attack has the same effect as a conventional attack but has the advantage of being easier to manage. The recruitment of cyber mercenaries and the availability on the Internet and in the underground of tools that attackers could use to cause considerable damage, as demonstrated by the U.S. cyber units, may increase the risk of cyber attacks conducted for terrorist purposes.

We read in the newspapers words such as cyber “9/11” and “cyber doomsday”, words that evoke death, destruction and scary scenarios but above all describe a real danger not to be underestimated; that's why the top U.S. intelligence official, in another Senate chamber, named cyber first on his list of current transnational threats.

An article on Nextgov portal states: “There is a danger that unsophisticated attacks by highly motivated actors would have “significant outcomes due to unexpected system configurations and mistakes” or that a vulnerability in one spot “might spill over and contaminate other parts of a networked system," James Clapper, national Intelligence director, testified before the Intelligence Committee on Tuesday. “

What about the security of U.S. nuclear command and control systems and weapons platforms?
Gen. C. Robert Kehler is cautiously optimistic: he is confident that U.S. command and control systems and nuclear weapons platforms "do not have a significant vulnerability". The official also remarked that while there is a "fairly decent transparency" with Russian government officials on missile capabilities, the same is not true of China.

My interpretation of the general's words is that, despite the opening towards the two governments, there is much diplomatic work still to be done on the definition and unanimous acceptance of a framework regulating the use of cyber weapons that menace the security of critical systems. We are in an extremely critical period of transition: most governments are working on the production of cyber weapons and conducting covert cyber espionage campaigns. Alongside historical powers such as Russia and China there are dangerous states such as Iran and North Korea and a plethora of independent actors, cyber terrorists and cyber criminals, so it is crucial to know the capabilities of the opponents but also to enhance one's own.

source: http://thehackersnews.com

Indian pentester discovers a flaw in Google Drive

As usual I was reading the news on The Hacker News security portal when a post attracted my attention: another security issue related to an IT giant, Google. The Indian penetration tester Ansuman Samantaray discovered a security flaw in Google Drive that exposes millions of Google users to the threat of phishing attacks.



Too bad that Google ignored the warning, underestimating the risks and replying to the researcher that

“It is just a mere phishing attempt, not a bug in Google”

On December 20th Ansuman Samantaray reported a JavaScript execution vulnerability in Google Drive files, but the Google Security Team rejected it the day after. The researcher's thesis is that the flaw could be exploited for phishing attacks.

An attacker could exploit the way Google Drive previews documents in the browser: code contained in an uploaded file can be executed as HTML/JavaScript just by changing the value of a parameter called “export” in the URL.

Analyzing the URL used to download a file uploaded or created on Google Drive/Docs, one notes the value “download” for the parameter “export”, which makes the browser download the document:

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download

The Indian pentester demonstrated that if an attacker changes the “export” parameter to “view”, the malicious code written in the document file is executed by the browser:

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view


The Hacker News team also provided proof of the flaw: they uploaded a file to Google Drive and linked it using the export value download,

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=download

while the following is the same link using the view value for the export parameter.

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=view

The document contains JavaScript code that displays a fake authentication box asking the user to enter his password to re-authenticate before viewing the document.


Once the password is submitted, the script captures it in a log file and redirects the user to the Google Drive homepage.

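As an added example (not from The Hacker News or Google), here is a small Python triage helper of the kind a mail or proxy filter could use: it recognises docs.google.com/uc links, reports whether export=view will make the browser render the file in place, and rewrites such links to export=download. It only classifies the rendering mode the post describes; it does not fetch or inspect the file, and an absent export parameter is reported as unknown rather than guessed. The sample input uses the URLs quoted above plus one unrelated Google URL.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

DRIVE_HOSTS = {"docs.google.com", "drive.google.com"}


def classify_drive_link(url):
    """Describe a Google Drive 'uc' link; return None for anything else.

    'inline' is True when export=view asks the browser to render the file in
    place instead of saving it, which is the mode the post above abuses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in DRIVE_HOSTS:
        return None
    if parts.path.rstrip("/") != "/uc":
        return None
    qs = parse_qs(parts.query)
    export = qs.get("export", [None])[0]      # absent export is reported as None, not guessed
    return {
        "file_id": qs.get("id", [None])[0],
        "export": export,
        "inline": export == "view",
    }


def rewrite_to_download(url):
    """Rewrite a Drive 'uc' link so the file is saved rather than rendered; other URLs pass through."""
    if classify_drive_link(url) is None:
        return url
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    qs["export"] = ["download"]
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


def flag_inline_links(urls):
    """Return the subset of urls that would render a Drive file inline."""
    flagged = []
    for u in urls:
        info = classify_drive_link(u)
        if info and info["inline"]:
            flagged.append(u)
    return flagged


# Sample input: the links quoted in the post plus an unrelated Google URL.
SAMPLE_URLS = [
    "https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download",
    "https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view",
    "https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=view",
    "https://www.google.com/search?q=drive",
]

if __name__ == "__main__":
    for u in flag_inline_links(SAMPLE_URLS):
        print("inline render:", u, "->", rewrite_to_download(u))
```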

The Hacker News team noted that the Google Security Team is no stranger to this kind of misjudgement: last week another Google Drive clickjacking flaw, which could also be extended to a phishing attack, was rejected by Google.

source: http://securityaffairs.co

NIST – National Vulnerability Database website hacked


The news is as curious as it is worrying: unknown hackers compromised the website of the US government repository of standards-based vulnerability management data, known as the National Vulnerability Database (NVD), last week.

The NVD website had been down since last Friday; fortunately, as I write it is up again. The attackers compromised at least two servers in a malware-based attack discovered on Wednesday.

NIST detected the malware on March 8th after observing suspicious activity, and two servers were taken offline: one machine ran the NVD website while the other hosted a half-dozen other sites, including manufacturing.gov, E3.gov, greensuppliers.gov, emtoolbox.nist.gov, nsreserve.gov, and stonewall.nist.gov.

It is curious that the site meant to enable the automation of vulnerability management, security measurement and compliance fell victim to an attack; remember that NVD also provides information on software flaws and misconfigurations and distributes impact metrics and security checklists.


In the days when the site was down, its home page stated:

“The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available.”

Kim Halavakoski, Chief Security Officer at Crosskey Banking Solutions, revealed in a post on Google+ that he had received the following information from the NIST Public Inquiries Office:

“On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability.”

He also added that there is no evidence that the NVD website was used to spread malware to its visitors, a scheme recently adopted in many cases using the technique known as a watering hole attack, a method to infect on a large scale the visitors of legitimate websites.

The attackers exploited a vulnerability in Adobe's ColdFusion web development software, according to NIST (National Institute of Standards and Technology) spokeswoman Gail Porter, who declared that the malware was inserted before the patch Adobe issued on January 15.

The mission of the NVD is to help organizations, private companies and individuals improve the protection of their IT infrastructures from cyber threats; many government agencies and private businesses use the database, so by infecting the NVD with malware hackers could infect an impressive number of visitors.

The hack of the National Vulnerability Database (NVD) reinforces the conviction that the US needs a stronger effort to improve cyber security, the same conviction expressed by President Barack Obama in meetings on Wednesday and Thursday with corporate leaders, according to a Bloomberg post.

Improving cyber capabilities and mitigating cyber attacks is possible only if private companies and governments increase their collaboration and the US Government reaffirms its commitment.

source: http://securityaffairs.co

Sunday, March 10, 2013

Phishers Hijack Facebook Page using Apps


Hijacking Facebook pages
Another phishing campaign has recently come into action, targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information.


Not a new method, but a very creative phishing example on the Facebook hacking scene: the hacker hosts the phishing page on Facebook's own app subdomain, designed to look very similar to the Facebook Security team's pages, with the title 'Facebook Page Verification' and the Facebook Security logo, as shown in the screenshot posted above.


Phishing app URL: https://apps.facebook.com/verify-pages/
Application hosted on: https://talksms.co.uk/


The phishing page asks users to enter the URL and name of a page the victim owns, together with his Facebook login email ID and password. Once the victim is trapped in the hacker's web, the phisher records the information.

Another interesting fact is that the phishing domain https://talksms.co.uk/ is an HTTPS site with a valid SSL certificate issued by GeoTrust. A valid certificate only proves control of that domain name; it says nothing about whether the site is legitimate, so the padlock is no defence here.



Once someone has been phished, the hacker hijacks all their pages and groups for his own use or for sale.

Three Facebook pages with millions of fans were hijacked last night by the hacker using this phishing page, and there may be many more victims that are currently unknown to us.

Hacker Pages are :
https://www.facebook.com/funHETU
https://www.facebook.com/getInspiration
https://www.facebook.com/bySmiles
We found that after hijacking these pages, the hacker started spamming his own blog (http://teenquotes2013.blogspot.in) through a Facebook page (i.e. https://www.facebook.com/This.Is.Teen.Quote). Facebook Insights shows that the hacker's Facebook page gained 96,000 followers in the last two months.

We have informed the Facebook security team about the issue and hope that Facebook will suspend all similar phishing pages as soon as possible. The original Facebook page admins are also looking for help from the Facebook team to get their pages back.

Facebook users are advised to follow best practices to avoid phishing attacks:
Do not click on suspicious links in email messages
Do not provide any personal information when answering an email
Do not enter personal information in a pop-up page.
Report fake websites and email (for Facebook, send phishing complaints to phish@fb.com)

source: thehackernews.com

Wednesday, March 6, 2013

Java 0day malware signed with certificate stolen from Bit9

According to security experts, the numerous cyber attacks that hit major IT companies, news agencies and government offices exploited zero-day vulnerabilities in Java software, to the point that many recommend uninstalling the Java plug-in from the browser unless absolutely necessary.




The discovery that malware was signed with stolen digital certificates to elude victims' defense systems and infect their machines caused the same clamor in the past.

This time the two events have combined for the success of the recent attacks: the malware used in a zero-day Java exploit was signed with certificates stolen from the security firm Bit9, which was itself hit by a cyber attack.

There is no peace for Java: the malicious code targets the latest versions of the software, Java 6 Update 41 and Java 7 Update 15, released a couple of weeks ago.

The shocking revelation was made by researchers at the security firms FireEye and CyberESI, who discovered the attack, which exploits the vulnerability tracked as CVE-2013-1493 and is able to compromise both versions of Java.

The researchers found that the malicious code used in the exploits is the same found in the recent attack on the security firm Bit9; according to FireEye the exploit downloads McRat, a remote access trojan. Security analysts also observed that once the victims are infected, the malware contacts a C&C server at IP address 110.173.55.187, exactly the same server used in the attack against Bit9 and described by Bit9 itself in a blog post:

“It contains one (1) export: “DllRegisterServer”. When this function is called, the malicious DLL beacons to IP address “110.173.55.187” over port 80.”

The following information was found about the 110.0.0.0-110.255.255.255 net range:

OrgName: Asia Pacific Network Information Centre

The Krebsonsecurity.com blog published the following eloquent statement by Alex Lanstein, a senior security researcher at FireEye:

 “Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,”.

Security researchers at Symantec have proved the links between the malware (dubbed “Naid” by Symantec) and the attacks against Bit9: in July 2012, attackers stole certificates from Bit9 to sign malicious code.

According to Symantec this is a watering hole attack, which infects users while they visit a compromised website; obviously hackers target websites attractive to their intended victims. The recent attacks against Apple, Facebook and Microsoft exploited a zero-day flaw in the Java browser plugin while victims visited a particular site.

The Symantec post states:

“As seen in figure 1, the initial stage of the attack involves a target visiting a compromised site that hosts a malicious JAR file, detected by Symantec as Trojan.Maljava.B. The JAR file contains the exploit CVE-2013-1493 which, if successful, downloads a file called svchost.jpg that is actually an MZ executable, detected by Symantec as Trojan.Dropper. This executable then acts as a loader for the dropped appmgmt.dll file, detected as Trojan.Naid”.

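As an added example (not from FireEye, Symantec or Bit9), the following Python hunts for two of the indicators quoted above in proxy logs and downloaded files: beacons to 110.173.55.187 over port 80, whose regular timing separates a timer-driven implant from human browsing, and a second stage served under an image name (svchost.jpg) that actually begins with an MZ header. The log lines, their squid-style layout, the cdn-example.net host and the /index.asp path are all constructed for this example; only the C2 address, port and the file-name trick come from the write-ups.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted on this page from the FireEye / Symantec / Bit9 write-ups
C2_IP = "110.173.55.187"
C2_PORT = 80
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
PE_MAGIC = b"MZ"          # DOS/PE header; what "svchost.jpg" actually begins with

# Constructed sample in a squid-style access.log layout (assumed format:
# "<epoch> <elapsed_ms> <client> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>").
# Hosts, paths and timing are invented for this example.
SAMPLE_LOG = """\
1362524400.101   45 10.1.2.33 TCP_MISS/200 1842 GET http://intranet.example/news.html - DIRECT/10.1.9.9 text/html
1362524460.404  120 10.1.2.33 TCP_MISS/200 48211 GET http://cdn-example.net/app/loader.jar - DIRECT/203.0.113.7 application/java-archive
1362524461.222   98 10.1.2.33 TCP_MISS/200 99328 GET http://cdn-example.net/app/svchost.jpg - DIRECT/203.0.113.7 image/jpeg
1362524470.003   31 10.1.2.33 TCP_MISS/200 412 POST http://110.173.55.187/index.asp - DIRECT/110.173.55.187 text/html
1362524530.010   30 10.1.2.33 TCP_MISS/200 410 POST http://110.173.55.187/index.asp - DIRECT/110.173.55.187 text/html
1362524590.009   29 10.1.2.33 TCP_MISS/200 411 POST http://110.173.55.187/index.asp - DIRECT/110.173.55.187 text/html
1362524600.500   12 10.1.2.40 TCP_HIT/200 5120 GET http://intranet.example/logo.jpg - NONE/- image/jpeg
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one access.log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    u = urlsplit(rec["url"])
    rec["host"] = u.hostname
    rec["port"] = u.port or (443 if u.scheme == "https" else 80)
    return rec


def find_c2_hits(log_text):
    """Records that reached the C2 address on its known port, by URL host or by the peer the proxy used."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] == C2_PORT and C2_IP in (rec["host"], rec["peer"]):
            hits.append(rec)
    return hits


def beacon_gaps(hits):
    """Per client, the seconds between successive C2 contacts."""
    by_client = defaultdict(list)
    for rec in hits:
        by_client[rec["client"]].append(rec["ts"])
    return {c: [round(b - a, 1) for a, b in zip(ts, ts[1:])]
            for c, ts in by_client.items() if len(ts) > 1}


def is_regular(gaps, tolerance=0.1):
    """True when every gap is within tolerance*mean: timer-driven beaconing, not a human clicking."""
    if len(gaps) < 2:
        return False
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


def is_masquerading_executable(filename, data):
    """A file named like an image whose first bytes are a PE/DOS header, as with the svchost.jpg stage."""
    return filename.lower().endswith(IMAGE_EXTS) and data[:2] == PE_MAGIC


# Constructed file contents: a PE stub and a real JPEG start-of-image marker.
FAKE_JPG_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for client, gaps in beacon_gaps(hits).items():
        print(f"{client}: {len(gaps) + 1} contacts with {C2_IP}, gaps={gaps}, regular={is_regular(gaps)}")
    print("svchost.jpg is PE:", is_masquerading_executable("svchost.jpg", FAKE_JPG_PE))
```

The jitter tolerance is a tuning knob: some implants randomise their sleep interval, so a strict 10% window catches only the naive timer; a per-client histogram of gaps is the better view on real traffic.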



Security experts suggest disabling Java in the browser if it is not necessary, or at least disabling it until a patch is released by Oracle; but we cannot ignore that it is not certain Oracle will issue an update for retired versions of Java software such as Java 6.

We just have to wait for Oracle java software updates!

Sunday, March 3, 2013

Old School Hacker Spying on European Governments

Kaspersky Lab's team of experts recently published a new research report revealing that cyber criminals have targeted government officials in more than 20 countries, including Ireland and Romania, with a new piece of malware called 'MiniDuke'.

In a recent attack this week, the malware infected government computers in an attempt to steal geopolitical intelligence. The computers were infected via a modified Adobe PDF email attachment, and the perpetrators were operating from servers based in Panama and Turkey.

According to Kaspersky Lab CEO Eugene Kaspersky,"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world."


Last week Adobe released an update that patches the Adobe Reader bug (CVE-2013-0640) used in the attack. Once the PDF was opened, the MiniDuke malware would install itself on the victim's computer. It is not known what information the attackers are targeting.

MiniDuke attacks government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.

The malware also compromised the computers of a prominent research foundation in Hungary, two thinktanks, and an unnamed healthcare provider in the US.

source: http://thehackernews.com

Another Java 0day Vuln Exploited in the Wild


Do you still have Java installed? There is bad news for you! FireEye has detected yet another Java zero-day vulnerability being exploited in attacks in the wild.

The vulnerability affects browsers that have the latest versions of the Java plugin installed, Java v1.6 Update 41 and Java v1.7 Update 15, and FireEye warned that it is being exploited to install a remote-access trojan dubbed McRat. The researchers from the security firm wrote:

"Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process,"

"After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero."

The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month.

It is not known whether this particular Java vulnerability affects Windows only or Linux and Mac OS X too. However, McRat is a Windows trojan, so the in-the-wild attacks specifically target Windows users.

If you don't want any chance of being infected, the best thing to do is uninstall Java altogether.

source: http://thehackernews.com


Thursday, February 21, 2013

Mandiant report on APT1 & China’s cyber espionage units


Early this month news spread of a sophisticated cyber espionage campaign against major media agencies in the US, including the NYT and the Washington Post; the hackers tried to compromise the email accounts of journalists to steal sensitive information. The campaign appeared very aggressive: the hackers tried to infiltrate the newspaper's network using 45 instances of targeted malware, as revealed by the forensic analysis conducted by the security firm Mandiant.

Mandiant experts observed that the hackers began work, for the most part, at 8 a.m. Beijing time and operated for a standard work day, but the group also periodically stopped its attacks for a couple of weeks at a time.
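The working-hours observation above is an attribution heuristic that can be reproduced on any set of attacker timestamps. As an added example (not Mandiant's code or data), the Python below converts UTC event times to Beijing time, measures what fraction falls inside a 08:00-17:59 workday, and tries every whole-hour UTC offset to see which one best explains the pattern; the weekday breakdown is the companion check for a Monday-to-Friday rhythm. The event timestamps are constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))   # China Standard Time; no daylight saving
WORKDAY = range(8, 18)                   # 08:00-17:59 local, matching the "8 a.m. Beijing time" start

# Constructed sample: UTC times of attacker logons / check-ins over two days (not Mandiant's data).
# In UTC+8 these fall at 08:05, 09:12, 10:30, 11:45, 13:10, 14:20, 15:35, 16:50, 17:30 and one at 23:40.
SAMPLE_EVENTS_UTC = [
    "2013-01-07T00:05:00Z", "2013-01-07T01:12:00Z", "2013-01-07T02:30:00Z", "2013-01-07T03:45:00Z",
    "2013-01-07T05:10:00Z", "2013-01-07T06:20:00Z", "2013-01-07T07:35:00Z", "2013-01-07T08:50:00Z",
    "2013-01-07T09:30:00Z", "2013-01-07T15:40:00Z",
    "2013-01-08T00:05:00Z", "2013-01-08T01:12:00Z", "2013-01-08T02:30:00Z", "2013-01-08T03:45:00Z",
    "2013-01-08T05:10:00Z", "2013-01-08T06:20:00Z", "2013-01-08T07:35:00Z", "2013-01-08T08:50:00Z",
    "2013-01-08T09:30:00Z", "2013-01-08T15:40:00Z",
]


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(events_utc, tz):
    """Count events per local hour of day in the given zone."""
    return Counter(parse_utc(e).astimezone(tz).hour for e in events_utc)


def workday_fraction(events_utc, tz, workday=WORKDAY):
    """Share of events that fall inside local working hours."""
    hist = local_hour_histogram(events_utc, tz)
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(count for hour, count in hist.items() if hour in workday) / total


def best_fit_offset(events_utc, workday=WORKDAY):
    """The whole-hour UTC offset that puts the largest share of activity in the workday.

    Ties resolve towards the offset closest to UTC, so treat a narrow margin
    between neighbouring offsets as inconclusive rather than as attribution.
    """
    scores = {off: workday_fraction(events_utc, timezone(timedelta(hours=off)), workday)
              for off in range(-12, 15)}
    return max(scores, key=lambda off: (scores[off], -abs(off)))


def weekday_histogram(events_utc, tz):
    """Count events per local weekday name, e.g. {'Mon': 10, 'Tue': 10}."""
    return Counter(parse_utc(e).astimezone(tz).strftime("%a") for e in events_utc)


if __name__ == "__main__":
    print("workday share in Beijing time:", workday_fraction(SAMPLE_EVENTS_UTC, BEIJING))
    print("best-fit UTC offset:", best_fit_offset(SAMPLE_EVENTS_UTC))
    print("weekdays:", dict(weekday_histogram(SAMPLE_EVENTS_UTC, BEIJING)))
```

A workday share near 1.0 at a single offset is suggestive, not proof: operators who relay through compromised hosts in other zones, or who deliberately shift hours, will flatten or move the peak, which is why Mandiant paired this signal with infrastructure and language evidence.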

[Figure: APT1_Activity]

The New York Times reported:
“The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.”




[Figure: TimeLine_APT1]


A few weeks later the Mandiant Intelligence Center released a shocking report revealing an enterprise-scale computer espionage campaign dubbed APT1. The term APT1 refers to one of the numerous cyber espionage groups, and to one of the most prolific in the world in terms of the quantity of information stolen.


The evidence collected by the security experts links APT1 to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Unit Cover Designator 61398), but what is really impressive is that the operations started as far back as 2006 and have targeted 141 victims across multiple industries.


The report provides the following information on the now-famous Unit 61398:

The nature of “Unit 61398’s” work is considered by China to be a state secret; however, we believe it engages in harmful “Computer Network Operations.”
Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong  New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility  that is 12 stories high and was built in early 2007.
We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398’s physical infrastructure.
China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.
Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.
Mandiant has traced APT1’s activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.
The report also catalogs the malware families APT1 deployed during its attacks and reveals APT1's modus operandi (tools, tactics and procedures), including a compilation of videos showing actual APT1 activity.

Mandiant has also identified more than 3,000 indicators to improve defenses against APT1 operations and is releasing a separate document that details them, including APT1 domain names, IP addresses and MD5 hashes of its malware.

APT1 has systematically stolen hundreds of terabytes of data from victim organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

[Figure: Compromised_Industry]

APT1 is a persistent collector: once it has established access, it periodically returns to the victim's network to steal sensitive information and intellectual property over a long period, maintaining access to victim networks for an average of 356 days.

The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

The accompanying document also provides:

Thirteen (13) X.509 encryption certificates used by APT1.
A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons.
IOCs that can be used in conjunction with Redline™, Mandiant's free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant's commercial enterprise investigative tool.
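What a defender does with the three indicator types named above (domain names, IP addresses, MD5 hashes) is match them against local telemetry. The block below is an added example, not Mandiant's tooling and not the real APT1 indicator set: the indicator values are hypothetical placeholders in documentation address ranges, and the DNS log, proxy log and file inventory are constructed.

```python
"""Matching published indicators against local telemetry.

Added example, not Mandiant's tooling and not the real APT1 indicators. The
indicator values are hypothetical placeholders (RFC 5737 / RFC 2606 ranges);
the DNS/proxy log lines and the file inventory are constructed.
"""
import hashlib
import re
from typing import Dict, List, Set

# Hypothetical indicators in the shape of the report's appendices.
IOC_DOMAINS: Set[str] = {"update.example-bad.test", "mail.example-bad.test"}
IOC_IPS: Set[str] = {"203.0.113.10", "198.51.100.7"}
IOC_MD5: Set[str] = {hashlib.md5(b"constructed-sample-payload").hexdigest()}

# Constructed telemetry.
DNS_LOG: List[str] = [
    "2013-02-20T01:02:03Z host=ws17 query=www.example.com answer=93.184.216.34",
    "2013-02-20T01:05:41Z host=ws17 query=sub.update.example-bad.test answer=203.0.113.10",
    "2013-02-20T01:06:09Z host=ws22 query=intranet.corp.local answer=10.0.0.5",
]
PROXY_LOG: List[str] = [
    "2013-02-20T01:07:00Z src=10.1.2.3 dst=198.51.100.7:443 bytes=5120",
    "2013-02-20T01:08:00Z src=10.1.2.4 dst=10.0.0.9:80 bytes=300",
]
FILE_INVENTORY: Dict[str, bytes] = {   # path -> file content
    r"C:\Users\a\AppData\Local\Temp\svch0st.exe": b"constructed-sample-payload",
    r"C:\Windows\System32\notepad.exe": b"benign-bytes",
}


def domain_matches(name: str, iocs: Set[str]) -> bool:
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def scan_dns(lines: List[str]) -> List[str]:
    """Flag queries for indicator domains and answers that resolve to indicator IPs."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+) answer=(\S+)", line)
        if m and (domain_matches(m.group(1), IOC_DOMAINS) or m.group(2) in IOC_IPS):
            hits.append(line)
    return hits


def scan_proxy(lines: List[str]) -> List[str]:
    """Flag outbound connections whose destination is an indicator IP."""
    hits = []
    for line in lines:
        m = re.search(r"dst=([0-9.]+):\d+", line)
        if m and m.group(1) in IOC_IPS:
            hits.append(line)
    return hits


def scan_files(inventory: Dict[str, bytes]) -> List[str]:
    """Flag files whose MD5 is in the indicator set."""
    return [path for path, content in inventory.items()
            if hashlib.md5(content).hexdigest() in IOC_MD5]


if __name__ == "__main__":
    for label, hits in (("dns", scan_dns(DNS_LOG)), ("proxy", scan_proxy(PROXY_LOG)),
                        ("files", scan_files(FILE_INVENTORY))):
        print(label, hits)
```

Two caveats a practitioner would add: a hash indicator matches only a byte-identical file, so any rebuild of the malware evades it, and domains and addresses are rotated once published; the indicators are most useful for triage of past activity and should be paired with the behavioural descriptions (the tools and procedures) the report also documents.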
Mandiant's managers decided to make an exception to the firm's traditional non-disclosure policy because of the risks posed by this imposing cyber espionage campaign and its impact on the global economy; many states and industries are victims of the offensive.

The security firm's declaration is telling:

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively.  The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage.  Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.  We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”

The cyber war has started a long time ago!

source: http://securityaffairs.co

Saturday, February 16, 2013

Botnets for sale


The Internet is becoming a gold mine for criminals, who can easily obtain any kind of resource needed to arrange a cyber attack, a cyber espionage campaign or a complex banking fraud.

What is very scary is the simplicity with which it is possible to acquire any kind of criminal service in the underground, and the creativity of cyber criminals who offer sales models that are as efficient as they are cheap. In past posts I have presented information on sales in the underground market, especially the Russian one, which is considered the most active.

In the last month various malicious campaigns have been launched by cyber criminals with the specific intent of infecting the largest possible number of machines to build dangerous botnets. The availability of a great number of infected machines translates into valuable resources and services that cybercrime can market for considerable profit.

Cyber criminals are offering malware-infected hosts, also known as "loads", in a sales model that monetizes bot activity by renting out the compromised systems.

Of course the services offered are fully customizable: clients can choose the type of malware that infects the victims and their geographic location, so it is possible to rent US-based malware-infected hosts or machines in the European Union.

Security expert Dancho Danchev, in a post on the Webroot threat blog, revealed a newly launched underground service offering access to thousands of malware-infected machines at startlingly low prices: a thousand US-based hosts cost $200, a thousand EU-based hosts between $60 and $120, and a thousand hosts of an international mix only $20.



The different prices are calculated on the basis of the purchasing power and long-term value of a malware-infected host. US users are considered by cybercriminal organizations to be the wealthiest, and this pricing policy is widespread: in many cases malicious services that target US users are sold at higher prices. I would add that other considerations probably also enter into the cost evaluation, such as the specific demand in certain areas and the cost of keeping a botnet alive in countries where cyber security is more responsive.

A couple of years ago Dancho Danchev conducted an interesting study on botnet renting:

“The logical shift from static pricing lists, to the embracing of multiple pricing schemes such as price discrimination (differentiated pricing), or penetration pricing, naturally resulted in different prices for different targeted groups.”

What are the principal uses of thousands of infected hosts?

Typically the criminals are interested in arranging cyber frauds, and such a wide pool of machines can be used to launch the related malicious and fraudulent campaigns; in other cases they look for newly infected machines with a clean IP reputation, since IP reputation is an essential component of a botnet's efficiency.

The post highlights the use of "partitioned" access to a botnet to further disseminate malware variants; in many cases security experts discover interconnections between different malware families spread by the same group of compromised machines, a circumstance that suggests promiscuous use of the machines.

This sales model is ideal for criminals who want to spread malware without being bothered with botnet management and host recruiting; for the same reason cyber criminals opt to rent an exploit service.

Damballa Labs recently investigated a criminal infrastructure used by a person or group running a Critx exploit kit rental service.



The exploit kit is rented or leased on the group's own criminal infrastructure, for which the cyber criminals have already built up the malicious services, adopting all the necessary precautions, such as multiple IP addresses and redundancy, to survive takedowns.

A few months ago security researchers from Symantec discovered malware-infected computers being rented out as proxy servers on the black market. Cyber criminals used malware to turn infected computers into SOCKS proxy servers, to which access was then sold; the compromised hosts powered a commercial proxy service that tunnels potentially malicious traffic through them.

The examples provided demonstrate how prolific the sales model known as "malware as a service" is, a monetization scheme that we will encounter more and more often in the months to come.

source: http://securityaffairs.co

Facebook hacked by 0day




In recent months we have registered numerous high-profile attacks against intelligence agencies, government offices, media and social networking platforms. Twitter was the latest victim, but the attention of security experts was focused on Facebook, the biggest social network, with more than 1 billion members: a mine of information on the widest audience of users. Facebook is a single application that manages an impressive amount of data, and so it represents a privileged target for attackers.

Facebook revealed on Friday that it had been hit in January by an unidentified group of hackers; fortunately no user information was compromised during the attack.

What is really interesting is the level of sophistication of the malware-based attack that eluded the company's defenses: the attackers compromised a developer website and infected employees' machines when they visited it.

The infected laptops were fully patched and running up-to-date anti-virus software, which suggests the attackers exploited a zero-day vulnerability with an exploit hosted on the website.

The official statement reports:

“Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

Facebook's advisory confirms that the company's security teams are very active in the fight against cyber threats, thanks to intense collaboration with law enforcement and the security teams of other companies. The attack seems to have exploited a zero-day Java vulnerability well before the official announcement by Oracle.

“After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

The investigation is still ongoing, as confirmed by Facebook:

“We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”

Friday, February 8, 2013

Microsoft and Symantec = not fucking around



Microsoft teamed up with Symantec to take down a nasty malware family affecting thousands upon thousands of PCs. The Bamital botnet hijacked people's search experiences and redirected victims to potentially dangerous sites that could expose them to other online threats and steal their personal information.

Experts from the two organizations obtained a court order and shut down servers at a data center in New Jersey, and on Wednesday convinced operators in Virginia to shut down a server they control in the Netherlands.

The Bamital botnet threatened the US$12.7 billion online advertising industry by generating fraudulent clicks on Internet ads. Microsoft's research shows that Bamital infected more than 8 million computers over the past two years. Microsoft says that the botnet affected many major search engines and browsers, including Bing, Yahoo and Google offerings.

Bamital's organizers also had the ability to take control of infected PCs, installing other types of malware that could engage in identity theft, recruit PCs into networks that attack websites, and conduct other types of computer crime.

Now that the servers have been shut down, users of infected PCs are directed to a site informing them that their machines are infected with malicious software when they attempt to search the web.

It was the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010. Botnets are an increasing problem for security firms and computer users alike.

The complaint identified 18 "John Doe" ringleaders, scattered from Russia and Romania to Britain, the United States and Australia, who registered websites and rented servers used in the operation under fictitious names.

Chinese malware campaign 'Beebus' targets US defense industries





A Chinese malware campaign called 'Beebus' specifically targeting the aerospace and defense industries has been uncovered by FireEye security researchers. Beebus is designed to steal information, and begins its infiltration, as so many attacks do, with spear-phishing emails.

Operation Beebus is closely related to Operation Shady RAT and was first detected in April 2011. The attacks were carried out using spear phishing and drive-by downloads as means of infecting end users: malicious whitepapers or PDFs were mailed to targets and, by exploiting known flaws, the malware was able to install Trojan backdoors on vulnerable systems. The malware communicates with a remote command and control (CnC) server.

FireEye discovered the attacks on some of its customers in the aerospace and defence sectors last March. The Windows weakness known as DLL search order hijacking was used to drop a DLL called ntshrui.dll into the C:\Windows directory, where a process whose executable lives in that directory finds it before the legitimate copy in System32.
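A defender can look for the same trick generically. The block below is an added example, not FireEye's analysis code: given a directory listing (constructed here), it reports every DLL that exists both in System32 and in a directory that contains an executable, because under the default search order a process looks in its own executable's directory before System32, which is exactly why a copy of ntshrui.dll planted in C:\Windows, the home of explorer.exe, wins over C:\Windows\System32\ntshrui.dll.

```python
"""Spotting DLL search-order hijack candidates like the ntshrui.dll drop.

Added example, not FireEye's code. The listing is constructed; a real scan
would walk the volume with os.walk and then compare the signature or hash of
each planted copy with the System32 original.
"""
import ntpath
from typing import Iterable, List, Tuple

SYSTEM32 = r"C:\Windows\System32"

# Constructed listing of files on the volume.
LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\ntshrui.dll",             # planted copy, as in the Beebus drop
    r"C:\Windows\System32\ntshrui.dll",    # legitimate copy
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe",
    r"C:\Program Files\App\helper.dll",    # the app's own DLL, not in System32
]


def find_hijack_candidates(listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (planted_path, shadowed_system32_path) pairs.

    A DLL is a candidate when a file with the same name lives in System32 and
    the copy sits in a directory that also holds an .exe, i.e. the application
    directory, which the loader searches first.
    """
    paths = list(listing)
    sys32 = SYSTEM32.lower()
    system32_dlls = {
        ntpath.basename(p).lower() for p in paths
        if ntpath.dirname(p).lower() == sys32 and p.lower().endswith(".dll")
    }
    exe_dirs = {ntpath.dirname(p).lower() for p in paths if p.lower().endswith(".exe")}
    hits = []
    for p in paths:
        directory, name = ntpath.dirname(p).lower(), ntpath.basename(p).lower()
        if not name.endswith(".dll") or directory == sys32:
            continue
        if directory in exe_dirs and name in system32_dlls:
            hits.append((p, ntpath.join(SYSTEM32, name)))
    return hits


if __name__ == "__main__":
    for planted, original in find_hijack_candidates(LISTING):
        print(f"{planted} shadows {original}")
```

The check over-reports for names in the KnownDLLs list (kernel32.dll and friends), which the loader maps from System32 without a search, and it says nothing about whether the planted copy is malicious; that is what the follow-up signature and hash comparison is for. It also does not cover DLLs resolved from the current directory or PATH, which the search order consults after System32.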

It has modules to capture system information such as processor, disk, memory, OS, process ID, process start time and current user, and another module to download and execute additional payloads and updates.

The original PDF was modified using the Ghostscript tool to produce the weaponized PDF. Researchers believe that Beebus is a Chinese campaign because of its similarities to Operation Shady RAT.

The Beebus attackers also used TTPs (tools, techniques and procedures) identical to those of the RSA hack. Researchers believe that a group called "Comment Group" or "Comment Team", associated with the Chinese government, is behind the Operation Beebus campaign.

source: www.americannewsblog.com

Computer hacker accused of funding terrorists





A hacker, Cahya Fitrianta, was sentenced to eight years in prison by West Jakarta District Court judges for hacking into many commercial websites to steal money and channeling that money to terrorist groups.

He was also ordered to pay a Rp 500 million ($51,000) fine. He was charged with breaking into many sites, running online fraud worth billions of dollars, and channeling that money to terrorist training in Poso, Central Sulawesi.

Cahya was arrested in May last year in a Bandung hotel, along with another man, Rizki Gunawan. Police arrested Rizki in May, accusing him of hacking a marketing firm's website to steal money in order to fund militant training.

Both are accused of channeling money to terrorism suspect Umar Patek, who was sentenced this year to 20 years for his role in the 2002 Bali bombing.

“Aside from engaging in a vicious conspiracy, the defendant was also found guilty of laundering money, which he obtained from hacking the www.speedline.com website and used the proceeds to fund military training in Poso”

Meanwhile, the prosecutors decided to appeal, because the sentence is lighter than the 12 years they had demanded.

source www.americannewsblog.com

Friday, February 1, 2013

How the US is Preparing for Cyber Defense



Every government conscious of the strategic importance of cyber security, and of other countries' investments in cyber warfare capabilities, is stepping up its efforts. Last week I wrote about the Russian government and Putin's request to reinforce the garrison of the fifth domain, cyberspace, through a series of investments to secure national critical infrastructure from cyber attacks; in previous months we have spoken of Iran, China and North Korea. All these governments are moving the battlefield into the digital world.

The US and Israel are considered the most advanced countries in the cyber warfare context; according to the international specialized press they were involved in the creation of the first worldwide-recognized cyber weapon, Stuxnet, and of many related spy toolkits such as Flame.

According to US officials, the government "is constantly looking to recruit, train and retain world class cyber personnel."

Both governments, US and Israeli, are improving their cyber capabilities in response to the high number of cyber attacks they suffer daily. The Pentagon has announced a major expansion of its cyber army to defend national infrastructure, as well as to empower offensive computer operations against hostile states.

The US government has decided to increase the Defense Department's Cyber Command by 4,000 personnel; considering that the Command currently consists of 900 specialists, the resources dedicated to operations in cyberspace will more than quadruple.

The expansion will create the following three distinct forces under the Defense Department's Cyber Command:

"national mission forces", responsible for the protection of computer systems that support the nation's power grid and critical infrastructure;
"combat mission forces", responsible for offensive operations;
"cyber protection forces", responsible for the security of the Pentagon's own computer systems.
William J. Lynn III, a former deputy defense secretary who worked on the Pentagon's cyber security strategy, declared:

“The threat is real and we need to react to it,”

The Pentagon has started various projects and initiatives involving private companies, universities and even computer-game companies to develop technologies that improve its cyber warfare capabilities.

The Obama administration is investing massively in cyber warfare, preparing its structures to respond to cyber threats and also creating the conditions to launch effective attacks against foreign hostile states. If confirmed, the 'Olympic Games' operation is the first example of an offensive conducted in cyberspace and arranged without conventional weapons, using digital attacks instead of military operations.

The US has recently started the Plan X project, which will also involve private non-military entities in what is considered "a call to arms"; according to official sources it is oriented more toward protecting the Defense Department's computer systems than toward disrupting or destroying those of enemies. Plan X is a project of DARPA (Defense Advanced Research Projects Agency), the Pentagon agency responsible for developing new technology for military use.

“Because the origins of cyberattack have been in the intelligence community, there’s a tendency to believe that simply doing more of what they’re doing will get us what we need,”

said Kaigham J. Gabriel, acting director of DARPA.

“That’s not the way we see it. There’s a different speed, scale and range of capabilities that you need. No matter how much red you buy, it’s not orange.”

One of the main aspects of warfare is deep knowledge of the battlefield; for this reason one of the main projects to be financed is the mapping of cyberspace and of all the entities that populate it, a map that has to be updated over time to allow precise monitoring of the main areas of battle. Other projects concern the hardening of operating systems, for mobile devices and desktop installations, to resist any kind of cyber attack; US researchers have a clear idea of the OSs of the future, totally different from the ones we ordinarily use.



Many experts hold that one of the primary goals is the development of a new generation of cyber soldier: artificial intelligence able to prevent cyber attacks and to conduct powerful offensives automatically. The research program promoted by DARPA has a duration of five years and will be financed with $110 million starting this summer. The agency has allocated a total budget of $1.54 billion from 2013 to 2017 with the specific goal of increasing cyber-offense capabilities.

DARPA has recently announced many other interesting projects; one of the most ambitious is the new Cyber Targeted-Attack Analyzer program, which will attempt to monitor the entire defense network automatically, without human intervention. Another interesting project is Space Enabled Effects for Military Engagements, also known as SeeMe, which will build a constellation of micro-satellites to provide troops with accurate satellite imaging within 90 minutes.

What is the common theme of the main projects related to cyber warfare capabilities?

Governments all around the world are committed to defining a proper cyber strategy that strikes an optimal balance between a good cyber offense and an efficient cyber defense. Cyber conflicts are characterized by the need for an immediate response to incoming cyber threats; in many cases the reaction must be instantaneous to avoid the destruction of assets and resources.

The human factor and the human capacity for judgment could represent an unacceptable element of delay in electronic disputes that happen in real time; for this reason the concept of "proactive defense" is assuming fundamental importance. The massive introduction of technology into every object that surrounds us has increased the nation's attack surface: power grids, telecommunications and every other critical infrastructure are still vulnerable to cyber attacks.

The protection of national infrastructure is one of the primary goals of cyber strategies, but the nature of the possible offense, instantaneous and unpredictable, has highlighted the need to develop systems for automatic defense that can independently respond to cyber threats; this option, however, introduces significant problems in terms of "devolution of decision" and "rules of engagement".

Are we ready to trust in such critical decisions taken by the machines?

In September the Homeland Security Department released Request for Information RFI-OPO-12-0002, titled "Developing a Capability Framework for a Healthy and Resilient Cyber Ecosystem Using Automated Collective Action", to gather information from industry and evaluate the current state of technology in the cyber ecosystem environment.

The Department is working with NIST to develop a system capable of using a defensive concept called Automated Collective Action, defined in the document as follows:

“Automated collective action refers to processes in a cyber ecosystem or community of interest (COI) that select (and perhaps formulate) automated courses of action that will be performed by the ecosystem or COI in response to cybersecurity events. Policies, procedures, technology, and a high level of trust are necessary to enable automated collective action. An appropriate level of human intervention might be required to ensure unintended consequences do not result from flawed courses of action. Determining which cybersecurity events are normal and which are unauthorized or malicious remains a major challenge. “

DHS officials declared that the US needs to respond in an automated fashion to automated attacks from cyberspace. The research needs to evaluate the feasibility of a system that is completely independent in detecting anomalous situations and able to respond in a proportionate manner; thanks to automated processes, the solution has to be able to monitor and respond to cyber threats while maintaining mission-critical operations.

The final goal is to replace humans in the decision loop in order to respond to increasingly sophisticated attacks.

On more than one occasion U.S. Defense Secretary Leon Panetta has expressed great concern about the possibility of a major cyber attack against the country and its critical infrastructure, a scenario aggravated by the economic crisis and its inevitable effects on the defense budget.

The government is planning the biggest cuts to the defense budget of the last decade, around $450 billion over a period of ten years. Persistent rumors speak of a further cut of $500 billion due to an automatic mechanism known as sequestration, triggered after members of Congress failed to reach an agreement to reduce the nation's deficit.

The cuts represent a serious problem for the development of US capabilities in a delicate historical period, while the principal adversaries of the US, such as Iran, China and also Russia, are investing massively in an attempt to acquire a strategic advantage.

In June 2012 Panetta warned of the possible risks deriving from the cuts:

“It would guarantee that we hollow out our force and inflict severe damage on our national defense. I think you all recognize that sequester would be entirely unacceptable and I really urge both sides to work together to try to find the kind of comprehensive solution that would de-trigger sequester and try to do this way ahead of this potential disaster that we confront,”

“I’m very concerned that the potential in cyber to be able to cripple our power grid, to be able to cripple our government systems, to be able to cripple our financial systems would virtually paralyze this country and as far as I’m concerned that represents the potential for another Pearl Harbor as far as the kind of attack that we could be the target of using cyber,”

The scenario hypothesized by Panetta is realistic and dramatic: a cyber attack against US critical systems could be a disaster. The possible sources of attack are foreign governments, but also cybercriminals or cyber terrorists.

In October Mr. Panetta raised the question again in strong words: the US was facing the possibility of a "cyber Pearl Harbor" and was increasingly vulnerable to cyber attacks against its critical infrastructure that could cause a catastrophe.

Panetta was particularly concerned by the growth of the Iranian cyber army, which many sources credit with the attacks on Saudi Aramco and which could be able to hit the US on national soil through a cyber attack.

But cyber espionage campaigns are also considered cyber warfare operations: foreign governments may be interested in spying on intelligence agencies and government offices to steal sensitive information; recall the recent attack on the White House.

Industry and defense subcontractors are also considered strategic targets for state-sponsored hackers trying to acquire intellectual property on military technology.

The world is changing and warfare operations are shifting to cyberspace; the battlefield has changed and the actors in the new conflicts have totally mutated. The US, like any government, must prepare for cyber warfare by empowering its cyber capabilities.

source http://securityaffairs.co