Advanced Persistent Threats

Advanced Persistent Threat refers to a type of long-term attack that is carried out via the internet and that consistently assails the same target. Such attacks are usually covert in nature and require high-level funding and resources, a characteristic consistent with a nation or state-sponsored group. They are typically complex and detailed and target specific systems or information. The attack vector may include any combination of previously identified vulnerabilities and new zero-day exploits and may be conveyed over many types of media.

The victims of recent APTs include the U.S. Departments of Defense and Energy, RSA Corp., Google, the Iranian Government, and Lockheed Martin. These attacks successfully compromised systems and information and went undiscovered or unhindered for some time. While there are a handful of actors, China has been responsible, directly or indirectly, for a large number of attacks that have sought data across a wide spectrum, including Google source code and user data; military and defense plans and designs; intelligence data; and economic and financial information. The issue is a sensitive one because, although a significant amount of industrial and military data is being compromised, the United States can do little diplomatically with China, as it lacks comprehensive proof and a means to force China to halt the attacks. Furthermore, China contends that it is also a victim and that any attacks that originate from the country are the work of criminals. The U.S. Government has, in cooperation with industry, investigated and tracked down the attacks and has found traces and footprints that consistently tie them to China.

The United States and its allies are not just victims of APTs, however. While they do not have the same motives and targets as China, Western powers have created and executed attacks such as Stuxnet, the intricate computer worm that destroyed centrifuges in Iranian nuclear enrichment facilities. It was for this type of operation that the U.S. Government established Cyber Command to conduct the offensive and defensive functions of the nation’s cyberspace. The threat landscape has changed so drastically that cyberspace is now classified as a battlefield, and as such we must be prepared to fight in it.

Advanced Persistent Threats will continue to be an issue in the cyber domain. Due to their nature they are hard to defend against completely, and new vulnerabilities and techniques will allow for more attacks. Preventing these types of attacks requires a system of passive and active defenses that are constantly updated and reviewed for flaws and errors.

Source: http://www.washingtontimes.com/news/2011/dec/14/cyberthefts-of-vital-data-by-china-based-teams-ris/

Fake Documents

After the Wikileaks scandal, the Department of Defense is using new software that generates fake documents that send an alert when they are opened. This would allow the DoD not only to provide misinformation but also to potentially see who opened the file and where they are.

Unfortunately, there seem to be a few ways around this technology. You can disconnect your computer from the Internet before you open files, but this can be averted by requiring the document to authenticate and alert before the contents are visible to the user. Once you have access to the contents, you could easily take screenshots of the information and delete the original.

For more info, see: http://www.schneier.com/blog/archives/2011/11/fake_documents.html

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. It is big news because it is a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that the two share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it is able to communicate through server message blocks (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by relaying the data to a computer connected to the internet and then over SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data, so the network traffic wouldn’t show important data moving around, just JPEG files. After 30 days of running on the system, Duqu deletes itself, hiding any way of detecting that it had been there.

So what I most likely think is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, the state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal, because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that is used by 14.7% of Alexa’s top 1 million web pages, and it is of course the same tool we use to write these posts. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it is an image file, so they ignore it. In reality it is a zip archive carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times, so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that is used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like the Timthumb Vulnerability Scanner.

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
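Both the Duqu post (stolen data hidden inside small JPEG files) and the Timthumb post (a zip archive wearing a GIF header) turn on the same defensive point: checking the magic bytes is not the same as checking that a file is an image. The added example below (written for this page, not code from either article) walks the JPEG marker segments and the GIF trailer to flag data appended after the image ends, a file larger than its own raw pixel data, or zip/PHP signatures embedded in the body. The sample blobs are constructed here, not real captures.

```python
import struct

# Byte patterns that have no business inside a genuine image body.
SUSPICIOUS = {b"PK\x03\x04": "embedded zip local-file header",
              b"<?php": "embedded PHP open tag"}

def jpeg_info(data):
    """Walk the JPEG marker segments; return (width, height, bytes after the EOI marker)."""
    pos, width, height = 2, None, None
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):            # SOFn: precision, height, width
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        if marker == 0xDA:                           # SOS: entropy-coded scan runs until FF D9
            eoi = data.find(b"\xff\xd9", pos + 2 + seglen)
            return width, height, (len(data) - eoi - 2) if eoi != -1 else 0
        pos += 2 + seglen
    return width, height, 0

def inspect_image(data):
    """Return the reasons (empty list if none) a blob should not be trusted as a plain image."""
    findings = []
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if data[-1:] != b"\x3b":                     # a well-formed GIF ends with the trailer byte
            findings.append("gif: stream does not end with the GIF trailer")
    elif data[:2] == b"\xff\xd8":
        width, height, trailing = jpeg_info(data)
        if trailing:
            findings.append(f"jpeg: {trailing} bytes appended after EOI marker")
        if width and len(data) > width * height * 3:   # bigger than its own uncompressed pixels
            findings.append(f"jpeg: {len(data)} bytes for a {width}x{height} image")
    else:
        findings.append("not a GIF or JPEG header")
    findings += [why for sig, why in SUSPICIOUS.items() if sig in data]
    return findings

# Constructed samples (not real captures): a minimal JPEG skeleton of SOI, APP0, SOF0 54x54, SOS, EOI.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOF0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, 54, 54, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
SOS = b"\xff\xda" + struct.pack(">HB", 12, 3) + b"\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
CLEAN_JPEG = SOI + APP0 + SOF0 + SOS + b"\x12\x34\x56\x78" * 4 + EOI
CONTAINER_JPEG = CLEAN_JPEG + b"STOLEN-DATA-PLACEHOLDER" * 4   # Duqu-style: data hidden after EOI
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"
FAKE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for name, blob in [("clean jpeg", CLEAN_JPEG), ("container jpeg", CONTAINER_JPEG),
                       ("clean gif", CLEAN_GIF), ("fake gif", FAKE_GIF)]:
        print(name, inspect_image(blob) or "ok")
```

The size heuristic is deliberately loose (three bytes per pixel); a real deployment would also re-encode the image with a proper decoder and discard the original bytes.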

Anti-anti virus malware

The FBI has arrested six Eastern European hackers for infecting numerous computers across the world with a sophisticated form of malware. The group, known as the Rove Group, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this by using a class of malware called DNSChanger, which redirected traffic from legitimate sites to bogus sites instead. Some of the affected websites were iTunes, Netflix, and even NASA and the IRS. The malware worked by redirecting a user who clicked on a legitimate link to a site like iTunes to a site that pretended to sell Apple software or music. This is much like an online phishing attack, except that they would not steal your identity; rather, the customer would pay them directly. Sometimes the customer would receive black-market goods or pirated software, and often they would get nothing at all. The scheme was discovered and brought down by an FBI investigation known as Operation Ghost, but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware

An apparent inside job in Brazil’s DNS cache poisoning

Securelist.com reported that an employee at one of Brazil’s internet service providers is accused of tampering with the cache of a domain name server. It is believed that the employee’s work redirected customers looking for Google, Gmail, YouTube, and Hotmail to websites that instructed users to unwittingly download Java programs containing trojans. These trojans installed banking malware.

http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

Once again, encryption and security protocols are defeated by vulnerabilities attributed to human elements. Because of the ties to the banking malware, this probably is not the work of just one person acting alone. It is troubling to think that elements of organized crime can gain access to the domain name servers of internet service providers. We will have to wait and see if the employee was a willing participant or a coerced victim.

Of course, it should not be too much of a surprise that it happened in Brazil. According to Symantec’s latest Intelligence Quarterly Report, Brazil ranks #3 in the world as a source of malicious activity (behind #2 China and #1 USA).

Cyber Security Insurance-Related Industry

The introduction to Bruce Schneier’s book Secrets & Lies alluded to an industry that will be booming in the upcoming years: insurance company-driven cyber security providers.

Mr. Schneier pointed out that many companies and organizations don’t invest enough money and effort into protecting their digital data. Making sure that data is safe from potential attack or theft is a new concept to non-tech-savvy business leaders, and one that isn’t at the top of many companies’ priority lists. Unfortunately, attacks are becoming more widespread and more complex, so the likelihood that a business will be attacked increases daily. To offset the threat and the possible losses incurred from an attack, some business owners are turning to insurance policies.

Mr. Schneier feels that as more business owners turn to cyber insurance policies, the insurance industry will push cyber security providers to supply better services (to better protect business owners). The demand for services will increase, and so will the need for some sort of industry standards for cyber security providers. Looking forward from Mr. Schneier’s viewpoint, one can see a new service industry springing up to provide standardized and strong cyber security services that meet insurance company requirements.

A similar “cottage-industry” boom occurred in the late 1990s as companies rushed to prepare their computer systems for Y2K, but that was a temporary surge in demand. Conversely, cyber crime and attacks will only increase as global economies suffer and people become more desperate to find alternative sources of income. To see how important it is, just look at the Information Security and Forensics program that is growing in popularity here at RIT. The emergence of the cyber insurance industry will increase the need for more highly trained professionals, and should lead to plenty of long-term employment opportunities for people with the right skill set.

Hacker Vs. Hacker?

A recent news article over at InfoWorld (http://www.infoworld.com/d/security/hacker-selling-access-compromised-websites-gets-hacked-178103) talks about a hacker by the name of Srblche. He is known to try to profit from hacking by compromising systems for money, and he also runs an online store selling access to high-profile websites and data. The article doesn’t go into detail about how he did these things or about how he got caught; instead it talks about how a group of hackers known as d33ds decided to hack him.

Members of the hacking community accused Srblche in the past of stealing other people’s tools from underground forums and trying to profit from them, which might explain why d33ds targeted him.

“Anyone willing to pay for this service must be as stupid as he is,” d33ds wrote in its announcement of Srblche’s online catalogue being hacked. The group published information about the server, the password hashes of his customers and even the hacker’s administrative access code in plain text.

It’s common to think about how hackers break into people’s systems and try to steal things. What people don’t think about much is hackers hacking other hackers. This article made me start wondering how much this really goes on. Is it common for hackers to go after each other? I think it could easily be a common occurrence without it being known. The hacker being attacked has his ego and reputation to protect, and the hacker doing the hacking doesn’t want to get caught. So isn’t it possible this happens fairly often but details never get out?

Cyber Attack Effects

When it comes to cyber attacks, no matter the purpose behind the attack, it always seems to cause harm. As we have found, attacks can be perpetrated for a number of reasons, some meant to be harmful and some not particularly so. However, whichever the case, the victims of the attack tend to be harmed regardless. For example, the website of the sportswear company Adidas suffered an attack by unknown forces, which was discovered on Thursday. The investigation of this incident is ongoing, and so far it has not found that any consumer data was affected. Despite this, they have shut down the site and will keep it that way until the investigation is complete and all problems are resolved. So in the end, although the attack itself may not have done any particular harm, it has caused the site to be shut down, which affects the company anyway.

Adidas attack info: http://www.straitstimes.com/BreakingNews/TechandScience/Story/STIStory_731336.html

So, in class we’ve been talking about privacy, and how it no longer exists on the internet. Most of us use Facebook, correct? Well, how many of you have used any of the apps on Facebook? Did you know that those apps have access to everything on your Facebook: friends, pictures, information you post on Facebook such as the town you live in, your relationship status, etc.?

We watched a video in class about the Facebook stalker. It was kind of a spoof; what if it actually happened? Does your Facebook have the least amount of information on it about you?

This Facebook app shows exactly what would happen if someone were looking at your Facebook, or in fact gained access to it. http://www.takethislollipop.com/ is a really scary application that makes you, as a Facebook user, rethink everything you put on Facebook, or on any social media website for that matter.

The fact that our generation doesn’t view anything as private anymore is really scary. People put their address on Facebook and then don’t set their privacy settings so that only friends can see their information. But really, what is the definition of ‘Friend’ on Facebook? Is it someone for whom you just clicked a button and suddenly have access to their page of pictures and their wall? Or is it someone you’d trust to save your life if it had to be done?

Basically, in this day and age, the stuff you can find on the internet is so much different from the stuff you had to actually look up in books years ago. The internet has made it so much easier to get information at your fingertips. Do you trust the people who have your information not to abuse it?