Advanced Persistent Threats

Advanced Persistent Threat refers to a type of long-term attack that is carried out via the internet and that consistently assails the same target. Such attacks are usually covert in nature and require high-level funding and resources, a characteristic consistent with a nation or state-sponsored group. Attacks are typically complex and detailed and target specific systems or information. The attack vector may include any combination of previously identified vulnerabilities and new zero-day exploits and may be conveyed over many types of medium.

The victims of recent APTs include the U.S. Departments of Defense and Energy, RSA Corp., Google, the Iranian Government, and Lockheed Martin. These attacks successfully compromised systems and information and went undiscovered or unhindered for some time. While there are a handful of actors, China has been responsible, directly or indirectly, for a large number of attacks that have sought data across a wide spectrum, including Google source code and user data; military and defense plans and designs; intelligence data; and economic and financial information. The issue is a sensitive one because, although a significant amount of industrial and military data is being compromised, the United States can do little diplomatically with China as it lacks comprehensive proof and a means to force China to halt the attacks. Furthermore, China contends that it is also a victim and that any attacks that originate from the country are from criminals. The U.S. Government has, in cooperation with industry, investigated and tracked down the attacks and has found traces and footprints that consistently tie them to China.

The United States and its allies are not just victims of APTs, however. While they do not have the same motives and targets as China, Western powers have created and executed attacks such as Stuxnet, the intricate computer worm that destroyed centrifuges in Iranian nuclear enrichment facilities. It was for this type of operation that the U.S. Government established Cyber Command to conduct the offensive and defensive functions of the nation’s cyberspace. The threat landscape has changed so drastically that cyberspace is now classified as a battlefield, and as such we must be prepared to fight in it.

Advanced Persistent Threats will continue to be an issue in the cyber domain. Due to their nature they are hard to defend against completely, and new vulnerabilities and techniques will allow for more attacks. Preventing these types of attacks requires a system of passive and active defenses that are constantly updated and reviewed for flaws and errors.

Source: http://www.washingtontimes.com/news/2011/dec/14/cyberthefts-of-vital-data-by-china-based-teams-ris/

Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of clickjacking attacks, and it is a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is clickjacking? Wikipedia has a good enough description: http://en.wikipedia.org/wiki/Clickjacking

Simply put, by wired.com:

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash Player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player
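
The overlay trick described above only works when the target page can be loaded inside another site’s frame, so the server-side defense is a response header that forbids framing. The following added example (not from this post or from Wired) audits a set of constructed sample response headers for X-Frame-Options and the CSP frame-ancestors directive; the site names and header values are made up for the demonstration:

```python
# Added example (not from the original post): audit a response's headers for the
# anti-framing protections that stop a page being rendered inside the invisible
# overlay frame clickjacking relies on. Sample headers below are constructed.

def framing_policy(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # CSP frame-ancestors overrides X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors " + (" ".join(sources) or "'none'")
    # Fall back to the older X-Frame-Options header.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    if xfo:
        return False, "X-Frame-Options has an unrecognised value: " + xfo
    return False, "no anti-framing header: page can be embedded in a hidden frame"

# Constructed sample responses from three hypothetical sites.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

def audit(samples=SAMPLES):
    """Map each sample name to True when framing is blocked, False otherwise."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_policy(hdrs))
```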

Hopefully this information will help people who haven’t heard about clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you’re secure.

Anti-anti virus malware

The FBI has arrested six eastern European hackers for infecting numerous computers across the world with a sophisticated form of malware. The group, known as the Rove Group, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this by using a class of malware called DNSChanger, which redirected traffic from legitimate sites to bogus sites instead. Some of the websites were iTunes, Netflix, and even NASA and the IRS. The malware worked by redirecting a user who clicked on a legitimate link to a site like iTunes to a site that pretended to sell Apple software or music. Much like an online phishing attack, except they would not steal your identity; rather, the customer would pay them directly. Sometimes the customer would receive black-market goods or pirated software, and often they would get nothing at all. The scheme was discovered and brought down by an FBI investigation known as Operation Ghost, but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware

On-line Job Application Scam

As if job-seekers didn’t have it hard enough, the Better Business Bureau of Abilene, TX posted warnings about on-line job application scams that trick applicants into providing personal information.

http://abilene.bbb.org/article/score-a-job–not-a-scam-28725

The scammers were smart to target people who are willing to provide whatever information it takes to get hired by an employer. Your resume usually contains your contact information and your employment history. With the job market tightening up and many employers referring applicants to websites, it is no wonder that social engineers recognized this as a way to steal identities on a large scale. With the publicity of websites like LinkedIn.com and Monster.com it was inevitable that scammers would create copy-cat websites or fake Craigslist postings. Some scammers were even able to convince applicants to provide direct-deposit information or send money to the fake companies!

As we all prepare to look for Co-Op and permanent jobs, it is best to watch out for the red flags of a scam, as suggested by the Better Business Bureau:

  1. Grammatical and/or spelling errors on application websites or in e-mails.
  2. Emails from job posting websites claiming there’s a problem with a job hunter’s account.
  3. Employer asks for extensive personal information such as social security or bank account numbers.
  4. An employer offers the opportunity to become rich without leaving home.
  5. An employer asks for money upfront.
  6. The salary and benefits offered seem too-good-to-be-true.
  7. The job requires the employee to wire money through Western Union or MoneyGram.

Overall, be sure to know the company you are applying to. Do some research and make some telephone calls to be sure that the company and website are legitimate. And remember that if it sounds too good to be true, it probably is!

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering
    • Goal: Employee Information
  • Social Engineering
    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing
    • Goal: Internal Access via Employees

Behavioral monitoring malware

Behavioral monitoring malware is a new class of malware that mines many of the social networking sites for behavioral patterns. What I mean by behavioral patterns is that it will monitor what kind of websites you like, who you associate with, and the kinds of things you buy. This kind of information is a goldmine for marketers. It allows them to build profiles of individuals beyond the broad categories of sex, age, and location. Now they can know that you’re friends with x, y, and z, or that you’re a Chihuahua enthusiast who loves NASCAR. This kind of information can be more insidious than more conventional malware.

Through this information they could then target ads just for you or, extending beyond marketing, unique attacks. We’ve talked about phishing attempts before in class and how it’s always a kind of broad message meant to reach as many people as possible. Thanks to behavioral pattern malware they can now easily tailor specific attacks just for you, even if you’re some nobody. The usual malware targets things like credit cards or accounts and passwords. While these can cause trouble and be an inconvenience, you can at least cancel a credit card or change your password. But once they know who you are, you’re in trouble. You can’t just change everything about yourself. You’re not going to get rid of your friends and family and stop liking the things you do.

One of the interesting technical aspects of this malware is that it is able to recognize who is on the fringe of social connections. That is, if I’m someone who posts prolifically on Twitter or Facebook and has lots of followers/friends, I’m going to stand out as a greater target compared to someone who has very few. Since I would have lots of connections I become a greater target, because through my connections it can move on to new targets. Another interesting thing is that it infects unconventionally compared to the usual malware. Most malware attempts to infect as many devices as fast as possible, while behavioral pattern malware would want to take its time in order to go unnoticed and collect as much information as it could.

http://www.pcworld.com/article/207659/malware_aimed_at_social_networks_may_steal_your_reality.html

Office printer sending malicious emails?

Printers are obviously an important part of most offices, and a lot of the time we don’t really think of a printer as more than a printer. Why would we consider it a security threat? It just prints paper. Well, the fact is there are many attacks that involve network printers. Some of the more recent printers are specifically a problem. Office printers are now being built with a scan-to-email feature: when a document is scanned, a copy of it is delivered by email. Attackers are taking advantage of this by sending emails that look as if they come from the printer, containing an attachment the same way a real printer sends the scanned file. The difference is that these attackers are sending a ZIP file with an exe file inside. This is an example Symantec has on its website:

This exe is usually disguised with the icon of a Word document or something similar. When executed, it installs malware on the system. The best way to prevent this is to filter out these emails and educate employees about the possible threat. When receiving a ZIP file as an attachment, no matter who the sender is, you should take caution.
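
The filtering suggested above can be expressed as a mail-gateway check. The following added example (not from this post or from Symantec) quarantines a message that imitates a scan-to-email notification and carries a ZIP containing an executable; the message, the sender address (example-corp.test is a placeholder) and the ZIP are constructed in memory for the demonstration:

```python
# Added example (not from the original post): mail-filter check for the pattern
# described above: a message posing as a scan-to-email notification whose ZIP
# attachment holds a Windows executable. Message and ZIP are constructed here.
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs")
SCANNER_HINTS = ("scan", "printer", "copier", "mfp")

def zip_has_executable(data):
    """True if any entry in the ZIP (given as bytes) has an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXTENSIONS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def looks_like_scanner_mail(msg):
    """True if the sender or subject imitates a scan-to-email notification."""
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return any(hint in text for hint in SCANNER_HINTS)

def classify(msg):
    """'quarantine' for scanner-style mail with an executable inside a ZIP,
    'review' for any other ZIP attachment, 'deliver' otherwise."""
    verdict = "deliver"
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if zip_has_executable(part.get_payload(decode=True)) and looks_like_scanner_mail(msg):
            return "quarantine"
        verdict = "review"  # a ZIP without an executable still deserves a look
    return verdict

def sample_message(inner_name, sender="Office Scanner <scanner@example-corp.test>", subject="Scanned document"):
    """Construct a scanner-lookalike message carrying one ZIP that holds inner_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed placeholder content")
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0012.zip")
    return msg
```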

More information can be found at:

What is a secure password?

Secure passwords are an issue that internet users face every day. Every time you sign up on a new website, you are asked to choose a password for your login. You look around you, making sure the resident computer security expert doesn’t see you, and you type in that one password that you use for every other site. You justify the use of that password by saying, “It’s a secure password: it contains more than 10 characters, some upper case, some lower case, some numbers, and a symbol” (which doesn’t actually guarantee a secure password).

“So what is a secure password?” you ask. Simply put, a secure password is one that is somewhat long, easy to remember, and only told to people or websites that you trust. The last one is the key. It is very simple to create a website that has the sole purpose of harvesting passwords from users. A website that promises, and maybe delivers, a service that the user would find useful. The user signs up for it, and puts in their password, and usually email address as well, and now the admins of that website have your email login and, if the password is the same, your email password. The website admin could also try and use the combination on Facebook, Twitter, banking sites, etc. and see what information, and possibly money, they can get.

So next time you sign up for a website, ask yourself “Do I trust the admins of this site with the ability to read my email? Change my Facebook page? Post on my Twitter account?”. If you answered yes then by all means use the same password as those other services; but, if you answered no, do yourself a favor and use a new password.

See also:

http://www.usewisdom.com/computer/passwords.html
http://xkcd.com/792/

Researchers typosquat Fortune 500 companies’ emails

[Figure] List of some of the 151 Fortune 500 companies (in red) that have subdomains that are potentially vulnerable to a doppelganger attack

Two researchers set up doppelganger domains to intercept emails sent to mistyped company domains and collected 20GB of emails over a six-month period.

Emails included a lot of sensitive company data, including employee information, legal documents pertinent to the company, and network configuration data. “Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”

Doppelganger domains are domains that are spelled almost exactly like legitimate domains, usually missing a period or letter such as uscisco.com instead of us.cisco.com.

The researchers found that 30% of Fortune 500 companies were potentially vulnerable to such attacks. They also found that many of these doppelganger domains had already been registered, many of them in China.

Attackers could also set up man-in-the-middle attacks in which they receive the emails and then forward them to the real recipient. A victim could send emails back and forth without ever noticing something is wrong.

Of the 120,000 emails their doppelganger domains received, only 2 senders noticed something was wrong. Of the 30 domains they set up, only 1 company noticed they had registered the domain and threatened a lawsuit if the researchers didn’t turn over ownership, which they did.

Companies can always buy up these domains to protect themselves, or block DNS resolution and any internal emails to these domains, as Kim suggests. This will not, however, protect against email sent from outside the company to the doppelganger in the first place.

This is a somewhat hard problem to fix, since most people will mistype some of the emails they send; however, we should be trying to educate users to watch out for this type of attack and/or validate that they are talking with the right person before sending sensitive information.
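
As an added example (not from the article or from the Godai Group’s research), the following Python derives the dot-dropped doppelganger of each internal subdomain, as in uscisco.com for us.cisco.com, and uses that list to flag outbound mail addressed to one of them, which is the internal-email block Kim suggests. The example-corp.com subdomains and the addresses are constructed sample values:

```python
# Added example (not from the original article): derive the "dot-dropped"
# doppelganger of each internal subdomain (uscisco.com for us.cisco.com) and
# use the resulting table to flag outbound mail addressed to one of them.
# All domain names and addresses below are constructed sample values.

def doppelgangers(fqdn):
    """Return the set of domains formed by dropping one dot from fqdn.
    The registrable part (last two labels) is never merged away."""
    labels = fqdn.lower().split(".")
    out = set()
    # Only dots to the left of the registrable domain can be dropped.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    return out

def build_blocklist(internal_domains):
    """Map each doppelganger domain back to the legitimate domain it mimics."""
    table = {}
    for fqdn in internal_domains:
        for fake in doppelgangers(fqdn):
            table[fake] = fqdn
    return table

def check_recipient(address, blocklist):
    """Return the legitimate domain a recipient's domain mimics, or None."""
    domain = address.rsplit("@", 1)[-1].lower()
    return blocklist.get(domain)

# Constructed sample of an organisation's mail-bearing subdomains.
INTERNAL = ["us.example-corp.com", "eu.example-corp.com", "mail.hr.example-corp.com"]

def flag_outbound(recipients, internal=INTERNAL):
    """Return the recipients whose domain is a doppelganger of an internal one."""
    table = build_blocklist(internal)
    return [r for r in recipients if check_recipient(r, table)]

if __name__ == "__main__":
    print(sorted(build_blocklist(INTERNAL)))
    print(flag_outbound(["alice@usexample-corp.com", "bob@us.example-corp.com"]))
```

The same table can be fed to the DNS resolver or mail gateway as a deny list; it does not catch inbound mail that outsiders send to the doppelganger, as the post notes.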

Source: http://arstechnica.com/business/news/2011/09/researchers-typosquatting-snarfed-20gb-worth-of-fortune-500-e-mails.ars

Not all Certificates are Created Equal

http://www.networkworld.com/news/2011/090911-google-contacts-iranian-users-to-250653.html

The certificate authority (CA) DigiNotar was recently involved in a case that left its certificates untrustworthy. DigiNotar failed to go through the proper channels to notify companies such as Mozilla, Google, and Microsoft, who all run web browsers that “trust” certificates signed by numerous publishers. Previously, browsers would automatically accept certificates signed by DigiNotar, but its lack of communication has caused it to be blacklisted by most browsers.

This certificate problem originated in Iran, where the government was spoofing citizens’ requests to pages like Google and Microsoft. Even though the users’ connections to these sites were secure, the government gained control of the certificates, thus allowing it to snoop on citizens’ web traffic. This is basically a man-in-the-middle attack.

Google has notified approximately 300,000 account-holders in Iran about this issue and is encouraging them to change their password.

This is a smart move, but obviously a required move on Google’s part, and I believe the blacklisting of DigiNotar certificates was the best course of action. We take the lock-icon and https:// in our web browsers for granted, but this entire incident shows us what can happen when hacking and lack of communication collide.