Advanced Persistent Threats

Advanced Persistent Threat refers to a type of long-term attack that is carried out via the internet and that consistently assails the same target. Such attacks are usually covert in nature and require high-level funding and resources, a characteristic consistent with that of a nation or state-sponsored group. Attacks are typically complex and detailed and target specific systems or information. The vector of attack may include any combination of previously identified vulnerabilities and new zero-day exploits and may be conveyed over many types of medium.

The victims of recent APTs include the U.S. Departments of Defense and Energy, RSA Corp., Google, the Iranian Government, and Lockheed Martin. These attacks successfully compromised systems and information and went undiscovered or unhindered for some time. While there are a handful of actors, China has been responsible, directly or indirectly, for a large number of attacks that have sought data on a wide spectrum including Google source code and user data; military and defense plans and designs; intelligence data; and economic and financial information. The issue is a sensitive one because although a significant amount of industrial and military data is being compromised, the United States can do little diplomatically with China as it lacks comprehensive proof and a means to force China to halt the attacks. Furthermore, China contends that it is also a victim and that any attacks that originate from the country are from criminals. The U.S. Government has, in cooperation with industry, investigated and tracked down the attacks and has found traces and footprints that consistently tie them to China.

The United States and its allies are not just victims of APTs, however. While they do not have the same motives and targets as China, Western powers have created and executed attacks such as Stuxnet, the intricate computer worm that destroyed centrifuges in Iranian nuclear enrichment facilities. It was for this type of operation that the U.S. Government established Cyber Command to conduct the offensive and defensive functions of the nation’s cyberspace. The threat landscape has changed so drastically that cyberspace is now classified as a battlefield, and as such we must be prepared to fight in it.

Advanced Persistent Threats will continue to be an issue in the cyber domain. Due to their nature they are hard to completely defend against, and new vulnerabilities and techniques will allow for more attacks. Preventing these types of attacks requires a system of passive and active defenses that are constantly updated and reviewed for flaws and errors.

Source: http://www.washingtontimes.com/news/2011/dec/14/cyberthefts-of-vital-data-by-china-based-teams-ris/

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. The reason it is big news is that it is a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that they share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it is able to communicate through server message blocks (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by transmitting the data to a computer connected to the internet and then through SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data. This way the network traffic wouldn’t show important data moving around, just JPEG files. After 30 days of running on the system Duqu deletes itself, removing any way of detecting it had been there.
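The JPEG-container trick above suggests a simple detection check a defender can run over files and captured traffic: a genuine 54×54 thumbnail should be tiny, and nothing should follow the End-Of-Image marker. The following is an added example, not code from the original post or from any Duqu analysis. It assumes, for illustration, that exfiltrated data is appended after the image data or inflates the file far beyond what the pixel count justifies; the 6 bytes-per-pixel threshold and the constructed sample files are assumptions, not values from any real sample.

```python
import struct

def build_test_jpeg(width: int, height: int, scan_len: int = 200, trailer: bytes = b"") -> bytes:
    """Constructed JPEG marker stream: enough structure for a parser to read the
    dimensions and find the End-Of-Image marker. It is not a real image."""
    soi = b"\xff\xd8"
    # SOF0 payload: precision, height, width, component count, one component spec
    sof_payload = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", len(sof_payload) + 2) + sof_payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x55" * scan_len          # stand-in entropy-coded data (contains no 0xFF bytes)
    eoi = b"\xff\xd9"
    return soi + sof0 + sos + scan + eoi + trailer

STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # markers that carry no length field

def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments; report dimensions, bytes after EOI and bytes per pixel."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, width, height, eoi_end = 2, None, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the image proper ends here
            eoi_end = pos + 2
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):          # baseline / extended / progressive frame header
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + seglen
        if marker == 0xDA:                        # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    if eoi_end is None or width is None:
        raise ValueError("no EOI or SOF marker found")
    return {
        "width": width,
        "height": height,
        "trailing_bytes": len(data) - eoi_end,        # anything after EOI is not image data
        "bytes_per_pixel": eoi_end / (width * height),
    }

def is_suspicious(data: bytes, max_bytes_per_pixel: float = 6.0) -> list:
    """Reasons a file looks like a container rather than a plain thumbnail (threshold is an assumption)."""
    info = inspect_jpeg(data)
    reasons = []
    if info["trailing_bytes"] > 0:
        reasons.append(f"{info['trailing_bytes']} bytes after EOI marker")
    if info["bytes_per_pixel"] > max_bytes_per_pixel:
        reasons.append(f"{info['bytes_per_pixel']:.1f} bytes/pixel for a "
                       f"{info['width']}x{info['height']} image")
    return reasons

if __name__ == "__main__":
    samples = {
        "clean thumbnail": build_test_jpeg(54, 54),
        "data appended after EOI": build_test_jpeg(54, 54, trailer=b"\x00" * 3000),
        "oversized scan data": build_test_jpeg(54, 54, scan_len=40000),
    }
    for label, blob in samples.items():
        print(f"{label}: {is_suspicious(blob) or 'nothing flagged'}")
```

The parser stops at the first EOI, so a file that is really "small image + payload" reports the payload size directly. The bytes-per-pixel ratio catches the other layout, where the container hides data inside the scan segment; a legitimate 54×54 thumbnail compresses to well under one byte per pixel.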

So what I think is most likely is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, the state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu
Facebook’s security woes: 600K accounts compromised per day

By Kara Reeder

November 2, 2011, 7:49 AM PDT

Takeaway: Kara Reeder reports on the latest security mishaps from the Facebook camp.

With more than 800 million active users, there’s no shortage of people looking for loopholes in the social network. The latest vulnerability has been discovered by Nathan Powers, who works for technology consultancy CDW. Powers has discovered a way for a user to send an executable file to another user who is not their friend. The risk, as Computerworld points out, is that “a hacker [could] send, for instance, a key logging program to another user in a kind of spear-phishing attack.”

Facebook’s Security Manager Ryan McGeehan is downplaying the flaw, noting that “an additional layer of social engineering” would be required for the scam to work.

Security issues are nothing new for Facebook. In fact, as msnbc.com reports, buried deep in a recent security announcement, Facebook revealed that 600,000 accounts are compromised every day. Of course, Facebook put a different spin on it, saying “only 0.06 percent of 1 billion logins per day are compromised.” Still, 600,000 a day is nothing to scoff at as hijacked Facebook accounts lay the foundation for a number of misbehaviors, including cyber bullying and scams designed to trick unsuspecting users into coughing up money.

Editor’s Note: Facebook has clarified what they mean by “compromised.” According to TechCrunch:

Facebook wants it known that these accounts weren’t hacked or compromised on Facebook itself, they are compromised off site, such as through phishing scams, for example.

Facebook blocks access to accounts when they have reason to believe someone other than the true owner is trying to access it. Here is Facebook’s original infographic (PDF), which includes the numbers cited (.06% of 1 billion logins per day).

I am astonished that Facebook downplays such a large number of compromised accounts. 600,000 accounts a day are compromised! I can’t even begin to wrap my head around that figure. Many of these users are not in the information technology field and most likely don’t have a healthy sense of skepticism when using a social networking site like Facebook. If attackers are able to compromise users’ accounts, they can harvest useful information that users post on Facebook assuming their information is safe and secure. They need a password to access their profile, so they assume no one else is able to access the profile without their knowledge. This is definitely not a safe assumption to make. The stat of 600,000 compromised accounts a day clearly proves that.

The discovery of the latest vulnerability of Facebook was made by Nathan Powers of CDW. The vulnerability makes it possible for an attacker to send an executable file to another user that they are not friends with. Programs like key loggers and botnets could be sent in attempts at a spear phishing attack. This presents a major security risk for the end users of Facebook. Their personal information, including passwords, PIN numbers, web surfing activity, and bank account numbers to name a few, could now possibly be accessed remotely by another Facebook user. The victim would have no idea that this was happening until it was too late. The attacker could also make fraudulent entries on the victim’s Facebook profile and damage their reputation with friends, family and colleagues.

I myself am a Facebook user, but after reading this article I am going to have to think long and hard about whether continuing to do so is just too risky. It is wonderful that I am able to keep in touch with friends and family that live far away and see pictures of them; but is that really worth possibly exposing myself to an attacker looking to hack my account and cause havoc?

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering
    • Goal: Employee Information
  • Social Engineering
    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing
    • Goal: Internal Access via Employees

Preventing skimming

For those who don’t know, skimming is when a person records the information on a credit or debit card without the cardholder’s permission, and in most cases without them knowing. Skimming has been going on for a long time and continues to be a big issue. Just recently a German man was sentenced to three years in prison for bringing skimming equipment into the UK. SANS had an article about this in their NewsBites that read:

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow users to retrieve data captured by skimmers though Bluetooth technology from a distance of 100 meters. Beeckmann’s sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.
-http://www.bbc.co.uk/news/technology-15312057
-http://www.h-online.com/security/news/item/Sentenced-German-engineer-modified-card-terminals-for-criminal-gangs-1362217.html

Law enforcement in the United States as well as other countries are continuously investigating skimming attacks. But the problem I have found is that even with investigations and prison sentences, skimming attacks are still too easy to perform with little risk of getting caught. Equipment to perform simple skimming attacks is very easy to come by. A simple search around the internet and you can find a place to purchase some equipment at not too high of a price. Also, people don’t really watch out for skimming much, which makes it easy to get away with and not get caught. If people don’t know it’s happening, they’re not going to report it to the police. An article at merchantequip.com said:

Skimming most commonly occurs in restaurants, where the card owner loses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in the pocket, sleeve, and even in their hand.

Which brings up the question: how many people even think about what’s happening to their card when they give it to the waiter or waitress at a restaurant?

What to do to prevent skimming? I doubt it will ever just stop happening, so the best thing to do is just be aware of how it can happen and watch out for it. If you’re careful about how you use your card, and who you give it to, there’s less chance your card’s information will be stolen.

Office printer sending malicious emails?

Printers are obviously an important part of most offices, and lots of times we don’t really think of a printer as more than a printer. Why would we consider it a security threat? It just prints paper. Well, the fact is there are many attacks that involve network printers, and some of the more recent printers are specifically a problem. Office printers are now being built with a scan-to-email feature: when a paper is scanned, a copy of that paper is received through email. Attackers are taking advantage of this by sending emails that look as if they are from the printers, containing an attachment the same way the real printers send the file. The difference is that these attackers are sending a ZIP file with an exe file inside. This is an example Symantec has on their website:

This exe is usually hidden by an icon of a Word document or something similar. When executed, it installs malware on the system. The best way to prevent this is to try to filter out these emails and to educate employees about the possible threat. When receiving a ZIP file as an attachment, no matter who the sender is, you should take caution.
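The filtering the paragraph recommends can be automated at the mail gateway: open every ZIP attachment and quarantine the message if any member has an executable extension, whatever the icon or the claimed sender. The code below is an added example, not from the original post or from Symantec; it uses only the Python standard library. The sample message it builds (the "Office Printer" sender, the `scan_0001.zip` name and the member file name) is constructed for the demonstration, and the set of extensions treated as executable is an assumption a deployment would extend.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly when double-clicked (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def build_sample_message(member_name: str) -> bytes:
    """Constructed sample: an email imitating a scan-to-email printer with a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder content")   # not a real executable
    msg = EmailMessage()
    msg["From"] = "Office Printer <scanner@example.invalid>"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Scanned image from MFP-01"
    msg.set_content("Please find the attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0001.zip")
    return msg.as_bytes()

def inspect_message(raw: bytes) -> list:
    """Return human-readable findings for a raw RFC 822 message; an empty list means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"{name}: attachment itself is executable")
        # Look inside archives: check the magic bytes too, so renaming the file does not help.
        if ext == ".zip" or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        mext = os.path.splitext(member)[1].lower()
                        if mext in EXECUTABLE_EXTS:
                            findings.append(f"{name}: archive member {member!r} is executable")
            except zipfile.BadZipFile:
                findings.append(f"{name}: looks like a ZIP but cannot be opened")
    return findings

def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the message for review if anything was flagged."""
    return bool(inspect_message(raw))

if __name__ == "__main__":
    for member in ("scan_0001.doc.exe", "scan_0001.pdf"):
        raw = build_sample_message(member)
        print(f"{member}: {inspect_message(raw) or 'clean'}")
```

The check deliberately ignores who the message claims to be from, since the whole point of the attack is that the sender looks like the printer; a real deployment would pair it with a rule that the genuine scanner never sends ZIP files at all, so any ZIP "from the printer" can be dropped outright.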

More information can be found at:

Facebook’s New Features

With new modifications implemented on Facebook, and without proper changes to some privacy settings, your friends can see your current activities such as what game you’re playing, websites or articles that you are currently visiting, and even what music or song you are listening to, without your consent to share this information. With all of these new ‘real time’ apps on Facebook, it brings up the common question “where is the line drawn at which the information being broadcast is getting too personal?”

Another new feature that will be added to Facebook is a timeline feature. It has already been documented that this timeline could be a “gold mine” for harvesting information about people. The information would be displayed in chronological order and could potentially increase the risk of the user being “cyber-stalked”. The information provided in the timeline could also help a criminal steal your passwords, since most users generally use personal information as their credentials.

Overall, I think that the new modifications on Facebook will take some ‘getting used to’. It is becoming more of a controversy whether the information the website displays, with or without the user’s knowledge, is a privacy concern.

Sources:
http://www.cnn.com/2011/09/23/tech/social-media/facebook-real-time/index.html?iid=EL

http://www.computerworld.com/s/article/9220240/Facebook_s_Timeline_will_be_boon_for_hackers

Biometric Authentication Systems

Many companies are now looking for ways to leave behind the “password”. The problem with using passwords is human error. Many people just make really simple passwords that are easy for them to type and/or remember. Many times it’s not just simple passwords; some employees are willing to trust anyone with their password. This leaves a huge security risk for companies, because many of their employees have access to sensitive information, and if their account is compromised then there will be problems.

Biometric security systems fix many of the problems with passwords. Biometrics provides faster access to secure documents, which in the end leaves employees happy. It also prevents people from letting others know their password, because you can’t really lend a finger or eyeball. Biometrics is improving and now offers things like USB fingerprint scanners which allow users to easily access their account from multiple systems. Biometrics for mobile platforms is also being developed, which will give users even more ways to access their accounts. Biometrics still has security risks, but it is much more secure than passwords.

Facebook Timeline

Just recently, Mark Zuckerberg announced a new feature called Timeline that will be available to all Facebook users in a few weeks. Supposedly, this new feature will summarize all of a user’s important past events in a one-page summary. This would be a good way to somewhat share a person’s life story online, which could include first dates they’ve been on, meaningful events, or favorite foods. It doesn’t mean that this information isn’t already available for someone to see, but it makes it easier for another person to learn more about someone else. That person, however, could potentially be a cyber criminal. They could easily gather information about a person in order to find answers to security questions or find smarter ways to spread malware. Other than a cyber criminal, there could be people out there looking for information to use against other people.

Simple way to be safe: don’t post personal information and try to have common sense when posting things online.

http://www.computerworld.com/s/article/9220240/Facebook_s_Timeline_will_be_boon_for_hackers

What is a secure password?

Secure passwords are an issue that internet users face every day. Every time you sign up on a new website, you are asked to use a password for your login. You look around you, making sure the resident computer security expert doesn’t see you, and you type in that one password that you use for every other site. You justify the use of that password by saying, “It’s a secure password: it contains more than 10 characters, some upper case, some lower case, some numbers, and a symbol” (which doesn’t actually guarantee a secure password).

“So what is a secure password?” you ask. Simply put, a secure password is one that is somewhat long, easy to remember, and only told to people or websites that you trust. The last one is the key. It is very simple to create a website whose sole purpose is harvesting passwords from users: a website that promises, and maybe delivers, a service that the user would find useful. The user signs up for it and puts in their password, and usually email address as well, and now the admins of that website have your email login and, if the password is the same, your email password. The website admins could also try the combination on Facebook, Twitter, banking sites, etc. and see what information, and possibly money, they can get.

So next time you sign up for a website, ask yourself “Do I trust the admins of this site with the ability to read my email? Change my Facebook page? Post on my Twitter account?” If you answered yes, then by all means use the same password as those other services; but if you answered no, do yourself a favor and use a new password.
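The parenthetical in the first paragraph, that the "more than 10 characters, mixed case, digits and a symbol" rule does not guarantee a secure password, can be shown concretely: cracking tools undo the usual mangling (leetspeak substitutions, a year and a symbol tacked on the end) and then test the bare dictionary word. The script below is an added illustration, not code from the original post or from any password-cracking tool. Its substitution table and tiny wordlist are constructed stand-ins; real wordlists hold millions of entries and far richer mangling rules, so a password this code does not catch is not thereby safe.

```python
import re
import string

# Common leetspeak substitutions, reversed (assumed table; real rule sets are much larger).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a cracking wordlist.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein", "monkey", "football"}

def meets_composition_rules(pw: str, min_len: int = 10) -> bool:
    """The rule quoted in the text: more than 10 characters with upper, lower, digit and symbol."""
    return (len(pw) > min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def base_word(pw: str) -> str:
    """Undo the usual mangling: strip leading/trailing digits and symbols,
    reverse leetspeak, then ignore case. "P@ssw0rd2011!" -> "password"."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return core.translate(LEET).lower()

def is_dictionary_variant(pw: str) -> bool:
    """True if the password is just a wordlist entry with cosmetic changes."""
    return base_word(pw) in WORDLIST

def assess(pw: str) -> dict:
    """Side-by-side verdict: what the composition rule says versus what a cracker would find."""
    return {
        "length": len(pw),
        "meets_rules": meets_composition_rules(pw),
        "dictionary_variant": is_dictionary_variant(pw),
        "base_word": base_word(pw),
    }

if __name__ == "__main__":
    # Constructed examples: one passes the rule but is a mangled dictionary word,
    # the other fails the rule but is a long phrase no wordlist lookup recovers.
    for candidate in ("P@ssw0rd2011!", "Dr4g0n!", "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The point is the disagreement between the two columns: `meets_rules` is what the sign-up form checks, `dictionary_variant` is what an attacker with a harvested password list checks first. Length and unpredictability matter more than the character classes, and none of this helps if the same password is reused on a site you do not trust.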

See also:

http://www.usewisdom.com/computer/passwords.html
http://xkcd.com/792/