The Middle Eastern Cyber War

In the Middle East, for roughly the last six years, some countries have used their cyber power instead of fighting a physical war, which requires large numbers of military personnel and equipment and causes big financial losses for a country’s economy. Every country in the Middle East has both kinds of power (cyber and physical), but some people from these countries have attacked other countries electronically, and these attacks have started a few political issues between those countries, especially Iran, Israel and Saudi Arabia.

A few years ago, around 2007, a Syrian group hacked one of Israel’s banks, and from there the cyber attacks in the Middle East started. After that, in 2008, an Iranian group attacked one of Saudi Arabia’s systems and left comments about political issues between the two countries. Two years later, a group from Israel hacked one of the nuclear reactors in Iran; the Iranians only found out about the attack later, and the attack was going to destroy the whole country. In 2011, a Saudi Arabian man called “X-Omar”, with a group called “Group-XP”, hacked the systems of a couple of the biggest credit card companies in Israel and published about 26,000 credit card numbers on the internet. A few months ago, in May 2012, the Flame malware destroyed about 200,000 computers all around the Middle East. In August 2012, about a month and a half ago, an Iranian group hacked the systems of Saudi Aramco, the biggest oil company in Saudi Arabia; they destroyed the company’s whole system and deleted all of the information on the company’s computers.

Indeed, most of the Middle Eastern countries have used their cyber powers to attack each other instead of fighting a physical war with soldiers and military equipment. Most of the time cyber attacks cost as much as physical attacks do, and maybe more.

Sources:

http://latimesblogs.latimes.com/world_now/2012/05/flame-malware-middle-east-computers-cyber-attack.html

http://www.haaretz.com/print-edition/news/saudi-hacker-threatens-to-expose-details-of-another-million-credit-cards-1.405725

http://www.theaustralian.com.au/opinion/world-commentary/a-game-of-war-over-iran/story-fnfi3i8f-1226480437198

http://bits.blogs.nytimes.com/2012/08/27/connecting-the-dots-after-cyberattack-on-saudi-aramco/

http://www.richardsilverstein.com/2012/05/28/flame-israels-new-contribution-to-middle-east-cyberwar/

http://in.reuters.com/article/2012/09/25/net-us-iran-military-idINBRE88O0MY20120925

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. The reason it’s big news is that it’s a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that the two share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously, while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines, while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it’s able to communicate through Server Message Block (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by relaying the data to a computer connected to the internet and then, over SMB, to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data; this way the network traffic wouldn’t show important data moving around, just JPEG files. After 30 days of running on the system, Duqu deletes itself, hiding any way of detecting it had been there.

So what I most likely think is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, the state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal, because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu


New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that’s used by 14.7% of Alexa’s top 1 million web pages, and it’s of course the same tool we use to write these posts on. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it’s an image file and thus ignore it. In reality, though, it’s a zip carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times, so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that’s used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.
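Both Duqu’s use of JPEG files as containers for stolen data (above) and the Timthumb attack’s fake GIF header rely on a filter that trusts a file’s leading bytes. As an added example (not code from the original posts, from Timthumb, or from any scanner named here), the following Python checks look past the header: they walk a JPEG’s segments and flag anything after the End-Of-Image marker, and scan a GIF-labelled blob for ZIP and PHP signatures. The sample files are constructed and inert.

```python
import struct

# Byte patterns that have no business inside a file delivered as an image.
EMBEDDED_SIGNATURES = {
    b"PK\x03\x04": "zip-local-file-header",
    b"<?php": "php-open-tag",
}

def jpeg_trailing_bytes(data: bytes) -> int:
    """Count bytes after the JPEG End-Of-Image marker (FF D9).
    A real image ends at EOI; a container hides its payload after it.
    FF D9 cannot occur inside scan data (0xFF is byte-stuffed there)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan data
            return len(data) - (pos + 2)
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI
            eoi = data.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("truncated JPEG: no EOI marker")
            return len(data) - (eoi + 2)
    raise ValueError("truncated JPEG: no SOS or EOI marker")

def embedded_signatures(data: bytes) -> list:
    """Names of archive/script signatures found inside the body."""
    return sorted(n for sig, n in EMBEDDED_SIGNATURES.items() if sig in data)

def classify_image(data: bytes) -> str:
    """Verdict for a blob that a filter accepted on its header alone."""
    if data[:2] == b"\xff\xd8":
        try:
            extra = jpeg_trailing_bytes(data)
        except ValueError:
            return "malformed-jpeg"
        return "jpeg-trailing-data" if extra else "jpeg-ok"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        found = embedded_signatures(data[6:])
        return "gif-embedded:" + ",".join(found) if found else "gif-ok"
    return "not-an-image"

# Constructed, inert samples: a skeletal JPEG, the same JPEG with bytes
# appended after EOI, and a GIF header glued onto a ZIP-like body.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
SAMPLE_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\x12\x34\x56\x78" + b"\xff\xd9"
SAMPLE_JPEG_CONTAINER = SAMPLE_JPEG + b"stolen keystrokes"
SAMPLE_FAKE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"PK\x03\x04" + b"\x00" * 26 + b"x.php<?php ?>"
```

A real deployment would go further and decode the image with an image library, but the structural check alone already separates a picture from a picture-shaped container.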

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

A reason to keep Windows Updated

Microsoft released a security update yesterday fixing a flaw in Windows’ handling of TCP/IP that would allow malicious code to be remotely executed through closed ports using special UDP packets.

Affected OSs include Vista, 7, and Server 2008. XP and Server 2003 were not affected by the flaw.

Source: https://technet.microsoft.com/en-us/security/bulletin/ms11-083

Someone shut off the Internet!

Someone shut off the Internet! No I’m not kidding.

Yesterday, November 7th, 2011, the internet briefly ‘died’ for about 30 seconds. This event was witnessed by users and servers all around the U.S. in places ranging from highly populated areas such as Washington D.C., Los Angeles, San Francisco, Raleigh, N.C., Dallas, NYC, and some lesser known locations in the Midwest.

Obviously this affected individuals worldwide. Servers and services hosted in the U.S. could no longer be reached by any client, regardless of their location.

Time Warner took responsibility for the massive outage with only a brief statement on their Twitter account.

@TWCableHelp: We appear to be recovering from a large but brief internet outage affecting most of our service areas. Please attempt to connect again.

This raises the question of how easy it would actually be to ‘turn off’ the internet if access could be gained to the systems Time Warner controls. Or, conversely, how easy would it be to disable the systems that keep Time Warner’s customers from going offline?

Security is a huge issue here because, if Time Warner has the power to disable the internet and adjacent services, at least the portion it controls (which is massive: it had over 36 million subscribers as of 2009), then other ISPs potentially have the same incredible power. Could we be facing a state where a complete shutdown of the internet, à la Egypt or China, is feasible and a real threat to our freedoms as citizens?

What if an unscrupulous individual manages to take control of these systems and has an entire country’s internet at their fingertips? If a merchant like Amazon goes offline for even a few seconds, it potentially loses millions of dollars. Thirty seconds of downtime is a massive outage in any network administrator’s eyes. It is certainly unacceptable for such a large service provider conglomerate.

Sources:

An apparent inside job in Brazil’s DNS cache poisoning

Securelist.com reported that an employee at one of Brazil’s internet service providers is accused of tampering with the cache of a domain name server. It is believed that the employee’s work redirected customers looking for Google, Gmail, YouTube, and Hotmail to websites that tricked users into unwittingly downloading Java programs containing trojans. These trojans installed banking malware.

http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

Once again, encryption and security protocols are defeated by vulnerabilities attributed to human elements. Because of the ties to the banking malware, this probably is not the work of just one person acting alone. It is troubling to think that elements of organized crime can gain access to the domain name servers of internet service providers. We will have to wait and see whether the employee was a willing participant or a coerced victim.

Of course, it should not be too much of a surprise that it happened in Brazil. According to Symantec’s latest Intelligence Quarterly Report, Brazil ranks #3 in the world as a source of malicious activity (behind #2 China and #1 USA).


Cyber Security Insurance-Related Industry

The introduction to Bruce Schneier’s book Secrets & Lies alluded to an industry that will be booming in the upcoming years: insurance company-driven cyber security providers.

Mr. Schneier pointed out that many companies and organizations don’t invest enough money and effort into protecting their digital data. Making sure that data is safe from potential attack or theft is a new concept to non-tech-savvy business leaders, and one that isn’t at the top of many companies’ priority lists. Unfortunately, attacks are becoming more widespread and more complex, so the likelihood that a business will be attacked increases daily. To offset the threat and the possible losses incurred from an attack, some business owners are turning to insurance policies.

Mr. Schneier feels that as more business owners turn to cyber insurance policies, the insurance industry will push cyber security providers to supply better services (to better protect business owners). The demand for services will increase, and so will the need for some sort of industry standards for cyber security providers. Looking forward from Mr. Schneier’s viewpoint, one can see a new service industry springing up to supply the standardized, strong cyber security services that insurance company requirements will demand.

A similar “cottage-industry” boom occurred in the late 1990s as companies rushed to prepare their computer systems for Y2K, but that was a temporary surge in demand. Conversely, cyber crime and attacks will only increase as global economies suffer and people become more desperate to find alternative sources of income. To see how important it is, just look at the Information Security and Forensics program that is growing in popularity here at RIT. The emergence of the cyber insurance industry will increase the need for more highly trained professionals, and should lead to plenty of long-term employment opportunities for people with the right skill set.

Cyber Spying

We love and hate China all at the same time. Why? Obviously, we hate their communist government, but we love their cheap labor and market potential. So, like any other troubled couple, the United States and China have their fights.

Sometimes we accuse China of lowering its currency and jeopardizing our competitive edge, but this time the accusations went to cyberspace.

According to Reuters: “The U.S. intelligence report said on Thursday China and Russia are using cyber espionage to steal U.S. trade and technology secrets to bolster their own economic development, which poses a threat to U.S. prosperity and security.”

Obviously China denied any wrongdoing and accused the United States of being irresponsible. An expected move from our friendly giant from the east.

The real issue is: why is it so easy for foreign agents to infiltrate U.S. networks, and what should we do about it?

Is it even possible to create a network that is 100% resistant to hacker attacks? Should the United States counter-attack with its own cyber army of computer programmers?

These are a lot of questions that make us wonder where the world is going, and whether the next big war could be over a cyber attack.

Government requests to Google for information on users has spiked.


The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months. Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was set up to provide people with protection and privacy against government intrusion, but it hasn’t been updated since it was made to reflect new advances in technology. Because of this, people are still massively vulnerable to government intrusion: the government can get access to users’ online information without having to go through a judge’s approval, as it would need to with a warrant. Google is just one of many high-tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn’t the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember back when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have no trouble with censoring, or even monitoring and giving out information on, political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Nationwide Attacks against Law Enforcement

Multiple law enforcement agencies nationwide have become targets of cyber attacks. While some have been more successful than others, a majority of these attacks are almost certainly the work of the same group of hackers. It is believed that the hackers are trying to get access to databases that contain law enforcement officers’ personal information. That personal information becoming public could be very dangerous. At this point there isn’t a whole lot of concern: this is not the first time law enforcement agencies have been targeted, and they try to take some precautions to keep their data safe. Dothan Systems Analyst Robb Meredeth said:

We try to take our security in layers so that we have multiple layers so if any fail we’re still in good shape

He went on to say how they keep track of attacks:

We monitor success and failures of people trying to get into things. We would go back and start reviewing log-ons and access.

So for now the security of their systems is holding up well enough to keep any important data out of hackers’ hands. But if these attacks continue, it’s possible they could eventually get some important data they shouldn’t have their hands on. Robb later said:

It’s just like being an officer on the street you’re always aware of your surroundings and what’s going on but one thing that I’ve learned in my time with the new technology is that there’s absolutely no sure-fire secure system.

I agree that there’s no secure system, which means it’s only a matter of time before hackers succeed. It really made me start questioning what type of things the police have on their systems, and how good the security for local police is; they most likely don’t have the same budget for security as the FBI. But just because their budget might not be as high doesn’t mean they don’t have information that could be dangerous if made public.