Threats to high-ranking and influential officials may no longer be limited to a lone gunman on a rooftop. A new and frightening threat is evolving and becoming ever more ominous: car hacking. It has been the subject of recent recalls and news headlines, but it is more widespread than those headlines may lead people to believe. It is not difficult to envisage that this threat extends to a significant number of modern automobiles.
The use of the microchip in the automobile has had innumerable benefits, including improved efficiency, safety, reliability, and drivability. These benefits, however, bring dangers with them. For example, Mercedes-Benz offers a system called Intelligent Drive in its new models on the market today. This system is able to influence braking, steering, and throttle to keep the car in its lane and bring it to a stop autonomously. Most luxury brands have a very similar system in their models. This innovation also opens a door to some very precarious hacking opportunities. All of these systems are controlled by a central computer called an ECU (electronic control unit). It is conceivable that an individual who gained access to this computer could influence the control of the vehicle to do a malicious deed.
Will the headlines of the near future carry stories of assassinations of influential individuals through hacking? Possibly. However, in the current state of technology this form of hacking is difficult and risky. Currently, hacking an automobile involves gaining physical access to it. As more and more new models become internet-connected, though, the physical-access barrier that hackers face may fade away.
Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you conclude that some clueless individual clicked a link in an email and infected the system, or gave away important information to a phony account and cost their business millions of dollars. This time around the blame isn’t as easily directed at particular individuals.
For anyone who doesn’t know what careerbuilder.com is or has never heard of it, it is a popular job-search website. Many companies post job advertisements for open positions on the site, and users browse these postings by area or category and apply. Generally you can apply right from the website by uploading your resume as a Word document. Whenever a job seeker uploads a resume to a job posting, CareerBuilder notifies the company of the uploaded document. The people behind these attacks simply title the document something like “resume.doc” or “cv.doc”, and employers open it as if it were just another typical resume. The employees download these attachments, which on the surface appear to be just another applicant’s resume, but the files then exploit a memory corruption vulnerability in Word’s RTF handling. This causes the infected machine to download a payload, which downloads a .zip file containing an image file, which in turn drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files, expecting them to be nothing more than that. This is a dangerous piece of malware working its way into organizations seeking new employees. Although the method behind these attacks requires much more work from the attackers, who have to find job postings and manually apply to them with their documents, the benefit is that the majority of their attempts are very likely to succeed. Typical phishing attacks are attempted from fake email accounts and are much less likely to work.
Researchers from a firm known as Proofpoint uncovered the details behind these malware attacks, stating that the malicious documents were created with a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums, serves up CVE-weaponized documents, and costs around $2000-$3500 to purchase. Proofpoint also claims that CareerBuilder took swift action against these attacks, but didn’t state exactly how. The bigger issue is that these attacks will always be a risk on job-search websites and other similar websites that accept file attachments, which give attackers a channel to distribute malware.
White House officials this week publicly admitted that during October of last year, hackers were able to access Obama’s and the State Department’s unclassified emails. This resulted in system administrators shutting down the unclassified email system for a month. Although the hackers were unable to access the classified emails on Obama’s BlackBerry, they did access the email archives of people inside the White House. It is because of this second breach that actual classified information may have been leaked. These emails include, among other things, schedules, emails with ambassadors and diplomats, talks about policy and legislation changes, and information about future personnel deployments.
The attack is believed to have originated from Russia. According to the New York Times, the hack “was far more intrusive and worrisome than has been publicly acknowledged,” partly because the hacker group is presumed to be linked to, or working for, the Russian government. Although the president’s email was not directly breached, it remains unclear just how many of his emails were accessed through the accounts of other staff.
According to online security company FireEye, this latest attack follows the modus operandi of Russian state-sponsored cyber attacks. The compile times for the malware match the normal working hours of major Russian cities, and there is a lack of focus on monetary gain. Instead, the attacks focus on acquiring military, government, and security information. Previous targets of this particular group, known as “APT28”, include US defense and military contractors and NATO officials.
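The compile-time argument above is a forensic check an analyst can reproduce: read the COFF TimeDateStamp out of each PE sample and see what fraction of builds fall inside a candidate time zone's working week. The code below is an added example and is not from the original post or from FireEye; the PE headers it parses are minimal constructed samples, and the 09:00-18:00 weekday window and the UTC+3 offset are assumptions standing in for "normal working hours of major Russian cities".

```python
"""Added example (not from the original post): extract PE compile timestamps
and measure how many land in a candidate working-hours window.
All sample headers are constructed; no real malware is involved."""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def working_hours_ratio(stamps: List[datetime], utc_offset_hours: int,
                        start: int = 9, end: int = 18) -> float:
    """Fraction of timestamps that fall on a weekday between start and end
    (local time at the given UTC offset). Assumed window: 09:00-18:00."""
    if not stamps:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for dt in stamps:
        local = dt.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps)


def make_sample_pe(ts: int) -> bytes:
    """Construct a minimal DOS stub + PE signature + COFF header (sample only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp=ts, no symbols, optional header size 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return dos + coff


def sample_compile_times() -> List[datetime]:
    """Constructed build times: two on Moscow weekdays, one Saturday, one at night."""
    utc = timezone.utc
    build_times = [
        datetime(2014, 10, 13, 7, 0, tzinfo=utc),    # Mon 10:00 UTC+3
        datetime(2014, 10, 14, 12, 30, tzinfo=utc),  # Tue 15:30 UTC+3
        datetime(2014, 10, 18, 10, 0, tzinfo=utc),   # Sat, weekend
        datetime(2014, 10, 15, 22, 0, tzinfo=utc),   # Thu 01:00 UTC+3, outside window
    ]
    samples = [make_sample_pe(int(dt.timestamp())) for dt in build_times]
    return [pe_compile_time(s) for s in samples]


if __name__ == "__main__":
    stamps = sample_compile_times()
    for offset, label in ((3, "UTC+3 (Moscow)"), (-4, "UTC-4 (US Eastern, DST)")):
        print(f"{label}: {working_hours_ratio(stamps, offset):.0%} of builds in working hours")
```

On its own a timestamp pattern proves nothing, since compile times can be forged or stripped; it is one signal to weigh alongside victimology and tooling, which is how the post frames it.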
Dyre Wolf is an ongoing and complex campaign that combines multiple types of attack into one large scam, and it has made the attackers millions of dollars from companies. The attack begins with a spear phishing email sent to a company. Contained within the email is an installer for a program called Upatre, which is commonly disguised as a PDF or some other file type. Once it is installed, the software gives the attacker access to the computer. The attacker then installs Dyre onto the victim’s computer, which allows the attacker to modify information whenever he chooses. The attack really ramps up when the victim goes to log into their bank. Dyre allows the attacker to modify the returned page to show a fake phone number and a message telling the user to call the number to resolve the issue. At this point it is up to the attacker to use social engineering to coerce the banking information out of the user. Once this happens, the attacker transfers the money to an account that is commonly offshore. The attacker then runs a DDoS attack against the company to distract it from what happened and slow its ability to figure out who the attacker was.
Some steps to help prevent this include making sure that people know to report anything that seems suspicious, and running mock phishing attacks against your users to train them to spot suspicious emails.
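Both the CareerBuilder post (an image file carrying an archive, and an RTF exploit named resume.doc) and the Dyre Wolf post (an installer disguised as a PDF) come down to a file whose contents do not match what its name claims. A mail gateway or upload handler can catch a good share of that before any user sees the attachment. The scanner below is an added example and is not code from either post or from any vendor; the file samples are constructed byte strings, and the magic-number table and the "append after the image end marker" heuristic are assumptions about where such mismatches show up.

```python
"""Added example (not from the original posts): flag attachments whose header
does not match their extension, and image files carrying data after the
image's end marker. All sample files below are constructed."""
import os
from typing import Dict, List, Optional, Tuple

# Assumed header bytes per extension (a .doc may legitimately be OLE2 or RTF).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"{\\rtf"],
    ".docx": [b"PK\x03\x04"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".exe": [b"MZ"],
}
EMBEDDED = {b"PK\x03\x04": "zip", b"MZ": "pe"}


def trailing_payload(ext: str, data: bytes) -> Optional[Tuple[str, int]]:
    """(kind, length) of bytes appended after the image's end marker, or None.
    Note: a JPEG with an EXIF thumbnail can contain an inner FFD9; a full
    decoder would be needed to locate the real end of image reliably."""
    if ext == ".png":
        pos = data.find(b"IEND")
        end = pos + 8 if pos != -1 else -1      # IEND type(4) + CRC(4)
    elif ext in (".jpg", ".jpeg"):
        pos = data.find(b"\xff\xd9")
        end = pos + 2 if pos != -1 else -1
    else:
        return None
    if end == -1 or end >= len(data):
        return None
    trailer = data[end:]
    kind = next((v for k, v in EMBEDDED.items() if trailer.startswith(k)), "unknown")
    return kind, len(trailer)


def classify(name: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment; empty list means no mismatch seen."""
    ext = os.path.splitext(name.lower())[1]
    findings = []
    if data.startswith(b"MZ") and ext != ".exe":
        findings.append(f"executable disguised as {ext}")
    elif ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        findings.append(f"header does not match {ext}")
    if ext == ".doc" and data.startswith(b"{\\rtf"):
        findings.append("RTF content inside .doc (detonate in a sandbox before delivery)")
    trailer = trailing_payload(ext, data)
    if trailer:
        kind, length = trailer
        findings.append(f"{length} bytes appended after image end ({kind})")
    return findings


def scan_attachments(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples: an executable named as a PDF, an RTF named .doc,
# a PNG with a zip appended after IEND, and a clean .docx.
SAMPLE_FILES = {
    "invoice.pdf": b"MZ" + b"\x90" * 60,
    "resume.doc": b"{\\rtf1\\ansi harmless placeholder text}",
    "photo.png": (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
                  + b"PK\x03\x04" + b"\x00" * 26),
    "cv.docx": b"PK\x03\x04" + b"\x00" * 40,
}

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_FILES).items():
        print(name, "->", findings or "ok")
```

None of these checks replaces a sandbox or antivirus; they are cheap triage that decides which attachments get detonated or quarantined, which is exactly the gap the image-file trick in the CareerBuilder post relied on.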
The IBM X-Force Exchange is a database of current security information. It compiles found vulnerabilities, known exploits, and malicious IPs. I signed up for the service for free, and the interface is very sleek and clear looking. The main screen is just IP after IP popping up as dangerous. There is a counter of malicious IPs logged in the last hour, and there are over 1,000. Of course 99.9% of them are in the spam category, but it looks like every once in a while one is flagged with scanning, malware, or command & control. There are also interest feeds like found vulnerabilities, security-related blog posts, and recent big topics like China scanning IPs, PoSeidon POS malware, and IRC botnets. There are options to add things to “Collections”, which let you save reports on IPs to look at later.
IBM claims that their service is “One of the largest and most complete catalogs of vulnerabilities in the world” and that they log 25 billion security events per day. Users have access to over 700 terabytes of raw data, which will continue to grow as more users join. The platform is designed to foster communication between security teams at different companies so that everyone can be better protected from cybercrime.
This platform is a big deal in the security community and will help centralize the knowledge gained by professionals. It will thwart a lot of less sophisticated cybercriminals, but the problem is that it doesn’t help against targeted attacks. It is more of a band-aid than a suit of armor: it keeps companies from falling for the same attack twice.
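The practical value of a feed like the one described above is in matching it against your own logs and letting the category (spam versus scanning, malware, or command & control) decide what an analyst looks at first; an internal host talking outbound to a command & control address matters far more than one more inbound spam source. The enrichment below is an added example, not code from the post or from IBM X-Force Exchange; the feed entries, the severity weights per category, and the iptables-style log lines are all constructed.

```python
"""Added example (not from the original post): match firewall log lines
against a category-tagged IP reputation feed and rank the hits.
Feed entries, severity weights, and log lines are constructed samples."""
import re
from typing import Dict, List, Set, Tuple

# Constructed feed: IP -> categories, using the categories the post lists.
FEED: Dict[str, Set[str]] = {
    "198.51.100.7": {"spam"},
    "203.0.113.42": {"scanning"},
    "192.0.2.99": {"malware", "command & control"},
}

# Assumed weights: spam is noise, command & control is the top priority.
SEVERITY = {"spam": 1, "scanning": 2, "malware": 4, "command & control": 5}

# Constructed iptables-style log lines (one inbound spam, one inbound scan,
# one outbound connection from an internal host to a C2 address, one clean).
LOGS = """\
Apr 20 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=25
Apr 20 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.42 DST=10.0.0.5 PROTO=TCP DPT=22
Apr 20 10:02:11 fw kernel: IN= OUT=eth0 SRC=10.0.0.17 DST=192.0.2.99 PROTO=TCP DPT=443
Apr 20 10:02:30 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+)")

# A hit is (line_no, direction, flagged_ip, categories, severity, local_host).
Hit = Tuple[int, str, str, List[str], int, str]


def enrich(log_text: str, feed: Dict[str, Set[str]] = FEED) -> List[Hit]:
    """Look up both the source and destination of every line in the feed."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        for direction, ip, local in (("inbound-from", src, dst), ("outbound-to", dst, src)):
            cats = feed.get(ip)
            if cats:
                sev = max(SEVERITY.get(c, 0) for c in cats)
                hits.append((n, direction, ip, sorted(cats), sev, local))
    return hits


def prioritize(hits: List[Hit], min_severity: int = 2) -> List[Hit]:
    """Drop spam-only hits and order the rest by severity, outbound first on ties,
    since an outbound hit means an internal host initiated the contact."""
    kept = [h for h in hits if h[4] >= min_severity]
    return sorted(kept, key=lambda h: (-h[4], h[1] != "outbound-to", h[0]))


if __name__ == "__main__":
    for n, direction, ip, cats, sev, local in prioritize(enrich(LOGS)):
        print(f"line {n}: {local} {direction} {ip} {cats} severity={sev}")
```

Running this on real logs needs the feed refreshed on a schedule and the spam threshold tuned to the environment; the ranking is what turns "over 1,000 malicious IPs in the last hour" into a short list worth an analyst's time.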