Sony Sees Possible North Korea Link to Hack Attack: Report
Posted on November 30, 2014 by Kara Dunlap in Security
WASHINGTON – Sony Pictures Entertainment is looking into whether North Korea may have been behind a major cyberattack on the studio last week, a news website reported.
The website re/code noted that the attack came as the studio neared release of a comedy about a CIA plot to assassinate its leader Kim Jong-Un.
“The Interview,” which stars Seth Rogen and James Franco as two journalists recruited by the CIA to bump off Kim, has infuriated the North Koreans, with state media warning of “merciless retaliation.”
Citing sources familiar with the matter, re/code on Friday said Sony and outside consultants were exploring the theory that hackers operating in China carried out the attack last Monday on behalf of North Korea.
A North Korean link has not been confirmed, however, according to the sources.
An image posted on the Reddit social network from an individual claiming to be a former Sony employee showed a page with the words “Hacked by #GOP.”
It was unclear what GOP stands for, but some reports said the hacker group is called Guardians of Peace.
The posted image said unspecified demands must be met by Sony or important files would be released.
US Spies on Mobile Phones From the Sky: Report
Posted on November 13, 2014 by Kara Dunlap in Security
SAN FRANCISCO – US justice officials are scooping up mobile phone data from unwitting Americans as part of a sophisticated airborne surveillance program designed to catch criminals, the Wall Street Journal reported Thursday.
Small aircraft deployed by the US Marshals Service from at least five major airports have been taking to the skies with “dirtbox” equipment designed to mimic signals from cell towers, according to the Journal.
That in turn tricks mobile phones into revealing unique identifying numbers and general locations, according to the report.
The name “dirtbox” was said to be derived from an acronym of Digital Recovery Technology Inc., the Boeing subsidiary that makes the device.
The range of aircraft in the program covers most of the US population, the Journal reported, citing unnamed sources familiar with the operation.
Details of flights were not given, but they were said to take place regularly with each outing potentially gathering data from tens of thousands of mobile phones.
The Journal reported that the US Justice Department declined to comment for the story other than to say that its agencies comply with the law when it comes to surveillance.
Mobile phones are programmed to connect with the closest signal tower, but, as hackers have demonstrated, they trust signals from genuine towers and imposters alike when deciding which to connect to.
Boxes in planes could automatically assure mobile phones they are the optimal signal tower, then accept identifying information from handsets seeking connections.
Fake cell towers could then pass connections onto real signal towers, remaining as a conduit with the ability to tune into or block digital transmissions.
Hackers refer to such tactics as “man-in-the-middle attacks.”
The Journal quoted American Civil Liberties Union chief technologist Christopher Soghoian as calling the program “dragnet surveillance” that is “inexcusable.”
The program is reportedly in place to reveal locations of mobile phones associated with criminals or those suspected of crimes, but it also collects data about other handsets that connect, according to the Journal.
After sifting through data collected, investigators could determine the location of a targeted mobile phone to within about three meters, the report indicated.
Similar devices are used by US military and intelligence officials operating in other countries to locate terrorist suspects, according to the Journal.
Trust in US authorities has already been shaken by revelations about a sweeping Internet surveillance program.
WordPress is the Most Attacked CMS: Report
Posted on October 12, 2014 by Kara Dunlap in Security
Data security firm Imperva released its fifth annual Web Application Attack Report (WAAR) this week, a study designed to track the latest trends and cyber threats facing web applications.
The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 – April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.
“WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet,” the report reads.
This year’s WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks as PHP applications.
When it comes to websites, unsurprisingly, ones that have login functionality and implicitly store consumer-specific information are the most targeted.
Nearly half of all the attacks observed by Imperva during the nine-month period targeted the retail sector, followed at a distance by financial institutions, which accounted for 10% of all Web application attacks.
Compared to the previous period reviewed by the company (June 1, 2012 – November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.
As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.
“In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” the report reads.
“While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack.”
Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.
The complete Web Application Attack report from Imperva is available here.
Russian Hackers Obtained 1.2 Billion Passwords: Report
Posted on August 5, 2014 by Kara Dunlap in Security
A Russian hacker group has obtained an estimated 1.2 billion Internet credentials collected from various websites around the world, Nicole Perlroth and David Gelles of the New York Times reported Tuesday.
According to data provided to the newspaper by Hold Security, the Times reported that user names and passwords were stolen from roughly 420,000 websites of all different sizes. According to the report, the hackers also gained access to 500 million email addresses.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, founder and chief information security officer of Hold Security, told the Times.
Most of the sites that the hackers pillaged are still vulnerable, Holden said. The Times said the group is based in a small city in south central Russia and includes fewer than a dozen men in their 20s “who know one another personally — not just virtually.”
“This issue reminds me of an iceberg, where 90 percent of it is actually underwater,” John Prisco, CEO of Triumfant, told SecurityWeek in an emailed statement. “That’s what is going on here with the news of 1.2 billion credentials exposed. So many cyber breaches today are not actually reported, often times because companies are losing information and they are not even aware of it.”
“Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it,” Prisco continued.
An Urgent Call for Two-factor Authentication
Eric Cowperthwaite, vice president, advanced security & strategy at Core Security, explained that this is another example of the pressing need for users and companies to leverage two-factor authentication.
“Companies need to transition to two-factor authentication,” Cowperthwaite said. “Companies such as Facebook and Twitter have finally started offering two-factor authentication, but the bottom line is that most users aren’t taking advantage of it.”
“Banks, as a standard practice, should absolutely be using two-factor authentication,” Cowperthwaite added. “They have a certain amount of loss from fraud built into their operating model – they just accept that it will happen. This acceptance is a shame since there are many simple ways to reduce those costs significantly.”
Holden told the Times that his team has started to alert victimized companies of breaches, but had been unable to reach every website. He also said that Hold Security was working to develop an online tool that enables users to test and see if their personal information is in the database.
“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” said Joshua Roback, Security Architect, SilverSky. “We should expect to see these accounts for sale on underground forums before the week is through.”
“Understanding why passwords are so valuable to hackers can both explain and prepare enterprises to deal with potential security vulnerabilities,” SecurityWeek columnist Gil Zimmermann noted in a December 2013 column. “There are potentially hundreds of uses for stolen passwords once they are obtained.”
While not close to the scope of this recently disclosed discovery, Germany’s Federal Office for Online Security (BSI) warned Internet users in January that cybercriminals had obtained a list of 16 million email addresses and passwords.
Related: Hackers Just Made Off with Two Million Passwords, Now What?
Organizations Slow at Patching Heartbleed in VMware Deployments: Report
Posted on July 25, 2014 by Kara Dunlap in Security
VMware released a series of updates to address the OpenSSL vulnerability known as Heartbleed in its products in April, but many organizations still haven’t secured their installations, virtualization management firm CloudPhysics reported on Monday.
Based on machine metadata collected from virtualized datacenters, CloudPhysics determined that 57% of VMware vCenter servers and 58% of VMware ESXi hypervisor hosts are still vulnerable to Heartbleed attacks.
“This is a remarkably high percentage given that ESX runs the majority of business critical VMs in the world. I speculate that IT teams are more lax about patching ESXi since those machines are typically behind the firewall and not easy to reach from the outside world,” Irfan Ahmad, CTO and co-founder of CloudPhysics, wrote in a blog post.
“However, that laxity doesn’t make the delay in patching a good idea,” he added. “For one thing, insider attacks continue to be a major source of breaches. Another consideration is that if outside attackers do manage to infiltrate a low privilege service inside your firewall, you have just given them carte blanche to attack your most sensitive data.”
According to Ahmad, 40% of the organizations in CloudPhysics’ dataset have at least one vCenter server or ESXi host running a vulnerable version of OpenSSL. By May, over 25% of vCenter servers and ESXi hosts had been patched, but over the next two months, the rate at which organizations were applying the updates had slowed down.
Shortly after the existence of the Heartbleed bug came to light, there were roughly 600,000 vulnerable systems. A couple of months later, Errata Security reported that the number was down to 300,000. However, some experts predict that it will take months, possibly even years, until all systems are patched.
“If insiders, or attackers via insiders, exploit the Heartbleed vulnerability through an untraceable attack they can gain access to mission-critical systems. With the window for the exploit being so large, combined with the current slowness of patching, the severity of an already serious problem is exacerbated,” Ron Zalkind, CTO of cloud data protection company CloudLock, told SecurityWeek.
“Maintaining patches is always prudent, but with an exploit like Heartbleed, its importance cannot be overstated. We strongly encourage organizations to immediately patch their systems per guidance from VMware, with a particular focus on systems that are the most significant to their businesses.”
Eric Chiu, founder and president of cloud control company HyTrust, points out that the traditional approach to security has been to protect the perimeter, which has bred a long-standing misconception that systems within an organization’s datacenter don’t need to be protected.
“However, breaches are not only happening more often and getting bigger, but they’re also primarily happening from the inside. Attackers are using social engineering, phishing, malware and other attack techniques to steal employee or I.T. credentials in order to gain access to networks. Once in, they can move forward, backward or laterally, and siphon large amounts of sensitive data without ever being detected. Given that virtualization is a ‘concentration’ of systems and data, the result is a higher concentration of risk. If an attacker is able to pose as a virtualization admin, for example, that could ultimately be ‘game over’ for a victim company,” Chiu told SecurityWeek.
“Bottom line, organizations need to shift their security strategy from that of just an ‘outside-in’ approach, to an ‘inside-out’ model. They should assume attackers are already inside, in which case access controls, audit logging, alerts and data encryption are important—if not critical… especially in ensuring a secure cloud environment.”
Related: Heartbleed Vulnerability Still Beating Strong
Related: Recovering from Heartbleed: The Hard Work Lies Ahead
North Korea Doubles Cyber War Personnel: Report
Posted on July 6, 2014 by Kara Dunlap in Security
SEOUL – North Korea has doubled the number of its elite cyber warriors over the past two years and established overseas bases for hacking attacks, a report said Sunday.
The North’s cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South’s Yonhap news agency said.
“The communist country operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1,200 professional hackers,” a military source was quoted as saying.
North Korean hackers have launched cyber attacks through overseas bases in countries such as China, the source said.
In recent years, hackers have used malware deployments and virus-carrying emails for cyber attacks on South Korean military institutions, commercial banks, government agencies, TV broadcasters and media websites.
Investigations into past large-scale cyber assaults have concluded that they originated in North Korea.
The North has denied any involvement and accuses Seoul of fabricating the incidents to fan cross-border tensions.
South Korea has increased its Internet security budget to train experts since it set up a special cyber command in 2010, amid growing concern over its vulnerability.
Related: Cyber-Attacks From North Korea Jump Significantly: Solutionary
Related: South Korea’s ‘Top Gun’ Cyber Warriors
Related: New Disk Wiping Malware Used in Attacks Against South Korea
Secret Documents Say NSA Had Broad Scope, Scant Oversight: Report
Posted on July 1, 2014 by Kara Dunlap in Security
WASHINGTON – The US National Security Agency has been authorized to intercept information “concerning” all but four countries worldwide, top-secret documents say, according to The Washington Post.
“The United States has long had broad no-spying arrangements with those four countries – Britain, Canada, Australia and New Zealand,” the Post reported Monday.
Yet “a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well.”
The certification – approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — says 193 countries are “of valid interest for US intelligence.”
The certification also let the agency gather intelligence about entities such as the World Bank, the International Monetary Fund, European Union and the International Atomic Energy Agency, the report said.
“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” Jameel Jaffer, deputy legal director for the American Civil Liberties Union who had the documents described to him, told the Post.
The report stresses the NSA did not necessarily target nearly all countries but had authorization to do so.
It should come as cold comfort to Germany, which was outraged by revelations last year that the NSA eavesdropped on Chancellor Angela Merkel’s mobile phone, as well as by disclosures about wider US surveillance programs targeting Internet and phone communications.
Germany’s parliament is investigating the extent of spying by the US National Security Agency and its partners on German citizens and politicians, and whether German intelligence aided its activities.
The privacy issue is a particularly sensitive one in formerly divided Germany.
Ties between Washington and Europe more broadly, as well as other nations such as Brazil, have been strained since the revelations, despite assurances from US President Barack Obama that he is ending spy taps on friendly world leaders.
The Obama administration has insisted the NSA needs tools to be able to thwart terror attacks not just against the United States, but also its allies.
Snowden, a 30-year-old former NSA contractor, was granted temporary asylum by Russia last August after shaking the American intelligence establishment to its core with a series of devastating leaks on mass surveillance in the US and around the world.
NSA Scoops Up Images for Facial Recognition Programs: Report
Posted on June 1, 2014 by Kara Dunlap in Security
WASHINGTON – The US National Security Agency is scooping up large quantities of images of people for use in facial recognition programs, the New York Times reported Sunday, citing top secret documents.
The Times said documents, which were obtained from fugitive former US intelligence analyst Edward Snowden, show a significant increase in reliance on facial recognition technology at the agency over the past four years.
The report said the NSA was using new software to exploit a flood of images included in intercepted emails, text messages, social media posts, video conferences and other communications.
It cited leaked 2011 documents as saying the NSA intercepts “millions of images per day,” including 55,000 “facial recognition quality images.”
The images represented “tremendous untapped potential,” according to the report, which said NSA officials believe advances in technology could revolutionize the way the agency finds intelligence targets.
“It’s not just the traditional communications we’re after: It’s taking a full-arsenal approach that digitally exploits the clues a target leaves behind in their regular activities on the net to compile biographic and biometric information” that can help “implement precision targeting,” a 2010 document quoted by the newspaper said.
The Times said it wasn’t clear how many people, including how many Americans, had been caught up in the effort, but noted that neither US privacy laws nor US surveillance laws provide specific protections for facial images.
An NSA spokeswoman said, however, that the agency would be required to get court approval for imagery of Americans it collects through its surveillance programs.
The agency has been at the center of controversy over the scope of its global electronic surveillance programs since they were first revealed by Snowden in June 2013.
The former intelligence contractor is in Russia, where he was granted temporary political asylum last year.
NSA Spies on China Telecoms Giant Huawei: Report
Posted on March 23, 2014 by Kara Dunlap in Security
WASHINGTON – The US National Security Agency has secretly tapped into the networks of Chinese telecom and internet giant Huawei, the New York Times and Der Spiegel reported on their websites Saturday.
The NSA accessed Huawei’s email archive, communication between top company officials, internal documents, and even the secret source code of individual Huawei products, according to the reports, which are based on documents provided by fugitive NSA contractor Edward Snowden.
“We currently have good access and so much data that we don’t know what to do with it,” states one internal document cited by Der Spiegel.
Huawei — founded in 1987 by former People’s Liberation Army engineer Ren Zhengfei — has long been seen by Washington as a potential security Trojan Horse due to perceived close links to the Chinese government, which it denies.
The United States and Australia have barred Huawei from involvement in broadband projects over espionage fears.
Related: China’s Huawei Denies US Spies Compromised its Equipment
Shenzhen-based Huawei is one of the world’s leading network equipment providers and is the world’s third-largest smartphone vendor.
The original goal of Operation “Shotgiant” was to find links between Huawei and the Chinese military, according to a 2010 document cited by The Times.
But it then expanded with the goal of learning how to penetrate Huawei computer and telephone networks sold to third countries.
“Many of our targets communicate over Huawei-produced products,” the NSA document read, according to The Times.
“We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.
Huawei is a major competitor to US-based Cisco Systems Inc. – but US officials insist that the spy agencies are not waging an industrial espionage campaign on behalf of US companies, as Snowden has alleged.
“The fact that we target foreign companies for intelligence is not part of any economic espionage,” a senior intelligence official told reporters Thursday.
The goal of economic intelligence efforts is “to support national security interests,” and “not to try to help Boeing,” the official said.
Related: Huawei Founder Breaks Silence to Reject Security Concerns
Related: PLA Concerns Lead to Huawei Being Blocked in Australia
Related: Huawei Calls for Global Security Standards
Related: China’s Huawei Responds to US Hackers
Related: China’s Huawei to Curb Business In Iran
Insight: A Convenient Scapegoat – Why All Cyber Attacks Originate in China
NSA Spying on Europe-Asia Undersea Telecom Cables: Report
Posted on December 29, 2013 by Kara Dunlap in Security
BERLIN – The US National Security Agency has collected sensitive data on key telecommunications cables between Europe, north Africa and Asia, German news magazine Der Spiegel reported Sunday citing classified documents.
Spiegel quoted NSA papers dating from February and labelled “top secret” and “not for foreigners” describing the agency’s success in spying on the so-called Sea-Me-We 4 undersea cable system.
The massive bundle of fibre optic cables originates near the southern French city of Marseille and links Europe with north Africa and the Gulf states, continuing through Pakistan and India to Malaysia and Thailand.
“Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle,” Spiegel said.
It said NSA specialists had hacked an internal website belonging to the operator consortium to mine documents about technical infrastructure including circuit mapping and network management information.
“More operations are planned in the future to collect more information about this and other cable systems,” Spiegel quoted the NSA documents as saying.
Der Spiegel has over the last several months reported on mass NSA spying on targets in the United States and abroad using documents provided by fugitive intelligence contractor Edward Snowden.
A White House-picked panel this month recommended curbing the secretive powers of the NSA, warning that its spying sweeps in the “war on terror” had gone too far.
US President Barack Obama plans to address the report in January.