<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>UDP port 1434 directed attack to AS13489 IP ranges, Fri, May 24th</title><description>2013-05-24 22:58:28 - SANS Internet Storm Center InfoCON green : We have seen today a big rise of incoming packets of what appears to be SQL Slammer attacks.</description><link>http://www.secuobs.com/revue/news/447640.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447640.shtml</guid></item>
<item><title>Electrical grids 'woefully prepared' for cyber attacks, warns analyst</title><description>2013-05-24 22:55:24 - Security Bloggers Network : Electrical grids worldwide have become more susceptible to cyber attacks, due to the use of industrial control systems, according to market analysts ABI Research. The post Electrical grids 'woefully prepared' for cyber attacks, warns analyst appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/447639.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447639.shtml</guid></item>
<item><title>Zeus Malware Attacks Increase, Steals Account Credentials</title><description>2013-05-24 19:47:09 - Computer Security News :    The notorious Zeus Trojan, a family of banking malware known for stealing passwords and draining the accounts of its victims, has steadily increased in recent months, according to data collected by Trend Micro </description><link>http://www.secuobs.com/revue/news/447594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447594.shtml</guid></item>
<item><title>Twitter beefs up security after wave of attacks on media sites</title><description>2013-05-23 23:04:23 - Security Bloggers Network : Twitter has introduced a new two-factor security system - an optional 'extra layer' of security which should help to prevent unauthorised access to accounts. The post Twitter beefs up security after wave of attacks on media sites appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/447435.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447435.shtml</guid></item>
<item><title>IPS market to grow on back of worry over APT attacks</title><description>2013-05-23 21:50:36 - Computer Security News : The market for Intrusion Prevention Systems will continue to grow on the back of more advanced designs and rising anxiety about the threat posed by advanced persistent threats, Frost &amp; Sullivan has said.</description><link>http://www.secuobs.com/revue/news/447415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447415.shtml</guid></item>
<item><title>Nation's power grid under constant cyberattack, but Congress lax</title><description>2013-05-23 20:48:27 - Network World on Security : Utility companies are making only minimum efforts to protect their facilities from persistent and unrelenting cyberattacks, said a Congressional report released Tuesday </description><link>http://www.secuobs.com/revue/news/447397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447397.shtml</guid></item>
<item><title>Watch out for waterhole attacks -- hackers' latest stealth weapon</title><description>2013-05-23 16:16:50 - LinuxSecurity.com   Latest News : The bane of the computer security world is how long it takes to recognize and respond to new attack paradigms. Name a major threat -- the boot virus, macro virus, email attachment, or Web JavaScript redirect -- and it seems to take years to respond adequately.</description><link>http://www.secuobs.com/revue/news/447330.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447330.shtml</guid></item>
<item><title>'We're victims of hacker attacks,' claims ENRC</title><description>2013-05-23 15:29:56 - Computer Security News : </description><link>http://www.secuobs.com/revue/news/447318.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447318.shtml</guid></item>
<item><title>Akron: Attorneys available all week after cyber-attack</title><description>2013-05-23 09:38:31 - Computer Security News : The City is extending the number of days attorneys will be available at its community centers for citizens to inquire about the cyber-attack on the City's website.</description><link>http://www.secuobs.com/revue/news/447234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447234.shtml</guid></item>
<item><title>Security Alert: Beware of Tiffany Trojan on the Attack</title><description>2013-05-23 08:47:30 - Computer Security News : 'Don't open that attachment,' warns Sophos security analyst Graham Cluley. If you get an email appearing to be from world-famous jeweler Tiffany's, saying something like, 'Kindly open to see export License and payment invoice attached,' it likely contains a malicious Trojan horse, designed to infect and compromise your computer.</description><link>http://www.secuobs.com/revue/news/447229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447229.shtml</guid></item>
<item><title>Dissidents Fight Back as Governments Step Up Spyware Attacks</title><description>2013-05-23 07:08:30 - Computer Security News :    One of the first times hackers tried to infiltrate Danny O'Brien through his email inbox, it was in the guise of a human-rights event invitation from what appeared to be a friend </description><link>http://www.secuobs.com/revue/news/447219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447219.shtml</guid></item>
<item><title>Hackers may have stolen hundreds of bank details after 'malicious attack' on leisure centre system</title><description>2013-05-23 06:16:57 - Computer Security News :    More than 1,400 people who booked sessions online have been contacted by New Forest District Council following the discovery that someone has hacked into its website </description><link>http://www.secuobs.com/revue/news/447183.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447183.shtml</guid></item>
<item><title>Cyber Attack Temporarily Shuts Down Will Courts Website</title><description>2013-05-23 00:33:02 - Computer Security News :    The Will County Courts website is currently experiencing down time, following a recent cyber attack, Sun-Times Media reports  </description><link>http://www.secuobs.com/revue/news/447146.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447146.shtml</guid></item>
<item><title>New Congressional Report Illuminates Attackers' Focus On Electric Grid</title><description>2013-05-23 00:24:26 - Dark Reading   All Stories : Regular attack attempts on electricity providers, malware infections, threatening the power grid </description><link>http://www.secuobs.com/revue/news/447144.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447144.shtml</guid></item>
<item><title>Cyberattacks could be fatal to small companies, U.S. Congressman warns</title><description>2013-05-22 22:04:23 - Security Bloggers Network : WASHINGTON, DC: Cybersecurity threats have come a long way since hackers temporarily crippled the computer system at one of Chris Collins' businesses a few years ago. For that reason, Collins, now US Congressman Rep. Chris Collins (R-NY), dedicated his first hearing as chairman of a House Small Business subcommittee to the growing danger of cyberattacks, which he deemed an often ignored threat that can put companies out of business. 'Although attacks on small businesses don't make the headlines, a recent report shows nearly 20 percent of cyberattacks are on small firms with less than 250 employees,' Collins said. 'Unlike a large company, small businesses may not be able to survive a cyberattack.' That's because those attacks cost so much, Collins said, citing FCC reports showing that the average annual cost of cyberattacks on small and medium-size businesses was $188,242. Not surprisingly, then, nearly 60 percent of small businesses that are hit by cyberattacks close within six months of the problem, he added, citing a 2011 report by Business Insider.</description><link>http://www.secuobs.com/revue/news/447121.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447121.shtml</guid></item>
<item><title>Protect Your Business: Tips for Preventing Cyber Attacks, From a Stevie Awards Chair</title><description>2013-05-22 20:12:52 - Security Bloggers Network : Craig Lund, CEO of SecureAuth Corporation in Irvine, California, USA, is the Chair of the Final Judging Committee for the company awards and organization awards categories in The 2013 American Business Awards, the premier business awards program in the USA. We talked with him about cyber terrorism, career advice, and what</description><link>http://www.secuobs.com/revue/news/447087.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447087.shtml</guid></item>
<item><title>Power company targeted by 10,000 cyberattacks per month</title><description>2013-05-22 19:15:59 - Ars Technica   Risk Assessment : Electric grid is under daily assault, Congressional report finds </description><link>http://www.secuobs.com/revue/news/447070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447070.shtml</guid></item>
<item><title>Cyber Attacks on Critical Infrastructure Could Cause Disaster</title><description>2013-05-22 18:22:13 - Security Bloggers Network : Critical infrastructure in the US, including the energy sector with its nuclear power facilities, is increasingly coming under cyber attack from hostile nations and a range of other hackers, with potentially disastrous consequences. The warning was issued earlier this month by Charles Edwards, deputy inspector general of the Department of Homeland Security (DHS), who emphasized the need for</description><link>http://www.secuobs.com/revue/news/447051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447051.shtml</guid></item>
<item><title>SC IRS data breach a result of simple phishing attack</title><description>2013-05-22 17:29:08 - Security Bloggers Network : As many know, the South Carolina tax system experienced a security breach in August of 2012 According to an article by Eric Chabrow, this security breach was made possible when a Department of Revenue employee accessed an email that was part of a phis </description><link>http://www.secuobs.com/revue/news/447037.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447037.shtml</guid></item>
<item><title>Some US utilities say they're under constant cyberattack</title><description>2013-05-22 17:29:08 - Security Bloggers Network : An interesting article in NBC News in their Technology Section: Several power utilities say they face a barrage of cyberattacks on their critical systems, a report by two Democratic lawmakers found, echoing warnings from the Obama administration that foreign hackers were trying to bring down the US power grid. Rep. Henry Waxman, D-Calif., released the report, co-authored</description><link>http://www.secuobs.com/revue/news/447034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447034.shtml</guid></item>
<item><title>Rise In Sophisticated, Targeted Cyber Attacks Heightens Demand for Intrusion Prevention Systems Globally, Finds Frost &amp; Sullivan</title><description>2013-05-22 17:05:34 - Dark Reading   All Stories : Increase in APTs primarily compels customers to upgrade to IPS.</description><link>http://www.secuobs.com/revue/news/447024.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447024.shtml</guid></item>
<item><title>Opinion varies on action against Chinese cyberattacks</title><description>2013-05-22 14:45:15 - Network World on Security : New cyberespionage attack by People's Liberation Army prompts calls for action such as sanctions, but experts are mixed on best response </description><link>http://www.secuobs.com/revue/news/446991.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446991.shtml</guid></item>
<item><title>US power companies under frequent cyberattack</title><description>2013-05-22 14:45:15 - Network World on Security : A survey of US utilities shows many are facing frequent cyberattacks that could threaten a highly interdependent power grid supplying more than 300 million people, according to a congressional report </description><link>http://www.secuobs.com/revue/news/446987.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446987.shtml</guid></item>
<item><title>Myth-Busting SQL- And Other Injection Attacks</title><description>2013-05-22 14:39:33 - Dark Reading   All Stories : Black Hat injection-attacks instructor dishes on the complexity of SQL injection and the prevalence of lesser-known injection attacks </description><link>http://www.secuobs.com/revue/news/446984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446984.shtml</guid></item>
<item><title>US utilities under daily, constant cyberattacks: report</title><description>2013-05-22 13:25:11 - ZDNet  Zero Day Blog RSS : A new report claims that a number of US-based utilities are fending off cyberattacks on a daily basis.</description><link>http://www.secuobs.com/revue/news/446973.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446973.shtml</guid></item>
<item><title>Akron: Attorneys assist concerned residents after cyber attack</title><description>2013-05-21 23:27:59 - Computer Security News : A slew of attorneys are available to answer questions from residents who may be concerned about their information being compromised during last week's cyber attack on the city's website.</description><link>http://www.secuobs.com/revue/news/446883.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446883.shtml</guid></item>
<item><title>China Resumes Cyber-Attacks on US Corporate, Government Networks</title><description>2013-05-21 22:30:49 - Computer Security News : NEWS ANALYSIS: The Chinese Army added to its cyber-warfare arsenal and is attacking US networks that haven't been strengthened since the last attacks.</description><link>http://www.secuobs.com/revue/news/446869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446869.shtml</guid></item>
<item><title>APT1 is back, attacks many of the initial US corporate targets</title><description>2013-05-21 21:48:49 - Help Net Security   News : The APT1 hacker group is back to its old tricks, targeting a big number of organizations and businesses and, among them, many of those that they have previously breached, Mandiant has confirmed.</description><link>http://www.secuobs.com/revue/news/446856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446856.shtml</guid></item>
<item><title>What Connections Between Attacks Say About Them</title><description>2013-05-21 20:53:10 - Security Intelligence  TrendLabs   Trend Micro : In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely, attacks that may seem related may turn out to be unconnected. Knowing which is which can provide useful information in determining how to respond to an attack.</description><link>http://www.secuobs.com/revue/news/446850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446850.shtml</guid></item>
<item><title>Cyber attacks on America 'will get worse', warns NSA director</title><description>2013-05-21 18:54:16 - Security Bloggers Network : Cyber attacks on America will continue to escalate, according to National Security Director Keith Alexander, speaking to the Reuters Cybersecurity Summit in Washington. 'Disruptive and destructive attacks on our country will get worse,' said Alexander, the leading US general in charge of the nation's cybersecurity. 'Mark my words, it will get worse.' The post Cyber attacks on America 'will get worse', warns NSA director appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/446826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446826.shtml</guid></item>
<item><title>Can your firewall and IPS block DDoS attacks?</title><description>2013-05-21 17:58:42 - Security Bloggers Network : More and more organizations realize that DDoS threats should receive higher priority in their security planning. However, many still believe that the traditional security tools such as firewalls and Intrusion Prevention Systems (IPS) can help them deal with the DDoS threat. This post explains why organizations should not count on their firewall and IPS when</description><link>http://www.secuobs.com/revue/news/446808.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446808.shtml</guid></item>
<item><title>Darkleech attack continues to grow</title><description>2013-05-21 17:58:42 - Security Bloggers Network : The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka LinuxCdorked) injects malicious redirections into a website.</description><link>http://www.secuobs.com/revue/news/446806.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446806.shtml</guid></item>
<item><title>Chinese Hackers Renew Attacks on US Financial Firms</title><description>2013-05-21 16:52:15 - Computer Security News :    Hackers backed by China's military appear to have resumed a campaign of cyberattacks on US businesses, the New York Times is reporting </description><link>http://www.secuobs.com/revue/news/446791.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446791.shtml</guid></item>
<item><title>Hackers From China Resume Attacks on US Targets</title><description>2013-05-21 15:05:39 - LinuxSecurity.com   Latest News : Three months after hackers working for a cyberunit of China's People's Liberation Army went silent amid evidence that they had stolen data from scores of American companies and government agencies, they appear to have resumed their attacks using different techniques, according to computer industry security experts and American officials.</description><link>http://www.secuobs.com/revue/news/446766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446766.shtml</guid></item>
<item><title>Aurora attackers were looking for Google's surveillance database</title><description>2013-05-21 14:34:00 - Help Net Security   News : When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looki</description><link>http://www.secuobs.com/revue/news/446756.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446756.shtml</guid></item>
<item><title>Chinese cyberattack on Google exposed spy data: US officials</title><description>2013-05-21 12:05:18 - ZDNet  Zero Day Blog RSS : An attack which took place against Google exposed sensitive data concerning US surveillance targets.</description><link>http://www.secuobs.com/revue/news/446731.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446731.shtml</guid></item>
<item><title>FT is latest media group attacked by Syrian hackers</title><description>2013-05-21 03:23:49 - Computer Security News :    The Financial Times has confirmed that its website and several Twitter accounts were hacked by the Syrian Electronic Army  </description><link>http://www.secuobs.com/revue/news/446672.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446672.shtml</guid></item>
<item><title>'Commercialized' Cyberespionage Attacks Out Of India Targeting US, Pakistan, China, And Others</title><description>2013-05-20 21:59:59 - Dark Reading   All Stories : Operation Hangover signals new franchise model in cyberespionage with cyberspying services for hire </description><link>http://www.secuobs.com/revue/news/446643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446643.shtml</guid></item>
<item><title>Cyber Attack From Inside India Hits Pakistan Government</title><description>2013-05-20 21:08:11 - Computer Security News :    The campaign is using vulnerabilities in Microsoft software to install the HangOver malware, according to Norwegian security firm Norman Shark  </description><link>http://www.secuobs.com/revue/news/446638.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446638.shtml</guid></item>
<item><title>Operation Hangover: Q&amp;A on Attacks</title><description>2013-05-20 20:12:21 - Symantec Connect   Security Response   Billets : Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week, and this Q&amp;A will provide additional information relevant to Symantec around this group. Q: Do Symantec and Norton products protect against threats used by this group? Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud also detects the targeted emails used by this group. Q: Has Symantec been aware of the activities of Operation Hangover? Yes. As called out in our initial blog, multiple security vendors have been tracking this group. Symantec has been privy to information surrounding this group for a period of time and has been actively tracking their work while ensuring that the best possible protection was in place for the various threats used by them. Q: Where does the name Operation Hangover come from? Norman and Shadowserver derived the name Operation Hangover, as one of the most prevalent malwares used by this group contains a project debug path containing this name. Q: How does a victim get infected? The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Figure 1 shows the different stages in the Operation Hangover attack. [Figure 1: Operation Hangover attack] The email contains a malicious attachment that, if opened, infects the victim's system or attempts to use an exploit against the target victim's system. If successful, the first stage malware is loaded onto the victim's system. This malware, for the most part, is from a family of Visual Basic downloaders known as Smackdown. Following reconnaissance of the infected system by the attacker, they can then decide whether to download the second stage of malware, which consists of information stealers mostly written in C from a malware family known as HangOve. There are several possible modules from the HangOve family downloaded, which can perform the following tasks: keylogging, backconnect, screen grabber, self-replication, system gathering. Q: Does Symantec know who this group is targeting? Yes. Symantec telemetry has identified Pakistan as being the main target of this attack. With defense documents being used as a lure in these attacks, it would suggest the targets of interest are government security agencies. Symantec has however also observed this group taking part in industrial espionage in countries outside of Pakistan. Q: How widespread is the threat? As seen in figures 2 and 3, Symantec telemetry is reporting Pakistan as being the main country impacted by this group. These findings correspond to other researchers' findings in relation to this group. As previously stated, it is also evident that the operations of this group do not solely focus on one target or region. [Figure 2: Heat map of Symantec telemetry for Operation Hangover related detections] [Figure 3: Top 10 countries showing Symantec telemetry for Operation Hangover detections] Q: What name does Symantec give to threats used by this group? Symantec has detection in place for the threats used by this group under the following detection names: Trojan.Mdropper, Downloader, Infostealer. For Symantec customers to identify this group, we are remapping the main components of this campaign to the following: Trojan.Smackdown, Trojan.Smackup, Trojan.Hangove. The following Intrusion Prevention Signature (IPS) is also in place: System Infected: Trojan.Hangove Activity. Q: Do Symantec and Norton products protect against known exploits used in this campaign? Yes. The known vulnerabilities being used by this group are listed below along with the Symantec protections. At this time there is no evidence to suggest that the group are using, or have at any time used, a zero-day vulnerability in their attacks. [Table 1] Q: How will this report affect the group orchestrating Operation Hangover? Similar to other cases, despite the exposure of the Operation Hangover group, Symantec believes they will continue their activities. Symantec will continue to monitor their activities and provide protection against these attacks. As always, we advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups of this kind.</description><link>http://www.secuobs.com/revue/news/446626.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446626.shtml</guid></item>
<item><title>Hire DDoS attack service 'legal' and connected to FBI</title><description>2013-05-20 18:23:10 - Security Bloggers Network : A service which boots websites offline for payment is legitimate, says the owner. But why a backdoor monitored by the FBI?</description><link>http://www.secuobs.com/revue/news/446577.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446577.shtml</guid></item>
<item><title>Chinese army hackers return from vacation, renew attacks on US</title><description>2013-05-20 17:21:23 - Ars Technica   Risk Assessment : Being outed, public 'shaming' by White House only yielded pause in hacks.</description><link>http://www.secuobs.com/revue/news/446571.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446571.shtml</guid></item>
<item><title>Hire DDoS attack service 'legal' and connected to FBI</title><description>2013-05-20 11:45:57 - ZDNet  Zero Day Blog RSS : A service which boots websites offline for payment is legitimate, says the owner. But why a backdoor monitored by the FBI?</description><link>http://www.secuobs.com/revue/news/446509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446509.shtml</guid></item>
<item><title>Thwarting Client Side Attacks with SRP</title><description>2013-05-20 02:55:08 - SecurityTube.Net : Video on stopping simple SET attacks by enabling SRP on a Windows domain.</description><link>http://www.secuobs.com/revue/news/446453.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446453.shtml</guid></item>
<item><title>UK Court Jails 4 Lulzsec Hackers for Cyberattacks</title><description>2013-05-19 01:41:16 - Computer Security News :    Four young computer hackers who masterminded cyberattacks on targets from the CIA to Sony Pictures and Rupert Murdoch's News International were sentenced to up to 32 months in prison on Thursday </description><link>http://www.secuobs.com/revue/news/446373.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446373.shtml</guid></item>
<item><title>Large Attacks Hide More Subtle Threats In DDoS Data</title><description>2013-05-18 14:36:10 - Dark Reading   All Stories : While distributed denial-of-service attacks topping 100Gbps garner the headlines, they are not the threat that should worry most companies </description><link>http://www.secuobs.com/revue/news/446324.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446324.shtml</guid></item>
<item><title>FBI, city of Akron investigating hacker attack that compromised identities of 8,000 taxpayers</title><description>2013-05-18 01:48:07 - Office of Inadequate Security : Jenn Strathman reports: Cyber hackers from Turkey hacked into the city of Akron's website and replaced city messages.</description><link>http://www.secuobs.com/revue/news/446286.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446286.shtml</guid></item>
<item><title>Financial Times Suffers Cyber Attack</title><description>2013-05-17 18:23:59 - Computer Security News :    Pearson's Financial Times reported Friday that several of its blogs and social media accounts were  compromised by hackers  The announcement, initially made through the UK-based business publication's Twitter account, was also confirmed by FOX Business through a Financial Times spokesperson </description><link>http://www.secuobs.com/revue/news/446175.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446175.shtml</guid></item>
<item><title>UK: Essex County Council has 27,000 computer hacker attacks in a year</title><description>2013-05-17 13:36:39 - Office of Inadequate Security : Just for perspective. Ben Bland reports: More than 25,000 cyber attacks were carried out against Essex County Council.</description><link>http://www.secuobs.com/revue/news/446099.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446099.shtml</guid></item>
<item><title>Pakistan Hit By Targeted Attack Out Of India</title><description>2013-05-17 13:15:16 - Dark Reading   All Stories : Information-stealing malware campaign spreads via phishing email attachments posing as Indian military secrets </description><link>http://www.secuobs.com/revue/news/446096.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446096.shtml</guid></item>
<item><title>Targeted data stealing attacks using fake attachments</title><description>2013-05-17 12:46:42 - Help Net Security   News : ESET has uncovered and analyzed a targeted campaign that tries to steal sensitive information from different organizations, particularly in Pakistan (with limited spread around the world). During t</description><link>http://www.secuobs.com/revue/news/446084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446084.shtml</guid></item>
<item><title>Cars' Internet connectivity poses cyber attack threat</title><description>2013-05-17 10:55:48 - Computer Security News : Wellington, May 16: With cars becoming more powerful, connected to the Internet and operated by computers, the risk of cyber attacks has arisen.</description><link>http://www.secuobs.com/revue/news/446076.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446076.shtml</guid></item>
<item><title>Symantec Protection for Targeted Attacks in South Asia</title><description>2013-05-17 07:53:20 - Symantec Connect   Security Response   Billets : ESET recently blogged about a targeted cyber espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies. [Figure 1: Telemetry data focused on South Asia] The identified infection vector of this campaign is spear phishing emails with malicious files attached. We've observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). Once exploited, the documents will drop malware that is used to steal information from the targets and send it back to the attackers' servers. Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Downloader and Infostealer. Users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments. To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.</description><link>http://www.secuobs.com/revue/news/446058.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446058.shtml</guid></item>
<item><title>US could use cyberattack on Syrian air defenses</title><description>2013-05-17 06:18:19 - Computer Security News :    The Pentagon has developed cyber attack capabilities that would allow it to at least partially cripple Syrian air defenses without firing a shot, according to military analysts </description><link>http://www.secuobs.com/revue/news/446043.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446043.shtml</guid></item>
<item><title>Network-based Malware Detection 2.0: Advanced Attackers Take No Prisoners</title><description>2013-05-17 01:19:22 - Security Bloggers Network :    It was simpler back then. You know, back in the olden days of 2003. Viruses were predictable, your AV vendor could write virus signatures to catch malware, and severe outbreaks like Melissa and SQL Slammer were based on brittle operating systems and poor patching practices. Those days are over, long gone under an onslaught of innovative attacks leveraging professional software development tactics and taking advantage of the path of least resistance, which tends to be your employees. We've written rather extensively about this battle with advanced attackers, given it's (arguably) the top issue facing security organizations today: from the original Network-based Malware Detection paper, through Evolving Endpoint Malware Detection, and through the most recent Early Warning arc (Building an Early Warning System, Network-based Threat Intelligence, Email-based Threat Intelligence). Finally, we took the message to an executive view with the CISO's Guide to Advanced Attackers. In a technology-driven world, though, change is constant. The attacks change and the defenses change, and as much as we try to write timeless research, sometimes our stuff needs a refresh. Detecting advanced malware on the network is one of those markets that has changed very rapidly over the past 18 months since we wrote the first paper. Compounding the changes in attack tactics and control effectiveness, the competition for network-based malware protection solutions has dramatically intensified, and now every network security vendor has introduced a network-based malware detection capability or will soon. This makes for a pretty confusing situation for a security practitioner, who is really only trying to keep malware out of their network and is less interested in vendors sniping at and bad-mouthing each other. Accelerating change and increasing confusion usually
indicates it's time to wade back into the space and document the changes to ensure you understand the key aspects of detecting malware on your network. Thus we're launching a new blog series called Network-based Malware Detection 2.0: Assessing Scale, Security, Accuracy, and Blocking, to update our original paper. As with all of our blog series, we'll develop the content independently and objectively, guided by our Totally Transparent Research methodology. We do have bills to pay, and we're pleased that Palo Alto Networks will once again consider licensing the paper upon completion. Let's not get the cart before the horse here, and go back to the beginning to consider why advanced malware requires new approaches for both detection and remediation. Gaining Presence With New Targets --------------------------------- Cloppert's kill chain is alive and well, and that means the first order of business for the attackers is to gain a foothold in your environment by weaponizing and delivering exploits to compromise devices. Following the path of least resistance, it's far more efficient for attackers to target your employees and get them to click on a link they shouldn't. That's not new, but what is new is the target of their exploitation. In looking at targets for exploitation, they want to go after the most widely deployed software to provide the greatest number of potential victims and increase their chance of success. That led them to take advantage of unpatched vulnerabilities within the operating systems. With the latest versions of Windows, it's gotten a lot harder to exploit the devices, which is a good thing. So the attackers went after the next most widely distributed software: browsers. The initial success of compromising the browsers forced all of the browser providers to respond aggressively to better lock down the software. That doesn't mean you don't still see edge cases of problems with older browsers requiring out-of-cycle patches, but for the most part the
browser isn't the path of least resistance anymore. The action/reaction cycle continues with the attackers moving their attention to other widely used software like Adobe Reader and Java. And once Oracle and Adobe make progress, there will be another target. There always is. The only thing that you can count on is that attackers will find new ways to compromise devices. The Role of the Perimeter ------------------------- Once the attackers have presence in your network via the initially compromised device, they systematically move laterally to their target until they achieve their mission. Your defensive strategy involves trying to detect and block the malicious software, optimally before it wreaks havoc on the endpoint. Why? Because once the malware ends up on the device, you can't rely on your endpoint defenses to stop it. We talk to many larger organizations that basically treat every endpoint as a hostile device: if it's not already compromised, it will be soon enough. As such, they take preemptive measures, like extensive network segmentation, to make it harder for attackers to gain access to the data they are targeting. But what they'd like to do is stop the malware from reaching the endpoint device in the first place. There is clear precedent for this approach. Years ago, anti-spam technology resided on the email server. Over time, the technology to block unsolicited email moved out to the perimeter and eventually into the cloud, to move the flood of bad email as far away from your email system as possible. We expect a similar movement of the advanced malware protection technology, from the endpoint to the perimeter. But that begs the question of how you detect the malware on the perimeter. With a network-based malware detection device (NBMD), of course. As we described in the original paper, these devices have emerged to analyze files passing by on the wire and identify files exhibiting questionable behavior by executing the files in a sandbox. In the next post, we
'll revisit that research to delve into how these devices work and why they make a good complement to other controls implemented to detect malware elsewhere in your environment. Insecurity By Obscurity ----------------------- As mentioned above, in the olden days you could just match a file signature with a known bad file, determine the file is a virus and block it. This endpoint-centric blacklist approach worked well, until it didn't. Now it's largely ineffective, and the endpoint protection vendors have moved to a combination of heuristics, cloud-based fuel repositories, IP and file reputation, and a variety of other intelligence-based mechanisms to isolate the attacks. But the attackers are pretty smart, and they've learned to defeat blacklists and reputation and most other anti-malware defenses in use today. They send polymorphic files into the wild that change the files randomly, so your blacklist is dead. They hijack system files that usually are excepted from analysis by your anti-malware agents. They obscure communications with the command and control networks that manage the compromised device to hide from IP reputation defenses running on network gear. Basically, they make it very difficult to detect the attack, defeating your security with their obscurity. Now that's a turn of events, no? It has resulted in an industry-wide arms race that will get more fierce as the attackers continue to increase the sophistication of their techniques. Just as an example, attackers now add logic to their malware kits to check whether the program is executing in a virtual machine, and to do nothing (or delay execution for hours or days) in that event. Given that virtualization is the main technique used by sandbox technology, this sandbox-aware malware can hide from some NBMD devices. Furthermore, given some of the new innovative malware techniques, security and accuracy on an NBMD device is more important than ever. With the first generation of NBMD technology, catching an incremental
40-50% of malware on the perimeter was a win. Nowadays that's not good enough, and the expectation is for much better detection to justify running yet another device and investing more money in perimeter defenses. We're also seeing no end in sight for the exponential increases in traffic volumes and number of malware samples. This adds a significant scaling requirement on any perimeter NBMD equipment to keep pace, especially since the expectation is increasingly to deploy the NBMD inline to enable reliable blocking of the malicious files. Given the acute funding and resource shortages to actually investigate and remediate attacks, it's all the more critical to block as much malware on the edge as possible. But going inline changes the latency, security, and reliability requirements of the devices rather significantly. It's a bad day when an incremental security device knocks down a network or blocks legitimate traffic, as some of you have probably learned the hard way. In this Network-based Malware Detection 2.0 series, we'll specifically address these changes and cover the latest and greatest tactics and deployment models to eliminate as much malware on the perimeter of your network as you can. So strap in; we'll resume the series next week by revisiting how these devices detect advanced malware on the network. - Mike Rothman </description><link>http://www.secuobs.com/revue/news/446016.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446016.shtml</guid></item>
<item><title>LulzSec Hackers Get Prison Time in UK for Cyber Attacks</title><description>2013-05-16 23:14:40 - Dark Reading   All Stories : Prison time marks the end of a prominent chapter in hacktivist history, one security researcher says </description><link>http://www.secuobs.com/revue/news/446004.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446004.shtml</guid></item>
<item><title>Computer hacker Lewys Martin jailed for DOS attack on Kent Police website</title><description>2013-05-16 21:32:40 - Computer Security News :    A skilled computer hacker who launched cyber attacks on the websites of Kent Police and Oxford and Cambridge universities has been jailed for two years </description><link>http://www.secuobs.com/revue/news/445928.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445928.shtml</guid></item>
<item><title>Non-malware Penetration Techniques of an Advanced Attacker   Podcast  246</title><description>2013-05-16 20:49:31 - Security Bloggers Network : The level and sophistication of advanced threats is a constantly moving target, pitting the advantages of smart and patient attackers against security teams that oftentimes can't possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn't have to rely on malware to infiltrate their target, or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA's Advanced Cyber Defense Services, shares some of the attack techniques he's seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks </description><link>http://www.secuobs.com/revue/news/445923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445923.shtml</guid></item>
<item><title>Five Things Every Organization Should Know about Detecting And Responding To Targeted Cyberattacks</title><description>2013-05-16 19:17:29 - Dark Reading   All Stories : Most companies continue to try to protect themselves using approaches that are years out of date, according to a new how-to book published by ISACA and written by Ernst &amp; Young </description><link>http://www.secuobs.com/revue/news/445897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445897.shtml</guid></item>
<item><title>Targeted information stealing attacks in South Asia use email, signed binaries</title><description>2013-05-16 17:47:09 - Security Bloggers Network :    Detailed analysis of a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan The post Targeted information stealing attacks in South Asia use email, signed binaries appeared first on We Live Security </description><link>http://www.secuobs.com/revue/news/445871.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445871.shtml</guid></item>
<item><title>Google cloud attacks Amazon and Azure at I/O</title><description>2013-05-16 14:19:03 - Security Bloggers Network : Google cloud attacks Amazon and Azure at I/O    Urs Hölzle gets excited about Compute Engine        ITBW for  Computerworld  (GOOG) </description><link>http://www.secuobs.com/revue/news/445825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445825.shtml</guid></item>
<item><title>Researchers reveal OpUSA attackers' MO</title><description>2013-05-16 13:27:35 - Help Net Security   News : Anonymous' highly publicized Operation USA has not been the resounding success they expected it to be. Sure, the number of sites sporting a page containing messages from the attackers was big, bu </description><link>http://www.secuobs.com/revue/news/445810.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445810.shtml</guid></item>
<item><title>Chico schools fight off cyber attack</title><description>2013-05-16 11:28:53 - Computer Security News :    Computers belonging to the Chico Unified School District came under what appears to have been a focused cyber attack that put them out of commission between Friday and Tuesday </description><link>http://www.secuobs.com/revue/news/445783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445783.shtml</guid></item>
<item><title>Demo: Performing a DoS-attack on a webserver using Xerxes</title><description>2013-05-16 06:47:33 - SecurityTube.Net : Demo: Performing a DoS-attack on a webserver using Xerxes </description><link>http://www.secuobs.com/revue/news/445751.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445751.shtml</guid></item>
<item><title>Mass Customized Attacks Show Malware Maturity</title><description>2013-05-16 05:41:26 - Dark Reading   All Stories : The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category--mass customized malware--poses a more serious threat for business </description><link>http://www.secuobs.com/revue/news/445745.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445745.shtml</guid></item>
<item><title>Don't Be a Victim of a Phishing Attack</title><description>2013-05-15 22:46:54 - Security Bloggers Network : Criminals and hackers have been extremely sophisticated in creating phony but authentic-looking e-mails that seem to have originated from legitimate companies. If you receive an e-mail that you believe to be a phishing attempt, do not reply to it si </description><link>http://www.secuobs.com/revue/news/445709.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445709.shtml</guid></item>
<item><title>Failed OpUSA Attacks Show How Hackers Operate</title><description>2013-05-15 21:47:49 - Security Intelligence  TrendLabs   Trend Micro : Last week's OpUSA attacks resulted in no high-profile sites knocked offline, and damage limited to relatively unknown sites compromised and defaced. Still, the attack did show how hackers operate and "claim" their results in high-profile hacking "operations" like OpUSA. Using information provided both by the Smart Protection Network and the attackers themselves (via Pastebin), we    Post from  Trendlabs Security Intelligence Blog - by Trend Micro Failed OpUSA Attacks Show How Hackers Operate </description><link>http://www.secuobs.com/revue/news/445703.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445703.shtml</guid></item>
<item><title>APWG: Nearly Half of All Phishing Attacks Leveraged Hacked Hosting Providers</title><description>2013-05-15 21:46:59 - Security Bloggers Network : Hacked hosting providers are becoming a fertile launch pad for new phishing attacks, accounting for nearly half of all phishing incidents during the second half of 2012, according to new research from the Anti-Phishing Working Group (APWG). The fact that these phishing attacks are increasing is not surprising, since based on earlier reports spear phishing is the main way cyber   Read more </description><link>http://www.secuobs.com/revue/news/445698.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445698.shtml</guid></item>
<item><title>FBI briefs US bank executives on wave of cyberattacks</title><description>2013-05-15 20:22:11 - Network World on Security : The FBI has reportedly briefed US bank executives on a wave of cyberattacks that have lashed the industry since last summer as part of a new policy designed to foster co-operation between the state and private sectors </description><link>http://www.secuobs.com/revue/news/445689.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445689.shtml</guid></item>
<item><title>FSOC: Financial Regulators Warn of Ongoing Cyber Attacks</title><description>2013-05-15 19:43:50 - Security Bloggers Network : The federal government issued a strong warning to the financial services sector: beware of cyber threats, according to the recently released 2012 Financial Stability Oversight Council (FSOC) report. The FSOC report, which fulfills a Congressional mandate to describe "significant financial market and regulatory developments, analyze potential emerging threats, and make certain recommendations," found cyberattacks to be a significant "operational risk"   Read more </description><link>http://www.secuobs.com/revue/news/445650.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445650.shtml</guid></item>
<item><title>Thwarting Client Side Attacks with Software Restriction Policy</title><description>2013-05-15 17:37:06 - Security Bloggers Network :    A few weeks ago I started looking at Windows Software Restriction Policy (SRP) and using it to stop client side attacks. This is going to go over some of the options, the setup and the results once enabled. SRP is easy to set up via a Group Policy Object (GPO). Inside the GPO editor create a New Software Restriction Policy. Once created, the defaults will be set up. You can look around to see the basic options. Here is my tested setup. Enforcement: select "All software files" and "All users except local administrators". Under Designated File Types: remove type LNK - this will make sure that shortcuts placed outside of the designated execution directories will run. When I initially tested what I thought would work, none of the shortcuts on the toolbar or desktop would launch an application, and I found this to be the issue. Ignore Trusted Publishers; this is used if we are limiting applications based on the certificate authority. Select "Additional Rules". The default execution directories will be selected: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% and %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%. Since mine is 64-bit Windows I added %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%. The security level for these is going to be "Unrestricted"; I want them to be able to execute as normal. Now back under "Security Levels" the default setting is Unrestricted; since we are changing users over to defined execution directories, I want to set anything not specifically allowed in the Additional Rules section to "Disallowed", so we change the default to Disallowed. Save this and run gpupdate /force on the target machine. Now to test a client side attack using SET, I am going to use the Java
attack method: 1 - Social-Engineering Attacks, 2 - Website Attack Vectors, 1 - Java Applet Attack Method, 1 - Web Templates, 1 - Java Required, 2 - Windows Reverse_TCP Meterpreter, 16 - Backdoored Executable - enter port of listener (default 443). Fire it up and wait till it starts the payload handler. Once the handler is started you are ready to test the attack. Go ahead and run the unsafe Java applet. You will notice that the site is responding but the Java applet is unable to execute the payload. After attempting this and being successful, I tried running SET with PowerShell Injection and to my surprise the attack succeeded. I realized that with PowerShell the payload was running from the C:\Windows\SysWOW64\WindowsPowerShell directory, which by default is explicitly allowed. To defeat this attack I added the path to the list of Additional Rules and set it to "Basic User", retested the attack with PS Injection, and the attack failed as expected. I tested this with multiple payloads and encoding methods and every one of them failed to result in a successful attack. I ran two other tests; the first was using an EXE embedded in a PDF and an older version of Adobe Reader (9.3). SRP was able to successfully stop this attack. Finally I tested a physical attack using a USB Rubber Ducky Human Interface Device (HID) from the folks over at hak5 (www.hak5.com). I used a great little payload generator found over on Google Code (https://code.google.com/p/simple-ducky-payload-generator/). It is pretty slick and simple; I used a meterpreter PowerShell injection payload that didn't attempt to elevate privileges. SRP was able to successfully stop this attack. If the user had admin privileges and entered creds in the UAC window it would have worked, since I allow Local Admins unrestricted access. In production there are likely other directories where code needs to execute; those will need to be added to the allow list. As the config is done, administrators will be able to bypass
these rules for installation of software etc. Administrators will also need to ensure that ACLs are properly set, since a curious user could move executables into the approved directories and run them. While this is likely a bit tough to implement in a very large organization, this is a very effective method for stopping client side attacks. To find other executable directories in use in your environment, enable SRP with defaults (fully unrestricted) and set the following registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, String Value LogFileName. This will log the executable and the directory it was run from; a little data mining can determine where applications need to execute from. Also, Inventory Collector from the Application Compatibility Toolkit can assist in this task. </description><link>http://www.secuobs.com/revue/news/445583.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445583.shtml</guid></item>
<item><title>Responding to DoS attacks at the web layer</title><description>2013-05-15 15:17:07 - Acunetix   Web Application Security Blog :    Are you ready to respond to DoS attacks at the web layer? In this article, Kevin Beaver shares an anecdote from his own experience whilst highlighting some important steps to take. First things first: responding to DoS attacks at the    The post Responding to DoS attacks at the web layer appeared first on Acunetix </description><link>http://www.secuobs.com/revue/news/445546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445546.shtml</guid></item>
<item><title>Facebook attacked with credential-harvesting malware</title><description>2013-05-15 14:36:34 - Network World on Security : Dorkbot variant infection unusual because the criminals exploited a flaw in the file-sharing site MediaFire to spread the malware </description><link>http://www.secuobs.com/revue/news/445533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445533.shtml</guid></item>
<item><title>Web Application Testing Using Real-World Attacks</title><description>2013-05-15 13:38:36 - Dark Reading   All Stories : Using exploits to test Web applications can be an enlightening way to test for vulnerabilities, but there are downsides as well </description><link>http://www.secuobs.com/revue/news/445524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445524.shtml</guid></item>
<item><title>Web App Testing Using Real-World Attacks</title><description>2013-05-15 07:59:57 - Dark Reading   All Stories : Using exploits to test Web applications can be an enlightening way to test for vulnerabilities, but there are downsides as well </description><link>http://www.secuobs.com/revue/news/445468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445468.shtml</guid></item>
<item><title>Firms hack away at cyber attacks</title><description>2013-05-15 05:01:16 - Computer Security News :    Adam Cecchetti, a founder of Déjà vu Security, is one of the white hat hackers working on behalf of companies to fight off cyberattacks on a daily basis </description><link>http://www.secuobs.com/revue/news/445452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445452.shtml</guid></item>
<item><title>Researchers develop algorithm to protect networks from cyber attacks</title><description>2013-05-15 01:23:17 - Computer Security News :    Amidst increasing concern about cybersecurity, researchers at North Carolina State University have taken one step closer to guarding America's infrastructure from Cylon attack </description><link>http://www.secuobs.com/revue/news/445437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445437.shtml</guid></item>
<item><title>New Algorithm Lets SCADA Devices Detect, Deflect Attacks</title><description>2013-05-14 21:39:22 - Dark Reading   All Stories : Embedded software prototype operates under the 'new normal' that many SCADA environments have already been breached </description><link>http://www.secuobs.com/revue/news/445397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445397.shtml</guid></item>
<item><title>How Much Can a DDoS Attack Cost Your Business?</title><description>2013-05-14 20:15:00 - Security Bloggers Network : Quite a lot, it seems. The Ponemon Institute study estimates that the average cost of one minute of downtime due to a DDoS attack is $22,000. With an average downtime of 54 minutes per DDoS attack, this amounts to a heavy toll. Obviously, the costs depend on several variables, such as your business segment, the    </description><link>http://www.secuobs.com/revue/news/445370.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445370.shtml</guid></item>
<item><title>Online gaming company recounts fighting for survival vs DDoS attacks</title><description>2013-05-14 19:54:10 - Network World on Security : Fighting denial-of-service attacks has become a matter of survival for some businesses that find their websites getting smashed and networks flooded by attackers. Online gaming company SG Interactive says it's under constant attack and the only way to keep going is to set up an anti-DDoS defense </description><link>http://www.secuobs.com/revue/news/445362.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445362.shtml</guid></item>
<item><title>FBI trains bank executives on cyberattack threats</title><description>2013-05-14 13:17:11 - ZDNet  Zero Day Blog RSS : US bankers have been given temporary security clearance to share data on cyberattack investigations </description><link>http://www.secuobs.com/revue/news/445256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445256.shtml</guid></item>
<item><title>Crypto 2012 - Cryptanalyses on a Merkle-Damgård Based MAC: Almost Universal Forgery and Distinguishing-H Attacks</title><description>2013-05-14 10:48:09 - SecurityTube.Net : This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K‖ℓ‖M) with a shared key K and the message length ℓ. This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2^{n/2}) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2^n queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and in most of the cases, reduced rounds were attacked with a complexity between 2^{n/2} and 2^n. Because it is generic, our attack updates these results, namely full rounds are attacked with O(2^{n/2}) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrow-pipe Merkle-Damgård hash function, our attack can be performed with O(2^{n/2}) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC </description><link>http://www.secuobs.com/revue/news/445230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445230.shtml</guid></item>
<item><title>Crypto 2012 - Statistical Tools Flavor Side-Channel Collision Attacks</title><description>2013-05-14 10:48:09 - SecurityTube.Net : By examining the similarity of side-channel leakages, collision attacks evade the indispensable hypothetical leakage models of multi-query based side-channel distinguishers like correlation power analysis and mutual information analysis attacks. Most of the side-channel collision attacks compare two selective observations, which makes them similar to simple power analysis attacks. A multi-query collision attack detecting several collisions at the same time by means of comparing the leakage averages was presented at CHES 2010. To be successful this attack requires the means of the side-channel leakages to be related to the processed intermediate values. It therefore fails in case the mean values and processed data are independent, even though the leakages and the processed values follow a clear relationship. The contribution of this article is to extend the scope of this attack by employing additional statistics to detect the colliding situations. Instead of restricting the analyses to evaluation of means, we propose to employ higher-order statistical moments and probability density functions as the figure of merit to detect collisions. Thus, our new techniques remove the shortcomings of the existing correlation collision attacks using first-order moments. In addition to the theoretical discussion of our approach, practical evidence of its suitability for side-channel evaluation is provided. We provide four case studies, including three FPGA-based masked hardware implementations and a software implementation using boolean masking on a microcontroller, to support our theoretical groundwork </description><link>http://www.secuobs.com/revue/news/445229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445229.shtml</guid></item>
<item><title>Companies unprepared for cyber attacks</title><description>2013-05-13 20:39:55 - Computer Security News : As a UK government commissioned survey reveals that the number of cyber attacks hitting businesses has soared in the past year, and it is discovered that international cyber terrorists are specifically targeting Jersey, Rossborough is warning companies that they are potentially underinsured to deal with the aftermath of an attack.</description><link>http://www.secuobs.com/revue/news/445133.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445133.shtml</guid></item>
<item><title>Cyberattacks on Rise Against US Corporations</title><description>2013-05-13 17:01:09 - MSI State of Security : See on Scoop.it - Chinese Cyber Code Conflict. Officials said the aim in a new wave of attacks was not espionage but sabotage, and that the source seemed to be in the Middle East. Red-DragonRising's insight: ICS-CERT issued this alert. The post Cyberattacks on Rise Against US Corporations appeared first on MSI State of Security.</description><link>http://www.secuobs.com/revue/news/445084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445084.shtml</guid></item>
<item><title>WTOP Website Back After Cyber Attack</title><description>2013-05-13 16:01:27 - Computer Security News : The news websites WTOP.com and FederalNewsRadio.com are accessible to all Internet users following resolution of a cyber attack against the websites.</description><link>http://www.secuobs.com/revue/news/445065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445065.shtml</guid></item>
<item><title>Chinese hackers caught trying to steal secrets of our new stealth fighter as tens of thousands of cyber attacks are launched on jet manufacturer every week</title><description>2013-05-13 02:22:03 - MSI State of Security : See on Scoop.it - Chinese Cyber Code Conflict. A covert unit within the Chinese Army has been using highly sophisticated cyber weapons in a desperate attempt to acquire classified information about the stealthy Joint Strike Fighter (JSF). See on www.dailymail.co.uk. The post Chinese hackers caught trying to steal secrets of our new stealth fighter as tens of thousands of cyber attacks are launched on jet manufacturer every week appeared first on MSI State of Security.</description><link>http://www.secuobs.com/revue/news/444931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444931.shtml</guid></item>
<item><title>War of words intensifies as Beijing rejects Washington claims of 'cyber attacks' - Business - chinadaily.com.cn</title><description>2013-05-13 02:22:03 - MSI State of Security : See on Scoop.it - Chinese Cyber Code Conflict. The war of words over cyber attacks escalated this week with an official Chinese newspaper branding the US the "real hacking empire", two days after the Pentagon explicitly accused China of spying. The post War of words intensifies as Beijing rejects Washington claims of 'cyber attacks' - Business - chinadaily.com.cn appeared first on MSI State of Security.</description><link>http://www.secuobs.com/revue/news/444930.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444930.shtml</guid></item>
<item><title>Cyber attack identity theft hackers</title><description>2013-05-12 17:15:21 - Computer Security News :    A News Limited investigation has discovered that the AFP has been monitoring hacking forums for tech-savvy teenagers in the hope of guiding them away from a path of crime </description><link>http://www.secuobs.com/revue/news/444898.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444898.shtml</guid></item>
<item><title>Protecting Your Bank Accounts From Cyber-Attacks</title><description>2013-05-11 07:26:43 - Computer Security News :    This picture is taken from the cell phone of a man accused of being part of a massive bank robbery </description><link>http://www.secuobs.com/revue/news/444781.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444781.shtml</guid></item>
<item><title>Academic institutions urged to take steps to prevent DNS amplification attacks</title><description>2013-05-10 20:07:34 - Network World on Security : Colleges and universities are being encouraged to scrutinize their systems to keep them from being hijacked in DDoS (distributed denial-of-service) attacks.</description><link>http://www.secuobs.com/revue/news/444705.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444705.shtml</guid></item>
<item><title>People's Republic of China's Huawei CEO Denies Involvement In Cyber Attacks On US</title><description>2013-05-10 15:31:24 - MSI State of Security : See on Scoop.it - Chinese Cyber Code Conflict. Huawei CEO Ren Zhengfei points out that the company hasn't actually sold any big network gear in the US yet. See on www.techweekeurope.co.uk. The post People's Republic of China's Huawei CEO Denies Involvement In Cyber Attacks On US appeared first on MSI State of Security.</description><link>http://www.secuobs.com/revue/news/444630.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444630.shtml</guid></item>
<item><title>Backdoor Built With "Aheadlib" Used In Targeted Attacks</title><description>2013-05-09 20:37:09 - Security Intelligence (TrendLabs) - Trend Micro : While looking into recent reports about the Winnti malware family, we discovered another backdoor which was built using similar techniques and has other similarities as well. It is also possible that it is being used in similar targeted attacks. We found this particular threat via feedback provided by the Smart Protection Network; we detect it   Post from Trendlabs Security Intelligence Blog - by Trend Micro: Backdoor Built With Aheadlib Used In Targeted Attacks.</description><link>http://www.secuobs.com/revue/news/444483.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444483.shtml</guid></item>
<item><title>DNS Application Attacks, The Mitigation of</title><description>2013-05-09 19:40:49 - Security Bloggers Network : Well-crafted and wrought How-To on DNS Application Attack mitigation, via CloudShield's Alexandre Cezar, CISSP Today's MustRead   </description><link>http://www.secuobs.com/revue/news/444462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444462.shtml</guid></item>
<item><title>Unpatched Remote Access Tools: Your Gift To Attackers</title><description>2013-05-09 17:48:03 - Security Bloggers Network : A posting from Information Week in their Security section. Help desk teams love remote-control software. When employees call with computer problems, the IT department can remotely take control of the user's machine, copy over files and set all application and operating system wrongs to right. Unfortunately, they're not the only group interested in putting TeamViewer, Symantec PCAnywhere,</description><link>http://www.secuobs.com/revue/news/444434.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444434.shtml</guid></item>
<item><title>Senators want sanctions against countries supporting cyberattacks</title><description>2013-05-09 13:50:24 - Network World on Security : Two US senators will push Congress or President Barack Obama's administration to pursue trade and immigration sanctions against China and other countries that allegedly support cyberattacks on US government agencies and businesses, the lawmakers said Wednesday </description><link>http://www.secuobs.com/revue/news/444392.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444392.shtml</guid></item>
<item><title>Department Of Labor Attack Points To Industry Weaknesses</title><description>2013-05-09 07:02:14 - Dark Reading - All Stories : Security pros say latest watering hole attack patterns expose the "ecosystem of mediocrity" set out by today's baseline of protection.</description><link>http://www.secuobs.com/revue/news/444344.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444344.shtml</guid></item>
<item><title>Dutchman appears for 'biggest ever' cyber attack</title><description>2013-05-09 05:14:52 - Computer Security News :    A Dutchman arrested in Spain in connection with an unprecedented cyber attack has been extradited to the Netherlands where he appeared before a judge, Dutch prosecutors say </description><link>http://www.secuobs.com/revue/news/444337.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444337.shtml</guid></item>
<item><title>Nearly 70% of Canadian businesses hit by cyber attacks, says year-long survey</title><description>2013-05-08 21:05:29 - Computer Security News : Over a one-year period, 69 per cent of Canadian businesses said they experienced some type of cyber attack, ranging from malware and computer viruses to phishing and "social engineering" attacks, a new survey has found.</description><link>http://www.secuobs.com/revue/news/444276.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444276.shtml</guid></item>
<item><title>Cyber attack knocks Dutch government websites out for hours</title><description>2013-05-08 15:52:55 - Computer Security News :    Dutch government websites were paralysed for several hours overnight after a mass cyber attack which targeted several ministerial sites, a spokesman said on Wednesday </description><link>http://www.secuobs.com/revue/news/444204.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444204.shtml</guid></item>
<item><title>Organizations failing to secure primary attack target</title><description>2013-05-08 15:15:57 - Help Net Security - News : Despite repeated warnings, a majority of organizations are failing to enact recommended best practice security policies around one of the primary targets of advanced attacks: privileged accounts.</description><link>http://www.secuobs.com/revue/news/444197.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444197.shtml</guid></item>
<item><title>Phishing Attacks On Telecommunication Customers</title><description>2013-05-08 14:55:02 - IC3.gov News : </description><link>http://www.secuobs.com/revue/news/444187.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444187.shtml</guid></item>
<item><title>Washington media websites hit by cyber attacks</title><description>2013-05-08 14:08:51 - Computer Security News :    WTOP, the largest radio station in the region, and Federal News Radio, along with the website of technology blogger John Dvorak were all infected by a waterhole attack </description><link>http://www.secuobs.com/revue/news/444178.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444178.shtml</guid></item>
<item><title>Government Takes Precautions Over Expected 'OpUSA' Cyber Attack</title><description>2013-05-08 04:20:53 - Computer Security News : The Department of Homeland Security and the FBI are cautioning American government and financial institutions that they could be targets of a wave of cyber attacks Tuesday from Anonymous-linked hacktivists in the Middle East and North Africa.</description><link>http://www.secuobs.com/revue/news/444100.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444100.shtml</guid></item>
<item><title>Watering hole attack on Dept of Labor site "exploited new IE8 vulnerability"</title><description>2013-05-08 01:12:01 - Security Bloggers Network : A "watering hole" attack on pages within the US Department of Labor site exploited a "zero-day" vulnerability in Internet Explorer 8 to deliver malware to visitors, according to reports. The post Watering hole attack on Dept of Labor site "exploited new IE8 vulnerability" appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/444081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444081.shtml</guid></item>
<item><title>Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too</title><description>2013-05-08 01:10:35 - Ars Technica   Risk Assessment : Linux Cdorked backdoor exposes 100,000 Web visitors to potent Blackhole exploits </description><link>http://www.secuobs.com/revue/news/444079.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444079.shtml</guid></item>
<item><title>'OpUSA' Hacktivist Attacks Fall Short</title><description>2013-05-08 00:48:33 - Dark Reading - All Stories : Anonymous groups wage ad-hoc defacements, data dumps from a few lesser-known sites, not the planned attacks on major US government agencies, banks.</description><link>http://www.secuobs.com/revue/news/444072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444072.shtml</guid></item>
<item><title>US Govt Attack on Megaupload Bears Hallmarks of "Digital Gitmo"</title><description>2013-05-07 19:46:06 - TorrentFreak : Following the release of their white paper earlier today, Megaupload lawyer Robert Amsterdam considers the current political situation in the United States, one in which the interests of powerful corporations are deemed to be of greater importance than the rights of individuals. The US government's attack on Megaupload bears all the hallmarks of a "Digital Gitmo", Amsterdam argues, one which shares an absence of rule of law with its physical, Cuba-based namesake. Source: US Govt Attack on Megaupload Bears Hallmarks of "Digital Gitmo".</description><link>http://www.secuobs.com/revue/news/444021.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444021.shtml</guid></item>
<item><title>Cyberattack highlights software update problem in large organizations</title><description>2013-05-07 19:28:57 - Network World on Security : A recent cyberattack targeting US government employees working with nuclear weapons illustrates the vulnerability of large organizations that struggle with deploying protective software upgrades </description><link>http://www.secuobs.com/revue/news/444016.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444016.shtml</guid></item>
<item><title>China is behind "numerous" attacks on US computer systems, says Pentagon</title><description>2013-05-07 18:01:01 - Security Bloggers Network : The Chinese government and military are behind large numbers of cyberespionage attacks directed at US government computer systems, according to a Pentagon report released this week. The post China is behind "numerous" attacks on US computer systems, says Pentagon appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/443994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443994.shtml</guid></item>
<item><title>Prolexic Tracks More Than 47 Million DDoS Attack Bots Worldwide; Public Portal Now Available</title><description>2013-05-07 16:48:12 - Dark Reading - All Stories : Information on the number of bots, along with trend details on attack types and attack locations, is available in PLXpatrol.</description><link>http://www.secuobs.com/revue/news/443980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443980.shtml</guid></item>
<item><title>Attackers breach and encrypt TV station's email server</title><description>2013-05-07 15:33:01 - Help Net Security - News : The email server of FOX21 News has been hacked over the weekend and the information it contained held ransom. The attackers were asking for $5,000 to decrypt the information they encrypted, but</description><link>http://www.secuobs.com/revue/news/443958.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443958.shtml</guid></item>
<item><title>Megaupload Launches Frontal Attack on White House Corruption</title><description>2013-05-07 14:43:47 - TorrentFreak : Megaupload's legal team are not restricting their fight with the US Government only to the courts. Today they published a detailed white paper accusing the White House of selling out to corporate interests, particularly Hollywood. "The message is clear. The White House is for sale. More and more of our rights are eroding away to protect the interests of large corporations and their billionaire shareholders," Dotcom summarizes. Source: Megaupload Launches Frontal Attack on White House Corruption.</description><link>http://www.secuobs.com/revue/news/443946.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443946.shtml</guid></item>
<item><title>Pentagon accuses China government, military of cyberattacks</title><description>2013-05-07 14:29:26 - Network World on Security : China's government and military appear to be directly involved in cyberattacks against the US, according to a report released Monday by the US Department of Defense </description><link>http://www.secuobs.com/revue/news/443943.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443943.shtml</guid></item>
<item><title>Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday</title><description>2013-05-07 13:36:06 - Dark Reading   All Stories : Hacktivist groups plan denial of service attacks on banks, government sites </description><link>http://www.secuobs.com/revue/news/443936.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443936.shtml</guid></item>
<item><title>Israel Swears Its Missile Defense Can Block Syrian Attacks</title><description>2013-05-07 13:11:19 - Wired Danger Room : Israel may have attacked targets in Syria -- and risked a wider war -- to stop ballistic missiles from falling into the wrong hands. But the Israelis insist they can shoot the Fateh-110 missiles out of the sky.</description><link>http://www.secuobs.com/revue/news/443931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443931.shtml</guid></item>
<item><title>China denies renewed US cyber-attack claims</title><description>2013-05-07 09:37:48 - Computer Security News :    China's military is denying renewed US accusations of carrying out cyber-attacks and says the sides should cooperate against the global threat of computer crime </description><link>http://www.secuobs.com/revue/news/443897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443897.shtml</guid></item>
<item><title>Cyber-attack could target Ohio banks, credit unions</title><description>2013-05-07 07:14:16 - Computer Security News : US financial institutions, including some in Ohio, have been threatened by a potential cyber-attack that could render online banking services unavailable on Tuesday, May 7. The Ohio Bankers League and Ohio Credit Union League are warning customers/members of all financial institutions that an interruption of service due to an attack does not</description><link>http://www.secuobs.com/revue/news/443885.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443885.shtml</guid></item>
<item><title>Ethical hacker says computer attacks are here to stay</title><description>2013-05-07 03:24:47 - Computer Security News : "Not 100 percent. That's where paranoia really comes in. I wipe my machine, reformat my machine every other week," Chronister said, pointing at his laptop computer.</description><link>http://www.secuobs.com/revue/news/443861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443861.shtml</guid></item>
<item><title>The CISO's Guide to Advanced Attackers: Evolving the Security Program</title><description>2013-05-07 00:27:09 - Security Bloggers Network : The tactics we've described thus far can be very useful to detecting and disrupting advanced attackers, even if only used in one-off situations. But you can (and should) shoot for a more structured and repeatable process, especially if you expect to be an ongoing target of the advanced attackers. Thus you'll need to evolve your existing security program, including your incident response capabilities. So what exactly does that mean? It means you need to factor in the tactics you'll see from an advanced attacker and increase the sophistication of your intelligence gathering, active controls, and incident response.

Change is hard, we get that. Unless you've had a recent breach, then change is easy. At that point, you don't face budget pressures since the mandate is to fix it no matter the cost, and you'll face little resistance to changing process to ensure the success of the next response. Even without a breach-driven catalyst you can still make these kinds of changes, but you'll need to use some budgetary kung fu and strategic use of the recent, highly publicized attacks to make your point. But even leveraging a breach doesn't necessarily result in sustainable change, regardless of how much money you throw at the problem. Evolving these processes involves not just figuring out what to do now or even in the future. Those are short term band-aids. Success involves empowering your folks to rise to the challenge of the advanced attackers. By piling more work on their respective plates, you'll need to make sure they accept the added responsibilities and are recognized for stepping up. This provides an opportunity for some of your managers to take on more important responsibilities, and also ensures someone is on the hook to get something done. Just updating the processes and printing out new workflows won't change much, unless there are adequate resources and clear accountability in place to ensure the change happens.

Identify Gaps
-------------

You start your program evolution by identifying the gaps in the status quo. That's easiest if you are cleaning up a breach, since it's usually pretty obvious to identify what worked, what didn't, and what needs to change. Without a breach, you can use a periodic risk assessment or penetration test to pinpoint the issues. Regardless of the gaps, it's key that you (as senior security professional) drive the process changes to address the gaps. Accountability starts and ends with the CISO (or senior security professional). Be candid about what went wrong (and what went right) with senior management and your team, and couch the discussion from the perspective of improving the overall capability to defend against the advanced attackers.

Intelligence Gathering
----------------------

The next aspect of detecting advanced attackers is to build an intelligence gathering program to provide some perspective on what's happening out there. Benefiting from the misfortune of others, remember? Larger organizations tend to formalize an intelligence group, while smaller entities need to add intel gathering and analysis to the existing task list of their staffers. Of all the things that could end up in the lap of a security professional, having to do intelligence research isn't a bad extra responsibility. They'll get exposed to cutting edge attacks and make a difference in your defenses. And that's how you should sell it to them. Once you determine organization structure and accountability for intel, then you'll need to focus on the integration points with the rest of your active (defensive) and passive (monitoring) controls. Is the intelligence in a format to be directly integrated into your FW, IPS and WAF? What about integration with the SIEM or forensics tools? Don't forget about analyzing malware, since a key aspect of detecting an advanced attacker is to isolate the indicators and search for them. Also understand that more sophisticated and mature environments should push beyond just searching for technical indicators of compromise. Mature intelligence processes involve doing proactive intel gathering about potential and active adversaries, as we described earlier. If you don't have those capabilities internally, which of your service providers can offer that intelligence and how would you use it? Finally you'll need to determine your stance on information sharing. We're big fans of sharing what you see with folks that are like you (industry, company size, geography, etc.) to learn from each other. The real issue with these information sharing networks is to reduce the signal to noise ratio, as some can be pretty active with lots of stuff that isn't relevant to your situation. As with figuring out the integration points described above, you need to have a structure (and accountability) for taking and using information gleaned from the various sharing networks.

Tracking Innovation
-------------------

Another aspect of dealing with an advanced attacker is to keep track of innovation coming from the industry to deal with the advanced attackers. We've done a lot of research into evolving endpoint controls, network-based advanced malware detection, and the application of intelligence (Early Warning, Network-based Threat Intelligence, Email-based Threat Intelligence) to get a feel for how the technologies can help. But that's a point in time, and will not provide the sustainable change that you need. So who in your organization is going to be responsible for evaluating new technologies? How often will this happen? To be clear, you may not have budget to buy the latest and greatest shiny object that hits the market. But you need to know what's out there, and if necessary find the money if it solves a significant enough problem. We've seen organizations put together a new technology task force, comprised of promising individual contributors within each of the key security disciplines. These folks monitor their areas of expertise, meet with innovative start-ups and other companies, go to security conferences, and leverage research services to evaluate new technologies. At periodic task force meetings they present what they've found. Not just in terms of what the shiny object does, but also assessing how any new technology would change what you're doing today and why it would be better. This isolates not just whether they can parrot back what a vendor is telling them, but how they'd apply that within the context of your existing control sets.

Evolving DFIR
-------------

As we've discussed throughout this series, a key aspect of detecting advanced attackers is digital forensics and incident response (DFIR). First things first, you need to ensure your responders have an adequate tool set to determine what happened and analyze the attack. That means you'll need to revisit your data collection infrastructure and most likely look at capturing more detailed information at both the network and device levels. That means looking at network full packet capture technologies and possibly endpoint forensic solutions. Since we're evolving the security program here, it's not just about selecting and deploying the tools; rather it's how the tools will be used in your program and who will be responsible for deploying and managing the DFIR tools. The DFIR tools are just technical controls. More importantly, how is your incident response process changing to factor in these kinds of capabilities? Do you need to procure a sandboxing capability and build a malware analysis testbed? What kind of changes to your organization are required? Do you need to have more than one set of play books depending on the adversary? For example, if it's a financial fraud issue you'd deal with a predominantly finance-driven oversight team. Whereas if it's intellectual property at risk, that would be a situation warranting CEO involvement. That's just an example, as your CEO may want to be hands-on with any incident. There are no right or wrong answers, but you need to make sure you're asking the right questions, which goes to every aspect of evolving your security program to deal with advanced attackers.

With that we wrap up the CISO's Guide to Advanced Attackers. As with all of our blog series, we'll assemble the posts into a white paper over the next couple of weeks. Stay tuned for that. In the meantime you can check out the other posts in this series:

1. Sizing Up the Adversary
2. Intelligence, The Crystal Ball of Security
3. Mining for Indicators
4. Verify the Alert
5. Breaking the Kill Chain

- Mike Rothman</description><link>http://www.secuobs.com/revue/news/443841.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443841.shtml</guid></item>
<item><title>Islamist Hackers to Launch 'Operation USA' Cyber Attack on</title><description>2013-05-06 22:33:42 - Computer Security News : Islamist hackers in the Middle East and Maghreb are planning to launch cyberattacks against US government agencies, banks and companies this week, according to the Department of Homeland Security.</description><link>http://www.secuobs.com/revue/news/443825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443825.shtml</guid></item>
<item><title>Metasploit Module Released For IE Zero-Day Flaw Used In Labor Attack</title><description>2013-05-06 20:40:29 - Dark Reading   All Stories : Other US energy agencies, organizations targeted in apparent nuclear technology cyberspying campaign that employed a zero-day bug in Internet Explorer 8 </description><link>http://www.secuobs.com/revue/news/443815.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443815.shtml</guid></item>
<item><title>Trusted Computing Group  TCG  and NIST to Talk Automating Security to Prevent Attacks   TCG</title><description>2013-05-06 20:13:08 - Security Bloggers Network : TCG has been working for several years to enable the automation of routine security tasks What does this mean  Essentially, security automation enables network and security systems to provide dynamic, responsive protection with automated handlin </description><link>http://www.secuobs.com/revue/news/443811.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443811.shtml</guid></item>
<item><title>Internet Explorer 0-day attacks on US nuke workers hit 9 other sites</title><description>2013-05-06 18:27:18 - Ars Technica   Risk Assessment : Months-old attacks apparently targeted workers in Aerospace, defense, labor </description><link>http://www.secuobs.com/revue/news/443787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443787.shtml</guid></item>
<item><title>Fake Justin Bieber "I'm gay" Tweet marks latest attack on media Twitter accounts</title><description>2013-05-06 16:48:24 - Security Bloggers Network : Celebrity news service E! Online became the latest high-profile media Twitter account to fall victim to hackers, with a series of false Tweets that began with a claim that Justin Bieber was gay. The post Fake Justin Bieber "I'm gay" Tweet marks latest attack on media Twitter accounts appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/443770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443770.shtml</guid></item>
<item><title>IE8 0-day used in watering hole attacks</title><description>2013-05-06 14:27:35 - Help Net Security - News : Last week a US Department of Labor website was discovered to be redirecting users to sites serving a hard-to-detect variant of the Poison Ivy backdoor Trojan. Researchers are now saying that the exploit us</description><link>http://www.secuobs.com/revue/news/443744.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443744.shtml</guid></item>
<item><title>Experts hope for another failure in next Anonymous attack</title><description>2013-05-06 14:11:10 - LinuxSecurity.com - Latest News : LinuxSecurity.com: Anonymous' failed attack against Israeli websites last month has left security experts cautiously optimistic that the hacktivist group will be unsuccessful in its plans to disrupt US government and banking sites.</description><link>http://www.secuobs.com/revue/news/443736.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443736.shtml</guid></item>
<item><title>iFrame drive-by attack demo: Anatomy of Attack online</title><description>2013-05-05 23:11:53 - Security Bloggers Network: Great educational video, by Sophos, on how iFrames are being used for attack. These types of attacks have exploded in popularity over the past couple of months. In Microsoft's Security Intelligence Report, released a few weeks ago, they mention...</description><link>http://www.secuobs.com/revue/news/443645.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443645.shtml</guid></item>
<item><title>New Internet Explorer 8 Zero-Day Used in Watering Hole Attack</title><description>2013-05-05 04:24:58 - Symantec Connect - Security Response - Billets: Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected. Initial reports indicate that a website associated with a department of the US government was compromised to host the exploit in what's known as a watering hole attack. Upon visiting the site, a vulnerable victim would have been redirected to download a back door as the payload. Symantec products detect the exploit code on the vulnerable site as Trojan.Malscript and the back door as Backdoor.Darkmoon. In the Microsoft advisory this vulnerability has been assigned CVE-2013-1347. From analysis, it appears to be nearly identical to a previously discovered vulnerability, CVE-2012-4792, which was patched by Microsoft in MS13-008 in January 2013. Further details and analysis will be provided as they become available. Symantec customers are protected from the payload with updates from May 1, 2013. We are also investigating the possibility of further protections for these vulnerabilities and will provide updates when available. We advise users to apply any patches as soon as Microsoft makes them available. Microsoft has also provided workarounds to mitigate risk associated with the vulnerability. We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named The Elderwood Project, which we published in September 2012.</description><link>http://www.secuobs.com/revue/news/443586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443586.shtml</guid></item>
<item><title>Zero-Day Exploit Enabled Cyber-Attack on US Labor Department</title><description>2013-05-04 21:46:23 - Computer Security News: In the latest incident of nation-state cyber-attacks, attackers slipped malware onto the agency's site, apparently aiming to compromise nuclear-energy officials from the Department of Energy.</description><link>http://www.secuobs.com/revue/news/443575.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443575.shtml</guid></item>
<item><title>Top Ten in STL: Mom Chokes Daughter Over Texts, Schnucks Cyber Attack and Hazelwood's Tornado</title><description>2013-05-04 13:48:17 - Computer Security News: Hedija Jahic, 33, became angry with her daughter after reviewing text messages from the girl's boyfriend.</description><link>http://www.secuobs.com/revue/news/443555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443555.shtml</guid></item>
<item><title>In battle against cyberattacks, these hackers wear the 'white hats'</title><description>2013-05-04 01:14:01 - Computer Security News: Mikhail Davidov, a 'white hat' hacker in Seattle, is recognized for both his distinctive mohawk and his skills fighting 'black hat' hackers.</description><link>http://www.secuobs.com/revue/news/443504.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443504.shtml</guid></item>
<item><title>The CISO's Guide to Advanced Attackers: Breaking the Kill Chain</title><description>2013-05-03 23:03:15 - Security Bloggers Network: In the last post in the CISO's Guide to Advanced Attackers series, you had verified the alert and now it's time to spring into action. This is what you get paid for and, to be candid, your longevity in the CISO role directly correlates to your ability to contain the damage and recover from the attack as quickly and efficiently as possible. But no pressure, right? So let's systematically go through the steps involved in breaking the kill chain, disrupting the attackers, taking counter measures, and/or getting law enforcement involved. To be clear, incident response needs to be a structured and conditioned response. You want to avoid setting policies during a firefight, although realistically you can't model every potential threat and gain consensus on every possible counter measure. But that doesn't mean you shouldn't try to define the most likely scenarios and get everyone on board about the appropriate tactics for containment and remediation. Those scenarios will provide a basis to make decisions on the scenarios that don't fit exactly into those you've already modeled. Then at least you can spin why you made certain decisions in the heat of battle.

Contain the Damage: As we described in our Incident Response Fundamentals series, containment can be challenging because you don't exactly know what's going on, but you need to intervene as quickly as practical. The goal here is very clear - do not make things worse. Make sure you provide the best opportunity for your investigators (both internal and external) to isolate and study the incident. So be careful not to destroy data by turning off and/or unplugging machines without first taking appropriate forensic images. Keeping this discussion at a high level, containment typically involves: 1. Quarantine the device: You want to isolate the device quickly, so it doesn't continue to do reconnaissance and move laterally within your network, infecting other devices and moving closer to completing the mission and stealing your data. You may monitor the device as you figure out exactly what you are doing, but you want to make sure that specific device isn't going to cause any more damage. 2. Protect critical data: A benefit of quarantining the device is to ensure the device can't continue to mine your network and possibly exfiltrate data. But you also can't assume the compromised device you've identified is the only compromised device. So go back to the potential targets you outlined when you sized up the adversary and take extra care to protect the critical data most interesting to your adversary. The one thing you can say about an advanced attacker is they usually have multiple paths to achieve their mission. You may have discovered one (in the form of the compromised device), but there are very likely more. So being a little extra diligent in terms of monitoring data access and egress points will help disrupt the kill chain in the event you have multiple compromises.

Investigate and Mitigate: Your next step is to identify the attack vectors and determine appropriate remediation paths. As mentioned above, you want to make sure to gather just as much information as you need to mitigate the problem (stop the bad guys) and to collect it in a way that doesn't preclude subsequent legal (or other) action at some point. For more details on malware investigation techniques, we'll again point you to the Malware Analysis Quant research that details a very granular process to investigate the attack. When it comes to mitigation, you'll set a series of discrete, achievable goals, and assign resources to handle them. Just like any other project, right? Although when dealing with advanced attackers, you have a couple of remediation paths to consider: 1. Clean: You can also call this the Big Bang approach (which we'll describe later), since you'll need to do it quickly and completely. Because if you leave the attacker with any remaining foothold in your environment, then you'll be starting all over again sooner rather than later. Most organizations opt for this approach, since the sooner you clean your environment, the better. 2. Observe: In certain instances, such as when you're dealing with an inside job or law enforcement is involved, you may be asked not to clean all of the machines. But as described above, you need to take extra care to ensure you don't suffer any subsequent losses when observing the attackers. That involves deep monitoring (likely network full packet capture and memory forensics) on traffic in/out of your critical data stores, and tightening the controls on your egress filters and/or DLP gateways. 3. Disinformation: Another alternative, though uncommon, involves actively providing disinformation to your adversaries. That could involve dummy bids, incorrect schematics, or files with tracking data to try to identify the attacker. This represents very advanced tactics and will likely be done under the guidance of law enforcement or a very select few third-party incident response firms.

Executing the Big Bang: If you want to get rid of an advanced attacker, you need to find all potentially compromised devices. We've been talking about how to do that via searching for indicators of compromise, but you can't assume you've seen and profiled all the malware in use. Those pesky advanced attackers may be throwing 0-day attacks at you. This again is where threat intelligence comes in, to look for patterns that others have seen (though not likely the specific files). Once you've identified all of the affected devices (and we mean ALL), they need to go dark at the same time. You can't give the adversary an opportunity to compromise other devices or execute a plan to remain persistent while you incrementally clean up. This most likely involves wiping the machines to bare metal, even if it means losing data. Given the capabilities of the attacker, you can't assume you'll be able to totally eliminate the malware from the device. At the point the affected devices are wiped and rebuilt, you need to monitor the devices and capture egress traffic for a burn-in period to make sure you didn't miss anything. That involves both scrutinizing all config changes on devices that could indicate the attacker finding new victims, as well as looking for command and control indicators that other compromised devices remain. At the moment the adversary is blown out, they'll start working double time to get back in. You're never done. That means you need to ensure your defenses have evolved to deal with these kinds of attacks. And no, you won't be perfect. At some point an advanced adversary will get back in; your job is to make sure they have to work for it.

Advanced Attacker Complications: Incident response is hard enough. But when you factor in the reality of a well-funded, capable, advanced attacker, things get a bit more complicated. The first realization is that many decisions relating to mitigation, remediation, and potential prosecution of perpetrators are not security's decision. These are executive decisions, since the impact could ripple throughout the organization and may also involve disclosure activities. This is why having a team approach, involving all of the important stakeholders, is so important. But that doesn't mean you shouldn't have recommendations and build a case to support your line of thinking. When deciding between cleaning the affected devices or observing the attackers, you need to factor in the cost and likelihood of total clean-up. Many organizations (and senior executives) prefer to clean it up, but keep in mind it's very difficult to keep an advanced attacker out forever, so you'll likely have to do the same dance again sooner rather than later. Though if you do push for a clean-up, then make sure you have details about what is involved, what business operations will potentially be disrupted and a realistic timeline for eradication. Another area that is complicated by advanced attackers is disclosure. If sensitive data was lost, you're likely required to make a best effort attempt to undertake a full clean up. It would be hard to spin a stance of letting the attackers remain in your environment after they've stolen sensitive data. As with most security situations, the involvement of PII (private information) changes everything. So the key issues in Breaking the Kill Chain involve figuring out how to most effectively disrupt the attackers, and then to get everyone on board with your plan. We'll wrap up the series in the next post by talking about how to take all of these distinct functions and build them into a repeatable program to ensure you're ready to deal with an advanced attacker. - Mike Rothman</description><link>http://www.secuobs.com/revue/news/443484.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443484.shtml</guid></item>
<item><title>Small, but Mighty: Three-Quarters of DDoS Attacks Less Than 100 Mbps</title><description>2013-05-03 19:42:44 - Security Bloggers Network: More than a third of companies endured a disruptive attack last year, according to a new survey (pdf). Thirty-five percent of those surveyed across industries dealt with at least one Distributed Denial of Service (DDoS) incident, with attacks on the retail sector seeing the largest year-to-year increase (16 percent to 39 percent), making for a 144 percent bump. Financial services...</description><link>http://www.secuobs.com/revue/news/443434.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443434.shtml</guid></item>
<item><title>Multi-stage exploit attacks for more effective malware delivery</title><description>2013-05-03 17:08:18 - Help Net Security - News: Most drive-by exploit kits use a minimal exploit shellcode that downloads and runs the final payload. This is akin to a two-stage ICBM (InterContinental Ballistic Missile) where the first stage, the e...</description><link>http://www.secuobs.com/revue/news/443391.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443391.shtml</guid></item>
<item><title>Security service invites government departments to cyber attack course</title><description>2013-05-03 05:09:32 - Computer Security News: The National Cyber Security Centre, with the CERT Program of Carnegie Mellon University's Software Engineering Institute, is offering spaces on a one-day course for Government departments and critical infrastructure operators on how to respond to cyber attacks.</description><link>http://www.secuobs.com/revue/news/443304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443304.shtml</guid></item>
<item><title>Syria fights back with hack attacks</title><description>2013-05-03 01:13:41 - Computer Security News: In recent weeks, the self-styled Syrian Electronic Army has launched hacking attacks on the BBC, the Associated Press and, most recently, the Guardian.</description><link>http://www.secuobs.com/revue/news/443289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443289.shtml</guid></item>
<item><title>Massive US cyberattack planned by Anonymous</title><description>2013-05-03 00:38:22 - Security Bloggers Network: In the cross hairs of Anonymous: The hacktivist group Anonymous announced phase one of a massive cyberattack, called Op USA, on US government and banking websites scheduled for next Tuesday, May 7. The White House, the NSA, and the FBI are included on a list of high profile government targets, and 133 financial institutions including the...</description><link>http://www.secuobs.com/revue/news/443283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443283.shtml</guid></item>
<item><title>Solutionary: North Korea Cyberattack Activity Boomed in February</title><description>2013-05-03 00:38:22 - Security Bloggers Network: February saw a significant jump in cyber attack activity emanating from North Korea, according to recent analysis. IT security vendor Solutionary found that 'touches' (a known reconnaissance, an overt external attack or the attempted exfiltration of data) from North Korean IP addresses spiked during the month of February. Historically, North Korea has generated roughly 34-to-200 touches per month against...</description><link>http://www.secuobs.com/revue/news/443280.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443280.shtml</guid></item>
<item><title>FYI: Anonymous Planning 'OpUSA' Attacks on Banks and US Gov't on May 7th. More Info as Relevant to Come, Thu, May 2nd</title><description>2013-05-02 22:02:29 - SANS Internet Storm Center - InfoCON: green</description><link>http://www.secuobs.com/revue/news/443253.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443253.shtml</guid></item>
<item><title>Multi-Stage Exploit Attacks for More Effective Malware Delivery</title><description>2013-05-02 20:10:47 - Security Bloggers Network: Most drive-by exploit kits use a minimal exploit shellcode that downloads and runs the final payload. This is akin to a two-stage ICBM (InterContinental Ballistic Missile) where the first stage, the exploit, puts the rocket in its trajectory and the second stage, the payload, inflicts the damage. In the cybercrime world, the de-coupling of the first stage from the payload is designed to make sure that an exploit kit is as generic as possible and can deliver all possible payloads, provided that the payloads only need native execution (either as a standalone executable - files with an '.exe' file extension - or DLL registration via RegSvr32 - files with a '.dll' extension). We recently found that a Java exploit kit called 'g01pack' has added another 'mid-course' stage, turning the infection process into a multi-stage attack. The first stage of the attack, the exploit shellcode, executes a second stage, in which a Java class runs in a separate Java process. This second Java process then downloads and runs the final payload. We believe this discovery represents the first instance of an exploit kit delivering its payload via a multi-stage attack. Why would an attacker need a multi-staged exploit? To use the ICBM analogy: much like the way an ICBM uses multiple stages to obtain a longer range, the attacker uses multiple stages to distance the attack launch site from its final destination. By utilizing an extra stage, the attack is more likely to bypass some security products: the initially exploited process (Java) launches another Java process (second stage) that appears less suspicious, and only that second stage process runs the final, native payload (the persistent malware dropper). This is supported by the analysis we performed using various security tools and the poor detection rate we observed. Out of 46 tools tested (in file scanning mode) only eight tools identified the first stage JAR as malicious, and only two identified the second stage class (cabOrgies.class) as malicious. We observed this multi-staged exploit approach in one of the vulnerabilities exploited by the 'g01pack' exploit kit - the well-known Java vulnerability CVE-2012-1723 (which dates back to mid-2012). This vulnerability allows the exploit to break out of the Java sandbox. It has long since been patched by Oracle, but apparently there are enough unpatched targets to make this attack worthwhile.

Figure 1: Exploit Kit 'g01pack' - Multi-Stage Attack.

Although the Java exploit we researched is part of the g01pack exploit kit, it is interesting to note that some implementation details are similar to the exploit used by BlackHole for CVE-2012-1723, identified in mid-2012 (described in a Symantec blog). The BlackHole approach, however, was a typical 'exploit-payload' scheme, not the 'exploit-intermediate process-payload' scheme we see here. The final payload is, of course, malware - we noticed many malware families being distributed by this specific exploit kit - Zeus, Torpig, Gozi, Shylock, and there are most likely many others. The exploit kit is used to infect targets globally, with the current infection rate estimated at 1 3,000 machines per month (payload executions from this exploit kit alone). This very high infection rate proves the effectiveness of this multi-stage approach. Therefore, it is highly likely that other exploit kits will incorporate a similar approach.

Stage One: Exploiting CVE-2012-1723. Stage one begins when the browser navigates to a webpage that contains HTML code and an Applet tag. When the browser renders the content of the webpage, the Applet tag instructs the browser to launch a Java class from a URL designated in the Applet tag using arguments given in the Applet tag. These arguments contain the encrypted URL of the final payload (this can be a Windows executable - parameter name is 'date' - or a Windows DLL file - parameter name 'guid'). For example, the Applet tag would be: [...] This instructs the browser to launch Java (the 'javaw.exe' process) with the JAR URL (in our example the 'example.jar' is located in the same host and folder originally accessed by the browser), the class name (package 'critical', class 'securityupdate'), and the parameters (in our case 'date', whose value is a long encrypted string representing the URL of the final payload). Java then retrieves the JAR URL and invokes the Applet class from the package.

The JAR File: The malicious JAR file implements a Java package called 'critical', and contains six Java classes (.class files). Java starts by running the init() method of the applet class 'securityupdate'. This function first ensures that it is running on a Windows platform, and that the JRE version is not '1.7' (i.e. it ensures it does not run on Java 7; in fact the exploit will succeed only for Java versions 6u10-6u32 inclusive). Next, the function uses the Java class 'entry' to exploit CVE-2012-1723 and escape out of the Java sandbox. A patch for this vulnerability is available, but apparently there are still enough unpatched Java 6 installations to make it a valuable target for exploit kit writers. A successful exploitation results in running the method 'JiXU' of class 'keaVestAltho' with high privileges. This method contains a hard-coded encrypted string which represents the 'in memory' class 'remoterEhPoplin'. The method decrypts the string, creates the class from it and invokes the class constructor with 3 arguments: the Applet's 'date' parameter, the Applet's 'guid' parameter, and a byte array representing the second stage class 'cabOrgies' (which the method copied into memory from the corresponding JAR resource). The constructor for class remoterEhPoplin (the 'in memory' class) has the following flow: [...] As you can see, in steps 5 and 6, the Java process launches another new Java process with (a copy of) the second stage class. Note that the 'date' and 'guid' parameters of the Applet tag (which contain the payload URL in an encrypted form) are transferred as-is in the Java invocation command line. The EXE/DLL indicator becomes the third parameter (set to '0' for EXE or '1' for DLL). For the example above, the following command will be executed: [...] This launches Java (javaw.exe) in a new, minimized window with an empty title.

Stage Two: A New Java Process. A new Java process is launched with the working directory set to %TEMP%. This directory includes a package (folder) called 'critical' which includes a class file called 'cabOrgies'. The Java process is launched with four command line arguments: 'critical.cabOrgies', 'main' (ignored), the encrypted URL and an EXE/DLL indicator. This instructs Java to invoke the main() method of the class cabOrgies found in %TEMP%\critical\cabOrgies.class with a string array containing the following three command line arguments: 'main', the encrypted URL, and the EXE/DLL indicator. It follows this workflow: [...] As you can see, step 3g runs the final payload. In our example, the encrypted URL string is decrypted into: [...] But the host name no longer has a DNS resolution (hardly surprising).

Java Obfuscation: The Java code in both stages is heavily obfuscated. Four different obfuscation methods are applied (some of them probably via an obfuscation tool): - Using dummy code: dummy code is inserted, seemingly in a random fashion, between 'real' operations. The dummy code is mostly calling functions (with no argument, with a string argument, or with an integer argument) that immediately return. - Function (method) names are randomized. - Most strings are encrypted in the class file and only get decrypted at runtime (the encryption scheme is a cyclic XOR with a hard-coded key). - Using Java reflection to bind to functions at runtime. The obfuscation instances change rapidly and it's quite common to see two to three different versions in a single day, so we don't expect to see 'cabOrgies' a few days from now. Some names change more slowly. For example, the package name used to be called 'oracle' in early April, and for the last few weeks it's called 'critical'.

Raw Data: [...]

Conclusion: 'g01pack' is among the most successful exploit kits available today. It executes a 'drive-by download' attack that results in the silent installation of malware. Using the multi-staged attack, the 'g01pack' exploit kit can effectively distribute advanced malware, evading detection by existing security controls. Trusteer Apex blocks this attack by stopping the exploit process and preventing the payload from compromising the endpoint. I'd like to thank Assaf Friedman from Trusteer's security group for his help collecting the data for this blog.</description><link>http://www.secuobs.com/revue/news/443203.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443203.shtml</guid></item>
<item><title>What It's Like to Get Hit With a DDoS Attack: An Inside View</title><description>2013-05-02 20:10:47 - Security Bloggers Network: It's not always obvious to a network or system administrator that their company's infrastructure is under attack. In fact, an attack usually starts slowly and it's only as the attack progresses that someone takes notice. But what does a DDoS attack look like from the inside? What are the early warning signs? Who are the...</description><link>http://www.secuobs.com/revue/news/443200.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443200.shtml</guid></item>
<item><title>Crypto 2012 - Resistance Against Iterated Attacks by Decorrelation Revisited</title><description>2013-05-02 18:22:17 - SecurityTube.Net: Slides - http://www.iacr.org/conferences/crypto2012/slides/14-2-Bay.pdf. Iterated attacks are comprised of iterating adversaries who can make d plaintext queries, in each iteration to compute a bit, and are trying to distinguish between a random cipher C and the ideal random cipher C* based on all bits. In EUROCRYPT '99, Vaudenay showed that a 2d-decorrelated cipher resists iterated attacks of order d when iterations make almost no common queries. Then, he first asked what the necessary conditions are for a cipher to resist a non-adaptive iterated attack of order d. Secondly, he speculated that repeating a plaintext query in different iterations does not provide any advantage to a non-adaptive distinguisher. We close here these two long-standing open problems. We show that, in order to resist non-adaptive iterated attacks of order d, decorrelation of order 2d-1 is not sufficient. We do this by providing a counterexample consisting of a cipher decorrelated to the order 2d-1 and a successful non-adaptive iterated attack of order d against it. Moreover, we prove that the aforementioned claim is wrong by showing that a higher probability of having a common query between different iterations can translate to a high advantage of the adversary in distinguishing C from C*. We provide a counterintuitive example consisting of a cipher decorrelated to the order 2d which can be broken by an iterated attack of order 1 having a high probability of common queries.</description><link>http://www.secuobs.com/revue/news/443174.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443174.shtml</guid></item>
<item><title>Taiwanese NSB: PRC Cyberattacks Target Private Sector</title><description>2013-05-01 21:13:45 - Security Bloggers Network: Evidently, Taiwan is publicly calling out the People's Republic of China, in reference to the Chinese Communists' targeted cyber attacks.</description><link>http://www.secuobs.com/revue/news/442998.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442998.shtml</guid></item>
<item><title>Crypto 2012 - Efficient Padding Oracle Attacks on Cryptographic Hardware</title><description>2013-05-01 18:33:59 - SecurityTube.Net: Slides - http://www.iacr.org/conferences/crypto2012/slides/11-1-Steel.pdf. We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel. In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS#1 v1.5 padding, giving new cryptanalysis that allows us to carry out the 'million message attack' in a mean of 49,000 and median of 14,500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024-bit key (the original algorithm takes a mean of 215,000 and a median of 163,000 in the same case). We show how implementation details of certain devices admit an attack that requires only 9,400 operations on average (3,800 median). For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient. We demonstrate the vulnerabilities on a number of commercially available cryptographic devices, including security tokens, smartcards and the Estonian electronic ID card. The attacks are efficient enough to be practical: we give timing details for all the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack. We give mathematical analysis of the effectiveness of the attacks, extensive empirical results, and a discussion of countermeasures.</description><link>http://www.secuobs.com/revue/news/442940.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442940.shtml</guid></item>
<item><title>Hackers Train Security Experts in Digital Attack Methods</title><description>2013-05-01 15:43:20 - LinuxSecurity.com - Latest News: The HackMiami 2013 Hackers Conference, taking place on Miami Beach, will feature comprehensive training seminars that seek to facilitate the skills of SQL injection, smartphone attacks, and enterprise network breaches.</description><link>http://www.secuobs.com/revue/news/442912.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442912.shtml</guid></item>
<item><title>Aging networking protocols abused in DDoS attacks</title><description>2013-05-01 12:27:32 - Computer Security News: Aging networking protocols still employed by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service attacks.</description><link>http://www.secuobs.com/revue/news/442873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442873.shtml</guid></item>
<item><title>Combat phishing attacks from all email domains</title><description>2013-05-01 09:44:15 - Help Net Security - News: Return Path announced that its Anti-Phishing Solutions have expanded to enable brand owners to combat attacks from all email domains, including those beyond their control. This represents a produ...</description><link>http://www.secuobs.com/revue/news/442861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442861.shtml</guid></item>
<item><title>Contact 2: Schnucks Cyber Attack</title><description>2013-05-01 04:05:58 - Computer Security News: The cost of cyber attacks is astronomical. The recent security breach at Schnucks will cost financial institutions millions.</description><link>http://www.secuobs.com/revue/news/442836.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442836.shtml</guid></item>
<item><title>The Biggest Online Attack in the History of the Internet</title><description>2013-05-01 00:00:42 - Security Bloggers Network :  And they did it, they managed to slow down the internet. Next thing you know, they will break it. I am referring to what's been called "the largest publicly announced online attack in the history of the Internet". And this week we read about the suspect: a 35-year old guy from the Netherlands who was arrested in Spain. The Netherlands Public Prosecutor Service press release (in Dutch) </description><link>http://www.secuobs.com/revue/news/442812.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442812.shtml</guid></item>
<item><title>Future DDoS Attacks  Targeted and Mobile-Driven</title><description>2013-04-30 23:48:59 - Computer Security News :    Receiving Wide Coverage  JPM Shakeup, Day Two  The departure of Frank Bisignano - one of a dozen senior executives to leave JPMorgan in the Read More B of A just recorded its lowest provision for buybacks of bad mortgages in years, and JPMorgan Chase has been reducing its reserves, but most claims from private investors are unresolved </description><link>http://www.secuobs.com/revue/news/442809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442809.shtml</guid></item>
<item><title>Printers, Routers And Other Internet Devices Being Hijacked To Participate In DrDoS Cyber Attacks</title><description>2013-04-30 21:54:10 - Dark Reading   All Stories : New Prolexic white paper explains how to secure your devices and infrastructure from SNMP, NTP, and CHARGEN attacks </description><link>http://www.secuobs.com/revue/news/442794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442794.shtml</guid></item>
<item><title>Apache servers ambushed by sophisticated backdoor attacks</title><description>2013-04-30 20:17:59 - Network World on Security : Apache servers are being ambushed by a particularly pernicious malware program called Linux/Cdorked.A that's infecting visitors to the sick machines with the Blackhole malware kit </description><link>http://www.secuobs.com/revue/news/442781.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442781.shtml</guid></item>
<item><title>UK consumers fear cyber attacks on smart meters, survey reveals</title><description>2013-04-30 19:29:14 - Computer Security News :    UK consumers believe smart meters will capture too much personal information and will be vulnerable to cyber attack, a survey has revealed </description><link>http://www.secuobs.com/revue/news/442768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442768.shtml</guid></item>
<item><title>See how beautiful a DDoS attack can look</title><description>2013-04-30 16:17:04 - Security Bloggers Network :  A posting from CNET News in their security and privacy section. Using the Web app Logstalgia, a developer has managed to capture on video a visual impression of what happens during a DDoS attack. We've all heard of a distributed denial of service (DDoS) attack and know what it is: when a person or people attempt to take down ... </description><link>http://www.secuobs.com/revue/news/442717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442717.shtml</guid></item>
<item><title> Wire transfer canceled  Watch out for spammed-out malware attack</title><description>2013-04-30 16:17:04 - Security Bloggers Network : If you've received an email in your inbox telling you that your wire transfer has been cancelled, take care - as it's the latest attempt by online criminals to infect the general public's Windows computers </description><link>http://www.secuobs.com/revue/news/442716.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442716.shtml</guid></item>
<item><title>The world's biggest cyber attack: A concise summary</title><description>2013-04-30 15:25:11 - Security Bloggers Network :    By Henry Dalziel. The, quote, "biggest cyber attack we've seen", from Matthew Prince, CloudFlare's CEO, is the result of two competing sides. CloudFlare were hired to mitigate the DDoS attacks suffered by Spamhaus (Team Spamhaus). Spamhaus is based in Geneva, Europe. Essentially Spamhaus is an Internet watchdog that creates spam data filters to protect ... Continue Reading. The post The world's biggest cyber attack: A concise summary appeared first on Concise Courses Information Security Blog </description><link>http://www.secuobs.com/revue/news/442698.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442698.shtml</guid></item>
<item><title>SecureAuth, the only anti-phishing two-factor authentication product that would have prevented the AP Twitter attack</title><description>2013-04-30 14:35:06 - Security Bloggers Network : We've read the blogs about how the addition of two-factor authentication wouldn't have prevented the AP Twitter attack. It's amazing that even here in 2013 most simply think of two-factor authentication as just another thing a user enters on screen. Just a few more digits for you to input after your password or something. Here ... </description><link>http://www.secuobs.com/revue/news/442686.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442686.shtml</guid></item>
<item><title>Monster Cyber Attack Threat: Kamphuis Supporters Warn of Backlash Following Master Hacker Arrest</title><description>2013-04-30 07:41:28 - Computer Security News :    Supporters of Sven Olaf Kamphuis, who was arrested on Friday over the "largest cyber-attack in history", have threatened an even larger attack on those they believe are out to get him </description><link>http://www.secuobs.com/revue/news/442616.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442616.shtml</guid></item>
<item><title>Pro-Assad Syrian hackers launching cyber-attacks on western media</title><description>2013-04-30 02:54:03 - Computer Security News :    The logo of the Syrian Electronic Army, which has targeted a number of western media organisations, including the Guardian, the BBC and al-Jazeera. The Guardian has come under a cyber-attack from Syrian hackers who have targeted a series of western media organisations in an apparent effort to cause disruption and spread support for President Bashar ... more </description><link>http://www.secuobs.com/revue/news/442586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442586.shtml</guid></item>
<item><title>Admin beware  Attack hitting Apache websites is invisible to the naked eye</title><description>2013-04-29 23:47:11 - Ars Technica   Risk Assessment : Newly discovered Linux Cdorked evades detection by running in shared memory </description><link>http://www.secuobs.com/revue/news/442550.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442550.shtml</guid></item>
<item><title>Apache Web Server Attacks Continue to Evolve</title><description>2013-04-29 21:57:54 - Sucuri Blog : For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we're handling half a dozen or so and it continues to increase. It's one of the reasons that I have started including this as a trend in my most recent Website Security presentations. Just last ... Read More </description><link>http://www.secuobs.com/revue/news/442540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442540.shtml</guid></item>
<item><title>LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk</title><description>2013-04-29 21:41:04 - Dark Reading   All Stories : Shopping and deals site LivingSocial says all customers should change passwords; source of hack undisclosed </description><link>http://www.secuobs.com/revue/news/442538.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442538.shtml</guid></item>
<item><title>Malware found scattered by cyber espionage attacks</title><description>2013-04-29 19:08:47 - Computer Security News :    Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks </description><link>http://www.secuobs.com/revue/news/442494.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442494.shtml</guid></item>
<item><title>Hacking suspect arrested for 'biggest cyberattack in history'</title><description>2013-04-29 18:31:16 - Security Bloggers Network : Remember Spamhaus? The attack was apparently conducted not from a bedroom, but an antenna-equipped mobile van </description><link>http://www.secuobs.com/revue/news/442486.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442486.shtml</guid></item>
<item><title>More Links on the Boston Terrorist Attacks</title><description>2013-04-29 17:39:55 - Schneier on Security : Max Abrahms has two sensible essays. Probably the ultimate in security theater: Williams-Sonoma stops selling pressure cookers "out of respect". They say it's temporary. I bought a Williams-Sonoma pressure cooker last Christmas. I wonder if I'm now on a list. A tragedy: Sunil Tripathi, whom Reddit and other sites wrongly identified as one of the bombers, was found dead in </description><link>http://www.secuobs.com/revue/news/442479.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442479.shtml</guid></item>
<item><title>Suspect in 'biggest cyber attack in history' had hack van, bunker</title><description>2013-04-29 15:38:33 - LinuxSecurity.com   Latest News : LinuxSecurity.com - A Dutch citizen arrested in northeast Spain on suspicion of launching what is described as the biggest cyber attack in internet history operated from a bunker and had a van capable of hacking into networks anywhere in the country, officials said on Sunday </description><link>http://www.secuobs.com/revue/news/442449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442449.shtml</guid></item>
<item><title>Hacking suspect arrested for 'biggest cyberattack in history'</title><description>2013-04-29 11:43:45 - ZDNet  Zero Day Blog RSS : Remember Spamhaus? The attack was apparently conducted not from a bedroom, but an antenna-equipped mobile van </description><link>http://www.secuobs.com/revue/news/442405.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442405.shtml</guid></item>
<item><title>In battle against cyber attacks, these Seattle hackers wear the white hats</title><description>2013-04-29 10:43:35 - Computer Security News :    Adam Cecchetti, 31, one of the founders of Déjà vu Security, which operates out of a loft on Capitol Hill, says unlike hackers who are a menace to others, "I'm not in this business to harm people, or to take grandma's savings or deface somebody's website". Mikhail Davidov, a "white hat" hacker in Seattle, is recognized for both his distinctive Mohawk and ... more </description><link>http://www.secuobs.com/revue/news/442399.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442399.shtml</guid></item>
<item><title>Reported DDoS attacks up 200 percent</title><description>2013-04-29 07:46:23 - Help Net Security   News : A new Akamai report provides insight into key global statistics including connection speeds, attack traffic, and network connectivity and availability, among many others. Nearly 700 million unique </description><link>http://www.secuobs.com/revue/news/442377.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442377.shtml</guid></item>
<item><title>Cyberattack suspect had 'bunker' in north Spain</title><description>2013-04-29 06:47:23 - Computer Security News :    A Dutch citizen arrested in northeast Spain on suspicion of launching what is described as the biggest cyberattack in Internet history operated from a bunker and had a van capable of hacking into networks anywhere in the country, officials said Sunday </description><link>http://www.secuobs.com/revue/news/442369.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442369.shtml</guid></item>
<item><title>Dutch Citizen Arrested in Spain in 'Computer Bunker' For Largest Cyber Attack on Record</title><description>2013-04-29 02:48:12 - Computer Security News :    A 35-year-old Dutch citizen has been arrested in northeastern Spain in connection with the biggest cyber attack in history, police said Sunday </description><link>http://www.secuobs.com/revue/news/442358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442358.shtml</guid></item>
<item><title>Crypto 2012 - New Preimage Attacks Against Reduced SHA-1</title><description>2013-04-28 19:55:02 - SecurityTube.Net : Slides: http://www.iacr.org/conferences/crypto2012/slides/6-3-Knellwolf.pdf. This paper shows preimage attacks against reduced SHA-1 up to 57 steps. The best previous attack has been presented at CRYPTO 2009 and was for 48 steps, finding a two-block preimage with incorrect padding at the cost of 2^159.3 evaluations of the compression function. For the same variant our attacks find a one-block preimage at 2^150.6 and a correctly padded two-block preimage at 2^151.1 evaluations of the compression function. The improved results come out of a differential view on the meet-in-the-middle technique originally developed by Aoki and Sasaki. The new framework closely relates meet-in-the-middle attacks to differential cryptanalysis, which turns out to be particularly useful for hash functions with linear message expansion and weak diffusion properties.</description><link>http://www.secuobs.com/revue/news/442324.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442324.shtml</guid></item>
<item><title>LivingSocial Hacked  Cyber Attack Affects More Than 50 Million Customers</title><description>2013-04-28 05:47:03 - Computer Security News :    Online deals site LivingSocial said its computer systems were hacked on Friday, which may have compromised the personal data of more than 50 million of its customers </description><link>http://www.secuobs.com/revue/news/442274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442274.shtml</guid></item>
<item><title>Dutch man arrested in Spain in connection with cyber attack</title><description>2013-04-28 01:21:43 - Computer Security News :    A 35-year-old Dutch man has been arrested in Barcelona by Spanish police over last month's massive cyber attack which disrupted global internet services, the Dutch public prosecutor's office said on Saturday </description><link>http://www.secuobs.com/revue/news/442266.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442266.shtml</guid></item>
<item><title>Dutch Suspect Sven Olaf Kamphuis Arrested for Biggest Cyber Attack in </title><description>2013-04-27 16:48:59 - Computer Security News :    Dutch Suspect Sven Olaf Kamphuis Arrested for Biggest Cyber Attack in Internet History - A suspect, believed to be Dutchman Sven Olaf Kamphuis, has been arrested in Spain in relation to the cyber-attack on Spamhaus, which has been called the biggest in the history of the internet </description><link>http://www.secuobs.com/revue/news/442239.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442239.shtml</guid></item>
<item><title>Dutchman arrested in connection with large DDoS attack on Spamhaus</title><description>2013-04-27 15:02:01 - Network World on Security : A 35-year-old Dutchman was arrested Thursday in Spain, as part of an investigation into a large-scale DDoS (distributed denial-of-service) attack that targeted a spam-fighting organization called the Spamhaus Project in March </description><link>http://www.secuobs.com/revue/news/442235.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442235.shtml</guid></item>
<item><title>UPDATE 2-LivingSocial cyber attack affects millions of customers</title><description>2013-04-27 12:41:51 - Computer Security News :    ROB Insight is The Globe and Mail's exclusive feature led by a team of award-winning editors and writers who provide you with in-depth analysis on breaking business news and the issues that matter most </description><link>http://www.secuobs.com/revue/news/442226.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442226.shtml</guid></item>
<item><title>Suspect in massive Spamhaus DDoS attack arrested in Spain</title><description>2013-04-27 01:58:57 - Security Bloggers Network : A 35-year-old Dutch national, officially identified only as SK, was arrested in Spain on Thursday. He is accused of DDoS attacks against Spamhaus and others. Who is SK, do you think? </description><link>http://www.secuobs.com/revue/news/442181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442181.shtml</guid></item>
<item><title>LivingSocial says cyber attack affects millions of customers</title><description>2013-04-27 00:09:30 - Computer Security News :    LivingSocial, the second-largest daily deal company behind Groupon Inc, said on Friday that it was hit by a cyber attack that may have affected more than 50 million customers </description><link>http://www.secuobs.com/revue/news/442164.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442164.shtml</guid></item>
<item><title>Hackers target shared Web hosting servers for mass phishing attacks</title><description>2013-04-26 21:32:53 - Computer Security News :    Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group  </description><link>http://www.secuobs.com/revue/news/442148.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442148.shtml</guid></item>
<item><title>Police arrest suspect accused of "unprecedented" DDoS attack on Spamhaus</title><description>2013-04-26 20:48:57 - Ars Technica   Risk Assessment : Is the suspect identified as "SK" actually CyberBunker affiliate Sven Olaf Kamphuis? Likely </description><link>http://www.secuobs.com/revue/news/442137.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442137.shtml</guid></item>
<item><title>Hackers increasingly target shared Web hosting servers for use in mass phishing attacks</title><description>2013-04-26 19:36:09 - Network World on Security : Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG) </description><link>http://www.secuobs.com/revue/news/442120.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442120.shtml</guid></item>
<item><title>Locked and loaded, online gamers draw phishing attackers</title><description>2013-04-26 19:36:09 - Network World on Security : Online gamers have become rich targets for cybercriminals, according to a report released this week by the Anti-Phishing Working Group </description><link>http://www.secuobs.com/revue/news/442119.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442119.shtml</guid></item>
<item><title>Pinpointing the Blame for Cyber Attacks: 3 Reasons Why it's Harder than you Think</title><description>2013-04-26 16:27:50 - Security Bloggers Network : As the cyber security landscape evolves and attacks become more sophisticated and malicious, the question of responsibility has grown increasingly important. Despite the fact that in the wake of high profile cyber attacks charges of blame abound, pinpointing blame for cyber attacks is actually harder than most people think. Over the course of my career, ... </description><link>http://www.secuobs.com/revue/news/442077.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442077.shtml</guid></item>
<item><title>Who to call when hit by a DDoS attack</title><description>2013-04-26 14:44:03 - Help Net Security   News : Recent reports all point to the same fact: despite the different motives of the attackers, DDoS attacks have become more frequent and more intense. So what are businesses and organizations to do? </description><link>http://www.secuobs.com/revue/news/442049.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442049.shtml</guid></item>
<item><title>35% of businesses experienced a DDoS attack in 2012</title><description>2013-04-26 10:29:34 - Help Net Security   News : When DDoS attacks hit, organizations are thrown into crisis mode. From the IT department to call centers, to the boardroom and beyond, it's all hands on deck until the danger passes. In February </description><link>http://www.secuobs.com/revue/news/442009.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442009.shtml</guid></item>
<item><title>Phishing attacks skyrocketing</title><description>2013-04-26 10:29:34 - Help Net Security   News : A new phishing survey by the Anti-Phishing Working Group (APWG) reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing att </description><link>http://www.secuobs.com/revue/news/442008.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442008.shtml</guid></item>
<item><title>Possible Exploit Avenue Discovered for DarkLeech Web Server Attacks</title><description>2013-04-26 00:42:14 - Dark Reading   All Stories : A researcher at Cisco has uncovered a possible link between a malicious script and an attack that has compromised thousands of web servers around the globe </description><link>http://www.secuobs.com/revue/news/441952.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441952.shtml</guid></item>
<item><title>ICANN Blog: How to Report a DDoS Attack. A worthwhile read: http://blog.icann.org/2013/04/how-to-report-a-ddos-attack, Thu, Apr 25th</title><description>2013-04-26 00:18:53 -       SANS Internet Storm Center  InfoCON  green :   more  </description><link>http://www.secuobs.com/revue/news/441948.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441948.shtml</guid></item>
<item><title>Phishers Hack Hosting Providers To Launch Mass Attacks</title><description>2013-04-25 23:52:51 - Dark Reading   All Stories : Nearly half of all phishing attacks in the second half of last year came via hacked hosting providers, new data from the Anti-Phishing Working Group  APWG  </description><link>http://www.secuobs.com/revue/news/441940.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441940.shtml</guid></item>
<item><title>Escalation of Cyberattacks from North Korea</title><description>2013-04-25 20:48:16 - Security Bloggers Network :    Cyberattacks. Cyberwar. How many times in the past year have you heard language about cyberwar and whether or not it has a place in physical war? Do we have an answer? Not a firm one, but at the very least we have a sense of it. In the scheme of things, North Korea is not considered a world power in the arena of cyberattacks. According to data Solutionary has observed in our ActiveGuard service platform, countries like the United States, China and Russia generate millions of "touches" a month against Solutionary Managed Security Services clients (let's say a "touch" is a known reconnaissance, an overt external attack or the attempted exfiltration of data). In a normal month, North Korea has historically generated 34-200 touches per month against Solutionary clients. That is, until February of 2013, when they jumped all the way up to 12,473 touches. What is special about February of 2013? Only the latest escalation of events with North Korea. On February 12, North Korea announced that it had conducted an underground nuclear test. While there is some debate over whether or not the detonation was nuclear, an underground explosion consistent with a nuclear warhead has been confirmed by several other nations. The test generated widespread condemnation and once again raised potential sanctions against North Korea. North Korea has responded with additional aggressive words, and another threat to test one of their missiles that they say is capable of delivering a nuclear warhead. Is the escalation coincidence? Is this just a war of words? Outside of the fact that I do not really believe in coincidences, three things tell us the answer to that is "no". First, the sheer size of the escalation in events. The number of touches in February was an 8,445% increase over the average number of touches in the previous 12 months. So, while in comparison to other countries North Korea's cyberpresence is relatively low, the size of the escalation is undeniable. Second, the persistency of the escalation in events. While not as significant as February's numbers, March still represented an increase of 1,913% over the average of the January 2012 to January 2013 timeframe. Third, the repeat of the escalation. What repeat? In November of 2012, the number of touches produced by North Korean sites against Solutionary clients more than doubled. Again, not particularly significant numbers when compared to the heavy hitters, but it doubled. Did that have anything to do with North Korea's political environment? We can make no guarantees, but it does seem coincidental that it was in late November when North Korea replaced their defense minister with a more aggressive, hard-line military commander. It was also late November when North Korea started talking about missile testing prior to the December elections in South Korea, ending with the actual launch of that missile on December 12. (It may be worth noting that while the number of touches fell in December, the last month of the year still showed the second highest number of events in the entire year.) Just as interesting is the profile of the targets of the network-based touches. According to Solutionary data, North Korean related events pretty evenly spanned target organizations across 13 industries, but showed a clear favoritism for targeting organizations in the financial community. For the period January 2012 through January 2013, 49.1% of all North Korean sourced cyberactivity seen by Solutionary was directed at financial companies. February of 2013, however, saw a marked jump in the number of touches on organizations in the financial industry. In February of 2013, over 99% of all touches were directed against members of the financial industry. This profile continued into March of 2013, across the same timeframe that North Korea waged denial of service attacks against South Korean banks and broadcasting companies. Keep in mind that alleged hacktivists escalated attacks against banks based in the United States, starting in September of 2012, and attacks continued in waves throughout the fall, spanning much of the same time period as North Korea's escalated language and cyberattacks. This does not necessarily mean they are related, but at the very least may have served as encouragement for North Korea's escalated financial activity. Now, there is no evidence that any of this is supported or even encouraged by the North Korean government. But, there do appear to be several parallels between escalated verbal rhetoric and escalated cyberattacks. It is evident that, whether government influenced or not, the dual-path of aggression is a new way of facing the world, at least from North Korea. Given the more hard-line government in North Korea, we expect escalations like this to continue, and to become even more evident in other conflicts around the globe.</description><link>http://www.secuobs.com/revue/news/441909.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441909.shtml</guid></item>
<item><title>Islamic group expands targets in bank DDoS attacks</title><description>2013-04-25 19:37:32 - Network World on Security : An Islamic group that launched a third wave of high-powered denial-of-service attacks against US banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say </description><link>http://www.secuobs.com/revue/news/441875.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441875.shtml</guid></item>
<item><title>Potent DDoS attacks on Mt. Gox delay rollout of new virtual currency</title><description>2013-04-25 19:04:18 - Ars Technica   Risk Assessment : Support of Litecoin is postponed as Bitcoin exchange struggles to stay online </description><link>http://www.secuobs.com/revue/news/441856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441856.shtml</guid></item>
<item><title>How Cybercriminals Attack The Cloud</title><description>2013-04-25 14:35:26 - Dark Reading   All Stories : What attacks are most likely against cloud computing environments? Here's a look -- and some advice </description><link>http://www.secuobs.com/revue/news/441795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441795.shtml</guid></item>
<item><title>Random Links on the Boston Terrorist Attack</title><description>2013-04-25 14:08:51 - Schneier on Security : Encouraging poll data says that maybe Americans are starting to have realistic fears about terrorism, or at least are refusing to be terrorized. Good essay by Scott Atran on terrorism and our reaction. Reddit apologizes. I think this is a big story. The Internet is going to help in everything, including trying to identify terrorists. This will happen whether or </description><link>http://www.secuobs.com/revue/news/441790.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441790.shtml</guid></item>
<item><title>Targeted Attack Campaign Hides Behind SSL Communication</title><description>2013-04-25 11:48:09 - Security Intelligence  TrendLabs   Trend Micro : Using encrypted communication like Secure Sockets Layer (SSL) along with the clever use of a recent news item as a social engineering lure is the perfect combination to penetrate and remain in a targeted entity's infrastructure. It didn't take long for targeted attacks to use last week's Boston Marathon bombing as a bait to trick predetermined ... Post from Trendlabs Security Intelligence Blog - by Trend Micro: Targeted Attack Campaign Hides Behind SSL Communication </description><link>http://www.secuobs.com/revue/news/441757.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441757.shtml</guid></item>
<item><title>Dutch DigiD e-signature system under DDoS attack</title><description>2013-04-25 11:46:48 - Help Net Security   News : DigiD, the identity management platform that allows Dutch citizens to digitally sign bills, pay taxes, and more, has been unavailable since Tuesday evening due to a DDoS attack, Biz Community reports </description><link>http://www.secuobs.com/revue/news/441755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441755.shtml</guid></item>
<item><title>Cyber attacks on trust expose companies to millions in losses</title><description>2013-04-25 10:59:19 - Help Net Security   News : Every large UK business is open to 247 million in possible threat exposure due to a lack of control over cryptographic keys and certificates, the foundation of trust in the modern world of secure </description><link>http://www.secuobs.com/revue/news/441750.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441750.shtml</guid></item>
<item><title>Cyberattack Tracker Zeroes in on Firewall Vulnerabilities</title><description>2013-04-25 02:55:02 - Fortinet Blog  News and Threat Research   All Posts : Deutsche Telekom's interactive, real-time map of global cyberattacks reveals the bulk of recent attacks (273 million in February alone) were against the Server Message Block (SMB), aka the Common Internet File System (CIFS). Reuven Harrison, CTO and co-founder of Tufin, a security and lifecycle management company and Fortinet solution partner, wrote in a blog that the map's revelations are significant. This attack vector, he explains, operates across an application </description><link>http://www.secuobs.com/revue/news/441701.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/441701.shtml</guid></item>

 </channel>
</rss>
