Foreign hackers from China and Russia carried out large-scale hacking of Finnish government communications, according to a Finnish TV station.
Finland’s foreign minister Erkki Tuomioja said the breach of the Foreign Ministry’s data network was discovered in spring, and Finland’s intelligence service was investigating it as a case of serious espionage. Broadcaster MTV3 reported the hacking incident, which until now had been kept under wraps, probably because everyone thought the Americans had done it.
Tuomioja declined to comment on suspects, but MTV3 had earlier said Chinese and Russian agents may have been involved. The report said that the hackers had gained access to the network for years and targeted communications between Finnish and European Union officials. Tuomioja insisted that nothing classified was involved.
A U.S. bureau on Tuesday provided a draft of voluntary standards that businesses can adopt to boost cybersecurity – part of an attempt to protect critical industries without setting restrictive and costly regulations.
The National Institute of Standards and Technology (NIST), a nonregulatory agency that is part of the Department of Commerce, issued the so-called framework following input from some 3,000 industry and academic experts.
Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.
President Barack Obama directed NIST to compile voluntary minimum standards in a February executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.
Action on bills this year is stalled after the disclosures of vast online U.S. government spying programs.
The draft offers guidance on how companies could identify and protect network assets and detect, respond to and recover from breaches.
Steps might include keeping inventories of software platforms and applications they use, ensuring that top executives know roles and responsibilities, and setting information security policies.
The document also expands on how the companies could do all that while protecting privacy and civil liberties.
“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” NIST Director Patrick Gallagher told reporters, calling the framework “a living document” that is expected to be flexible.
Many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities.
Another concern is that companies have little incentive to adopt the framework – something being reviewed by the Departments of Homeland Security, Commerce and Treasury.
“This is really just a stepping stone. The meat of all of this still remains in the incentives program,” said Melanie Teplinsky, who teaches law at American University and serves as an adviser to cybersecurity firm CrowdStrike. “Even if this is perfect, who’s going to adopt this and why?”
Some trade groups and industry analysts say the framework appears vague and complex, and experts warn that may become a hurdle to adoption.
“I understand their problem, they’re trying to write something that any industry can apply. As soon as you do that, you’re going to get to a very big level of abstraction,” said Stewart Baker, a former Department of Homeland Security assistant secretary and now lawyer at Steptoe & Johnson.
“Much of the document is very procedural,” he said. “I fear that it won’t measurably improve cybersecurity without making it more expensive for everybody.”
While Chinese hackers are famous for taking on other people’s governments, it appears that one of them has broken ranks to take out the Glorious People’s Republic’s own Twitter account.
China’s state broadcaster CCTV deleted a tweet claiming the country’s president had set up a special unit to probe corruption accusations against a former domestic security chief. The tweet referred to an article in Hong Kong’s South China Morning Post newspaper. CCTV said that the Twitter account was hacked on October 21 and used illegally to post incorrect information copied from other sources.
The tweet said that President Xi Jinping had set up a special unit to investigate corruption allegations against the retired leader Zhou Yongkang. The South China Morning Post had said Zhou was being investigated for corruption. But sources have told Reuters he was helping in a graft probe, rather than being targeted himself.
Twitter is blocked in China but some state media have set up accounts in an apparent bid to reach foreign audiences. The hack would have had little impact as the account only has 2,480 followers, in contrast to the 9.9 million followers of its main account on Sina Weibo, China’s version of Twitter.
Google introduced the service on Google+, saying that it is aimed at websites that might otherwise be at risk of online disruption.
“Project Shield, [is] an initiative that enables people to use Google’s technology to better protect websites that might otherwise have been taken offline by “distributed denial of service” (DDoS) attacks. We’re currently inviting webmasters serving independent news, human rights, and elections-related content to apply to join our next round of trusted testers,” it said.
“Over the last year, Project Shield has been successfully used by a number of trusted testers, including Balatarin, a Persian-language social and political blog, and Aymta, a website providing early warning of scud missiles to people in Syria. Project Shield was also used to protect the election monitoring service in Kenya, which was the first time their site stayed up throughout an election cycle.”
Interested websites should visit the Google Project Shield page and request an invitation to the experience. They should not try to do the same at Nvidia’s website, as they will probably just come away with a handheld games console. This will not offer much assistance against DDoS attacks.
According to a video shared by Google last night, Project Shield works by combining the firm’s DDoS mitigation technologies and Page Speed Service (PSS).
Russian mobile malware factories are working with thousands of affiliates to exploit Android users, a security company has claimed.
According to Lookout Mobile Security, the system is so efficient that almost a third of all mobile malware is made by just 10 organisations operating out of Russia. These “malware HQs” are pumping out nasty toll fraud apps, largely aimed at Android users, which force the device to call premium rate numbers, the report said.
Thousands of affiliate marketers are also profiting from the scheme and helping spread the malware by setting up websites designed to trick users into downloading seemingly legitimate apps. Affiliates can make up to $12,000 a month and are heavy users of Twitter.
The report’s release at the DEF CON 21 conference in Las Vegas indicated that Lookout Mobile Security are working with the spooks to bring the crooks down. The malware HQs had gone to great lengths to obfuscate and encrypt their code to make detection tricky, but their advertising was pretty brazen.
The Google Code developer website is being used by hackers to spread malware, security firm Zscaler has warned.
According to Zscaler security researcher Chris Mannon, who reported uncovering the ploy, cyber crooks are using the Google Code website as a fresh twist on their usual attack strategies.
“Malware writers are now turning to commercial file-hosting sites to peddle their wares,” Mannon wrote in a company blog post. “If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether.
“The kicker is that this time we see that Google Code seems to have swallowed the bad pill.”
The firm urged businesses to adapt their security protocols to deal with the new threat.
“This incident sets a precedent that no file-hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organisational or personal perspective,” Mannon added. “So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location.”
Anti-malware vendor FireEye said the use of developer websites by hackers to spread malware isn’t anything new, and it expects to see similar attacks in the very near future.
“We see this all of the time. In many cases we see fragments of multi-stage attacks for specific campaigns hosted across a variety of intermediate locations,” said FireEye regional technical lead Simon Mullis. “Any site with user-editable content can be used to host part of the malware attack lifecycle.”
FireEye noted that the key point is that if you cannot detect the initial inbound exploit, then the rest of the attack can be hidden or obfuscated using this approach.
“This technique has been used for years, and the traditional security model and simple discrete sandboxing has no answer for it,” Mullis added.
Google isn’t the only information technology giant whose developer website has been attacked by hackers. Apple shut down access to its developer website last week after a researcher went public about a security vulnerability. Though it is back up and running now, the attack showed that even the richest technology companies can fall victim to hackers.
There is usually a game played at the event, and that is “spot the fed”. Usually they are easy to pick out thanks to their suits and shiny shoes, crewcuts and questions like, “What’s a VPN?”
This year if there are any there they are going to have to attend in serious disguises.
The bar has come down because of recent alarming news about US federal government snooping and the US National Security Agency (NSA) PRISM programme, as well as the government persecution and tragic suicide of Aaron Swartz and ‘hacking’ prosecutions of other individuals by the US government.
Anyway, it doesn’t seem like Defcon attendees should be happy to play host to guests that are already snooping on them, the US public and the rest of the world, not to mention trying to throw some of them in prison.
“For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect,” said a note posted to the Defcon website.
“When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year. This will give everybody time to think about how we got here, and what comes next.”
The announcement comes in the wake of the PRISM scandal. That was exposed by NSA whistleblower Ed Snowden and has highlighted just how nosey the US government and its federal investigators are, which is very nosey indeed.
Defcon 21 will be held in Las Vegas in the first week of August.
While the world hears lots of stories about Chinese hackers, apparently Beijing has mountains of data on Americans doing the same thing to them.
China’s top Internet security official told Reuters that he has “mountains of data” pointing to extensive US hacking aimed at China. However, Huang Chengqing told them that it would be irresponsible to blame Washington for such attacks. Cyber security is a major concern for the government and is expected to be at the top of the agenda when President Barack Obama meets with Chinese President Xi Jinping in California later this week.
Huang said that he had mountains of data if he wanted to accuse the US, but that doing so would not be helpful in solving the problem. Huang runs the National Computer Network Emergency Response Technical Team/Coordination Centre of China, known as CNCERT.
LinkedIn Corp rolled out technology intended to enhance the security of the social networking site for professionals, about a week after Twitter introduced similar tools following a surge in high-profile attacks on its users.
The optional service, known as two-factor authentication, is designed to verify the identity of users as they log in by requiring them to enter numeric codes sent via text message.
LinkedIn introduced the service on Friday, about a year after a highly publicized breach that exposed passwords of millions of its users. Some security experts criticized LinkedIn at the time, saying the firm had failed to use best practices to secure its passwords.
The site provided instructions to its 225 million users on how to turn on the optional service at linkd.in/1aIFV3D.
The mandatory disclosure plans are designed to cover organisations that run “critical national infrastructure”, the definition of which will impact firms such as Apple, Facebook and Google.
“Operators of critical infrastructures in some sectors, enablers of information society services and public administrations must adopt risk management practices and report major security incidents on their core services,” the EC said.
The EC defines information society services as “app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks”.
This would mean huge firms like Apple, Facebook, Google, Microsoft, Amazon and Twitter would have to publicise breaches, which could cause major security and trust concerns among consumers.
Various agencies contacted these firms for comment on the proposals but had received no reply at time of publication.
The plans were originally unveiled in December 2012, when the EC promised to instigate new laws forcing businesses to disclose data on significant incidents within 24 hours.
Lawyer Stewart Room from Field Fisher Waterhouse said the proposals could have a huge impact on the technology world.
“Essentially, the internet as a whole has now been recognised as part of critical infrastructure, just like utilities. Until now, cyber security law has focused on telcos and ISPs, the trunk and access layers of e-comms if you like, but the change brings in ‘over the top providers’,” he said.
“No doubt the EU will play down the cost of implementing the law, but such claims should be resisted – the cost will be massive to the internet economy.”
In the past the security community has been hostile to the idea of forced disclosure. When the policy was announced in 2012 many security researchers claimed the policy would do more harm than good, warning the strategy’s 24-hour disclosure deadline was too short.
But passwords played a part in the perfect storm of users, service providers and technology failures that can result in epic network disasters. Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.
The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.
Password security is the common cold of our technological age, a persistent problem that we can’t seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.
All of which makes password management a nightmare for IT shops. “IT faces competing interests,” says Forrester analyst Eve Maler. “They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts.”
Is there a way out of this scenario? The answer, surprisingly, may be yes. There’s little consensus on what the best solution will be, but consultants and IT executives express optimism about the future. They cite technologies such as single sign-on, two-factor authentication, machine-to-machine authentication and better biometrics as ways to strengthen security — eventually. For now, each still has its drawbacks.
A freshly discovered Linux rootkit could give researchers insight into evolving malware techniques.
Security researchers have started issuing reports on an unnamed and previously unknown Linux rootkit posted earlier this month to a security mailing list.
While early analysis found that the attack is relatively crude and insecure by Windows rootkit standards, the attack has caught the eye of security vendors because it appears to be a commercially designed sample rather than a targeted attack.
Researchers believe that the rootkit is intended to attack web servers, infecting 64-bit Linux kernels and then injecting further attack code into web pages.
The discovery of the rootkit could indicate that cyber criminals are increasingly looking to infect Linux systems with sophisticated attacks. Rootkits, which run at the operating system kernel level of a system, have emerged as a favourite means for avoiding detection by conventional anti-virus software.
“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction,” security firm CrowdStrike wrote in its analysis of the malware sample.
“The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.”
CrowdStrike researchers went on to suggest that the attack is likely the work of a contracted malware developer and has since been modified by the buyer.
Marta Janus, a researcher with Kaspersky Lab, suggested that the attack could also signal a shift away from high-level attacks on HTTP servers to more sophisticated methods that infect the server itself and poison hosted web pages.
“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future,” Janus wrote.
Kaspersky Lab has confirmed that it is developing an operating system for industrial control systems (ICS), claiming it can create one that is more secure than those from Apple, Microsoft or the open source community.
Rumours have been flying that Kaspersky Lab has been working on an operating system, and Eugene Kaspersky confirmed that the firm has been working on an ICS operating system that he claims will be more secure than efforts by Apple, Microsoft and the open source community. According to Kaspersky, the firm’s efforts will be “highly tailored” rather than a general purpose operating system and will not allow background activity by processes.
Kaspersky gave two reasons why his firm’s efforts will be better than others, saying, “First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.”
Kaspersky also stated the bleeding obvious when he said that existing security measures are ineffective against contemporary threats. However, given that his firm, among many other security vendors, has been happily peddling what is clearly ineffective software, it is quite a stretch to think that a Kaspersky Lab developed operating system will be any better. The firm is also taking a risk with its reputation by creating an operating system that many security researchers will see as a bullseye target at a high profile security vendor.
Kaspersky did not say when his firm expects to roll out its operating system.
Kaspersky Lab has discovered three Flame-related malware threats that it said use “sophisticated encryption methods”.
Kaspersky claims that it uncovered the three new hostile programs while analysing a number of Command and Control (C&C) servers used by Flame’s creators.
“Sophisticated encryption methods were utilised so that no one, but the attackers, could obtain the data uploaded from infected machines,” the firm’s statement read.
“The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, and only one of them was compatible with Flame.
“It means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild.”
The discovery of the three programs indicates that Flame’s Command and Control platform was being developed in 2006, four years earlier than first thought.
Flame was originally uncovered in May targeting Iranian computer systems. The malware drew widespread concerns within the security industry regarding its advanced espionage capabilities.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers,” said Kaspersky’s chief security expert, Alexander Gostev.
Following the discovery of the three new related programs, Kaspersky’s chief malware expert Vitaly Kamluk told The INQUIRER that Flame is not the only one in this big family.
“There are others and they aren’t just other known malwares such as Stuxnet, Gauss or Duqu,” he said. “They stay in the shadows and no one has published anything about them yet. Others were probably used for different campaigns.”
Kamluk added that it is “very possible” there are more than the three listed in Kaspersky’s report.
“They started building RedProtocol, yet another ‘language’ for unknown malware. No known client types are using that one, which means that there is even more malware out there,” he added.
Security experts have found new Zeus malware which targets Android and BlackBerry mobile phones. Kaspersky Lab said it found four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain and Italy. Denis Maslennikov, a researcher at Kaspersky Lab, wrote on the company’s Securelist blog that the variants were communicating with two command-and-control mobile phone numbers in Sweden.
Zitmo is a version of the Zeus malware that specifically targets mobile devices. There were three .cod files and one .jar file with a .cod file inside. The BlackBerry variants were the same as other Zitmo versions in the wild, other than grammatical corrections, Maslennikov said.
Maslennikov also found a new Zitmo variant for Android using the same command and control (C&C) numbers as the BlackBerry versions. BlackBerry had previously avoided being a target for malware, despite its significant install base among enterprises and government agencies.