For those who can get on location – and can afford it – Richard Bejtlich, from TaoSecurity will give a 2-days course on how to detect and react to an attack on a network. The course will cover those points:
Collection: What data do you need to detect intruders? How can you acquire it? What tools and platforms work, and what doesn’t? Can I build what I need?
Analysis: How do you make sense of data? If intrusion detection systems are dead, what good are they? What is Network Security Monitoring (NSM)? How can I perform network forensics?
Escalation: What do you do when you suspect an intrusion? How can you confirm a compromise? How should you act?
Response: You’re owned — now what? Do you contain, remediate, or play dead? How do intruders react to your actions? Can you ever win?
Black Hat Europe 2009 will occur from April 14 to 17 in Amsterdam and will reunite 20 internationally renowned security specialists worldwide.
An unnamed senior US official has declared to the Financial Times that the Whitehouse computer network was victim to numerous cyber attacks from China. According to the same official, the attackers had access to e-mails for short periods of time.
The unclassified network of the Whitehouse was breach numerous times by the attackers, which may have stole information. The sensibility of the information accessed is not specified, but since it was on the unclassified network, no data of value should have been viewed by the hackers. The attacks were detected by the National Cyber Investigative Joint Task Force, an agency created in 2007 and under the FBI.
No one from the American and Chinese sides commented on this event. This declaration comes amid many cyber attacks performed in previous years also and every time, blamed on the Chinese or Russians. In 2007, the Pentagon claimed to have been hacked by the cyber division of the People’s Liberation Army (PLA). It has been known for a while not that China has developed advanced cyber warfare capabilities and has gain a lot of experience.
The Register reports that malware creators are already using Mr. Obama’s popularity to distribute the Papras Trojan using spam, social engineering and Google Ads.
Users usually receive an email from what seems a legitimate news sources such as CNN and BBC, inviting users to see the speech of Barack Obama on their website. The content of the email is the following:
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
Newsweek reports that the computer systems of M. Obama and M. McCain were both hacked by unknown attackers during their campaigns. Very little information is available, but according to Newsweek, the FBI and the Secret Services claimed that several files from the Obama servers had been compromised by a “foreign entity” in midsummer. The same happened to the McCain campaign.
According to the FBI, documents were stole by foreign powers (probably Russia or China) in order to gather information for future negotiations.
But the former director of technology for the 2004 presidential campaign of Rep. Dennis Kucinich expressed skepticism about the claims. Henry Poole from CivicActions, a firm that offers Internet campaign consulting services, said “It’s unlikely that either campaign would have stored sensitive data on the same servers that were being used for public campaigning purposes“.
It is unclear if anyone got compromised at all. If so, why would the FBI and Secret Services report such events? Hopefully there is more to come on this…
Russian criminals who are selling a fake anti-virus, “Antivirus XP 2008/2009” among others, have made more than 150 000$ in a week, according to the Sydney Morning Herald. If you ever seen those annoying popups warning you that you might be infected with one or more viruses, then you probably came across this scam.
“For most people they might just be browsing the web and suddenly they don’t know why this thing will pop up in their face, telling them they’ve got 309 infections on their computer, it will change their desktop wallpaper, change their screen saver to fake ‘blue screens of death’,” said Joe Stewart, from SecureWorks said.
The software is sold for 49.95 $US and will “detect” various viruses and Trojans on the computer. Stewart shows that Antivirus XP still has some basic anti-malware functionality, but as he explains, it’s mostly in case the authors are brought to court “they might try to claim the program is not truly fraudulent – after all, it can clean computers of at least a few malicious programs“. Only 17 minor threats can be removed, far from the 102,563 viruses the anti-virus claims to clean. And don’t expect a refund for the software.
The entity behind this fraudware is called Bakasoftware, a Russian company that pays affiliates to sell its anti-virus to users. Affiliates can earn between 58% and 90% of the sale price. Criminals are therefore using everyway to trick users into installing the software, including scaring the user into believing that he is infected, even using botnets to push the program into the users’ computers.
“Since it is not hacking people’s computers and only runs the affiliate program, Bakasoftware does not have to worry about being shut down by police“, Stewart said.
Account Balance (USD)
Table 1.0 – Top earners in the Bakasoftware Affiliate Program
Screenshots took from the administrative panel of bakasoftware.com which was hacked by NeoN:
By the time of this writing, http://www.bakasoftware.com/ was not accessible. Another interesting fact, if the Russian language is installed on your computer, there’s a good chance you won’t be considered as a target because of Russian legislation. Apparently the creators have been sued anyway.
Many other fraudware are available, always proposing anti-malware software. Their ads are oven seen on torrents, warez and cracks/serials sites. What’s particularly dangerous is that they can come with other legitimate software or by drive-by downloads. Once they are installed in your computer, they get annoying very fast and can trick you into buying fraudware. Popups can appear that you are infected. Other types of fraudware are those “boost your computer” software.
P.S “baka” means “stupid” in Japanese. A totally appropriate title for the operators of this company.
According to the latest Security Intelligence Report from Microsoft, malicious software installations on computers increased 38% in the U.S for 2008. Also, the number of “High Severity” vulnerabilities detected increased by 13% in the second half of 2007, putting the total of “High Severity” vulnerabilities to 48%.
Downloaders and droppers, accounting for 30% of all malicious software, with around 7 millions computers infected in the United States alone.
And of course, no good Microsoft document would be complete by stating that Vista in more awesome than XP, and therefore the report states that if you own Windows XP SP3, you’re likely to be infected 9 times on 1000 infections, while this number drops to 4 times on 1000 infections for Vista.
“For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total.”
Taken from the report:
Former Yugoslav Republic of Macedonia
United Arab Emirates
Bosnia and Herzegovina
Table 1.0 – Countries with the Highest Infection Rates
Since the 70s, when Deng Xiaoping was the head of China, the People’s Liberation Army tried to modernize itself and cut its size in order to become more efficient. Still, China is still behind when it comes to military even if its defense budget is the second largest after the United States on the planet, with US$57 billion in 2008. According to an article published in Culture Mandala, China could boost its cyber warfare capabilities in order to compensate for their technological backwardness.
It started as soon as in 2003, when it deployed its first cyber warfare units, the “zixunhua budui“. Since, many attacks have been attributed to China, such as Operation Titan Rain in 2003. China hopes that by using asymmetrical warfare, such as information warfare and cyber warfare, it might level other modern armies.
Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments declared that “a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure“. In the same document, we can read:
“One way to assess this risk is to ask whether a cyber attack by China launched a few days in advance of a clash could prevent U.S. carrier battle groups from deploying to the Taiwan Straits. Launching the attacks too early would create the risk of discovery and countermeasures.“
It is clear to me that a nation with a technologically late compared to modern armies have all the advantage to develop asymmetrical warfare. We can assess its effectiveness in Afghanistan and Iraq. And cyber warfare is a perfect way to destabilize modern armies used to technology in their daily operations. But this is far from being easy for both sides, as talented individuals and highly skills hackers are needed to develop this kind of warfare. Terrorists and groups are unlikely to develop a high quality cyber warfare force, although they still can be efficient. China, on the other hand, can and is smart to do it. After all, if a force can disable communications the enemy’s communications networks, such as GPS, emails and phone networks, it can makes a strong army useless. Like a strong man or woman, if the brain can contact the muscle through the nervous system, the body is powerless…
The Department of Homeland Security seeks ideas on how to retrieve information in blogs and forums about the potential use and fabrication of Improvised Explosive Devices (IEDs). The DHS thinks that by analyzing information posted on blogs and forums in real time, it may be able to counter the use of IEDs on the field. They are therefore looking for “Indicators of Intent to Use Improvised Explosives (IEDs) available in Blogs to support the Counter-Improvised Explosive Devices (C-IED) Program.“
Any potential person interested would have to:
“2) developing objective, systematic data collection and retrieval techniques to gather data on a near real-time basis from blogs and message boards. Data will be collected at multiple, pre-determined times to evaluate the transmission of information over time, and should include metrics for determining the impact factor and usage patterns of the blogs and message boards. 3) identifying blogs and message boards utilized or favored by groups that engage in violent or terrorist activity to include in the study. Blogs and message boards must be representative of various characteristics of the larger populations of interest. and 4) collecting quantitative and qualitative data from the bloggers to evaluate such issues relating to knowledge of the preparation and execution of violent activities, including IED attacks.“
Now, I can think of so many ways to defeat this kind of surveillance. Encryption for one. Second, don’t use blogs or forums from the Internet to show where you will plan your next attack. Use a virtual private network (VPN). Maybe by looking for blogs or forums, they may find the stupidest insurgents/terrorists or teenagers that think they are cool, but the vast majority of them know how to use technology and have learned about encryption. A private web server would do the job also…Imagination is the limit!