Increasing Militarization Of The Internet

March 6, 2013

The rise of Stuxnet, Flame, Gauss, the Olympic Games operations and Shamoon have all shed light on the issue of nation-state driven cyberwarfare and cyberespionage activities. Now that we are in cyberspace, we have another domain for humans to occupy and dominate, according to Ed Skoudis, founder of Counter Hack Challenges.

Skoudis told RSA Conference 2013 attendees that he worries about some of the risks of taking action over the Internet. Many of the nation-state driven activities could have a tremendous impact on the private sector, he said. “It could have a cascading impact,” he said. “It is possible that every cyberaction could cause bigger problems than people think.” Some of the techniques outlined by Skoudis and Johannes Ullrich, chief research officer at the SANS Institute, are not new, but they are being ramped up by cybercriminals to the point of becoming a serious problem.

Here’s a look at the five most dangerous new hacking techniques that concern top security experts Ullrich and Skoudis.

Rise Of Offensive Forensics

Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves. Offensive forensics is the use of forensics techniques by the attacker: analyzing file systems and memory in depth, then combing them for information assets and extracting them.

Mis-Attribution

The industrial processes used to build Stuxnet and other malware provide unique fingerprints that malware analysis investigators use to categorize it. Coding styles, down to machine-level language, can indicate a specific threat actor. A nation-state backed cybercriminal that doesn’t want to get noticed may place phony clues in malware to shake off investigators, Skoudis said. The catastrophic attack on Saudi Aramco via Shamoon infections on that company’s workstations contained some technical information that made investigators think it clearly wasn’t the work of a nation-state. But researchers at Kaspersky Lab provided evidence linking some specific characteristics to the Flame malware, a cyberespionage attack toolkit.

Computer Attacks Resulting In Kinetic Impact

Historically we have worked to protect PII and PHI, bank records and trade secrets, but companies haven’t had a good track record, Skoudis said. Now attackers are also targeting physical infrastructure such as industrial control systems and SCADA systems.

“Some of it is just mischief, but it could be a harbinger of much bigger things to come,” Skoudis said. “We are rapidly moving into the area where cyberattacks cause kinetic impact.”

Smaller systems are now at risk as well, such as automobiles, water distribution systems and traffic light control systems, which have buffer overflows, SQL injection flaws and other coding problems that can be exploited, he said. Attackers can infiltrate these devices and gain command and control of the infrastructure.

Large Scale DDoS Attacks

U.S. banks have invested substantial time and resources to defend against distributed denial-of-service (DDoS) attacks. The attacks are simple and don’t require a lot of resources to launch.

While the attacks are not new, businesses and attackers have been playing a cat and mouse game, Johannes Ullrich, chief research officer at the SANS Institute, told RSA Conference attendees. Attack tools are getting better at tricking DNS anti-DDoS defenses, he said. Attacks are getting larger, reaching more than 40 gigabits per second, and the attacker only needs about 2,000 bots to carry them out, Ullrich said.

Password Breach, Password Leaks

The advice given to organizations is to salt and hash passwords, but salting and hashing only slow an attacker down, Ullrich said. Dedicated password-cracking rigs cost only a few thousand dollars, he said. For now, user education and better protection of the databases that contain passwords are the only answer. Until an alternative to the pass phrase emerges, the problem will persist. Two-factor authentication is expensive and used by only a small percentage of security-minded organizations, Ullrich said. Some experts are looking to the smartphone as an authenticator, but token-stealing malware, as evidenced by the Zitmo/Eurograbber Android Trojan, defeats SMS-based tokens, and they will likely continue to be a target of attacks.

Thanks to The Threat Vector:

http://thethreatvector.wordpress.com/2013/03/05/increasing-militarization-of-the-internet/



The Attack of Red October: Cyberespionage is not just for Nation-states Anymore

January 30, 2013

After reading a recent analysis of the newly discovered Red October malware, I was left with a profound feeling of dread. We all surmised this kind of thing was probably happening. Flame and Stuxnet demonstrated that sophisticated cyberattacks are in fact taking place. Up until now, the malware we’ve seen has been attributed to state-sponsored entities that appear to be narrowly targeting specific regions – the realm of political motivations. This latest campaign, however, appears to demonstrate that it’s not just governments looking to pilfer state secrets through cyberespionage: professional crime organizations have gotten into the game as well.

This is a wonderful example of the asymmetric nature of cyberwarfare. In many ways, the digital battlefield is the great equalizer, and while unlimited resources will get you a more polished product, quite a bit can be done with a much more modest budget. Consider that the Red October attackers appear to have been quite adept at leveraging the work of others, as well as using what they learned along the way. Instead of developing or purchasing zero-days, they used the same exploits – in some cases the exact same malicious Word documents used in other attacks attributed to a completely different group – with only the payload modified. Most self-respecting state-sponsored attack developers would scoff at such a notion. The Red October attackers also leveraged information such as passwords that they likely found in use over the course of their campaign. While these techniques don’t have the flair of the MD5 collision attack used by Flame, the development cost is essentially zero, and the campaign appears to have been quite successful thus far.

It also demonstrates that a handful of smart, motivated actors can achieve a high degree of sophistication. The modularity of the malware involved in the campaign is impressive: it contains features designed to extract data from network hardware, USB drives and mobile phones, as well as the more traditional keystroke logging and password dumping. The persistence modules are somewhat novel, in that they install add-ins to Adobe and Microsoft Office that allow the malicious code to be reintroduced by sending a document with an embedded payload but no exploit code. Because the document carries no exploit, it can bypass some security checks such as traditional virus scanners. Also, the command and control infrastructure included sufficient redirection and complexity to effectively shield the identities of the operators behind the campaign.

Finally, I find the targeting of the campaign to be very interesting. The attackers do not appear to be going after heavily protected systems, but rather those through which sensitive data is likely to pass (embassies, government research institutes, and military contractors). While these systems may not hold real state secrets, a lot of related data passes through them, likely allowing the attackers to intercept some very sensitive information. Sifting through all the data gathered is not a trivial task, but it’s also one that is not urgent. Automated searches can be done for keywords related to more timely information, and the rest can be done as time allows. This also appears to be a high-touch campaign, with the attackers actively involved with the infected systems and pushing down new modules as needed. While a campaign of this nature is still outside the reach of most of the smaller cybercriminal groups out there, it is definitely not a nation-state-only club, and there are strong indications that this may have been the work of another entity.

While 99.9 percent of attacks are fairly typical, it is important to remember that there is also some really nasty stuff out there. Also remember that both Flame and this campaign were going on for several years before being brought to light. Who knows what else is out there waiting to be found? It will be both interesting and frightening, I’m sure.

Bit9 provides Advanced Threat Protection for endpoints and servers using the market’s leading trust-based application control and whitelisting.
