Tuesday, November 30, 2010

Android Data Stealing Vulnerability

Android Browser Flaw Allows Data Theft

A new vulnerability has been discovered in the Android web browser that could allow hackers to steal files stored on the smartphone's SD card.

According to security expert Thomas Cannon, the a flaw automatically allows payload data to be downloaded to the device's SD card. A few tweaks to a JavaScript will allow the files on the SD card to open making the data readable, he said.

Once the JavaScript has stored the contents of the targeted file, it will then post it to the malicious website. He warned that the flaw is present on multiple handsets and multiple Android OS versions. The security expert has posted a
video on his website showing the Android browser exploit in action.

“I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue. They have since updated me to say they are aiming for a fix to go into a Gingerbread maintenance release after Gingerbread (Android 2.3) becomes available,” he said

Refer here to read more details.

Monday, November 29, 2010

Taking-control of People's Webcams

Computer genius jailed for hacking webcams

A computer hacker who used his technological-know how to take control of people’s webcams was sentenced to 18 months in prison today.

Matthew Anderson, aged 33, was an important member of a globally-running gang who abused the skills he picked up from his role as an expert in computer security in order to target both businesses and members of the public with spam that contained hidden viruses.

As well as this, he accessed personal data such as photographs in a highly sophisticated email scam run from his the front room of his mother’s house, and took control of random internet users’ webcams in an attempt to see inside their houses and appointments.

While also boasting at one point to a colleague that he had had a teenage girl in tears with his acts, Anderson also saved webcam images of girls in school uniforms, a newborn baby with its mother in hospital and other intimate pictures, some of which were of a sexual nature.

Monday, November 15, 2010

New Android Bug Lets Spoofed Apps Run Wild

Spoofed Android apps can bypass security permissions

Google has always a lot of control over its products in the hands of its users, and Android OS is probably on of the best examples. When downloading an application, the user is shown just what said application needs to run properly. If the user doesn’t want the app to have access to certain things it requires, you simply don’t download it. Well, it seems that isn’t the case anymore, as there’s now a new bug in town, and it doesn’t need your stinkin’ permission.

A new bug found in Android can allow those with malicious intent to make a spoof application that seems harmless, only to find out that it can roam free on your handset, and download other, more dangerous applications to steal your personal data, without any permission by the user. Tricky tricky.

Intel security researchers Jon Oberheide and Zach Lanier have created such an application. It looks harmless – an Angry Birds add-on pack that after downloaded, will install a handful of programs that will track your location, steal your contacts, and give the hacker the option to send pay-per-texts. While this isn’t the first time we’ve seen this kind of hack attack, it will certainly be unsettling to most users, especially if this bug isn’t fixed pronto.

Refer here to read more details on Forbes.

Saturday, November 13, 2010

Android on the iPhone?

Install Android 2.2 on the iPhone 2G and 3G over WiFi

Hackers have come up with a way of rescuing Apple fanboys who have elderly versions of the iPhone.

For a while now Jobs' Mob has been forcing its long suffering customers to upgrade their 2G and 3G phones to the broken iPhone 4 by saddling them with an upgrade which made their gizmos slower. Now Redmond Pie has come up with a method of replacing iOS on iPhone 2G and 3G models with Android 2.2 Froyo without using any tools on a host computer.

The outfit had shown off an Android installation before. This involved running iPhoDroid on a host computer connected to a jailbroken iPhone 2G or 3G. This new process uses Bootlace 2.1 to install Android directly via WiFi. It works on iPhone 2Gs with iOS 3.1.2 and 3.1.3 and iPhone 3Gs with 3.1.2, 3.1.3, 4.0, 4.0.1, 4.0.2 and 4.1.

Refer here to read more details.

Thursday, November 11, 2010

Beware - New, Improved Trojans Target Banks

Malware Variants Seek Corporate Accounts

Security researchers are warning financial institutions about the Qakbot Trojan, a rare kind of malware that is allegedly infiltrating large banks and other global financial institutions. It's unlike other types of malware because it has the ability to spread like a worm, but still infect users like a Trojan.

The Qakbot Trojan, named for its primary executable file, _qakbot.dll, is not new, but its qualities and difference in attack set it head and shoulders above other more well-known Trojans, such as Zeus, in that it can infect multiple computers at a time.

In another disturbing find, security researchers at TrustDefender Labs have found a new Gozi Trojan variant that shows a zero percent detection rate. The Trojan targets financial institutions and is invisible to the most used anti-virus software.

Gozi has been attacking banks for three years, but has managed to stay low and undetected. TrustDefender researchers warn that by targeting specific financial institutions, mainly business and corporate banking, Gozi has avoided wider attention from businesses as the Zeus Trojan has grabbed the headlines.

The new Gozi variant has many of the same characteristics of its earlier variants that were researched a year ago. Gozi developers evade signature patterns so much that the history of the Trojan is mostly unknown. TrustDefender's CTO Andreas Baumhof states that an increasing number of Trojans are using SSL and HTTPS to hide their presence. Gozi is also using client-side logic to go around two-factor authentication, as are other Trojans including Zeus, Spyeye and Carberp.

Wednesday, November 10, 2010

Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target

Would it cripple the organization as a whole? What hurts them the most?

Since when did a penetration test primarily become automated tool driven? Scanners are an aid but not a full supplemental for us as penetration testers.

Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:
  • Good hackers don't need to utilize expensive vulnerability scanners.

  • Good hackers don't use automated penetration testing.

  • Attackers don't have a scope or timeframes.

  • Attackers don't stop after they get root.

  • Attackers don't have portions taken out of scope.
The reality of the current situation with pentests is that the true purpose of a testing is completely wasted. For one, your incident response team doesn't get a true attack against a focused attack. If you are at the point where you can't detect automated scans against your network then these traditional methods are right up your alley and your security program is still immature in nature which is fine, you'll get there. The most important element is there is no true representation of impact or financial loss due to a breach.

In simplistic terms there's no focus on business risk, but instead focused on the vulnerability and the exposure of the attack. We aren't hitting companies where it hurts, what makes their business run.

Penetration testing has to be something that measures the organizations business risk and impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test as well as understanding and learning the network.

Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.

Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information or whatever you identify as what hurts them the most. Some questions to answer in Pen-testing includes but not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?

We're also significantly challenged with the basic penetration tests, how do you go against a cheap vulnerability scan penetration test to something that will cost significantly more than that and be done right. Businesses don't understand the difference, they just go with the cheapest buyer, they don't know what they are about to purchase sucks.

We need to hire qualified people that get it, I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.

Monday, November 8, 2010

SCADA security issues will be the shiny hot topic

Metasploit and SCADA Exploits: Dawn of a New Era?

On 18 October, 2010 a significant event occurred concerning threats to SCADA.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.

Some striking facts about this event follow:

  1. This was a zero-day vulnerability that unfortunately was not reported publicly, to a organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.

  2. This exploit was not added to the public Exploit-DB site until 27 October, 2011.

  3. The existence of this exploit was not acknowledged with a ICS-CERT advisory until 1 November, 2010.

  4. This is the first SCADA exploit added to Metasploit.
Shawn Medinger at InfoSec Island shared some interesting thoughts:

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Second, the diverse information sources that SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWinbuffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor. Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

Even in the case of specialty SCADA security shops reporting vulnerabilites to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-relate exploits into a powerful tool.

Roger on Stuxnet

Stuxnet talks – do we listen?

Stuxnet is a severe threat – that’s something we know for sure. But if we look at it, what do we really know? What can we learn?

Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out there about the source and the target of the worm, especially since it hit mass-media. It is obvious that this is a story that is interesting for a broad audience – however, we security professionals need different sources.

Refer here to read an interesting view on Stuxnet from Roger Halbheer.

Wednesday, November 3, 2010

'Shodan' - Computer Search Engine: Pinpoints shoddy industrial controls

Hackers tap SCADA vulnerabilities search engine

A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.

The year-old site known as
Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.

According to the Industrial Control Systems division of US CERT, that's exactly what some people are doing to discover poorly configured SCADA gear. “The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems,” the group wrote in an advisory (PDF) published on Thursday. “These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them has been greatly reduced.”

Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the information provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned. The organization advised admins to tighten security by:
  • Placing all control systems assets behind firewalls, separated from the business network
  • Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
  • Removing, disabling, or renaming any default system accounts (where possible)
  • Implementing account lockout policies to reduce the risk from brute forcing attempts
  • Implementing policies requiring the use of strong passwords
  • Monitoring the creation of administrator level accounts by third-party vendors
Refer here to read more details.

Saturday, October 30, 2010

Identity Theft: Trends, Patterns and Typologies Report

Identity Theft Reports Jump; Most Attributed to Family

According to a new ID theft report from the
Financial Crimes Enforcement Network, most cases of ID theft are linked to a victim's family members or coworkers.

John Summers, a project officer at FinCEN and a lead in FinCEN's report, "Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports", says ID theft perpetrated by family, friends and business partners ranked No.1 among SARs filed by U.S. depository institutions in 2009. "In 27.5 percent of the filings, this was the highest," he says. "It basically means someone close to them was getting access to their files and using their information."

In the FinCEN study, of the 372 depository institutions reviewed - a mix of banks and credit unions of varying assets sizes - the majority of ID theft incidents, not surprisingly, were reported by the largest financial institutions.

Identity theft was the sixth most frequently reported characterization of suspicious activity, trailing money laundering, check fraud, mortgage-loan fraud, credit-card fraud, and counterfeit-check fraud. In the study, FinCEN defines identity theft as involving the theft and misuse of unique identifying information, such as financial account numbers, depository accounts, investments, loans, credit cards, online payment accounts, officially issued federal or state identification documents, and biometric information.

Impersonation of an actual person without consent also fell into the ID theft definition, whether that impersonation occurred in-person or through an electronic form or other medium.

The most important takeaway from the study, Summers says: The narrative section on the SAR, which provides the most critical information. "It is very key to the analysis," he says. "Since we added the identity theft box in 2003, we've used the narrative to tell law enforcement what happened; and the more information the banks can provide in the narrative, the more the regulators and law enforcement can do."

Please refer here to download the report.

Thursday, October 28, 2010

How to bypass iPhone’s passcode-protected lock screen?

Circumventing iPhone Security with the Push of A Button

A tech savvy iPhone user has posted a video demonstrating a new finding; there’s an easily executable and potentially serious flaw in the iPhone password security function. Under the right circumstances, a simple press of the iPhone’s lock button will allow a malicious user to bypass the phone’s password protection and enter into the main phone app. Here, anyone can view the phone’s call history and stored contacts and listen to voicemail.

Wired.com’s Threat Level blog reports that Apple has not yet commented on the bug.

For more details refer here.

Bug no iOS 4.1 from Salomão Filho on Vimeo.

Monday, October 25, 2010

Verizon report connects PCI non-compliance and data breaches

Verizon Business report shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches

A new Verizon Business report released today shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches. The results revealed that organizations that had suffered data breaches were 50% more likely to exhibit PCI non-compliance.

The report also ranked the top attack techniques used to steal payment card data. Remote access to systems via backdoors was the top attack, followed closely by SQL injection attacks. Poor authentication was also a problem, in particular, attackers exploiting default or easily guessable passwords to gain access to systems storing or processing payment data.

Further, 11% of companies met less than half of the requirements, while 22% met 100% of the requirements. The report also covers compensating controls, and determined that Requirement 3.4, which mandates that a primary account number (PAN) be unreadable, is the control most compensated for.

Quick Summary
  • 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.

  • On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.

  • Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).

  • Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.

  • Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.

  • Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.

  • Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
Please refer here to download the report.

Friday, October 22, 2010

NIST Scientists Offer Tips to Defeat Keyloggers

How to Beat Keyloggers

Keyloggers monitor and record keyboard use, including the information typed into a system, which might include the content of emails, usernames and passwords for local or remote systems and applications, as well as financial information like credit card numbers, Social Security numbers or PINs.

Some keystroke loggers require the attacker to retrieve the data from the system, whereas others actively transfer the data to another system through email, file transfer or other means.

NIST scientists identify three main types of keyloggers:

Hardware -- Tiny inline devices placed between the keyboard and the computer. Because of their size, they can go undetected for long periods of time. These devices have the power to capture hundreds of keystrokes, including banking and email username and passwords. But for the criminal, the threat of being caught breaching the machine is a deterrent.

Software -- This type of keylogging is done by using the Windows function SetWindowsHookEx that monitors all keystrokes. The spyware will usually appear packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx is capable of capturing even autocomplete passwords.

Kernel/driver -- This kind of keylogger is at the kernel level and receives data directly from the input device (typically a keyboard). It replaces the core software for interpreting keystrokes. This type of keylogger can be programmed to be virtually undetectable by being executed when the computer is turned on, before any user-level applications start. Since the program runs at the kernel level, one disadvantage to this approach it that it fails to capture autocomplete passwords, as this information is passed in the application layer.

Defending Against Keyloggers

There are several kinds of defenses that can be used to spot or prevent keyloggers from embedding on machines:

Physical Security -- The physical protection of the computer must be considered. Whether the computer is at home, in an office or during traveling, keeping the computer secure and making sure no one has access to it is a primary concern.

Application whitelisting -- is a way to prevent any software that isn't already approved or on the "white list" from being downloaded on to the computer. This is an emerging approach in combating viruses and malware. Application whitelisting tells the computer a list of software considered safe to run, and the machine is instructed to block all others.

Some experts see this approach as superior to the standard signature-based, anti-virus approach of blocking/removing known harmful software (essentially blacklisting), as the traditional approach generally means that exploits are already in the wild.

Detection Software -- Be careful where you go to on the Internet. Drive-by downloads from ads that have been laced with malware are being found now even on popular news sites - not just on the fringes.

At a minimum, at least have anti-virus and anti-spyware loaded, and make sure they're kept up to date. Again, buy from a reputable vendor.
Consider operating a "virtual" machine environment to browse the Internet.

Virtual machines -- are separated into two major categories, based on their use and degree of correspondence to any real machine. A system virtual machine provides a complete system platform that supports the execution of a complete operating system. The other type, a process virtual machine, is designed to run a single program. An essential characteristic of a virtual machine is that the software running inside is limited to the resources and abstractions provided by the virtual machine -- it cannot break out of its virtual world.

Future Trends

"Moving forward in the next 12-18 months, the major computer manufacturers will begin offering virtual machine technology. "We're going to see more consumer-friendly operating systems being designed by vendors that will limit malware by having the user on a virtual machine while on the Internet, and the 'home' environment separate.

Cloud-based whitelisting will also become more popular, making whitelisting more available.

Another advancement in the fight against keyloggers and other types of malware is the move by anti-virus vendors to set up reputation-based systems, which checks programs and tells the user whether it is legitimate or malicious.

The addition of a third component in the fight against malware is the use of operating systems and browsers that don't allow the malicious programs to be pushed down in the first place. By isolating and "sandboxing" the user's specific browsing session,
no software is downloaded to the user's computer.

Thursday, October 21, 2010

Advanced evasion techniques can bypass network security

After "APT", we now have "AET"

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.

Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic using these approaches before they can inspect payloads and block attacks.

Refer here to read more details.

Wednesday, October 20, 2010

Problems associated with elevated privileges

Least Privilege Security for Windows 7, Vista, and XP - Security

Russell Smith, renowned Windows security expert, discussed how adhering to the principle of least privilege can benefit the security of your environment, including reducing support incidents and improving user productivity. To attend the webinar, register for one of the following dates:

Least Privilege Security for Windows 7, Vista, and XP: Tuesday, November 2, 2010, 9:00 a.m. - 10:00 a.m. PDT

Least Privilege Security for Windows 7, Vista, and XP: Wednesday, December 1, 2010, 8:00 a.m. - 9:00 a.m. PST

In the webinar, Russell notes that running administrator-level privileges on desktop PCs increases total cost of ownership (TCO) by 36.3%. He also discusses the fact that although users tend to view security as restrictive, enforcing proper security measures actually benefits users because it helps meet their expectations for speed, reliability, and productivity.

Problems associated with elevated privileges include the following:
  • Malware—The more users running with elevated privileges, the greater the risk of infection.
  • Data leakage—Having more users with elevated privileges increases the chance of data loss.
  • Help desk costs—Giving users the right to change system configuration can lead to problems.
  • Unlicensed software—Users with admin privileges can install personal software, as well as unwittingly infect their systems by running fake antivirus software.
  • System/network slowdowns—Problems that users create on their own systems affect not only those systems but also the network.
  • Elevated privileges allow users to circumvent the management controls that are designed to protect systems and networks.

Monday, October 18, 2010

Facebook improving its security or increasing users concern on privacy?

Facebook Introduces OTP (One-time Password) Functionality

Facebook began rolling out new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password.

Instead, users can login with a one-time password that, upon request, Facebook zaps to their mobile phones. The temporary access code is good for 20 minutes only. The new feature is designed to prevent account compromises that result when credentials are entered into machines that have been compromised by keyloggers and similar types of malware.

“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” Jake Brill, a Facebook product manager, blogged here. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

A lot of banks use a similar system labeled as a TAC (Transaction Authorisation Code) or similar when you want to carry out a transaction which involves moving money out from your account (bill payment, fund transfers etc).

The other new security related features are remote log-out, which Gmail from Google has had forever – if you didn’t know about the feature just scroll to the very bottom of the Gmail window and you’ll see something like this:

This account is open in 1 other location (xxx.xxx.xxx.xxx).
Last account activity: 2 hours ago on this computer. Details

To use the service, users must first configure their accounts to work with a designated mobile phone number. When they text “otp” to 32665, they should immediately receive a password that’s good for the next 20 minutes. The feature is available to select Facebook users for now. Over the next few weeks, it will gradually become available to everyone

Saturday, October 16, 2010

Microsoft Security Intelligence Report - Volume 9

Most attackers use social engineering techniques to trick you into installing malware

US leads the world in numbers of Windows PC’s that are part of botnet. More than 2.2 million US PCs were found to be part of botnet. Brazil had the second highest level of infections at 550,000.

Infections were highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets

Key Findings Current Threat Overview

The Microsoft Security Intelligence Report (SIR) is a comprehensive evaluation of the evolving threat landscape and trends. The information can help you make sound risk-management decisions and identify potential adjustments to your security posture. Data is received from more than 600 million systems worldwide and internet services.

Volume 9 of the Security Intelligence Report covers the first half of 2010 (January 1 - June 30)
and is divided into five sections:
  • Featured Intelligence for Volume 9 focuses on botnets and how to combat the threat.
  • Key Findings reveals data and trends analysis captured by Microsoft security analysts.
  • Reference Guide provides definitions for discussion points covered in the Key Findings.
  • Managing Risk recommends techniques to protect your organization, software, and people.
  • Global Threat Assessment looks at botnet and malware infection rates worldwide.
  • Infection rates for Windows 7 are lower than its desktop predecessors.
  • Most attackers use social engineering techniques to trick you into installing malware.
  • Stolen equipment remains the most frequent type of security breach incident.
Please refer here to download the report.

Wednesday, October 13, 2010

Security of Infrastructure Control Systems for Water and Transport

Audit finds Vic SCADA systems vulnerable

The auditor criticised (PDF) the state's water organisations for failing to secure critical water infrastructure against network threats.

Unprotected Supervisory Control and Data Acquisition (SCADA) systems are at risk from network attacks that may target critical infrastructure including electricity and water supplies. The still active and now infamous Stuxnet worm.

The report stated that Victoria's water agencies lack an effective means to manage or avert the risks posed to central infrastructure control systems. It says the security of SCADA systems is inadequate and must be upgraded to meet the threats posed by networked environments, which had not previously been a consideration when the systems were offline and isolated.

I recommend all control systems's operator to download this report, as this report have some interesting findings and recommendations which can be applied in other control systems environment as well.

Read more details from here.

Tuesday, October 12, 2010

Mobile platform can also be the next Advanced Persistent Threats (APT) target?

OR part of the factor/contributor in the cyber ecosystem?

Mobile malware that affects Symbian Series 60 handsets is being used to create a botnet.

Pirated versions of 3D Anti-terrorist action, a first-person shooter developed by Beijing Huike Technology in China, and uploaded onto several Windows Mobile freeware download sites, come with a nasty add-on courtesy of Russian virus writers.

Compromised phones start attempting to silently make expensive international calls without user involvement, as reported in a thread on the XDA-Developers' forum, featuring the experience of a UK victim of the Trojan.

Read this interesting news here.

Monday, October 11, 2010

440 million new hackable smart grid points

How to Hack the Power Grid for Fun and Profit

By the end of 2015, the potential security risks to the smart grid will reach 440 million new hackable points. Billions are being spent on smart grid cybersecurity, but it seems like every time you turn around, there is yet another vulnerability exposing how to manipulate smart meters or power-grid data.

At the IEEE SmartGridComm2010 conference, Le Xie, Texas A&M University's assistant professor of electrical and computer engineering, gave examples of how attackers could hack the power grid for fun and profit. I quote from the reference:

According to the Lockheed Martin smart grid expert, there are three worst case scenarios for the 3,200 utilities in the U.S:

  1. Someone, a neighborhood kid or a person in another country, might turn off the power to a hospital or neighborhood in the middle of night.

  2. Voltage control devices could be hacked, turned up and down so that the voltage zaps computers, high-definition TVs or other voltage-sensitive equipment.

  3. "If you can cause rapid problems in the grid to occur in the right places at scheduled times, you could destabilize the whole grid, black out whole cities or states and cause massive damage." He added that some devices aren't available in the U.S. and could take two years to get a replacement.

Refer here to read more.

Sunday, October 10, 2010

Protect Yourself from Migration Fraud

Online help for immigrants

IMMIGRANTS planning a move to Australia have been warned of scams that leave them broke and without a visa. Immigration Minister Chris Bowen has launched a new online tool to help keep potential immigrants on the right path.

"It is vital that people are aware of fraudsters' tricks before handing over money for immigration assistance which is never provided," quote from his statement.

The Protect Yourself from Migration Fraud information kit includes victims' stories, tips for staying safe online, help with identifying non-genuine websites and fake emails and links to other resources. Mr Bowen said the most widespread scam involved online registration and the provision of a credit card number.

Saturday, October 9, 2010

A government-produced worm that may be aimed at an Iranian nuclear plant?

The Story Behind The Stuxnet Virus

Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

The Stuxnet computer worm that appears aimed at undermining Iran's nuclear program is part of a worsening phenomenon. Half of all companies running "critical infrastructure" systems worldwide say they have sustained politically motivated attacks.

A global survey of such attacks – rarely acknowledged in public because of their potential to cause alarm – found companies estimated they had suffered an average of 10 instances of cyber war or cyber terrorism in the past five years at a cost of $US850,000 ($880,000) a company.

After going through quite few articles and news, here are some interesting and useful links I would like to share which help you to understand the Stuxnet Worm.

F-Secure - Stuxnet Questions and Answers
ICSA Labs - Stuxnet Worm: Facts First
Bruce Schneier's Commentary - The Story Behind The Stuxnet Virus
Sydney Morning Herald - Mystery computer worm part of a global cyber war

Ralp Langner - Stuxnet Logbook *Updated*

Thursday, October 7, 2010

Smart grid security: Critical success factors

Security is paramount in any smart grid deployment and should be embeded into the end-to-end architecture and deployment of intelligent networks

Threats to the smart grid can be classified into three broad groups: System level threats that attempt to take down the grid; attempts to steal electrical service; and attempts to compromise the confidentiality of data on the system.

It’s often assumed that security threats come exclusively from hackers and other individuals or outside groups with malicious intent. Staff and other “insiders” also pose a risk, however, because they have authorised access to one or more parts of the system. Insiders know sensitive pieces of information, such as passwords stored in system databases, and have access to a secure perimeter, cryptographic keys, and other security mechanisms that are targets of compromise. And not all security breaches are malicious; some result from accidental misconfigurations, failure to follow procedures, and other oversights.

An effective security strategy for smart grids needs to be end-to-end. This means that security capabilities need to be layered such that defence mechanisms have multiple points to detect and mitigate breaches. These capabilities also need to be integral to all segments of intelligent network infrastructure and address the full set of logical functional requirements, including:

Physical security

Examining the security of SCADA Networks, we always found lack of evidence in regards to physical security. The first thing to consider for securing a smart grid is keeping the intruders off the premises. A physical security solution needs to include capabilities for video surveillance, cameras, electronic access control, and emergency response. These functions need to be flexible enough to integrate and converge onto the IP backbone. The secure and smooth interoperability enables centralized management and control, monitoring and logging capabilities, and rapid access to information. This reduces the amount of time it takes facilities personnel and operations teams to respond to incidents across the grid.

Indentity and access control policies

Knowing who is on the grid is a vital element to the overall security strategy. Today, we see various user groups that have a reason to be on the network, including employees, contractors, and even customers. Access to these user groups, be it local or remote, should be granular, and authorization should only be granted to 'need to know' assets.

For example, an employee can have access to a specific grid control system, while a contractor only has access to a timecard application, and a customer has Internet-enabled access that allows that customer to view energy consumption and bills online.

Identity should be verified through strong authentication mechanisms. Passwords must be strong, attempts must be logged, and unauthorised attempts should be logged. We should implement a 'default deny' policy whereby access to the network is granted only through explicit access permissions. Furthermore, all access points should be hardened to prevent unauthorised access, and only ports and services necessary for normal operation should be enabled.

Hardened network devices and systems

The foundation of effective security architecture is the protection of the infrastructure itself. A system is only as strong as its weakest link and core elements—the routers and switches—can represent vulnerabilities and access methodologies if not properly protected. If these devices are compromised, they can be used to disrupt grid operations through denial-of-service (DoS) attacks or worse used to gain access to more vital control systems.

For example, routers can be shipped with factory default passwords and basic remote access such as Telnet and HTTP services turned on. Network administrators might neglect to change these settings, unknowingly providing an easy entry point into their domain. These best practices address the steps that keep intruders off the devices and help to make sure of a secure environment.

Threat defence

A comprehensive threat defence strategy is required to broadly cover the different vulnerabilities that a smart grid network can face. Despite discrete functional zones and clear segmentation, it is often difficult to anticipate what form a new threat might take. Care should be taken to apply security principles broadly across the entire infrastructure to build an effective, layered defence:

DoS attacks can debilitate the functionality of the grid. DoS attacks sourcing from the Internet should not have any effect on the control systems due to network segmentation and access control.

Host protection in the form of antivirus capabilities along with host-based intrusion prevention is required to protect critical client systems, servers, and endpoints. Host protection should be kept up to date with patch management controls to make sure that the latest threat intelligence and signature updates are in place.

Network intrusion prevention system (IPS) technologies should augment the host-based defenses. An IPS should be used to identify external threats attempting to enter the infrastructure, as well as stop any attempts at internal propagation.

Vulnerability assessments must be performed at least annually to make sure that any elements that interface with the perimeter are secure.

In some instances, user action can open potential vulnerabilities to the system. As such, awareness programs should be put in place to educate the network users—employees, contractors, and guests alike—about security best practices for using network-based tools and applications.

Data protection for transmission and storage

Because of the different entities that make up a grid, it is important to think about how data is protected as it is transmitted and stored.
  • Implement firewall functionality that enforces access policies between different network segments, either logical or physical
  • Support VPN architectures that apply encryption algorithms to make sure of secure and confidential data transmission
  • Allow for host encryption and data storage security capabilities to protect critical assets on servers and endpoints
  • Provide granular access control to sensitive data at the application level
  • Provide ubiquitous security across both wired and wireless connections in a consistent manner
Real-time monitoring, management, and correlation

For ongoing maintenance and tighter control, it is important to have the ability to monitor events at a granular level. Over the lifespan of any complex system, events occur. Some of these events might be the result of a security incident, and some might simply be 'noise', but it is important for the system to detect those events, generate alerts, and apply intelligence so that more informative and intelligent decisions can be made.

This level of visibility can show which network elements are being targeted, which network elements might be vulnerable, and what type of corrective action needs to take place. This is a requirement for any successful security strategy.

Tuesday, October 5, 2010

Phishing has always been attractive to criminals

Zeus-Based Scam

Last week arrests of 19 people in London has Scotland Yard's special electronic crimes unit unraveling what appears to be a online banking scheme that stole at least $9 million from thousands of banking customer accounts.

Police say that for the last three months the accused criminals, 15 men and four women, infected the customers' computers with a Trojan computer virus known as Zeus, designed to steal banking credentials from unsuspecting users. The $9 million taken may go higher as the investigation continues. Another 37 arrests in the U.S. happened on Thursday.

In November, Scotland Yard arrested a man and a woman in Manchester after they were accused of infecting computers with malware similar to Zeus. At the time, police said the two were the first people to be arrested on suspicion of using this type of malware to steal money from bank accounts. Police and malware researchers warn that Zeus, also known as Zbot, is a worldwide threat. It's attacks have increased in number, and the sophistication of attacks is increasing as well.

In May, the Anti Phishing Working Group released a report showing that Avalanche, the same electronic crime syndicate behind two-thirds of the phishing attacks detected in the last half of 2009, was linked to a rash of incidents targeting small and mid-size businesses. Avalanche successfully targeted some 40 banks and online service providers, as well as vulnerable or non-responsive domain name registrars and registries.

The individuals and businesses were hit with the Zeus Trojan, which was embedded in the phishing e-mails. Businesses that were attacked then became victims of fraudulent automated clearing house and wire transactions, as the criminals posed as employees of the business, moving thousands of dollars to overseas locations.

Banks must implement a dual strategy: increased controls and detection at their servers and deployment of secure endpoints and strong authentication to customers.

Saturday, October 2, 2010

Maltego 3 - Quick and Effective Information Gathering Tool

Maltego is a one-stop resource for carrying out foot-printing and passive analysis

Maltego is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing.

Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it’s a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.
  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.

  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.

  • Maltego provide you with a much more powerful search, giving you smarter results.

  • If access to "hidden" information determines your success, Maltego can help you discover it.

Please refer here for detailed explanation, here for its documentation and here to download.

Friday, October 1, 2010

Securing our Confidential Information

How to protect confidential information?

Even when an organisation has state-of-the-art technology, strict security policies, and a highly skilled IT staff to manage policies, some organisations are not as secure as they could be. In fact, a recent survey conducted at Interop New York 2010 showed 40 percent of IT managers surveyed reported that their organisation had experienced at least one security breach in the last year.

Protecting confidential information plays a key part in suitability of any organization. With the proliferation of critical information in digital format, the risks of a security breach have increased, both to the company and individuals.

We've all seen media reports highlighting a leak of customer personal information like ID numbers, account data, credit-card information, addresses, customer information etc. The identity theft can be devastating to the individual and both embarrassing and costly to the company where the confidential data leak occurred.

The 2009 Australian Cost of a Data Breach study, conducted by US-based Ponemon Institute on behalf of data encryption specialist PGP, examined the actual financial losses incurred by 16 organisations from different industry sectors following a data loss, with breaches ranging from around 3300 to 65,000 lost or stolen records.

Other key findings in the study:

Ø Organized crime is now going after corporate data.

Ø Data breaches are now being caused by malware.

Ø Increased use of mobile devices is leading to increasing data security issues.

Ø Third-party mistakes with outsourced data were involved in 42% of the breaches.

Confidential information is not only restricted to customer or employee personal information, though that is important. It also applies to intellectual property that generates the tactical and strategic competitive advantage.

Employees can unknowingly pose security risks to the organisation they work for in a number of ways:

Ø Poorly designed passwords may increase the risk of network attack.

Ø Improper handling of confidential documents can lead to the loss of proprietary information.

Ø Leaving the confidential documents unattended on the desk and photo copier.

Ø Sharing the confidential information with friends, relatives and sometimes strangers knowingly or unknowingly.

Ø Falling prey to a social engineering attack may lead an employee to divulge confidential information.

How to protect confidential information?

Ø Never leave documents out even if they will only be away from your desk a short time. Just open the secure drawer and lock it. It is a habit every employee needs.

Ø If you are shipping sensitive data off-site use a secure package and a shipping method that allows you to track the package.

Ø Employees with company laptops should secure them in their car and in their home.

Ø Encourage employees to use strong passwords, the longer and more sophisticated the better.

Ø Never open an email attachment from someone you do not know. Even if they know the person employees should always be wary of attachments.

Ø A study last year found that 67% of employees use removable media such a personal USB thumb drives at work. Not only does this put our IT systems at risk from a potential virus but also increase the risk of data-leakage.

Thursday, September 30, 2010

Stuxnet - First worm to control the inner workings of industrial plants

Who funded virus attack on Iran Nuclear plants

A cyber worm burrowing into computers linked to Iran's nuclear programme has yet to trigger any signs of major damage, but it was likely spawned either by a government or a well-funded private group, according to a new analysis.

The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec Corp. Government experts and outside analysts say they haven't been able to determine who developed the malware or why.

Stuxnet, which is attacking industrial facilities around the world, was designed to go after several "high-value targets," said Liam O Murchu, manager of security response operations at Symantec. But both O Murchu and US government experts say there's no proof it was specifically developed to target nuclear plants in Iran, despite recent speculation from some researchers.

The Stuxnet worm infected the personal computers of staff working at Iran's first nuclear power station just weeks before the facility is to go online, the official Iranian news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.

It was the first clear sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has affected equipment linked to the country's controversial nuclear programme. The US has been pressing international partners to threaten stiff financial sanctions against Tehran goes ahead with its nuclear program.

The Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss."

Tuesday, September 28, 2010

Stuxnet worm created by team of hackers

Governments with sophisticated computer skills would have the ability to create such a code

A POWERFUL computer code attacking industrial facilities around the world, but mainly in Iran, was probably created by experts working for a country or a well-funded private group.

The malicious code, called Stuxnet, was designed to go after several "high-value targets," Liam O Murchu, manager of security response operations at Symantec Corp, said.

It has surprised experts because it is the first one specifically created to take over industrial control systems, rather than just steal or manipulate data. Creating the malicious code required a team of as many as five to 10 highly educated and well-funded hackers. Government experts and outside analysts say they haven't been able to determine who developed it or why.

The malware has so far infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said it has infected 15 of the industrial control plants it was apparently intended to infiltrate.

One of them is Iran's first nuclear power station at Bashehr, just weeks before the facility is to go online. The US Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss".

The Russian-built plant will be internationally supervised, but world powers are concerned that Iran wants to use other aspects of its civil nuclear power program as a cover for making weapons.

Of highest concern to world powers is Iran's main uranium enrichment facility in the city of Natanz. Iran, which denies having any nuclear weapons ambitions, says it only wants to enrich uranium to the lower levels needed for producing fuel for power plants.

At higher levels of processing, the material can also be used in nuclear warheads. The computer worm, which can be carried or transmitted through portable thumb drives, has affected the personal computers of staff working at the plant.

Iranian news agency ISNA said it has not yet caused any damage to the plant's major systems. Experts from the Atomic Energy Organization of Iran met this past week to discuss how to remove the malware, according to the semiofficial ISNA news agency.

Source: News.com.au

Monday, September 27, 2010

Stuxnet worm infected at least 30,000 Windows PCs

Iran confirms massive Stuxnet infection of industrial systems

Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday. Experts from Iran's Atomic Energy Organization also reportedly met this week to discuss how to remove the malware.

Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus. A month later Microsoft acknowledged that the worm targeted Windows PCs that managed large-scale industrial-control systems in manufacturing and utility companies.

Those control systems, called SCADA, for "supervisory control and data acquisition," operate everything from power plants and factory machinery to oil pipelines and military installations.

Refer here to read more details.

Friday, September 24, 2010

Threats on Several Fronts

Old vulnerabilities may reappear in several ways

The security threats to business are real and relevant. No longer are they simply predictions about attackers using personally identifiable information sometime in the future. Breaches are occurring regularly. Recently, worms have been released to harvest computers for malicious activities. In addition, prominent companies have been hit by targeted backdoor data breaches.

Although the frequency of attacks is escalating, most corporate directives are to reduce costs, cut vendors and minimize the overall complexity of security. At first glance, it seems that companies cannot do both: They cannot improve their security posture without adding new tools and headcount.

The best approached security is part of a total business strategy. Security as an afterthought stops business activity, but security built into the fabric of the business enables activity. It is quite common that old vulnerabilities may reappear in several ways:
  • After a data failure, a system is restored from an old backup that is missing current security patches.

  • A vendor adds new functions to a popular software application by incorporating code from other packages, but fails to identify the classic application logic flaws in the original application.

  • A software package encapsulates or repurposes components from a third party. At some point, the third party releases security fixes for the component. Because the authors of the main software package are unaware of the update, they fail to provide customers with the necessary fixed.

  • Embedded and certified systems may contain older operating systems or applications for simplicity and stability reasons (such as the operating system on a multifunction printer). Such systems are either forgotten or neglected because they are so difficult to update.

What can Security managers Do?

In response, security managers are putting network intrusion prevent devices in front of their servers. These contain current virus signatures and are updated with signatures describing new vulnerabilities and attacks. At the application level, there are lot more use of scanning tools that are updated weekly to look for potential vulnerabilities.

But companies also should heed the potential of Web 2.0 and the spread of computing capabilities and access among customers. The real question can be: "How do we protect our customers' customers? As companies provide access their customers, you have to ask what operating systems the customers are using. What's the status of the browsers they're using? It becomes tougher for companies to protect themselves from potential vulnerabilities on machines they don't own or control.

The use of more-advanced heuristic malware engines are highly recommended. Instead of using a one-for-one protection model that looks for specific virus signatures, these engines can be used to protect companies from entire classes of malware because they look for behavior rather than specific code. So they identify the behavior of both old and new vulnerabilities. These engines will continue to perform whether 100 or 100,000 new vulnerabilities are discovered.

Tuesday, September 21, 2010

Characteristics of Good IT Governance

Implementing effective IT governance continues to be a challenge

IT governance is about ensuring that the organisation's resources are used the right way to create value while managing IT risks. The Val-T framework from the IT Governance Institute helps address these challenges. The four "Ares" are the core of Val-IT framework. This is a sound framework which helps organisations ensure IT efforts are aligned and IT continues to deliver value.

1) Are we doing the right things?

To quote Peter Drucker: "There is nothing so useless as doing efficiently that which should not be done at all". This is the question about should we be doing something at all. It ensures strategic alignment between business and IT. Is what we are trying to do fit with the organisations vision and strategy? Is it consistent with the business principles?

2) Are we doing them the right way?

This is the question about architecture and standards. Is what we are doing conform to the architecture and process?

3) Are we getting it done well?

This is the question about the execution. Do we have the disciplined delivery and change management processes? Do we have the right skilled resources and are we managing them well? How does our performance measure up to others? Are we effectively managing risks?

4) Are we getting the benefits?

This is a question about realising value from investments in IT/projects. Are we clear about the benefits? Do we have metrics? Is the accountability for the benefits clearly defines?

Characteristics of Good IT Governance
  • IT investments and decisions are assessed in a manner similar to business investments and IT is managed as a strategic asset. This means there is top management participation in key IT decisions. There is board oversight of IT investments and executives are held accountable for realising benefits.

  • IT is essential part of corporate planning and strategic planning. IT understands the business dynamics and contributes to the development of business strategy, which is interlinked to IT strategy. IT and business work together to identify opportunities.

  • Top IT risks are considered within the enterprise risk management framework. Risks such as data protection, IT security and business continuity receive periodic board oversight.

  • IT performance is regularly measured and compared with peers and best practice.

  • How decisions are made and why, is well understood and outcomes are clearly and formally communicated to the stakeholders. Formal exception processes are established and promote transparency as well as allowing organisational learning.