Thursday, September 30, 2010

Stuxnet - First worm to control the inner workings of industrial plants

Who funded virus attack on Iran Nuclear plants

A cyber worm burrowing into computers linked to Iran's nuclear programme has yet to trigger any signs of major damage, but it was likely spawned either by a government or a well-funded private group, according to a new analysis.

The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec Corp. Government experts and outside analysts say they haven't been able to determine who developed the malware or why.

Stuxnet, which is attacking industrial facilities around the world, was designed to go after several "high-value targets," said Liam O Murchu, manager of security response operations at Symantec. But both O Murchu and US government experts say there's no proof it was specifically developed to target nuclear plants in Iran, despite recent speculation from some researchers.

The Stuxnet worm infected the personal computers of staff working at Iran's first nuclear power station just weeks before the facility is to go online, the official Iranian news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.

It was the first clear sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has affected equipment linked to the country's controversial nuclear programme. The US has been pressing international partners to threaten stiff financial sanctions against Tehran if it goes ahead with its nuclear program.

The Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss."

Tuesday, September 28, 2010

Stuxnet worm created by team of hackers

Governments with sophisticated computer skills would have the ability to create such a code

A POWERFUL computer code attacking industrial facilities around the world, but mainly in Iran, was probably created by experts working for a country or a well-funded private group.

The malicious code, called Stuxnet, was designed to go after several "high-value targets," Liam O Murchu, manager of security response operations at Symantec Corp, said.

It has surprised experts because it is the first one specifically created to take over industrial control systems, rather than just steal or manipulate data. Creating the malicious code required a team of as many as five to 10 highly educated and well-funded hackers. Government experts and outside analysts say they haven't been able to determine who developed it or why.

The malware has so far infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said it has infected 15 of the industrial control plants it was apparently intended to infiltrate.

One of them is Iran's first nuclear power station at Bushehr, infected just weeks before the facility is to go online. The US Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss".

The Russian-built plant will be internationally supervised, but world powers are concerned that Iran wants to use other aspects of its civil nuclear power program as a cover for making weapons.

Of highest concern to world powers is Iran's main uranium enrichment facility in the city of Natanz. Iran, which denies having any nuclear weapons ambitions, says it only wants to enrich uranium to the lower levels needed for producing fuel for power plants.

At higher levels of processing, the material can also be used in nuclear warheads. The computer worm, which can be carried or transmitted through portable thumb drives, has affected the personal computers of staff working at the plant.

The semiofficial Iranian news agency ISNA said the worm has not yet caused any damage to the plant's major systems. Experts from the Atomic Energy Organization of Iran met this past week to discuss how to remove the malware, the agency reported.


Monday, September 27, 2010

Stuxnet worm infected at least 30,000 Windows PCs

Iran confirms massive Stuxnet infection of industrial systems

Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday. Experts from Iran's Atomic Energy Organization also reportedly met this week to discuss how to remove the malware.

Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus. A month later Microsoft acknowledged that the worm targeted Windows PCs that managed large-scale industrial-control systems in manufacturing and utility companies.

Those control systems, called SCADA, for "supervisory control and data acquisition," operate everything from power plants and factory machinery to oil pipelines and military installations.

Friday, September 24, 2010

Threats on Several Fronts

Old vulnerabilities may reappear in several ways

The security threats to business are real and relevant. No longer are they simply predictions about attackers using personally identifiable information sometime in the future. Breaches are occurring regularly. Recently, worms have been released to harvest computers for malicious activities. In addition, prominent companies have been hit by targeted backdoor data breaches.

Although the frequency of attacks is escalating, most corporate directives are to reduce costs, cut vendors and minimize the overall complexity of security. At first glance, it seems that companies cannot do both: They cannot improve their security posture without adding new tools and headcount.

The best approach treats security as part of a total business strategy. Security as an afterthought stops business activity, but security built into the fabric of the business enables it. Old vulnerabilities commonly reappear in several ways:
  • After a data failure, a system is restored from an old backup that is missing current security patches.

  • A vendor adds new functions to a popular software application by incorporating code from other packages, but fails to identify the classic application logic flaws in the original application.

  • A software package encapsulates or repurposes components from a third party. At some point, the third party releases security fixes for the component. Because the authors of the main software package are unaware of the update, they fail to provide customers with the necessary fixes.

  • Embedded and certified systems may contain older operating systems or applications for simplicity and stability reasons (such as the operating system on a multifunction printer). Such systems are either forgotten or neglected because they are so difficult to update.

What Can Security Managers Do?

In response, security managers are putting network intrusion prevention devices in front of their servers. These contain current virus signatures and are updated with signatures describing new vulnerabilities and attacks. At the application level, there is much greater use of scanning tools that are updated weekly to look for potential vulnerabilities.

But companies also should heed the potential of Web 2.0 and the spread of computing capabilities and access among customers. The real question can be: "How do we protect our customers' customers?" As companies provide access to their customers, they have to ask what operating systems the customers are using and what the status of their browsers is. It becomes tougher for companies to protect themselves from potential vulnerabilities on machines they don't own or control.

The use of more-advanced heuristic malware engines is highly recommended. Instead of using a one-for-one protection model that looks for specific virus signatures, these engines can protect companies from entire classes of malware because they look for behavior rather than specific code, so they identify malware exploiting both old and new vulnerabilities. These engines will continue to perform whether 100 or 100,000 new vulnerabilities are discovered.

Tuesday, September 21, 2010

Characteristics of Good IT Governance

Implementing effective IT governance continues to be a challenge

IT governance is about ensuring that the organisation's resources are used the right way to create value while managing IT risks. The Val IT framework from the IT Governance Institute helps address these challenges. The four "Ares" questions are the core of the Val IT framework. It is a sound framework which helps organisations ensure IT efforts are aligned and IT continues to deliver value.

1) Are we doing the right things?

To quote Peter Drucker: "There is nothing so useless as doing efficiently that which should not be done at all". This is the question of whether we should be doing something at all. It ensures strategic alignment between business and IT. Does what we are trying to do fit with the organisation's vision and strategy? Is it consistent with the business principles?

2) Are we doing them the right way?

This is the question about architecture and standards. Does what we are doing conform to the architecture and process?

3) Are we getting it done well?

This is the question about the execution. Do we have the disciplined delivery and change management processes? Do we have the right skilled resources and are we managing them well? How does our performance measure up to others? Are we effectively managing risks?

4) Are we getting the benefits?

This is a question about realising value from investments in IT and projects. Are we clear about the benefits? Do we have metrics? Is the accountability for the benefits clearly defined?

Characteristics of Good IT Governance
  • IT investments and decisions are assessed in a manner similar to business investments and IT is managed as a strategic asset. This means there is top management participation in key IT decisions. There is board oversight of IT investments and executives are held accountable for realising benefits.

  • IT is an essential part of corporate planning and strategic planning. IT understands the business dynamics and contributes to the development of business strategy, which is interlinked with IT strategy. IT and business work together to identify opportunities.

  • Top IT risks are considered within the enterprise risk management framework. Risks such as data protection, IT security and business continuity receive periodic board oversight.

  • IT performance is regularly measured and compared with peers and best practice.

  • How decisions are made and why, is well understood and outcomes are clearly and formally communicated to the stakeholders. Formal exception processes are established and promote transparency as well as allowing organisational learning.

Monday, September 20, 2010

Steps for Better IT Governance

Towards better IT Governance

Improving governance in organisations is a strategic change process. There is no silver bullet. Governance is not just a new process but it also needs a new mindset and behaviours at senior levels of both IT and business.

The established power centres within organisations do not always welcome greater transparency and accountability. Experience suggests that strong support from CEO and CIO and gradual increase in governance maturity usually works better than constant tinkering.

Here are ten steps for improving IT governance:
  1. Visible and active top management commitment is absolutely critical for the success of any governance initiative. Governance is a disciplined approach. There must be consequences for all the executives for non-compliance.

  2. Treat governance as a change program requiring resources and commitment. It must have visible benefits for it to be considered successful. Also, consider the organisation's culture, the resources available and the capacity for change. Establish credible goals, and measure and communicate the benefits.

    If IT is struggling to deliver reliable service, or has a poor track record of customer service or project delivery, focus the governance efforts on addressing these burning issues rather than going for lofty goals such as strategy alignment.

  3. Use recognised frameworks for the governance initiative. There are a number of frameworks, such as COBIT, ITIL and others.

  4. Transparency of decision making and reporting gives governance its potency. Transparency, whether in business cases, standards compliance or project health reports, creates trust and creates peer pressure to address the issues identified or to question unusual decisions.

  5. Create a formal process for handling exceptions. Then report on the percentage of exceptions and the key reasons for them. Maybe the standard is inappropriate or the enforcement is poor. Openly discuss and address this.

  6. Encourage peer group consensus at each governance tier and avoid escalations to higher levels. This will build trust and sense of compromise within the framework of good governance.

  7. Where possible align with the corporate governance mechanisms. Most companies would have risk management, investment management, and crisis or business continuity management mechanisms. Align IT with this where possible.

  8. Educate senior management on the benefits of IT governance as well as on new technologies and challenges so that they can participate in an informed manner in key technology-related decisions. Lack of technological knowledge should not be an excuse for executives not to participate in key technology investment decisions.

  9. Build accountability for benefits realisation in the business case itself. This will encourage active interest in delivery governance.

  10. Avoid clogging the IT steering committee with technical or architectural details. Address the technical details at a technical forum and report only on compliance or non-compliance/risk to the top team. The top team can then focus on "is this the right thing to be doing or investing in" rather than "how".

Friday, September 17, 2010

Beware: Old-style email worm spreading

“Here you have” email worm spreads

An old-style email worm was spreading Thursday, antivirus vendors reported. The malware, named “Here you have” for the message it carries in the subject line, includes a link that appears to be a PDF file but instead is a malicious program, according to McAfee.

If someone clicks on the link, the malware sends itself to all the contacts in the recipient’s address book and tries to disable security software. The worm harkens back to the “I LOVE YOU” virus that inundated email boxes 10 years ago. In fact, the Anna Kournikova mass-mailer from 2001 also used “Here you have” in its subject line.

ABC News reported that it was hit by the new worm, along with NASA, Wells Fargo, Comcast and Disney. McAfee rated the malware as a medium risk.
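
The lure described above, a link that is shown as a PDF but actually points at a program, can be flagged at the mail gateway. The following is an added example, not code from the post or from McAfee; the sample messages, hostnames and the list of executable extensions are constructed assumptions.

```python
"""Flag e-mails whose link is dressed up as a PDF but points at a program.

Added example, not part of the original post: it checks the two indicators
the post describes, the "Here you have" subject line and a link that looks
like a PDF while its real target is an executable. The sample messages,
hostnames and the executable-extension list are constructed assumptions.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions Windows treats as programs when opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Subject lines the post reports this worm using.
SUSPECT_SUBJECTS = {"here you have"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href, text):
    """Return the reasons one link looks like a disguised program."""
    reasons = []
    target = urlparse(href)
    filename = os.path.basename(target.path)
    real_ext = os.path.splitext(filename)[1].lower()
    # The link advertises a PDF through its anchor text or through a
    # double extension such as report.pdf.scr; the last extension wins.
    claims_pdf = ".pdf" in text.lower() or ".pdf" in filename.lower()
    if real_ext in EXECUTABLE_EXTS:
        if claims_pdf:
            reasons.append("shown as PDF but target is %s" % real_ext)
        else:
            reasons.append("target is a program (%s)" % real_ext)
    # Anchor text that is itself a URL on another host is a classic
    # mismatch: the user sees one address and is sent to another.
    if text.lower().startswith(("http://", "https://")):
        if urlparse(text).hostname != target.hostname:
            reasons.append("visible URL host differs from real target")
    return reasons


def triage_message(subject, html_body):
    """Score one message: (number of indicators, list of reasons)."""
    reasons = []
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        reasons.append("subject matches known worm lure")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        reasons.extend(link_findings(href, text))
    return len(reasons), reasons


# Constructed sample messages; all hosts are placeholders.
WORM_SAMPLE = (
    "Here you have",
    '<p>Hello, the document you asked for is '
    '<a href="http://files.example.invalid/Document21.pdf.scr">here</a>.</p>',
)
MISMATCH_SAMPLE = (
    "Invoice",
    '<p><a href="http://other.example.invalid/inv.exe">'
    'http://docs.example.invalid/inv.pdf</a></p>',
)
BENIGN_SAMPLE = (
    "Q3 report",
    '<p>Attached: <a href="https://docs.example.invalid/q3.pdf">q3.pdf</a></p>',
)

if __name__ == "__main__":
    for subj, body in (WORM_SAMPLE, MISMATCH_SAMPLE, BENIGN_SAMPLE):
        score, why = triage_message(subj, body)
        print("%-14s %d %s" % (subj, score, why))
```

A score of two or more is a reasonable quarantine threshold; a single hit (an unknown program link with a neutral subject) is better routed to analyst review than blocked outright.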

Thursday, September 16, 2010

Companies are still not applying adequate controls

Protecting applications and databases key to IT security

The most effective data security approach involves technology to protect applications and databases alongside traditional approaches, a study has revealed.

The conclusion is based on a survey of over 1,000 IT security professionals at multinational companies by security firm Imperva and security research firm Securosis.

Respondents rated web application firewalls, network data loss prevention, full disk encryption, server hardening, and endpoint data protection as the most successful technologies in reducing the number of data breaches.

Malicious intentions are behind 62% of data theft, with insider breaches comprising 33% and hackers 29%, while the remaining breaches were accidental, the survey found.

Nearly two-thirds of organisations either do not know whether they suffered any data breaches, or said they had not experienced any.

Of those companies that were hit by data breaches, 27% saw a decline in breaches, while 46% reported the same number of breaches as the previous year. This survey illustrates that data security as a practice is maturing. The survey is available online to enable security professionals to compare their data security practices with other survey respondents.

Tuesday, September 14, 2010

Google Instant may end-up infecting your machine

Malicious Search Suggestions with Google Instant

Google launched its streaming search engine yesterday called Google Instant, which provides people with instant, real-time search results, and also opens the doors to search engine optimisation (SEO) poisoning and other problems.

The problem comes from hackers who create malware or fake antivirus programs and then manage to poison Google's search results in order to get their software high on the list. This is often called blackhat SEO, as it uses traditional SEO tactics but for malicious reasons. All search engines, but Google in particular, are at risk of blackhat SEO, and that is not a new problem.

However, because Google Instant literally searches for everything as you type, you could be forced into a situation where you are unwittingly searching for rogueware. "As a test, I thought I'd search for 'antivirus' and see what suggestions came up. Lo and behold, Antivir Solution Pro, a well-known rogueware infection, was amongst the suggested search terms," said Sean-Paul Correll, threat researcher at PandaLabs and founder of the Malware Database.

For those who are not familiar with the rogueware, they may consider it legitimate, download and install it, resulting in their computer being infected. The fact that the rogueware was second on the list of suggested terms makes this a worrying possibility, as it amounts to Google's search engine recommending malware. It is also interesting to note that the fourth suggested search term is for the removal of that same rogueware.

Monday, September 13, 2010

New security flaw exploited on Adobe Reader and Acrobat

Adobe warned this week that a new security flaw in Reader and Acrobat is now being exploited, allowing hackers to take over victims' systems. The company says the vulnerability can "cause a crash and potentially allow an attacker to take control of the affected system."

Affected software includes Adobe Reader 9.3.4 and earlier for Windows and Mac, and Acrobat 9.3.4 and earlier for both operating systems. While Adobe would not give technical details on the flaw, security firm Secunia said it was caused by a "boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow by ...tricking a user into opening a specially crafted PDF file."

Tuesday, September 7, 2010

IBM X-Force Mid-Year Trend and Risk Report

2010 Mid-year highlights

The IBM X-Force 2010 Mid-Year Trend and Risk Report reveals several key trends that demonstrate how, in the first half of 2010, attackers seeking to steal money or personal data increasingly targeted their victims via the Internet. The IBM X-Force Trend and Risk Report is produced twice per year: once at mid-year and once at year-end. This report provides statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity.

Attackers are increasingly using covert techniques such as JavaScript obfuscation, which continue to frustrate IT security professionals. Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.

Reported vulnerabilities are at an all time high, up 36%. 2010 has seen a significant increase in volume of security vulnerability disclosures, due both to significant increases in public exploit releases and to positive efforts by several large software companies to identify and mitigate security vulnerabilities.

PDF attacks continue to increase as attackers trick users in new ways. To understand why PDFs are targeted, consider that endpoints are typically the weakest link in an enterprise organization. Attackers understand this fact well. For example, although sensitive data may not be present on a particular endpoint, that endpoint may have access to others that do. Or, that endpoint can be used as a practical bounce point to launch attacks on other computers.

The Zeus botnet toolkit continues to wreak havoc on organizations. Early 2010 saw the release of an updated version of the Zeus botnet kit, dubbed Zeus 2.0. Major new features included in this version provide updated functionality to attackers.

Vulnerabilities and exploitation highlights

=> Advanced persistent threat—What concerns X-Force most about these sophisticated attackers is their ability to successfully penetrate well defended networks in spite of significant advances in network security technology and practices. In particular, we are concerned about increasingly obfuscated exploits and covert malware command-and-control channels that fly under the radar of modern security systems.

=> Obfuscation, obfuscation, obfuscation—Attackers continue to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation. Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications. Things would be easier if network security products could simply block any JavaScript that was obfuscated, but unfortunately, obfuscation techniques are used by many legitimate websites in an attempt to prevent unsophisticated Web developers from stealing their code. These legitimate websites act as cover for the malicious ones, turning the attacks into needles in a haystack.

=> Reported vulnerabilities are at an all time high—2010 has seen a significant increase in the volume of security vulnerability disclosures, due both to significant increases in public exploit releases and to positive efforts by several large software companies to identify and mitigate security vulnerabilities.

=> Web application vulnerabilities have inched up to the 55 percent mark, accounting for more than half of all vulnerability disclosures in the first part of 2010.

=> Exploit Effort versus Potential Reward—What are attackers really going after? With the number of vulnerability announcements rising and vendors scrambling to provide patches and protection to problem areas, how can enterprises best prioritize the efforts of IT administrators to provide adequate coverage? The Exploit Effort versus Potential Reward Matrix provides a simple model for thinking about vulnerability triage from the perspective of attackers.

Sunday, September 5, 2010

Best Practices for Protecting ATMs and POS Terminals

10 Tips to Thwart Skimming

The keys to thwarting card skimming can be summed up in four ways - layered security, monitoring, system audits and education. Here are 10 best practices to follow in securing ATMs and point-of-sale devices at financial institutions and retail locations.

1. Deter Self-Service Terminal Skimming

Pay-at-the-pump skimming incidents are on the rise, prompting some convenience stores and gas stations to change the locks on the enclosures that house self-service pumps. The Pantry, a convenience store chain in the South, has opted to use an anti-tampering security tape. Pantry spokesman Scott Yates says the tape seals the area on a fuel pump where criminals install skimming devices to steal card information. If the tape is tampered with, the word "Void" appears on it. Employees check the tape periodically each day. The Pantry operates more than 1,600 convenience stores in 11 states.

2. Respond Quickly to ATM Skimming

ATM skimming has taken off anew, and security experts say any institution has to be ready for the crime. First, banking institutions should have an incident response plan in place to react quickly to ATM skimming attacks when they are detected. Plans should include everything from who should be contacted to the immediate actions the institution needs to take. If a device is found, all employees should know what to do. Educate branch employees and third-party vendors, as well as ATM service providers. Make sure they are monitoring the outside of the ATMs for residue or devices.

3. Use Layered Security Approach

Businesses should install a series of security layers, ranging from not storing card data to tokenizing the data using an outsourced service provider. If data needs to be stored, all data should be encrypted, while in transit and at rest. Strong network segmentation and comprehensive configuration change controls also should be implemented. A whitelist approach to data access control, as well as a whitelist approach to data transfer routines and destinations, are among other measures Litan recommends.

4. Increase Physical Security

To insert a skimming device, it is often necessary to remove a point-of-sale terminal from its location, or swap the existing terminal for another compromised terminal. Consider installing cable locks on POS terminals. Some have slots, so a cable lock can be attached to the terminal. This can then be threaded through the cable connecting the terminal to the cash register and then secured to prevent both the terminal and the cable from being compromised.

5. Ensure PCI Compliance

Make sure all POS terminals comply with the Payment Card Industry Council's Derived Unique Key Per Transaction (DUKPT) standard. Securely install terminals with unique hardware as a deterrent, and visually inspect them, along with the registers, every day. Ensure all POS terminals are PCI compliant. Also, when any work is done on the devices, make sure it is done by an authorized service provider.

6. Audit PIN Entry Devices

PEDs need to be checked on a regular basis, recording each device and cross-checking its serial number against the inventory. Retailers are recommended to follow PED security guidelines and to review the condition and placement of internal closed circuit TV systems so that they cover all areas.

7. Use CCTV to Monitor

Use applicable lighting to support payment environments and CCTV monitoring capabilities as required. Ensure ATMs and self-service pumps are well illuminated and meet minimum physical requirements, as defined by the appropriate regulatory mandates. Cameras should be situated such that they record the area around the point-of-sale PED, without being capable of recording any PIN entered. Save the CCTV images for 90 days.

8. Inspect All Locations

Frequently check the ATM fascia as well as the ATM's surroundings -- or those of external POS terminals -- ensuring nothing has been added or moved. Monitor the locations where ATMs and terminals are, especially if skimming attacks have been reported in the area. Have branch staff check these devices during off-hours as well as over weekends and holidays - all prime times for criminals to install skimmers.

9. Set Common Standards

Include visual standards for all ATMs and POS terminals, and maintain the standards at all branches or locations. Take a photograph of each machine, inside and outside. Show employees what the devices should look like, so when an ATM or POS terminal is quickly examined, employees readily recognize anything suspicious.

10. Educate Employees

Security-awareness training for all store and branch employees is a recommended place to start. Have a set of procedures for them to follow. Retailers should train staff to periodically check POS equipment, for instance, ensuring POS-device IDs still match, and no equipment has been swapped or changed.
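
Tips 1, 6, 9 and 10 above describe a recurring inspection: staff record what each terminal position contains and someone cross-checks it against the baseline. The following is an added example of that cross-check, not code from the article or from any named retailer; every device ID, serial number, location and date in it is constructed sample data.

```python
"""Cross-check a PIN entry device (PED) baseline against inspection records.

Added example, not part of the original article: it automates the checks
from tips 1, 6, 9 and 10 above (tamper seal intact, serial numbers still
match the baseline, no device swapped or added, every location inspected
recently). All device IDs, serials, locations and dates are constructed.
"""
from datetime import date

# Baseline: the device each lane or ATM position should contain.
BASELINE = {
    ("store-17", "lane-1"): {"device_id": "PED-0101", "serial": "SN-A1B2C3"},
    ("store-17", "lane-2"): {"device_id": "PED-0102", "serial": "SN-D4E5F6"},
    ("store-17", "atm-front"): {"device_id": "ATM-0900", "serial": "SN-ATM-77"},
}

# Inspection log as staff recorded it; comments mark the planted issues.
INSPECTIONS = [
    {"date": date(2010, 9, 4), "location": ("store-17", "lane-1"),
     "device_id": "PED-0101", "serial": "SN-A1B2C3", "seal_intact": True},
    {"date": date(2010, 9, 4), "location": ("store-17", "lane-2"),
     "device_id": "PED-0102", "serial": "SN-ZZ9999", "seal_intact": True},   # swapped unit
    {"date": date(2010, 9, 4), "location": ("store-17", "lane-3"),
     "device_id": "PED-0777", "serial": "SN-UNKNOWN", "seal_intact": False},  # not in baseline
    {"date": date(2010, 8, 20), "location": ("store-17", "atm-front"),
     "device_id": "ATM-0900", "serial": "SN-ATM-77", "seal_intact": True},    # stale check
]

# The day the audit is run (constructed, one day after the latest check).
AUDIT_DATE = date(2010, 9, 5)


def latest_by_location(inspections):
    """Keep only the most recent record for each location."""
    latest = {}
    for rec in inspections:
        loc = rec["location"]
        if loc not in latest or rec["date"] > latest[loc]["date"]:
            latest[loc] = rec
    return latest


def audit(baseline, inspections, today, max_age_days=1):
    """Return sorted (severity, location, message) findings."""
    findings = []
    latest = latest_by_location(inspections)
    for loc, expected in baseline.items():
        rec = latest.get(loc)
        if rec is None:
            findings.append(("high", loc, "never inspected"))
            continue
        age = (today - rec["date"]).days
        if age > max_age_days:
            findings.append(("medium", loc, "last inspected %d days ago" % age))
        # A changed ID or serial means the unit was swapped (tips 6 and 10).
        if (rec["device_id"], rec["serial"]) != (expected["device_id"], expected["serial"]):
            findings.append(("high", loc, "device %s/%s does not match baseline %s/%s" % (
                rec["device_id"], rec["serial"], expected["device_id"], expected["serial"])))
        # Broken tamper tape is the pump-enclosure check from tip 1.
        if not rec["seal_intact"]:
            findings.append(("high", loc, "tamper seal broken"))
    # Anything found at a position the baseline does not list was added.
    for loc, rec in latest.items():
        if loc not in baseline:
            findings.append(("high", loc, "unlisted device %s present" % rec["device_id"]))
    return sorted(findings)


if __name__ == "__main__":
    for severity, loc, msg in audit(BASELINE, INSPECTIONS, AUDIT_DATE):
        print("%-6s %s/%s: %s" % (severity, loc[0], loc[1], msg))
```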

Friday, September 3, 2010

Social Media: Business Benefits and Security

Tips for Addressing Social Media Risks

Does your organization use social media? How do you know for sure? Social media usually require no special technology, little or no involvement from IT, and no official project plan or explicit permissions to get started. Social media involve the creation and dissemination of information through social networks using the Internet. Social media tools include blogs, product review sites, Twitter, Facebook, LinkedIn, YouTube, Wikipedia and many other outlets.

Any Internet site that allows individual users to supply content can be considered a type of social media. Managing the risks from social media requires that the organization have a social media strategy, sound policy and a plan to address the risks that accompany social media technology. Here are some considerations for using social media in your organization:

1) Understand that blocking access to social media sites is not sufficient to prevent their use since many organizations use the tools to interact with customers or prospective employees. Blocking access also does not preclude the use of social media on employee-owned equipment.

2) Conduct a risk assessment to map the risks to the organization from the use of social media. The top five risks identified from social media are:
  • Viruses/malware
  • Brand hijacking
  • Lack of control over content
  • Unrealistic customer expectations of “Internet-speed” service
  • Noncompliance with record management regulations

3) Develop policies to address the risks of social media. Existing policies on conflict of interest, professional conduct, acceptable use, privacy, client confidentiality, intellectual property and similar issues can and should be extended to apply in the context of social media. Things to cover in these policies include:

  • Whether these sites are allowed for business use
  • Personal use in the workplace and personal use outside the workplace
  • The process to gain approval for use
  • Standard disclaimers if the organization is identified
  • Copyright or other content rights to information posted to these sites
  • Scope of business-related content allowed
  • What is inappropriate
  • Escalation procedures for customer issues
  • Disciplinary procedures for violation of policy

4) Ensure that the business processes that utilize social media are aligned with the policies and standards of the organization.

5) Social media are just other forms of electronic communication. Understand the retention regulations or e-discovery requirements. Poor policies governing the use of social media increase the costs of social media forensics coming from an external inquiry, litigation or audit request and may result in regulatory sanctions, fines or adverse legal actions.

6) Include social media training in the organization’s regular awareness communications or information security training curriculum. Users need to understand what is (and is not) appropriate and how to protect themselves and the organization when using social media.