Issue No. 06 - Nov.-Dec. (2012 vol. 10)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.154
A sophisticated nine-month cyberespionage campaign recently struck 4,000 machines at 900 organizations in the financial, technology, defense, utility, and other industries, as well as government agencies. VOHO, an advanced persistent threat, compromises websites that the targeted organizations are likely to visit (a watering-hole attack). The sites redirect visitors to Web servers that try to infect them with malware. Researchers say the VOHO attackers, who have ties to China, deployed the Gh0st remote access Trojan and were considerably more successful at infecting targets than most similar drive-by assaults.
US Defense Secretary Leon Panetta said recent cyberattacks on two major Middle East energy companies were the most dangerous ever launched on private businesses. The assaults used the Shamoon modular virus to disable a reported 30,000 computers at Saudi Aramco, Saudi Arabia's national oil and natural gas company, as well as at Qatar's RasGas liquefied natural gas business. US officials say Iran did this in response to cyberattacks it has suffered in the past few years.
Security researchers say a cybergang is recruiting hackers for Project Blitzkrieg, which will initiate destructive attacks against 30 US banks between now and spring 2013. According to security vendor RSA, the gang is looking for 100 hackers to design and launch botnets for the assaults, and banks should prepare for the possible onslaught. Industry observers have predicted the attack based on communications tied to a Russian hacker. The attacks reportedly would use the Gozi Prinimalka Trojan, part of a malware family that hackers have already used to steal US$5 million from banks.
The Sality botnet is now using advanced techniques to disguise its efforts to recruit new zombie computers from among Voice-over-IP (VoIP) servers. University of California, San Diego, and University of Napoli researchers say the huge, long-active botnet is hiding its activities by using reverse byte-order scanning, sending out relatively few packets over a long time period, and employing many bots so that security systems don't detect large amounts of incoming traffic from any one source. Sality was discovered in 2003 and now comprises hundreds of thousands of computers. The researchers say it's starting to look for targets to use in criminal activities such as obtaining free phone service or launching vishing attacks.
Attackers compromised one of Adobe's software build servers that had access to the company's code-signing infrastructure. From there they did not need to steal the private key: they simply submitted their malicious software to the signing service and obtained valid Adobe signatures, making the malware appear to be the vendor's own software. Adobe says the compromised certificate was used to sign only a few minor malicious utilities. The company is revoking the certificate and has set up an interim signing service for its software until it issues new permanent certificates.
Two Romanians have pleaded guilty to breaking into US merchants' point-of-sale computer systems, stealing customers' payment card information, and using it to make $10 million in unauthorized purchases. Between 2009 and 2011, they worked with another Romanian, who is in custody awaiting trial, to hack into hundreds of merchant systems and compromise approximately 146,000 accounts. The case was unusual, in part because of the degree of international cooperation involved. Romanian authorities helped the Secret Service and the New Hampshire State Police investigate the matter and extradited at least one of the suspects.
A stealthy password-stealing tool masquerades as the Windows CHKDSK utility. The real utility checks a hard drive's file system for integrity before the system boots and then fixes the errors it finds. An attacker with brief physical access boots the target computer from a USB drive carrying the Evil Maid CHKDSK tool. On booting up, victims see what looks like the legitimate CHKDSK screen. The tool then shows the following message: "One of your drives needs to be checked for consistency. You must perform this check before rebooting." It then asks users to enter their password, a prompt the real CHKDSK never presents. If users do so, the tool writes the password to the USB drive, which the attacker can later recover.
According to security researchers, two Huawei Technologies routers contain serious vulnerabilities that could let hackers remotely control the devices. Researchers from Recurity Labs said there was a heap overflow vulnerability—a type of buffer-overflow flaw—in Huawei's AR18 and AR29 routers, which are designed for small- and mid-sized businesses, respectively. According to the researchers, the products use insecure code and an operating system that isn't hardened.
As part of its Project WestWind, the Team GhostShell group says it hacked into networks for schools such as Harvard University, Johns Hopkins University, the University of Michigan, and Princeton University and posted some information on the Pastebin text-sharing website. Security vendor Identity Finder analyzed the published records and said they appear sufficiently authentic to justify investigation by the affected schools. No credit card or Social Security numbers were released.
The Internet Engineering Task Force (IETF) has approved HTTP Strict Transport Security (HSTS) as a Proposed Standard (RFC 6797). HSTS promises to make online communications safer by letting Web servers tell browsers that they must be reached only over an encrypted connection. HTTPS is designed to make Web communications safer, but users frequently leave their transmissions exposed because they never reach the HTTPS version of a site: they type a bare host name, follow an http:// link, or are redirected by an attacker sitting on the path, and many websites that offer HTTPS don't force it. With HSTS, a website declares its policy through the Strict-Transport-Security HTTP response header field (which the browser honors only when it arrives over a valid HTTPS connection), through user-agent configuration, or other means; for the policy's lifetime the browser rewrites http:// requests to that host to https:// and treats certificate errors as fatal rather than bypassable. Proposed Standard is the first IETF maturity level; advancement to full Internet Standard would come later.
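The behavior RFC 6797 asks of a browser is small enough to write out. The following is an added example, not code from the IETF or from any browser: a minimal HSTS policy cache that parses the Strict-Transport-Security field value (max-age required, includeSubDomains optional, each directive at most once, unknown directives ignored), refuses to learn a policy from a response that did not arrive over a trusted TLS connection, honors max-age=0 as a deletion, expires entries, and rewrites http:// URLs for known hosts (port 80 becomes 443, other explicit ports are kept). The host names, header values, and the fake clock are constructed for illustration; the "TLS is trustworthy" decision is passed in as a boolean because it belongs to the TLS layer, not this cache.

```python
"""Minimal HTTP Strict Transport Security (RFC 6797) policy cache.

Illustrative code written for this article; not the IETF's or any browser's.
"""
import ipaddress
import re
import time

# Directive grammar from RFC 6797 6.1: directive-name [ "=" directive-value ],
# separated by ";". Names are case-insensitive; values may be quoted strings.
_DIRECTIVE = re.compile(r'^\s*([!#$%&\'*+.^_`|~0-9A-Za-z-]+)\s*(?:=\s*("[^"]*"|[^";\s]*))?\s*$')


def parse_sts_header(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    must be ignored (bad syntax, missing max-age, or a repeated directive).
    """
    seen = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue  # the ABNF allows empty directives, e.g. a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        if name in seen:
            return None  # RFC 6797 6.1: each directive appears at most once
        seen[name] = val  # unknown directives (e.g. preload) are kept but ignored
    max_age = seen.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None
    if 'includesubdomains' in seen and seen['includesubdomains'] is not None:
        return None  # includeSubDomains is a valueless directive
    return int(max_age), 'includesubdomains' in seen


def _is_ip_literal(host):
    """HSTS policies are keyed on domain names only, never IP addresses."""
    try:
        ipaddress.ip_address(host.strip('[]'))
        return True
    except ValueError:
        return False


class HstsCache:
    """Known-HSTS-host store as a browser would keep it (RFC 6797 section 8)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry_time, include_subdomains)

    def process_response(self, host, secure_transport, headers):
        """Learn (or drop) a policy from a response. Returns True if applied.

        secure_transport must be False for plain HTTP and for TLS sessions
        that produced any certificate warning; such headers are ignored (8.1).
        """
        if not secure_transport or _is_ip_literal(host):
            return False
        values = [v for (k, v) in headers if k.lower() == 'strict-transport-security']
        if not values:
            return False
        parsed = parse_sts_header(values[0])  # 8.1: only the first STS field counts
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip('.')
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 removes the host
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Does a live policy cover host directly or via includeSubDomains? (8.2)"""
        host = host.lower().rstrip('.')
        now = self._clock()
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                del self._hosts[candidate]  # expired policy is forgotten
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """8.3: http -> https for known hosts; port 80 -> 443, other ports kept."""
        m = re.match(r'^http://([^/:?#]+)(?::(\d+))?(.*)$', url, re.IGNORECASE)
        if not m:
            return url
        host, port, rest = m.group(1), m.group(2), m.group(3)
        if not self.is_known(host):
            return url
        if port is None or port == '80':
            return 'https://' + host + rest
        return 'https://' + host + ':' + port + rest
```

The cache deliberately has no "accept anyway" path: once a host is known, a certificate error on it is a hard failure, which is the property that defeats SSL-stripping and rogue-certificate prompts. The remaining gap, the very first visit before any policy is learned, is what user-agent configuration (preloaded lists) exists to close.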
California has become the third US state to make it illegal for companies or universities to ask current and potential workers and students for their social media login information. The state joins Illinois and Maryland in responding to a trend in which employers and schools have asked for usernames and passwords to these websites. The two new California laws—one for companies and one for universities—will take effect on 1 January 2013.
A new US executive order would direct intelligence agencies to provide cyberthreat information to organizations operating critical parts of the public infrastructure so that they could defend themselves from attack. Under the order, the Department of Homeland Security would organize a network that would distribute information, not including classified material, about cyberthreats that specify a target. Proponents say this approach is critical to protecting computer systems run by critical infrastructure operators, including power companies and railroads. Current information-sharing efforts operate only within certain fields, such as the financial industry.
With concern about international cyberattacks rising, the US Defense Information Systems Agency (DISA) has adopted a new five-year electronic security plan. The DISA plan begins with an eight-part approach to help revamp the US Department of Defense (DoD)'s cybersecurity approaches, calling for a greater focus on the Asia-Pacific region as well as the synchronization of the DoD's Joint Information Environment activities. DISA will also streamline and coordinate the department's cloud services operations to enable fast service provisioning. Moreover, the agency will be the first to test DoD cybersecurity capabilities and will increasingly use agile development to speed up technology delivery.
The US National Institute of Standards and Technology (NIST) has selected Keccak as the winner of its SHA-3 competition and thus the new official government hash algorithm. Designed by cryptographers Guido Bertoni, Joan Daemen, and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors, Keccak is the third-generation official secure hash algorithm, after SHA-1 and SHA-2. Its sponge construction differs structurally from the Merkle-Damgård design shared by its predecessors, so an attack on one family is unlikely to carry over to the other, and the same permutation can produce output of any length. The NIST evaluation team praised the algorithm for its "elegant design and its ability to run well on many different computing devices." The algorithm reportedly processes a byte of data in about 13 processor cycles on a 2.4-GHz Intel Core 2 Duo chip. The US government uses its hash algorithms in security technologies such as Secure Sockets Layer, Secure Shell, Pretty Good Privacy, and IPsec.
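The whole of Keccak fits in a page, which is part of what "elegant design" means here. The following is an added example written out from the public specification; it is not NIST's or the Keccak team's code. It implements the 24-round Keccak-f[1600] permutation (theta, rho, pi, chi, iota) and the sponge around it, then instantiates SHA3-256 and SHAKE128 exactly as they were later standardized in FIPS 202 (2015). One caveat a practitioner should know: the competition-era Keccak that NIST selected in 2012 used plain pad10*1 padding, whereas FIPS 202 first appends the domain-separation bits 01 (byte 0x06) for the SHA-3 hashes and 1111 (0x1F) for SHAKE, so the 2012 Keccak-256 and SHA3-256 give different digests for every input. Both variants are included so the difference is visible; the test vectors cited in the comments are the published ones for the empty string.

```python
"""Keccak sponge and the Keccak-f[1600] permutation, from the specification.

Added illustration, not NIST's or the Keccak team's code. Lanes are 64-bit
integers indexed lanes[x][y]; the 200-byte state is little-endian per lane.
"""
import hashlib

MASK64 = 0xFFFFFFFFFFFFFFFF


def rol64(a, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def keccak_f1600(state):
    """Apply the 24-round Keccak-f[1600] permutation to a 200-byte state."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], 'little')
              for y in range(5)] for x in range(5)]
    rc = 1  # 8-bit LFSR that generates the iota round constants
    for _ in range(24):
        # theta: xor each lane with the parity of two neighbouring columns
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate lanes by triangular numbers while walking the
        # (x, y) -> (y, 2x + 3y) cycle that visits every lane except (0, 0)
        x, y = 1, 0
        current = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            current, lanes[x][y] = lanes[x][y], rol64(current, (t + 1) * (t + 2) // 2)
        # chi: the only nonlinear step, applied row by row
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ ((~row[(x + 1) % 5]) & row[(x + 2) % 5])
        # iota: break symmetry between rounds with a constant in lane (0, 0)
        for j in range(7):
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) % 256
            if rc & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, 'little')
    return out


def keccak(rate_bits, capacity_bits, data, suffix, out_len):
    """Sponge: absorb `data` at the given rate, pad with suffix || pad10*1,
    then squeeze `out_len` bytes. Security level is capacity/2 bits."""
    assert rate_bits + capacity_bits == 1600 and rate_bits % 8 == 0
    rate = rate_bits // 8
    state = bytearray(200)
    off = 0
    block = 0
    while off < len(data):  # absorb: xor full blocks into the rate part
        block = min(len(data) - off, rate)
        for i in range(block):
            state[i] ^= data[off + i]
        off += block
        if block == rate:
            state = keccak_f1600(state)
            block = 0
    state[block] ^= suffix  # domain-separation bits plus the first pad bit
    if (suffix & 0x80) and block == rate - 1:
        state = keccak_f1600(state)  # suffix already filled the last byte
    state[rate - 1] ^= 0x80  # final pad bit closes pad10*1
    state = keccak_f1600(state)
    out = bytearray()
    while len(out) < out_len:  # squeeze: output is read from the rate part only
        take = min(out_len - len(out), rate)
        out += state[:take]
        if len(out) < out_len:
            state = keccak_f1600(state)
    return bytes(out)


def sha3_256(data):
    """SHA3-256 per FIPS 202: rate 1088, capacity 512, suffix 0x06."""
    return keccak(1088, 512, data, 0x06, 32)


def keccak256_2012(data):
    """Competition-era Keccak-256 (same parameters, plain pad10*1: suffix 0x01)."""
    return keccak(1088, 512, data, 0x01, 32)


def shake128(data, out_len):
    """SHAKE128 per FIPS 202: rate 1344, capacity 256, suffix 0x1F, any length."""
    return keccak(1344, 256, data, 0x1F, out_len)
```

Two design points show through in the code. Only the rate part of the state is ever written to or read from, so the capacity bits stay hidden, which is where the security argument lives; and the squeeze loop is the whole of SHAKE, with the digest length decoupled from the permutation. The hashlib cross-checks below confirm the implementation against the standard library's SHA-3 for inputs that span block boundaries.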
Facing a deluge of data, the US National Security Agency (NSA) is using technology to automatically make some of its legal and policy decisions, including whether some of the records it wants to access are legally off limits. NSA officials say they're analyzing more and more messages and thus have less time to examine whether they should, by law, be able to access each one. Instead, they explain, they're using NSA legal requirements and policies to program and train computer systems on how to screen out certain types of information before the agency analyzes and processes it.
A recent "autoimmune" reaction affecting security vendor Sophos's antivirus software had a ripple effect that caused multiple problems for many of the company's customers. The problem began when Sophos's antivirus software began identifying some of its own malware definition update files as malicious software. It then either quarantined or deleted the files, shutting down the application and leaving users vulnerable. In some cases, the software also incorrectly determined that legitimate custom-built business applications were threats. As a result, many merchants' point-of-sale terminals crashed, particularly affecting major supermarkets and banking groups.
The computer system for the privately run Dragon spacecraft was able to adjust to an engine malfunction, enabling the ship to complete its recent mission to deliver cargo to the International Space Station. Shortly after one minute into the flight, the Falcon 9 rocket detected a problem—possibly a pressure loss—with a first-stage engine and turned it off. As designed, the flight computer took into account the engine shutdown and computed a new ascent profile to enable the spacecraft to reach its destination.