Saturday, March 31, 2012

Researchers Document Chinese Censorship in Detail

Via Technology Review -

We already knew that the "great firewall" barred many people in China from reaching websites deemed subversive or otherwise inappropriate by the government. Now comes evidence of just how sophisticated and widespread the censorship is even on sites inside the firewall.

Researchers at Carnegie Mellon analyzed how often posts to social networking sites in China will be deleted if they contain certain terms and found that, for example, at least 16 percent of the messages at one popular microblog site, Sina Weibo, were sent to the memory hole. The researchers document their work in great detail at http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3943/3169

Australian DSD: iOS Hardening Configuration Guide

http://dsd.gov.au/publications/iOS5_Hardening_Guide.pdf

About this Guide

This guide provides instructions and techniques for Australian government agencies to harden the security of iOS 5 devices.

Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment.

However agencies wishing to differ from the mandatory controls specified in this guide must note that the product will no longer fall under the evaluated configuration. In these cases, agencies should seek approval for non-compliance from their agency head and/or accreditation authority to allow for the formal acceptance of the risks involved.

iOS Evaluation

As per the Evaluated Product List, the Defence Signals Directorate (DSD) has found Apple iOS data protection classes A and B to be suitable for downgrading the handling of PROTECTED information to that of Unclassified. This document provides guidance on policy that either must be enforced or is at the agency’s discretion.

Thursday, March 29, 2012

Case Based in China Puts a Face on Persistent Hacking

Via New York Times -

A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups.

The attacks were connected to an online alias, according to a report to be released on Friday by Trend Micro, a computer security firm with headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

Neither the Chinese embassy in Washington nor the Chinese consulate in New York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias.

The person who used the alias, “scuhkr” — the researchers said in an interview that it could be shorthand for Sichuan University hacker — wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005, the report said.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.”

----------------------------------------------

Lucky Cat might sound familiar? That is for good reason.

Wednesday, March 28, 2012

The Luckycat Hackers

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf

Overview

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after.

[...]

The most useful information about the attackers is in one of the log files retrieved from a C&C server. This log file appears to record connections to an FTP server running on the C&C server. The attackers probably use FTP to easily retrieve stolen data uploaded to the C&C server. 45 unique IP addresses were identified in the log. Of these, all but two are from the same ISP, based in Sichuan province in China. The remaining two are from South Korea.

Despite this, the IP address used for the new connection changes regularly. In figure 7, during a period of approximately an hour and 15 minutes, four different IP addresses were used for six distinct connections. This is unusual because if the attacker is using DHCP, generally an IP address will remain allocated to a particular computer for a longer period of time.

A possible explanation is that the IP addresses used are the point of egress of a VPN-like service. The attackers may be using a service through which they can route their connections. The service periodically rotates connections amongst a pool of IP addresses in order to render the attacker anonymous or implicate China as the source of the attack. There are two potential reasons for the South Korean IP addresses. The first is that the IP addresses are part of the VPN service and were assigned to the attacker as the service rotated through the range of IP addresses available. The second explanation is that the attacker may have forgotten to enable the VPN by mistake and connected directly to the C&C server.

Adobe Flash Player w/ Automatic Updates!

Adobe has released Flash Player v11.2.202.228, which addresses critical vulnerabilities and introduces automatic updates.

Grab v11.2.202.228 here.

For more information, check out the Adobe Secure Software Engineering Team (ASSET) Blog, "An Update for the Flash Player Updater".

Adobe Reader and Adobe Flash Player has been heavily targeted by cyber criminals and APT actors in the past. It is good to see Adobe taking serious steps to make their product more resist to exploitation.

Oracle, are you listening? *cough* Java *cough*

Tuesday, March 27, 2012

Trojan.Taidoor Takes Aim at Policy Think Tanks

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf

Executive Summary

Trojan.Taidoor has been consistently used in targeted attacks during the last three years. Since May 2011, there has been a substantial increase in its activity. Taidoor’s current targets are primarily private industry and influential international think tanks with a direct involvement in US and Taiwanese affairs. Facilities in the services sector that these organizations may use have also been targeted. There are a number of additional ancillary targets.

Trojan.Taidoor dates back to March 2008 and in-field telemetry has identified Taidoor being used in targeted attack emails since May 2009. Fourteen distinct versions and three separate families of the Trojan have been identified to date. The threat continues to evolve to suit the attackers’ requirements.


Saturday, March 24, 2012

U.S. Intelligence Report Warns of Global Water Tensions

Via New York Times (March 22, 2012) -

The American intelligence community warned in a report released Thursday that problems with water could destabilize countries in North Africa, the Middle East and South Asia over the next decade.

Increasing demand and competition caused by the world’s rising population and scarcities created by climate change and poor management threaten to disrupt economies and increase regional tensions, the report concludes.

Prepared at the request of the State Department, the report is based on a classified National Intelligence Estimate completed last October that reflected an increasing focus on environmental and other factors that threaten security. An estimate reflects the consensus judgment of all intelligence agencies.

While the report concluded that wars over water are unlikely in the coming decade, it said that countries could use water for political and economic leverage over neighbors and that major facilities like dams and desalination plants could become targets of terrorist attacks. Coupled with poverty and other social factors, problems with water could even contribute to the political failure of weaker nations.

--------------------------------------

Global Water Security
https://s3.amazonaws.com/s3.documentcloud.org/documents/327371/report-warns-that-water-shortages-could-threaten.pdf
This report—requested by the Department of State—is designed to answer the question: How will water problems (shortages, poor water quality, or floods) impact US national security interests over the next 30 years? We selected 2040 as the endpoint of our research to consider longer-term impacts from growing populations, climate change, and continued economic development. However, we sometimes cite specific time frames (e.g., 2030, 2025) when reporting is based on these dates. For the Key Judgments, we emphasize impacts that will occur within the next 10 years.

[...]

This effort relied on previously published Intelligence Community (IC) products, peer-reviewed research, and consultations with outside experts. The Defense Intelligence Agency (DIA) was the principal drafter with contributions from NGA, CIA, State/INR, and DOE.

Friday, March 23, 2012

EU Approves Attacks on Land Bases to Combat Somali Pirates

Via BBC News (March 23, 2012) -

The European Union has agreed to expand its mission against Somali pirates by allowing military forces to attack land targets as well as those at sea.

In a two-year extension of its mission, EU defence ministers agreed warships could target boats and fuel dumps.

The BBC's security correspondent Frank Gardner says the move is a significant step-up in operations, but one that also risks escalation.

Up to 10 EU naval ships are currently on patrol off the Horn of Africa.

They have policed shipping routes and protected humanitarian aid since 2008. The extension means they will stay until at least December 2014.

An EU official said the new mandate would allow warships or helicopters to fire at fuel barrels, boats, trucks or other equipment on beaches, according to Agence France-Presse.

Spanish Foreign Minister Jose Manuel Garcia-Margallo told reporters: "The EU plan is to allow attacks on land installations when ships are assaulted at sea," adding that "much care" would be taken to avoid civilian deaths.

Rear Admiral Duncan Potts, the operation commander for the EU Naval Force in Somalia, said it had already made considerable progress targeting the pirates at sea.

Wednesday, March 21, 2012

US Scientist Gets 13 Years on Espionage Charge

Via Google News (AP) -

A leading US space scientist was sentenced to 13 years in prison Wednesday for selling classified material to a US undercover agent he thought was an Israeli spy, the Justice Department said.

Stewart Nozette, 54, entered a guilty plea in September as part of a deal with prosecutors that spared him a possible sentence of life in prison. His prison term was for charges of attempted espionage, conspiracy to defraud the United States and tax evasion.

Nozette agreed to provide classified information from his top-secret work as a government scientist after meeting an undercover FBI agent who persuaded him he was an agent for Mossad, the Israeli secret service.

[...]

The classified information he provided "directly concerned satellites, early warning systems, means of defense or retaliation against large-scale attack, communications intelligence information and major elements of defense strategy," the Justice Department said.

He also supplied information about research and development for an unidentified military weapon system.

After being paid a total of $225,000, Nozette allegedly demanded up to $2 million more in a final meeting with the undercover agent on October 19, 2009.

"I gave you even in this first run, some of the most classified information that there is... I've sort of crossed the Rubicon," he said at the time, according to court documents.

He was arrested the following day in Chevy Chase, Maryland, and has been in custody ever since.

In addition to the prison term, US District Court Judge Paul Friedman in Washington ordered that Nozette pay more than $217,000 in restitution to the government agencies he defrauded.

Neither Israel nor anyone acting on its behalf were charged with any offenses in the case.

"Stewart Nozette's greed exceeded his loyalty to our country," said US Attorney Ronald Machen.

"He wasted his talent and ruined his reputation by agreeing to sell national secrets to someone he believed was a foreign agent. His time in prison will provide him ample opportunity to reflect on his decision to betray the United States."


-----------------------------------

How did the FBI know that Nozette might be willing to steal secrets?

According to Wikipedia and the Washington Times...
Nozette was under investigation by the Justice Department for possible fraudulent billing on a NASA contract by a nonprofit corporation he ran, "Alliance for Competitive Technology.". An unnamed NASA Inspector had allegedly found billing to NASA for expenses including, among other things, three mortgages, nine credit cards, a Tennis club, pool cleaning, and the Mercedes-Benz Credit Corporation. Documents found by the Justice Department while investigating this allegation included classified documents and an e-mail in which Nozette "threatened to take a classified program on which he worked to an unnamed foreign country or Israel." This information was passed along to the FBI.

Targeted Attacks Against Tibet Organizations

Via Alien Vaults Labs (March 13, 2012) -

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others. We believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.

The attacks begin with a simple spear phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft. The information in the spear phishing email is related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim’s computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year and the variant we uncovered in these attacks seem to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.

It is no surprise that Tibetan organizations are being targeted – they have been for years – and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.

Below is a detailed analysis of one of the dozens of campaigns that we’ve been tracking, which illustrates the method used by the attackers and the possible connection to the Nitro attacks.

These latest attacks are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spear phishing emails are not that sophisticated and feature a Microsoft attachment (Camp information at Bodhgaya.doc) that exploits a known Office stack overflow vulnerability (CVE-2010-3333).

[...]

Examining the resultant traffic confirms the code to be a variant of the Gh0st RAT (remote access trojan) using a data string of `ByShe’ in place of the more usual `Gh0st.’

[...]

We have found more samples using this modified header (“ByShe”):
http://www.threatexpert.com/report.aspx?md5=e4e64d365844dc7294e4a553fed7501f
http://www.threatexpert.com/report.aspx?md5=4A35488762F70170DC0D3F46F94A7BCB

It is worth noting that the sample – 4a35488762f70170dc0d3f46f94a7bcb – connects to jericho.3322.org using the `ByShe’ protocol, which was seen during the Nitro attacks we saw between April and November of last year.

This sample was used during the NitroAttacks last year, a targeted attack against chemical and defense companies that was traced to China.


Win32/Georbot: From Georgia, with Love

http://blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf

At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that it was communicating with a domain belonging to the government of Georgia1 to retrieve updates.

Analysis revealed that this malware is an information stealing trojan and is being used to target Georgian nationals in particular. We were also able to gain access to the control panel of the threat, revealing the extent and the intent of this operation.

We present our findings in this document. It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to its own – still ongoing – monitoring, have cooperated with ESET on this matter.

The Win32/Georbot malware has the following functionalities for stealing information from an infected system:
  • Send any file from the local hard drive to the remote server.
  • Steal certificates
  • Search the hard drive for Microsoft Word documents
  • Search the hard drive for remote desktop configuration files
  • Take screenshots
  • Record audio using the microphone
  • Record video using the webcam
  • Scan the local network to identify other hosts on the same network
  • Execute arbitrary commands on the infected system
The commands are activated manually and were sent to each host individually rather than being broadcasted to all infected hosts.


-----------------------------------------

ESET's conclusion that unsophisticated attacks must not be state-sponsored misses the point, I think. Given the cyber activities of pro-Kremlin young groups in Russia, I wouldn't be surprised if this were conducted by a similar group. Are they military trained cyber warriors? No, but they are pro-state and are supported in a number of ways.

New Duqu Sample Found in the Wild

Via Symantec Security Response Blog (March 20, 2012) -

We recently received a file that looked very familiar. A quick investigation showed it to be a new version of W32.Duqu. The file we received is only one component of the Duqu threat however—it is the loader file used to load the rest of the threat when the computer restarts (the rest of the threat is stored encrypted on disk).

[...]

The compile date on the new Duqu component is February 23, 2012, so this new version has not been in the wild for very long. Checking the code we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful.

[...]

This is the first version of Duqu that we have found in 2012. Previously, we saw unique versions of Duqu released on the following dates:
  • 2010-11-03
  • 2010-11-03
  • 2011-10-17
We also saw evidence that older versions had been used.

Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.


------------------------------------------------------------------

CrySyS Duqu Detector Toolkit v1.23
http://www.crysys.hu/duqudetector.html
We are happy to introduce the Duqu Detector Toolkit v1.23 of CrySyS Lab as of 15/Mar/2012. Besides new versions of the previous detector tools that provide usability enhancements, we now also provide two brand new detector tools. The upgraded toolkit will provide better functionality for those who have already successfully used the former version.

Monday, March 19, 2012

DuQu Mystery Language Solved With the Help of Crowdsourcing

Via Wired.com (Threat Level) -

A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.

The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.

Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.

[...]

Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.

This led the researchers to test various combinations of compiler and source codes over a few days until they found the right combination that produced binary that matched the style in DuQu.

The magic combination was C code compiled with Microsoft Visual Studio Compiler 2008 using options 01 and Ob1 in the compiler to keep the code small.

“Visual C can optimize for speed and it can optimize for size, or it can do some kind of balance between the two,” says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “But they wanted obviously the smallest possible size of code” to get it onto victim machines via an exploit.

[...]

It suggests that whoever coded this part of DuQu was conservative, precise, and wanted 100 percent assurance that the code would work the way they wanted it to work.

But there was one other reason DuQu’s old-school programmers might have preferred C over C++ – its versatility. When C++ was initially developed, it was not standardized and wouldn’t compile in every compiler. C was more flexible. DuQu was delivered to Windows machines using a Microsoft Word zero-day exploit. But Raiu thinks DuQu’s programmers might have chosen C because they wanted to make sure that their code could be compiled with any compiler on any platform, suggesting they were thinking ahead to other ways in which their code might be used.

“Obviously when you create such a complex espionage tool, you take into account that maybe some day you will run it on servers, maybe you will want to run it on mobile phones or God knows what other devices, so you just want to make sure your code will work everywhere,” he says.

Sunday, March 18, 2012

Inside the Chinese Boom in Corporate Espionage

Via Business Week -

Last June, three men squeezed inside a wind turbine in China’s Gobi Desert. They were employees of American Superconductor Corp. (AMSC), a Devens (Mass.)-based maker of computer systems that serve as the electronic brains of wind turbines. From time to time, AMSC workers are required to head out to a wind farm in some desolate location—that’s where the wind usually is—to check on the equipment, do maintenance, make repairs, and keep the customers happy.

On this occasion, the AMSC technicians were investigating a malfunction. They entered the cylindrical main shaft of the turbine, harnessed themselves to a ladder, and climbed 230 feet in darkness up to the nacelle, an overpacked compartment that holds the machinery used to convert the rotation of the blades into electricity. AMSC had been using the turbine, manufactured by the company’s largest customer, China’s Sinovel Wind Group, to test a new version of its control system software. The software was designed to disable the turbine several weeks earlier, at the end of the testing period. But for some reason, this turbine ignored the system’s shutdown command and the blades kept right on spinning.

The AMSC technicians tapped into the turbine’s computer to get to the bottom of the glitch. The problem wasn’t immediately clear, so the technicians made a copy of the control system’s software and sent it to the company’s research center in Klagenfurt, Austria, which produced some startling findings. The Sinovel turbine appeared to be running a stolen version of AMSC’s software. Worse, the software revealed that Sinovel had complete access to AMSC’s proprietary source code. In short, Sinovel didn’t really need AMSC anymore.

Three days after that expedition in the Gobi, Daniel McGahn, AMSC’s chief executive officer, got the news on his cell phone while he was traveling in Russia. Hired in 2006, McGahn helped revamp the then-floundering company by focusing it on two things: China and wind power. Those bets paid off for a while, as Sinovel bought more and more turbine controllers from AMSC. Then in March 2011, Sinovel abruptly and inexplicably began turning away AMSC’s shipments at its enormous turbine assembly factory in Liaoning province.

[...]

On June 15, standing in a St. Petersburg office tower, McGahn listened to the report from the Austrian team for 30 minutes and felt the blood drain from his face. He had been trying for months to save the relationship with Sinovel and was making almost no progress. By the time he ended the call from his Austrian team, he knew why.

[...]

In other espionage cases, such as those involving Google (GOOG), Lockheed Martin (LMT), and DuPont (DD), thieves did a far better job of covering their digital tracks. Sinovel, however, was caught red-handed. AMSC has presented to law enforcement officials in Austria and China computer logs and messages that show Sinovel courting one of the U.S. company’s employees and paying him to aid in the code heist. “It’s a red-hot smoking gun example,” says John Kerry, chairman of the Senate Foreign Relations Committee and the Democratic senator from AMSC’s home state of Massachusetts. “If this is the way the Chinese choose to do business, it’s going to be very contentious and tough sledding ahead for this relationship.”

[...]

AMSC has filed four civil complaints against Sinovel in Chinese courts—where Sinovel has a steep home-field advantage—seeking $1.2 billion in damages. Sinovel has filed its own countersuits claiming that AMSC owes it $207 million for problems including defective equipment. Sinovel declined to make its chairman available for interview or to comment for this story. And because Chinese courts do not make legal documents available to the public, it was not possible to read Sinovel’s counterclaims. “How China responds to this is going to be central to how they respond to other issues of concern between us,” Kerry says.

[...]

According to court documents, in 2010, Sinovel began recruiting Dejan Karabasevic, a Serbian software engineer who worked at AMSC’s research facility in Klagenfurt. In December, Karabasevic sent his existing contract with AMSC to Sinovel employees for review; by January 2011, Sinovel was hunting for an apartment for him in Beijing. Once in China, the engineer was pressed to create software that could go on existing turbines as quickly as possible, using source code taken from AMSC’s server in Austria. For five days beginning on May 10, Karabasevic said in a confession to Austrian police, he worked steadily in his Beijing apartment and then traveled to a wind farm with three Sinovel employees to test the code in working turbines. By June it was done.

Karabasevic, who pleaded guilty, was sentenced in September to 12 months in jail and two years probation for distribution of trade secrets. His attorney, Gunter Huainigg, declined further comment.

Friday, March 16, 2012

Russia Ups the APT Bar

Via HBGary Blog -

Depending on who you ask, Russia and China are considered the top two espionage threats by the United States. China gets more media attention as an 'APT' threat, but this is only because China keeps getting caught with their hand in the cookie jar. In our own investigations, we still catch China more than any other country. Part of this might be the relative ease in which Chinese APT can be detected. As we have stated in numerous forums, detecting lateral movement is game-set-match for detecting Chinese APT. But China is not the only player.

We are investigating an increasing amount of economic espionage. In this, we are uncovering attackers from several countries other than China. Of particular note, Russia seems to be the next in line for APT-like economic espionage. And, Russian APT attacks seem much more technically advanced. Whether this is influenced by a long history and culture of malware development is unclear.

Russian APT contrasts sharply with Chinese attacks. As we have pointed out before, Chinese APT hides in plain sight. Their backdoors are simple in nature, doing only the minimum of command and control required to maintain remote persistent access. Once access is gained to the network, the Chinese APT is largely about lateral movement, use of command-line tools, and passing of credentials. Russian APT, on the other hand, clearly involves skilled malware development. Russian remote access tools have all of their capabilities hard-coded internally. There are no external, third-party tools. For example, password hash-dumping is performed by an internal function. Thus, a pass-the-hash toolkit is not required. Also, the command-and-control is more complex and richly featured. The malware is a one-stop shop of capability in the network. This shows a significantly different style between Chinese and Russian groups.

Of course, this cannot be a hard-and-fast rule for attribution. But, this is something we are witnessing and it's prudent to raise the alarm regarding advanced malware tactics. The threat may be evolving because simple APT tactics are easy to detect. Large corporations are certainly taking notice of the APT problem now, and just taking the time to look will likely uncover an attack. Some of the most advanced malware stealth techniques have emerged from the Russian underground. It is likely that these techniques will continue to be disseminated to the international malware development community, including those who participate in APT attacks.

It seems the cat is out of the bag with respect to APT. Cyberattacks are just too easy, and a state-level capability can be put together on a modest budget. We expect an increasing number of attacks of a more sophisticated nature over the next few years.

--Rich Cummings


-------------------------------------------------

Nov 2011 - NCIX: Foreign Spies Stealing US Economic Secrets in Cyberspace
"Chinese actors are the world’s most active and persistent perpetrators of economic espionage....Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets....We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace."

Geotagging Poses Security Risks

Via US Army Homepage (Cheryl Rodewig) -

The question was posed by Brittany Brown, social media manager of the Online and Social Media Division at the Office of the Chief of Public Affairs. It may sound outlandish, but in the age of social geotagging, it can be a reality.

There are a number of location-based social media applications and platforms, including Foursquare, Gowalla, SCVNGR, Shopkick, Loopt and Whrrl, currently on the market. They use GPS features, typically in the user's phone, to publish the person's location and offer rewards in the form of discounts, badges or points to encourage frequent check-ins.

Security risks for the military:

A deployed service member's situational awareness includes the world of social media. If a Soldier uploads a photo taken on his or her smartphone to Facebook, they could broadcast the exact location of their unit, said Steve Warren, deputy G2 for the Maneuver Center of Excellence, or MCoE.

"Today, in pretty much every single smartphone, there is built-in GPS," Warren said. "For every picture you take with that phone, it will automatically embed the latitude and longitude within the photograph."

Someone with the right software and the wrong motivation could download the photo and extract the coordinates from the metadata.

Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flightline, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.

[...]

Ways to stay safe:

"In operations security, we talk about the adversary," said Kent Grosshans, MCoE OPSEC officer. "The adversary could be a hacker, could be terrorists, could be criminals; someone who has an intent to cause harm. The adversary picks up on pieces of information to put the whole puzzle together."

Grosshans suggests disabling the geotagging feature on your phone and checking your security settings to see who you're sharing check-ins with.

"If your husband's deployed and you go ahead and start posting all these pictures that are geotagged, now not only does an individual know your husband's deployed and he's not at home, but they know where your house is," he said.

Ultimately, it's about weighing the risks.

"Do you really want everyone to know the exact location of your home or your children's school?" Sweetnam said. "Before adding a location to a photo, Soldiers really need to step back and ask themselves, 'Who really needs to know this location information?'"

Grosshans said it's as important to Soldiers as to family members.

"Be conscious of what information you're putting out there," he said. "Don't share information with strangers. Once it's out there, it's out there. There's no pulling it back."

Thursday, March 15, 2012

A Practical Guide to Situational Awareness

Via STRATFOR (Security Weekly) -

For the past three weeks we have been running a series in the Security Weekly that focuses on some of the fundamentals of terrorism. First, we noted that terrorism is a tactic not exclusive to any one group and that the tactic would not end even if the jihadist threat were to disappear. We then discussed how actors planning terrorist attacks have to follow a planning process and noted that there are times during that process when such plots are vulnerable to detection.

Last week we discussed how one of the most important vulnerabilities during the terrorism planning process is surveillance, and we outlined what bad surveillance looks like and described some basic tools to help identify those conducting it. At the end of last week's Security Weekly we also discussed how living in a state of paranoia and looking for a terrorist behind every bush not only is dangerous to one's physical and mental health but also results in poor security. This brings us to this week, where we want to discuss the fundamentals of situational awareness and explain how people can practice the technique in a relaxed and sustainable way.

Situational awareness is very important, not just for personal security but as a fundamental building block in collective security. Because of this importance, Stratfor has written about situational awareness many times in the past. However, we believe it merits repeating again in order to share these concepts with our new readers as well as serve as a reminder for our longtime readers.


---------------------------------

Very informative article. Practicing to increase your situational awareness as you go about your daily activities is recommended.

Wednesday, March 14, 2012

Microsoft Adds New Exploit Mitigations to IE 10

Via Threatpost -

Windows 8 is still off on the horizon somewhere, but the new version of Internet Explorer that's coming with it--IE 10--already is in consumer preview and it includes some major changes to the exploit mitigations. In addition to the existing implementations of ASLR, DEP and others technologies in Windows and IE, Microsoft has included a couple of new ones designed to further inhibit memory attacks.

The biggest change in IE 10 is a technology called ForceASLR that's meant to help compensate for the fact that not every application on Windows is compiled with the flag that opts them into ASLR. One of the main exploit mitigations that Microsoft has added to Windows in recent years, ASLR (address space layout randomization) essentially turns memory modules into moving targets for attackers, making it far more difficult for them to locate their payloads where they want. This has made browser-based exploits more complicated, but it only works if developers compile their applications with a specific flag, called /DYNAMICBASE, set.

The new ForceASLR technology helps fix that shortcoming by allowing IE to tell Windows to load every module in a random location, regardless of whether it was compiled with the /DYNAMICBASE flag. Microsoft security officials say that this is among the more important additions the company has made to the security of its browser and Windows machines.

[...]

In addition to ForceASLR, Microsoft has included another mitigation called High Entropy ASLR that takes advantage of the larger address space that's available on 64-bit Windows machines. The more entropy that the operating system can add to the randomization, the more difficult life will be for attackers who are trying to place their payloads precisely.


----------------------------------

Enhanced Memory Protections in IE10
https://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

Monday, March 12, 2012

Komatic - Night Drive



------------------------------------------------------------

Andy Powell, aka Komatic, is a Drum 'n' Bass producer and DJ from Bedford, London, UK.

Friday, March 9, 2012

Thoughts on the USCC’s New Report on Chinese Cyberattacks

Via CFR's Asia Unbound Blog -

Yesterday the U.S.-China Economic and Security Review Commission (USCC) released the second report prepared for it by Northrop Grumman on Chinese cyber capabilities. As numerous press reports noted, Occupying the Information High Ground argues that China’s improving cyber capabilities pose a threat to the United States military, that China could target U.S. logistic and transport networks in the case of a regional conflict, and that Chinese IT companies ZTE, Datang, and Huawei all have close collaborative ties with the People’s Liberation Army (PLA).

The report does a good job of bringing a great deal of Chinese-language and open-source information together, and is especially useful in laying out how information security research is funded in and conducted by military and civilian universities.

[...]

The specific findings of the report are useful and important, but we should remind ourselves of four things. First, it is easy to forget that much in the report is about aspirations, what the PLA hopes to accomplish, and that we are less certain about how capable it truly is.

[...]

Second, and again the authors make this point, Occupying the Information High Ground is not a net assesment. It makes no effort to “detail possible countermeasures and network defense capabilities that the U.S. military and government may employ that could successfully detect or repel the types of operations described.”

[...]

Third, as most of the writings cited in the report demonstrate, we know a lot more about Chinese thinking at the tactical level and much less about how the central leadership understands the political or strategic implications of a cyberattack on U.S. interests, especially one on critical infrastructure. The report notes that “the decision to move beyond strictly military targets for network attack operations would likely be made at the highest levels of China’s military and political leadership because of the recognized dangers of escalation that such a move presents.” How certain can leaders on either side of the Pacific be that it is possible to limit network attacks to “strictly military targets”? If the strategic is always a possibility in the tactical, then we need better insight into what central leaders in Zhongnanhai understand about and expect from cyber operations.

[...]

Finally, shadowing the report is the question of what the U.S. policy response should be. The report does not spend much time discussing cyber espionage threats (which was covered more expansively in the previous report, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation), but it does suggest that continuous exfiltration of data from U.S. government networks exacerbates military instability

[...]

As I argue in my recent Foreign Affairs article, Chinese Computer Games, raising the costs and calling the perpetrators out is part of a strategy that will include bilateral and multilateral discussions on rules of the road for cyber, capacity-building, deterrence through denial, and possibly trade or other sanctions. Even using all these policy tools, it is going to take a long time; Chinese-based cyberattacks will not disappear anytime soon.

Thursday, March 8, 2012

U.S. Says Iranian General Key in Afghan Heroin Trade

Via Al Arabiya News (Saudi-owned new organization) -

Washington on Wednesday named a general in Iran’s elite al-Quds force as a key figure in trafficking heroin from Afghanistan.

The U.S. Treasury designated Gen. Gholamreza Baghbani, who runs the Revolutionary Guards’ Quds force office in Zahedan near the Afghan-Pakistan border, as a narcotics “kingpin” for facilitating Aghan drugrunners to move opiates into and through Iran.

In return, the smugglers helped move weapons for the Taliban from Iran “on behalf of Baghbani,” the Treasury said in a statement.

It said that Baghbani had also aided the smuggling of chemicals used to make heroin through the Iranian border into Afghanistan.

He was the first Iranian to be officially named as a “specially designated narcotics trafficker” under the US “Kingpin Act”, which allows the Treasury to prohibit any US citizens or entities from engaging in commercial or financial transactions with the named individual.

Treasury said that the designation of Baghbani “exposes (the Quds force’s) involvement in trafficking narcotics, made doubly reprehensible here because it is done as part of a broader scheme to support terrorism.”

The Quds force is the shadowy special operations unit of Iran’s elite Revolutionary Guards and often operates outside of Iran.


----------------------------------------------------

http://www.treasury.gov/press-center/press-releases/Pages/tg1444.aspx
The U.S. Department of the Treasury today designated Iranian Islamic Revolutionary Guard Corps Qods Force (IRGC-QF) General Gholamreza Baghbani as a Specially Designated Narcotics Trafficker pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act). This is the first use of the Kingpin Act against an Iranian official.

Wednesday, March 7, 2012

The Mystery of the Duqu Framework

Via Securelist.com (Kaspersky Lab) -

While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logic, the Payload DLL. We would like to share our findings and ask for help identifying the code.

[...]

Conclusions
  • The Duqu Framework appears to have been written in an unknown programming language.
  • Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++ 2008.
  • The highly event driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous commutations.
  • Given the size of the Duqu project, it is possible that another team was responsible for the framework than the team which created the drivers and wrote the system infection and exploits.
  • The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.
  • Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

The Duqu Framework: What was that?

After having performed countless hours of analysis, we are 100% confident that the Duqu Framework was not programmed with Visual C++. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language.

We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact us or drop us a comment in this blogpost. We are confident that with your help we can solve this deep mystery in the Duqu story.