Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com) 59

A malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that Project Sauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.
The Military

Stuxnet/Cyberwar Documentary Reviewer: 'The U.S. Has Pwned Iran' (networkworld.com) 138

Slashdot reader alphadogg quotes an article from Network World: The new documentary about Stuxnet, "Zero Days", says the U.S. had a far larger cyber operation against Iran called Nitro Zeus that has compromised the country's infrastructure and could be used as a weapon in any future war. Quoting unnamed sources from inside the NSA and CIA, the movie says the Nitro Zeus program has infiltrated the systems controlling communications, power grids, transportation and financial systems, and is still ready to "disrupt, degrade and destroy" that infrastructure if a war should break out with Iran...

For the more technically inclined, the film contains some riveting interviews with researchers at Symantec who devoted their lives to unraveling the code line by line to figure out what it did, how it did it, who created it and what the target was. It was also a bit chilling in that after they figured out that governments were behind the worm they worried that the researchers themselves might be targeted to keep them silent. One Friday night, says Symantec researcher Eric Chien, he said to his research partner Liam O Murchu, "I'm not suicidal. If I should show up dead on Monday, it wasn't me."

In the film former NSA and CIA director Gen. Michael Hayden says "This stuff is hideously over classified."
Government

North Korea Restarts Plutonium Production For Nuclear Bombs (arstechnica.com) 151

New submitter ReginaldBryan45 quotes a report from Reuters: North Korea has restarted production of plutonium fuel, a senior State Department official said on Tuesday, showing that it plans to pursue its nuclear weapons program in defiance of international sanctions. The International Atomic Energy Agency (IAE) said on Monday that it had seen signs based on satellite imagery that show that the secretive country had re-activated the nuclear fuel production reactor at Yongbyon. The analysis by the IAEA pointed to "resumption of the activities of the five megawatt reactor, the expansion of centrifuge-related facility, [and] reprocessing -- these are some of the examples of the areas [of activity indicated at Yongbyon]." U.S. Intelligence tried to infect the Yongbyon site with a variant of the Stuxnet malware last year but ultimately failed. Experts at the U.S.-Korea Institute at John Hopkins University's School of Advanced International Studies in Washington predicted last year that the country's nuclear arsenal could grow to as many as 100 bombs within five years, from an estimated 10 to 16. Naturally, this news is a cause for concern as North Korea had four (failed) test launches in the last two months.
Security

There's a Stuxnet Copycat, and We Have No Idea Where It Came From (vice.com) 30

Joseph Cox, reporting for Motherboard: After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques. Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware -- dubbed IRONGATE by cybersecurity company FireEye -- only works in a simulated environment it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration. [...] IRONGATE works within a simulated Siemens environment called PLCSIM, used for testing programs before they are pushed out into the field. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own. IRONGATE's DLL records five seconds of traffic from the Siemens' system to the user interface, and replays it over again, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.Dark Reading's coverage on this is also worth a read.
Microsoft

Microsoft Sees Over 10 Million Cyberattacks Per Day On Its Online Infrastructure (softpedia.com) 63

An anonymous reader writes: Microsoft's user identity management systems, made up by Microsoft Account (formerly Live ID, for home users) and Azure Active Directory (for its cloud/corporate services), see over 13 billion user logins per day, with 1.3 billion for AAD. The company says that over 10 million (per day) of these login attempts are cyber-attacks, which the company is able to detect. This information comes via Microsoft's most recent Security Intelligence Report, which also reveals details about a new cyber-espionage group named Platinum and that hackers are still using the same vulnerability (CVE-2010-2568) even today, which was used in the Stuxnet attacks. According to Pew Research Center, there's an increasingly growing fear among Americans about cyberattacks. In fact, it's the second most feared entity to them, the first being ISIS.
Privacy

Apple's iPhone Already Has a Backdoor 401

Nicola Hahn writes: As the Department of Justice exerts legal pressure on Apple in an effort to recover data from the iPhone used by Syed Rizwan Farook, Apple's CEO has publicly stated that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." But, as one Windows rootkit developer has observed, the existing functionality that the FBI seeks to leverage is itself a backdoor. Specifically, the ability to remotely update code on a device automatically, without user intervention, represents a fairly serious threat vector. Update features marketed as a safety mechanism can just as easily be wielded to subvert technology if the update source isn't trustworthy. Something to consider in light of the government's ability to steal digital certificates and manipulate network traffic, not to mention the private sector's lengthy history of secret cooperation. Related: wiredmikey writes: Apple said Monday it would accept having a panel of experts consider access to encrypted devices if US authorities drop efforts to force it to help break into the iPhone of a California attacker. Apple reaffirmed its opposition to the US government's effort to compel it to provide technical assistance to the FBI investigation of the San Bernardino attacks, but also suggested a compromise in the highly charged legal battle.

In his first public remarks since Apple CEO Tim Cook said he would fight the federal magistrate's order, FBI Director James Comey claimed the Justice Department's request is is about "the victims and justice."
Networking

Misusing Ethernet To Kill Computer Infrastructure Dead 303

Some attacks on computers and networks are subtle; think Stuxnet. An anonymous reader writes with a report at Net Security of researcher Grigorios Fragkos's much more direct approach to compromising a network: zap the hardware from an unattended ethernet port with a jolt of electricity. Fragkos, noticing that many networks include links to scattered and unattended ethernet ports, started wondering whether those ports could be used to disrupt the active parts of the network. Turns out they can, and not just the ports they connect to directly: with some experimentation, he came up with a easily carried network zapping device powerful enough to send a spark to other attached devices, too, but not so powerful -- at least in his testing -- to set the building on fire. As he explains: I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Over a 3 meters cable I connected a network HDD and over a 100 meters cable I connected my “deathray” device. I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged-in to the network switch, for a less than a second. There was a tiny flash from the network HDD and the laptop stopped working. It is not the cheapest thing in the world to test this, as it took all of my old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.
Security

Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters 119

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem, it only ever lives in firmware (which no one ever checks.) A video showing the proof of concept attack is posted on YouTube.
Crime

Interviews: Ask Brian Krebs About Security and Cybercrime 53

Brian Krebs got his start as a reporter at The Washington Post and after having his entire network taken down by the Lion Worm, crime and cybersecurity became his focus. In 2005, Krebs started the Security Fix blog and Krebs On Security in 2009, which remains one of the most popular sources of cybercrime and security news. Brian is credited with being the first journalist to report on Stuxnet and one of his investigative series on the McColo botnet is estimated to have led to a 40-70% decline in junk e-mail sent worldwide. Unfortunately for Krebs, he's also well known to criminals. In 2013 he became one of the first journalists to be a victim of Swatting and a few months later a package of heroin was delivered to his home. Brian has agreed to give us some of his time and answer any questions you may have about crime and cybersecurity. As usual, ask as many as you'd like, but please, one per post.
Security

Eugene Kaspersky: "Our Business Is Saving the World From Computer Villains" 288

blottsie writes: While the nature of Kaspersky's relationship with the Kremlin remains, at the very least, a matter of contention, his company's influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran's nuclear facilities. Kaspersky analysts later uncovered Flame, which the Washington Post found was another American-Israeli cyberweapon against Iran. All of this is on top of building a highly successful antivirus business. In a new interview with the Daily Dot, Kaspersky elaborates on thoughts about his company, his wealth, and the state of modern cybersecurity.
Windows

Buggy Win 95 Code Almost Wrecked Stuxnet Campaign 93

mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.
Microsoft

Incomplete Microsoft Patch Left Machines Exposed To Stuxnet LNK Vulnerability 33

msm1267 writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010. Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010. "That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch," said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.
Government

How "Omnipotent" Hackers Tied To NSA Hid For 14 Years and Were Found At Last 115

Advocatus Diaboli writes The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit. NSA officials didn't respond to an e-mail seeking comment for this story. What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet.
Security

Forget Stuxnet: Banking Trojans Attacking Power Plants 34

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.
Security

Regin Malware In EU Attack Linked To US and British Intelligence Agencies 131

Advocatus Diaboli writes The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.
Security

Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years 143

An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.
Security

First Victims of the Stuxnet Worm Revealed 39

An anonymous reader writes: Analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab can identify the first victims of the Stuxnet worm. Initially security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn't yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities. Kaspersky Lab analysis sheds light on these questions.
Books

Book Review: Countdown To Zero Day 58

benrothke writes A word to describe the book Takedown: The Pursuit and Capture of Americas Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction. Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon has certainly upped the ante for accurate computer security journalism. The book is a fascinating read and author Kim Zetters attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book. Keep reading for the rest of Ben's review.
Security

"BadUSB" Exploit Makes Devices Turn "Evil" 205

An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
Security

Western Energy Companies Under Sabotage Threat 86

An anonymous reader writes In a post published Monday, Symantec writes that western countries including the U.S., Spain, France, Italy, Germany, Turkey, and Poland are currently the victims of an ongoing cyberespionage campaign. The group behind the operation, called Dragonfly by Symantec, originally targeted aviation and defense companies as early as 2011, but in early 2013, they shifted their focus to energy firms. They use a variety of malware tools, including remote access trojans (RATs) and operate during Eastern European business hours. Symantec compares them to Stuxnet except that "Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."

Slashdot Top Deals