CWmike writes: "The White House has issued the National Strategy for Information Sharing and Safeguarding, a framework for agencies and departments to follow that would help bolster defenses against state-sponsored hackers and other criminals (see the plan (PDF)). The move is seen as a small step, albeit an important one. Congress failed this year in passing legislation that would have required utilities and others responsible for the nation's critical infrastructure to share information with federal officials. While lawmakers are expected to revisit the issue next year, the guidelines released Wednesday will begin the process of government entities setting up data-sharing mechanisms. 'This is a good first step,' said Murray Jennex, a cybersecurity expert and associate professor at San Diego State University. 'Other agencies will open up to the NSA and the FBI and such, sharing what has happened to them, where before maybe they wouldn't.' He added: 'And it does free up the FBI to pass on information to other agencies.' Where data sharing within the government would likely fall short: the Department of Defense and the National Security Agency (NSA). Those departments can list information as classified, making it shareable only with authorized people. Therefore, a much more detailed order would be needed to set guidelines on declassifying cyberattack data. The Obama administration is expected in the near future to address the issue of data sharing with the private sector with an executive order. Because the president cannot require companies to share data, the order is seen as a stopgap measure while Congress hammers out much broader legislation. Volunteer sharing of data with the government has fallen short."
CWmike writes: "Security researchers fed up with what they see as the glacial pace with which vendors fix holes in industrial control systems have exposed vulnerabilities that raised concerns among federal officials. The latest security weaknesses, as well as troubling trends in the hacker underground, led the Department of Homeland Security to warn late last week of an increasing security risk to the control systems used by power utilities, water treatment plants and manufacturing. Friday's warning stemmed from a report of a vulnerability found in ICS equipment sold by 261 manufacturers. Researchers with security vendor Digital Bond reported that Smart Software Solutions' CoDeSys product lets anyone upload code without authentication. The software is used in programmable logic controllers (PLCs), which are computers used in control systems to automate tasks. Dale Peterson, chief executive for Digital Bond, said 3S designed the product without authentication, so the vendor knew about the vulnerability. 'They chose to design the product that way,' Peterson said Monday. Digital Bond, along with researchers from other organizations, has embarked on a research effort called Project Basecamp that is dedicated to exposing security weaknesses in ICS devices in order to prod manufacturers into fixing the problems. Many of the systems were built before the Internet was introduced in networks that also contain control systems. 'We call these insecure-by-design issues,' Peterson said. 'These PLCs that run power plants, oil pipelines and things like that were designed with no security in them and that's been allowed to continue.'"
CWmike writes: "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said to have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."
CWmike writes: "Cyberattackers who disrupted the websites of U.S. banks over the last two weeks used a highly sophisticated toolkit — a finding that points to a well-funded operation, one security vendor says. Prolexic Technologies said the distributed denial of service (DDoS) toolkit called 'itsoknoproblembro' was used against some of the banks which included Wells Fargo, U.S. Bank, PNC Bank, Bank of America and JPMorgan Chase. Each of the banks was struck on separate days. The attackers, who called themselves Izz ad-Din al-Qassam Cyber Fighters, claimed to be hacktivists angry over YouTube video trailers made in the U.S. that denigrated the Prophet Muhammad. Security vendors have questioned the attackers' claims, saying the assaults were far more sophisticated than those launched by typical hacktivists, a term used to describe hackers who target websites in the name of a political or social cause. Prolexic's findings bolstered that belief. The toolkit is capable of simultaneously attacking components of a website's infrastructure and application layers, flooding the targets with sustained traffic peaking at 70 gigabits per second. In addition, Prolexic found that traffic signatures were unusually complex and therefore difficult to reroute away from the targets."
CWmike writes: "A new Trojan horse tries to cover its tracks by crippling the victim's computer after stealing data, a security researcher said on Friday. Dubbed 'Shamoon' by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector. The Israeli security company Seculert said Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization's network. The second stage — which kicks off after the malware has done its dirty work — overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. 'They are looking for ways to cover their tracks,' Aviv Raff, CTO and co-founder of Seculert, told Computerworld on Friday."
CWmike writes: "Apple on Monday issued its first security-related update for OS X 10.5, or Leopard, in nearly a year, to disable long-outdated versions of Adobe's Flash Player. On May 9, Apple disabled older copies of Flash Player on Snow Leopard and Lion using an update to Safari 5.1.7. Security Update 2012-003 does not patch any known vulnerabilities, but is instead a Leopard-specific version of what Apple released last week for OS X 10.6, or Snow Leopard, and the newer OS X 10.7, better known as Lion. Because that version of Apple's browser doesn't support Leopard, the company instead updated the operating system. Also on Monday, Apple released a version of the Flashback malware removal tool designed for Leopard. Apple had offered the same tool to Snow Leopard and Lion users on April 12. Security experts and pundits have blasted Apple for its sluggish patching of Java bugs and for dropping support for older operating systems too quickly. It's unlikely that Monday's Leopard updates signal a change in Apple's support policy since they do not address any security vulnerabilities that may exist in Leopard."
CWmike writes: "A cybersecurity consulting firm has documented the existence of a China-based espionage operation that has infiltrated the computer systems of at least 22 organizations in the government and private sectors in the U.S., Europe and Asia. But the biggest surprise was how the compromised entities reacted when notified of the breach by e-mails, which were followed up by phone calls. 'Not a single company actually responded. No one said 'thank you,' no one said give me more information, how did you do this, nothing,' Adam Vincent, chief executive of Cyber Squared, said Tuesday. 'Either we notified the wrong people or people didn't care. I'm not sure which.' The reason Cyber Squared believes the attacks were state sanctioned or sponsored is because all the victims were tied to Chinese strategic interests. For example, one organization was involved with efforts in the U.S. government to sell F-16 fighter jets to Taiwan, an action China opposed. Another was involved with efforts in the United Nations to minimize greenhouse gas emissions within the international maritime industry. The attackers are believed to have studied each organization closely in order to tailor the attack to specific people. The cyber criminals constantly updated the malware used in order to hide from antivirus software and other security technology found on most organizations' networks."
CWmike writes: "Is a cyberattack by Iran against the U.S. a realistic threat? And if so, could it be defeated by a technique called 'bullet time,' that slows Internet traffic just enough to give critical infrastructure defense systems time to respond? There is considerable disagreement over that, with some experts saying both that an attack is likely and the defense is possible, while others dismiss both, reports Taylor Armerding. Meanwhile, a story in New Scientist this week profiles security engineers at the University of Tulsa who say they have developed a way to slow Internet traffic, including malicious data, to give networks time to deal with attacks. The technique has been named 'bullet time,' referring to the scenes in 'The Matrix,' when Keanu Reeves's character, Neo, was able to dodge bullets, as time appeared to slow down. But Gary McGraw, CTO of the security software consultancy Cigital, says the problem is not that 'bullet time' would be expensive or difficult, but that it is a fantasy to think it would work. 'It's ridiculous. When you're talking about cyberattacks, it's beyond milliseconds,' he said. 'It's picoseconds (one-trillionth of a second). And when you use Internet protocols to slow down traffic, that slows everything else, too.'"
CWmike writes: "The recent arrest of Higinio O. Ochoa III, of Galveston, Texas — allegedly a member of the Anonymous-linked CabinCr3w — generated considerable amusement (and some unbearably bad puns) when it was reported that the FBI tracked him down using photos he had posted of his girlfriend's breasts (covered somewhat by a bikini top). But the more interesting — and sobering — message of the case is that someone known as an elite hacker was busted because he forgot, or didn't know, about the fact that EXIF data (location, camera type, and other image information) is included in every photo taken with a smartphone. He forgot, or didn't know, that others can extract that information. That the photos were a bit racy is incidental. They could have been artsy shots of a landscape or snapshots of a sporting event. The problem for somebody who is trying to cover his tracks is that the images are embedded with data that will tell an investigator where and when they were taken. Why he didn't think about the risks of posting photos embedded with geo-tagging — common knowledge to most people who organize their photos by date and location on programs like iPhoto — is a question Ochoa is probably asking himself, writes Taylor Armerding."
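The post above turns on one concrete fact: smartphone JPEGs carry an EXIF APP1 segment, and its GPS IFD records where the picture was taken. The script below is an added example, not code from the post or from Computerworld, showing the defender-side hygiene step: parse the JPEG segment list, pull the GPS latitude and longitude out of the TIFF-structured EXIF block, and strip the EXIF segment before a file leaves your hands. It uses only the Python standard library. The JPEG it operates on is a constructed fixture (a header, one EXIF segment with GPS tags, and an end marker; not a decodable picture), so it runs offline; the coordinates in it are invented.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # TIFF field type -> bytes per element


def iter_segments(jpeg: bytes):
    """Yield (marker, start, end, payload) for each marker segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI, or SOS (entropy-coded data follows)
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end, jpeg[pos + 4:end]
        pos = end


def _read_ifd(tiff: bytes, off: int, e: str) -> dict:
    """Read one TIFF IFD; returns {tag: (type, count, raw value bytes)}."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        value_field = tiff[base + 8:base + 12]
        size = TYPE_SIZES.get(typ, 0) * count
        if size > 4:                      # value does not fit inline: field holds an offset
            (data_off,) = struct.unpack(e + "I", value_field)
            raw = tiff[data_off:data_off + size]
        else:
            raw = value_field[:size]
        entries[tag] = (typ, count, raw)
    return entries


def _dms_to_decimal(raw: bytes, ref: bytes, e: str) -> float:
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed decimal degrees."""
    nums = struct.unpack(e + "IIIIII", raw)
    deg, mins, secs = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = deg + mins / 60 + secs / 3600
    return -value if ref.strip(b"\x00") in (b"S", b"W") else value


def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF tags, else None."""
    for marker, _start, _end, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order of the TIFF block
        if e is None:
            continue
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2], e)
        lon = _dms_to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2], e)
        return (lat, lon)
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG with every EXIF APP1 segment removed (image data left untouched)."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end, payload in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                     # SOS through EOI, copied verbatim
    return bytes(out)


def _rational_triplet(d: int, m: int, s: int) -> bytes:
    return struct.pack("<IIIIII", d, 1, m, 1, s, 1)


def build_sample_jpeg() -> bytes:
    """Constructed fixture: SOI + EXIF APP1 with GPS tags (37 47'30" N, 122 25'6" W) + EOI."""
    ifd0_off, gps_off = 8, 26             # header(8) IFD0(18) GPS IFD(54) lat(24) lon(24)
    lat_off, lon_off = gps_off + 54, gps_off + 54 + 24
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    tiff += _rational_triplet(37, 47, 30) + _rational_triplet(122, 25, 6)
    assert len(tiff) == lon_off + 24
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in original:", extract_gps(sample))
    print("GPS after strip_exif:", extract_gps(strip_exif(sample)))
```

The same `extract_gps` check is what a pre-upload hook or a DLP scanner would run on outbound images; `strip_exif` drops the whole APP1 block rather than just the GPS IFD because the remaining EXIF tags (camera model, serial number, timestamps) are also identifying, as the post notes.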
CWmike writes: "Iran's oil ministry confirmed Monday that it was the target of malware attacks over the weekend, adding to reports by state-run media that the country's oil industry was hit by hackers. The Mehr News Agency, which is a semi-official arm of the Iranian government, reported Monday that the country's principal oil terminal on Kharg Island was disconnected from the Internet as part of the response to the attacks. Email systems associated with the targets were also pulled offline. Kharg Island, which is in the Persian Gulf off the western coast of Iran, handles the bulk of the country's oil exports. A spokesman for the Ministry of Petroleum acknowledged the attacks, but said that critical servers at the reported targets — the ministry, Iran's national oil company and Kharg Island — were not affected because they are isolated from the Internet. The ministry spokesman also said that the malware, which he did not identify, resulted in the theft of some user information from websites and some minor damage to data stored on the web servers. According to the ministry, no data was actually lost because backups were available. Later Monday, Mehr reported that the attacks had prompted authorities to create a crisis management committee to counter the threats."
CWmike writes: "The CEO of a certificate-issuing company that was hacked in March is even more certain now that a wave of attacks against similar firms is backed by the Iranian government. 'I think even more so now than before,' said Melih Abdulhayoglu, the CEO and founder of Comodo, a U.S. security company that is also one of hundreds of certificate authorities (CAs) allowed to issue SSL certificates. The newest attack, conducted against DigiNotar, a Dutch CA, only strengthened Abdulhayoglu's belief that Iranian authorities were involved. 'We just witnessed the biggest man-in-the-middle attack in history,' said Abdulhayoglu of the breaches that led to one certificate for google.com being used to spy on 300,000 Iranians. Someone who calls himself 'Comodohacker' and says he is a 21-year-old Iranian, has claimed credit for both the attack against DigiNotar and the earlier breach of Comodo. He has also declared he hacked four other CAs, including GlobalSign. In statements he has published on the Web and in an email exchange to The New York Times, Comodohacker has asserted he acted alone. However, he has acknowledged he 'shared some certs with some people in Iran.' According to The Times, the email replies it received from Comodohacker have been traced to a system in Russia, a hotbed of hacking. Although Comodohacker could be routing his messages through a compromised Russian computer, the evidence could also mean he is not, as he claims, Iranian."
CWmike writes: "Microsoft jumped the gun on Friday by prematurely releasing information on all five of the security updates it plans to ship next Tuesday. The gaffe is unprecedented, said Andrew Storms, director of security operations at nCircle Security. 'I don't remember this ever happening,' said Storms. Microsoft normally publishes the lengthy 'bulletins' only when it ships the actual patches that fix the described problems. Although the bulletins went live Friday, the updates did not: A quick search of Microsoft's download center, where the updates are typically posted for manual download, did not show any available patches. Nor did the updates apparently reach users through Windows Update or the business-oriented Windows Server Update Services (WSUS)."
CWmike writes: "Microsoft today updated Windows to permanently block all digital certificates issued by a Dutch company that was hacked months ago. The update moves all DigiNotar SSL certificates to Windows' block list, dubbed the Untrusted Certificate Store. IE uses that list to bar the browser from reaching sites secured with dubious certificates. The Windows update will be automatically downloaded and installed to machines that have Windows Update's Automatic Update enabled, Microsoft said in a security advisory. Microsoft's Dutch customers, however, won't see the update for another week. 'At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates,' Microsoft's Dave Forstrom said in a blog post on Tuesday. Dutch users can get the update here."
CWmike writes: "The Department of Homeland Security on Friday issued a somewhat unusual bulletin warning the security community about the planned activities of hacking collective Anonymous over the next few months. It warns financial services companies especially to be on the lookout for attempts by Anonymous to 'solicit ideologically dissatisfied, sympathetic employees' to their cause. The unclassified communique is addressed broadly to those in charge of cybersecurity and critical infrastructure protection and also warns about new tools Anonymous has said it plans to use in launching future attacks. One is dubbed #RefRef, which is said to be capable of using a server's resources and processing power to conduct a denial of service (DoS) attack against itself. 'Anonymous has stated publicly that the tool will be ready for wider use by the group in September 2011,' the DHS said. But although there have been several publicly available tools that claim to be versions of #RefRef, so far it's unclear what the 'true capabilities of #RefRef are.' The bulletin also cites the so-called Apache Killer tool, for which there is a recent fix."