ole_timer writes: Brian Krebs IDs the author of Mirai
On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.
The FTC filed complaints against two separate groups of defendants, the leaders of which have both been involved in previous legal actions for robocalling operations. The defendants each controlled several different corporate entities that were involved in selling home security systems, extended auto warranties, and other products through repeated automated phone calls. Many of the calls were to numbers on the DNC list, a violation of the telemarketing regulations.
The two main defendants in the complaints are Justin Ramsey and Aaron Michael Jones, and in separate actions, they and many of their co-defendants have agreed to court-ordered bans on robocall activities and financial settlements. The FTC alleges that Ramsey directed an operation that made millions of robocalls a month.
The Anthem data breach is one of the larger health care-related incidents ever in the United States and it has cost the company $260 million so far in technology improvements, credit monitoring, and other expenses. Anthem officials discovered the breach in January 2015 and disclosed it publicly the following month. The attack began, as many of the incidents do, with a spearphishing email, which an employee of one of Anthem’s subsidiaries opened. That led to the installation of malware on the employee’s machine, and the attacker then moved on to compromise at least 90 other computers in the organization, according to the report.
Anthem hired security firm CrowdStrike to investigate the intrusion, and the California Department of Insurance conducted an analysis of the event, as well. The analysts came to the conclusion that operators from a foreign government had initiated the attack. The report does not specify which government was involved, however.
The new report is the result of an order from President Barack Obama to investigate whether elements of the Russian government hacked U.S. networks in the months leading up to the election. There will be a classified version of the report delivered to Congress, as well as an unclassified version released to the public. In a hearing before the Senate Armed Service Committee Thursday, senior intelligence officials said they are highly confident that Russian intelligence was behind a number of intrusions tied to the election.
“This was a multifaceted campaign. The hacking was only one part of it. It included classical propaganda, fake news, disinformation,” said Director of National Intelligence James Clapper during Thursday’s hearing.
schwit1 writes: “According to one intelligence official who spoke to the publication, no U.S. intelligence agency has performed its own forensics analysis on the hacked servers. Instead, the official said, the bureau and other agencies have relied on analysis done by the third-party security firm CrowdStrike, which investigated the breach for the DNC.”
The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself.
In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.
chicksdaddy writes: The Washington Post’s story, Saturday, which claimed that Russian hacking groups had penetrated the United States electrical grid (https://www.washingtonpost.com/world/national-security/russian-hackers-penetrated-us-electricity-grid-through-a-utility-in-vermont/2016/12/30/8fc90cc4-ceec-11e6-b8a2-8c2a61b0436f_story.html) is a great example of why the Obama Administration's Grizzly Steppe report was a big mistake. It is also a case-in-point against casual attribution of cyber attacks, The Security Ledger writes. (https://securityledger.com/2017/01/opinion-confusion-over-vermont-utility-underscores-risks-of-cyber-attribution/)
As we now know, the Washington Post used claims that “code associated with the Russian hacking operation dubbed GRIZZLY STEPPE” had been detected within a system owned by Burlington Electric as proof that the Russians had hacked into the U.S. grid.
But no such hack of the electrical grid took place. The computer infected with the malware was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press on Saturday. (http://www.burlingtonfreepress.com/story/news/local/vermont/2016/12/30/russia-hacked-us-grid-through-burlington-electric/96024326/)
The Washington Post subsequently corrected its article, saying that no hack of the U.S. grid took place, though it did NOT retract the story as some have claimed. Still, the confusion over “the Vermont incident” gets to the heart of criticisms that followed the release of the DHS and FBI Joint Analysis Report (JAR) on Russian hacking activity on U.S. shores. Specifically: the U.S. Government’s Report lumped together under one banner a wide range of hacking groups and hacking tools – some of them long used and widespread. In some cases, the groups in question have only tangential connections to the government of Russia. In other cases, tools and techniques for attacking organizations – including whole families of malware – were thrown under the GRIZZLY STEPPE umbrella. The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing.
The report about the Vermont hack proceeded from that assumption, citing intelligence from unnamed government sources that malicious code found at the utility was put there and controlled by “the Russians,” who “did not actively use the code to disrupt operations.”
The truth is that if any evidence exists linking the malware discovered on a machine owned by Burlington Electric to operatives of the government of Russia, none was presented. It’s not clear if the Washington Post ever asked for such proof. As Robert Lee noted in a blog post on Saturday: “the indicators supposedly were related to Russia because the DHS and FBI said so – and supposedly that’s good enough.” (http://www.robertmlee.org/analytical-leaps-and-wild-speculation-in-recent-reports-of-industrial-cyber-attacks/)
By ignoring context and a fair amount of private and public sector research in lumping together Black Energy and a wide range of other, similar threats under a common banner (GRIZZLY STEPPE), a report that was supposed to nail the lid shut on Russian hacking in U.S. elections has only raised more questions about the U.S. government’s evidence against Russia and whether that evidence is being interpreted in ways that distort its actual meaning or import. The Washington Post story marked just the first, errant conclusions drawn from that errant report. Others are sure to follow – blurring rather than sharpening our understanding of the risks posed by Russia and other online adversaries.
randomErr writes: A new exploit has been found that will permanently disable the Messages app on iOS. The exploit was discovered by hacker vincedes3, who used a ridiculously complex vCard in a message. While the average vCard contains about 200-300 lines, the offending vCard contains 14,281 lines of code. When the vCard is opened, the large amount of data overloads the Messages app, which makes it shut down. When you restart Messages, it tries to read the first new message, which still contains the same vCard data, and shuts down again. There is a fix: make Siri generate a new message that pushes the bad message out of the starting position. Current iOS versions 8-10 and possibly some versions of Android are affected by this bug.
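The defensive lesson of the post is that a contact parser should bound its input before doing any work on it. The following is an added Python example, not code from the original post or from Apple: a small vCard reader that rejects cards over a constructed line limit up front (the limits and the sample-card builder are assumptions for the demonstration) and still handles RFC 6350 line folding for cards within the limit.

```python
"""Bounded vCard parsing: reject oversized input before unfolding or
interpreting it (added example; limits below are constructed)."""
from typing import Dict, List

MAX_LINES = 1000      # constructed cap; typical cards are a few hundred lines
MAX_LINE_LEN = 8192   # constructed cap on a single unfolded content line


class VCardTooLarge(ValueError):
    """Raised when a card exceeds the configured size limits."""


def unfold(lines: List[str]) -> List[str]:
    """RFC 6350 unfolding: a line starting with SP/HTAB continues the previous line."""
    out: List[str] = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
            if len(out[-1]) > MAX_LINE_LEN:
                raise VCardTooLarge("folded line exceeds MAX_LINE_LEN")
        else:
            out.append(line)
    return out


def parse_vcard(text: str, max_lines: int = MAX_LINES) -> Dict[str, List[str]]:
    """Return {PROPERTY: [values]} for one vCard, or raise on oversized/malformed input."""
    raw = [l for l in text.replace("\r\n", "\n").split("\n") if l != ""]
    # Cheap size check first: nothing below runs for an oversized card.
    if len(raw) > max_lines:
        raise VCardTooLarge(f"{len(raw)} lines exceeds limit of {max_lines}")
    lines = unfold(raw)
    if len(lines) < 2 or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        raise ValueError("not a vCard")
    props: Dict[str, List[str]] = {}
    for line in lines[1:-1]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed content line: {line!r}")
        key = name.split(";", 1)[0].upper()   # drop parameters such as ;TYPE=...
        props.setdefault(key, []).append(value)
    return props


def make_card(n_extra_lines: int) -> str:
    """Construct a sample vCard padded with n_extra_lines NOTE properties."""
    body = ["BEGIN:VCARD", "VERSION:3.0", "FN:Sample Contact"]
    body += [f"NOTE:padding line {i}" for i in range(n_extra_lines)]
    body.append("END:VCARD")
    return "\r\n".join(body)
```

`make_card(14281)` reproduces the scale the post describes and is refused before any unfolding happens, while a normal-sized card parses as usual.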
The new document is not a set of regulations, but is simply guidance designed to give manufacturers and regulators a framework for medical device security issues. This topic has become a major concern in the last few years as manufacturers have added networking and other capabilities to more and more medical devices such as insulin pumps and pacemakers.
A large portion of the FDA guidance concerns the ways in which manufacturers assess the potential exploitability of a given vulnerability and how they respond to vulnerability reports. There are well-defined processes for this kind of assessment in the normal software and hardware worlds. But medical devices are a much different story, given their dedicated purposes and the potential consequences if a vulnerability is exploited.
schwit1 writes: Scientists believe a massive object which could change our understanding of history is hidden beneath the Antarctic ice.
The huge and mysterious “anomaly” is thought to be lurking beneath the frozen wastes of an area called Wilkes Land. It stretches for a distance of 151 miles across and has a maximum depth of about 848 metres. This “Wilkes Land gravity anomaly” was first uncovered in 2006, when NASA satellites spotted gravitational changes which indicated the presence of a huge object sitting in the middle of a 300 mile wide impact crater.
The network came to light on Dec. 21 when researchers at Imperva saw a two-part DDoS attack that began with a 20-minute flood that peaked around 400 Gbps. A few minutes later, the attackers pushed the button again, this time hitting a peak volume of 650 Gbps and throwing more than 150 million packets per second at the targets. That volume of attack traffic approaches the enormous DDoS floods generated by the Mirai botnet over the last few months. The largest of the known Mirai floods was around 1 Tbps of traffic.
The Imperva researchers said the attacks from the new botnet, which they’ve named Leet, came from spoofed IP addresses and ended after a total of about 37 minutes. Aside from the high volume involved in the attacks, the other interesting piece is the makeup of the packets Leet is sending at its targets. Some of the packets are typical SYN packets, but others are more than 10 times as large as normal packets and include some very odd ingredients.
Officials said at the Apple Worldwide Developers Conference earlier this year that developers would have to support Apple Transport Security by the end of 2016. But on Thursday, the company announced that it has decided to extend the deadline indefinitely.
ATS is Apple’s collection of transport security standards designed to provide attack resistance for data that’s sent between iOS and macOS apps and back end servers. It requires apps to support a number of modern transport security technologies, including TLS 1.2, AES-128 or stronger, and certificates must be signed using SHA-2. ATS also requires the use of forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at some point in the future.
chicksdaddy writes: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help (https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information) heading off what it calls “a looming threat to information security:” powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information, The Security Ledger reports.
In a statement Tuesday, NIST asked the public to submit ideas for “post-quantum cryptography” algorithms that will be “less susceptible to a quantum computer’s attack.” NIST formally announced its quest in a publication on The Federal Register. (https://www.federalregister.gov/documents/2016/12/20/2016-30615/announcing-request-for-nominations-for-public-key-post-quantum-cryptographic-algorithms)
Dustin Moody, a mathematician at NIST said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information.
“We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B.
Researchers have until November 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the “post-quantum crypto” standards (http://csrc.nist.gov/groups/ST/post-quantum-crypto/minimum-accept-reqs.html) set up by NIST will be invited to present their algorithms at an open workshop in early 2018.
The Encryption Working Group, comprised of members of the House Judiciary Committee and House Energy and Commerce Committee, has been looking at the challenges that law enforcement and intelligence communities face with the wide deployment of strong encryption. The group said in its report that although encrypted communications present a serious obstacle for law enforcement agencies, officials in the national security community said encryption is a key part of protecting the nation’s critical infrastructure.
“Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities,” the report says.