Under the action plan, the US Department of Homeland Security and Public Safety Canada will cooperate to protect vital cyber systems and respond to and recover from any cyber disruptions, by improving collaboration on managing cyber incidents between their respective cyber security operation centers, enhancing information sharing and engagement with the private sector and pursuing US-Canadian collaboration to promote cyber security awareness to the public.
Cyber Europe 2012 will combine several “technically realistic threats” into a single escalating Distributed Denial of Service (DDoS) attack on online services in all participating countries simultaneously. “This kind of scenario would disrupt services for millions of citizens across Europe,” ENISA said. By the time the exercise is completed, the participants will have managed more than 1,000 simulated cyber incidents.
During the 2010 Cyber Europe exercise, ENISA said there were a few minor technical and communication problems. For example, some injects were delayed or slowed, along with some minor difficulties with the use of government emails in combination with VPNs.
It will be interesting to see the results of the 2012 exercise, and (hopefully) the progress that has been made, both in the technical ability to respond to cyber attacks and in communications and cooperation between the participating nations.
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post.
Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks.
In response to the discovery, Microsoft released a security advisory detailing the steps organizations should take in order to block software signed by the unauthorized certificates, and also released an update to protect customers automatically. As part of the same response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that can be used to sign code.
“There are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday's public notice,” CSM Staff Writer, Mark Clayton, noted. “One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.”
The 136-page report details how China is advancing its cyber attack and exploitation capabilities, and examines the risks to U.S. national security and economic interests, including the electronics supply chain.
The report is timely as the United States Congress is currently considering cybersecurity legislation, and the Commission hopes that this work will be useful to the Congress as it deliberates on how to best protect our networks.
“There are nation-states that absolutely have the capability (to launch a major attack), but they don’t have the intent – mostly because it wouldn’t be in their own interest, and the spillover effects would be very damaging to the world economy and a lot of other things,” said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense. “The other reason is, that type of attack, contrary maybe to what the conventional wisdom is, I think would be very difficult to disguise.”
Rosenbach was joined on the panel by Martin Libicki, senior scientist with the RAND Corporation, a global policy think tank; Adam Segal, senior fellow for counterterrorism and national security studies for the Council on Foreign Relations; Jim Lewis, senior fellow and program director for the Center for Strategic and International Studies; and Dmitri Alperovitch, co-founder of newly-created CrowdStrike.
Though the panel did not downplay the threat posed by nation-states, they did look to offer some perspective on the topic of cyber-war, discussions of which sometimes slip into hype. According to Rosenbach, countries like Iran that may have the strongest desire to launch crippling attacks against the U.S. government or the country’s critical infrastructure lack the capability.
Lewis noted it is important not to underestimate the capabilities of other countries, and he noted that the public and private sector should work to share more information – a sentiment also expressed in a keynote Tuesday by U.S. Deputy Secretary of Defense Dr. Ashton Carter.
It turns out that the hacker’s claims are off a bit. Norton is a consumer-focused product, and Symantec has confirmed that, from what it has seen thus far, the code accessed by the attackers was from its Enterprise product line.
Unlike the RSA breach, in which hackers penetrated the company’s networks to steal confidential data and intellectual property, Symantec confirmed that its own systems had not been breached. “Symantec’s own network was not breached, but rather that of a third party entity,” the company said in a statement.
“We are still gathering information on the details and are not in a position to provide specifics on the third party involved,” the company said. “Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.”
Alexander Gostev and Igor Sumenkov have put together some interesting research. The key point being the person(s) behind what the world knows as Stuxnet and Duqu, have actually been using the same development platform for several years.
"The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans," explained Alexander Gostev, Chief Security Expert at Kaspersky Lab. "The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date." “We consider that these drivers were used either in an earlier version of Duqu, or for [an] infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” Gostev explained.
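The attribution reasoning above turns on the compilation date carried in each driver's PE header. As an added illustration (not code from Kaspersky Lab or from the research quoted), the block below reads that field from a constructed minimal PE image and applies the sanity checks an analyst would want before trusting it; the field layout is the public PE/COFF format, and the forgery heuristics (zero timestamp, a timestamp later than first sighting, the fixed 1992-06-19 value Delphi-built binaries carry) are assumptions about common practice, not findings from the report.

```python
"""Read and sanity-check the compile timestamp of a PE (Windows driver/EXE) image.

Added example, not code from the original page. Assumes only the documented
PE/COFF layout: e_lfanew at offset 0x3C points at the "PE\0\0" signature, and
the COFF TimeDateStamp field sits 8 bytes after that signature.
"""
import struct
from datetime import datetime, timezone

# Constructed sample value used to build test input (not a real driver's stamp).
KNOWN_TS = 1220000000  # 2008-08-29 08:53:20 UTC

# Linker constant Delphi writes into every binary (assumed common knowledge,
# not something the quoted research states): 1992-06-19 22:22:17 UTC.
DELPHI_FIXED_TS = 0x2A425E19


def build_min_pe(timestamp: int, machine: int = 0x14C) -> bytes:
    """Build the smallest MZ/PE byte string the parser accepts (constructed test data)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes):
    """Return (unix_timestamp, UTC datetime), or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts, datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_looks_forged(ts: int, first_seen: datetime) -> bool:
    """Caveat for attribution: the field is set by the linker and can be edited.

    Flags the obvious cases: a zeroed stamp, the Delphi constant, or a build
    date later than the moment the sample was first observed in the wild.
    """
    if ts == 0 or ts == DELPHI_FIXED_TS:
        return True
    return datetime.fromtimestamp(ts, tz=timezone.utc) > first_seen


if __name__ == "__main__":
    sample = build_min_pe(KNOWN_TS)
    ts, when = pe_compile_time(sample)
    print(f"TimeDateStamp=0x{ts:08x} -> {when.isoformat()}")
    print("forged?", timestamp_looks_forged(ts, when))
```

A compile date that predates a sample's first sighting and differs from known linker constants is only weak evidence on its own; the quoted analysis pairs it with code overlap and distribution behaviour, which is the right way to use the field.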
wiredmikey writes: "Oliver Rochford writes an interesting piece on how in the western world, there is an entire commercial class of security professionals, an underground of Black Hat hackers working for financial gain, but few Hackers serving as cyber warriors.
China has publicly announced the formation of a specialized cadre of cyberwar experts, although it was clear they already possessed such forces. At the same time, Iran, Pakistan, and Russia all seem to have developed cyberwar strategies as well, and are actively engaging in executing these.
Rochford argues there is a disjoint here. Why is a nation like China, that is seen as oppressive and controlling in the west, able to motivate, cultivate and harness their hacker types, whilst ours primarily seem occupied in hacking ourselves or for the highest bidder?
When a western government has to resort to a cheap media gimmick to attempt to find cybersecurity talent, and delivers a badly thought-out and executed fiasco, only to offer an even cheaper financial reward at the end of the farce, you sort of get a feeling that we’re in trouble.
The Pentagon recently outlined its working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as result.
The main issue is attribution of cyber attacks. The Department of Defense is working to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. “..if a country is going to fire a missile at someone, it better be sure it has the right target,” said one expert.
A widely held misconception in the U.S. government is that our offensive capabilities provide a defensive advantage by identifying attacker toolkits and methods in foreign networks before they hit our networks.
wiredmikey writes: This summer, Dmitri Alperovitch from McAfee revealed discoveries of a series of targeted intrusions into 70+ global organizations. Along with revealing the attacks dubbed “Operation Shady RAT”, Alperovitch commented, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised.”
Some criticized the specifics of Shady RAT and Alperovitch’s comments, dismissing them as marketing FUD, but it appears many folks could be in agreement with Alperovitch, at least in terms of the wide array of companies that could have experienced a breach.
This week, a report from The Enterprise Strategy Group revealed that a majority of mid-to-large U.S.-based corporations believe they have been the targets of cyber attacks looking to steal sensitive data.
Additionally, 46% of large organizations that ESG categorized as “most prepared for APTs” (based upon their existing security policies, procedures, and technical safeguards) say they are vulnerable to future sophisticated attacks.
According to the report, 93% of security professionals working at enterprise organizations are either “extremely concerned” or “concerned” about APTs and the impact that APT attacks could have on vital U.S. interests such as national security and the economy.
“Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm,” Alperovitch noted during his revealing of Shady RAT. “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” Alperovitch concluded.
ESG's report suggests that the companies that have already taken proper steps to secure their assets still believe they are vulnerable to APTs. If those organizations with strong cybersecurity policies are vulnerable to APT attacks, it’s safe to conclude that nearly all organizations are vulnerable.
According to researchers, the campaign began in late April, and was initially focused on human rights organizations and later the motor industry. In late July, the attackers moved on to the chemical industry and began targeting 29 companies.
At least 48 companies are believed to have been targeted across various verticals, including the defense industry, Symantec found. Among the victims are multiple Fortune 100 companies involved in research and development of chemical compounds as well as companies that develop materials for military vehicles.
The infected computers were part of the ground control system that supports remotely-piloted aircraft (RPA) operations. According to the Air Force, the malware is not designed to transmit data or video, or to corrupt any files, programs or data. The ground system is separate from the flight control system that RPA pilots use to fly the aircraft.
According to The Yomiuri newspaper, approximately 80 systems had been infected with malware at the company's headquarters in Tokyo, as well as manufacturing and research and development sites, including Kobe Shipyard & Machinery Works, Nagasaki Shipyard & Machinery Works and Nagoya Guidance & Propulsion System Works.
"We can't rule out small possibilities of further information leakage but so far crucial data about our products or technologies have been kept safe," a Mitsubishi Heavy spokesman told Reuters. "We've found out that some system information such as IP addresses have been leaked and that's creepy enough," the spokesman added.