Monday 28 October 2013

Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

WhatsApp users, watch out! The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts. The good news? We’ve got you (proactively) covered.

Sample screenshot of the spamvertised email:
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 – detected by 31 out of 48 antivirus scanners as Trojan.Win32.Sharik.qhd
Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto\command
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6\Settings
It then attempts to download additional malware from the well-known C&C server at networksecurityx.hopto.org.
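For defenders who want to sweep hosts for this sample, the following Python script is an added example (not Webroot's tooling) that checks host artifacts against the indicators listed above: the registry keys the sample creates, the attachment's MD5 and the C&C host. The registry export, resolver log lines and file hashes it runs on are constructed; the hive aliases and the BIND-style "query:" log format are assumptions.

```python
"""Check host artifacts against the indicators from the write-up above.

Added example. The indicators (registry keys, MD5, C&C host) are quoted from
the write-up; the host records at the bottom are constructed, and the resolver
log format (BIND-style "query:" lines) is an assumption.
"""
import re
from typing import Dict, Iterable, List

C2_HOST = "networksecurityx.hopto.org"
ATTACHMENT_MD5 = "0458a01e42544eacf00e6f2b39b788e0"
REGISTRY_IOCS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document",
    r"HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6",
)

# Short hive names emitted by reg.exe, Sysmon and most EDR exports.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def normalize_key(path: str) -> str:
    """Canonical, case-folded key: full hive name, backslashes, no trailing slash.

    HKEY_CLASSES_ROOT is a merged view; the sample wrote the machine-wide
    branch, so HKCR\\X is folded onto HKLM\\SOFTWARE\\Classes\\X.
    """
    path = path.strip().replace("/", "\\").rstrip("\\")
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    if hive == "HKEY_CLASSES_ROOT":
        hive, rest = "HKEY_LOCAL_MACHINE", "SOFTWARE\\Classes\\" + rest
    return f"{hive}\\{rest}".lower()


def matching_registry_keys(observed: Iterable[str]) -> List[str]:
    """Observed keys that equal an indicator or sit beneath one."""
    iocs = [normalize_key(k) for k in REGISTRY_IOCS]
    hits = []
    for key in observed:
        norm = normalize_key(key)
        if any(norm == ioc or norm.startswith(ioc + "\\") for ioc in iocs):
            hits.append(key)
    return hits


DNS_QUERY_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.-]+)", re.I)


def matching_dns_lines(lines: Iterable[str]) -> List[str]:
    """Resolver log lines that look up the C&C host or any name under it."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if name == C2_HOST or name.endswith("." + C2_HOST):
            hits.append(line)
    return hits


def matching_files(md5_by_path: Dict[str, str]) -> List[str]:
    """Paths whose MD5 equals the attachment's hash (case-insensitive)."""
    return [p for p, h in md5_by_path.items() if h.strip().lower() == ATTACHMENT_MD5]


def check_host(registry_keys, dns_lines, md5_by_path) -> Dict[str, List[str]]:
    """Run all three checks and return the hits per category."""
    return {
        "registry": matching_registry_keys(registry_keys),
        "dns": matching_dns_lines(dns_lines),
        "files": matching_files(md5_by_path),
    }


# Constructed host records for a stand-alone run (not from a real machine).
SAMPLE_REGISTRY = [
    r"HKLM\SOFTWARE\Classes\.sewwe\ShellNew",
    r"HKCU\Software\Local AppWizard-Generated Applications\S6\Settings",
    r"HKLM\SOFTWARE\Classes\.txt",
]
SAMPLE_DNS = [
    "28-Oct-2013 09:14:02.117 client 10.0.0.5#51234: query: networksecurityx.hopto.org IN A +",
    "28-Oct-2013 09:14:03.002 client 10.0.0.5#51235: query: www.example.com IN A +",
]
SAMPLE_HASHES = {
    r"C:\Users\alice\Downloads\VoiceMail.exe": "0458A01E42544EACF00E6F2B39B788E0",
    r"C:\Windows\notepad.exe": "00000000000000000000000000000000",  # placeholder hash
}

if __name__ == "__main__":
    for category, hits in check_host(SAMPLE_REGISTRY, SAMPLE_DNS, SAMPLE_HASHES).items():
        print(f"{category}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The registry match deliberately treats a key nested under an indicator (for example the `ShellNew` subkey) as a hit, and the DNS match covers subdomains of the C&C host, since dynamic-DNS names like this one are often fronted by short-lived child labels.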

Don’t pay up! How to avoid ransomware threats – and how to fight back

For computer users, Ransomware can be among the most frightening forms of malware – suddenly, your screen is replaced by a message from the police, demanding money, or a message saying your files are lost unless you pay a ransom to unlock them.
It’s a booming business – last year, security researcher Brian Krebs reported that gangs could earn up to $50,000 per day from such malware.
This year, the Home Campaign continued to deliver ransomware via infected websites, with up to 40,000 domains infected at one point, according to ESET researcher Sebastian Duquette.

One particular form of ransomware, the filecoder, extorts money by encrypting a user’s files and demanding payment to regain access to them. “We’ve noted a significant increase in Filecoder activity over the past few summer months,” says ESET researcher Robert Lipovsky.
Below are some tips that can help – even if you’ve already fallen victim.
Don’t pay the money
No police force on Earth will lock your computer and demand money – the message is NOT from the FBI. Do not pay the money. Contact a computer professional instead, if you can’t unlock it yourself. In some cases – especially filecoders – there may be nothing you can do, but an IT professional should be your first stop.
Don’t pirate software, music or movies
Pirate sites offering free music, games or films are often infested with malware – but this summer, cybercriminals are “gaming” Google searches to infect wannabe pirates with ransomware. Ordinary internet searches lead people to such sites – with cybercriminals using “black hat” SEO to push infected sites high up in Google results, and deliver Nymaim ransomware, according to ESET researcher Jean-Ian Boutin.
“When searching for downloadable content, especially illegal downloads, it is common to notice questionable websites in the search results. What is unusual in this case is to witness a malware downloaded right away when clicking on a Google result,” says Boutin.
Don’t think that if you get past the lock screen, it’s “gone”
It is sometimes possible to get “past” the lock screen displayed by some forms of ransomware – but that doesn’t mean you’re safe. Your computer is probably still infected. Either invest in AV software or contact an IT professional for help.
If you are backed up, you’re “immune” to filecoders
Filecoders rely on one thing – that you keep unique, precious files on your PC. Don’t. You don’t keep family heirlooms in your car – you keep them in a safe. Do the same with your data. “If they have backups, then the malware is merely a nuisance,” says ESET researcher Robert Lipovsky. “So, the importance of doing regular backups should be strongly reiterated.”
“There are, however, at least two “fortunate points” about this malware: It’s visible, not hidden, the user knows he’s infected – unlike many other malware types that could be stealing money/data silently (of course, that doesn’t mean that he’s not infected with something else together with the Filecoder!)”
Try and rescue your files
Unless you have in-depth knowledge, you should contact an IT professional to help with Filecoders – and don’t get your hopes up, as many use strong encryption which is basically impossible to break. “In some cases, when the Filecoder uses a weak cipher, or a faulty implementation, or stores the encryption password somewhere to be recovered, it may be possible to decrypt the files,” says Robert Lipovsky. “Unfortunately, in most cases, the attackers have learned to avoid these mistakes and recovering the encrypted files without the encryption key is nearly impossible.”
Learn what “backup” means – and choose the right solution for you
For home users, a simple way to start “backing up” – without delving into complex solutions – is to use cloud services such as Google Drive, Dropbox and Flickr to store documents, music, videos and photos. These services offer free versions, and can at least save some of the most personal files on your computer from being devoured by malware. ESET senior research fellow David Harley writes, “What do you do if you’re a home or small business user, with no professional system administrator to explain/set you up with RAID, hot sites, replication, and all the other esoteric paraphernalia of disaster recovery? My friend and colleague Aryeh Goretsky’s paper Options for backing up your computer will help you understand the issues much better after reading it, without overdosing on jargon.”

PHP site WAS serving malicious code, owners admit after Google raises red flag

When Google’s Safe Browsing service said that programming site PHP.net was hosting and serving malware, it sparked furious discussion – but the site investigated, and has since admitted the infection, and moved to clean servers.
“The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive, but we kept digging,” the site said, but admitted that it had been serving a drive-by Javascript exploit.
Samples of the malware were posted in a discussion on Hacker News – and various posters discussed the “stealth” techniques used to avoid detection.
PHP is an open-source programming language used on millions of websites. Google’s initial warning flagged just four out of 1500 pages analyzed, according to The Register. The site’s team are still not clear how many visitors have been affected.
“It’s possible some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications,” said Martijn Grooten, a security researcher for Virus Bulletin, speaking to Ars Technica.
Grooten said that only some visitors to the site received the “extra” malicious payload, which caused browsers to connect to malicious sites and download code. The sites were UK domains whose domain name system server settings had been compromised, and resolved to IP addresses in Moldova.
“Given what Hacker News reported (a site serving malicious JS) to some, this doesn’t look like someone manually changing the file,” Grooten said, in an interview with Ars Technica.
Grooten suggests that perhaps someone “somehow compromised the web server. It might be that php.net has yet to discover that (it’s not trivial—some webserver malware runs entirely in memory and hides itself pretty well.)”
CSS Online reported widespread speculation that the incident was a “watering hole” attack, designed to lure developers and infect their systems.
PHP has promised, “a full post-mortem on the intrusion when we have a clearer picture of what happened.”

The Preliminary NIST Cybersecurity Framework published and Workshop #5 scheduled

Need some fresh infosec reading this weekend? Try the newly minted Preliminary Cybersecurity Framework (PDF) from NIST, part of the federal effort to help critical infrastructure owners and operators reduce cybersecurity risks (primarily in industries like power generation, transportation and telecommunications). This is the latest and presumably penultimate iteration of the document we first discussed here and later on here.
At 44 pages, this new version is substantially longer than the 33-page “Discussion Draft of the Preliminary Cybersecurity Framework” that appeared in August. A new section highlighting the importance of the cybersecurity workforce has been added to the “Areas for Improvement for the Cybersecurity Framework”, which is now Appendix C rather than Chapter 4. And it seems like quite a bit of work was done on the expanded Appendix B: Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program.
As with previous versions, we all get to say what we think. The official announcement says: the U.S. Department of Commerce’s National Institute of Standards and Technology will soon open a 45-day public comment period on the Preliminary Framework. The announcement of the opening of the official comment period will run in the Federal Register (the Preliminary Framework can be found at http://www.nist.gov/itl/cyberframework.cfm).
NIST will hold one more workshop to discuss the Preliminary Framework—including implementation and further governance—on November 14 and 15, 2013, at North Carolina State University. Check http://www.nist.gov/itl/csd/5th-cybersecurity-framework-workshop-november-14-15-2013.cfm for more information and to register.
The plan is to release the official framework in February 2014, heroically meeting the schedule set forth in Executive Order 13636—Improving Critical Infrastructure Cybersecurity, despite the federal government being closed for 16 days this month (including the NIST website itself).
The idea of the framework is to “foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber protections while allowing flexibility for specific approaches tailored to each business’ market and regulatory environment.”
From a technology perspective the framework—CSF as some folks are calling it—aims to be largely agnostic, focused on outcomes over specific technologies, ostensibly to encourage innovation but also, one assumes, to get something agreed upon without seeming to favor any vendors.
Here’s how NIST director Dr. Patrick Gallagher describes the goals of the CSF:
We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business…The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.
Having had just a short time to look at this latest version of the CSF I am impressed with the progress, particularly in the areas of workforce, privacy, and supply chain. But I’m a bit confused by the lack of references to a pair of topics that featured in discussions at past workshops: political resolve, and the role of cyber security insurance that my colleague Cameron Camp reported on from the Dallas workshop.
I’m sure that many privacy officers will appreciate “The Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program” as a way to steer organizations toward privacy best practices. The statement on cybersecurity workforce is worth reproducing in full.
A skilled cybersecurity workforce is necessary to meet the unique cybersecurity needs of critical infrastructure. While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure. As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments.
Efforts such as the National Centers of Academic Excellence in Information Assurance Education (CAE/IAE) and the National Initiative for Cybersecurity Education (NICE) are currently creating the underpinnings of a cybersecurity workforce for the future, and establishing an operational, sustainable and continually improving cybersecurity education program to provide a pipeline of skilled workers for the private sector and government. While progress has been made through these and other programs, greater attention is needed to help organizations understand their current and future cybersecurity workforce needs, and to develop hiring, acquisition, and training resources to raise the level of technical competence of those who build, operate, and defend systems delivering critical infrastructure services.
I go along with all of that and I think NIST is right to append this to the CSF. What’s missing is an explicit acknowledgement that without commitment and resolve at the highest levels in government and industry, this is not going to happen. Indeed, without political will behind it, the CSF effort is in danger of becoming a very helpful, but ultimately ineffectual, blueprint for what should be done, rather than a road map for what we as a society are committed to achieve: an efficient digital infrastructure that can thwart cyber attacks.

Rebuffed! Social site Buffer fights off onslaught of fruity weight-loss spam

An invasion of fruity posts offering miraculous weight loss flooded Facebook and Twitter accounts linked to the social sharing app Buffer over the weekend – appearing on official accounts for companies such as Brussels Airlines and Startup Genome.
Thirty thousand users had spam posted on their behalf, linking to a weight loss site, according to Mashable.
In response, Buffer, a “social scheduling” app, which offers timed posts for individuals and companies with a global audience, shut down. The service is up and running again now – but the company’s rapid, open response drew admiration from users, according to ZDNet.
The attack offered links to a product containing Garcinia cambogia, a vegetable extract often used in weight loss supplements, according to TechCrunch. The posts appeared on both Facebook and Twitter.
Buffer’s staff responded rapidly, offering apologies via official Twitter accounts and an open company blog – and even offered instructions on how to unlink Facebook from their own app. Service was restored quickly, and the company communicated with users via email, Twitter, Facebook and its blog.
“I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now,” the company said in an email to all users, according to Mashable.
“Proof positive that full transparency and openness is the only way to go when situations like this occur. Kudos to Buffer,” one user commented.
Buffer CEO Joel Gascoigne wrote, “Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.
We’re posting continual updates to keep you in the loop on everything. The best steps for you to take right now and important information for you: remove any postings from your Facebook page or Twitter page that look like spam. Your Buffer passwords are not affected. No billing or payment information was affected or exposed.”
The attack has echoes of a recent attack on social app Hootsuite, where a link – promising a “free Groupon of garcinia cambogia” spread on both Twitter and Facebook, and was spread via celebrity accounts such as Jane Fonda’s.

Cyberattack in Israel “shuts down” road for hours

A major road artery in Israel was paralyzed for hours by a cyberattack this September, according to a security expert speaking to Associated Press.
Attackers used a Trojan program to target a security camera system in the Carmel Tunnels toll road in Haifa, shutting down the road for hours, and causing “hundreds of thousands of dollars” in damage, according to Associated Press.
A source, speaking anonymously to Associated Press, said that Israeli experts thought that the attack was the work of a rogue group, rather than a government, due to the level of expertise involved.
The Washington Post quoted Israel’s Lt General Benny Gantz, who warned earlier this year, “a cyberattack on websites which provide daily services to the citizens of Israel. Traffic lights could stop working, the banks could be shut down.”
Vulnerabilities in systems such as security cameras have become a hot topic this year, with researchers demonstrating vulnerabilities in “connected” systems as diverse as locks and toilets.
Craig Heffner, formerly of the National Security Administration, showed off a hack against security cameras at this year’s Black Hat security conference in Las Vegas, saying he had  found “zero-day vulnerabilities” which would allow attackers to control cameras made by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision.
“It’s a significant threat,” Heffner said. “Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.”
ESET researcher Stephen Cobb discusses how such “connected appliances” can affect the home user – and offers tips on staying safe in a detailed blog post here.
According to Israeli newspaper Haaretz, utilities and infrastructure are frequent targets of cyberattacks in Israel. The Israel Electric Corporation’s servers register 6,000 unique electronic attacks every second. At a conference earlier this year, Haaretz reported Israeli intelligence experts discussing the scale of such attacks.
“What might seem like fiction already exists,” said Yair Cohen, a former commander of Unit 8200, the Central Military Intelligence and Cyber Unit of the Israeli army. “We are living in a world where 500 million cyber-attacks occur per second.”
“Most of these systems are automated, especially as far as security is concerned. They’re automated and they’re remotely controlled, either over the Internet or otherwise, so they’re vulnerable to cyberattack.”
Israeli President Benjamin Netanyahu said that Israel already faced constant attacks against its water system, electric grid, trains and banks. Utilities such as electrical companies are instituting training programs to deal with such threats, according to Business Insider.  

PRISM: NSA spooks spied on 60 million Spanish phone calls

The US National Security Agency (NSA) tapped over 60 million Spanish phone calls in one month as part of its notorious PRISM campaign, according to local newspaper El Mundo.
El Mundo reported uncovering the spy operation after receiving a classified document originally leaked by ex-CIA analyst Edward Snowden. The paper said the NSA tapped 60.5 million phone calls in Spain between 10 December 2012 and 8 January 2013. The taps reportedly did not monitor the content of the phone calls, and only tracked their location and duration.
It is currently unclear if the Spanish government is aware of the phone tapping. At the time of publishing the Spanish government had not responded to V3's request for comment on El Mundo's report.
Spain is one of many countries believed to have been targeted by the NSA as part of its PRISM campaign. Last week, reports broke claiming the NSA was illicitly tracking 35 unnamed world leaders. The identities of the leaders remain unknown; however, the German government has asked the US government to clarify whether any of its agencies tapped the phone of chancellor Angela Merkel.
News of the NSA's PRISM campaign broke earlier this year when Snowden leaked a number of classified documents to the media proving the NSA was siphoning vast amounts of web user data from companies like Google, Microsoft, Yahoo and Facebook.
The full extent of the NSA's PRISM snooping remains unknown as companies involved have been blocked from disclosing what data has been taken. The NSA has moved to downplay PRISM's significance, claiming its agents only monitored 0.00004 percent of the world's web traffic.
At the time of publishing, the US Department of Defense had not responded to V3's request for comment on El Mundo's report.

Google updates reCaptcha tool to beat the spambots

Google has updated its reCaptcha platform with advanced authentication powers to help prevent increasingly sophisticated software bots from getting past its defences.
ReCaptcha is a web authentication tool designed to force web users to prove they are a person rather than a software bot by asking the user to enter the letters displayed in a distorted panel. It is used by numerous sites to try and stop spam bots creating millions of fake accounts.
Vinay Shet, Google product manager for reCaptcha, announced the update in a post on Google's Blog, explaining the new features are based on research about how humans behave online in order to try and improve the tool's performance.
"The reCaptcha team has been performing extensive research and making steady improvements to learn how to better protect users from attackers. As a result, reCaptcha is now more adaptive and better-equipped to distinguish legitimate users from automated software," he wrote.
Shet said the new reCaptcha platform will add numeric elements and constant monitoring to the traditional text-based solution to make it even better at spotting automated bots (an example is below).
"The updated system uses advanced risk analysis techniques, actively considering the user's entire engagement with the Captcha - before, during and after they interact with it. That means that today the distorted letters serve less as a test of humanity and more as a medium of engagement to elicit a broad range of cues that characterise humans and bots," he said.
Use of numbers should stop even the most advanced bot faking its way through the test.
"Humans find numeric Captchas significantly easier to solve than those containing arbitrary text and achieve nearly perfect pass rates on them," Shet claimed. "So with our new system, you'll encounter Captchas that are a breeze to solve. Bots, however, won't even see them."
Bot machines and programmes have been a growing problem facing the security community. The bot machines are usually owned by criminal groups and are part of a wider botnet of enslaved systems. The botnets have been used by organised criminal groups for a variety of purposes, including click fraud and Bitcoin mining.

PHP.net compromised and redirecting to Magnitude exploit kit

Google detected malware on the PHP.net website, and the project’s internal team confirmed that the site had been compromised and was redirecting visitors to the Magnitude exploit kit.

The php.net website was serving malware; the alert was raised by Google’s Safe Browsing service, which warned internet users. Subsequent investigation confirmed that some of the project’s servers had been compromised: attackers succeeded in infecting the site by injecting malicious JavaScript code (userprefs.js) into some of its pages.
Security experts from Barracuda have shared a PCAP file that shows the malicious behavior: the attackers were able to inject a malicious iframe into the PHP.net website that redirected to an exploit kit. The obfuscated JavaScript “userprefs.js” inserts a hidden iframe into the webpage, which points to an external site serving malware.
Once users visited the infected page, the code started automatic detection of vulnerable plug-ins (in desktop browsers only) and the serving of malicious SWF files. The PHP team is investigating the attack; they confirmed that the server which hosted the php.net, static.php.net and git.php.net domains, and the server hosting bugs.php.net, have been compromised.
“We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full,” they shared. 
The PHP team has migrated all services to new servers to guarantee continuity of service during the investigation; it also remarked that only a small portion of website users was infected.
“JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013,” they shared, adding that over the next few days they will force a password reset of php.net users.
Fabio Assolini, a researcher at Kaspersky Lab, revealed that the attackers used the Magnitude Exploit Kit and dropped a variant of the Tepfer information-stealing Trojan, chosen for its efficiency and low AV detection rate. At the time of the attacks, the malware was detected by only five of 47 antivirus programs.
Ars Technica quoted Martijn Grooten, a security researcher for Virus Bulletin: “An analysis of the pcap file suggests the malware attack worked by exploiting a vulnerability in Adobe Flash, although it’s possible that some victims were targeted by attacks that exploited Java, Internet Explorer, or other applications.”
The following information was provided in the official update published on the website:
“As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.”
To summarize, the situation right now is that:
  • JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
  • Neither the source tarball downloads nor the Git repository were modified or compromised.
  • Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
  • SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
In the next few days php.net users will have their passwords reset as part of the incident response procedure.
“Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.”
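Both PHP.net items above describe the same injection pattern: a hidden iframe, pointing at an off-site landing page, dropped into an otherwise legitimate page. The following Python scanner is an added example (not code from PHP.net, Barracuda or Google) that flags iframes in served HTML which are both third-party and concealed, the combination a content-integrity check on your own site should alarm on. The sample page is constructed, the `.invalid` hostname is a placeholder, and the registrable-domain helper is a deliberate simplification.

```python
"""Flag concealed third-party iframes in served HTML.

Added example, not PHP.net's or Barracuda's code. The sample page below is
constructed and `malicious.invalid` is a placeholder for a landing page.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# CSS fragments commonly used to keep a frame out of view.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


def _px(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as '0' or '0px'; None if not a pixel size."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return int(m.group(1)) if m else None


def _site(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). A production
    tool would consult the public suffix list so that e.g. co.uk is handled."""
    return ".".join(host.lower().split(".")[-2:])


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attribute names arrive lowercased


def suspicious_iframes(html: str, page_url: str) -> List[Dict[str, object]]:
    """Return iframes that are both third-party and concealed, with reasons."""
    collector = _IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host  # relative src: same host
        if _site(host) == _site(page_host):
            continue  # same site: not the injection pattern we are after
        reasons = []
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE_RE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed page: one legitimate same-site frame, one concealed off-site frame.
SAMPLE_HTML = """<html><body>
<h1>PHP: Hypertext Preprocessor</h1>
<iframe src="https://www.php.net/manual/embed" width="600" height="400"></iframe>
<iframe src="http://malicious.invalid/landing.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "https://www.php.net/"):
        print(f"{f['src']}: {', '.join(f['reasons'])}")
```

A static scan of the served HTML catches frames injected server-side. In the PHP.net case the frame was created at runtime by the obfuscated userprefs.js, so the same check would have to run against the DOM after script execution (a headless browser dump) to catch it; and since only a fraction of visitors were served the payload, a single clean fetch proves little.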

LinkedIn Intro iOS app intercept user’s emails in iPhone and much more

LinkedIn has launched the LinkedIn Intro app for iOS to show LinkedIn profiles right inside the native iPhone mail client. What is the effect on privacy and security?

LinkedIn, like any other social media platform, is a mine of information for internet users, and for this reason the number of attacks against it is soaring. The principal social media platforms are extending their offerings with new services, also on mobile platforms. LinkedIn, for example, has launched a new app for iOS devices called ‘LinkedIn Intro’ that allows Apple users to see a picture of the sender, and other useful profile info from LinkedIn, when they receive an email.

How does it work?
Simple: to use the service, a LinkedIn user must route all of their email (e.g. Hotmail, Gmail, Yahoo, etc.) through LinkedIn’s ‘Intro’ servers, which inject the code necessary to display profile information in the user’s emails.
The following image shows the way LinkedIn Intro presents the information.

The downside is that LinkedIn has to access the content of users’ emails to implement this feature, and must also handle users’ passwords for their email accounts at other providers; the consequences for privacy and security are clear.
LinkedIn replied to the accusations by maintaining that the process is totally secure: according to the company, during installation its servers only temporarily cache the user’s password in order to add a new Mail account to the user’s device, and the password is cached only for the time needed to install LinkedIn Intro, and in any case never for more than two hours.
LinkedIn also accesses the contents of users’ iOS calendars, notes and call-in numbers, which it then transmits in plain text, unencrypted.
Considering that Apple doesn’t provide any development tool (e.g. APIs) to implement the feature, it is conceivable that LinkedIn operates as a man in the middle, intercepting the email in order to inject that HTML code. LinkedIn’s own engineering post describes the mechanism as follows:
Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead. The Intro proxy server speaks the IMAP protocol, just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.
Martin Kleppmann, Senior Software Engineer at LinkedIn, explained in a blog post that LinkedIn Intro doesn’t represent a threat to users’ security: users have to install the LinkedIn Intro app manually, and user data including credentials and email are not permanently stored by LinkedIn but remain on the user’s iPhone.
“We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy.”
Personally I have no doubts … considering the recent revelations on the US surveillance programs, I’m not able to see the utility of features such as LinkedIn Intro, which in my humble opinion could enlarge our attack surface and threaten users’ privacy.

Subcontractors are for hackers the weakest link in security chain

Hackers tend to target subcontractors to hit big enterprises, because of the poor level of security subcontractors offer; in the energy sector this trend is very concerning.

Let’s continue the discussion on the hacking world and the way hackers impact business with their activities. We have discussed the role of hackers for companies and their employment in the cybercrime ecosystem.
Let’s ask ourselves how a hacker would work in order to hit a company or an organization.
The numerous incidents that occur daily teach us that one of the most common ways to hack an organization is to exploit vulnerabilities in subcontractors’ networks and in the processes that govern the partnership with the target entity.
Big enterprises and organizations have in many cases been attacked through the privileged channels of subcontractors; often the subcontractors’ systems were vulnerable to attack and the target companies’ data were poorly defended.
The problem seems to extend to virtually all industries, from energy to defense: while big enterprises have adopted the necessary countermeasures to mitigate cyber threats, the economic crisis and the erroneous perception of security as a cost have led to serious shortcomings among subcontractors.
Large companies and organizations are accused of failing to carefully assess the level of security offered by subcontractors; price is often the only parameter assessed when acquiring services and products from third parties.
According to experts at Alert Logic, energy industry customers are targeted more often than those in any other industry: the number of cyber threats observed from Jan. 1st to May 23rd is nearly 9,000, and more than 50 percent of them are malware-based attacks.
Thirty-one percent of the threats were brute force attacks, in which hackers repeatedly attempt to crack passwords, the report said.
In July the ICS-CERT issued a Monitor report that revealed an intensification of brute force attacks against control systems, mainly belonging to the energy sector. The ICS-CERT received notification of more than 200 cyber attacks against critical infrastructure operators between October 2012 and May 2013.
ICS-CERT Monitor Report Energy sector
According to the ICS-CERT, the victims were targeted mostly by watering hole attacks, SQL injection, and spear phishing.
Alert Logic released a security bulletin remarking on the concerning trend.
“That’s higher than any other industry that’s going on out there,” said Stephen Coty, director of threat research for Houston-based security firm Alert Logic. “The only thing that might even come close to this would be financial.”
subcontractors energy report
The energy sector described in the report represents a meaningful example of how company cybersecurity policies, despite being very stringent on physical security, are deficient in the definition of cyber security requirements for subcontractors.
“I don’t think that they hold their contractors up to the same standards that they do their employees. I think that’s a growth issue, or understanding the risks,” Coty said.
Alert Logic revealed in March that about two-thirds of its 54 energy industry clients experienced brute-force or malware attacks, an impact higher than in any other sector.
Hackers that target subcontractors to hit a company usually follow precise steps, contextualized by Alert Logic for the energy sector:
  • Identify subcontractors that may have access to valuable information.
  • Identify the subcontractors’ employees.
  • Start a spear phishing campaign or a watering hole attack against the employees.
  • The information collected is used to penetrate the target’s computer systems.
  • The stolen credentials are used to access valuable information such as financial data or intellectual property.
Booz Allen Hamilton executive Emile Trombetti reported, for example, that hackers used that tactic to send him a message that appeared to be from his daughter during an attack, proof that the attackers had collected information about him.
“They found out my daughter’s name. They found out what school she went to. And they found out her Yahoo address. And I get an email that says, ‘Dad, it’s an emergency.’”
The security level offered by subcontractors is crucial for a company’s business: subcontractors are like appendages of the target company, and the processes they implement for data and infrastructure protection should be carefully evaluated. A good starting point is to assess compliance with the standards of clients and contractors and to carefully consider the information flows between the parties.
As long as subcontractors remain vulnerable, the entire security chain is at risk!

Israel – AP Exclusive reveals tunnel hit by cyber attack

Cybersecurity experts revealed that a major artery in Israel’s national road network, located in the northern city of Haifa, suffered a cyber attack.

Israel is considered one of the most advanced countries in cyber security, but at the same time it is a privileged target for hostile governments intent on sabotage and cyber espionage against its technology.
Israeli military officials are aware of the cyber threats that could hit the infrastructure of the country, and they fear the possible effects of a large-scale cyber attack. Israeli government websites suffer thousands of cyberattacks each day, according to Ofir Ben Avi, head of the government’s website division. The Israel Electric Corp. confirmed that its servers register about 6,000 unique computer attacks every second.
In June, Prime Minister Benjamin Netanyahu stated that Iranian militias, Hezbollah and Hamas have targeted Israel’s “essential systems” on numerous occasions, including its water facilities, electric grid, trains and banks.
“Every sphere of civilian economic life, let’s not even talk about our security, is a potential or actual cyberattack target,” said Netanyahu.
Israel’s military chief Lt. Gen. Benny Gantz recently made a high-profile speech outlining that, among the greatest threats his country might face in the future, computer sabotage is a top concern. A sophisticated cyber attack could be used to shut down Israel’s banking system, the national electric grid or a defense system; this is a nightmare for the Defense.
Cybersecurity experts revealed to The Associated Press that a major artery in Israel’s national road network, located in the northern city of Haifa, suffered a cyber attack that caused serious logistical problems and hundreds of thousands of dollars in damage.
The tunnel is a strategic thoroughfare in the third largest city of the country, and as a demonstration of its importance the city is exploring the possibility of using the structure as a public shelter in case of emergency.
It seems that the attackers used malware to hit the security camera apparatus of the Carmel Tunnel toll road on Sept. 8 and to gain control of it.
“The attack caused an immediate 20-minute lockdown of the roadway. The next day, the expert said, it shut down the roadway again during morning rush hour. It remained shut for eight hours, causing massive congestion.”
Israel tunnel under attack
The experts that investigated the incident excluded the hypothesis of a state-sponsored attack because the malicious code used was not sophisticated enough to be the work of a hostile government; the involvement of a group of hacktivists is more likely.
Carmelton, the company that oversees the toll road, blamed a “communication glitch” for the incident, while Oren David, a manager at security firm RSA’s anti-fraud unit, said that although he didn’t have information about the tunnel incident, similar attacks could represent a serious threat to the population.
“Most of these systems are automated, especially as far as security is concerned. They’re automated and they’re remotely controlled, either over the Internet or otherwise, so they’re vulnerable to cyberattack,” said David, who described Israel as “among the top-targeted countries.”
In fact, Iranian hackers and other hostile entities have successfully penetrated Israeli systems; Israel has monitored the attacks to track the hackers, profile their attack methods and conduct a disinformation campaign by making false information available.
To improve the security of Israeli civilian critical infrastructure, Israel’s national electric company recently launched a training program, jointly with cyber defense company CyberGym, to teach engineers and managers of critical plants to detect ongoing cyber attacks.
The attack scenario revealed portends an escalation of attacks by hostile entities, whether cyber criminals, hacktivists or state-sponsored hackers; it is crucial for the Israeli government to invest in the improvement of its cyber capabilities for its survival.