Tag Archive for Cyberwarfare

Cyber Attack on Google, Yahoo, Skype Certs

TechEye says that the Iranian paramilitary “Basij” group appears to have its own cyber warfare division, which is launching attacks on the websites of Iran’s “enemies.” TechEye says the paramilitary group is an arm of the Revolutionary Guard.

The Associated Press cites General Ali Fazli, acting commander of the Basij, in the state-owned IRAN paper as saying Iran’s cyber army consists of university teachers, students, and clerics. He said its attacks were a retaliation for similar attacks on Iran. The AP quotes Fazli: “As there are cyber attacks on us, so is our cyber army of the Basij, which includes university instructors and students, as well as clerics, attacking websites of the enemy … Without resorting to the power of the Basij, we would not have been able to monitor and confront our enemies.”

Iran has sought to master the digital world as a crucial step to prepare for what it calls “soft war”, which includes fighting against cyber attacks such as the Stuxnet computer worm that Iran said was aimed at sabotaging its uranium enrichment program.

Until now the secretive “Cyber Army” that emerged to fight opposition websites and blogs after President Mahmoud Ahmadinejad’s disputed re-election in 2009 was believed to be part of the Revolutionary Guard. However, in February, according to the AP, General Mohammad Ali Jafari signaled that the Revolutionary Guard supports the cyber army, describing it as a “defensive, security, political and cultural need for all countries.” Jafari claimed at the time that the Guard has been successful in cyber warfare.

In another article TechEye recounts a possible Iranian cyber-warfare success. The article identifies Iran as the “state player” which hacked important Certificate Authority (CA) certificate information at Comodo. Digital certificates are used to vouch for the authenticity of a site owner and to secure encrypted communications between sites and their users. A government that controls Internet traffic inside its country would be able to use such a certificate to gain access to encrypted e-mail and chat conversations and collect user names and passwords for individuals’ accounts, Mikko H. Hypponen, chief research officer at F-Secure, said in a blog post.

Security researcher and Tor developer Jacob Appelbaum found the compromise and alerted Google and Mozilla. USERTRUST Network, a part of Comodo, issued the compromised certificates. Writing on his blog, Mr. Appelbaum initially suspected the hack “was taken by a state-level adversary.” Comodo confirmed the attack and issued a statement naming Iran as the country it suspects. According to the Comodo blog, the incident happened on March 15th, when unknown attackers managed to get access to one of the user accounts for the RA:

An attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe. We are not yet clear about the nature or the details of the breach suffered by that partner other than knowing that other online accounts (not with Comodo) held by that partner were also compromised at about the same time.

The attacker used the username and password to log in to the particular Comodo RA account and effect the fraudulent issue of the certificates.

According to F-Secure, the targets included Google (GOOG), Microsoft (MSFT), and Yahoo (YHOO):

  • login.live.com,
  • mail.google.com,
  • www.google.com,
  • login.yahoo.com,
  • login.skype.com,
  • addons.mozilla.com, and
  • “Global Trustee.”

Google patched Chrome last week, and Mozilla managed to include the blacklist of the fraudulent certificates in Firefox 4.
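The browser-side response described above, a blocklist of specific certificates that the client rejects before any chain validation is consulted, as an added Python example (standard library only; this is not code from Comodo, Google, or Mozilla). The DER helpers, the sample-certificate builder, and every serial number and fingerprint in the blocklist are constructed placeholders, not the values of the 2011 certificates; real browser blocklists also key on the issuer name, which the constructed sample omits.

```python
import hashlib
import ssl

# --- Minimal DER helpers: enough to build and walk the start of an X.509 cert ---

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nb = first & 0x7F
        if nb == 0 or pos + nb > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER body")
    return tag, buf[pos:pos + length], pos + length

def build_sample_cert(serial: int) -> bytes:
    """Constructed sample: Certificate{ TBSCertificate{ [0] version, serialNumber } }.
    It is NOT a real certificate; only the fields the blocklist check reads exist."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] EXPLICIT INTEGER 2 (v3)
    nbytes = (serial.bit_length() + 8) // 8       # extra byte keeps the INTEGER positive
    serial_der = _tlv(0x02, serial.to_bytes(nbytes, "big"))
    return _tlv(0x30, _tlv(0x30, version + serial_der))

def build_sample_pem(serial: int) -> str:
    return ssl.DER_cert_to_PEM_cert(build_sample_cert(serial))

def cert_serial(der: bytes) -> int:
    """Walk Certificate -> TBSCertificate -> serialNumber, skipping the optional version."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                               # explicit version present: skip it
        tag, body, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return int.from_bytes(body, "big", signed=True)

def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes, the form CAs publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed blocklist. Placeholder values only, not the serials or fingerprints of
# the certificates issued in the 2011 incident.
BLOCKED_SERIALS = {0xBEEF0001, 0xBEEF0002}
BLOCKED_FINGERPRINTS = {fingerprint_sha256(build_sample_cert(0xBEEF0003))}

def check_certificate(pem: str, blocked_serials=BLOCKED_SERIALS,
                      blocked_fps=BLOCKED_FINGERPRINTS):
    """Return (blocked, reason). The fingerprint match is exact-bytes; the serial
    match catches the same certificate however it was re-encoded or re-wrapped."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    fp = fingerprint_sha256(der)
    if fp in blocked_fps:
        return True, f"fingerprint {fp[:23]}... is on the blocklist"
    serial = cert_serial(der)
    if serial in blocked_serials:
        return True, f"serial 0x{serial:x} is on the blocklist"
    return False, f"serial 0x{serial:x} is not blocked"

if __name__ == "__main__":
    for s in (0xBEEF0001, 0xBEEF0003, 0x42):
        print(hex(s), check_certificate(build_sample_pem(s)))
```

The check runs before, not instead of, normal chain validation: a certificate that passes the blocklist still has to chain to a trusted root. Keying the list on the serial as well as the fingerprint matters because the fingerprint changes if the same certificate is re-encoded, while the issuer-plus-serial pair identifies the issuance itself.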

rb-

It appears that Comodo did the right thing and made a responsible disclosure. According to reports, immediately after the breach was identified, they contacted the browser publishers and domain owners and filled them in on the situation.

As for the why? There is speculation that the Iranians wanted to control their internal dissidents. If they compromise the certificates, they could set up man-in-the-middle attacks by faking some of the world’s leading sites.

Some are speculating that it was China and not Iran behind this attack. The logic being, if they are good enough to take out a security company’s certificates, they are smart enough to spoof a few IP addresses as a decoy for investigators.

What do you think?

Did Comodo act fast enough?

Are Certificate Authority structures too complex for their own good?


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Hackers Can Target Cars

Wired reports that over 100 drivers in Austin, TX found their cars disabled or the horns honking out of control. This happened after an intruder ran amok in a web-based vehicle-immobilization system called Webtech Plus (PDF). Webtech Plus is normally used to get the attention of consumers delinquent in their auto payments. The app is operated by Cleveland-based Pay Technologies. It allows car dealers to install a black box in the vehicle that responds to commands issued through a central website and relayed over a wireless pager network.

How he got in

Austin police claim the perpetrator was Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off. The hacker allegedly sought revenge by bricking the cars sold from the Austin-area dealership. Reportedly, Mr. Ramos-Lopez’s account was closed when he was terminated, but he allegedly got in through another employee’s account. At first, the intruder targeted specific customers. The attacker later moved to access the database of all 1,100 customers whose cars were equipped with the device. It is charged that he went through the database, vandalizing the records, disabling the cars, and setting off the horns.

Cars are targets

The Webtech attack was an external attack, but Bob Brammer, CTO and VP at Northrop Grumman Information Systems (NOC), told GovInfo Security that cars themselves are likely to become targets. Mr. Brammer points out that most cars contain 50 to 100 or more tiny computers. The computers are controlled by over 100 megabytes of code that controls the accelerator, brakes, displays, steering, etc. All of these systems can be accessed through a diagnostic port that serves as the vehicle’s USB port. Mr. Brammer cites a study published in an IEEE journal: “It’s possible to take over a car, controlling the brakes, the accelerator, the steering wheel, despite whatever the driver might want to do. Our automobiles are highly vulnerable from a cybersecurity view.”

The paper, Experimental Security Analysis of a Modern Automobile (PDF), says the potential attack window could widen as more automakers open vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third-party development: “An attacker who is able to infiltrate almost any electronic control unit can leverage this ability to completely circumvent a broad array of safety-critical systems.” GigaOm cites data from iSuppli that Wi-Fi in automobiles will be integrated into 7.2 million cars by 2017.

The researchers said they took control of a number of the car’s functions and the driver could do nothing about it. They bypassed basic network security protections within the car. They then embedded malicious code in the telematics unit to erase evidence of the hack’s presence after a crash.

More theoretical than practical

Mr. Brammer, for now, sees the threat to cars as more theoretical than practical. But he says it demonstrates that we must think about cyber-security more broadly than we have in the past. “As the trend is to put more IT into everything that we do – whether it’s cars, airplanes, power grids, water supplies, whatever – we have to think about the security aspects of the design. These systems, within reason, have to be able to withstand certain types of attempts to attack or exploit them. That’s a terrible thing to have to say, but I think that’s the way the world is these days.”

Wi-Fi can give attackers an entry point into critical systems. Professor Stefan Savage of the University of California, San Diego told Technology Review: “In a lot of car architectures, all the computers are interconnected, so that having taken over one component, there’s a substantive risk that you could take over all the rest of them. Once you’re in, you’re in.” This could lead to brakes failing or the steering wheel seizing on scores if not hundreds of cars simultaneously, causing catastrophic crashes.

rb-

Cars have become more computerized. They are linked through Wi-Fi and 3G networks, making our daily transportation vulnerable to hackers and cyber-attacks. Cyber-terrorists could target cars to begin the chain of events leading to a Hollywood-style disaster. Hopefully, the auto manufacturers are going to tighten up the security of our cars. If safety belts and airbags are any guide, they will be slow to do so.

Will the auto industry tighten the security onboard cars?

Will the government have to step in?


Cyberattacks Coming

Director of National Intelligence Dennis C. Blair told lawmakers on Tuesday (02/03/2010) that the prospect of a major terrorist attack on America was the “primary near-term security concern of the United States.” The New York Times reports that Mr. Blair began his annual threat testimony before Congress by saying that the threat of crippling cyberattacks on telecommunications and other computer networks was growing. America’s top intelligence official told Congress that an increasingly sophisticated group of enemies had “severely threatened” the sometimes fragile systems undergirding the country’s information infrastructure. “Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication,” he told the committee.

He said that the surge in cyberattacks, including the penetration of Google’s servers from inside China, was a “wake-up call” for those who dismissed the threat of computer warfare. “Sensitive information is stolen daily from both government and private-sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey,” Mr. Blair said. The NYT says Mr. Blair’s emphasis on the threat points up the growing concerns among American intelligence officials about the potentially devastating results of a coordinated attack on the nation’s technology apparatus, sometimes called a “cyber-Pearl Harbor.”


Feds Still Want to Federalize Internet

Senator Jay Rockefeller (D-WV) has released a revised version of his bill that would federalize the Internet (I covered this topic earlier here). The current draft would allow the president to “declare a cybersecurity emergency” on “non-governmental” computer networks and do what’s necessary to respond to the threat.

Section 3 (2) (B) defines “cyber” as any matter relating to, or involving the use of, computers or computer networks. Section 201 (2) (B) permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.”

“I think the redraft, while improved, remains troubling due to its vagueness,” Larry Clinton told CNET. “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill,” said Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board.

A Senate source familiar with the bill told CNET that the president’s power to take control of portions of the Internet is comparable to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

In Section 201 (5), the bill requires the White House to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco, told CNET that the privacy implications of sweeping changes implemented before the legal review is finished worry him. “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue,” he says.

“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”

rb-

If your network is determined to be “critical” by the Feds, there is likely a new set of regulations coming from the same people who are giving themselves failing grades for their own cyber-security.

These new rules could impact staffing decisions and disclosure policies and open the door to a government takeover of your IT systems. This bill requires watching by anybody who uses or manages computers, a private network, or the Internet. It is likely they will sweep it in as pork on another unrelated bill, to limit public discussion.

Contact your representatives in DC.


Lessons From Botnet Demise

Brian Krebs, on the Washington Post blog Security Fix, profiled a case where a bot-herder killed 100,000 zombie clients in his botnet. The bot-herder invoked a “kill operating system,” or kos, command built into the Zeus botnet crimeware. The kos command caused the infected PCs to crash to a Blue Screen of Death (BSOD). The Madrid-based security services firm S21sec reports that invoking the kos command only results in a blue screen and subsequent difficulty booting the OS. There appears to be no significant data loss, and neither the Trojan binaries nor the start-up registry entries are removed. In that post, S21sec looks at what happens to an infected computer when it receives a Zeus kos.

Russian botnet

The Zeus crimeware was designed by the Russian A-Z to harvest financial and personal data from PCs with a Trojan. UK computer security firm Prevx found the Zeus crimeware available for just $4,000. The fee includes a DIY “exe builder” which incorporates a kernel-level rootkit. According to Prevx, this means it can hide from even the most advanced home or corporate security software. RSA detailed the capabilities of Zeus crimeware in 2008. Zeus also includes advanced “form injection capabilities” that allow it to change web pages as they are rendered on the user’s PC, after the website has served them. For example, criminals can add an extra field or fields to a banking website asking for credit card numbers, social security numbers, etc. The bogus field makes it look like the bank is asking you for this data after you have logged on, while you believe you are securely connected to your bank.

rb-

The reason for BSODing 100,000 machines isn’t quite clear. Several security experts have offered up their opinions, including S21sec and Zeus Tracker (currently down due to an apparent DDoS). What is clear are the implications of this action.

Botnets and their related crimeware are dangerous for more and more reasons. They can steal massive amounts of personal data. They can launch denial-of-service attacks, and they can execute arbitrary code. I agree with Krebs that the scarier reality about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker.

Politically motivated attackers

For the time being, it is still in the best interests of the attackers to leave the compromised systems in place so they can plunder more information. However, imagine the social chaos if the 9 million PCs infected with Conficker, including those in hospitals from Utah to the UK, were under the control of Al-Qaeda or other similarly minded groups. These politically motivated attackers could order all the infected machines to BSOD, creating computer-enhanced chaos. One of the forgotten lessons of 9-11 is that our technology can be hijacked and turned against us. This could be the opening into a new type of cyber warfare.
