Attack on critical infrastructure is the main concern for worldwide security community, every government has become aware of the risks related to a cyber attack against their own country and is investing to improve its cyber capabilities.

Day after day the number of attacks against critical infrastructure is increasing at an alarming, US is among the most targeted countries, a report issued by U.S. Congressmen Ed Markey and Henry Waxman revealed that  that the quantity of assaults against core infrastructure continues to rise.

The report, titled “Electric grid vulnerability” report, states that a utility facing roughly 10,000 attacks every month, the study is based on 160 surveyed U.S. utilities.

The most concerning aspect is that around 10 % of US critical infrastructure are daily under attack of various types, such as malware based or spear-phishing attacks.

The report highlighted the economic impact of grid vulnerabilities, it is estimated that power outages and related damage cost the U.S. economy between $119 to $188 billion per year and a single successful cyberattack can cause losses upwards of $10 billion.

The Department of Homeland Security demonstrated that 2012 registered an increase of 68 percent in comparison to 2011 for the number of cyberattacks against US critical infrastructure, industrial bodies and Federal offices.

Every day there are numerous attacks conducted to discover vulnerabilities within these critical systems, many of these attacks is perpetrated in an automatic and method manner.

A Midwestern power provider declared that it was “subject to ongoing malicious cyber and physical activity. For example, we see probes on our network to look for vulnerabilities in our systems and applications on a daily basis. Much of this activity is automated and dynamic in nature – able to adapt to what is discovered during its probing process.”

To respond the increasing threat of cyber-attack security community has called on Congress to provide a federal authority with the necessary power to ensure the grid protection from potential cyber-attacks, but despite these calls for action since now Congress has not provided any governmental entity with the necessary capabilities.

Today the protection of  the nation’s electricity grid from cyber-attack is referenced “by voluntary actions recommended by the North American Electric Reliability Corporation (NERC), an industry organization, combined with mandatory reliability standards that are developed through NERC’s protracted, consensus-based process. Additionally, an electric utility “

“Almost all utilities surveyed are compliant with mandatory NERC standards but totally ignore recommendations by NERC. The report provided disturbing data, for example despite NERC has established both mandatory standards and voluntary measures to protect against Stuxnet warm, the implementation of voluntary countermeasures was overruled.”

Stuxnet voluntary measures have been implemented by only 21% of IOUs, 44% of municipally- or cooperatively owned utilities, and 62.5% of federal entities reported compliance, an alarming data in my opinion.

The cybercrime is considered the most dangerous threat for US critical infrastructure that are under unceasing cyber attacks, its menace is more concerning of terrorism, because the increasing sophistication level of the attacks.

Fortunately despite the delay in the adoption of proper countermeasures for many US critical infrastructures hasn’t yet caused a successful breach of their systems.

As usual there are different opinions, some say the report provides a false overview on real security of national critical infrastructure that are protected from external cyber attacks thanks the compliant of mandatory standards set by the NERC.

“The majority of those attacks, while large in number, are the same attacks that every business receives” through web-connected networks,” ”Those are very routine kinds of attacks and we know very well how to protect against those…Our control systems are not vulnerable to attack,” Arkansas Electric Cooperative Corporation Chief Executive Duane Highley told Reuters.

It is my opinion that whatever the actual state of infrastructure is necessary that all measures are taken to ensure  protection from the attacks of increasing complexity.

Pierluigi Paganini

(Security Affairs – Cyber Security, US critical infrastructure)

The post US critical infrastructure under unceasing cyber attacks appeared first on Security Affairs.

The Federation of Small Businesses issued an interesting study on cost of cybercrime suffered by small businesses in the UK.

Cost of cybercrime is usually evaluated for large corporate underestimating its dramatic effect on small business, small companies are in fact most vulnerable to the increasing cyber criminals and hacktivists.

An interesting study conducted by the Federation of Small Businesses on cost of cybercrime in UK revealed the incidence of the phenomena on the small business, worrying losses for billions of pounds every year, the average small firm facing a near £4,000 cost.

The Federation of Small Businesses declared that around 30% of its members had been victims of fraud, majority of crimes is related to virus infections, more than 50% of small business was hit by a malware, 8% of UK small business had been victims of hacking and around 5% had suffered security breaches.
The report of the Federation of Small Businesses revealed that cost of cybercrime and fraud for its 200,000 members is around £800m a year, (£3,926 each on average), but according the analysts the total cost is much bigger for total UK small business.
According the FSB estimation, by projecting the data related to the small business on a national scale the cost of cybercrime is greater than  £18.8bn based on the FSB’s average.

In the UK there are around 4.8 million small firms and despite the impact of cybercrime and the high frequency of malicious events almost 20% had taken no countermeasure to mitigate the cyber threats..

“Cybercrime poses a real and growing threat for small firms and it isn’t something that should be ignored,”

“Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth”.

“Many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime.”

“While we want to see clear action from the government and the wider public sector, there are clear actions that businesses can take to help themselves.”said Mike Cherry, the FSB’s national policy chairman, referring the effect of cybercrime on UK businesses.

The scenario is alarming, on one side the activities of cybercrime are becoming even more sophisticated and pounding, on the other side the response of Small business is still inappropriate with obvious repercussion, due this reason the FSB issued new advice to small firms encouraging the implementation of the security mechanisms and the adoption of best practices.

The FSB issued 10 tips to suggest businesses how to protect their assets from cybercrime, including a combination of standard security protection steps (e.g. Define and constantly update security policy, keep systems updated, protect networks with firewall, use and update antivirus and anti-spam software).

Security is a must for the growth of the entire United Kingdom, security minister James Brokenshire commented the results proposed by the study spurring the action and in the adoption of a proactive approach to cybercrime.

 ”We need to make sure that all businesses, large and small are engaged in implementing appropriate prevention measures in their business”

“This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

“We know only too well of the importance of securing buy-in from both big and small business in implementing appropriate protection against cyber risks – business success can depend on it. Increasing security drives growth.” said Business minister David Willets added.

To limit the impact of cybercrime and reduce the cost of cybercrime another fundamental issue is the information sharing on cyber attacks, incidents and data breaches, the Government issued The Data Protection Bill will force companies to denounce every incidents and data breaches. Despite the Act there is still much to do, the strong support of the Government and principal enterprises is an essential factor to support the growth of a security culture that could help to reduce the effect of cybercrime.

Pierluigi Paganini

(Security Affairs – Cybercrime)

The post Cost of cybercrime for UK Small Businesses appeared first on Security Affairs.

Google data breach is reality and Google Company’s Surveillance Database has been violated by the same hackers who breached Google’network in 2010, the attackers have obtained the access to the company’s tracking system for management of surveillance requests from law enforcement.

The news has been published by the Washington Post and confirmed the voices on the Google data breach.

The database hacked is used by Google company to archive the court orders submitted by law enforcement who are investigating on a user’s profile, but the repository also includes classified Foreign Intelligence Surveillance Act (FISA) orders that are used in foreign intelligence surveillance investigations.

FISA is a US law which outlines practices for the physical and electronic surveillance and “collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers”, “the sections of FISA authorizing electronic surveillance and physical searches without a court order specifically exclude their application to groups engaged in international terrorism. “

The Google’s database contained precious information on surveillance activities conducted during the last years, it’s clear the purpose of the attack, it was arranged to gather information on law enforcement and intelligence agency’s investigation on Chinese intelligence operatives in the US, a former US official confirmed to the Washington Post it:

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” 

The Post states:

“The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies.”

In 2010 numerous companies were hacked by Chinese hackers, including Adobe and many other financial institutions and defense contractors, with a series of sophisticated cyber attacks. The attackers stolen from Google source code and also tried to access to the Gmail accounts of Tibetan activists.

The hackers that targeted Google in December also hit 33 other companies using a zero-day vulnerability in Adobe Reader to deliver malware to the victims and steal  source-code management systems to obtain the access to company source code as well as to modify it to make customers who use the application vulnerable to attack.

The Google data breach was originated in China, Secretary of State Hillary Clinton publicly condemned the intrusion requesting for the Chinese Government to give information on the attack.

Google hasn’t confirmed the impairment of its systems for processing law enforcement surveillance requests, but announced to stop collaborating with Chinese authorities for censoring Google search results in that country.

Google isn’t unique victims of this new wave of attacks, last month, a senior Microsoft official denounced that Chinese hackers had targeted the company’s systems having the same function of Google Surveillance DB about the same time that Google’s was breached.

“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, said at a conference near Washington, according to a recording of his remarks. “If you think about this, this is brilliant counterintelligence,” he said in the address, which was first reported by the online magazine CIO.com. “You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”

According the Washington Post,  Justice Department faced with Google resistance to show evidence of the attacks providing full access to internal logs and to authorize a further forensic investigation of the breach … It is still unclear what Google provided to the investigators.

Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, commented the attacks defining them a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector.

“Those,”  “clearly need strengthening.” DuBose said,

The incidents raise once again the need to share information on cyber attacks and data breaches, incidents like these are clear indications of ongoing sophisticated intelligence operations.

Pierluigi Paganini

(Security Affairs – Cyber espionage)

The post Google data breach, Company’s Surveillance Database hacked appeared first on Security Affairs.

Zero-days exploits are considered a primary ingredient for success of a cyber attack, the knowledge of zero-day flaw gives to the attacker guarantee of success, state-sponsored hackers and cyber criminals consider zero-day exploits a precious resources around which is grown a booming market.

Zero-day exploits could be used to as an essential component for the design of a cyber weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested entities for the use of these malicious code.

Recent cyber attacks conducted by Chinese hackers might lead us to think Chinese Government is primary buyer/developer for zero-day vulnerabilities, but a report recently published by Reuters claimed the US government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”

Reuters revealed that the US Government, in particular its intelligence agency and the DoD are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.”, it’s a news way to compete with adversary in cyberspace.

Recent tension between China and US gave security experts the opportunity to discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities.

Both countries are largely invested in the creation of new cyber units, but according intelligence sources, offensive approach seems to be most stimulated by the need to preserve the security in the cyberspace.

NSA chief General Keith Alexander told Congress that the US Government  is spending billions of dollars every year on “cyberdefense and constructing increasingly sophisticated cyberweapons” this led to the birth  of “more than a dozen offensive cyber units, designed to mount attacks, when necessary, at foreign computer networks.”

Popular hacker Charlie Miller, security researcher at Twitter, with a past collaboration with NSA confirmed the offensive approach to cyber security:

 ”The only people paying are on the offensive side,”

The emerging zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According Reuters defense contractors and intelligence agencies “spend at least tens of millions of dollars a year just on exploits”.

The zero-day market is very complex due high “perishability” of the goods, following some key figures of a so complex business

Difficulty finding buyers and sellers – It’s a closed market not openly accessible. Find a buyer or identify a possible seller is a critical phase.

Checking the buyer reliability – The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many individuals about the discovery in an attempt to find a buyer with obvious risks.

Value cannot be demonstrated without loss – One of the most fascinating problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation.

Exclusivity of rights - The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous parties, or even disclosing the information publicly, after the sale.

Current approaches to zero-day vulnerabilities are to be bought up exploits avoiding that they could be acquired by government’s opponents such as dictators or organized criminals, many security firms sell subscriptions for exploits, guaranteeing a certain number per year.

The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both actors have started to code their own zero-day exploits.

“Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.”

The Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to compromise target  networks.

The choice of a government to acquire a zero-day exploit to use it against a foreign governments hide serious risks for its country, cyber terrorist, cyber criminals or state-sponsored hackers could  reverse engineer the source code to compose new malicious agent to use against the same authors.

The most popular example is the case of Duqu malware, a powerful spyware designed “to steal industrial-facility designs from Iran.”  which code was adopted by cybercrime industry to be the active components in popular Blackhole and Cool exploit kits.

In many cases the efficiency of these zero-day exploits has a long life due the presence of not updated target systems, typical zero-day attack has an average duration of 312 days and once publicly disclosed it is observable an increases of 5 orders of magnitude of the volume of attacks.

Reuters reported to have reviewed a product catalogue from one large contractor, it contained various applications for cyber espionage purposes. The article refer of a product “to turn any iPhone into a room-wide eavesdropping device” and another one “was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren’t connected to anything.

The product portfolio is very wide including tools for getting access to computers or phones and tools for grabbing different categories of data, it’s clear that majority of these products exploits zero-day vulnerabilities on various application and OSs …. most of the programs cost more than $100,000.

Based from my experience the cost of a zero day-day depends on a multitude of factors such as the product target, its diffusion level and of course the scope of use, a zero-day sold to a government could have a price up to 100 times an exploit kit sold to private industry.

Which are the principal mediators for zero-day sale?

The Grugq is the famous one but also small firms like Vupen and Netragard and other defense contractors such as Northrop Grumman operate this growing market.

Netragard’s founder Adriel Desautels says he’s been in the exploit-selling game for a decade, and describes how the market has “exploded” in just the last year.  He says there are now “more buyers, deeper pockets,” that the time for a purchase has accelerated from months to weeks, and he’s being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago.

Prepare for the worst, the explosion in demand for zero-day leaves little doubt about the true intentions of governments and the impact is certainly not confined to just cyberspace.

Pierluigi Paganini

(Security Affairs – Cyber security, Zero-day vulnerabilities)

The post Zero-day market, the governments are the main buyers appeared first on Security Affairs.

Operation Hangover, this is the name assigned by Norman Shark’s security analyst team to an interesting report revealing a large and sophisticated cyber-attack infrastructures that appears to have originated from India.
The cyber attacks have primary purpose of cyber espionage, they seem to be conducted by private entities over a period of three years. The attacks are still ongoing and there is no evidence of state-sponsored commitment, even if principal security experts are convinced that we are facing with a a government intelligence operation.

The concerning news is that the cyber espionage campaign Operation Hangover is still ongoing gathering information from national security targets and private sector companies mostly based in Pakistan and in the United States.

The story begun on March 17th, when a Norwegian newspaper revealed that Telenor, Norway’s major telecommunications company,  denounced to the authorities an unlawful computer intrusion, the attack was malware based and Norman Shark analyst team revealed that many other similar intrusions hit the company.

The Norman Shark’s team discovered that hackers of Operation Hangover used spear phishing emails targeting senior management of corporate and government institutions.

“Spear phishing to carefully-selected target individuals was the primary attack vector identified in the investigation. The attackers went to great lengths to make the social engineering aspects of the attack appear as credible and applicable as possible. In many cases, decoy files and websites were used, specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. Victims would click on what appeared to be an interesting document, and begin the long-running infection cycle.” Report states.

Analyzing IP addresses used by cyber criminals it appears that victims are located in more than a dozen countries, the claim that they are originate from India is based on analysis of IP addresses, website domain registrations and text-based identifiers contained within the malware used for attacks.

The malicious code used in the Operation Hangover campaign relied on various well-known previously identified vulnerabilities in popular software applications and browsers, such as Java and Word documents.

But how is it possible that well know vulnerabilities are exploited for a massive cyber espionage campaign?

The fact that the Operation Hangover was successful suggests that government organizations, defense and private businesses do not properly manage the update of their systems exposing them to serious risks. Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway declared:

“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” “The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”

The words of Fagerland leave no doubt, a group of hackers is targeting with sophisticated techniques an extreme diversity of the sectors, the investigation is still ongoing by international authorities.

The security analysts at Norman Shark evidenced a professional project management approach used for the campaign and the outsourcing of key tasks.

 “Something like this has never been documented before,” “This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” commented Fagerland on code outsourcing and on the fact that hackers exploited well known flaws in popular applications.

Cyber ​​espionage is becoming one of the most frequent activities in cyberspace, its actions can cause devastating effects on entire economies and identify campaigns is becoming more and more complicated, but in cases like this the failure to update the target system has certainly contributed to the success of operations.

Pierluigi Paganini

(Security Affairs – Cyber espionage)

The post Operation Hangover, the Indian Cyberattack Infrastructure appeared first on Security Affairs.

The World Summit on the Information Society Forum (WSIS) represents the world’s largest annual gathering of the ICT for development  community, the event is organized by ITU (INTERNATIONAL TELECOMMUNICATION UNION) and during the last edition it was held a high level session dedicated to the topic “Securing Cyberspace in a borderless world: Vision 2015 and Beyond”.

I find the topic very interesting for all cyber security professionals, the dialogue at WSIS was moderated by Mr Kim Andreasson, Managing Director of DAKA advisory AB and editor, Cybersecurity: Public Sector Threats and Response.

The WSIS Forum 2013 was held from the 13-17 May 2013 at the ITU Headquarters in Geneva. This year the Forum attracted more than 1800 WSIS Stakeholders from more than 140 countries. Several high-level representatives of the wider WSIS Stakeholder community graced the Forum with more than 60 ministers and deputies, several ambassadors, CEOs and Civil Society leaders contributing passionately towards the programme of the Forum.

Several key panelists from different expert fields have taken part in the WSIS meeting:

• Dr Hamadoun Touré, Secretary-General, ITU
• H.E. Mr Diego Molano Vega, Minister, Ministry of ICT, Colombia
• H.E. Amb. Dr. Theodor H. Winkler, Director, DCAF, Switzerland
• Ms Ingrid Deltenre, Director General, EBU, Switzerland
• Mr Chris Painter, Cybersecurity Coordinator, Department of States, USA (http://www.state.gov/r/pa/ei/biog/161848.htm)
• Mr Stuart Carlaw, Chief Research Officer,  ABI Research, United States
• Mr Ilya Sachkov, CEO, Group IB, Russian Federation (http://group-ib.com)
• Mr John Carr, Secretary, Children’s Charities’ Coalition on Internet Safety, United Kingdom

I suggest to read the paper prepared by Dr Hamadoun Touré, Secretary General ITU which covers different problems, trends and views on the cybersecurity situation in the world, as well as key principles of ITU for making trust and peace in the modern world.

Dr.Hamadoun I. Toure also mentioned that according to the most recent statistics annual losses of over 100 billion dollars are being caused by cybercrime, and that some 550 million people are being targeted by cyberattacks every year. In financial terms, this is the equivalent of the entire GDP of a country like Morocco, Slovakia or Bangladesh. In population terms, it is the equivalent of more than all the inhabitants of Europe. Every second, 18 adults become a victim of cybercrime, resulting in more than 1.5 million cybercrime victims each day on a global level.

I decided to interview the Group-IB CEO, who was one of the representatives from the private sector during the WSIS meeting. Group-IB is one of the leading companies in fraud prevention, cybercrime and high-tech crime investigations and that often support me in my analysis on security issues.

1) Ilya, what were the most interesting topics of discussion during the high-level dialogue organized during WSIS 2013? 

The panelists shared their opinions on modern cybersecurity problems, starting from reducing the risks of harmful use of ICT to the child protection in WEB. I can say, that such dialogue on high level can help the governments, private sector of different countries and society to get an actual view on the situation in the field.

2) What key problems in modern cybersecurity can you figure out? 

One of the most important question is that private sector should collaborate with governments more closely, as the most actual and interesting information for reducing the cybersecurity risks is in private sector hands. Some countries have some political barriers of cooperation which makes cooperation absolutely not clear and impossible, as well as the same problems within own country. The role of private and non-commercial expert companies and organizations is increasing each day and one the best way is to link it with government efforts to make the cyber world safer.

Many private companies with cybercrime solutions are cooperating on the back-end by sharing data on cyber threats anonymously via signatures in a so called “Eco Systems”. This allows their big data analysis programs to flag malware and threats before damage is done to networks.

3) What do you think about the role of governments, along with intergovernmental bodies such us UN and the ITU in modern cybersecurity? 

I have already mentioned it a bit in the previous point, but it will be important to say that private-public partnership shows good results. In regard of Russia and former USSR countries, CERT-GIB (Group-IB’s CERT) acts in very close cooperation with international LEA, domain registers, ISPs and hosting provers to reduce cyber security threats .RU, .РФ, .SU and shows efficient results in botnets tracking and cyberthreat intelligence each day, operating 24x7x365.

Law enforcement agencies, such as FBI and Russia’s FSB, are seeing threats to national critical infrastructures like power grids and banking sectors, and are making overtures about “Sharing” data and intelligence with relevant private partners. Even some newly proposed cyber security laws and new agencies are reflecting this change from traditional law enforcement culture.

4) As far as I know Group-IB is a member of IMPACT-ITU, what benefits or advantages you have in this plan? Is this structure efficient for reducing the cybersecurity risks? What is your role there? 

Yes, we are very proud and happy, that Group-IB and its CERT are members of IMPACT-ITU. I can say, that it is one of the most powerful and expert organizations in the world, organized with the support of ITU. We share cyber threat intelligence information within IMPACT-ITU member community, targeted for public and critical infrastructure sectors.

The security in the cyberspace is a global need, the cyber threats are increasing in recent months, as has happened before, and the trend is to a relentless growth, to mitigate the risks it is necessary an approach on a global scale that request the participation of governments and private companies that must share information of principal cyber menaces and  define a global recognized law framework … only in this way we can reduce risks to an acceptable level.

Pierluigi Paganini

(Security Affairs – Cyber security)

The post WSIS Forum 2013 – Securing Cyberspace in a borderless world appeared first on Security Affairs.

A new Mac Malware has been detected at recent Oslo Freedom Forum workshop, the concerning discovery has been made by the popular security expert Jacob Appelbaum.

“Hundreds of the world’s most influential dissidents, innovators, journalists, philanthropists, and policymakers will unite in the Norwegian capital for a three-day summit exploring how best to challenge authoritarianism and promote free and open societies.”

Appelbaum is best known for his work in the fight of online anonymity (e.g. Tor Project) and for his participation in numerous activities in the defense of human rights and free access to the Internet.

During  workshop is debated the topic of government surveillance, the experts who participated to the event discussed the uncomfortable subject and many other topics such as dictatorship, censorship and activism.

During the recent months many cyber espionage campaigns have been uncovered, in majority of the cases governments used malicious codes to track dissident and political opponents, the phenomena have global diffusion and are of great concern to those who are fighting for humanitarian rights and freedom of expression.

This edition of the forum,  The fifth, will be reminded also for the discovery of  Appelbaum, a new strain of malware with backdoor capabilities on Mac OS has been detected on an Angolan activist’s machine.

Appelbaum sustained that the Angolan activist’s PC was compromised in a spear-phishing attack used to spread the Mac Malware.

F-Secure security firm was one of the first firm that investigated on the Mac Malware, the researcher known as “Brod,” is investigating on the malicious agent. F-Secure security advisor Sean Sullivan published an interesting post on the case, the Mac Malware code is signed with a legitimate Apple Developer ID and it is able to take screenshots storing them image files in a folder called “MacApp.”.

Appelbaum confirmed via Twitter that Apple has revoked the Developer ID with which the malware is signed

The spyware implements simple spying functions, it is able to capture images of the victim’s screen and transfer the data to a Command & Control server, the security researchers found two C&C server located in France and in the Netherlands.

Sullivan wrote that the French C&C server would not resolve and the Dutch displayed a “Forbidden” access message.

Sullivan and Appelbaum revealed on Twitter that Mac malware detected appeared to be linked to an older Mac malicious code called HackBack.

VirusTotal assigned to the Mac Malware a Detection ratio of 1/46 that means that  only F-Secure antivirus vendors is currently detecting the threat identifying it as as Backdoor: OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e).

Pierluigi Paganini

(Security Affairs – Cyber espionage)

The post Mac malware detected by Appelbaum at Oslo Freedom Forum appeared first on Security Affairs.

Yahoo Japan Corp is investigating on a possible data breach that exposed the user IDs of 22 million accounts, another shocking event that raise the necessity to improve security level of customer’s data.

22 million user IDs may have been stolen during an unauthorized access to the administrative system of Yahoo! Japan web portal,  the announce has been done by the same company:

“We don’t know if the file (of 22 million user IDs) was leaked or not, but we can’t deny the possibility given the volume of traffic between our server and external terminals,” the company reported in an official statement.

Why Yahoo! Japan?

Yahoo! Japan is controlled by Japan’s mobile phone operator SoftBank (35.5%) and  Yahoo! Inc (34.7%), what is interesting is the market share of the portal Yahoo! Japan that holds 50% of the top search engine position in Japan, a figure superior to the Google concurrence at 40%, it’s clear that the corporation represents a privileged target of cyber criminals and state-sponsored hackers.

Which information has been stolen exactly?

According first investigation it seems that the exposed information doesn’t include any data that could be used to identify the user’s identity or that could be exploited successively to force password reset.

Yahoo! has immediately started the incident response procedure adopting any countermeasure to prevent further incidents.

On the case is also working the Japan’s national police agency that recently announced the  launch an investigation team specialized in cybercrimes, let’s remind that in the last years the Japan has been hit by a huge quantity of cyber attacks that interested the Japan Aerospace Exploration Agency, Sony and Government itself.

Pierluigi Paganini

(Security Affairs – Data Breach)

The post Yahoo Japan suspects 22 million user IDs stolen appeared first on Security Affairs.

Facebook has many vulnerabilities exactly as any other software and daily hackers try to exploit them, the primary concerns of security experts are related to flaws in the popular social network that could all allow attackers to inject external malicious links or images to the Facebook bulletin board.

Using injection techniques the attackers could elude security mechanisms and hijack a Facebook account with serious repercussion on user’s privacy.

The popular security expert Nir Goldshlager,  Founder/CEO of Break Security, found  a serious vulnerability that allows attacker to post spoofed messages from any application on Facebook such as Spotify, Skype and Pinterest.

The vulnerability is still unfixed today and it makes possible data spoofing from any Facebook app.

Let’s step to 2012 analyzing the method used by Facebook to publish content on the wall called stream.publish, the Stream Publish Dialog has the following format:

https://www.facebook.com/dialog/stream.publish?app_id=xxxx&redirect_uri=http://www.facebook.com/&action_links=&attachment=%7B%27media%27:%20[%7B%27type%27:%20%27flash%27,%27swfsrc%27:%27http://files.nirgoldshlager.com/goldshlager2.swf%27,%27imgsrc%27:%27http://www.vectorstock.com/i/composite/41,30/hacked-pc-vector-194130.jpg%27,%27width%27:%27130%27,%27height%27:%27%20130%27,%27expanded_width%27:%27500%27,%27expanded_%20height%27:%27500%27%7D],%27name%27:%27xxxx%27,%27caption%27:%27xxxx%20Application%27,%27properties%27:%7B%27xxx%27:%7B%27text%27:%27Download%20xxx%27,%27href%27:%27http://nirgoldshlager.com%27%7D%7D%7D

A hacker could manipulate the  app_id and attachment (swfsr,imgsrc,href) parameters to conduct an attack. If the “Stream post URL security” option is disabled by the author of that application, a hacker can upload specifically crafted content, like a swf file, as attachment parameter.

In the post on the Break security web site is reported:

“every time a victim visits my wall post, they will see content spoofing from a Facebook application that they generally trust. Clicking the link on the post makes an swf file from the external website execute on his client machine.“

In 2013 the situation is changed, Facebook eliminated the stream.publish option, instead opting for a Feed Dialog to publish app activity.

Nir Goldshlager has not lost his nerve and analyzed the Feed Dialog and the parameters used to spoof app content.

Following the details of parameters used in Feed Dialog

1. Link parameter: With this parameter, we will include our malicious external link (virus exe file, 0days, Phishing site, or any other malicious link. 
2. Picture Parameter: This parameter is only usable if we want to spoof the content with an image. The content of the image will only display correctly on our Wall post. It will not display correctly in the newsfeed, making it relevant only to wall post app spoofing.
3. Caption Parameter: This parameter will allow to an attacker choose from which website the content came from, For Example: Facebook.com Zynga.com Ownerappdomain.com
4. Name Parameter: This parameter produces the title we desire. Whenever the victim clicks on that title, he will be taken to our malicious website.

The post proposes a proof of concept video that present the Facebook hack for some various applications such as Skype and SoundCloud.

SoundCloud:

https://www.facebook.com/dialog/feed?app_id=19507961798&link=http://nmap.org/dist/nmap-6.20BETA1-setup.exe&picture=http://www.atpfestival.com/assets/img/soundcloud.png&name=Download%20SoundCloud%20For%20Windows&%20caption=http://soundcloud.com&description=&%20redirect_uri=https://facebook.com

Skype:

https://www.facebook.com/dialog/feed?app_id=260273468396&link= https://touch.facebook.com/apps/sdfsdsdsgs &picture=http://he.downloadastro.com/static/files/24/3b/29/243b29a6163cc99e359f4c354422f238.jpg&name=Download%20Skype%20New%20Version&%20caption=http://skype.com&description=&%20redirect_uri=https://facebook.com

 The author suggests the following solutions to solve the problem:

• Use  Stream post URL security=Enabled in App settings (developers.facebook.com), To prevent  content spoofing on your App.
• Use Bonus Video (Advanced Spoofing Apps Links, Fixed By Facebook Security 2012)
• Use  Stream post URL security=Enabled

The flaw discovered by Goldshlager allow cyber criminals to spoof the content of any Facebook application, they could adopt the technique of attack to install malicious code on the user’s machine or deceive user with social engineering attack.

Pierluigi Paganini

(Security Affairs – Hacking)

The post Nir Goldshlager reveals how to hack Facebook Apps appeared first on Security Affairs.

Group-IB researchers have detected a new botnet named Kangoo that infected more than 150 000 machines, specialists dubbed it «Kangoo» due the presence of  a kangaroo logo on the WEB-interface of the C&C administrative panel. The botnet mainly targeted Australian banking with an emphasis on online-banking theft, customers of the leading AUS banks, such as Commonwealth Bank, Bank of Queensland, Bendigo and Adelaide Bank and ANZ, were affected.

According to the information provided by Group-IB, ANZ and Bank of Queensland reacted on the fraud alert immediately and the specialists from Group-IB shared with them information extracted from the botnet with the details of compromised customers, following some data collected by Group-IB Bot-Trek system.

Who is responsible for the banking theft? Is it the bank’s fault?

One of the most important issues currently facing  the bank is the incident response related to banking trojan infections of its customers, the procedure is still quite complicated, many banks prefer to notify the infected customer  and ask for online-banking credential reset.  Unfortunately this practice is absolutely not efficient because the malware is often still present in the victim’s PC and could capture a new credential a second time and forward to a controlled server.

 «The bank can suggest to the customer that their PC may be infected, but it is not their prerogative to insist the customer clean any possible malware” – said Dan Clements, Group-IB US Managing Partner.

What to do if your customers were infected?

«We recommend the banks to create an incident response action plan as well as to develop a customer awareness program with practical recommendations, what they need to do if they were notified by the bank that their banking account was compromised and their computer may be infected by the banking malware» – said Andrey Komarov, the Head of international Project, CERT-GIB CTO.

Previously, Group-IB has published a recommendation paper with action plan helping the Russian banks to gather all the most important digital evidences from the compromised PC. Reinstalling of the OS may not help, due the use of so called «bootkits» in modern banking malware which infect the MBR (Master Boot Record), such as Carberp 2 and new types of TLD, and affect BIOS. The presence of an antivirus product helps but not represents a complete solution, the majority of new banking trojans can not be detected by AV because the implementation of AV avoidance techniques.

Most common evasion techniques make use of stolen digital certificates from trusted partners, various obfuscators, encryption and new kernel levels of security solutions bypass, and in same rare cases the exploiting of OS vulnerabilities.

Group-IB recommends for the banking fraud and cybercrime analysis departments to proceed with the following steps:

1. To block the compromised customer from online-banking access and to change his credentials. Account block will help to prevent the potential theft during the incident response actions and investigation procedure.
2. To contact the compromised customer by phone and explain him the reason why his credentials are invalid right now and why they were changed by the bank.  It is important to not use the e-mail, because of the cybercriminals may have the access to it and the banking Trojan can make graphical screenshots from the infected PC to intercept the customer’s actions, which tips off the cybercriminals and makes an investigation more difficult.
3. To use another reserve PC, which is not infected, or to reinstall OS. The infected PC may be provided to the computer forensics laboratory or LEA with the bank’s help for further investigation. Some big banks have own computer forensic laboratories, some use third parties expert companies, which can help to create an image of the infected PC and then to research it in order to create necessary digital evidences for the reporting such as:

• Extracted malware sample for further analysis, it’s time of installation on the system, the source of installation;
• C&C used to send intercepted data from the infected PC.

Sometimes, such kinds of reports are widely used by an LEA and courts for successful cybercriminal prosecution, as today the legislation in cybercrime field is still quite weak, unfortunately, cyber criminals often go unpunished.

In many cases the customer request the support of experts specialized in computer forensics to produce such kind of expertise for the court after online-banking theft, the client requests to recover stolen funds from the bank side but it is a complicated dispute as well. Banks use flexible customer agreements that sometimes clearly declare that the banks have no responsibility for the customer’s safety and security against unauthorized access to his PC, malware and other cyber threat are considered a customer’s side event and due this reason out of Bank control.

Another possible approach is passive, no response action follows the alert or the incident, the bank can just receive the information about compromised customer and then to monitor it’s activity until suspicious transfer will be created (can be characterized by new transfer destination, suspicious amount and time of the transfer; IP and PC details are useless, as the most part of modern online-banking thefts are going from the same IP of infected customer through remote administration by VNC spawning techniques or patched RDP for multiple remote connections from the hacker’s side). Such approach is very efficient during cybercrime chain investigations, when it is important to get information about all the personalities involved in it such as “money mules”, botmaster and ISP that is maintaining it, of course the approach takes some efforts from the bank’s side.

Are there any «money mules» in Australia? Yes!

«Money Mule» services have increased during the period 2010-2012,  the following picture shows that the majority of money mules services of AUS work on sharing margin (fifty-fifty).

 Following the translation:

«Good day. We provide drops in Australia, for 2k and 5k transfers. We make drops by unique methodologies, use only own “projects” for it, and don’t use public solutions. All employees are passing special instruction and control. You will obtain special access to specialized system for controlling them. Work 50/50, costs on cashout are not included. The first contact – in PM.»

Group-IB experts found that blackmarket of banking theft for Australian banks is very well developed nowadays and can become one of the key targets for modern cybercriminals in 2013-2015

Рic. 3 –

Translation:

«Need money mules in AU. Will transfer any amounts. 50% – my share from the transferred amount. Private message.»

One of the reasons Australia is a target is a favorable  time zone for Eastern European cyber criminals to facilitate bank transfers.

Perspective of customer’s security

Even though a customer can execute any malicious program, which may compromise their online bank account, the bank is more or less in a partnership with its clients on the financial accounts, sharing some liability. It is in the banks best interest to insure programs and policies that keep the customer happy and retain its loyalty.

“We were really impressed with the time frame of ANZ Bank reaction. A specialized cybercrime analysis representative official responded immediately, and we have provided all the necessary information about the compromised customer credentials with IPs”, said Andrey Komarov of Group-IB.  “It seems the ANZ bank understands the value of getting all of their customers compromised information today, as opposed to moving slowly where more financial losses can affect the bottom line of both the customer and the bank.”

In the specific Kangoo case the investigation suggests that the botnet owners possibly locate CIS countries (former USSR) and use several WEB-injects methods for hidden automatic hijacking of the transfer’s destination.

WEB-injects is the main weapon of modern cyber criminals, which helps them to make a huge profit without any handy work. The market of WEB-injects nowadays is quite impressive.

In the above picture http://westpac.com.au personal and business online-banking accounts grabber based on WEB-inject and virtual keyboard interceptor.

The pricing on it is different and starts from 50$ to 500$, depending on the quality of WEB-inject. Some of it is traded in private communities where the programmer will receive % from all successful thefts. Many of the injects are developed for the well-known banking Trojans such as Citadel, Carberp and Zeus, as well as for quite private malware such as Andromeda.

Commonwealth Bank, Teachers Mutual Bank, DefenceBank, WestPac, Suncorp, BankWest, NAB – cybercriminals developed WEB-injects for the most famous banks in AUS

Group-IB is cooperating with the banks on this issue, as the cybercriminals are not still arrested, and the investigation is in the progress. The C&C and the personalities involved in the crime were detected and shared with the banks on a confidential basis for collaboration with Australian LEA. All the compromised data and customers IPs for finding botnets were imported into Group-IB Bot-Trek for further investigation and cyber intelligence sharing.

Pierluigi Paganini

(Security Affairs – Botnet)

The post Group-IB Exclusive details on Kangoo botnet that hit Australian banks appeared first on Security Affairs.