Saturday, December 11, 2010

Tuesday, August 10, 2010

After 30 days, many AV vendors cannot detect known attacks

Cyveillance testing finds AV vendors detect on average less than 19% of malware attacks


Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection.


http://www.cyveillance.com/web/news/press_rel/2010/2010-08-04.asp



Friday, July 23, 2010

Chinese Hack 101

Let me introduce three basic terminologies as they are commonly used in various China hacking forums:


肉雞 (Chicken) - A machine trojaned with malware and a backdoor.


網頁掛馬/挂马 (Injected iframe) - An iframe carrying malicious code that has been injected into a web page.


免杀 (Prevented from being killed) - Software that incorporates anti-debugging techniques.


攻击 - Attack


I simply captured a piece of an attack-service advertisement from a Chinese blog (URL: http://tieba.baidu.com/f?z=650017145&ct=335544320&lm=0&sc=0&rn=30&tn=bai...). Feel free to translate it via Google Translate:


免杀制作,网马挂马 入侵挂马 QQ空间挂马 视频传播木马

-> Anti-debugging, injecting malicious iframes, trojans for QQ messenger, spreading trojans via video media.



Thursday, April 15, 2010

Military asserts right to return cyber attacks

The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress.




Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

For more info check http://bit.ly/cH8wsn and http://bit.ly/bzo2TX

Friday, March 5, 2010

US Investigators Pinpoint Author Of Google Attack Code

The big news over the past few months has been the Aurora attacks and how they seemed to originate from China; last month Microsoft took the unusual step of releasing an out-of-band patch for the IE6 0-day vulnerability used in the attacks.

Within the last few days the origin of the code was traced to two Chinese schools, both of which claimed they had no knowledge of the exploit.

It was always thought that the exploit originated from China, because parts of the code had only been found on Chinese-language sites; the latest news is that US investigators have now identified the actual origin of the code.

US investigators have pinpointed the author of a key piece of code used in the alleged cyber attacks on Google and at least 33 other companies last year, according to a new report.

Citing a researcher working for the US government, The Financial Times reports that a Chinese freelance security consultant in his 30s wrote the code that exploited a hole in Microsoft’s Internet Explorer browser. The report also says that Chinese authorities had “special access” to this consultant’s work and that he posted at least a portion of the code to a hacking forum.

The story follows another report from The New York Times that traced the attacks to a pair of Chinese schools – Shanghai Jiaotong University and Lanxiang Vocational School – claiming that the latter had ties to the Chinese military. A day later, representatives of both schools denied involvement to the Chinese state news agency, and the Lanxiang representative denied ties to the military.

It all sounds like a conspiracy from the TV show 24, with schools tied to the Chinese military and 'special' access to underground forums.

It'll be interesting to watch which direction this heads after this and whether it is going to increase the tension between the US and Chinese governments. The whole cyberwar has been going on for quite a while now, with both sides trying to covertly steal information from each other.

So far the author of the code has not been named, and his real identity and purpose remain a little vague.

If I understand correctly what is being implied above, the author of the code posted a PoC (proof-of-concept) type exploit to a hacking forum.

Someone took this PoC, turned it into a working exploit and attacked 33 US-based companies. If the conspiracists are right, this 'someone' would be the Chinese government, and they used the exploit to steal commercially valuable data from some big US players.

Friday, February 12, 2010

European credit and debit card security broken

Seems like the problem with this system is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple: either a card that always agrees that the PIN given is correct, or a terminal that tries to authenticate all 10000 PINs and then learns the right one.

Payment processors have for years been wanting an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart and most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that handles money to be off the grid.

If the PIN is stored online like traditional ATM cards, then there is a quick way to be sure there's honest checking of the PIN, and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast-food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.
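To make the online-verification argument concrete, here is an added example (not part of the original post) of an issuer-side PIN verifier with a per-card retry counter and alarm; it also replays the "try all 10000 PINs" scenario described above to show how far that gets before the counter locks the card. The issuer key, card number and PIN are constructed placeholders.

```python
import hmac
import hashlib

# Issuer-side (online) PIN check with a per-card retry counter, the design the
# post argues for. Constructed example: the issuer key, card number and PIN are
# placeholders, and a real issuer would keep the key and digests in an HSM.
ISSUER_KEY = b"constructed-issuer-key-not-real"
MAX_TRIES = 3  # lock the card after this many consecutive wrong PINs


def pin_tag(pan: str, pin: str) -> bytes:
    """Keyed digest of (PAN, PIN); the issuer stores this, never the PIN itself."""
    return hmac.new(ISSUER_KEY, f"{pan}:{pin}".encode(), hashlib.sha256).digest()


class IssuerPinVerifier:
    """Verifies PINs at the issuer and raises an alarm when a card is abused."""

    def __init__(self) -> None:
        self.tags = {}      # pan -> stored PIN digest
        self.failures = {}  # pan -> consecutive failed attempts
        self.locked = set()
        self.alarms = []    # events a fraud desk would act on

    def enroll(self, pan: str, pin: str) -> None:
        self.tags[pan] = pin_tag(pan, pin)
        self.failures[pan] = 0

    def verify(self, pan: str, pin: str) -> bool:
        # Unknown or locked cards are rejected without saying why.
        if pan not in self.tags or pan in self.locked:
            return False
        # Constant-time comparison so response timing leaks nothing about the guess.
        if hmac.compare_digest(self.tags[pan], pin_tag(pan, pin)):
            self.failures[pan] = 0
            return True
        self.failures[pan] += 1
        if self.failures[pan] >= MAX_TRIES:
            self.locked.add(pan)
            self.alarms.append(f"card {pan} locked after {MAX_TRIES} wrong PINs")
        return False


def enumeration_outcome(verifier: IssuerPinVerifier, pan: str) -> dict:
    """Replay the post's 'try all 10000 PINs' scenario against the online check
    and report how far it gets before the retry counter stops it."""
    attempts, accepted = 0, None
    for guess in range(10000):
        if pan in verifier.locked:
            break
        attempts += 1
        if verifier.verify(pan, f"{guess:04d}"):
            accepted = f"{guess:04d}"
            break
    return {"attempts": attempts, "accepted": accepted,
            "locked": pan in verifier.locked, "alarms": len(verifier.alarms)}
```

Because the issuer rather than the card answers the PIN question, a card that always says "yes" has no say in this design, and the enumeration is cut off after MAX_TRIES guesses with an alarm the issuer can act on.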

Wednesday, February 3, 2010

Questions pile up concerning the death of Hakimullah Mehsud

Reports continue to circulate claiming that Hakimullah Mehsud, the current leader of the Pakistani Taliban (Tehrik-i-Taliban Pakistan), is dead after suffering wounds from a mid-January drone strike. Several Pakistani officials have claimed that Mehsud had died sometime at the end of January based on "word of mouth" (aka HUMINT) confirmation, according to a report today from ABC News. However, US intelligence officials have yet to confirm the EKIA reports and the TTP was quick to issue a statement denying the death of their leader. According to Bill Roggio at the Long War Journal, reports of Mehsud's death are premature. Hakimullah's spokesman (Azam Tariq) issued a statement saying, "Hakimullah is alive and safe." Additionally, one of Mehsud's subordinate commanders, and a potential successor, (Qari Hussein Mehsud) called the Pakistani press to issue a similar statement.

For further background on Mehsud and the key role he plays within TTP, check out JD's excellent profile here and this article from the CTC Sentinel.

If in fact the reports are true, we are likely to see another potential struggle over who would take over leadership of the TTP (similar to the reported infighting that occurred after the August 2009 death of the former TTP leader, Baitullah Mehsud). The top three contenders to assume the key role include:

  • Wali-ur-Rehman, the young deputy leader who functions as the group's operational commander
  • Qari Hussein, who oversees the suicide bomb program and is Hakimullah's cousin
  • Saeed Khan Mamozai, a local commander from Orakzai tribal agency

Wednesday, January 27, 2010

In Digital Combat U.S. Finds No Easy Deterrent

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.


After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.


These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.


So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.


“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”


But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.


There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.


Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.


“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”


Fighting Shadows


When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack — a battle unlike any they had engaged in.


Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defense Department’s advanced capabilities may not be brought to bear short of a presidential order.


“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”


William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.


Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.


“A fortress mentality will not work in cyber,” he said. “We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.”


The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.


“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”


But first you would have to figure out who was behind the attack.


Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a “Trojan horse” — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.


“You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.


“It’s the nature of these attacks that the forensics are difficult,” the official added. “The perpetrator can mask their involvement, or disguise it as another country’s.” Those are known as “false flag” attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.


Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks and “international engagement to influence the behavior of potential adversaries.”


Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” But he added, “there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.”


Others are less convinced. “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.


In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. “We didn’t even come close,” she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. “There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making.”


Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.


Government-Corporate Divide


In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.


So part of the problem is to calibrate a response to the severity of the attack.


The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a “framework document” that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.


The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.


But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.


Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.


That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.


An Obama administration official who has been dealing with the Chinese mused recently, “You could argue that Google came up with a potential deterrent for the Chinese before we did.”