Showing posts with label Security Attacks. Show all posts

Tuesday, May 28, 2013

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is the computer-based system that monitors and controls a building's mechanical and electrical equipment: ventilation, air conditioning, lighting and fire systems among others.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after locating it through Shodan, a search engine that indexes internet-connected devices and is popular with attackers for exactly that reason.

Shodan indexes servers and other internet-connected devices, and that index helps attackers find industrial control systems that are open to tampering. It makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems of the kind used to control equipment at petroleum refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident does highlight the need for sensitive systems (not just SCADA) to be isolated from hostile networks like the internet.
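One check a building or network operator should run after reading this is whether their own firewall policy exposes control-system ports to untrusted networks at all. The following is an added example, not code from the post or from the researchers it cites: it parses firewall rules written in a hypothetical one-line format (constructed for this example, not any vendor's syntax) and reports every allow rule that lets a source outside an assumed trusted management network (10.20.0.0/16) reach a well-known ICS/BMS port such as Modbus/TCP (502) or BACnet/IP (47808). The sample rules and addresses are constructed.

```python
import ipaddress

# Well-known control-system service ports; the BMS/SCADA equipment the
# post describes typically speaks one or more of these.
ICS_PORTS = {
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
    1911: "Niagara Fox (Tridium)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Hypothetical rule format used only by this example (not a vendor syntax):
#   <allow|deny> <tcp|udp|any> <src_cidr> -> <dst_cidr> <port|any>
# Constructed sample policy for a building-controls VLAN.
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0 -> 10.20.5.10/32 502
allow tcp 10.20.0.0/16 -> 10.20.5.10/32 502
allow udp 0.0.0.0/0 -> 10.20.5.11/32 47808
allow tcp 203.0.113.0/24 -> 10.20.5.12/32 any
allow tcp 0.0.0.0/0 -> 10.20.5.20/32 443
deny any 0.0.0.0/0 -> 10.20.5.0/24 any
"""

# Networks from which operator access to the BMS is legitimate (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_rules(text: str):
    """Turn the hypothetical rule lines into tuples; 'any' port becomes None."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        action, proto, src, arrow, dst, port = line.split()
        if arrow != "->":
            raise ValueError(f"line {n}: malformed rule")
        rules.append((n, action, proto,
                      ipaddress.ip_network(src), ipaddress.ip_network(dst),
                      None if port == "any" else int(port)))
    return rules


def is_trusted_source(src, trusted) -> bool:
    """True only if the whole source range sits inside a trusted network."""
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def exposed_ics_rules(text: str, trusted=TRUSTED_NETS):
    """Return (line, service, destination) for every allow rule that lets an
    untrusted source reach a control-system port. Rule ordering and
    first-match semantics are deliberately ignored: any such allow rule
    deserves review even if a later deny currently shadows it."""
    findings = []
    for n, action, proto, src, dst, port in parse_rules(text):
        if action != "allow" or is_trusted_source(src, trusted):
            continue
        if port is None:
            findings.append((n, "any port (includes all ICS services)", str(dst)))
        elif port in ICS_PORTS:
            findings.append((n, ICS_PORTS[port], str(dst)))
    return findings


if __name__ == "__main__":
    for line, service, dst in exposed_ics_rules(SAMPLE_RULES):
        print(f"rule {line}: {service} on {dst} reachable from outside trusted networks")
```

Scanning your own public address ranges for the same port list, or searching Shodan for your own address space, is the complementary outside-in check; the rule review is the inside-out one.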

Hopefully, this incident will gain some more traction outside the security community.

Tuesday, May 14, 2013

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest issued this past week by the US Defense Department - documenting the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face the challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-state cyber-attacks, although not every approach will be appropriate for every organization:

  • Avoid acquiring technology from companies based in nations that pose a threat;
  • Isolate internal networks from the Internet;
  • Share cyberthreat information with other organizations;
  • Enhance employee cybersecurity awareness programs, including testing workers' knowledge of IT security best practices.

Monday, April 15, 2013

Australian Feds charge 17 year-old 'Anon' with four crimes

17-year-old suspected member of ‘Anonymous’ charged with unauthorised access to computer data

A 17-year-old youth appeared in Parramatta Children's Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data. The juvenile is suspected to be a member of the online issue-motivated group "Anonymous" and allegedly committed serious offences on its behalf.

Commander Glen McEwen, Manager Cybercrime Operations, said the AFP takes any computer intrusion offences very seriously and remains committed to investigating offences that occur in cyberspace. "Protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue," Commander McEwen said. "The AFP investigates various types of cybercrime and will continue to take a strong stance against these perpetrators."

Refer here to read more details.

Thursday, March 28, 2013

Hackers steal photos, turn Wi-Fi cameras into remote surveillance device

Electronic manufacturers need to start putting some real thought into securing the devices and protecting privacy!

With so many people seizing the convenience of using their smartphone cameras to point, shoot and share, embedded GPS location and all, digital camera manufacturers have been offering more "social" options such as built-in Wi-Fi capabilities and camera apps to quickly share photos and videos.

In fact, if a digital single-lens reflex (DSLR) camera isn't Wi-Fi enabled, some photographers go the Wi-Fi SD card route and others create hacks to give that camera wireless file transfer capabilities.

While there have been plenty of researchers working on ways to exploit smartphones for remote spying, such as the scary PlaceRaider, an Android app that remotely exploits the camera and secretly snaps a picture every two seconds, there has not been as much research into exploiting DSLR Wi-Fi-enabled cameras. However, security researchers from ERNW changed that by showing how to exploit vulnerabilities in order to steal photos and turn a DSLR camera into a spying device.

In the presentation Paparazzi over IP, Daniel Mende and Pascal Turbing explained that the Canon EOS-1D X can communicate with a network in four ways: FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and EOS Utility mode.

They were able to attack and exploit all four, saying, "Not only did we discover weak plaintext protocols used in the communication, we've also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the 'upload to the clouds' feature resulted in an image stealing Man-in-the-Imageflow."

Refer here to read further details.

Tuesday, February 19, 2013

How Facebook Got Hacked?

Zero-Day Exploit Bypassed Java Protections to Install Malware

Even the most savvy information technologists aren't immune from cyber-attacks. Just ask Facebook. The social-media titan says it fell victim to a sophisticated attack discovered in January in which an exploit allowed malware to be installed on employees' laptops.

In a blog posted by Facebook Security on Feb. 15, the company said it found no evidence that Facebook user data was compromised.

Here's what happened at Facebook, according to its blog:

Several Facebook employees visited a mobile developer website that was compromised.

The compromised website hosted an exploit that then allowed malware to be installed on these employees' laptops. "The laptops were fully-patched and running up-to-date anti-virus software," the blog says.

"As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement and began a significant investigation that continues to this day." Facebook Security flagged a suspicious domain in its corporate DNS (Domain Name System) logs and tracked it back to an employee laptop.

The security team conducted a forensic examination of that laptop and identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
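The detection path Facebook describes, a suspicious domain in corporate DNS logs traced back to the laptops that resolved it, can be reproduced against your own resolver logs. The following is an added example, not Facebook's tooling: it reads constructed query-log lines in a BIND-style layout, ignores domains on an assumed allowlist of known business services, and reports domains resolved by only a handful of clients together with those client addresses and the first time each domain was seen, which is the pivot the forensic examination starts from. The domain names, client IPs, timestamps and allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log in a BIND-style query-log layout (not real data).
SAMPLE_LOG = """\
15-Feb-2013 09:01:02.100 client 10.1.4.23#51234: query: www.facebook.com IN A +
15-Feb-2013 09:01:05.221 client 10.1.4.24#52210: query: mail.google.com IN A +
15-Feb-2013 09:02:11.345 client 10.1.4.23#51300: query: forum.mobiledev-site.example IN A +
15-Feb-2013 09:02:12.001 client 10.1.4.23#51301: query: stat.upd4te-srv.example IN A +
15-Feb-2013 09:15:12.901 client 10.1.4.31#49877: query: stat.upd4te-srv.example IN A +
15-Feb-2013 09:16:44.120 client 10.1.4.24#52299: query: www.facebook.com IN A +
15-Feb-2013 09:30:01.555 client 10.1.4.40#50001: query: mail.google.com IN A +
15-Feb-2013 09:31:09.009 client 10.1.4.31#49901: query: stat.upd4te-srv.example IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

# Domains the organisation legitimately talks to all day (assumed allowlist).
ALLOWLIST = {"facebook.com", "google.com"}


def registered_domain(name: str) -> str:
    """Collapse a hostname to its last two labels. This approximates the
    registrable domain; use a public-suffix list in production (co.uk etc.)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def parse_queries(text: str):
    """Yield (timestamp, client_ip, queried_name) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name")


def rare_domains(text: str, max_clients: int = 2, allowlist=ALLOWLIST) -> dict:
    """Domains outside the allowlist resolved by at most `max_clients`
    distinct hosts, with first-seen time, query count and the clients."""
    first_seen, count, clients = {}, defaultdict(int), defaultdict(set)
    for ts, ip, name in parse_queries(text):
        dom = registered_domain(name)
        if dom in allowlist:
            continue
        first_seen.setdefault(dom, ts)   # log is in time order
        count[dom] += 1
        clients[dom].add(ip)
    return {dom: {"first_seen": first_seen[dom], "queries": count[dom],
                  "clients": sorted(clients[dom])}
            for dom in clients if len(clients[dom]) <= max_clients}


def hosts_to_examine(findings: dict) -> list:
    """Every client that resolved a flagged domain: the laptops to image next."""
    return sorted({ip for f in findings.values() for ip in f["clients"]})


if __name__ == "__main__":
    found = rare_domains(SAMPLE_LOG)
    for dom, info in found.items():
        print(f"{dom}: first seen {info['first_seen']}, "
              f"{info['queries']} queries from {info['clients']}")
    print("examine:", hosts_to_examine(found))
```

Rarity is only a first filter: pair it with a newly-registered-domain feed or passive DNS so that a legitimately new vendor does not trigger the same pivot, and keep resolver logs long enough that the first query is still on disk when the alert fires.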

The social-media company says it is working with law enforcement and the other organizations affected by this attack. "It is in everyone's interests for our industry to work together to prevent attacks such as these in the future," Facebook says.

The Facebook attack is reminiscent of the 2011 breach at security provider RSA, when a well-crafted e-mail tricked an RSA employee into retrieving a message from a junk-mail folder and opening an attachment that led to a sophisticated attack on the company's information systems.

Thursday, June 14, 2012

Metasploit: The Penetration Tester’s Guide

Want a great book on Backtrack 5 and the Metasploit Framework?


Look no further than “Metasploit: The Penetration Tester’s Guide” written by the all star cast of David Kennedy (creator of the Social Engineering Toolkit), Jim O’Gorman (instructor at Offensive-Security), Devon Kearns (a BackTrack Linux developer), and Mati Aharoni (created BackTrack and founder of Offensive-Security). 


This is the most complete and comprehensive instruction book for Metasploit that I have seen so far. The authors walk you step by step, command by command, through using the Metasploit Framework as a penetration tester. You move quickly from the basics of penetration testing to using the platform for the different phases of intelligence gathering and exploitation.


An excellent book for anyone interested in a hands-on approach to computer security, for the Metasploit pro who wants a great reference, and for those new to Metasploit who want a step-by-step instruction manual.


Metasploit: The Penetration Tester’s Guide – Check it out!

Friday, June 8, 2012

How hackers could bring down Boeing's new Dreamliner jet

Researchers claim a hidden "back door" exists in a computer chip used in the jet's systems


It would usually be a fairly safe bet to assume new passenger planes would be protected from hacking attacks, however this may not be the case with Boeing's new Dreamliner jet.


Experts have claimed a hidden “back door” in a computer chip used in the jets’ computer systems could be exploited by cyber-criminals in order to override and control the planes, the UK’s Guardian reported.


Researchers Sergei Skorobogatov of Cambridge University and Chris Woods of Quo Vadis Labs sent out a warning to governments around the world after reportedly discovering the hacking method. "The great danger comes from the fact that such a back door undermines the high level of security in the chip making it exposed to various attacks,” they noted in a document cited by the Guardian.


"An attacker can disable all the security on the chip, reprogram cryptographic and access keys… or permanently damage the device." Woods claims the “back door” is inserted into a device for extra functionality, offering a secret way to get into the chip and control it without needing an encrypted channel.


The chips are used in areas such as communications and consumer products as well as the military, medical and automotive industries.


Source from News.com.au

Saturday, June 2, 2012

Ongoing Investments Have To Be Made To Protect Corporate And Online Perimeters

Why Hacktivists Attack?


Hacktivists usually attack because they want to embarrass their targets.


This week, Anonymous took credit for hacking a server at the United States Bureau of Justice Statistics, copying 1.76 GB of data and posting it online.


Why? "... to spread information, to allow the people to be heard and to know the corruption in their government. We are releasing it to end the corruption that exists, and truly make those who are being oppressed free," hackers claiming to be part of Anonymous posted on AnonNews.org.


Another example: this week's takedown of WHMCS, a UK-based online billing platform used by Web hosting providers throughout the world. The hacktivist group known as UGNazi took credit for a breach of WHMCS's database - a breach that likely exposed details on 500,000 payment cards.


The group also launched a denial of service attack on one of WHMCS's servers, which ultimately took the platform's site down for 24 hours and disrupted service to its global client base. Why? UGNazi says it targeted WHMCS because the company refused to address security vulnerabilities.


In a May 23 post on Pastebin, UGNazi hacker Cosmo says WHMCS's database was leaked because the company ignored UGNazi's warnings about security concerns linked to its Web hosting provider, HostGator.


Cosmo writes: "It is now 2 days after the attack from us and the site is back up and it still remains on HostGator after Matt knows it is insecure. ... We laugh at your security."


UGNazi hackers reportedly socially engineered customer service reps at HostGator into coughing up admin credentials to WHMCS's servers.


How could WHMCS have avoided this attack? Responding publicly to the warnings and acknowledging the need to improve security might have removed the motive, but the credentials themselves were obtained by social-engineering the hosting provider's support staff. The control that would actually have blocked the break-in is a strict identity check before support reps hand out or reset administrative credentials, which puts much of it in the provider's hands, together with WHMCS's own decision to keep a critical server with a host it had been warned about.

Sunday, April 15, 2012

Insufficient security controls for smart meters

Smart meters are not secure enough against false data injection attacks


False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection, and experts say the current generation of smart meters is not secure enough against them. nCircle the other day announced the results of a survey of 104 energy security professionals.


The survey was sponsored by nCircle and EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure. The online survey was conducted between 12 March and 31 March 2012. 


When asked, "Do smart meter installations have sufficient security controls to protect against false data injection?" 61 percent said "no."

Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation.


Estimating the state of the power grid from smart meter measurements and power system models is a routine part of that monitoring. An nCircle release notes that false data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection: an attacker who knows the grid model can craft meter readings that look perfectly consistent to the estimator. Smart meters vary widely in capability, and many older meters were not designed to protect adequately against false data injection. It doesn't help that some communication protocols used by the smart meter infrastructure offer little protection against it either.
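The phrase "introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection" has a precise meaning that a small worked example makes concrete. The following is an added example, not material from nCircle or EnergySec, and the notation is assumed rather than taken from the post: measurements z = Hx + e, where x is the grid state, H the measurement matrix fixed by the grid configuration and e meter noise; the estimator computes a least-squares x_hat and a residual-based bad-data test thresholds ||z - H x_hat||. With a constructed four-meter, two-state H, tampering with a single meter is caught by the residual check, while an injection a = Hc, which requires knowing H, shifts the estimate by exactly c without changing the residual at all.

```python
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def transpose(m: Matrix) -> Matrix:
    return [list(col) for col in zip(*m)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def matvec(m: Matrix, v: Vector) -> Vector:
    return [sum(row[j] * v[j] for j in range(len(v))) for row in m]


def solve(a: Matrix, b: Vector) -> Vector:
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def estimate_state(H: Matrix, z: Vector) -> Vector:
    """Least-squares DC state estimate: x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H: Matrix, z: Vector) -> float:
    """||z - H x_hat||, the statistic a residual-based bad-data detector thresholds."""
    x_hat = estimate_state(H, z)
    return sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(H, x_hat))) ** 0.5


def bad_data_detected(H: Matrix, z: Vector, tau: float) -> bool:
    return residual_norm(H, z) > tau


def stealthy_injection(H: Matrix, c: Vector) -> Vector:
    """Attack vector a = Hc. It lies in the column space of H, so the estimate
    moves to x_hat + c while the residual is unchanged. Needs knowledge of H."""
    return matvec(H, c)


def add(z: Vector, a: Vector) -> Vector:
    return [zi + ai for zi, ai in zip(z, a)]


# Constructed toy system: two bus-angle states, four meter readings.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
X_TRUE = [0.5, 0.2]
NOISE = [0.01, -0.01, 0.005, 0.0]            # assumed meter noise
Z_CLEAN = add(matvec(H, X_TRUE), NOISE)
TAU = 0.05                                   # assumed detection threshold


if __name__ == "__main__":
    naive = [0.3, 0.0, 0.0, 0.0]             # tamper with one meter only
    stealth = stealthy_injection(H, [0.3, 0.0])
    for label, z in (("clean", Z_CLEAN), ("naive", add(Z_CLEAN, naive)),
                     ("stealth", add(Z_CLEAN, stealth))):
        print(f"{label:8s} estimate={estimate_state(H, z)} "
              f"residual={residual_norm(H, z):.4f} "
              f"detected={bad_data_detected(H, z, TAU)}")
```

Real estimators use weighted least squares and a chi-square test on the weighted residual, but the algebra is the same: any injection in the column space of H passes. Defending against it means the attacker must not be able to corrupt a set of meters whose readings span the columns he needs, which is why authenticated, integrity-protected meter data, the control the survey asks about, matters more than the detector.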


Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.


Elizabeth Ireland, vice president of marketing for nCircle, noted, “A false data injection attack is an example of technology advancing faster than security controls."


This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user.

Tuesday, February 14, 2012

Microsoft's India store hacked

Attackers left a message on the Microsoft website saying "unsafe system will be baptized"

Hackers, allegedly belonging to a Chinese group called Evil Shadow Team, struck at www.microsoftstore.co.in on Sunday night, stealing login ids and passwords of people who had used the website for shopping Microsoft products.

While it is troubling that hackers were able to breach a website owned by one of the biggest IT companies in the world, it is more alarming that user details - login ids and passwords - were reportedly stored in a plain text file. Passwords should never be stored in recoverable form at all: the standard practice is to keep only a salted, deliberately slow hash of each password, so that a stolen database does not hand the attacker working credentials.
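To show the difference concretely, here is an added example (not code from the store, from Microsoft or from the article) that puts the pattern the article describes, a table holding the password itself, next to the salted-hash storage that should replace it. PBKDF2-HMAC-SHA256 from the Python standard library is used for the hash; the iteration count is an assumed value. The `exposed_by_dump` helper models what someone reading the stored record learns.

```python
import hashlib
import hmac
import os


class PlaintextStore:
    """The pattern the article describes: the store holds the password
    itself, so anyone who reads the table (or a dump of it) owns every login."""

    def __init__(self):
        self.users = {}

    def register(self, login: str, password: str) -> None:
        self.users[login] = password

    def verify(self, login: str, password: str) -> bool:
        return self.users.get(login) == password


# Assumed work factor; tune until one hash costs ~100 ms on the login servers.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest."""
    salt = os.urandom(16)                     # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class HashedStore:
    """Same interface, but the table never contains a password."""

    def __init__(self):
        self.users = {}

    def register(self, login: str, password: str) -> None:
        self.users[login] = hash_password(password)

    def verify(self, login: str, password: str) -> bool:
        record = self.users.get(login)
        return record is not None and check_password(password, record)


def exposed_by_dump(store, login: str, password: str) -> bool:
    """True if reading the stored record hands an attacker the password."""
    return store.users[login] == password


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("alice", "correct horse battery staple")
        print(type(store).__name__,
              "verify:", store.verify("alice", "correct horse battery staple"),
              "dump reveals password:",
              exposed_by_dump(store, "alice", "correct horse battery staple"))
```

Storing the iteration count inside the record, as here, lets you raise the cost later for new and re-hashed logins without invalidating existing ones; the salt makes two users with the same password produce different records, so a leaked table cannot be attacked with one precomputed list.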

Following the hack, the members of Evil Shadow Team, posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by www.wpsauce.com.

Later, the website seemed to have been taken offline by Microsoft. We advise users of the Microsoft India Store to change their password as soon as the website comes back online. Also, if they have used the same password or login id on any other web service, they should change it there immediately.

Last year, hacker groups like LulzSec carried out several high-profile break-ins, putting the focus on the security measures companies have in place. Sony suffered several security breaches, and hackers stole user ids and passwords of customers from its network.

In a message posted on Pastebin, LulzSec claimed the group was bringing attention to web security. "Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now," the group wrote.

But the incident at the Microsoft Store on Sunday suggests that the lessons have not been learnt. Just like Sony, which later revealed that user ids and passwords were not encrypted at the time of its breach, Microsoft too seems to have been casual in handling user details by storing them in a plain text file.

Saturday, December 3, 2011

Norway hit by major data-theft attack

Industrial secrets from companies were stolen and "sent out digitally from the country"

Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said.
Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.

The methods varied, but in some cases individually crafted e-mails carried malware that, once opened, would sweep the recipient's entire hard drive and steal passwords, documents and other confidential material.

The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.
Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan horse (malware disguised as legitimate content) being planted on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments.

Refer here to read further details.

Thursday, December 1, 2011

DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack

Apparent cyberattack destroys pump at Illinois water utility

A pump at a public water utility in Springfield, Illinois was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.

ICS-CERT has released the following statement saying that DHS and the FBI have disputed that the Springfield, Illinois incident was a cyberattack.

ICS-CERT is assisting the FBI to gather more information about the separate Houston incident.

UPDATE - Recent Incidents Impacting Two Water Utilities
ICSJWG Communications [ICSJWG.Communications@HQ.DHS.GOV]


Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT
E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

Sunday, November 20, 2011

Hackers attack Norway's oil, gas and defence businesses

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks.

Industrial secrets and information about contract negotiations had been stolen, said Norway's National Security Authority (NSM).

It said 10 firms, and perhaps many more, had been targeted in the biggest wave of attacks to hit the country.

Norway is the latest in a growing list of nations that have lost secrets and intellectual property to cyber thieves.

The attackers won access to corporate networks using customised emails with viruses attached which did not trigger anti-malware detection systems.

Targeted attacks

The NSM said the email messages had been sent to specific named individuals in the target firms and had been carefully crafted to look like they had come from legitimate sources.


Many of the virus-laden emails were sent while the companies were in the middle of negotiations over big contracts.

It said user names, passwords, industrial drawings, contracts and documents had been stolen and taken out of the country.

The NSM believes the attacks are the work of one group, based on its analysis of the methods used to target individuals, code inside the viruses and how the data was extracted.

The agency said it was publishing information about the attacks to serve as a warning and to encourage other targeted firms to come forward.

"This is the first time Norway has revealed extensive and wide computer espionage attacks," the NSM said in a statement.

Singled out

It said it found out about the attacks when "vigilant users" told internal IT security staff, who then informed the agency.


However, the NSM said, it was likely that many of the companies that had been hit did not know that hackers had penetrated their systems and stolen documents.

Security firms report that many other nations and industrial sectors have been targeted by data thieves in recent months.

The chemical industry, hi-tech firms and utilities appear to have been singled out.

Sourced: BBC News

Tuesday, September 27, 2011

Skype for iPhone may leak Address Book

A vulnerability could see your entire Address Book uploaded to a remote system

A cross-site scripting vulnerability in Skype for iOS has been used to remotely extract the victim device's Address Book. In the proof of concept (PoC) described on the Superevr blog, a piece of JavaScript is inserted in the Full Name field of the attacker's profile.

When the victim receives a message, the chat view renders the sender's name without encoding it, so the JavaScript runs and initiates a connection to a server, which sends the real payload. That payload instructs the device to upload the entire Address Book file, which can then be read with any SQLite-based program.

The author of the PoC says there's no indication on the device that anything untoward is happening. The issue is said to affect Skype 3.0.1 and earlier, and the PoC was demonstrated on iOS 4.3.5.

The author of the PoC says he reported the issue to Skype in late August, and was told an update would be released early this month. He made a public disclosure this week after the update did not materialise.

The only current mitigations appear to be to ensure that Skype is set to accept messages only from existing contacts, and to be careful to only accept contact requests from people you trust.

Sunday, July 31, 2011

Security Training Video: Investigating DoS Attacks

Introduction to DoS Attacks and techniques

CareerAcademy.com is offering a free EC-Council training video to try out their training delivery platform.

The course offered is on Computer Hacking Forensics Investigator (CHFI): Investigating DoS Attacks, and is intended for IT security professionals. The course outline is below, along with a link to try it out.

Please feel free to forward to others in your organization who may be interested this type of training.

Link to sign up for the free training course:
http://www.careeracademy.com/download/freeCHFIm31.html

Course Description:

This free introductory online training course (valued at $195) will immerse the student in an interactive environment where they will be shown how to investigate DoS attacks. Students will be introduced to the types of DoS attacks, buffer overflows, DoS attack techniques, intrusion detection systems, live demonstrations of SYN flooding, Smart Sniff, 3D Trace Routes, and many more critical concepts.

Use the link above to sign up, and for more information visit www.careeracademy.com or contact CareerAcademy.com at 1-800-807-8839 x201 (US), 1-781-453-3900 x201 (International), email: info@careeracademy.com

This course is Module 31 of a 51 module EC-Council Computer Hacking Forensic Investigator CHFI Training CBT Boot Camp.

Wednesday, June 8, 2011

Hacker breaches the security of Australian Tax Office, Defence and Banks


The security of hundreds of thousands of security tokens (SecurID) used by Australian banks and their customers, the Defence Force and organisations such as the Tax Office to access computer systems is in doubt after a cyber attack.

RSA said yesterday it would reissue an unknown number of the estimated 40 million RSA SecurID fobs used worldwide. SecurID fobs are small, portable devices that generate a digital security code that changes every 60 seconds. They are most commonly used with a static PIN or password to access a computer system.

In March RSA customers were told the company had been the victim of "an extremely sophisticated cyber attack". But it was not until recently that full details were known. RSA's admission follows an attack on the defence contractor Lockheed Martin. The contractor said an attacker had tried to access its network using information about the fobs stolen from RSA in the March attack. But it had stopped the attacker stealing information.

Certain characteristics of the attack on RSA indicated the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related intellectual property.

David Kenny, the deputy secretary of the Department of Parliamentary Services, said the department had 1800 of the SecurID tokens used by staff and MPs. The department was arranging replacement.

The Department of Veterans' Affairs was considering RSA's offer to replace SecurID tokens at no cost. Westpac bank confirmed that it did not see an immediate need to replace its customer fobs as it had not been compromised. The Tax Office was arranging replacements.

The attack meant many organisations would see a need to beef up their security. To break into a network, an attacker holding the data stolen from RSA would still need information the token itself does not carry, such as the user's username and PIN or password.

These are often obtained by phishing: a user hands over their details in reply to an email from an attacker pretending to be the organisation that issued the fob. Without those details it would be difficult for an attacker to gain entry to a network.

Refer here for further details.

Tuesday, May 3, 2011

'Tricked' RSA Worker Opened Backdoor to APT Attack

Threat Landscape is CHANGING!
A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving a message from a junk-mail folder and opening it, and the attachment carried malware that led to a sophisticated attack on the company's information systems.

An Excel spreadsheet attached to the e-mail contained a zero-day exploit for an Adobe Flash vulnerability, which Adobe has since patched, and that exploit led to the installation of a backdoor, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.

RSA unveiled on March 17 that an attacker had targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach. An APT refers to sophisticated and clandestine means of gaining continual, persistent intelligence on a group such as a nation or corporation. Rivner's blog is the first substantial public comment on the breach since RSA executive chairman Art Coviello's statement.

The exploit injected malicious code into the employee's PC, giving the attacker full access to the machine. The attacker installed a customized variant of a remote administration tool known as Poison Ivy, which has been used in APT attacks against other companies. Such tools use a reverse-connect model: the implant opens outbound connections to the attacker's command and control servers and pulls its commands from them, rather than listening for inbound connections, so the traffic rides on the outbound sessions most perimeters allow and is harder to detect.

The attacker gained access to staging servers at key aggregation points to prepare for extraction. Next, the attacker accessed servers of interest, moving data to internal staging servers to be aggregated, compressed and encrypted for extraction. Then the attacker used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging server, a compromised machine at a hosting provider. The files were subsequently pulled by the attacker and deleted from the external compromised host to remove traces of the attack.

Rivner characterizes APT as a new attack doctrine built to evade existing perimeter and endpoint defenses, and likens an APT attack to stealth fighters that circumvent radar.

Thursday, April 14, 2011

WordPress Hacked

Attackers Get Root Access

A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'

Wednesday, April 6, 2011

'Tricked' RSA Worker Opened Backdoor to APT Attack

APT Presents New Attack Doctrine Built to Evade Existing Defenses

A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving a message from the junk-mail folder and opening its malicious attachment, which led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog post.

An Excel spreadsheet attached to the e-mail carried a zero-day exploit for an Adobe Flash vulnerability, delivered through Flash content embedded in the spreadsheet; Adobe has since patched the flaw. Opening the file led to the installation of a backdoor, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog post published Friday.
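An Office document that embeds a Flash object can be triaged statically before anyone opens it. The scanner below is an added example, not RSA's tooling and not the actual attachment: it looks for SWF file headers and for the Shockwave Flash ActiveX CLSID in both OOXML (.xlsx, a zip container) and legacy OLE2 (.xls) files. The sample files are constructed in memory (the OLE2 one is a byte-level stand-in, not a valid compound file) and the SWF payload is a bare header, so everything here is an assumption for illustration.

```python
"""Static triage of a spreadsheet attachment for embedded Flash (SWF) content.
Handles OOXML (.xlsx = zip) and legacy OLE2 (.xls) containers. All sample
inputs are constructed in memory for this example."""
import io
import re
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib and LZMA SWF
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of the Shockwave Flash ActiveX control, as text (OOXML/VML markup) ...
FLASH_CLSID_TEXT = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.I)
# ... and as the binary GUID (Data1..Data3 little-endian) used inside OLE streams
FLASH_CLSID_BIN = b"\x6e\xdb\x7c\xd2\x6d\xae\xcf\x11\x96\xb8\x44\x45\x53\x54\x00\x00"


def swf_headers(blob):
    """Yield (offset, magic, version, declared_length) for plausible SWF headers.
    A bare 3-byte magic match is too weak on binary data, so also require a
    sane version byte and a declared length that is neither tiny nor absurd."""
    for m in re.finditer(rb"[FCZ]WS", blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        declared = struct.unpack_from("<I", blob, off + 4)[0]
        if 1 <= version <= 40 and 8 <= declared <= 64 * 1024 * 1024:
            yield off, m.group(0), version, declared


def scan_spreadsheet(data):
    """Return a list of human-readable findings describing Flash indicators."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy binary workbook: no structure parsing here, a raw byte scan
        # of the whole file is enough to surface an embedded SWF.
        for off, magic, ver, ln in swf_headers(data):
            findings.append(f"ole2: SWF header {magic.decode()} v{ver} ({ln} bytes) at offset {off}")
        if FLASH_CLSID_BIN in data:
            findings.append("ole2: Shockwave Flash CLSID present")
        return findings
    if data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                member = z.read(name)
                if FLASH_CLSID_TEXT.search(member) or FLASH_CLSID_BIN in member:
                    findings.append(f"{name}: Shockwave Flash CLSID present")
                for off, magic, ver, ln in swf_headers(member):
                    findings.append(f"{name}: SWF header {magic.decode()} v{ver} ({ln} bytes) at offset {off}")
        return findings
    return ["unknown container format"]


def _fake_swf(compressed=True):
    """Constructed SWF stand-in: valid 8-byte header, no real tags."""
    body = b"\x00" * 40
    magic = b"CWS" if compressed else b"FWS"
    return magic + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


def build_sample_xlsx(with_flash):
    """Construct a minimal OOXML-like zip; only members relevant to the scan exist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            z.writestr("xl/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            z.writestr("xl/activeX/activeX1.bin", _fake_swf())
    return buf.getvalue()


def build_sample_xls(with_flash):
    """Constructed stand-in for an OLE2 workbook: real magic, then opaque bytes."""
    data = bytearray(OLE2_MAGIC + b"\x00" * 504)
    if with_flash:
        data += FLASH_CLSID_BIN + b"\x00" * 16 + _fake_swf(compressed=False)
    data += b"\x00" * 512
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("xlsx", build_sample_xlsx(True)), ("xls", build_sample_xls(True))):
        print(label, scan_spreadsheet(sample))
```

A mail gateway or analyst can run this over attachments as a cheap first filter: any spreadsheet in which both a Flash CLSID and an SWF header turn up deserves detonation in a sandbox regardless of how benign the filename looks. The check is deliberately signature-light (magic bytes plus CLSID) so that it does not depend on knowing the specific Flash bug being exploited.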

RSA disclosed on March 17 that an attacker had targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat (APT) breach. An APT refers to a sophisticated, clandestine effort to gain continual, persistent intelligence on a target such as a nation or corporation. The RSA official says the attacker first harvested access credentials from the compromised employee, escalated privileges from non-administrative users on the targeted systems, and then moved on to key high-value targets, which included process experts and both IT and non-IT server administrators.

If the attackers think they can remain in the environment undetected, they may continue in stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third and noisiest stage of the attack, the extraction of data. Since RSA detected this attack in progress, the attacker most likely had to move very quickly to accomplish anything in that phase.

While RSA made it clear that certain information was extracted, it is worth noting that the attack was detected in progress by its Computer Incident Response Team.

Tuesday, April 5, 2011

IBM report: computer hackers getting smarter

X-Force 2010 Trend and Risk Report from IBM

There is good news and bad news in this year's X-Force 2010 Trend and Risk Report from IBM. The good news is that spam and phishing attacks appear to be leveling off, and mobile devices have not been compromised in any big way, yet. The bad news is that IT security threats are becoming increasingly sophisticated and targeted.

Based on intelligence gathered from public vulnerability disclosures and from the monitoring and analysis of more than 150,000 security events per second on every day of 2010, the IBM X-Force Research team found that more than 8,000 new IT security vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. The data points to an expanding threat landscape in which sophisticated attacks are launched against increasingly complex computing environments.

There seems to be a declining interest in spamming

IBM reports that the historically high growth in spam volume leveled off by the end of 2010. Spam volumes rose dramatically during 2010 to the highest levels on record, but the growth flattened by year's end, which suggests that spammers see less value in sheer volume and are instead focused on getting their mail past filters. Just before Christmas, spammers even seemed to go on vacation: traffic volumes dropped by 70 percent and returned to normal early in the new year.

There were significantly fewer mass phishing attacks relative to previous years, but there has been a rise in more targeted attack techniques

Although phishing attacks still occurred, the peak volume of phishing e-mails in 2010 was less than a quarter of the peak volumes in the previous two years. This may indicate a shift toward other, more profitable attack methods such as botnets and ATM skimming. Despite this decline, "spear phishing", a more targeted technique, grew in importance in 2010, as meticulously crafted e-mails with malicious attachments or links became one of the hallmarks of sophisticated attacks launched against enterprise networks. 2010 saw some of the most high-profile targeted attacks the industry has ever witnessed. For example, the Stuxnet worm demonstrated that the risk of attacks against highly specialized industrial control systems is not just theoretical.

These types of attacks are indicative of the high level of organization and funding behind computer espionage and sabotage that continues to threaten a widening variety of public and private networks.

Trojan botnet activity increased during 2010

This growth is significant because, despite increasingly coordinated efforts to shut down botnet activity, the threat appeared to be gaining momentum. IBM X-Force's data did illustrate the dramatic impact of a successful effort in early 2010 to shut down the Waledac botnet, which resulted in an immediate drop in observed command-and-control traffic. The Zeus botnet, on the other hand, continued to evolve and constituted a significant portion of the botnet activity detected by IBM X-Force in 2010. Because of its popularity with attackers, hundreds or even thousands of separate Zeus botnets are active at any given time. The Zeus malware is commonly used to steal banking information from infected computers.

Smartphones are still safe, but for how long?

In 2010, IBM X-Force documented increases both in the volume of vulnerabilities disclosed in mobile devices and in the disclosure of exploits that target them. The desire to "jailbreak" or "root" mobile devices has motivated the distribution of mature exploit code that has then been reused in malicious attacks. Overall, however, IBM X-Force concludes that attacks against the latest generation of mobile devices were not yet widely prevalent in 2010. Still, growing end-user adoption of smartphones and other mobile devices is creating plenty of additional work for IT security departments, which are struggling to bring these devices safely into corporate networks. According to the report, best practices for mobile security are evolving, with enhanced password management and data encryption capabilities.

Market will drive more cloud security

The IBM report also tackled the security issues posed by cloud computing for the first time. The report highlighted a shift in perception about cloud security, still considered an inhibitor to adoption. Cloud providers must earn their customers’ trust by “providing an infrastructure that is secure by design with purpose-built security capabilities that meet the needs of the specific applications moving into the cloud. As more sensitive workloads move into the cloud, the security capabilities will become more sophisticated.”

Over time, the report says, the market will drive the cloud to provide access to security capabilities and expertise that is more cost effective than in-house implementations. This may turn questions about cloud security on their head by making an interest in better security a driver for cloud adoption, rather than an inhibitor.