http://www.reuters.com/article/2013/01/16/cybersecurity-powerplants-idUSL1E9CGFPY20130116
and.....
http://www.blacklistednews.com/Meet_Red_October%3A_The_Global_Cyber-Espionage_Ring_That_Spent_5_Years_in_the_Shadows/23620/0/38/38/Y/M.html
http://gizmodo.com/5975793/meet-red-october-the-global-cyber+espionage-ring-that-spent-5-years-in-the-shadows
http://fromthetrenchesworldreport.com/warning-from-computer-experts-more-than-a-billion-computers-worldwide-at-risk/31054/#more-31054
Jan 16 (Reuters) - A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website.
The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.
It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.
DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.
In addition to not identifying the plants, a DHS spokesman declined to say where they are located.
Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.
Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.
"This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.
AGING SYSTEMS
Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have "auto run" features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB drive is plugged into the system unless operators change that setting, Clarke said.
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.
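The AutoRun setting Clarke refers to is a registry bitmask, and checking it on a fleet of XP-era HMI boxes is a concrete task. The script below is an added example, not code from the Reuters piece or from ICS-CERT: it evaluates the NoDriveTypeAutoRun value the way Windows reads it (a set bit disables AutoRun for that drive type; XP/2000 behave as if the value were 0x91, which leaves USB sticks, fixed drives and CD-ROMs auto-executing), applies the KB967715 caveat that on XP/2000 the mask is ignored unless HonorAutoRunSetting is 1, and emits the .reg fix an operator would import. The hostnames and policy values are constructed; the registry read at the end only runs on a Windows host.

```python
"""AutoRun exposure check for Windows hosts (added example; not from the article).

Windows reads the REG_DWORD NoDriveTypeAutoRun under
  HKLM/HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
as a bitmask over drive types: a SET bit disables AutoRun for that type, a
CLEAR bit leaves it enabled.  Untouched Windows XP/2000 hosts behave as if the
value were 0x91, which leaves removable drives (USB sticks), fixed drives and
CD-ROMs enabled.  Per Microsoft KB967715, on XP/2000 the mask is only honoured
once that update is installed and HonorAutoRunSetting is 1 in the same key.
"""

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks: the vector in the turbine incident
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_RESERVED",
}
XP_DEFAULT = 0x91   # effective value on an untouched XP/2000 host
DISABLE_ALL = 0xFF  # hardened value: AutoRun off for every drive type

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def exposed_drive_types(mask):
    """Drive types whose AutoRun bit is clear, i.e. still auto-executing."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not mask & bit]


def assess(policy, legacy_os=True):
    """policy: the values found under Policies\\Explorer (may be empty).
    legacy_os: True for XP/2000, where the mask needs HonorAutoRunSetting=1.
    Returns the effective mask, whether it is honoured, the drive types still
    exposed, and a list of human-readable findings."""
    findings = []
    mask = policy.get("NoDriveTypeAutoRun", XP_DEFAULT)
    if "NoDriveTypeAutoRun" not in policy:
        findings.append("NoDriveTypeAutoRun absent; OS default 0x%02X applies" % XP_DEFAULT)
    honoured = (not legacy_os) or policy.get("HonorAutoRunSetting", 0) == 1
    if not honoured:
        findings.append("HonorAutoRunSetting != 1: on XP/2000 the mask is ignored "
                        "until KB967715 is installed and this value is set to 1")
        # Reporting assumption: treat such a host as if it had the OS default.
        mask = XP_DEFAULT
    exposed = exposed_drive_types(mask)
    if "DRIVE_REMOVABLE" in exposed:
        findings.append("AutoRun still fires for removable media (USB)")
    return {"mask": mask, "honoured": honoured, "exposed": exposed, "findings": findings}


def reg_fix():
    """Body of a .reg file that applies the hardened setting under HKLM."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_LOCAL_MACHINE\\" + POLICY_KEY + "]",
        '"NoDriveTypeAutoRun"=dword:%08x' % DISABLE_ALL,
        '"HonorAutoRunSetting"=dword:00000001',
        "",
    ])


def read_policy_from_registry():
    """On a Windows host, read the two values from HKLM; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    policy = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in ("NoDriveTypeAutoRun", "HonorAutoRunSetting"):
                try:
                    policy[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass  # value absent
    except OSError:
        pass  # key absent: nothing set, defaults apply
    return policy


# Constructed sample inventory (hypothetical hostnames, not from the ICS-CERT report).
SAMPLE_HOSTS = {
    "hmi-turbine-01 (XP, untouched)": {},
    "hmi-turbine-02 (XP, mask set, KB967715 missing)": {"NoDriveTypeAutoRun": DISABLE_ALL},
    "eng-ws-03 (XP, hardened)": {"NoDriveTypeAutoRun": DISABLE_ALL, "HonorAutoRunSetting": 1},
}

if __name__ == "__main__":
    hosts = dict(SAMPLE_HOSTS)
    live = read_policy_from_registry()
    if live is not None:
        hosts["this host"] = live
    for host, policy in hosts.items():
        r = assess(policy)
        print("%s: mask=0x%02X exposed=%s" % (host, r["mask"], ", ".join(r["exposed"]) or "none"))
        for f in r["findings"]:
            print("  - " + f)
    print("\nFix to import:\n" + reg_fix())
```

The second sample host is the case that bites in practice: the mask has been set to 0xFF, but without KB967715 and HonorAutoRunSetting the box still runs autorun.inf from a USB stick, so a registry audit that only looks at NoDriveTypeAutoRun reports it as hardened. Disabling AutoRun closes the auto-execute path only; a user double-clicking a file on the stick still runs it.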
The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as "sophisticated" viruses on workstations that were critical to the operations of a power generation facility.
The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term "sophisticated" to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.
A DHS spokesman could not immediately be reached to comment on the report.
The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.
It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending Sept. 30, 2012.
Attacks against the energy sector represented 41 percent of the total number of incidents in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign - when emails with malicious content are specifically targeted at their employees.
The water sector had the second highest number of incidents, representing 15 percent.
and.....
http://www.blacklistednews.com/Meet_Red_October%3A_The_Global_Cyber-Espionage_Ring_That_Spent_5_Years_in_the_Shadows/23620/0/38/38/Y/M.html
Meet Red October: The Global Cyber-Espionage Ring That Spent 5 Years in the Shadows
January 15, 2013
Source: Gizmodo
There are plenty of cyberweapons floating around out there, like Stuxnet, Flame, and that whole gang. Now, Kaspersky has turned up a cyber-espionage operation it's dubbed "Red October," and it's up there in the big leagues. But unlike its cohorts, it doesn't look state-sponsored. This is a freelance job, and it's professional grade.
While Red October has only recently been discovered, it's been working behind the scenes for a long time. According to its domain names and various details dug up from the executable code, it's been doing its thing since 2007, if not earlier. And what is its thing? Harvesting loads of classified information from high-profile targets across the globe, including the United States, but mostly in Eastern Europe and Central Asia. And it's got quite the stash.
Red October has been infecting targets through vulnerabilities in MS Word and MS Excel. Once there's a foothold, the infected devices call back to command servers for customized packages of malware signed with victim-specific 20-digit codes. From there, it collects data straight from government institutions, embassies, research firms, military installations, and energy providers, nuclear and otherwise. Over the past half-decade, Red October has been able to dive deeper and deeper into classified intel by using its ever-growing store of pilfered credentials, logins, and other handy tidbits to intelligently guess its way through security.
Part of the reason it's especially dangerous is that it's not confined to infecting, stealing from, and keylogging workstations. The malware also has the capability to get into mobile phones (iOS, Windows Mobile, and Nokia) connected to infected machines and snag a copy of their contacts, calls, messages, and browsing history. It can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism. Red October doesn't mess around.
What it can get is one question, but who it's run by is a very different one. According to Kaspersky the exploits are probably Chinese in origin, and Russian slang in some of the code implies the operators speak Russian. Or they're running an in-depth long con to make people think they do. Most of the command & control servers and domains that can be found are located in and around Germany and Russia, but an intense chain of proxies is still effectively masking the operation's real home base. And while it rivals state-sponsored projects in size and complexity, it's never been known to tangle with or team up with them in any way. Red October is a solitary hoarder, sitting in some cyber-shack alone, surrounded by heaps of top secret info.
Likewise, it's still up for grabs what all this espionage is for. There's no evidence to suggest this is a state-sponsored affair, and it seems to be just trucking along, collecting as much classified information as possible just to have it around. Infections are most prominent in Russia (35 infections) but Afghanistan (10), Iran (7), the United States (6), and even Switzerland (5) are on the map as well. But there's no telling what's been done with any info. It could be being sold, acted on in some covert way, or just stockpiled for the right moment for...something.
It's hard not to imagine a man sitting behind a large desk, his face obscured by shadow, tapping his fingers and chuckling to himself sinisterly, watching his own private store of the world's confidential information grow before his very eyes as he ponders what to do with it all. And that might not be too far off from the truth. This isn't just a game for nation-states to play; it looks like there's a free agent in the mix, and he/she/they/it is every bit as competent as the big names. [Kaspersky]
http://fromthetrenchesworldreport.com/warning-from-computer-experts-more-than-a-billion-computers-worldwide-at-risk/31054/#more-31054
Warning From Computer Experts: More Than A Billion Computers Worldwide At Risk
Computer security experts are warning of a worldwide Java security vulnerability that has put more than a billion computers at risk. Is this another computer virus developed by the US or Israeli government programs such as Stuxnet or Flame? The story below can be read in its entirety here.
Experts advise users and companies worldwide to disable Oracle’s Java due to severe security flaw
Security experts, researchers and analysts have discovered a vulnerability in the widely used Java software that has the potential to allow hackers access to your computer.
Oracle’s Java platform is used and installed on more than one billion user computers worldwide. Three billion mobile phones are running the software too.
Yesterday (Thursday), the US-CERT’s Vulnerability Notes Database, a service that provides timely information about software vulnerabilities, issued a warning that said “Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”
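The US-CERT note gives a precise affected range (Java 7 Update 10 and earlier), and the advice circulating was to disable Java in the browser. The script below is an added example, not from the article or from US-CERT: it parses `java -version` banners collected from hosts (note that `java -version` writes to stderr, so collect it with `2>&1`), flags builds in that range, and checks each host's deployment.properties for `deployment.webjava.enabled=false`, the switch introduced in 7u10 that turns off Java content in the browser. The hostnames, banners and property files are constructed. The check flags only Java 7, because that is all the quoted note names; it makes no claim about Java 6.

```python
"""Java exposure triage (added example; not from the article or US-CERT).

Parses the first line of `java -version 2>&1` output collected from hosts,
flags builds in the range US-CERT described (Java 7 Update 10 and earlier),
and checks deployment.properties for the 7u10+ setting
deployment.webjava.enabled=false, which switches off Java in the browser.
Turning the plug-in off closes the drive-by vector; it does not patch the runtime.
"""
import re

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """'java version "1.7.0_10"' -> (1, 7, 0, 10); None if no version line is found."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(version):
    """Java 7 (1.7.0) at Update 10 or earlier. The quoted note names only Java 7,
    so Java 6 builds are deliberately not flagged here."""
    if version is None:
        return False
    major, minor, _, update = version
    return (major, minor) == (1, 7) and update <= 10


def browser_plugin_disabled(properties_text):
    """True when deployment.webjava.enabled=false is set.
    An absent property means the plug-in is enabled (the default)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False


def triage(host, banner, properties_text):
    """One verdict per host: 'patch-or-disable', 'browser-plugin-off'
    (drive-by vector closed, runtime still old) or 'not-in-affected-range'."""
    version = parse_java_version(banner)
    if not is_affected(version):
        return (host, "not-in-affected-range")
    if browser_plugin_disabled(properties_text):
        return (host, "browser-plugin-off")
    return (host, "patch-or-disable")


# Constructed inventory: hypothetical hosts and banners, not real collection data.
INVENTORY = [
    ("ws-01", 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)', ""),
    ("ws-02", 'java version "1.7.0_09"', "# per-user deployment.properties\ndeployment.webjava.enabled=false\n"),
    ("ws-03", 'java version "1.7.0_11"', ""),
    ("ws-04", 'java version "1.6.0_38"', ""),
    ("ws-05", "bash: java: command not found", ""),
]


def run_inventory(inventory=INVENTORY):
    return [triage(*entry) for entry in inventory]


if __name__ == "__main__":
    for host, verdict in run_inventory():
        print("%s: %s" % (host, verdict))
```

A host reported as browser-plugin-off still carries the old runtime, so it belongs on the patch list too; the verdict only says the browser route is closed.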
and.....
http://www.esecurityplanet.com/network-security/cisco-acknowledges-security-flaw-in-ip-phones.html
Cisco Acknowledges Security Flaw in IP Phones
The vulnerability was first demonstrated last month by Columbia University graduate student Ang Cui.
Cisco this week published a security advisory warning of an arbitrary code execution vulnerability in its Cisco Unified IP Phone 7900 Series.
"This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace," the advisory states. "An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue."
"The company has provided some temporary workarounds for administrators and estimates that a permanent fix for this flaw will be released in the week of January 21," writes Softpedia's Eduard Kovacs.
"Last month, Ang Cui, a graduate student at Columbia University Intrusion Detection Systems Lab and co-founder of Red Balloon Security, demonstrated the attack on the Cisco Unified IP Phone 7900 series using a technique he developed with fellow Columbia researcher Salvatore Stolfo to attack printers," writes FierceEnterpriseCommunications' Fred Donovan. "Once the phone was compromised, an attacker could eavesdrop on the entire network of phones in the enterprise, according to Cui."
"During the presentation, systems expert Cui showed the Cisco phone at the White House and on Air Force One," writes CRN's Robert Westervelt. "The device is not really a phone, he said, but a general purpose computer put into a plastic case to make it look like a phone. The device runs Cisco's proprietary UNIX OS and Java. It uses the SSH protocol, but 'the way it's implemented makes it worse than Telnet,' Cui said."
"Cui and Stolfo have developed their own fix, called Software Symbiotes [PDF file], which they plan to demo at the RSA Conference in San Francisco in February," writes ReadWrite's Christina Ortiz. "The defensive technology will live alongside executable code or arbitrary software to ensure that it works properly. Symbiotes, according to Cui, will be able to tell whether a system has been compromised, and either stop the malware or turn off the host device altogether."
and......
http://www.esecurityplanet.com/hackers/mississippi-state-university-hacked.html
Mississippi State University Hacked
User names, encrypted passwords, mailing addresses, e-mail addresses and admission details were published online.
Mississippi State University (MSU) recently acknowledged that a university server was the target of a cyber attack on Wednesday, January 9, though MSU chief information officer Mike Rackley said no "secure data" (Social Security numbers, credit card information, health information or grades) was compromised.
"This represents only one of hundreds of servers in the MSU system," Rackley said in a statement. "In response to incidents like this one and the increasing number of Internet-enabled computer attacks, Mississippi State continually modifies its systems and practices to enhance the security of sensitive information."
Hacker Gevolus, a member of the Brazilian Cyber Army, published login information for more than 500 users on Pastebin. "The data contains admission details, usernames, addresses, emails and encrypted passwords of [university] staff and students," HackRead reports.
"As a precaution, administrators advised those affected by the hacking to change their account passwords," WTVA reports.
"Joe Farris, an assistant to the president, was one of the MSU employees linked to the posted encrypted passwords," writes The Starkville Daily News' Carl Smith. "He said the entry was used for an administrative website he 'very rarely used in the past,' and the site itself contained 'no information of consequence' to his privacy."
and....
http://www.esecurityplanet.com/network-security/uk-report-warns-of-fatal-cyber-attack-on-armed-forces.html
UK Report Warns of Fatal Cyber Attack on Armed Forces
The Defence Committee report says a sustained cyber attack could fatally compromise the forces' ability to operate.
The UK's House of Commons Defence Committee recently published a report warning that a sustained cyber attack could "fatally" compromise the armed forces' ability to operate.
"MPs say their inquiry highlighted worrying gaps in strategy and thinking and said it was unclear to them who would be in charge if the UK came under sustained cyber-attack," writes The Guardian's Nick Hopkins. "They also said the MoD was now totally reliant on cyber-systems. 'The evidence we received leaves us concerned that with the armed forces now so dependent on information and communications technology, should such systems suffer a sustained cyber-attack, their ability to operate could be fatally compromised,' the report says."
"Committee chairman James Arbuthnot said it was now essential that ministers took the lead in ensuring effective plans were in place to cope with the threat," writes The Independent's Gavin Cordon. "'It is our view that cyber security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention,' he said. 'The Government needs to put in place -- as it has not yet done -- mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents.'"
"In a statement, the UK Ministry of Defence (MoD) said that actually the UK is very well prepared and has a range of contingency plans in place," writes The Inquirer's Dave Neal. "'The UK Armed Forces and the equipment and assets they use are amongst the world's most modern and advanced, so of course information technology plays a vital role in their operation,' said defence minister Andrew Murrison. 'Far from being complacent, the MoD takes the protection of our systems extremely seriously and has a range of contingency plans in place to defend against increasingly sophisticated attacks although, for reasons of national security, we would not discuss these in detail.'"
and.....
http://www.esecurityplanet.com/hackers/anonymous-hackers-seek-recognition-of-ddos-attacks-as-legitimate-form-of-protest.html
Anonymous Hackers Seek Recognition of DDoS Attacks as Legitimate Form of Protest
The petition asks that anyone who has been jailed for participating in such attacks be released.
Anonymous recently set up a petition on the White House's We the People Web site asking the Obama administration to make distributed denial of service (DDoS) attacks a "legal form of protesting," similar to the Occupy protests.
"With the advance in internet technology, comes new grounds for protesting," the petition states. "Distributed denial-of-service (DDoS), is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any 'occupy' protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time."
"The petition goes on to demand that anyone who has been jailed for participating in a DDoS attack should be immediately released -- a nice touch -- and that anything related to the attack should be expunged from their criminal records," writes The Register's Neil McAllister. "DDoS attacks are indeed one of the go-to methods used when Anonymous wants to make a point. The group used the technique to take down UK government websites in August in protest of the treatment of WikiLeaks founder Julian Assange, and again in November in retaliation for Israel's bombing of sites in Gaza."
The petition, which was posted on January 7, has so far received just over 1,000 signatures. If it gets more than 25,000 signatures by February 7, it will receive an official response from the White House.