US Government Urges Offensive Right to Cyber Self-Protection

Posted on May 21, 2013 by Bill Hagestad

Good day from AusCERT!

If you haven’t heard the latest regarding the People’s Republic of Hacking and countering cyber espionage and the significant loss of intellectual property you should be aware of the New York Times story today… “As Chinese Leader’s Visit Nears, U.S. Urged to Allow Retaliation for Cyberattacks”….folks we have reached a critical inflection point as US Government Urges Offensive Right to Cyber Self-Protection for commercial enterprises to defeat and disrupt the loss of key American inventions and ideas to the People’s Republic of China…this all stated in advance of China’s President Xi Jinping set to meet with President Obama in the next few weeks on US soil…

Read the full New York Times story here:

http://www.nytimes.com/2013/05/22/world/asia/as-chinese-leaders-visit-nears-us-urged-to-allow-retaliation-for-cyberattacks.html?

Red Dragon Rising @ AusCERT 2013

Posted on May 20, 2013 by Bill Hagestad

Good day from Gold Coast Australia!

Red Dragon Rising has arrived in Australia for AuSCERT 2013!

And of course, 5 hours ago here in Asia Pacific those pesky Dark Guests from the People’s Republic of China are up to their old hacking tricks again reports the New York Times:

“Chinese Hackers Resume Attacks on U.S. Targets”

You can read the direct story at the following link:

http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?&pagewanted=all

Latest People’s Republic of China Cyber Conflict News….中華人民共和國信息战争

Posted on May 17, 2013 by Bill Hagestad

Latest People’s Republic of China Cyber Conflict News….中華人民共和國信息战争

Pentagon Continues Use of People’s Republic of China Satellite in New Lease – Bloomberg
…AFRICOM renews lease with People’s Republic of China’s APT Satellite Holdings Ltd.!

People’s Republic of China’s software industry growth quickens – Xinhua | English.news.cn
The growth of China’s software industry quickened last year despite sluggish market demand caused by an economic slump at home and abroad, showed official data revealed on Wednesday.

India’s NSC points to Huawei, ZTE’s links with Chinese military project PLA-863 http://articles.economictimes.indiatimes.com/2013-05-15/news/39282046_1_huawei-and-zte-telecom-equipment-nsc

Beijing’s ‘Bitskrieg’ – 中國人民解放總參謀部…信息战争
http://www.foreignpolicy.com/articles/2013/05/13/beijings_bitskrieg?page=full

US Intelligence & Military fears after People’s Republic of China missile test – Telegraph
http://www.telegraph.co.uk/news/worldnews/asia/china/10063455/US-fears-after-Chinese-missile-test.html

MicroSolved Announces International CyberThreat Intel Briefing

Posted on April 16, 2013 by Brent Huston

MicroSolved, Inc. is proud to announce a unique event for those interested in information security.

The 2013 International Cyber Threat Intelligence Briefing, featuring internationally recognized author William Hagestad, is an executive level briefing on the latest cyber threat intelligence from around the world. This briefing will provide a unique opportunity for C-Level decision makers to understand the cyber threat to their organizations through the loss of intellectual property via the determined use of cyber espionage. Attendees will be presented with two commercial case studies focusing on Global 50 companies. Recommendations, Short & Long Term Moves will accompany this interactive cyber threat intelligence briefing.

This is an opportunity for your management team to participate in a frank, focused discussion about the international cyber threats organizations face today in the global marketplace.

To learn more or sign up to participate, please register by clicking here.

Coming to Grips with DDoS – Prepare

Posted on March 29, 2013 by Brent Huston

This post introduces a 3 part series we are doing covering distributed denial of service attacks (DDoS) and helping organizations prepare for them. The series will cover 3 parts, Prepare, Defend and Respond.

Part 1 of 3 – Prepare.

Distributed Denial of Service (DDoS) attacks use networks of compromised computers (botnets) or web servers (brobots) to flood organization websites with so much traffic that it causes them to fail. This is especially worrying for financial institutions and utilities which rely so very heavily on the availability of their services and controls. DDoS attacks are also mounted by attackers to hide fraud or other hacking activities being perpetrated on networks. Although these types of attacks are not new, they are presently increasing in frequency and especially in sophistication. Application layer DDoS attacks do a good job of mimicking normal network traffic and recent DDoS attacks have been measured at a huge 65 Gb (nearly 10 times the previous high point). The purpose of this blog is to discuss some methods small organizations can employ to properly prepare for DDoS attacks. (Later articles in this series will discuss means for defending against and responding to these attacks).

The first thing any organization should do in this effort is proper pre-planning. Ensure that DDoS is included in your risk assessment and controls planning efforts. Include reacting to these attacks in your incident response and business continuity plans. And as with all such plans, conduct practice exercises and adjust your plans according to their results. In all our years in business, MSI has never participated in a table top incident responce or disaster recovery exercise that didn’t expose planning flaws and produce valuable lessons learned.

Next, your organization should consider DDoS when choosing an ISP. It helps immensely to have an Internet provider that has enough resources and expertise to properly assist if your organization is targeted for one of these attacks. Ensure that you develop a close relationship with your ISP too – communicate your needs and expectations clearly, and find out from them exactly what their capabilities and services really are.

Finally on the preparation side of the problem, make sure that you keep well informed about DDoS and the actual threat level it poses to your organization. Keep active in user groups and professional organizations. Use the net to gather intelligence. The Financial Service Information Sharing and Analysis Center (FS-ISAC) has plenty of useful and up to date information on DDoS. You can even turn the World Wide Web against the enemy and use it to gather intelligence on them!

–This article series is written by John Davis of MSI.

PS – This is NOT a problem you can “purchase your way out” of. Organizations can’t and should not buy huge amounts of bandwidth as a preparation for DDoS. The cost impacts of such purchases are not effective, nor is bandwidth size an effective control in most cases. Note that some technology solutions for packet scrubbing and the like do exist. Your milage may vary with these solutions. MSI has not reviewed or tested any of the DDoS technology products as a part of this series.

Quick Thought on CSRF Attacks

Posted on March 8, 2013 by Brent Huston

Yesterday, I listened to @Grap3_Ap3 present at the Columbus OWASP local chapter on Cross Site Request Forgery (CSRF). While this attack has been around since 2001, it continues to show a strong presence in web applications across a range of platforms. Phil spent a lot of his time talking about content management systems on the public Internet, but we have seen CSRF very widely exploitable on embedded devices.

Embedded devices, often equipped with rather rudimentery web servers and applications for management, have proven to be a searing hot pain point for CSRF in our research. While that isn’t shocking or new, I definitely see an interesting and potentially dangerous collision between the growth of the “Internet of Things” and web vulnerabilities. Today, some of these platforms are toys, or novelty tools built into home appliances – BUT, the future of internetworking of our devices and our physical lives means that these web controls will eventually have larger impacts on our day to day lives.

What happens when a CSRF attack can be used to trick your teenager into clicking on a picture on the web that while they view it, they also execute a command to raise the temperature on your refrigerator to unsafe levels? Or when an embedded link in an email tricks you into a click that turns your oven onto super heat clean mode without your knowledge? Sound like a prank? Maybe. Extend it to thermostats, home automation and consumer control over alternative energy controls like solar panels and such and it might take a new form.

We are on a course of collision. Our inattention to information security and the exploding complexity and technology dependencies will soon come together in ways that may surprise us. Ignore the hyperbole, but think about it rationally. Isn’t it time we worked with organizations who make products to demand an increase in protection from some of these basic known attacks? In the future, consumers and organizations alike will vote with their dollars. How will you spend yours?

Threat Update: Wide Scale Phishing in Progress

Posted on February 28, 2013 by Brent Huston

GlobalDisplay Orig

Just a quick update about the ongoing threat from malware dropped by phishing attacks. There are a lot of phishing attacks currently in progress. Fishing has been a leading form of compromise for quite some time and indicators appear to point to an increasing amount of phishing attacks and a larger amounts of damage from successful exploitation.

Many organizations are reporting wide spread phishing using recycled, older malware including Zeus, Tepfer and other common remote access tools. In some cases, these malware are repackaged or otherwise modified to evade anti-virus detection. Attackers are showing medium to high levels of success with these attacks.

Once compromised, the normal bot installation and exfiltration of data occurs. For most organizations that don’t play a role in critical infrastructure, this likely means credentials, customer information and other commercially valuable data will be targeted. For critical infrastrcuture organizations, more specific design, future state and architectural data is being targeted along with credentials, etc.

Organizations should be carefully and vigilantly reviewing their egress traffic. They should also be paying careful attention to user desktop space and the ingress/egress from the user workstation DMZ or enclaves (You DO have your user systems segregated from your core operations, correct???). Remember, you CAN NOT depend on AV or email filtering to rebuff these attacks at a meaningful level. Detection and response are key, in order to limit the length of time the attacker has access to your environment. Anything short of full eradication of their malware and tools is likely to end with them still maintaining some level of access and potentially, control.

Now is a good time to consider having a phishing penetration test performed, or to consider using MSISimplePhish to perform some phishing for yourself. Awareness alerts and training are also encouraged. This is going to be a long term threat, so we must begin to implement ongoing controls over the entire technology/ppolicy & process/awareness stack.

If you have any questions on phishing attacks, malware or incident response, please let us know. Our teams are used to working with these attacks and their subsequent compromises. We also have wide experience with designing enclaved architectures and implementing nuance detection mechanisms that focus on your critical assets. Feel free to touch base with us for a free 30 minute call to discuss your options for increasing security postures.

Event Announcement: ICS/SCADA Security Briefing

Posted on February 1, 2013 by Brent Huston

MSI, along with the teams at NexDefense and Critical Intelligence, will be participating in an online webinar about ICS/SCADA Security. The date of the event is February, 6th and you can learn more about it here.

The event is free to attend, though registration is required. You can earn a CPE for participating!

We hope you will tune in and check us out!

Overview of the event:

Learning Objectives

Significant trends in the threat and vulnerability environment
Relevant trends in ICS technology
What proactive steps you can take
How to leverage security intelligence

Agenda

Introductions
ICS Cyber Security Intelligence Briefing, Michael Assante
ICS Threat Update, Brent Huston
How to Leverage Security Intelligence, Bob Huber
Live Q&A

Who Should View?

Senior Information Security Leaders, CISOs and CTOs
Security and Risk Analysts
Control system security engineers
Security operation leads for ICS reliant organizations

From the HITME: Port 3131 “Gameframe” Scans

Posted on December 14, 2012 by Brent Huston

We’ve been watching some interesting scans primarily hitting our HITME sensors in Asia for the last couple of weeks. The connection occurs on port 3131/TCP and contains the following request:

GET http://gameframe.net/headers HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.10
Host: gameframe.net
Accept-Encoding: deflate, gzip
Proxy-Connection: Keep-Alive
Accept-Language: en-gb,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Pragma: no-cache
Cache-Control: no-cache

The scans we have seen seem to be originating primarily from Europe.

Have you seen similar scans and probes on this port? If so, please share with us in comments or via Twitter (@lbhuston).

In the meantime, it is worth checking your application logs if you have any custom applications deployed on this port, particularly exposed to the Internet. While we don’t see anything indicating an attack, review of anything exposed for errors or follow on attack traffic is suggested (it’s usually a good idea anyway).

Thanks for reading!

Threat Data Sharing in ICS/SCADA Needs Improvement

Posted on December 12, 2012 by Brent Huston

I had an interesting discussion on Twitter with a good friend earlier this week. The discussion was centered around information sharing in ICS/SCADA environments – particularly around the sharing of threat/attack pattern/vulnerability data.

It seems to us that this sharing of information – some might call it “intelligence”, needs to improve. My friend argues that regulation from the feds and local governments have effectively made utilities and asset owners so focused on compliance, that they can’t spare the resources to share security information. Further, my friend claims that sharing information is seen as dangerous to the utility, as if the regulators ever found out that information was shared that wasn’t properly reported “up the chain”, that it could be used against the utility to indicate “negligence” or the like. I can see some of this, and I remember back to my DOE days when I heard some folks talk along the same lines back when we showed up to audit their environments, help them with incidents or otherwise contribute to their information security improvement.

When I asked on open Twitter with the #ICS/#SCADA hashtags about what hampered utilities from sharing information, the kind Twitter folks who replied talked about primarily three big issues: the lack of a common language for expressing security information (we have some common languages for this (mitre’s work, VERIS, etc.)), legal/regulatory concerns (as above) and the perceived lack of mitigations available (I wonder if this is apathy, despair or a combination of both?).

I would like to get some wider feedback on these issues. If you don’t mind, please let me know either in comments, via private email or via Twitter (@lbhuston) what you believe the roadblocks are to information sharing in the ICS/SCADA community.

Personally, I see this as an area where a growth of “community” itself can help. Maybe if we can build stronger social ties amongst utilities, encourage friendship and sharing at a social level, empower ourselves with new mechanisms to openly share data (perhaps anonymously) and create an air of trust and equity, we can solve this problem ourselves. I know the government and industry has funded ISACs and other organizations, but it seems to me that we need something else – something more easily participatory, more social. It has to be easier and safer to share information between us than it is today. Maybe, if we made such a thing, we could all share more openly. That’s just my initial 2 cents. Please, share yours.

Thanks for reading, and until next time, stay safe out there!

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Threat-Centric