Royal Moroccan Armed Forces


 

 Cyber War/Guerre informatique

tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Re: Cyber War/Guerre informatique   Thu 29 Sep 2011 - 21:14

Yakuza wrote:
I wonder whether the South Korean success in the UAE against Areva has its source there; negotiating tactics oblige..

According to the Figaro, the hack only concerned the infrastructure

Quote:
French nuclear giant Areva has been the victim of a computer attack that forced it to strengthen the security of its networks with the help of state IT specialists, a spokeswoman said, confirming a report by L'Expansion. "We suffered an attack and that is why we have taken measures to strengthen our security systems with the support of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI)," a spokeswoman for the state-owned group told AFP.

ANSSI is the state body in charge of IT security, attached to the Secrétariat général de la défense et de la sécurité nationale, which itself reports to Matignon. According to the Areva spokeswoman, there was "fraudulent access" to the "common infrastructure network, a network that allows the exchange of non-critical information between the group's different entities".

Asked about a possible impact on Areva's military activities, the spokeswoman said the attacked network concerned "non-critical information and not sensitive information". According to L'Expansion's website, citing internal sources, Areva was the victim of a "large-scale" intrusion, which resulted in three days of heightened security measures around 16 September.

According to L'Expansion, which tentatively mentions an "Asian origin", these intrusions "may have been going on for two years".

One can assume their network is of military grade; still, two years of undetected intrusion, even on an infrastructure network, can also mean the attacker has buried other APTs (advanced persistent threats) that are harder to detect...

_________________
Quote:
One should then look at the world of creation. It started out from the minerals and progressed, in an ingenious, gradual manner, to plants and animals. [...] The animal world then widens, its species become numerous, and, in a gradual process of creation, it finally leads to man, who is able to think and to reflect. The higher stage of man is reached from the world of the monkeys, in which both sagacity and perception are found, but which has not reached the stage of actual reflection and thinking. At this point we come to the first stage of man after (the world of monkeys). This is as far as our (physical) observation extends.

Ibn Khaldoun, Al Mouqaddimah (1377 - Franz Rosenthal translation), Ch.1
Yakuza
Administrator
Posts: 21633
Joined: 15/09/2009
Location: 511
Nationality: Moroccan-German

Subject: Re: Cyber War/Guerre informatique   Thu 29 Sep 2011 - 21:17

Absolutely. I can't understand how big companies like Areva, and even other security agencies, get infiltrated for years without noticing, with all the costly, hyper-sophisticated precautions they take..

tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Re: Cyber War/Guerre informatique   Thu 29 Sep 2011 - 21:41

Yakuza wrote:
Absolutely. I can't understand how big companies like Areva, and even other security agencies, get infiltrated for years without noticing, with all the costly, hyper-sophisticated precautions they take..

Absolutely.

The weak link in any "automation" remains the human factor:

- Risk of a malicious employee (personal reasons or for $$$)

- The eternal problem of awareness/training/supervision of employees:
Social engineering = the no. 1 IT security risk: the ideas range from a simple audacious phone call to tricks riding on the fashion or the event of the moment: "Hackers disguise malware as emailed docs from smart printers Clever ruse to catch out office workers"

http://www.theregister.co.uk/2011/09/28/smart_printer_malware_ruse/

Quote:
The trick involves sending emails that pose as scanned documents from office printers or scanners, forwarded by a work colleague. The unlikely source of attack is liable to fool many users, net security firm Symantec warns.

This assumes the classic shift from cybercrime (privatised, limited technical means) to cyberwar (a state entity buying information / renting services on the black market by proxy).

If the hostile state is de facto involved, the resources made available will probably be able to overcome any security measure of a non-governmental organisation: supercomputers, mathematicians, immense logistical means that blur cyberwar and electronic warfare (jamming/interception of copper lines, optical fibre (which was thought impossible to do), GSM).

A classic case is the FBI's discovery, during the ICT bubble of 1995-2000, of a company run by the Mossad offering telephony/internet services to US defence companies.

Security is a process, i.e. something that runs continuously; ignoring the human factor (including education/training/two-way communication) is fatal.

Add to this that the security doctrine (e.g. multi-factor and defence in depth) as well as the tools (Intrusion Detection / Intrusion Prevention / Honeypots / anti-malware etc.) are available to everyone, open source or not (reverse engineering to guess the algorithm): this means the attacker knows ALL of the defender's instruments in advance and will have the time to study how to bypass or defeat them. What is therefore needed: customise/adapt/modify, which requires competent HR and an integration of the IT departments into the strategy of managing Information as an ASSET.

In the logic of cheapness in HR (temporary work/outsourcing), which among other things multiplies security clearances (another security breach) and loses the benefit of experience and loyalty, it is a lost war for these private entities. Unless the states get involved to vouch for/audit/help strengthen the security of these companies (as the NSA does, which has recently been offering certified secure open-source DBMSs).




Yakuza
Administrator
Posts: 21633
Joined: 15/09/2009
Location: 511
Nationality: Moroccan-German

Subject: Re: Cyber War/Guerre informatique   Thu 29 Sep 2011 - 23:01

Ah, hello dear friend, a pleasure to read your logical explanations; one can tell you know your field. Thanks.

farewell
Général de corps d'armée فريق (ANP)
Posts: 2466
Joined: 13/02/2011
Location: ******
Nationality: Algerian-French

Subject: Re: Cyber War/Guerre informatique   Fri 30 Sep 2011 - 0:31

I confirm, a treat to read your posts... indeed, social engineering as bait so that the virus can get into the IT architecture and do its work.

PS: thanks to your posts I am starting to get seriously interested in IT (especially networking and security), whereas before only physics and chemistry fascinated me. Thank you.

_________________

"Beautiful ideas have no age, they only have a future"
tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Re: Cyber War/Guerre informatique   Sat 1 Oct 2011 - 19:52

Thanks guys, it's a pleasure to be among you.

Awareness operation for decision-makers in the US:

Government simulates cyber attack for training

http://www.reuters.com/article/2011/10/01/us-usa-cyber-idaho-idUSTRE78T08B20111001

Quote:
"This is a game of strategy in how to best implement your defenses in an industrial control environment," said Marty Edwards, director of the DHS Control Systems Security Program. "This isn't all about technology, it's about people."

PS: farewell, computer science, just like its mother mathematics, is a multidisciplinary science; you can land in it from any other path.

tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Computer virus hits US Predator and Reaper drone fleet   Sat 8 Oct 2011 - 0:19

Computer virus hits US Predator and Reaper drone fleet

.... What more can one say... shameful.


Quote:
A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

Drones have become America’s tool of choice in both its conventional and shadow wars, allowing US forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; all told, these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post. More than 150 additional Predator and Reaper drones, under US Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula.

But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, US forces discovered “days and days and hours and hours” of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.

The lion’s share of US drone missions are flown by Air Force pilots stationed at Creech, a tiny outpost in the barren Nevada desert, 20 miles north of a state prison and adjacent to a one-story casino. In a nondescript building, down a largely unmarked hallway, are a series of rooms, each with a rack of servers and a “ground control station,” or GCS. There, a drone pilot and a sensor operator sit in their flight suits in front of a series of screens. In the pilot’s hand is the joystick, guiding the drone as it soars above Afghanistan, Iraq, or some other battlefield.

Some of the GCSs are classified secret and used for conventional warzone surveillance duty. The GCSs handling more exotic operations are top secret. None of the remote cockpits are supposed to be connected to the public internet, which means they are supposed to be largely immune to viruses and other network security threats.

But time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. The Pentagon is still disinfecting machines, three years later.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

However, insiders say that senior officers at Creech are being briefed daily on the virus.

“It’s getting a lot of attention,” the source says. “But no one’s panicking. Yet.”


ArsTechnica / Wired.

Honestly, I don't know what to say:

- Could this be incompetence? At a time when commercial products under $100 lock down modifications on a PC?!

- Could this be a political signal sent to boost the budget?!

- Could this be an excuse to wipe the HDDs (under the pretext of rebuilding the systems from scratch) that would contain the sensitive information, in these pre-electoral times and with the changing relationship with Pakistan etc...?

- Do they want to send the message that their networks are too vulnerable, in order to "invite" "government" hackers and put them under real-time "observation" (the only way to be sure of identifying the source, especially for a country with SIGINT as sophisticated as Echelon)?????

The old news about Iraqi insurgents intercepting the drones' unencrypted comms:

Quote:
Insurgents Intercept Drone Video in King-Size Security Breach (Updated, with Video)
http://www.wired.com/dangerroom/2009/12/insurgents-intercept-drone-video-in-king-sized-security-breach/

The reason was the "cost" of an encryption solution...


The other worm that refuses to leave the Pentagon's networks:

Quote:
Agent.btz Worm Won't Die After 2008 Attack On Military

http://www.huffingtonpost.com/2011/06/17/agentbtz-worm-attack-military_n_878880.html


La hawla wa la quwwata illa billah (there is no power and no strength except through God)



Anas hicham
Private 2nd class
Posts: 37
Joined: 06/08/2011
Location: MARRAKECH
Nationality: Morocco

Subject: Re: Cyber War/Guerre informatique   Sat 8 Oct 2011 - 1:36

If that's how it is, then it's very serious; they need to think about improving.
tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Re: Cyber War/Guerre informatique   Sat 8 Oct 2011 - 2:01

Anas hicham wrote:
If that's how it is, then it's very serious; they need to think about improving.

Exactly. If it's true, that is, if it isn't disinformation for God knows what reason.

These systems are air-gapped: no network connection. How is it that the bug keeps reinfecting their machines??!!!

Another possibility is that a spy introduced, and keeps reintroducing, the virus.

There is something fishy in any case: even SMEs know how to deal with this kind of incident once and for all.


tshaashh
Lt-colonel
Posts: 1305
Joined: 13/12/2010
Location: Canada
Nationality: Morocco

Subject: Chaos Computer Club analyzes government malware   Tue 11 Oct 2011 - 0:01

Chaos Computer Club analyzes government malware

http://www.ccc.de/en/updates/2011/staatstrojaner

Quote:

2011-10-08 19:00:00, admin
The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

Even before the German constitutional court ("Bundesverfassungsgericht") on February 27 2008 forbade the use of malware to manipulate German citizen's PCs, the German government introduced a less conspicuous newspeak variant of the term spy software: "Quellen-TKÜ" (the term means "source wiretapping" or lawful interception at the source). This Quellen-TKÜ can by definition only be used for wiretapping internet telephony. The court also said that this has to be enforced through technical and legal means.

The CCC now published the extracted binary files [0] of the government malware that was used for "Quellen-TKÜ", together with a report about the functionality found and our conclusions about these findings [1]. During this analysis, the CCC wrote its own remote control software for the trojan.

The CCC analysis reveals functionality in the "Bundestrojaner light" (Bundestrojaner meaning "federal trojan" and is the colloquial German term for the original government malware concept) concealed as "Quellen-TKÜ" that goes much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court. The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

The analysis concludes that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," commented a CCC speaker. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.

But the trojan's built-in functions are scary enough, even without extending it by new modules. For the analysis, the CCC wrote its own control terminal software that can be used to remotely control infected PCs over the internet. With its help it is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

The official claim of a strict separation of lawful interception of internet telephony and the digital sphere of privacy has no basis in reality. [NB: The German constitutional court ruled that there is a sphere of privacy that is afforded total protection and can never be breached, no matter for what reason, for example keeping a diary or husband and wife talking in the bedroom. Government officials in Germany argued that it is possible to avoid listening in on this part but still eavesdrop electronically. The constitutional court has created the concept of "Kernbereich privater Lebensgestaltung", core area of private life. The CCC is basically arguing that nowadays a person's laptop is intrinsically part of this core area because people put private notes there and keep a diary on it] The fact that a judge has to sign the warrant does not protect the privacy, because the data are being taken directly from the core area of private life.

The legislator should put an end to the ever growing expansion of computer spying that has been getting out of hand in recent years, and finally come up with an unambiguous definition for the digital privacy sphere and with a way to protect it effectively. Unfortunately, for too long the legislator has been guided by demands for technical surveillance, not by values like freedom or the question of how to protect our values in a digital world. It is now obvious that he is no longer able to oversee the technology, let alone control it.

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data center in the USA. The control of this malware is only partially within the borders of its jurisdiction. The instrument could therefore violate the fundamental principle of national sovereignty. Considering the incompetent encryption and the missing digital signatures on the command channel, this poses an unacceptable and incalculable risk. It also poses the question how a citizen is supposed to get their right of legal redress in the case the wiretapping data get lost outside Germany, or the command channel is misused.

According to our hacker ethics and to avoid tipping off criminals who are being investigated, the CCC has informed the German ministry of the interior. They have had enough time to activate the existing self destruct function of the trojan.

When arguing about the government authorized infiltration of computers and secretly scanning suspects' hard drives, the former minister of the interior Wolfgang Schäuble and Jörg Ziercke, BKA's president (BKA, German federal police agency), have always claimed that the population should not worry because there would only be "a handful" of cases where the trojan would be used at all. Either almost the complete set of government malware has found their way in brown envelopes to the CCC's mailbox, or the truth has been leapfrogged once again by the reality of eavesdropping and "lawful interception".

The other promises made by the officials also have no basis in reality. In 2008 the CCC was told that all versions of the "Quellen-TKÜ" software would manually be hand-crafted for the specifics of each case. The CCC now has access to several software versions of the trojan, and they all use the same hard-coded cryptographic key and do not look hand-crafted at all. Another promise has been that the trojan would be subject to exceptionally strict quality control to make sure the rules set forth by the constitutional court would not be violated. In reality this exceptionally strict quality control has neither found that the key is hard coded, nor that the "encryption" is uni-directional only, nor that there is a back door for uploading and executing further malware. The CCC expressed hope that this farce is not representative for exceptionally strict quality control in federal agencies.

The CCC demands: The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyze the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt. Also, we will gladly continue to receive copies of other versions of government malware off your hands. [4]


Quote:
'Government' backdoor R2D2 Trojan discovered by Chaos Computer Club

http://nakedsecurity.sophos.com/2011/10/09/government-backdoor-trojan-chaos/


Quote:
...
But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer - something specifically in violation of Germany's laws.

Sophos's analysis of the malware confirms that it has the following functionality:

* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.
...
...In many ways, I'm reminded of the kerfuffle which occurred almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written - dubbed "Magic Lantern".
...



Quote:
Possible Governmental Backdoor found ("case R2D2")

http://www.f-secure.com/weblog/archives/00002249.html

Quote:

...
The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

We do not know who created this backdoor and what it was used for.
...

_________________
Quote:
One should then look at the world of creation. It started out from the minerals and progressed, in an ingenious, gradual manner, to plants and animals. [...] The animal world then widens, its species become numerous, and, in a gradual process of creation, it finally leads to man, who is able to think and to reflect. The higher stage of man is reached from the world of the monkeys, in which both sagacity and perception are found, but which has not reached the stage of actual reflection and thinking. At this point we come to the first stage of man after (the world of monkeys). This is as far as our (physical) observation extends.


Ibn Khaldoun, Al Mouqaddimah (1377 - Franz Rosenthal translation), Ch.1
Yakuza
Subject: Re: Cyber War/Guerre informatique   Tue 11 Oct 2011 - 12:25

This is where we have unfortunately ended up: under a second Stasi, you get spied on in a full democracy without anyone being able to object, and even court rulings get circumvented.
Gone is the freedom of the 80s/90s, when the police were scaled back to a minimum; now they exploit the hype around virtual "terrorism" to constrain people's lives as much as possible. Sad times...

tshaashh
Subject: Re: Cyber War/Guerre informatique   Tue 11 Oct 2011 - 19:34

Yakuza wrote:
This is where we have unfortunately ended up: under a second Stasi, you get spied on in a full democracy without anyone being able to object, and even court rulings get circumvented.
Gone is the freedom of the 80s/90s, when the police were scaled back to a minimum; now they exploit the hype around virtual "terrorism" to constrain people's lives as much as possible. Sad times...

Democracy is, by definition, variable-geometry. Unlike a republic or a monarchy.
I don't think Germany has much freedom when it comes to security policy. I find it hard to imagine its intelligence services having the slightest autonomy, except for passing information on to the CIA. Or am I mistaken...

Deutsche Welle:
Quote:

Several German states admit to use of controversial spy software

A hacker group says Berlin may have software to spy on citizens
A number of other German states have followed Bavaria in confirming the use of a controversial software program to spy on people through their computers. The German justice minister has demanded an investigation.

Quote:

.......
Several additional German states have admitted to deploying spyware in order to investigate serious criminal offenses, according to regional media sources.

The interior ministers of the states of Baden-Württemberg, Brandenburg, Schleswig-Holstein and Lower Saxony said that regional police had used the software within the parameters of the law. In Lower Saxony, the software has been in use for two years, according to the public broadcaster NDR.

......

What's worse, the CCC said, is that poor data encryption protocols in the Trojan could allow the software to be used by third parties. (governments' incompetence is even worse than their scheming)



http://www.dw-world.de/dw/article/0,,15449054,00.html

Quote:
In one case, the trojan was installed on a suspect's laptop while he was passing customs & immigration at the Munich International airport.

http://www.f-secure.com/weblog/archives/00002250.html





tshaashh
Subject: Chinese army mobilizes cybermilitias   Thu 13 Oct 2011 - 18:25

Quote:
Chinese army mobilizes cybermilitias

KATHRIN HILLE
BEIJING— Financial Times
Published Wednesday, Oct. 12, 2011 4:08PM EDT
Last updated Wednesday, Oct. 12, 2011 4:16PM EDT

Nanhao Group is, in many ways, an ordinary technology company. Its staff make online scoring systems, exam-mark scanners and other educational hardware and software.

But many of its 500 employees in Hengshui, just southwest of Beijing, have a second job. Since 2005, Nanhao has been home to a cybermilitia unit organized by the People’s Liberation Army.

“All staff under the age of 30 belong to the unit,” said Bai Guoliang, Nanhao vice-president. It is unclear what exactly the unit does, but according to a local government announcement when it was set up, it consisted of two groups tasked with cyberattack and cyberdefence.

The Nanhao operation is one of thousands set up by the Chinese military over the past decade in technology companies and universities around the country. These units form the backbone of the country’s Internet warfare forces, increasingly seen as a serious threat at a time of escalating global cybertensions.

Governments, companies and Internet security experts around the world have blamed China for many of the past year’s global hacking attacks. U.S. officials point to the Chinese government or its supporters for the theft of neutron bomb designs, the defence secretary’s e-mails and private sector intellectual property worth many billions of dollars.

Western cybersecurity analysts look to matching patterns between malware, which played a role in intrusions and codes, discussed on Chinese hacker forums as evidence of Chinese involvement. U.S. investigators say attacks on Google and other American companies originated from computers at Lanxiang, a vocational school in the Chinese province of Shandong, and Jiaotong University in Shanghai.

Attacks on companies have “a level of sophistication and are clearly supported by a level of resources that can only be a nation state entity,” said Mike Rogers, chairman of the U.S. House permanent select committee on intelligence, last week.

Mr. Rogers describes these corporate attacks as “a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property.” Several U.S. State department cables obtained by WikiLeaks and marked as secret elaborate on these theories.

Even if attacks clearly originate in China, it is much harder to prove that they were sponsored by the Chinese government or military. Beijing insists the state does not sponsor hacking and its cyberwarfare strategy is purely defensive.

“China is a victim of cyberattack,” Senior Colonel Geng Yansheng, spokesman of the ministry of national defence, said in May when announcing the PLA had set up a “cyber blue team” to “better safeguard the Internet security of the armed forces.”

But the PLA’s actions over the past decade deliver a different message. As early as 1999, senior PLA officers argued that China should use electronic techniques to attack adversaries. Since 2002, the PLA has been searching for external talent to put that strategy into practice.

“The PLA is reaching out across a wide swath of the Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning information warfare capabilities,” said a 2009 report by Northrop Grumman, the U.S. defence contractor, on China’s cyberwarfare capabilities.

The most concrete result of this search for talent was the creation of specialized units – such as the one in Nanhao – in China’s 8-million-strong militia, which is part of the PLA’s reserve force.

“[These militia] should preferably be set up in the telecom sector, in the electronics and Internet industries and in institutions of scientific research,” said a paper by three officers from the Jiangsu provincial PLA command’s mobilization department.

The paper was published in National Defence, the magazine of the Academy of Military Science. The cybermilitia’s tasks include “stealing, changing and erasing data” on enemy networks and their intrusion with the goal of “deception, jamming, disruption, throttling and paralysis,” the paper said.

Nanhao’s Mr. Bai confirmed that its cybermilitia unit was led by the local PLA command and has “regular exchanges” with it, training PLA officers. Asked whether the group would carry out cyberattacks, he said: “That has nothing to do with you.”

This push to create cybermilitias could mean that even some of China’s largest and best-known technology companies could become part of the information warfare complex. An employee of China Telecom in the coastal province of Jiangsu said the state-owned carrier’s local affiliate had a cybermilitia unit and he believed similar groups had been set up in other provinces.

The PLA’s efforts to tap and foster civilian cyberwarfare talent also reach beyond the corporate sector.

The military sponsors hacking competitions in universities and information warfare research in academia. Tang Zuoqi, a lecturer at the College of Computer Science and Information at Guizhou University, secured his job after winning prizes in a 2005 Internet warfare competition held by the Chengdu military command, according to his biography on the university’s website.

China already has a thriving hacking scene. Tightly-knit groups of young hackers, mostly men, discuss code on online bulletin boards or even meet in offline classes, sometimes advertised on streets.

“Hacking for criminal purposes in China is growing, it is getting more professional and more organized,” says Liu Deliang, a professor at Beijing Normal University and one of China’s leading experts on cybercrime.

Although the Northrop Grumman report said it is difficult to establish firm links between the PLA and this criminal community, the military is trying to forge those links. The AMS paper says: “[We must] recruit experts who research Internet technology, especially those who are good at ‘hacking’ attacks and virus technology.”

Additional reporting by Joseph Menn in San Francisco.

The Globe And Mail

tshaashh
Subject: Raytheon's cyberchief describes 'Come to Jesus' moment   Thu 13 Oct 2011 - 23:41

Raytheon's cyberchief describes 'Come to Jesus' moment
Network World

Quote:
After Raytheon began selling missiles to Taiwan in 2006, the defense company's computer network came under a torrent of cyberattacks.

"We truly had the 'come to Jesus moment' five years ago because we decided ... to sell missiles to Taiwan," said Vincent Blake, head of cyber security at Raytheon U.K., during a panel session at the RSA security conference in London on Wednesday.

"For some reason, a country next door to Taiwan didn't really like that so they got very interested in our IPR [intellectual property rights]," he said. "We've had to very, very rapidly catch up with our own internal networks."

Blake described a "huge leap in attacks" that prompted the company to make cybersecurity one of its top five priorities, and eye security companies for acquisition. Since that time, Raytheon has continued to be an attractive target for hackers, given its breadth of defense technologies that supply militaries around the world.

Now, the company sees an incredible 1.2 billion -- that's billion -- attacks on its network per day, Blake said. About 4 million spam messages target Raytheon's users, and the company sees some 30,000 samples per day of so-called Advanced Persistent Threats, or stealthy malware that seeks to stay long-term on infected computers and slowly withdraw sensitive information.

"We are the most targeted industry in the world," Blake said.

So how does Raytheon defend itself?

Raytheon uses sophisticated analysis engines that can sort through network alerts, Blake said. Some decisions are automated, while other alerts are assigned to a dedicated analyst for investigation.

Zero-day exploits, or attacks actively being used on the Internet against vulnerabilities that do not have a patch, are a big problem, said Blake, speaking to the IDG News Service after the panel. Last year, Raytheon detected 138 zero-day attacks against some 5,000 employees, he said.

The zero-day attacks were detected through RShield, a Raytheon product that examines e-mail attachments and embedded URLs. If an e-mail attachment comes through Raytheon's system, it is first scanned through commercial antivirus software and then through RShield, which scans the attachment in a hypervisor, Blake said.

The hypervisor is custom-built and not VMware, Blake said. Many hackers engineer their malware to not execute within VMware. The behavior of the attachment is observed, and if it does something suspicious, it is blocked. Blake said it's the only way these days to detect advanced malware.

"That's where the future is," Blake said. "If you haven't seen it [the malware] before, you're not going to find it."

Last week, Blake said Raytheon saw its first cloud-based attack on its network: 20 Raytheon employees received a targeted e-mail with a link to an application hosted with a cloud service provider. The style of attack -- a malicious email -- is a typical social engineering technique known as spear phishing that can give hackers an easy foothold in an organization. Unfortunately, two people clicked on the link, Blake said.

Blake said his team was able to detect the attack once the affected Raytheon computers started "beaconing" to the cloud service provider, or trying to make a network connection.

Raytheon only lets an attacker sit on its network for two hours or less, a response time that Blake said the company hope to cut down to 10 minutes.

"You will be attacked," Blake said. "You will be exploited. It's not a matter of whether something will get in your system, but more how long you will continue to have them in your system."

In March, Blake said Raytheon mounted a "companywide response" when RSA revealed that part of its SecurID system had been compromised in March. Passwords were changed. Raytheon still uses SecurID but has since added other layers of security in their authentication systems.

Due to the breach, "we had to significantly change our attitude to not being so reliant on RSA," he said.


This goes hand in hand with the following ideas:

Try to custom-build as much as possible: attacks are generally based on the generic behaviour of OSes/software/procedures... by knowing them in advance, the attacker saves time.

The classic doctrine is changing by allocating more attention (budget/training/process) to intrusion detection (IDS) and intrusion prevention (IPS), because the idea today is that it is practically impossible to guard against attacks, so the goal is to minimise the damage and identify the attacker as well as possible.


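The "beaconing" Blake describes above, where an infected workstation keeps trying to reach the same outside service, is something an IDS team can look for in plain connection logs, which is the detection-first posture the post argues for. The following Python script is an added example written for this page, not Raytheon's or any vendor's tooling. It parses a few constructed log lines (the hostnames and the 10.x / 198.51.100.x / 203.0.113.x addresses are invented; 83.236.140.90 and 207.158.22.134 are the two servers named in the F-Secure note quoted earlier in the thread), flags (source, destination) pairs that connect at a near-constant interval, and matches destinations against that short known-address list. The thresholds (five connections, 20% jitter) and the internal address ranges are assumptions to tune per network; internal destinations are skipped for the periodicity check because legitimate services such as file shares are polled on timers too.

```python
"""Periodic-connection ("beacon") detection over constructed connection logs.
Added example written for this page; not Raytheon's or any vendor's tooling."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample log: "<ISO timestamp> <source host> <destination ip:port>".
# Hostnames and the 10.x / 198.51.100.x / 203.0.113.x addresses are invented;
# 83.236.140.90 is one of the two servers named in the F-Secure note quoted above.
SAMPLE_LOG = """\
2011-10-12T09:00:00 ws-017 10.0.0.5:445
2011-10-12T09:00:03 ws-017 203.0.113.7:443
2011-10-12T09:01:10 ws-017 10.0.0.5:445
2011-10-12T09:02:41 ws-042 198.51.100.9:80
2011-10-12T09:05:03 ws-017 203.0.113.7:443
2011-10-12T09:10:04 ws-017 203.0.113.7:443
2011-10-12T09:12:00 ws-042 83.236.140.90:80
2011-10-12T09:15:03 ws-017 203.0.113.7:443
2011-10-12T09:20:02 ws-017 203.0.113.7:443
2011-10-12T09:25:03 ws-017 203.0.113.7:443
2011-10-12T09:37:12 ws-042 198.51.100.9:80
2011-10-12T10:03:55 ws-042 198.51.100.9:80
"""

# Addresses taken from the F-Secure write-up quoted earlier in the thread.
KNOWN_C2 = {"83.236.140.90", "207.158.22.134"}

# Assumed internal ranges (RFC 1918); a real deployment lists its own networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[str, str, int]  # (source host, destination ip, destination port)


def is_internal(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst, port); malformed lines are skipped."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        host, port = dst.rsplit(":", 1)
        flows[(src, host, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times: List[datetime]) -> Optional[Tuple[float, float]]:
    """Return (mean interval in seconds, jitter ratio) for one flow, or None if it
    has fewer than three intervals. Jitter is the population standard deviation
    divided by the mean: a timer-driven beacon scores near 0, human browsing high."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows: Dict[Flow, List[datetime]], min_connections: int = 5,
                 max_jitter: float = 0.2) -> List[Tuple[Flow, str]]:
    """Flag flows that reach a known-bad address or connect at a near-constant
    interval. Thresholds are assumptions to tune per network."""
    findings: List[Tuple[Flow, str]] = []
    for flow, times in flows.items():
        _src, host, _port = flow
        if host in KNOWN_C2:
            findings.append((flow, f"destination on known-bad list ({len(times)} connections)"))
        # Internal services (file shares, domain controllers) are polled on timers too.
        if is_internal(host) or len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_jitter:
            findings.append((flow, f"periodic: every ~{score[0]:.0f}s, jitter {score[1]:.3f}, "
                                   f"{len(times)} connections"))
    return findings


if __name__ == "__main__":
    for (src, host, port), why in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}:{port}: {why}")
```

Run it as a script to see the two findings: ws-017 talking to 203.0.113.7 every five minutes, and ws-042 touching a listed address once. A one-off hit on a known address is worth a ticket by itself; the periodicity rule is what catches a beacon nobody has listed yet, at the cost of false positives from legitimate pollers, which is why the internal-range exclusion and the thresholds must be tuned to the network (`datetime.fromisoformat` needs Python 3.7 or later).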
Yakuza
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 9:41

Occupational hazards; this is what happens when you arm China's enemy.
I don't understand why they don't simply cut employees of large firms off from the internet and leave them a kind of intranet, given that some still can't stop themselves from clicking on links they are sent (which is stupid)?
Finally, I hope it didn't get the plans for the AIM120C/D or AIM9X.

ScorpionDuDesert
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 9:59

Yakuza wrote:

I don't understand why they don't simply cut employees of large firms off from the internet and leave them a kind of intranet
That's the case in France.
Yakuza
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 10:02

But weren't Alstom and other French firms hacked before?

ScorpionDuDesert
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 10:18

I don't know what happened with Alstom, but from personal experience I know that this is the case in a good number of companies (PSA, GE, ...)

At PSA, for example, only certain managers have internet access. To get it, you need the plant director's approval, a justification e-mail from the plant director and plenty of other things.
PGM
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 10:54

Not necessarily, Scorpion. In most of the companies I know (banks, insurers), all employees have internet access, with just restrictions on certain sites (adult sites, L'Equipe, eBay...). It's simply that, for internet access, we go through servers that hold no company data, and in principle there is a "Chinese wall" between the different servers to keep the internal and external sides sealed off from each other.
Instead, the concern has shifted to USB sticks, because from experience that is the channel through which "Trojan horses" get in.
The war against intrusions, like any well-run war, requires perpetual movement and constant adaptation to the type of threat.

PGM
tshaashh
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 16:37

PGM wrote:
Not necessarily, Scorpion. In most of the companies I know (banks, insurers), all employees have internet access, with just restrictions on certain sites (adult sites, L'Equipe, eBay...). It's simply that, for internet access, we go through servers that hold no company data, and in principle there is a "Chinese wall" between the different servers to keep the internal and external sides sealed off from each other.
Instead, the concern has shifted to USB sticks, because from experience that is the channel through which "Trojan horses" get in.
The war against intrusions, like any well-run war, requires perpetual movement and constant adaptation to the type of threat.

PGM



Blocking web access is certainly a rational decision, but not always feasible for every department.

There are other internet services (email) that require external access (partners).

In short, as PGM said, you first have to master the business processes (at least to identify who needs what, how and when) before starting to whitelist + blacklist + "physically" segregate the networks.

On the other hand, if a state insists on hacking, it will hack. Hence the importance of being able to detect anomalies on the network (put simply, a workstation that turns into a "web server", even though there is no shortage of tricks to camouflage that...)

It is also possible that virtualisation technology, whose maturity and quality/price ratio at the workstation level (Virtual Desktop Infrastructure, VDI) have not yet reached those of servers, will bring the mainframe-terminal model back into fashion (most of the processing on the mainframe, the terminal being keyboard + screen with no persistence) instead of the current client-server model (processing shared by both, with the server offloading a large part of the processing, for example via web scripts, to the browser on the client).

An article from The Register:

Quote:
If the name’s not on the whitelist it can’t come in

The poor old corporate endpoint has had a bit of a battering in the last few years. Malware is more widespread and complex than ever and it is easy to get infected simply by visiting legitimate sites that have been hacked.

Now that the internet has become such a dangerous neighbourhood, are malware blacklists enough to keep the nasties out? Or are whitelists a better way to go?

Most anti-malware tools use blacklists. They scan system and application files and compare them against a list of signatures matching known malicious files.

But there are a couple of problems with blacklists. Increasingly sophisticated technology means the number of variants on a particular strain of malware has grown exponentially.

Drive-by download sites will often custom-bake a file with a unique hash for a visitor, making it difficult for anti-malware tools to spot them.

Suspicious behaviour

Catching these files is not impossible, thanks to techniques such as behavioral analysis. Scanning what the file does, rather than simply what it looks like, is a useful way to spot malicious activity.

However, this can generate its own problems. Occasionally, system files can look as though they are doing malicious things when they are simply doing their job. McAfee suffered that problem in April last year – and again in October.

An alternative is whitelisting. If the malware base is growing all the time, then maybe the right question to ask is not what you shouldn’t let in but what you should.

A whitelist contains only the files that you are willing to allow to be installed on your organisation’s computers.

Elusive prey

The disadvantage of a blacklist is that by the time malware is documented and added to a list, it is already out there in the wild. Some organisations will be infected before a blacklist is updated.

With rapidly propagating malware, waiting until a blacklist is updated can be disastrous. But it is also problematic for highly targeted software exploiting zero-day vulnerabilities.

Some of the most effective attacks have been targeted at high-value machines as part of long-term, highly orchestrated “advanced persistent threat” attacks.

A whitelist can be made to be failsafe. If a piece of software tries to install but is not on a whitelist, it can be denied access.

That would seem to provide adequate protection against all malware, albeit at the cost of some inconvenience to the user. The question for the organisation then becomes whether the trade-off is worth it.

Let the right one in

The extent of the inconvenience depends on the size of the organisation’s whitelist and its internal disciplines. A relatively large whitelist has a better chance of allowing through legitimate software.

The National Institute of Science and Technology maintains the National Software Reference Library (NSRL), a collection of hashes for known, legitimate software releases.

The SANS Institute’s Internet Storm Centre has created a list of hashes using the NSRL as a base, adding in a searchable web front end to make it useable as a whitelist.

Lumension also provides a whitelist of application data, collected from sources that include vendors and its customers’ own application scanning processes.


A legitimate file could be compromised and made to perform malicious acts

One potential drawback of a whitelist is that a legitimate file could be compromised and made to perform malicious acts. If there is an inherent vulnerability in the file, it may not even be necessary to change the hash.

The other challenge is keeping a whitelist up to date. How often do you need to update machines, and how often are you ensuring that the whitelist is also updated?

“Whitelists are good if you’re not going to be updating a machine,” says Gunter Ollman, vice-president of research at security firm Damballa, adding that a Windows 7 installation uses hundreds of thousands of files.

“If you’re not patching or putting out automatic updates, then whitelisting can serve as an ideal baseline,” he says.

In reality, of course, we all update our machines, so ensuring that a whitelist is up to date is vital if you are to avoid file problems.

If you can integrate patch management with your whitelist, you can automate those updates to lessen the burden of maintaining a whitelist over time. Trust engines allow you to make decisions based on publisher, file location, updaters and so on. They also facilitate whitelist management.

Ebony and ivory

Using both whitelisting and blacklisting together may create a more effective means of endpoint protection, say experts.

Overlaying a whitelist on a blacklist can provide another layer of verification and help to avoid some of the false positives that occasionally befall blacklists.

The whitelist could also help to filter out some others, such as “greylisted” applications that are technically legitimate but frowned upon by company policy.

“When the culture of the firm is ‘anything goes’, it’s hard to say turn the taps off,” says Eldon Sprickerhoff, co-founder of security consulting and services firm ESEntire.

Deployment of a whitelist should begin with a profiling phase, he advises.

“We work out what’s going on right now, and then we gradually close down the scary things,” he says.

Deploying a whitelist alongside a malware blacklist could also be a useful rationalisation exercise. By taking a long, hard look at what really needs to be running on PC endpoints, organisations might be able to simplify their application portfolio, freeing up some support and maintenance budget.


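Added example for the allowlist-first approach in the Register piece above, and for the whitelist + blacklist step the poster mentions before it (this is example code written for this page, not The Register's, Lumension's or any vendor's product): a small Python policy engine that evaluates a file in the order the article argues for. A blocklist hit wins even over a stale allowlist entry; a "greylisted" legitimate-but-unwanted program is refused by policy; a known-good hash is allowed; a signed file from a trusted publisher sitting in a non-user-writable location is allowed by a trust-engine style rule (publisher plus file location, as the article describes); everything else is denied, which is the fail-safe default the article calls for. `apply_patch` is the patch-management hook that folds freshly installed vendor files into the allowlist. All hashes, publisher names and paths are constructed; in practice the known-good set would be seeded from a reference collection such as the NSRL plus the organisation's own golden images.

```python
"""Allowlist-first endpoint file policy with a blocklist overlay.
Added example with constructed data; not any vendor's product code."""
import hashlib
from typing import Dict, Iterable, NamedTuple, Optional, Set


class FileRecord(NamedTuple):
    path: str                 # where the file sits on the endpoint
    content: bytes            # file bytes (constructed stand-ins here)
    publisher: Optional[str]  # verified code-signing publisher, None if unsigned


class Decision(NamedTuple):
    allowed: bool
    reason: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference sets. In practice the allowlist is seeded from a
# reference collection such as NIST's NSRL plus the organisation's own builds.
KNOWN_GOOD: Set[str] = {sha256(b"constructed: os-calculator-build-1"),
                        sha256(b"constructed: p2p-client-build-3")}
KNOWN_BAD: Set[str] = {sha256(b"constructed: dropper-build-7")}
# Legitimate software that company policy nevertheless forbids ("greylist").
GREYLISTED: Set[str] = {sha256(b"constructed: p2p-client-build-3")}
TRUSTED_PUBLISHERS = {"Example OS Vendor", "Example Tools Inc"}
# Install locations a standard user cannot write to (constructed, Windows-style).
TRUSTED_LOCATIONS = ("C:\\Windows\\", "C:\\Program Files\\")


def decide(rec: FileRecord, known_good: Set[str] = KNOWN_GOOD,
           known_bad: Set[str] = KNOWN_BAD) -> Decision:
    """Evaluate one file: blocklist, then greylist, then allowlist, then trust rule, then deny."""
    digest = sha256(rec.content)
    if digest in known_bad:
        # Blocklist overlay: wins even if a stale allowlist entry exists.
        return Decision(False, "hash on blocklist")
    if digest in GREYLISTED:
        return Decision(False, "greylisted: legitimate but disallowed by policy")
    if digest in known_good:
        return Decision(True, "hash on allowlist")
    if rec.publisher in TRUSTED_PUBLISHERS and rec.path.startswith(TRUSTED_LOCATIONS):
        # Trust-engine rule: publisher plus location, for files whose hash has not
        # yet reached the allowlist (e.g. a vendor update installed minutes ago).
        return Decision(True, f"trusted publisher '{rec.publisher}' in trusted location")
    return Decision(False, "unknown file: default deny")  # fail-safe default


def apply_patch(known_good: Set[str], installed: Iterable[FileRecord]) -> Set[str]:
    """Patch-management hook: fold hashes of newly installed files from trusted
    publishers into the allowlist so endpoints keep running after an update."""
    return known_good | {sha256(f.content) for f in installed
                         if f.publisher in TRUSTED_PUBLISHERS}


# Constructed sample files covering each branch of the policy.
SAMPLES: Dict[str, FileRecord] = {
    "calc": FileRecord("C:\\Windows\\System32\\calc.exe",
                       b"constructed: os-calculator-build-1", "Example OS Vendor"),
    "dropper": FileRecord("C:\\Users\\bob\\Downloads\\invoice.exe",
                          b"constructed: dropper-build-7", None),
    "unknown": FileRecord("C:\\Users\\bob\\Downloads\\setup.exe",
                          b"constructed: unknown-build-0", None),
    "tool_installed": FileRecord("C:\\Program Files\\Example Tools\\tool.exe",
                                 b"constructed: tool-build-2", "Example Tools Inc"),
    "tool_in_temp": FileRecord("C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe",
                               b"constructed: tool-build-2", "Example Tools Inc"),
    "p2p": FileRecord("C:\\Program Files\\P2P\\client.exe",
                      b"constructed: p2p-client-build-3", "Example Tools Inc"),
}


def run_samples(known_good: Set[str] = KNOWN_GOOD) -> Dict[str, Decision]:
    return {name: decide(rec, known_good) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:15} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
    # A hash-based allowlist follows the bytes, not the path: once the patch hook
    # has registered tool.exe, the same binary is accepted wherever it sits.
    patched = apply_patch(KNOWN_GOOD, [SAMPLES["tool_installed"]])
    print("tool_in_temp after patch:", decide(SAMPLES["tool_in_temp"], patched).reason)
```

The sample set exercises the trade-off the article describes: the signed tool is accepted in Program Files but refused from a user's Temp directory until the patch hook has registered its hash, and the unsigned download is refused without anyone having to know it is malicious. What the code cannot help with is the article's other caveat, a legitimately allowlisted file with an exploitable flaw, whose hash never changes; that is why the article recommends running the allowlist alongside, not instead of, behavioural and blocklist checks.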
ScorpionDuDesert
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 19:11

tshaashh wrote:


Blocking web access is certainly a rational decision, but not always feasible for every department.

There are other internet services (email) that require external access (partners).
You can allow access only to mailboxes, but even then the problem is not solved (for all the reasons we know, even the most wretched of them (social engineering)); the finance ministry paid the price for that last year, I believe.

Virtualisation, meh, for large companies = very complex to implement + lower performance + a very beefy host + if it is lost, everything is kaput; and let's not forget the virtualisation software: one flaw in it and the whole security myth goes up in smoke.

Finally, as long as there is information, there is risk.
tshaashh
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 19:46

ScorpionDuDesert wrote:
tshaashh wrote:


Blocking web access is certainly a rational decision, but not always feasible for every department.

There are other internet services (email) that require external access (partners).
You can allow access only to mailboxes, but even then the problem is not solved (for all the reasons we know, even the most wretched of them (social engineering)); the finance ministry paid the price for that last year, I believe.

Virtualisation, meh, for large companies = very complex to implement + lower performance + a very beefy host + if it is lost, everything is kaput; and let's not forget the virtualisation software: one flaw in it and the whole security myth goes up in smoke.

Finally, as long as there is information, there is risk.

Absolutely.

Possibly, for VDI, the quality/cost ratio will improve.

Regarding virtualisation flaws: proofs of concept are already in the wild.

Quote:
Security threats to virtual environments less theoretical, more practical

http://searchsecurity.techtarget.com/magazineContent/Security-threats-to-virtual-environments-less-theoretical-more-practical

Two vulnerabilities found in VMware virtualization products
http://www.scmagazineus.com/two-vulnerabilities-found-in-vmware-virtualization-products/article/107207/


_________________
Quote:
One should then look at the world of creation. It started out from the minerals and progressed, in an ingenious, gradual manner, to plants and animals. [...] The animal world then widens, its species become numerous, and, in a gradual process of creation, it finally leads to man, who is able to think and to reflect. The higher stage of man is reached from the world of the monkeys, in which both sagacity and perception are found, but which has not reached the stage of actual reflection and thinking. At this point we come to the first stage of man after (the world of monkeys). This is as far as our (physical) observation extends.


Ibn Khaldoun, Al Mouqaddimah (1377 - Franz Rosenthal translation), Ch.1
Anas hicham (2eme classe, Marrakech)
Subject: Re: Cyber War/Guerre informatique   Fri 14 Oct 2011 - 23:29

Thanks for this information, even if it scares me.
tshaashh (Lt-colonel, Canada)
Subject: Re: Cyber War/Guerre informatique   Mon 17 Oct 2011 - 20:55

Quote:

Air Force Officials Share Details on Malware That Infected Drone Systems

Air Force officials revealed more details about a malware infection that impacted systems at the Creech Air Force Base in Nevada.

The malware attack received media attention last week when Wired.com reported malware had infected the cockpits of fighter drones used by the Air Force. Citing sources on the base, Wired reported that the malware was first discovered in September and had resisted attempts to clean computer systems.

According to the Air Force, the 24th Air Force (24th AF) first detected the malware – which they characterized as a “credential stealer” as opposed to a keylogger as originally reported - and notified Creech Air Force Base officials Sept. 15 that malware was found on portable hard drives approved for transferring information between systems.

The infected computers were part of the ground control system that supports remotely-piloted aircraft (RPA) operations. The malware is not designed to transmit data or video or corrupt any files, programs or data, according to the Air Force, which explained the infected computers were part of the ground control system that supports drone flight operations. The ground system is separate from the flight control system used by RPA pilots to fly the aircrafts.

Military drones have played a significant role in the War on Terror and operations associated with the wars in Afghanistan and Iraq. Due to the classified nature of the drone program, military officials had been relatively tight lipped about the incident during the past several days. However, Col. Kathleen Cook, spokesperson for Air Force Space Command, said it was important to “declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question.”

In comments to the Associated Press, one defense official reportedly characterized the malware as the type used to steal log-in and password information for online games such as Mafia Wars.

“We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions,” Cook said in a statement. “Continued education and training of all users will also help reduce the threat of malware to Department of Defense systems.”


SecurityWeek.

This smells like a fiasco.

=========================

Quote:
General Dynamics Awarded Information Assurance and Cyber Security Contract by Defense Intelligence Agency

FAIRFAX, Va. – General Dynamics Information Technology, a business unit of General Dynamics (NYSE: GD), has been awarded an $86 million task order to provide information assurance and cyber security services to the Defense Intelligence Agency (DIA) in the U.S. and worldwide. The single-award task order, competed under the Solutions for the Information Technology Enterprise (SITE) contract, will extend to May 2016 if all options are exercised.

Through the contract, General Dynamics will provide services to ensure the security, authenticity, integrity and confidentiality of the DIA’s information, as well as computer network defense of the DIA’s enterprise-level assets, networks, security domains and data resources globally.

General Dynamics plans to hire 80 employees to support this contract. The work will be performed in the Washington, D.C., area and at U.S. Department of Defense combatant commands worldwide.

“General Dynamics will provide the highest level of information assurance and cyber security support to DIA’s enterprise, networks and security domains,” said Thomas Kirchmaier, senior vice president and general manager of General Dynamics Information Technology’s Intelligence Solutions Division. “Our cadre of cyber professionals has over 40 years of experience supporting the DIA worldwide and will provide unparalleled service.”

General Dynamics was selected by the Defense Intelligence Agency for the Solutions for the Information Technology Enterprise (SITE) indefinite delivery, indefinite quantity contract in May 2010.

“This contract enables General Dynamics to continue providing exceptional and responsive services in safeguarding critical DIA and Department of Defense networks and information systems,” said Ron Ehrenfeld, vice president and general manager of the Defense Agencies Sector of General Dynamics Information Technology’s Intelligence Solutions Division.


General Dynamics

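The Creech incident in the article above turned on portable drives that were approved for moving data between systems and nonetheless carried a credential stealer onto ground-control machines. What follows is an added example, not code from the article, the Air Force or anyone in this thread, of the kind of integrity gate a receiving system can put in front of such a transfer: the sending side publishes a manifest of approved files with their SHA-256 digests and authenticates it with an HMAC, and the receiving side refuses anything unlisted, anything whose hash changed in transit, and the whole batch if the manifest's MAC does not verify. The gate key, directory names and sample files are all constructed for the demonstration; in practice the key is provisioned out of band and never rides on the media.

```python
"""Integrity gate for files carried between systems on removable media.

Constructed example. An approved transfer is described by a manifest
(relative path -> SHA-256) that the sending side authenticates with an
HMAC under a key shared only with the receiving gate. The receiving side
refuses to import anything that is not listed, anything that fails its
hash, and the whole batch if the manifest MAC does not verify.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical gate key: provisioned out of band, never stored on the media.
GATE_KEY = b"example-transfer-gate-key"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(media_dir: Path, approved: list[str], key: bytes) -> tuple[bytes, str]:
    """Sending side: hash each approved file and MAC the canonical JSON manifest."""
    entries = {rel: sha256_file(media_dir / rel) for rel in sorted(approved)}
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, mac


def verify_transfer(media_dir: Path, body: bytes, mac: str, key: bytes) -> dict:
    """Receiving side: return what may be imported and why everything else was refused."""
    result = {"accepted": [], "rejected": {}}
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        # Untrusted manifest: nothing on the drive can be vouched for.
        result["rejected"]["<manifest>"] = "manifest MAC invalid; import nothing"
        return result
    entries = json.loads(body)
    present = {p.relative_to(media_dir).as_posix()
               for p in media_dir.rglob("*") if p.is_file()}
    # Files that appeared on the drive after the manifest was made (dropped binaries, autorun.inf).
    for rel in sorted(present - set(entries)):
        result["rejected"][rel] = "not in manifest"
    for rel, digest in entries.items():
        if rel not in present:
            result["rejected"][rel] = "listed but missing"
        elif not hmac.compare_digest(sha256_file(media_dir / rel), digest):
            result["rejected"][rel] = "hash mismatch"
        else:
            result["accepted"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: two approved documents are manifested, then the drive
    picks up an unlisted executable and one approved file is altered before the gate sees it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "reports").mkdir()
        (media / "reports" / "sortie-log.csv").write_bytes(b"time,tail,status\n0900,RPA-01,ok\n")
        (media / "reports" / "weather.txt").write_bytes(b"winds 10kt\n")
        body, mac = build_manifest(media, ["reports/sortie-log.csv", "reports/weather.txt"], GATE_KEY)
        # Something touched the drive between the two systems:
        (media / "update.exe").write_bytes(b"MZ\x90\x00constructed-not-a-real-binary")
        (media / "reports" / "weather.txt").write_bytes(b"winds 10kt\n<script>")
        return verify_transfer(media, body, mac, GATE_KEY)


def demo_forged_manifest() -> dict:
    """Constructed scenario: the manifest was re-signed under a key the gate does not hold."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "a.txt").write_bytes(b"ok\n")
        body, mac = build_manifest(media, ["a.txt"], b"attacker-key")
        return verify_transfer(media, body, mac, GATE_KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo_forged_manifest(), indent=2))
```

The gate checks only integrity and provenance, not content: a listed file that was malicious when it was approved still passes, so the manifest step belongs behind whatever review or scanning the sending side applies. Keeping the manifest and its MAC in memory here is a simplification; when they travel on the drive the gate has to exclude them by name from the "not in manifest" check.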
farewell (Général de corps d'armée فريق (ANP), Algeria-France)
Subject: Re: Cyber War/Guerre informatique   Mon 17 Oct 2011 - 21:14

Yes, apparently the hackers put their finger right where it hurts most...

PS: thanks for keeping us continually informed in this field, where everything changes from one day to the next.

_________________

"Beautiful ideas have no age, they only have a future"