messages : 7134 Inscrit le : 14/08/2008 Localisation : Rabat Maroc Nationalité : Médailles de mérite :
Sujet: Cyber War/Guerre informatique Mer 11 Fév 2009 - 15:01
Rappel du premier message :
Citation :
la Marine victime du virus Conficker-Downadup Thierry Noisette, publié le 9 février 2009
Sécurité - Le réseau interne de la Marine française a été touché par le virus Conficker (ou Downadup) qui a infecté des millions de PC dans le monde. Elle a dû couper son réseau pour le traiter le mois dernier, en collaborant directement avec Microsoft. L'armée française a été victime en janvier du virus Downadup-Conficker, comme l'a rapporté la lettre Intelligence Online, elle-même citée sur le blog du spécialiste de la défense de Libération, Jean-Dominique Merchet. Contactée par ZDNet.fr, la Marine confirme ce lundi que « dans la seconde quinzaine de janvier, le virus Conficker a été introduit par négligence, par une clé USB, dans le réseau interne de la Marine, Intramar ». Le lieutenant de vaisseau Rivayrol, du Sirpa Marine, nous indique que le réseau a dès lors été coupé « pour éviter la propagation du virus et procéder à la maintenance sur les postes ». « Intramar a été isolé des autres réseaux du ministère de la Défense, avec lesquels existent en temps normal des passerelles de communication. » Mais « cela n'a eu aucun effet sur les systèmes opérationnels de la Marine, ni avions ni autres ». Intelligence Online affirmait que les Rafale de la Marine auraient été cloués au sol faute d'avoir pu télécharger leurs paramètres de vol. Ce qui a été arrêté quelques jours concernait seulement la messagerie, précise notre interlocutrice : « On a des réseaux sécurisés militaires, qui ont servi en remplacement pendant la coupure d'Intramar, et Internet. Mais ces trois réseaux, Intramar, Internet et réseaux sécurisés sont complètement séparés, il n'y a aucun lien entre eux. » Intramar relie plusieurs milliers de postes informatiques, dont « moins de 2 % ont été touchés par le virus ».
Une faille traitée en 48 heures Pourquoi ce décalage entre un patch publié par Microsoft (le virus touche une faille Windows, notamment sous Windows 2000, XP et Vista) en octobre et des ordinateurs atteints en janvier ? « Il y avait un petit défaut dans le patch qui ne prenait pas en compte en totalité Conficker, explique le lieutenant Rivayrol. Ce patch avait été installé sur l'ensemble des postes de la Marine, mais cela n'a pas suffi. Par contre, le réseau d'alerte ministériel et interministériel a immédiatement été mobilisé. Il a directement travaillé avec Microsoft pour mettre au point un patch traitant cette faille-là, ce qui a été fait en moins de 48 heures. Le dispositif d'alerte a très bien fonctionné, et le virus n'a du coup eu aucune conséquence pour d'autres armes ni ailleurs dans le ministère. » Les experts américains du Computer Emergency Response Team (Cert) avaient mis en cause la méthode de Microsoft pour bloquer la propagation du ver Downadup. L'armée française n'est pas la seule à avoir été éprouvée par Conficker, qui a contaminé des millions d'ordinateurs dans le monde. Le ministère britannique de la Défense, et en particulier la Royal Navy, ont également été touchés par le virus le mois dernier.
C'est bizarre, mais quelques jours plus tôt, la Turquie a lancée sa plus grande exercice électronique et informatique pour se protéger des attaques informatique..
Edit:
Citation :
Many commentators are in consensus that such a massive undertaking could only be the work of state-level players, not rogue or small-time hackers. Israel, the United States, Russia and China are known to have high-level capabilities in this field. But according to Avi Weisman, head of See Security / Information Security & Cyber Warfare College, the number of countries, international organizations or agencies with such abilities is growing constantly.
"We'd better get used to this fact," Weisman said in a radio interview, listing Iran, Turkey and Egypt, among others, as countries with such capabilities.
C'est bizarre, mais quelques jours plus tôt, la Turquie a lancée sa plus grande exercice électronique et informatique pour se protéger des attaques informatique..
Edit:
Citation :
Many commentators are in consensus that such a massive undertaking could only be the work of state-level players, not rogue or small-time hackers. Israel, the United States, Russia and China are known to have high-level capabilities in this field. But according to Avi Weisman, head of See Security / Information Security & Cyber Warfare College, the number of countries, international organizations or agencies with such abilities is growing constantly.
"We'd better get used to this fact," Weisman said in a radio interview, listing Iran, Turkey and Egypt, among others, as countries with such capabilities.
Israel a ce que j'ai vu jusqu'ici c'est les "territoires palestiniens" que certains medias assimilent a israel.
La presence de serveurs Command & control en turquie, allemagne, vietnam, tout comme les liens renvoyant vers la Chine pour les autres attaues RAT, ne signifie rien a priori, Certains de ces malwares recoivent des ordres depuis des "blogs" ou d'autres artifices qui se servent des ports les plus utilises sur internet (HTTP 80 et HTTPS 443) pour ne pas soulever de suspiscion (pattern de traffic moins dans le normal, par exemple USENET, TELNET, SSH ou IRC ces jours-ci) et de n'importe qui de n'importe ou peut en creer ou emme pirater en silence des systemes individuels (ce qui ne souleverait aucune suscpiscion) et s'en servir comme relais...le nombre de relais pour camoufler les traces peut etre potentiellement illimite...
Que l'attaque soit d'origine turque (gouvernement) n'est pas une bonne nouvelle car dans ce genre d'attaques tu veux eloigner au maximum la suscpition depuis que c'est assimile a une declaration de guerre, quitte a pointer des doigts ton "ennemi"
l'une des manieres de voir d'ou ca vient est de se poser la question a qui profite le crime
Il est a noter que ces malwares sont concus pour echapper aux AV. les gouv peuvent a voir accces a certaines donnes confidentielles des AV pour les contourner, a certaines routines non documentee des OS dans un niveau encore plus technique, a certaines failles structurelles detaillees par les universitaires, il existe meme des instructions sur CPU non documentees dans le pire des cas ces gouvernements ont les moyens et peuvet s'achter les services de petits genies (a ne pas confondre avec les script kiddies qui se servent de l'arsenal souvent pieges sur internet se prenant pour des hackers).
On Sunday, May 27 2012, the Iranian MAHER CERT posted a note announcing the discovery of a new targeted attack dubbed “Flamer”. On Monday 28 May 2012 aat 9am EST, after an investigation prompted and supported by the International Telecommunication Union, Kaspersky Lab and CrySyS Lab from Hungary announced the discovery of Flame (aka Skywiper), a sophisticated cyber-espionage toolkit primarily targeting Windows computers in the Middle East.
Several hours later, around 4PM GMT, the Flame command-and-control infrastructure, which had been operating for years, went dark.
For the past weeks, Kaspersky Lab has been closely monitoring the C&C infrastructure of Flame. In collaboration with GoDaddy and OpenDNS, we succeeded in sinkholing most of the malicious domains used by Flame for C&C and gain a unique perspective into the operation.
Before going further, Kaspersky Lab would like to thank the “GoDaddy Network Abuse Department” and to William MacArthur for their fast reaction and exceptional support of this investigation. The OpenDNS security research team also offered invaluable assistance during the course of this investigation.
Our findings from analysing the infrastructure can be found below.
Introduction
Since both Flame and Duqu appear to be targeting similar geographical regions and have been created with similar goals in mind, we will provide an analysis from the point of view of comparing the Flame C&C infrastructure with the Duqu infrastructure.
In the past, Kaspersky Lab analyzed the Duqu C&C infrastructure and found several important details, such as the attackers’ preference for CentOS, the use of SharpSSH to control the proxy servers and the huge number of hacked proxies used to hide the true identity of the attackers.
In the case of Flame, we performed a similar analysis. First of all, it’s interesting to point out a big difference from Duqu: while all the Duqu C&C proxies were CentOS Linux hosts, all of the known Flame C&C are running Ubuntu.
Additionally, while Duqu used the super stealthy way of hiding the true IP of the mothership using SSH port forwarding, Flame’s scripts are simply running on the respective servers. The reason is simple — on Monday May 28, all control scripts started returning 403/404 errors. In the case of Duqu, the real malware scripts were on a remote server and were never found.
From this point of view, we can state that the Duqu attackers were a lot more careful about hiding their activities compared to the Flame operators.
Here’s a comparison of the Duqu and Flame C&C infrastructure:
Duqu Flame Server OS CentOS Linux Ubuntu Linux Control scripts Running on remote server, shielded through SSH port forwarding Running on servers Number of victims per server 2-3 50+ Encryption of connections to server SSL + proprietary AES-based encryption SSL Compression of connections No Yes, Zlib and modified PPMD Number of known C&C’s domains n/a 80+ Number of known C&C IPs 5 15+ Number of proxies used to hide identity 10+ Unknown Time zone of C&C operator GMT+2 / GMT+3 Unknown Infrastructure programming .NET Unknown Locations of servers India, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc... Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc... Number of built-in C&C IPs/domain in malware 1 5, can update list SSL certificate self-signed self-signed Servers status Most likely hacked Most likely bought SSH connections no yes
When a computer is infected with Flame, it uses a default configuration which includes 5 C&C server domains. Before contacting these servers, the malware validates the internet connection by trying to access www.microsoft.com, windowsupdate.microsoft.com and www.verisign.com using HTTPS. If the connection is successful, it will proceed to talk to the C&C domains.
In addition to the static configuration, Flame maintains a database of additional C&C servers. We have seen the additional database, which can be updated from the C&C server itself, contain 5-6 extra domains. In total, a running Flame installation can use a list of about 10 domains to try to contact the C&C. Interestingly, Flame maintains a log of activities which includes reports of connections to the C&C servers - together with timestamps.
While analysing the Flame samples recovered from the Middle East, we noticed they were trying to contact 5 different domains. Additional configuration included 6 other domains. From activity logs, we recovered 5 other domains, for a total of 11 unique domains used by our specific malware sample.
By looking at the IPs where the servers were hosted, we identified another 30 domains which were hosted on the same machines. By checking the IP history of the additional domains, we discovered another 40 domains which appear to be connected. In total, we discovered over 80 different domains which appear to belong to the Flame C&C infrastructure.
The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. In general, each fake identity registered only 2-3 domains but there are some rare cases when a fake identity registered up to 4 domains.
The largest batch of Flame C&C domains was registered with GoDaddy.
Some of the fake identities used to register domains include names such as: Adrien Leroy, Arthur Vangen, George Wirtz, Gerard Caraty, Ivan Blix, Jerard Ree, Karel Schmid, Maria Weber, Mark Ploder, Mike Bassett, Paolo Calzaretta, Robert Fabous, Robert Wagmann, Romel Bottem, Ronald Dinter, Soma Mukhopadhyay, Stephane Borrail, Traian Lucescu, Werner Goetz or Will Ripmann.
Many of these forged identities have fake addresses in Germany and Austria, notably Vienna. We do not know what is the reason why Vienna was such an attractive choice for the attackers.
Let us take a closer look at the fake registrations. For instance, let’s consider the domain “chchengine.com” which is used by the malware. It is registered to a certain “Karel Schmid”, address “rue dizerens 7, Geneva”. This is actually the address of a hotel named “Appart’Hotel Residence Dizerens”:
The domain owner’s address is listed as “Koninginneweg 93, Oslo”. Searching for this address reveals there is no such place in Oslo, however, there is one in Amsterdam. Coincidentally, this is the address of another hotel, named “Apple Inn”:
All the other fake identities used addresses of hotels, various shops, organizations, doctor’s offices or simply non-existent addresses.
By collecting information on the Flame C&C infrastructure, we were able to put together a big picture into this hugely complex operation. The amount of domains and servers which were used in the Flame operation matches our previous opinion about the complexity of this malware:
The total number of known domains used by Flame for C&C and related domains is currently at more than 80. These have been registered between 2008 and 2012. During the past 4 years, servers hosting the Flame C&C infrastructure moved between Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland, to name just a few. Such is the size of this huge operation.
Having seen the large variety of fake domains, we contacted GoDaddy and sought the redirection of all the malware domains to our sinkhole. Additionally, the OpenDNS security team supported with the redirection of malicious domains to our sinkhole in order to protect OpenDNS users.
The Flame C&C servers
If we count the IP addresses used by the Flame C&C domains during the past 4 years, eliminating the IPs of known shared hosting servers temporarily used during registration, we count up to 22 different server IPs.
Since the discovery of Flame, we got the chance to look at 5 such servers. All the servers have ports 22, 443 and 8080 open. They appear to be running Ubuntu Linux, if we are to trust the Apache and SSH headers. One of them used to have port 80 open as well, however, it was shutdown in the aftermath of the announcement of Flame.
The SSL certificates used by the Flame C&C are all self signed; the certificate of the last active domain (in Netherlands) seems to have been generated on May 18th, 2012.
Perhaps an interesting details, on Saturday June 2nd, 2012, at 20:40 GMT, a number of the Flame C&C domains which previously pointed to a server in Netherlands (91.203.214.*) have been redirected to a server in Germany (78.46.253.*). The new server went offline on Sunday 3rd.
Statistics from KSN
The Kaspersky Security Network (KSN) is the cloud infrastructure used by Kaspersky Lab products to report telemetry and to deliver instant protection in the forms of blacklists and heuristic rules designed to catch the newest threats.
We used KSN to track Flame based on the fact that it was using certain filenames which are otherwise unique to the project. Later, we obtained a sample of the malware code and used it to track the distribution around the world.
The current KSN statistics for Flame:
It’s obvious that the vast majority of targets are in the Middle East. It is important to point out that some victims might have used VPN/proxy services. In such cases, for example an infected machine could show up with a European IP while physically being located in the Middle East. Also some 'victims' counts might in fact be machines of other researchers. Overall though, the statistic should be exact enough to reflect the real geographical distribution of infections.
Here’s a look at the geographical distribution:
The vast majority of Flame infections are machines running Windows 7 32 bit. Windows XP is following next. It’s important to say that Flame does not run on Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware.
Statistics from Sinkhole / OpenDNS:
Our partner, OpenDNS, put together a timeline of the registration of Flame C&C domains during the past years.
You can view their animated timeline at: https://www.opendns.com/flame-timeline/
During the past week, our sinkhole registered multiple hits from infected users - you can see a breakdown by location below. It’s important to note that the vast majority of infections have already been cleaned by AV products, so what we are seeing are victims that either do not run an AV product, or, have an outdated one.
Additionally, we have been able to pinpoint infections in UK, Spain, Russia and Romania as being security companies.
Currently, the following 28 Flame-related domains are sinkholed by Kaspersky Lab:
When Flame connects to the sinkhole, it does a POST request identifying itself. Then it uploads a bigger chunk of data, which contains a lot of “interesting” information such as malware version, malware configuration, a history of activities performed in the system, data extracted from documents and so on.
In all the configurations we have seen, the same password “LifeStyle2” is used. The password is stored in the Flame configuration file and can be changed.
The packets of data uploaded to the sinkhole contain encrypted logs and other compressed information. By decrypting the data, one can find the specific version of Flame which is reporting back to its master.
The distribution of Flame versions connecting to our sinkhole looks like the following:
Most of the victims have version 2.242, which is also the version we discovered and are analyzing. This appears to be the most popular variant. Interestingly, it’s not the most recent one, there is a victim currently infected with version 2.243!
Version 2.080 is also interesting - this is a much smaller “mssecmgr.ocx” (~890K), which is missing many of the modules present in the 6MB variants. We have a copy of this variant and we are analysing it in parallel to the larger version.
Of the computers connecting to our sinkhole, there are some very interesting cases: three computers in Lebanon, Iraq and Iran. During the sinkhole operation, the Flame versions on these machines changed; suggesting Flame upgraded itself in the process. For instance, version 2.212 became 2.242 in two of the cases. This indicates the presence of yet unknown C&Cs which were operational during the sinkholing process or an unknown updating mechanism.
Between the data extracted from systems, the attackers seem to have a high interest in AutoCAD drawings. This is an interesting detail because it is known AutoCAD drawings were also targeted by the Duqu malware. In addition to DWG files, which is the native file format of AutoCAD, the malware goes through PDF and text files and other documents and makes short text summaries. It also hunts for e-mails and many different kinds of other “interesting” (high-value) files that are specified in the malware configuration.
The data uploaded to the C&C is encrypted using a simple XOR cypher, coupled with a substitution cypher. In addition to this, many blocks inside are compressed using zlib and ppdm compression libraries.
Interestingly, the data uploaded to the sinkhole is split into packets of 8192 bytes. This is probably done for error recovery -- it is known that the Internet in Middle East countries is very slow and unreliable.
Another interesting feature of Flame is the use of SSH connections to exfiltrate data. Although we haven’t been able to reproduce this behavior, it seems that when the Internet works, but the C&C servers are not reachable via SSL, it uses a SSH connection instead.
The SSH connection is established by a fully integrated Putty-based library. At the moment, the IP address of the server and the username/password scheme are not known. It’s possible they are updated from the C&C at some point and only used if there are temporary SSL problems. One of the reasons for using SSH connections could be the common banning of SSL/HTTPS traffic in countries such as Iran. If SSL is down, the malware can sometimes use SSH to contact the C&C.
During the last week, Kaspersky Lab contacted CERT’s in multiple countries to inform them about the Flame C&C domain information and IP addresses of the malicious servers. We would like to thank them for their support of this investigation.
If you are a GovCERT institution and would like to receive more information about the C2 domains, please contact us at theflame@kaspersky.com.
Summary and conclusions:
The Flame command-and-control infrastructure, which had been operating for years, went offline immediately after our disclosure of the malware’s existence last week. We identified about 80 total domains which appear to belong to the Flame C&C infrastructure. The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. The attackers seem to have a high interest in PDF documents, Office and AutoCad drawings. The data uploaded to the C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression. Flame is using SSH connections (in addition to SSL) to exfiltrate data. The SSH connection is established by a fully integrated Putty-based library. Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame
Sinon:
Citation :
Microsoft Security Advisory (2718704) Unauthorized Digital Certificates Could Allow Spoofing
Published: Sunday, June 03, 2012
Version: 1.0
General Information Executive Summary Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
Microsoft Enforced Licensing Intermediate PCA (2 certificates) Microsoft Enforced Licensing Registration Authority CA (SHA1) Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information, see the Suggested Actions section of this advisory. For affected devices, no update is available at this time
Citation :
Microsoft releases Security Advisory 2718704
MSRCTeam 3 Jun 2012 4:41 PM 0 Hello,
We recently became aware of a complex piece of targeted malware known as “Flame” and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.
We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.
We are taking several steps to remove this risk:
• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.
• Second, we released an update that automatically takes this step for our customers.
• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.
We continue to investigate this issue and will take any appropriate actions to help protect customers. For more information, please refer back to this site and check with your anti-malware vendor for detection support.
Additionally, we offer more technical details about the steps we are taking on the SRD Blog.
If you have not done so already, we highly recommend registering for our comprehensive security alerts. Sign up here: Microsoft Technical Security Notifications.
Thanks, Mike Reavey Senior Director, MSRC Microsoft Trustworthy Computing
Sujet: Re: Cyber War/Guerre informatique Ven 8 Juin 2012 - 17:43
Citation :
Intel Community’s Sharing of Cyber Tools Raises Legal Questions
Defense News
Before the establishment of U.S. Cyber Command in 2010, a combatant commander who wanted to take down an enemy’s surface-to-air missile sites or other defenses without blowing them up had only one option: Call the National Security Agency at Fort Meade, Md., and plead for assistance.
NSA jealously guarded its role as steward of the nation’s offensive cyber weapons, said one retired intelligence official, but that is changing. In May 2010, the Senate added “chief of Cyber Command” to the duties held by NSA’s director, Army Gen. Keith Alexander. Alexander subsequently directed NSA to begin turning over offensive cyber tools to Cyber Command.
Over the last few months, the dual-hatted general has set in motion an even bigger change. Cyber Command has begun arming combatant commanders with a selection of offensive tools and establishing teams of cyber warriors, called combat-support elements, at military sites beyond Fort Meade.
This is adding complexity to the legal questions being asked by members of Congress, retired defense officials and independent experts.
Alexander made a vague reference to the shift earlier this year in prepared testimony to Congress: “Our goal is to ensure that a commander with a mission to execute has a full suite of cyber-assisted options from which to choose, and that he can understand what effects they will produce for him,” he told the House Armed Services Committee.
These tools are at the moment focused on narrow, tactical goals — like taking a surface-to-air missile site offline — but observers wonder if the change amounts to opening the door to broader use of cyber weapons in military operations, or possibly outright normalization — meaning cyber weapons would be treated by the same rules governing the use of conventional weapons.
A U.S. Cyber Command spokesman said that the command would not comment on the deployment of cyber tools.
“As a matter of policy, we don’t discuss operational matters, perceived or otherwise,” said Army Col. Rivers Johnson.
Currently, each use of cyber weapons is approved by the government case by case.
“These are untested or untried things,” said a retired senior intelligence official. “Every time you use a cyber weapon, I know the discussion that they’re having: ‘Are we establishing a precedent that we are comfortable attaching the name of the United States to?’Ÿ”
Legal Authorities During his confirmation hearings in 2010, Alexander acknowledged his concerns about the framework governing the use of cyber weapons, and little has changed since. Although Cyber Command was declared fully operational in October 2010, there are still no rules of engagement specific to cyber weapons and their use offensively.
Outside experts said it remains unclear who would be legally authorized to use cyber weapons, especially if they are applied beyond the battlefield, for example to cut power to a city. The roles of the intelligence community are covered by Title 50 of the U.S. Code, while the armed forces are covered by their Title 10 authority. The laws predate the emergence of cyberspace and weapons.
“There are those that ardently believe that there is no role [for] cyber in Title 10,” said retired Marine Corps Gen. James Cartwright, who stepped down as vice chairman of the Joint Chiefs of Staff in August.
Cartwright, who is now with the Center for Strategic and International Studies, said that while there is some ambiguity overall, existing laws leave certain areas very clear: the right to use cyber tools in traditional military environments and the right to self-defense.
“You have the right to self-defense. You have the right to proceed with hot pursuit,” he said.
But by moving cyber weapons into the hands of combatant commanders, Alexander is beginning to treat them like traditional weapons. In one view, cyber weapons that might generate massive power outages or other dramatic effects are so tied to intelligence and presidential approval that they could not be placed under the authority of combatant commanders. But targeting a SAM site seems to be covered by existing laws on warfare, said current and retired officials knowledgeable about the program.
In his March congressional testimony, Alexander acknowledged that small combat-support elements will be stood up at each command’s headquarters. Contingents of Cyber Command personnel will be placed at those sites, and software information technology would be added to handle the tools.
So far, only U.S. Central Command has a contingent that is fully operational, while the effort at U.S. Pacific Command is in the development stages and a time line has yet to be drawn up for the other geographic commands.
The creation of these support elements has not been without friction. Exactly who “pushes the button” remains unclear, said a person with knowledge of the program. The integration of outside personnel at the commands also has been difficult because commanders don’t always like it when cyber experts show up, this person said. Cyber Command has been sending a combination of offensive and defensive tools to the commands as infrastructure and personnel are rolled out. In theory, at least, that should provide easier access to the offensive tools once the operational kinks are ironed out.
That doesn’t mean, however, that combatant commands will have carte blanche to apply the tools. Alexander has said any major strike outside of an existing operational zone and against anything other than an obvious military target would require high level approval, likely from the president.
Still, creating greater familiarity would be beneficial, the retired official said. “I can understand moving some tools forward so that combatant commanders get used to them, they train with them, they exercise with them, they fold it into their operational thinking. That’s all good stuff.”
Before Cyber Command could move some tools out of its own headquarters at Fort Meade, it had to receive them from the NSA. The decision to let Cyber Command have the tools was based on a combination of needed attention in the area, and a longstanding debate over the application of the legal codes defining who in government is in charge of military actions, and who is in charge of intelligence activities, and the situations in which those actions are allowed.
The intelligence community’s Title 50 authority does not expressly cover the use of weapons, leading some to argue that cyber capabilities needed to be transferred to a new command. This thinking played prominently in the decision to create Cyber Command.
In the year and a half that Cyber Command has been in full operation, interest has grown among defense officials for distribution of offensive tools beyond Fort Meade.
“What you’re seeing is that the commands want to treat them like all the other weapons,” said the retired senior intelligence official.
Some experts, however, said that the ongoing debate about legal authority and cyber is not a top priority at the Defense Department.
“From my personal experience, the friction between Title 10 and Title 50 is more of a Washington, D.C., thing and less an area of operations thing,” said Dale Meyerrose, former associate director of national intelligence and founder of the Meyerrose Group.
Meyerrose said that while the discussion remains, the line between what intelligence agencies can and cannot do has shifted in part due to the use of drones by the intelligence community in recent years.
“There’s been an evolution brought about by what’s happened in the Middle East in the last decade,” he said. “It’s an evolution of warfare. Think about how instrumental remotely piloted vehicles have become in the prosecution of combat operations, and so you’re not hearing of F-16 strikes, you’re hearing of drone strikes. So the view that has been a traditional mindset that says that Title 50 and Title 10 are always in a friction-filled situation has been modified.”
Balance of Power Cyberspace also exists in an unusual domain, making the traditionally debated division difficult to apply. Intelligence agencies are constantly using networks to gather information, monitoring activity and maintaining a field of view. The awareness and position on networks means that intelligence agencies are uniquely positioned to recognize vulnerability and have the tools to exploit them. While Cyber Command has the ability to push the button on an attack or ability previously held by the NSA, the command still needs essentially targeting information from the NSA in many cases.
“In the cyber world, the intel guys actually take the Title 10 guys to the point of attack,” said a person who works on the project. “The intel guys map the network. The intel guys take them to the point where they say, ‘Hit the return button and everything will be OK.’Ÿ”
That reliance on the intelligence community to lead the way so that weapons can be used means that the balance of cyber power is unlikely to shift even as tools themselves are moved.
“The IC [intelligence community] and DoD missions will not change because of transfers of tools,” said Bob Gourley, chief technology officer at Crucial Point LLC, who previously held the same position at the Defense Information Agency. “Missions change when authorities change. The IC mission has always been to achieve deep penetration of our adversaries by all means possible. The DoD mission has always been to deter or fight wars. The change in cyberspace-related missions has been the tight coupling between the two missions, and that will likely continue even if responsibility for tools change.”
Gourley pointed to the technical capability of the NSA as being critical.
“NSA has a great ability to provide focus to highly technical activities, so my hope is that they will always have insight into and oversight of all cyber tools,” he said.
But while the intelligence community continues to play a critical role in cyber operations, a senior Cyber Command official said that standing up the command has allowed action.
“What’s changed is: We’ve got a much closer relationship with those organizations that have the authorities and the capabilities to provide that picture in real time, so that we can do something about it rather than after the fact — that’s what’s changed,” the official said in a late 2011 interview. “We can’t bring the intelligence mission in, but we can be the beneficiary of that, and that’s why sitting next to the NSA gives us the ability to have that relationship and benefit from that relationship.”
Now that Cyber Command has been declared fully operational, and it is beginning to help the geographic combatant commanders get up to speed in cyber, the intelligence community’s control over all things cyber is starting to loosen, if only slightly. Just how far the shift goes could depend on who succeeds Alexander, who has led NSA since 2005.
“They’re going to be even more eager to distribute tools when Alexander leaves, to accelerate this trend,” said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. “An intelligence guy is going to be worried about control and intelligence gain/loss and all of these intelligence equities, whereas someone else — ”
Healey doesn’t fill in the blank, but he means, “Who knows?”
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Ven 8 Juin 2012 - 18:22
Germany confirms existence of operational cyberwarfare unit
By MICHAEL FISCHER, JOERG BLANK AND CHRISTOPH DERNBACH Deutsche Presse-Agentur Published: June 5, 2012 BERLIN — German authorities confirmed Tuesday in a parliamentary document that their military possesses a top secret cyberwarfare unit which is already operational, but gave no details of how big it is or what kind of attacks it could conduct.
The German armed forces have been working for 20 years to defend the country's computer networks from external attack, but have never disclosed before that they have an offensive capacity as well.
The existence of the unit, set up in 2006, was disclosed in a six-page paper presented to the parliamentary committee on defence in Berlin.
"The initial capacity to operate in hostile networks has been achieved," the paper said, adding that the unit did "simulations" of attacks in a "closed laboratory environment."
The location and size of the Computer Network Operations Unit was not disclosed. It reports to the joint forces strategic intelligence command, based in the western city of Bonn, officials said.
Legislators from both the government and opposition voiced surprise at the disclosure. Several questioned whether military commanders had the legal authority to mount attacks on foreign computer networks without parliamentary clearance.
Symantec:
Citation :
Flamer: Urgent Suicide
Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.
Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller". ... ... http://www.symantec.com/connect/blogs/flamer-urgent-suicide
NEW DELHI: India is set to take steps to protect its cyber infrastructure and designate agencies for carrying out offensive cyber attacks on other countries. The move comes at a time when proof shows countries launching cyber attacks — not only for intelligence gathering — and many nations describing the attacks as an act of war.
According to sources, the National Security Council (NSC) headed by Prime Minister Manmohan Singh would soon approve the comprehensive plan and designate the Defence Intelligence Agency (DIA) and National Technical Research Organization (NTRO) as agencies for carrying out offensive cyber operations, if necessary. All other intelligence agencies would be authorized to carry out intelligence gathering abroad, but not offensive operations, sources said.
The detailed policy for national cyber infrastructure protection is presently before the NSC awaiting its approval. The policy would identify all government agencies that would have a role in the protection of Indian cyber infrastructure and define their roles.
The move to not just define defensive mechanism but also designate agencies for offensive operations comes as New Delhi tackles repeated waves of cyber intrusions, though all of them are aimed at gathering information from critical networks. But the next stage, of an adversary carrying out offensive cyber attack, of bringing down a power grid, stalling air traffic control systems, or manipulating controls of a dam are now believed to be a real possibility.
Stuxnet, the cyber worm created by US's National Security Agency and Israeli military and specifically targeted at Iran's nuclear enrichment center at Natanz, was found to have infected Indian systems. "It was probably unintentional, but an intentional attack on India's critical infrastructure cannot be ruled out," says a senior official. "We haven't yet seen a cyber attack, but only intelligence gathering. An attack that can debilitate our infrastructure is what we must be prepared for," he said.
CERT-IN (Computer Emergency Response Team India) would be responsible for protection of most of the cyber space, while NTRO would be tasked to protect the critical infrastructure such as important government networks. NTRO would be tasked to create the National Critical Information Infrastructure Protection Centre (NCIPC), which would be a command-and-control centre for monitoring the critical infrastructure. It would be a round-the-clock centre, providing real time response to cyber security breaches.
The proposal before NSC also envisages creation of sectoral CERTs in order to respond quickly to protect power distribution networks, Air Traffic Controls, traffic networks and other areas that heavily dependent on networked systems, and thus are susceptible to attacks.
The policy suggests that the defence forces would be responsible for their own networks' protection.
NTRO and Intelligence Bureau (IB) would primarily be responsible for security of various government networks. While NTRO would operate through NCIPC, IB would be mainly looking at the physical security of networks. State polices, CBI, NIA etc would be tasked to do follow up action, if any intrusions are detected.
farewell Général de corps d'armée (ANP)
messages : 2468 Inscrit le : 13/02/2011 Localisation : ****** Nationalité : Médailles de mérite :
Sujet: Re: Cyber War/Guerre informatique Mer 20 Juin 2012 - 14:58
Citation :
Flame, un virus espion d'Etat http://www.lemonde.fr/technologies/article/2012/06/20/flame-un-virus-espion-d-etat_1721182_651865.html
Après la bombe atomique, la bombe diplomatique ( veto) voilà la bombe informatique qui est arriver à une maturité de destruction.
_________________ "Les belles idées n'ont pas d'âge, elles ont seulement de l'avenir"
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Mer 20 Juin 2012 - 19:41
farewell a écrit:
Citation :
Flame, un virus espion d'Etat http://www.lemonde.fr/technologies/article/2012/06/20/flame-un-virus-espion-d-etat_1721182_651865.html
Après la bombe atomique, la bombe diplomatique ( veto) voilà la bombe informatique qui est arriver à une maturité de destruction.
IMHO Il s'agit d'un domaine profondement sous exploite (en apparence) meme par les pays avances.
Il s'agit d'un domaine que nos pays peuvent et on le devoir de maitriser, meme techniques et connaissance aussi bien pour l'attaque que pour la defense. Le cout de formation est tres bas il faut vouloir chercher et trouver les perles rares et les prendre en charge.
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Mer 20 Juin 2012 - 19:58
Pourquoi j'aime Japaaaan efficiency and to the point...
Physorg
Citation :
Daedalus catches cyber-attacks realtime
(Phys.org) -- Japan's National Institute of Information and Communications Technology (NICT) has developed a national cyber-attack alert system that can render network attacks as visible in realtime. The system, announced earlier this month and showcased at Interop Tokyo 2012, is called Daedalus, standing for Direct Alert Environment for Darknet and Livenet Unified Security. The system views computers for any suspicious activity and if it spots an attack it can visualize its progression as it moves through the network. It sees how data flows through the network and looks for inconsistencies.
Where administrators may have to comb through hundreds of lines of server logs to isolate a problem, the Daedalus system can reveal where attackers are focusing their flood of packets, as a stream of arrows moving along iridescent lines.
According to a NICT video on DigInfo TV, “the sphere in the center represents the Internet, and the circles moving around it represent networks under observation. The state of an attack is shown using 3-D graphics, and can be viewed from any perspective.”
Today's cyber-attacks represent an assortment of malware via USB memory stick, mail attachments, and zero-day exploits. Daedalus can act as an alert system for the cyber-attacks; it can see if a USB flash drive with a virus infects a machine, for example. Daedalus can identify and isolate the malignant traffic on-screen, sending an email to support staff and displaying a red alert through its user interface.
Further descriptions of an attack showing up realtime are provided in the video demo:”The blue part in this organization shows IP addresses that are used, and the black part shows addresses that are not used. This character indicates an alert. When you click on the alert, a message showing the cause appears. In this case, only two packets have been sent. But because the packets go from an address that's used to an address that's not used, this indicates that a virus is starting to spread within the organization." The system sends out an alert, saying, 'This IP address of yours is spreading a virus using this protocol at this time'."
Daedalus is designed to be used together with conventional systems, to improve network security within organizations. "We previously created a system called nicter for observing cyber-attacks. We also built an observation network in Japan, called the Darknet Observation Network, to cover IP addresses not used in nicter,” said a NICT source in the video.
The nicter is a system for early detection and in-depth analysis of cyber-attacks. That word stands for Network Incident Analysis Center for Tactical Emergency Response.
NICT is to provide Daedalus free of charge to educational institutions where nicter sensors can be installed. NICT will also transfer access to the system to Clwit, a company described as a Tokyo-based business providing Internet security countermeasures. According to reports, Clwit will develop it into the product, SiteVisor.
http://www.diginfo.tv/v/12-0116-r-en.php
qui a dit GITS ...
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Jeu 21 Juin 2012 - 19:46
Citation :
Syrian Activists Targeted with BlackShades Spy Software
The use of remote surveillance software against activists has been a feature of the ongoing conflict in Syria. In February 2012, CNN reported that “Computer spyware is the newest weapon in the Syrian conflict”. Since then numerous electronic campaigns targeting Syrian activists have been observed. These have included: a phishing campaign involving the compromise of a high profile Syrian opposition figure; malware targeting activists by claiming to be documents regarding the foundation of a Syrian revolution leadership council; and, malware purporting to be a plan to assist the city of Aleppo.
The majority of these attacks have involved the use of Dark Comet RAT. Remote Administration Tools (RAT) provide the ability to remotely survey the electronic activities of a victim by keylogging, remote desktop viewing, webcam spying, audio-eavesdropping, data exfiltration, and more.
The use of Dark Comet in this conflict has been well documented. This RAT was the toolkit used in the malware reported on by CNN and also in the campaigns using fraudulent revolutionary documents.
In addition to Dark Comet, we have seen the use of Xtreme RAT reported on by the Electronic Frontier Foundation (EFF) and F-Secure.
Today, the EFF and Citizen Lab report on the use of a new toolkit by a previously observed attacker. This actor has been circulating malware which surreptitiously installs BlackShades RAT on victims machines. This RAT is a commercial tool which advertises the following:
“Blackshades Remote Controller also provides as an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system.”
It is being distributed via the compromised Skype accounts of Syrian activists in the form of a “.pif” file purporting to be an important new video. ...
PLUS DE DETAILS https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software/
Citation :
New Trojan Spread Over Skype as Cat and Mouse Game Between Syrian Activists and Pro-Syrian-Government Hackers Continues
Since March of this year, EFF has reported extensively on the ongoing campaign to use social engineering to install surveillance software that spies on Syrian activists. Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool, which covertly install spying software onto the infected computer, as well as a multitude of phishing attacks which steal YouTube and Facebook login credentials.
As we've tracked these ongoing campaigns, patterns have emerged that links certain attacks to one another, indicating that the same actors, or groups of actors are responsible. Many of the attacks have installed versions of the same remote access tool, DarkComet RAT, and reported back to the same IP address in Syrian address space. The latest attack covertly installs a new remote access tool, Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. Evidence suggests that this campaign is being carried by the same pro-Syrian-government hackers responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update.
This malware is distributed via Skype. It is distributed in the form of a “.pif” file. This sample was sent via the compromised Skype account of an officer of the Free Syrian Army. In the conversation shown in the screenshot below, a malicious link is sent claiming to be an important new video. Two hours later his friend asks the officer if his account is ok. The officer replies that his account was compromised and this link sent out to various people from his address book.
messages : 21656 Inscrit le : 15/09/2009 Localisation : 511 Nationalité : Médailles de mérite :
Sujet: Re: Cyber War/Guerre informatique Jeu 21 Juin 2012 - 19:55
tres malin de cibler Skype,c´est le porte malheur des rues arabes,mais faut vraiment etre stupide pour cliquer sur des fichiers etrangers
_________________
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Jeu 21 Juin 2012 - 20:38
Yakuza a écrit:
tres malin de cibler Skype,c´est le porte malheur des rues arabes,mais faut vraiment etre stupide pour cliquer sur des fichiers etrangers
les gens ignorent que la communication skype est deja solidement cryptee et decentralisee.
Deja se servir des logiciels repandus (windows+IE+msn+skype+word+...) augmenete tes chances de chopper qq chose...
le social engineering alias lqwaleb reste la porte d'entree la moins securisee dans les systemes d'information. il suffit de seduire ou faire peur a l'utilisateur lambda pour le pousser a cliquer sur tel ou tel "image" ou "video"
Ceque je trouve admirable c'est que les syriens se servent de malware OTS...un tres bon debut...
Invité Invité
Sujet: Re: Cyber War/Guerre informatique Ven 22 Juin 2012 - 0:50
ESET Threat Blog
Citation :
ACAD/Medre.A – 10000′s Of AutoCAD Files Leaked in Suspected Industrial Espionage
The malware news today is all about new targeted, high-tech, military grade malicious code such as Stuxnet, Duqu and Flamer that have grabbed headlines. So imagine our surprise when an AutoCAD worm, written in AutoLISP, the scripting language that AutoCAD uses, suddenly showed a big spike in one country on ESET’s LiveGrid® two months ago, and this country is Peru.
We have seen other small number of infections of ACAD/Medre.A in other countries, but they are all in countries that are near Peru or have a large Spanish speaking contingent. The odd one out in the infection table would be the People’s Republic of China, but not quite so weird when we started to analyze the worm based on this sudden spike. More about China will follow later.
Why (mainly) Peru? Of course it does not mean much that we see high detection numbers because they may not all be live infections. But watching ESET’s LiveGrid, where we can also see detections at specific URLs., which made it clear that a specific website supplied the AutoCAD template that appears to be the basis for this localized spike as this template was also infected with ACAD/Medre.A. If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment. Other information that is described later also points to live infections.
So what exactly is ACAD/Medre.A doing?
The sample is able to infect versions 14.0 to 19.2 of AutoCAD by modifying the corresponding native startup file of AutoLISP (acad.lsp) by being named as the auto-load file acad.fas. It employs Visual Basic Scripts that are executed using the Wscript.exe interpreter that is integrated in the Windows operating system since Windows 2000. The author assumes that his code will even work for future versions of AutoCAD as it has support for the AutoCAD versions that will be released in 2013, 2014 and 2015.
After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider. Remarkably, this is done by accessing smtp.163.com and smtp.qq.com with the different account credentials. It is ill advised to have port 25 outgoing allowed other than to your own ISP. Obviously the Internet Providers in Peru do allow this. Also it is reasonable to assume that the companies that are a victim of this suspected industrial espionage malware do not have their firewalls configured to block port 25 either.
Besides the drawings that are sent, ACAD/Medre.A will create a password protected RAR-file containing the drawing and the requisite “acad.fas” file and a “.dxf” file and send it separately by e-mail. The password used, just one character long being “1”, on the RAR-file brings back some memories (you may remember that Win32/Bagle used the same password on RAR-files).
The included .DXF file is generated by ACAD/Medre.A and consists of information that the recipient needs to load the stolen drawing into the right system with the right language:
For a technical details of ACAD/Medre.A refer to Robert Lipovsky’s blog post and the description in ESET’s Threat Encyclopedia.
When our analysts looked into the e-mail accounts used by ACAD/Medre.A, they noticed that the Inbox for each of them was already full (over 100,000 mails). All of the messages In the Inbox were error-messages as the Inbox of the final recipient is full. And there were still almost 5,000 emails to be sent.
As the path and filename are sent with the attachment, we could do some analysis just based on the location where the drawings are stored and their possible content. Our analysis also shows that several people actually use an Administrator Account or store their projects on the Desktop. The pie-chart does not reflect all the different possibilities, just the most frequently used ones.
From our analysis of all the used e-mail accounts we can derive the scale of the attack and conclude that tens of thousands of AutoCAD drawings (blueprints) leaked. This is a significant amount of data leakage and we felt it called for further action. Upon realisation of the magnitude of the problem ESET reached out to Tencent, owners of the qq.com domain. Due to swift quick action on the part of Tencent the accounts used for relaying the e-mails with the drawings have been blocked and thus no further leakage will occur. We would like to express our appreciation to the distinguished team at Tencent’s Desktop Security Business Division for their cooperation and their prompt action.
ESET has also reached out to CVERC, the Chinese National Computer Virus Emergency Response Center, and they also responded quickly by word of the First Deputy Director of CVERC, who also assisted in getting the accounts removed.
There is code in ACAD/Medre.A that will check to see if either Outlook version 11.0, 12.0 or 13.0 is present or Foxmail. If Outlook is present the worm tries to email PST files found on the computer to the final recipient in China via the qq.com relays. Outlook PST (Personal STore) files contain email, calendars, contacts, and more. If Foxmail is present, there is code in ACAD/Medre.A that is designed to exfiltrate the Foxmail Address Book and the Foxmail Send Folder, but errors in the code cause that this does not happen.
After the discovery of ACAD/Medre.A, ESET decided to make a free stand-alone cleaner available. The utility can be found here. We established contacts with Autodesk, producers of AutoCAD, who immediately took the problem seriously and full assistance was given.
ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals will have designs before they even go into production by the original designer. The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.
If there is one thing that becomes obvious from our experience with this piece of malware it is that reaching out to other parties to minimize damage is not only the right thing to do, it really works. We could have tried to clean up the problem without the assistance of Autodesk, Tencent and CVERC and solely focus on removal of the malware from the infected machines. By working with Autodesk, Tencent and CVERC, we were able to not only alert and inform users but also defeat the e-mail relay system used by the attackers and deny them access to the e-mail boxes, so the damage is now contained.
Sujet: Re: Cyber War/Guerre informatique Ven 29 Juin 2012 - 20:44
Encore!
BBC
Citation :
Researchers use spoofing to 'hack' into a flying drone
American researchers took control of a flying drone by hacking into its GPS system - acting on a $1,000 (£640) dare from the US Department of Homeland Security (DHS).
A University of Texas at Austin team used "spoofing" - a technique where the drone mistakes the signal from hackers for the one sent from GPS satellites.
The same method may have been used to bring down a US drone in Iran in 2011.
Analysts say that the demo shows the potential danger of using drones.
Drones are unmanned aircraft, often controlled from a hub located thousands of kilometres away.
They are mostly used by the military in conflict zones such as Afghanistan.
Todd Humphreys and his colleagues from the Radionavigation Lab at the University of Texas at Austin hacked the GPS system of a drone belonging to the university.
They demonstrated the technique to DHS officials, using a mini helicopter drone, flown over a stadium in Austin, said Fox News, who broke the story.
What if you could take down one of these drones delivering FedEx packages and use that as your missile?" Fox News quoted Mr Humphreys.
"That's the same mentality the 911 attackers had."
Potential dangers
The spoofed drone used an unencrypted GPS signal, which is normally used by civilian planes, says Noel Sharkey, co-founder of the International Committee for Robot Arms Control.
"It's easy to spoof an unencrypted drone. Anybody technically skilled could do this - it would cost them some £700 for the equipment and that's it," he told BBC News.
"It's very dangerous - if a drone is being directed somewhere using its GPS, [a spoofer] can make it think it's somewhere else and make it crash into a building, or crash somewhere else, or just steal it and fill it with explosives and direct somewhere.
"But the big worry is - it also means that it wouldn't be too hard for [a very skilled person] to work out how to un-encrypt military drones and spoof them, and that could be extremely dangerous because they could turn them on the wrong people.
Citation :
SPOOFING EXPLAINED
"Imagine you've got a plane in the air and it sends back information to the person controlling it on the ground.
So if I wanted to fly my drone on a route between London and Birmingham, delivering mail for instance, I would get continuous signals coming back telling me where it is at all times.
And I would get GPS co-ordinates, using a signal from the satellite to navigate.
But if the drone is near Birmingham, but it receives GPS co-ordinates for Gloucester, it would then think it is in Gloucester and make an adjustment to go further north, changing the course."
Noel Sharkey
La source de l'info, Fox News
Citation :
EXCLUSIVE: Drones vulnerable to terrorist hijacking, researchers say
... “Spoofing” is a relatively new concern in the world of GPS navigation. Until now, the main problem has been GPS jammers, readily available over the Internet, which people use to, for example, hide illicit use of a GPS-tracked company van. It’s also believed Iran brought down that U.S. spy drone last December by jamming its GPS, forcing it into an automatic landing mode after it lost its bearings.
'Spoofing a GPS receiver on a UAV is just another way of hijacking a plane.'
- University of Texas Radio Navigation Laboratory researcher Todd Humphreys
While jammers can cause problems by muddling GPS signals, spoofers are a giant leap forward in technology; they can actually manipulate navigation computers with false information that looks real. With his device -- what Humphreys calls the most advanced spoofer ever built (at a cost of just $1,000) -- he infiltrates the GPS system of the drone with a signal more powerful than the one coming down from the satellites orbiting high above the earth.
Initially, his signal matches that of the GPS system so the drone thinks nothing is amiss. That’s when he attacks -- sending his own commands to the onboard computer, putting the drone at his beck and call. ...
Stress Test de nouvelles techniques de cryptogtraphie...
IDG News Service
Citation :
Researchers set new cryptanalysis world record for pairing-based cryptography
923-bit encryption key was cracked in 148 days, researchers from Japan say
IDG News Service - Researchers from Fujitsu Laboratories, Japan's National Institute of Information and Communications Technology (NICT) and Kyushu University have set a new cryptanalysis world record by cracking a 278-digit-long (923-bit) key used in a pairing-based cryptography system, Japanese IT services provider Fujitsu said Monday.
The cryptanalysts who worked on this project cracked the 923-bit encryption key in 148.2 days by using 21 computers with a total of 252 cores.It had been previously estimated that pairing-based cryptography of this length would require several hundred thousand years to break, the researchers said.
The previous record dated from 2009 when researchers from NICT and Japan's Hakodate Future University cracked a 204-digit-long (676-bits) key. Cracking a 923-bit key was hundreds of times more difficult.
The researchers explained that they overcame this problem by using several new technologies, including optimization techniques, a new two-dimensional search algorithm and parallel programming.
Pairing-based cryptography (PBC) can be used for identity-based encryption, keyword searchable encryption and other applications for which traditional public key cryptography is unsuitable.
PBC has been very attractive for cryptographers since 2000, when it was used to develop a one-round three-party key agreement protocol as an alternative to the two-round three-party Diffie-Hellman key exchange. However, being a novelty in the cryptographic world, its security has not been thoroughly studied.
The researchers hope that their cryptanalysis effort will help standardizing organizations and governments determine what role PBC will play in developing the next-generation cryptography standards and what is the appropriate key length to use with this type of encryption going forward.
China hackers enter Navy computers, plant bug to extract sensitive data
Manu Pubby : New Delhi, Sun Jul 01 2012, 03:49 hrs
Hackers have broken into sensitive naval computer systems in and around Visakhapatnam, the headquarters of the Eastern Naval Command, and planted bugs that relayed confidential data to IP addresses in China.
The Eastern Naval Command plans operations and deployments in the South China Sea — the theatre of recent muscle-flexing by Beijing — and beyond. India’s first nuclear missile submarine, INS Arihant, is currently undergoing trials at the Command.
The extent of the loss is still being ascertained, and officials said it was “premature at this stage” to comment on the sensitivity of the compromised data. But the Navy has completed a Board of Inquiry (BoI) which is believed to have indicted at least six mid-level officers for procedural lapses that led to the security breach.
The naval computers were found infected with a virus that secretly collected and transmitted confidential files and documents to Chinese IP addresses. Strict disciplinary action against the indicted officers is imminent.
Responding to a questionnaire sent by The Sunday Express on whether highly classified data had been sent to IP addresses in China due to the bug, the Navy said: “An inquiry has been convened and findings of the report are awaited. It needs to be mentioned that there is a constant threat in the cyber domain from inimical hack ers worldwide.”
Sources, however, confirmed that classified data had been leaked, and the breach had possibly occurred because of the use of pen drives that are prohibited in naval offices. The virus was found hidden in the pen drives that were being used to transfer data from standalone computers to othersystems, said a person familiar with the investigation.
The Navy — and the other armed forces — stores sensitive data only in standalone computers that are not connected to the Internet. These computers are not supposed to have ports or access points for pen drives or external storage devices.
The virus apparently created a hidden folder and collected specific files and documents based on certain ‘key words’ that it has been programmed to identify.
The documents remained hidden on the pen drives until they were put in computers that were connected to the Internet, after which the bug quietly sent the files to specific IP addresses.
The cyber espionage came to light in January-February this year. Besides the Navy’s resources, other cyber forensic agencies were involved in tracing the hackers, sources said. China has been accused earlier of using “cyber battalions” — specially trained military staff — to break into sensitive computer systems across the world.
The Naval HQ in New Delhi is monitoring the case closely. Besides the Arihant trial, several other sensitive projects are being undertaken near Visakhapatnam, including an upcoming underground nuclear submarine base that is expected to house India’s strategic assets.
Decidement les techniques d'attaques malicieuses a but lucratif ou policier/militaire sont dechainees.
Ici la technique de clickjacking (click+hijacking qui consiste a frauder les clics en executant des actions differentes de ce que l'utilisateur crois avoir choisi) vient d'etre demontree pour le systeme google Android (pour cellulaires) dans sa derrniere version (Ice Cream Sandwich), ce qui veut dire que les superbes capacitee des smartphones: GPS, localisation par triangualtion des antennes, camera, micro, etc... pourraient s'averer aux service du clickjacker. Apres la vague des clickjacks sur browsers qui avait permi d'activer les webcams a l'insu de leur proprio et engergistrer tout un tas de choses (et faire du blackmail apres avec ca) voici les possibilite etendues aux smartphones. Et tout ceci sans pouvoir etre detecte apr aucun antimalware car se servant de faille structurelle dans le framework d'Android. Il faut songer a enlever les batteries des cellphones en zones "Secret defense".
Pour info un rootkit = un kit (ensemble d'outils) qui permet d'acceder au niveau root (=admin=plein pouvoir sur systemes unix) et donc non seulement d'outrepasser tout les mecanismes d'autorisation et d'authentification mais en plus de modifier le systeme en profondeur pour ne plus faire qu'un et passer indetecte par les grande majorite des anti-malware.
Citation :
Clickjacking Rootkits for Android: the Next Big Threat?
Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier models that clickjacking rootkits could exploit.
A research team led by Xuxian Jiang at NC State has been trying to identify potential weaknesses in various smartphone platforms as part of an overall effort to stay ahead of attacks from “black hat” attackers.
As part of this work, Jiang was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel. The rootkit could be downloaded with an infected app and, once established, could manipulate the smartphone.
For example, the rootkit could hide the smartphone’s browser and replace it with a browser that looks and acts exactly the same – but steals all of the information you enter, such as banking or credit card data. But the rootkit’s functionality is not limited to replacing the browser – it could be used to hide and replace any or all of the apps on a smartphone. Here is a video demonstration of the app.
“This would be a more sophisticated type of attack than we’ve seen before,” says Jiang, “specifically tailored to smartphone platforms. The rootkit was not that difficult to develop, and no existing mobile security software is able to detect it.
“But there is good news. Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”
Jiang is also the founder of the Android Malware Genome Project, which is a collaborative research effort designed to improve our understanding of existing Android malware. The project was announced May 22.
Gadhafi-Era Spy Tactics Quietly Restarted in Libya
BY MARGARET COKER IN TRIPOLI, LIBYA, AND PAUL SONNE IN LONDON
Libya's caretaker government has quietly reactivated some of the interception equipment that fallen dictator Moammar Gadhafi once used to spy on his opponents.
The surveillance equipment has been used in recent months to track the phone calls and online communications of Gadhafi loyalists, according to two government officials and a security official. Two officials say they have seen dozens of phone or Internet-chat transcripts detailing conversations between Gadhafi supporters. One person said he reviewed the transcript of at least one phone call between Saadi Gadhafi, the exiled son of the former dictator, and one of his followers inside Libya. Saadi ...
The Register resume l'article:
Citation :
Libya's new rulers fire up Gaddafi's surveillance tech Snooped-upon become snoopers, snoop on former snoopers By John Leyden
Posted in ID, 6th July 2012
Libya's transitional government has quietly reactivated the surveillance technology it inherited from the Gaddafi regime, the Wall Street Journal reports.
The technology is been used to track the mobile phone calls and online communications of Gaddafi loyalists. Government officials told the paper that they have seen dozens of phone or Internet-chat transcripts, one of which featured a phone call between Saadi Gaddafi, exiled son of the former dictator, and a supporter inside Libya. Saadi Gaddafi fled to Niger during the course of the civil war that ousted his father.
Libya's caretaker government has established created two national-security agencies—Preventive Security and Foreign Security. Salem al-Hasi, 50, a former language teacher at a US military college, has been appointed as Libya's new national intelligence chief. Hasi's deputy, Mustafa Nu'ah, denied claims that the transitional government was using electronic surveillance."We don't have the staff or know-how to do this," Nu'ah told the WSJ.
However this account is contradicted by two unnamed government officials and a high-ranking security official who spoke to the paper. Security briefings routinely feature transcripts of phone calls or internet chats. It's unclear how many people are under surveillance but the National Transitional Council might be particularly inclined to switch on in the run-up to elections, due to take place this weekend.
Surveillance equipment was sold to the Gaddafi regime by suppliers in France, China and South Africa. During the civil war the equipment went unused – until last autumn when it was allegedly reactivated. According to the WSJ's sources, some of the interception equipment was removed from the offices of Libya's main ISP since the regime's fall.
Adel al-Morsi, commander of the Tripoli branch office of Preventative Security, told the WSJ that he classifies schoolteachers who don't allow children to sing the new national anthem and businessmen who became rich in the Gaddafi era as threats – along with the obvious suspects, former Gaddafi officials. Those with ties the former regime have not been allowed to contest the upcoming elections, resulting in the exclusion of 320 potential candidates, or 7 per cent of the field.
Some activists are concerned that the use of surveillance equipment without judicial oversight or a legal framework represents a slide towards authoritarianism.
"In a few short months, the NTC has shown a pattern of creating bad laws that breach human rights," says Elham Saudi, head of the nongovernmental group Lawyers for Justice in Libya, a group that helped gather evidence of possible war crimes by Gaddafi. "The lack of respect for rule of law is astonishing."
Gaddafi maintained a police state, featuring arbitrary arrests and torture, during his 42 years in power at home, while employing assassins to kill political dissident abroad. In interviews with Arab language newspapers, Hasi has set out an agenda to reform Libya's security apparatus. He described turning Libya's security operations "into civilised services at the service of the country, based on the protection of the country and the citizens."
Un vieil article mais il faut rappeler que le net n'est pas seulement anonymes (pour nous autres utilisateurs et non pour les organisations et les gouvernements) il se prete egalement a la manipulation. Les gens qui croient en la sincerite la veracite et la representabilite des "commentaires" laisses sur tel ou tel site web, croyant que de "simples personnes du meme pays" donnent une opinion totalement "desinteressee" se gourent la plus part du temps et font preuve de naiviete encore plus grave que ceux qui croient au "vu a la tele".
Ars Technica
Citation :
Iranian gov't pays paramilitary hackers, bloggers to bring you Islamic Revolution 2.0
TALLINN, ESTONIA—Iran has significantly stepped up its use of corporate acquisitions, online propaganda, and hacking capabilities in recent years, according to an open source intelligence expert.
Jeff Bardin, the chief intelligence officer at Treadstone 71—an American company that researches publicly available materials—told a packed session at the International Conference on Cyber Conflict on Wednesday that Iran has become much more sophisticated and pervasive in its use of online tools.
He outlined the major paramilitary organizations that operate within Iran, including the Islamic Revolutionary Guard Corps (IRGC), the Basij, and Ashiyane. The latter is a notorious hacker group that works in conjunction with the Iranian government. All of these groups, he said, share an overarching focus on an Iranian concept used to promote the movement that became the philosophic foundation of the Islamic Revolution: westoxification. It's the loss of Persian language, culture, and influence to Western countries.
“[Iranians'] patience is, in my view, legendary,” he told Ars. “The United States is famous for underestimating the adversary.”
The IRGC, known in Persian as the “Pasdaran,” is a massive organization that touches nearly every part of the Iranian economy, including owning or controlling major corporations. Most notably, just months after the disputed presidential election of June 2009, the Iranian government sold a majority $7.8 billion stake in the Iran Telecommunications Company, a former monopoly.
“It smacks of a communist model,” Bardin said of the uncompetitive nature of awarding contracts to the IRGC. He added that by controlling the infrastructure itself, the Iranian government’s agencies could capture even tighter control over what was being said and done online.
Bardin also said that the IRGC has been paying bloggers and online activists to promote the Islamic Republic and its policies in comments, forums, Facebook pages, and other online venues. Bardin says that the going rate was about “$7 per hour.” However, an Israeli organization, the Meir Amit Intelligence and Terrorism Information Center, cited a figure of about $4.30 per hour as of January 2012.
The IRGC is also behind the Center for Investigating Organized Cyber Crimes, and its website, gerdab.ir, which notoriously published photos of street protestors in July 2009 and asked citizens to turn them in.
According to a 2009 Rand Corporation paper on the IRGC, the group “plays a role in monitoring Internet communications to mitigate the influx of corrupting foreign ideals and antiregime material. In this effort, it coordinates closely with other security entities. In a 2007 interview, the head of the Internet section of the Tehran Public and Revolutionary Prosecutor’s office explained, 'On the whole, filtering is being carried out between... the government, the judiciary, the officials of the law-enforcement forces and the Basij.'”
Bardin also outlined that these groups come together in very public meetings in Iran, as evidenced in the recent get-together of “Hizbullah Cyber,” which took place on May 24, 2012 (Google Translate).
"This war is getting more and more complicated; in cyberspace, where you're working as soldiers, we have to go until [we occupy] New York and the White House,” said Hussein Yekta, an IRGC leader, at last month’s event, according to an account by Raja News (Google Translate), a government-affiliated conservative news site.
The Treadstone 71 researcher also said that another one, entitled “Liberation of Khorramshahr,” is scheduled to take place in Tehran between June 17 and 20.
Despite the large amount of noise online, he conceded that while the government’s online sophistication has grown recently, a significant portion of the Iranian population (and particularly its diaspora) does not agree with the Islamic Republic’s policies.
"The IRGC's omnipresence does not necessarily guarantee its omnipotence,” Bardin concluded in his talk at the conference’s Wednesday session.
Tentative de contaminer le reseau de la multinational neerlandaise DSM apr une cle USB laissee dans un parking dans l'espoir qu'un employee l'emportrait au travail...encore un autre rappel: plus les departement IT activement les mesures d'hygiene sur les reseau en utilisant les outils disponibles couplee a un (risk) management de qualite, la porte d'entree principale restera le social engineering et les tentative de duper les utilisateurs/employes...mais ne meme temps ceci augmente al possibilite de remonter a la source de l'attaque plus facilement (empreinte digital, log des conversations telephonqiue, camera de securite)
The Register
Citation :
Chemical giant foils infected USB stick espionage bid
Malware-laden drive falls into the right hands
An attempt to infiltrate the corporate systems of Dutch chemical giant DSM by leaving malware-riddled USB sticks in the corporation's car park has failed.
Instead of plugging the discarded drives into a workstation, which would have infected the machine, the worker who first found one of the devices handed it in to DSM's IT department.
Sysadmins subsequently found an unspecified password-stealing keylogger, according to local reports by Elsevier.nl (Google translation here).
The spyware was designed to upload stolen usernames and passwords to a server under the control of hackers. This site was blocked by DSM's sysadmins, effectively thwarting the password-snatching object of the attack, so the company would be protected even should any other workers find and use the infected USB sticks on corporate laptops.
It's unclear who was behind the plan, but regular cybercriminals or industrial spies are two strong possibilities. It's even possible the infected keystroke logger was planted there by a firm hired to test DSM's cyber-defences, which on the basis of this case are better than those of many other firms.
Using infected USB sticks as a method of smuggling malware into firms has become a regular occurrence over recent years, security researchers note, especially since they featured as the presumed delivery mechanism of the infamous Stuxnet worm. Penetration testers might regard the ruse as too easy, akin to shooting fish in a barrel, a blog post by net security firm Sophos comments.
sur Sophos
Criminals in USB key espionage attempt against Dutch multinational. Or not.
Tridium’s Niagara Framework: Marvel of connectivity illustrates new cyber risks
John Sublett and his colleagues had an audacious, digital-age plan. They wanted to use the Internet to enable businesses to manage any kind of electronic device, anywhere on the planet, through the computer equivalent of a universal remote control. In 1996, nothing like it had been seen before.
“We said, ‘Hey, there’s this cheap network, ready to use,’ ” Sublett recalled.
Their company, Richmond-based Tridium, would succeed — but with far-reaching implications for the security of the online universe known as cyberspace.
Tridium’s driving technology, 4 million lines of software code called the Niagara Framework, is a marvel of innovation. With the click of a mouse, Niagara enables plant managers to view video streams, high-rise superintendents to operate air conditioners and elevators, security officials to track personnel inside U.S. military facilities, and nurses to monitor medical devices in hospitals.
At least 11 million devices and machines in 52 countries, including security and surveillance systems in homes, have been linked to the Internet through Niagara, most of them in the past two years. But behind that success is a looming threat: an unknown number of Niagara-run networks are vulnerable to attacks from hackers, an examination by The Washington Post has found.
Last week, after more than a month of conversations with The Post, the company in a confidential security bulletin warned customers about the vulnerabilities and described ways to mitigate them.
“We’re not going to say Niagara is secure,” Sublett said in an interview. “We try to soften it and say we’re trying to make it as secure as possible.”
Tridium’s story illustrates the unintended consequences of the world’s rush to connect machines and devices in cyberspace. It also demonstrates how even small missteps in writing software or configuring systems can have huge implications. In cyberspace, determined hackers routinely transform obscure gaps into major security holes.
Over the past two years, hackers and cyberwarriors who once focused primarily on traditional computers and networks have put control systems in their crosshairs, damaging machinery, stealing information from networks and spying on facilities. Warnings from the Department of Homeland Security about the threats have become a drumbeat, while officials at the Pentagon and the White House consider them a national security priority.
After discussing Tridium with a Post reporter, a pair of security researchers decided on their own to zero in on Niagara and discovered gaps that would enable hackers to download and decrypt user names and passwords. The researchers, Billy Rios and Terry McCorkle, shared their findings with The Post and reported them to cybersecurity officials at the Department of Homeland Security, who recommended several measures to Tridium, including better security training for customers.
“There are hundreds of thousands of installations on networks, including [Defense Department] installations and Fortune 500 firms,” said Rios, a 34-year-old security researcher and a co-author of “Hacking: The Next Generation,” a handbook for security experts. “These customers have no idea they are exposed.”
In interviews, Sublett defended Niagara’s security, saying it follows industry “best practices” and “is basically secure.” He said Tridium has long recommended, to customers who asked, that users protect against intrusions by placing Niagara behind more-secure “virtual private networks.”
Sublett said executives learned about the vulnerabilities almost a year ago, when a Niagara customer that uses the software to manage Pentagon facilities turned up issues in an audit. He said Tridium is working on fixes. The firm also is doing more to train customers about security than it has in the past, he said.
“We’re committed to making our framework more secure,” Sublett said. “And we know it’s our responsibility to educate our community.”
No longer off the radar
For more than a decade, few people gave much thought to the security of commercial control systems on the Internet.
Tridium executives said attacks seemed unlikely, because hackers had not traditionally targeted such systems [Raisonnement DANGEREUX ]. In interviews, the executives said they and their customers generally assumed that control systems were buffered somewhat by their obscurity. [Il n'y a pas de security by obscurity l'obfuscation n'est qu'une etape et un aspect parmi d'autres...]
Rios and other “white hat” hackers — those who seek to improve security by exposing flaws — noticed Niagara systems popping up online in recent years, as office buildings, apartment complexes and other facilities automated heating systems, security and other operations. One researcher documented thousands of “portals” online. Others shared details about Niagara locations and speculated about their security.
But the interest did not take hold beyond a small cadre of security specialists, because few people grasped the implications of Tridium’s business and its expanding reach.
Commercial control systems rely on computer software, microprocessors and networks. They do not have to be as quick or as finely calibrated as the industrial control systems that run power generators, manufacturing equipment and other heavy machinery. But they are far more numerous.
In 1996, Sublett and five colleagues wanted to give customers options to connect a wide variety of devices into a single network. At the time, devices had to be controlled separately by each manufacturer’s software.
The team formed Tridium and designed Niagara to leverage the technology that is at the core of the Web. The Web uses the universal Hypertext Transfer Protocol, or HTTP, to facilitate computer-to-computer communication over the Internet.
In 1999, Tridium introduced the software framework to the market. Niagara permitted other companies to tailor the software to incorporate any device. At its core, Niagara serves as a kind of middleman that transforms the electronic babble of every network-connected device into a single manageable language.
Like the Web, Niagara was easy to use, and word spread in the world of control systems. Over the next few years, so many smaller companies began licensing Niagara to use in building automation projects that the big makers of commercial control systems began to follow suit.
In 2005, as the notion of connecting machines to cyberspace was gaining momentum, Honeywell International bought the company for an undisclosed amount and allowed Tridium to operate independently. Sales of the system soared, and Tridium’s promotional materials include examples of Niagara’s growing presence around the world.
In Chicago, the Niagara software manages heating, lighting, security and more for two federal government buildings that house the FBI, the Drug Enforcement Administration, the U.S. Attorney’s Office, the Internal Revenue Service and other agencies.
In Dubai, in the United Arab Emirates, managers of the 53-story 21st Century Tower apartment complex use the software to control fire detection, security sensors, air conditioning and myriad other operations.
At Singapore’s Changi Airport, Niagara helps manage more than 110,000 devices and sensors. The James Cook University Hospital in Middlesbrough, England, relies on Niagara to manage everything from “critical medical systems” to elevators, security, lighting and kitchen refrigeration.
Some Defense Department facilities in the United States also depend on Niagara. That includes the giant Tobyhanna Army Depot in Pennsylvania, which uses Niagara to control boilers.Some military installations use Niagara to provide surveillance and access control at “high security” facilities, said Marc Petock, Tridium’s vice president for global marketing and communications.
Growing numbers of home-automation companies are using Niagara to enable homeowners to control lighting and security systems.
One of the most widespread uses of Niagara involves about 575 Wawa convenience stores nationwide, where the software connects oven doors, gasoline pumps, exterior lights, freezers and security cameras, all controlled or monitored from a Wawa command center.
Wawa embodies Tridium’s lofty ambitions, as Petock describes them: “Any device, any system, any network, any protocol from anywhere at any time.”
Inside Niagara
Rios first noticed Niagara more than a year ago, while working on a security project. He became intrigued about the framework while attending a security conference in January, as he drank beers and smoked a cigar on a veranda at a conference center in Miami.
Rios is a former Marine captain who served in Iraq with a signals intelligence unit and later as an information assurance analyst at the Defense Department, helping to protect networks. Since then, he has held senior security positions at Microsoft and Google.
On their own time, Rios and his research partner, McCorkle, also a corporate security specialist, have made a specialty of finding vulnerabilities in industrial and commercial control systems. The two have been credited with reporting at least 25 serious vulnerabilities to cybersecurity officials at the Department of Homeland Security and vendors.
Rios was troubled by what he was hearing about Niagara in Miami. Another researcher described how he had mapped thousands of Niagara-driven networks. He said they were linked directly to the Internet even though many apparently required only user names and passwords for access. To a hacker such as Rios, that was virtually no security at all.
Following the conference, after a Post reporter called and shared new details about Tridium — including the use of Niagara by the Pentagon and other federal agencies — Rios decided to take a closer look.
On Jan. 26, sitting in his family’s San Jose living room and working on a laptop, Rios began to work. He created an account on a Tridium Web site devoted to helping users, lurking quietly as he read complaints and recommendations. The comments from users helped him to construct a “mental map” of how the software worked.
“I’m learning about its weaknesses, and I’m learning about the common configurations that I’ll likely see in the wild,” he said later.
A key moment came when someone in the online forum referred to technical manuals and a Web address where they were located. Rios and McCorkle downloaded the manuals and pored over them for clues. Rios saw a reference to a Niagara demonstration site online and turned his attention there.
As he toyed with the demo and hunted for an exploit, his insights gleaned from the manuals crystallized. “Within five minutes, I’ve found what I’m looking for,” Rios later wrote in an e-mail to The Post. “I find a flaw that gives remote attackers the ability to download all the user names and passwords for all the users on the Niagara server. I test it against the demo server . . . it works. I test it against a couple of other places . . . it works. The attack is trivial and very reliable.”
The exploit, well known in the hacker world, is called a directory traversal attack. It enabled Rios to turn the Web’s core function — the communication protocol that is intended to make everything easier — to his advantage. With some deft alterations to the Niagara Framework’s Web address, he was able to order the framework to perform certain tasks. One of them was to electronically hand over a “configuration file,” which happens to contain user names, passwords and other sensitive material.
By the time he was finished, it was 3 a.m. on Saturday, Jan. 28. Rios crafted a technical note about his exploit to cybersecurity officials at DHS and, after encrypting the message for security, sent it off. “All total, it took me 2 days to go from zero knowledge to remote password theft,” Rios wrote.
The passwords Rios had grabbed were scrambled for security by a mathematical formula called a “hash.” But that offered limited protection. Automated computer tools can crack the hashed passwords with relative ease. (In a recent attack on LinkedIn, a social-networking site, hackers made off with 6.5 million hashed passwords and immediately began cracking them.) “Once the passwords are decrypted, you can simply log in to the Niagara Framework as any user you desire,” Rios said.
A senior cybersecurity official at DHS acknowledged that the department had received Rios’s information and had talked to Tridium.
Tridium officials attributed the demo vulnerability to an employee who they said set it up incorrectly. They said some Niagara Framework users have also misconfigured their systems. Other users have never bothered to take secure measures, such as using a hard-to-hack virtual private network.
Sublett said the company intends to change the location of the configuration file to make it harder for hackers to find. Tridium also is trying to figure out the best way to change the framework’s default security settings “so it’s not as easy to make a mistake.” And it is going to improve the hash that scrambles passwords because “it’s not as strong as it should be,” Sublett said.
The company, still in talks with DHS officials, has begun a push to better communicate to Niagara users about the security risks in cyberspace. The security bulletin last week was part of that process.
“We’re not out there claiming we are bulletproof secure,” Sublett said. “Nobody is 100 percent secure.”
Ca me rappelle ceci pour RuggedCom qui fabrique des equipement reseaux industriels:
Citation :
Backdoor in mission-critical hardware threatens power, traffic-control systems A secret backdoor account imperils utilities using mission-critical routers.
In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you'd think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there's a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.
Mahdi, the Messiah, Found Infecting Systems in Iran, Israel
Who knew that when the Messiah arrived to herald the Day of Judgment he’d first root through computers to steal documents and record conversations?
That’s what Mahdi, a new piece of spyware found targeting more than 800 victims in Iran and elsewhere in the Middle East, has been doing since last December, according to Russia-based Kaspersky Lab and Seculert, an Israeli security firm that discovered the malware.
Mahdi, which is named after files used in the malware, refers to the Muslim messiah who, it’s prophesied, will arrive before the end of time to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day. But this recently discovered Mahdi is only interested in one kind of cleansing – vaccuuming up .PDFs, Excel files and Word documents from victim machines.
The malware, which is not sophisticated, according to Costin Raiu, senior security researcher at Kaspersky Lab, can be updated remotely from command-and-control servers to add various modules designed to steal documents, monitor keystrokes, take screenshots of email communications and record audio.
While researchers have found no particular pattern to the infections, victims have included critical infrastructure engineering firms, financial service companies, and government agencies and embassies. Of the 800 targets discovered so far, 387 have been in Iran, 54 in Israel and the rest in other countries in the Middle East. Gigabytes of data were stolen over the last eight months.
According to Aviv Raff, CTO of Seculert, his lab received the first sign of the malware last February in the form of a spear-phishing email with a Microsoft Word attachment. The document, once opened, contained a Nov. 2011 article from the online news site The Daily Beast discussing Israel’s plan to use electronic weapons to take out Iran’s electric grid, internet, cellphone network, and emergency frequencies during an airstrike against Iran’s nuclear facilities.
If users clicked on the document, an executable launched on their machine that dropped backdoor services, which contacted a command-and-control server to receive instructions and other components. Researchers have discovered other variants that used malicious .pdf and PowerPoint attachments, some of them containing images with various religious themes or tropical locations, that use simple social engineering techniques to confuse users into allowing the malware to load onto their machines.
As Kaspersky Lab explains in a blog post, one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system” by confusing them into ignoring virus warnings that might appear on their screen.
“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky writes.
According to Kaspersky, the backdoors that infected machines were all coded in Delphi. “This would be expected from more amateur programmers, or developers in a rushed project,” they write in their blog post.
The earliest variant found so far infected machines in Dec. 2011, but a compilation date on some of the files indicates the malware may have been written before last September.
The malware communicates with at least five servers – one in Tehran, and four in Canada, all hosted in different locations. Researchers at Kaspersky Lab created a sinkhole to divert traffic from some of the infected machines, but at least one server is still up and running, meaning the spy mission is still active.
Seculert contacted Kaspersky about Mahdi last month after researchers in its lab discovered Flame, a massive, highly sophisticated piece of malware that infected systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Flame is also a modular malware that allows its attackers to steal documents, take screenshots and record audio of Skype conversations or communications conducted in the vicinity of an infected machine.
Raff says his team in Israel reached out to Kaspersky because they thought there might be a connection between the two pieces of malware. But researchers have found no parallels between Mahdi and Flame. Raff notes, though, that “the guys behind them may be different, but they do have very similar purposes,” which is to spy on targets.
Recently, U.S. government sources told the Washington Post that Flame is the product of a joint operation between the U.S. and Israel.
Raff says it’s not clear if Mahdi is the product of a nation-state, but notes that the researchers found strings of Farsi in some of the communication between the malware and command-and-control servers, as well as dates written in the format of the Persian calendar.
“This is something we didn’t see before, so we thought it was interesting,” he says. “We are looking at a campaign that is using attackers who are fluent in Farsi.”
The infections in Iran and Israel, along with the Farsi strings, suggest the malware may be the product of Iran, used to spy primarily on domestic targets but also on targets in Israel and a handful of surrounding countries. But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.
[Note: Mahdi est le messie chez les chiites. Il n'y a rie nde tel dans la religion islamique.]
Siemens has provided the STEP 7 software update V5.5 SP1 (equivalent to V5.5.1) that resolves the vulnerability, but recommends that the latest Service Pack, V5.5 SP2, e
b. CWE-114: Process Control, be installed as soon as possible. SIMATIC PCS 7 users should also apply this update.
The updates implement a mechanism that rejects DLLs in the STEP 7 project folders, which contain executable code, thus preventing unintended execution of unchecked code. For further information please review the Siemens Security Advisory (SSA-027884) that can be found at the Siemens ProductCERT Web site. f ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks. • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. • Locate control system networks and remote devices behind firewalls, and isolate them from the business network. • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices. The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. g Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
Citation :
Kyodo Saturday, July 21, 2012 [Japanese] Finance Ministry reveals 2010-2011 computer virus; info leak feared
The Finance Ministry said Friday it has found that some of its computers were infected with a virus from 2010 to 2011 and admitted information may have been leaked.
The ministry denied confidential information such as personal data on taxpayers had been leaked but declined to provide details, including which departments had been affected by the apparent cyber-attack. It will probe the incident with police.
The infection was reported to the ministry Tuesday by a company it had commissioned to check its computer security system starting in May.
The contagion started in January 2010, the ministry said based on the company's report, suggesting information could have been leaked for over two years. The last infection occurred in November 2011, after which the apparent attack suddenly stopped.
An ongoing probe, in which around 2,000 computers at the ministry were checked, turned up 123 that were infected with Trojan horse malware, which is often sent as an e-mail attachment with the purpose of giving a hacker unauthorized access to a computer.
The ministry, which has yet to identify the route of the infection, has already changed the hard-disks on the affected computers while limiting data transmission when they are connected to the Internet.
The virus was not detected by antivirus software installed on the computers, triggering speculation it could be a new type of Trojan horse, ministry officials said.
The infection has been found mainly with computers used by relatively junior officials, and data possibly leaked may include documents prepared for meetings within the ministry, one of the officials said. Computers used by senior officials, including the minister, vice ministers and directors general, were not affected.
"It is not that the personal information that we have was widely leaked," one official told reporters.
Last month government websites, including the ministry's, were accessed by unauthorized users. The incident came after a group of Internet hackers called Anonymous threatened an attack. It is not known if Anonymous is connected to the Trojan horse attack.
Article fascinant sur Mr. Karspersky (naturellement a mettre dans le contexte de media americain "revelant" des infos sur la compagnie de securite IT russe qui a devoile/sabote le plan stuxnet/flame)
Citation :
Russia’s Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals
It’s early February in Cancun, Mexico. A group of 60 or so financial analysts, reporters, diplomats, and cybersecurity specialists shake off the previous night’s tequila and file into a ballroom at the Ritz-Carlton hotel. At the front of the room, a giant screen shows a globe targeted by crosshairs. Cancun is in the center of the bull’s-eye.
A ruddy-faced, unshaven man bounds onstage. Wearing a wrinkled white polo shirt with a pair of red sunglasses perched on his head, he looks more like a beach bum who’s lost his way than a business executive. In fact, he’s one of Russia’s richest men—the CEO of what is arguably the most important Internet security company in the world. His name is Eugene Kaspersky, and he paid for almost everyone in the audience to come here. “Buenos dias,” he says in a throaty Russian accent, as he apologizes for missing the previous night’s boozy activities. Over the past 72 hours, Kaspersky explains, he flew from Mexico to Germany and back to take part in another conference. “Kissinger, McCain, presidents, government ministers” were all there, he says. “I have panel. Left of me, minister of defense of Italy. Right of me, former head of CIA. I’m like, ‘Whoa, colleagues.’”
He’s bragging to be sure, but Kaspersky may be selling himself short. The Italian defense minister isn’t going to determine whether criminals or governments get their hands on your data. Kaspersky and his company, Kaspersky Lab, very well might. Between 2009 and 2010, according to Forbes, retail sales of Kaspersky antivirus software increased 177 percent, reaching almost 4.5 million a year—nearly as much as its rivals Symantec and McAfee combined. Worldwide, 50 million people are now members of the Kaspersky Security Network, sending data to the company’s Moscow headquarters every time they download an application to their desktop. Microsoft, Cisco, and Juniper Networks all embed Kaspersky code in their products—effectively giving the company 300 million users. When it comes to keeping computers free from infection, Kaspersky Lab is on its way to becoming an industry leader.
But this still doesn’t fully capture Kaspersky’s influence. Back in 2010, a researcher now working for Kaspersky discovered Stuxnet, the US-Israeli worm that wrecked nearly a thousand Iranian centrifuges and became the world’s first openly acknowledged cyberweapon. In May of this year, Kaspersky’s elite antihackers exposed a second weaponized computer program, which they dubbed Flame. It was subsequently revealed to be another US-Israeli operation aimed at Iran. In other words, Kaspersky Lab isn’t just an antivirus company; it’s also a leader in uncovering cyber-espionage.
Serving at the pinnacle of such an organization would be a remarkably powerful position for any man. But Kaspersky’s rise is particularly notable—and to some, downright troubling—given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB. Of course, none of this history is ever mentioned in Cancun.
What is mentioned is Kaspersky’s vision for the future of Internet security—which by Western standards can seem extreme. It includes requiring strictly monitored digital passports for some online activities and enabling government regulation of social networks to thwart protest movements. “It’s too much freedom there,” Kaspersky says, referring to sites like Facebook. “Freedom is good. But the bad guys—they can abuse this freedom to manipulate public opinion.”
These are not exactly comforting words from a man who is responsible for the security of so many of our PCs, tablets, and smartphones. But that is the paradox of Eugene Kaspersky: a close associate of the autocratic Putin regime who is charged with safeguarding the data of millions of Americans; a supposedly-retired intelligence officer who is busy today revealing the covert activities of other nations; a vital presence in the open and free Internet who doesn’t want us to be too free. It’s an enigmatic profile that’s on the rise as Kaspersky’s influence grows.
Skype rachete par Microsoft commence a se "centraliser" pour faciliter l'interception "legale" (le modele orginel de skype est p2p et decentralise)
Washington Post
Citation :
Skype makes chats and user data more available to police
Skype, the online phone service long favored by political dissidents, criminals and others eager to communicate beyond the reach of governments, has expanded its cooperation with law enforcement authorities to make online chats and other user information available to police, said industry and government officials familiar with the changes.
Surveillance of the audio and video feeds remains impractical — even when courts issue warrants, say industry officials with direct knowledge of the matter. But that barrier could eventually vanish as Skype becomes one of the world’s most popular forms of telecommunication.
The changes to online chats, which are written messages conveyed almost instantaneously between users, result in part from technical upgrades to Skype that were instituted to address outages and other stability issues since Microsoft bought the company last year. Officials of the United States and other countries have long pushed to expand their access to newer forms of communications to resolve an issue that the FBI calls the “going dark” problem.
Microsoft has approached the issue with “tremendous sensitivity and a canny awareness of what the issues would be,” said an industry official familiar with Microsoft’s plans, who like several people interviewed for this story spoke on the condition of anonymity because they weren’t authorized to discuss the issue publicly. The company has “a long track record of working successfully with law enforcement here and internationally,” he added.
The changes, which give the authorities access to addresses and credit card numbers, have drawn quiet applause in law enforcement circles but hostility from many activists and analysts.
Authorities had for years complained that Skype’s encryption and other features made tracking drug lords, pedophiles and terrorists more difficult. Jihadis recommended the service on online forums. Police listening to traditional wiretaps occasionally would hear wary suspects say to one another, “Hey, let’s talk on Skype.”
Hacker groups and privacy experts have been speculating for months that Skype had changed its architecture to make it easier for governments to monitor, and many blamed Microsoft, which has an elaborate operation for complying with legal government requests in countries around the world.
“The issue is, to what extent are our communications being purpose-built to make surveillance easy?” said Lauren Weinstein, co-founder of People for Internet Responsibility, a digital privacy group. “When you make it easy to do, law enforcement is going to want to use it more and more. If you build it, they will come.’’
LE Monde
Citation :
Plainte contre Qosmos pour avoir vendu du matériel de surveillance à la Syrie
La Fédération internationale des droits de l'homme (FIDH) et la Ligue des droits de l'homme (LDH) vont déposer plainte, mercredi 25 juillet, contre la société française Qosmos, accusée d'avoir fourni à Damas du "matériel de surveillance électronique nécessaire à la répression de toute opposition politique ou intellectuelle", selon le texte écrit par écrit Me Patrick Baudouin, de la FIDH, et qui doit être adressée dans l'après-midi à la justice. Lire : En Syrie, les dangers d'utiliser des moyens de communication
L'avocat demande au parquet de "prendre l'initiative d'ouvrir une enquête préliminaire ou une information judiciaire" sur la question. "Il a un délai de trois mois ; à défaut, nous nous réservons la possibilité de déposer plainte avec constitution de partie civile" afin qu'un juge soit désigné, a-t-il précisé.
"La société n'a absolument rien à se reprocher et attend sereinement tous les actes d'enquête", a affirmé Me Benoît Chabert, avocat de Qosmos.
"ANALYSE EXHAUSTIVE DE L'ACTIVITÉ DES RÉSEAUX"
Sur son site Internet, la société française explique fournir "une technologie d'intelligence réseau qui identifie et analyse en temps réel les données qui transitent sur les réseaux". Sa technologie "rend possible une analyse précise et exhaustive de l'activité des réseaux en temps réel".
La FIDH et la LDH avaient déjà porté plainte contre une autre société française, Amesys, une filiale de Bull, pour des faits similaires concernant la Libye de Kadhafi, cette fois. Les associations lui reprochent "la fourniture au régime de Kadhafi, à partir de 2007, d'un système de surveillance des communications destiné à surveiller la population libyenne". "Ce sont les deux sociétés pour lesquelles nous avons des éléments, mais il y en a sans doute d'autres", a déclaré Me Baudouin à l'AFP.
Article sur Qosmos depuis TMCnet datant de 2009
Citation :
Qosmos Network Intelligence Helps Development of Smart Pipe Solutions
Qosmos, a provider of software and hardware solutions that analyze and gather information from networks in real time, recently announced that its enabling technology solutions are available on the market. These network intelligent solutions are specially designed for the mobile market and will help network equipment providers and software vendors to create Smart Pipe solutions.
The company provides network technology that is designed to work with several other applications such as network protection, service optimization, lawful interception, data retention, content-based billing, regulatory compliance and audience measurement.
The newly available platform consists of a software development kit and a few other appliances. It will assist vendors and allow them to increase their range of technological offerings. This solution will also allow vendors to cut down on the developing time consumed and costs incurred for building their own intelligent network solutions.
“We see an increased demand for our Network Intelligence technology from vendors who want to deliver innovative solutions to their Mobile Network Operator customers,” said Thibaut Bechetoille, Qosmos (News - Alert) chief executive officer.
“Using Qosmos platforms, Network Equipment Providers and Software Vendors can leverage best-in-class expertise to avoid costly and lengthy in-house development, and focus their own resources on the development of applications for which they already have domain expertise,” added Bechetoille.
The company created this technology and made it available for Smart Pipes. The new solution is able to gather detailed information from various Internet Protocol (IP) applications from many other networks. It has also been outfitted with an easy drill down that can manage both the service and customer levels. It can also control event levels. The intelligent network solution from Qosmos allows vendors to provide solutions for tiered services, user behavior analysis, application and content -aware billing and so on.
“Operators must invest in technologies that provide greater network intelligence to offer differentiated service to subscribers,” said David Vorhaus, analyst at Yankee Group (News - Alert).
“They must evolve their business models and exploit existing technologies to overcome bandwidth constraints and the economic burden of over-provisioning in order to protect their profitability,” he added.
The new network intelligence technology from Qosmos can also be launched as software embedded into a Smart Pipe solution or even a hardware probe on the network. The software can also be directly embedded into the network equipment.
Don’t forget to check out TMCnet’s White Paper Library, which provides a selection of in-depth information on relevant topics affecting the IP Communications industry. The library offers white papers, case studies and other documents which are free to registered users. Today’s featured white paper is Fixed Service Strategies for Mobile Network Operators, brought to you by Comverse (News - Alert).
Une vrai petite beaute:
A simple application powered by Qosmos Network Intelligence Technology
Citation :
An example of a simple application based on Qosmos, which enables users to generate a query (e.g. what websites are visited, and with what device), and displays the results in real time, in a tabular format.
Citation :
Qosmos technology goes beyond traditional Deep Packet Inspection (DPI) technology. In addition to recognizing traffic, Qosmos also extracts information (metadata) and feeds applications with detailed visibility on all network-based activity. In fact, we treat the network as a real-time database, to identify, query and extract specific data with great precision and detail.
En gros les appliances de Qosmos, surtout son software, permet de deshabiller la communication et de la classifier, ceci en offrant les interfaces programmatiques pour adapter tout ca
farewell Général de corps d'armée (ANP)
messages : 2468 Inscrit le : 13/02/2011 Localisation : ****** Nationalité : Médailles de mérite :
Retour des pirates Chinois dans nos pc http://www.zataz.com/news/22306/spy--espionnage--Huawei--ZTE-Corporation--Byzantine-Candor--CEIEC--Rakshasa.html
_________________ "Les belles idées n'ont pas d'âge, elles ont seulement de l'avenir"
Mer 11 Fév 2009 - 15:01
efficiency and to the point...
, where we can also see detections at specific URLs., which made it clear that a specific website supplied the AutoCAD template that appears to be the basis for this localized spike as this template was also infected with ACAD/Medre.A. If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment. Other information that is described later also points to live infections.
