Posts Tagged ‘Night Dragon’

Five Years of Hacking (Updated)

August 3, 2011

Strange days for Information Security: have a look at my July 2011 Attacks Chart to see how troubled July has been. August promises to be even worse, but this is not the point…

The point is that in an interview with Vanity Fair, which is not typically an Information Security magazine, Dmitri Alperovitch, Vice President of Threat Research at McAfee, reported that for at least five years a high-level hacking campaign, dubbed Operation Shady RAT (as in Remote Access Tool), has infiltrated the computer systems of national governments, global corporations, nonprofits and other organizations. The infiltration claimed more than 70 victims in 14 countries, in what has been defined the “Biggest-ever series of cyber attacks uncovered”, an attack so big that, according to Alperovitch: “It’s been really hard to watch the news of this Anonymous and LulzSec stuff, because most of what they do, defacing Web sites and running denial-of-service attacks, is not serious. It’s really just nuisance.”

Victims included government agencies in the United States, Taiwan, South Korea, Vietnam and Canada, the Olympic committees of three countries, and the International Olympic Committee. Rounding out the list of countries where Shady RAT hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany and India. The vast majority of victims (49) were U.S.-based companies, government agencies and nonprofits. The category most heavily targeted was defense contractors, 13 in all.


In addition to the International Olympic Committee, the only other victims that McAfee has publicly named are the World Anti-Doping Agency, the United Nations, and ASEAN, the Association of Southeast Asian Nations (whose members are Indonesia, Malaysia, the Philippines, Singapore, Thailand, Brunei, Burma, Cambodia, Laos and Vietnam).

All the signs of the attack point to China. If confirmed, this would be the third attack discovered by McAfee originating from China, after Operation Aurora and Night Dragon.

One thing is clear: if Vanity Fair is dealing with Information Security, something really strange is going on. Let us at least hope this is not a sign that Information Security is simply becoming a matter of fashion.

Meanwhile, after the Vanity Fair preview, McAfee has released its report on Shady RAT. McAfee was able to gain access to one specific Command & Control server used by the intruders, collecting logs that reveal the full extent of the victim population since mid-2006, when the log collection began. The results are described in the document and, curiously, China, which the press reported as the alleged author of the attack, is never expressly named.


Interestingly, this report raised several doubts among McAfee’s competitors. For instance Sophos, in a dedicated post, considers that there is nothing particularly surprising in McAfee’s report, since companies are often targeted by hackers who install malware to gain remote access to their computers and data, sometimes driven by motivations which extend beyond the purely financial (IP theft, economic or political motives, and so on).

Moreover, Sophos wonders why McAfee did not disclose what kind of information was stolen from the targeted organisations, and how many computers at each business were affected.

In any case I noticed with pleasure that, like me, Sophos was also surprised by the fact that the preview was first released on Vanity Fair…

What do RSA, Epsilon and Sony breaches have in common?

You need to give people information and transparency so that they can understand security. It’s essential to make them a part of the security process and ensure they are aware of the company security policy.

These words were spoken yesterday, May 4th 2011, in Barcelona during the Check Point Experience by Gil Shwed, founder and Chairman of the information security vendor, while unveiling the company’s 3D Security model, a model which focuses on policy, people and enforcement.

No better moment could have been found to emphasize the role of the user inside the information security process!

The dramatic events of the RSA, Epsilon and Sony data breaches are redefining the information (in)security landscape and consequently raising many questions and concerns among security professionals about the true extent of the events. RSA tokens, whose seeds were allegedly compromised during the breach, are used in more than 25,000 corporations all over the globe. The Epsilon data breach involved 2% of customers: for a company which sends out over 40 billion e-mails a year on behalf of over 2,500 clients, this means millions of individuals at risk and needing to be on alert for scams and phishing for years. Last but not least Sony, from which a total of more than 100 million records were stolen during two separate waves of attack on its PlayStation Network and Qriocity service.

Now the question is: what do Mr. Shwed’s words have to do with the latter events?

Well, (too) many words have been spent so far, recalling the security concerns for cloud-based services (mostly in the case of Epsilon and Sony) and the role of Advanced Persistent Threats, which are becoming a harmful attack vector for enterprises, using spear-phishing mail to overwhelm the first line of defence made up of the employees. Apparently old-school techniques in new clothes. Nevertheless there is a point which, in my opinion, has not been adequately emphasized so far, and that point is precisely the answer to the previous question.

Simply put, the overlooked point is the role of people in the (in)security process which led to the breach. Hopefully this is not exactly the kind of role wished for by Mr. Shwed; anyway, if we reverse the paradigm, the result is exactly the same: on one hand, if it is true that the individual made aware of the policy enforces the first level of security and is the core of the security process itself, it is also true that the unaware individual is the core of the breach. This is exactly what happened in the RSA and Epsilon affairs, where the people, the first line of defense of any organization, were the first line to be breached, well before the systems, and the breach of the people was the trigger for the breach of the systems as well.

RSA clearly explained this occurrence in a blog post, and the appealing subject “2011 Recruitment Plan” of the phishing e-mail, hiding a zero-day Adobe Flash vulnerability (CVE-2011-0609) embedded in an Excel spreadsheet, went into the annals of Information Security. Clearly the poisoned spreadsheet dropped a RAT (Remote Access Tool) used to gain privileges and move freely inside the network up to the final target.

Things were not so different for Epsilon, where individual company employees were initially targeted with email scams and used to gain access to the internal database, which is what happened.

So far there is no evidence of a similar occurrence for Sony; however, today’s Sony response to the U.S. House of Representatives, written by Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, in reply to questions posed by the subcommittee members of the House Commerce Committee, in some passages closely resembles the original RSA announcement.

Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.

And in the case of RSA:

Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA.

(Not too) curiously, the two passages are very similar, and likely the adjective “sophisticated” was used to emphasize the external origin of the attack, so as to exclude an internal fault (and the presumable consequent fall of the shares); nevertheless I could not help connecting the two sentences and, presumably, the two events, even if so far Sony has not shown the same transparency as RSA and only few details are known.

Ultimately these events (to which I should add the Night Dragon malware) show that the new cyber-attacks are targeting users and employees inside the organization. Not only did they target users to carry out the attack, but the aftermath will keep on targeting users for years: as a matter of fact, even if the full consequences of the RSA breach are not completely clear so far, PSN and Epsilon users will presumably be the targets of a new wave of spear-phishing and spam emails (so far no fraudulent use of the stolen credit card numbers, which according to Sony were encrypted, has been reported).

In all these cases, quoting Mr. Shwed’s words, we deduce the need for the user to be at the core of the security process. The security process must shift to a level which involves policy definition, people awareness and policy enforcement, at the device level through appropriate configuration and, most of all, at the user level through appropriate education.

Some Random Thoughts On RSA Breach

April 10, 2011
[Image: Security tokens from RSA Security designed as ... (image via Wikipedia)]

June 7 Update: RSA admits that some stolen seeds were used to attack Lockheed Martin and will replace SecurID tokens for customers with concentrated user bases, typically focused on protecting intellectual property and corporate networks.

May 31 Update: Wired reports that L-3, a second defense contractor, has been targeted by an attack using information stolen during the RSA breach.

May 28 Update: Other random thoughts after several sources reported that Lockheed Martin, the “largest U.S. defense contractor”, was presumably hit by an alleged attack carried out by means of compromised seeds.

Some days have passed since the RSA breach, but the echo has not yet faded. Maybe RSA did not contribute efficiently to suppressing rumors since, in the meantime, it has continued to issue ambiguous advice to its customers and, more in general, to the infosec community. Only a few days ago a post from the company explained some more details about the breach. According to that post, written by Uri Rivner, RSA Head of New Technologies, the breach was due to an APT (Advanced Persistent Threat) exploiting a zero-day Adobe Flash vulnerability (CVE-2011-0609) embedded in an Excel spreadsheet attached to an email with the appealing subject “2011 Recruitment Plan”. The poisoned file dropped a RAT (Remote Access Tool) used by the attackers to gain privileges and move freely inside the network up to the final target.

Curiously, the subject was so appealing that it convinced some users to recover the message from the quarantine folder: luring victims through pecuniary topics is a well-established method of cyber scam at all levels, and RSA was no exception in this circumstance.

This attack deserves much attention from the infosec community: we are used to thinking in terms of multi-layer protection technologies, but too often forget that individuals are the first (and weakest) layer of defense, hence even the best technology, even from a primary manufacturer such as RSA, risks being of very little use, or even useless, if not supported by adequate education of users. Phishing is considered an old attack method, mainly used in the past to lure individuals. Today its combination with 0-day vulnerabilities is proving to be a devastating weapon for cybercrime targeting enterprises. (It is no coincidence that the Night Dragon attack, maybe amplified by McAfee marketing in response to the attention gained by its eternal competitor Symantec for its role in the identification of Stuxnet, was also initiated by some phishing emails.) Is this the reason why, on April 1st, RSA decided to acquire NetWitness, a company whose technology, as stated in the press release:

provide precise and pervasive network visibility, enabling security teams to detect and remediate advanced threats while automating the incident investigation process.

Without invoking philosophical considerations, the main question is: are SecurID users really safe, or do they need to worry about their level of security after the breach?

My opinion is that the RSA breach was conceived as the final stage of a large-scale attack against a wide organization making use of RSA tokens, since in most cases (we should hope in all cases) the allegedly stolen information, alone, is not enough to perpetrate a successful attack, unless the RSA breach was preceded by other attacks perpetrated by the same author(s) aimed at stealing the missing piece of the puzzle.

Taking a step back, on March 17th, when the breach was announced, the open letter on the RSA web site stated that:

Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

Of course “potentially be used to reduce the effectiveness” sounds a little ambiguous. Anyway, a subsequent bulletin for RSA customers was released on March 21st 2010, stating that:

RSA SecurID technology continues to be a very effective authentication solution. Whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers.

Said in a few words, according to the company the stolen information, alone, cannot be used to perform a successful attack. Even if the RSA algorithm (in its post-2003 implementation using an AES hash with 128-bit ECB blocks) is not public, RSA’s statements sound plausible, since some quantities used in the hash are related neither to the 128-bit random seed nor to the 64-bit standard ISO representation of the current time: they are a 32-bit token-specific salt (supposedly the serial number of the token, which may have been taken in the breach) and 32 bits of padding. Today these quantities are not used for security purposes, but simply to shape the blocks to the 128-bit multiples required by the AES hash (enjoy the math of the AES hash algorithm at this link).


Of course, together with the PIN known only to the user, there is, in theory, enough to make an attack unsuccessful in case an (organized) gang of cybercrooks comes into possession of the database mapping each SecurID token to its seed. But unfortunately, as often happens, reality is much worse than theory, so one discovers that someone reversed the RSA algorithm and developed Cain & Abel which, by means of an RSA SecurID Token Calculator, is able to compute the one-time password of an RSA token, provided the malicious user owns the file contained in the RSA Authentication Server (mapping the token serial number to the seed) and knows the user PIN. Small “negligible” detail: since version 4.9.10 (released in 2007), Cain & Abel supports the AES-128 post-2003 SecurID implementation.

So in the end, supposing the information stolen from RSA is comparable, or could somehow be brought to be comparable (in form and content), with that contained in each RSA Authentication Server (and it should be, since each RSA token must be synchronized with its own authentication server), Cain & Abel (or a similar tool) could be applied to obtain the password for each token whose seed was stolen, provided the attacker somehow comes into possession of the only missing piece of information: the user PIN.

There are several ways to steal a user PIN, from social engineering to sniffing. Often social engineering leverages the carelessness of the user or the lack of policies in the organization (yes… in my life I have also seen SecurID tokens with a post-it attached containing the PIN). Of course when I mention sniffing I do not mean network sniffing, since whether an organization adopts SecurID tokens in native ACE mode or in RADIUS mode the PIN is never transmitted in the clear; anyway we must not forget that many organizations adopt software tokens (also on mobile devices), so one cannot exclude a priori that a large-scale attack involved the development and deployment of a Trojan tailored to steal PINs from RSA software tokens.

This is the reason why I expect that the target of the attackers was not RSA itself but an important organization making use of RSA SecurID authenticators. As a consequence I would not be surprised if a malicious tool to sniff PINs from RSA software authenticators were discovered.

Seeds on the Black Market?

If I let my imagination fly, I cannot completely exclude that the stolen information could one day be available on the black market to target other major organizations besides the presumed original victim (do not forget that banks worldwide are among the biggest customers of RSA). This is the reason why RSA users should take into serious consideration the recommendations provided by the company the day after the breach.

Personal Note 1

The Italian Security Professional group on LinkedIn dedicated an interesting post to the RSA affair (in Italian), which is continuously updated as new information is released. Today’s latest controversial piece of news: it looks like RSA will provide hack data in exchange for customer secrecy (thanks to Andrea Zapparoli Manzoni for reporting this information). This news comes on the same day I discovered a further controversial article (actually dating back a couple of weeks) reporting a possible (unconfirmed) backdoor in the SecurID tokens requested by the NSA in exchange for the authorization to export the technology… The temporal proximity to the breach is very strange, and just as strange is the fact that this information passed nearly unnoticed…

Personal Note 2

I must confess I was really intrigued to better understand how the SecurID algorithm works, in order to understand which is the missing part “to make the successful attack complete” (to use the same words as the RSA bulletin).

Since, as already mentioned, the RSA algorithm is not public (even if the first, pre-2003 version was reversed in 2000), I can only speculate. In these days I searched all the available documentation, and probably at this link I found a scenario which might be quite close to reality. Please note that what follows is mere speculation.

Since the beginning of 2003, SecurID performs an AES hash operation, in standard ECB mode, over:

  • a 128-bit token-specific true-random seed;
  • a 64-bit standard ISO representation of Current Time in the following format: year/month/day/hour/min/second;
  • a 32-bit token-specific salt (the serial number of the token);
  • another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

The latter two are not a specific security feature but are needed since the AES hash operation needs 128-bit multiples. The 64-bit standard ISO representation is derived from a 32-bit representation of the current time (GMT) in seconds since midnight on 01/01/86, of which only 22 bits are used, leaving 2^22 or 4,194,304 possible time values. These inputs, conflated and hashed by AES, generate the series of 6-8 digit (or alphanumeric) tokencodes continuously displayed on the SecurID’s LCD as a “one-time password”, rolled over every 30 or 60 seconds. In order to implement true two-factor authentication, the user must enter a known PIN to complete the authentication process (but this is configured by the administrator).
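To make the speculated layout above concrete, here is an added model written for this page: it is not RSA’s algorithm (which is not public) and not code from the original post. The packing of the 64-bit time field, the choice of which 22 bits survive and the Matyas-Meyer-Oseas reading of “AES hash” are assumptions, and the seed and serial are constructed sample values; the point it shows is that a tokencode is fully determined by seed, serial and clock, and how small the 2^22 time space is.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"time"
)

// Illustrative model of the speculated post-2003 SecurID inputs described in
// the post. It is NOT RSA's algorithm: the time packing, the 22 surviving bits
// and the AES-based compression below are assumptions made for this example.

// securIDEpoch is midnight GMT on 01/01/86, the time origin the post cites.
var securIDEpoch = time.Date(1986, time.January, 1, 0, 0, 0, 0, time.UTC)

// PossibleTimeValues is the 2^22 = 4,194,304 search space quoted in the post.
const PossibleTimeValues = 1 << 22

// TimeValue22 models the 22-bit time value: a 32-bit count of seconds since
// the epoch, reduced to the rollover interval, of which only 22 bits survive.
// Keeping the low 22 bits is an assumption; the post does not say which bits.
func TimeValue22(t time.Time, interval int64) uint32 {
	secs := uint32(t.Unix() - securIDEpoch.Unix()) // 32-bit seconds counter
	return uint32(int64(secs)/interval) & 0x3FFFFF
}

// PackTime renders t as the 64-bit year/month/day/hour/min/second field, with
// seconds snapped to the start of the 30- or 60-second rollover window.
// Layout (big-endian): year(16) month(8) day(8) hour(8) min(8) sec(8) pad(8).
func PackTime(t time.Time, interval int) [8]byte {
	t = t.UTC()
	var f [8]byte
	binary.BigEndian.PutUint16(f[0:2], uint16(t.Year()))
	f[2] = byte(t.Month())
	f[3] = byte(t.Day())
	f[4] = byte(t.Hour())
	f[5] = byte(t.Minute())
	f[6] = byte(t.Second() - t.Second()%interval)
	return f
}

// Inputs holds the four quantities the post lists, 256 bits in total.
type Inputs struct {
	Seed    [16]byte // 128-bit token-specific seed: the material at stake in the breach
	Time    [8]byte  // 64-bit time field from PackTime
	Serial  uint32   // 32-bit token-specific salt (serial number)
	Padding uint32   // 32 bits reserved for future use
}

// Pack lays the inputs out as two AES blocks: seed || (time, serial, padding).
func (in Inputs) Pack() [2][16]byte {
	var b [2][16]byte
	b[0] = in.Seed
	copy(b[1][:8], in.Time[:])
	binary.BigEndian.PutUint32(b[1][8:12], in.Serial)
	binary.BigEndian.PutUint32(b[1][12:16], in.Padding)
	return b
}

// aesHash compresses the two blocks with a Matyas-Meyer-Oseas chain
// (H_i = AES_{H_{i-1}}(M_i) XOR M_i), one standard way to build a hash from
// a block cipher; reading the post's "AES hash" this way is an assumption.
func aesHash(blocks [2][16]byte) [16]byte {
	var h [16]byte // all-zero chaining value
	for _, m := range blocks {
		c, err := aes.NewCipher(h[:])
		if err != nil {
			panic(err) // a 16-byte key is always valid for AES-128
		}
		var out [16]byte
		c.Encrypt(out[:], m[:])
		for i := range h {
			h[i] = out[i] ^ m[i]
		}
	}
	return h
}

// Tokencode reduces the hash to the 6-8 decimal digits shown on the LCD.
func Tokencode(in Inputs, digits int) string {
	h := aesHash(in.Pack())
	mod := uint64(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, binary.BigEndian.Uint64(h[:8])%mod)
}

func main() {
	// Constructed sample values; no real seed or serial appears here.
	seed := [16]byte{0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
		0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90}
	at := time.Date(2011, time.April, 10, 12, 0, 15, 0, time.UTC)
	tok := Inputs{Seed: seed, Time: PackTime(at, 60), Serial: 123456}
	fmt.Println("tokencode:", Tokencode(tok, 6))
	// Same seed and window, different serial: the "salt" changes the code, so a
	// seed is only usable together with the serial-to-seed mapping.
	other := tok
	other.Serial = 123457
	fmt.Println("other serial:", Tokencode(other, 6))
	fmt.Printf("22-bit time value: %d of %d\n", TimeValue22(at, 60), PossibleTimeValues)
}
```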

Will Energy Facilities Be The Next Targets Of Cyber-War?

April 3, 2011

I spent some time reading the declarations of Comodo Hacker, the alleged author of the fake certificates issued by means of the compromise of a couple of (sigh!) Italian Comodo partners, and I found some very interesting points going far beyond the single event.

Actually, it had been clear from the beginning that the attack had been performed from an Iranian ISP, feeding the hypothesis of an Iranian Cyber Army action aimed at intercepting emails from dissidents, in a quite troubled moment for the Middle East after the winds of change blowing from the Maghreb.

Anyway Comodo Hacker was anxious to quickly set the record straight, declaring he was the sole author of the attack and that, if one really wanted to involve an army in the event, one had to consider that he alone was the army, being able to rely on his own experience worth 1000 programmers, 1000 project managers and 1000 hackers:

Now, even if the political connotation of the message still makes me think that behind this act there might be a real cyber army (but this is my personal opinion), this is not the real point. The real point is that this attack occurred as a kind of revenge against Stuxnet and, more in general, against the fact, asserted by Comodo Hacker, that the U.S. and Israel were behind it.

Fight fire with fire, fight code with code…

The attack on Comodo certificates has left a wide impact on the infosec world and probably things will not be the same anymore, since in a few days all the strongholds the identity security model relied on have been miserably compromised (I took the liberty of adding the RSA affair to this event, even if there is no evidence so far of a political matrix behind it). But there is another interesting point, and it is the third law of motion (you probably do not know that I was a physicist in my previous life) which, with not too much imagination, could be applied to infosec as well, if one considers the events that are happening: “the mutual forces of action and reaction between two bodies are equal, opposite and collinear”, which, in a few simple words, should sound like: “to every cyber-action corresponds an equal and opposite cyber-reaction”. If this is true, it means to me, as an infosec professional, that we will have to get used to similar cyber actions. Also from this point of view things will not be the same anymore…

Armed with this awareness, my mind inevitably runs among the dunes of the Libyan desert, where a civil war now sadly familiar to all is being fought. Let me fly (but not too far) with my imagination and suppose that the civil war ends with the exile of Mr. Muammar Gaddafi. In this case it is likely that he will seek his revenge not only with real terrorist acts, but also with (cyber)terrorist acts, in the wake of the Comodo affair, which, even if related to Iran, is the first known example of a cyber-terrorist act strictly related not only to the Stuxnet attack, but also to the movements flooding from the Maghreb to the Middle East, what I called the Mobile Warfare due to the primary role played by mobile technologies in these events.

We don’t have privacy in internet, we don’t have security in digital world, just wait and see… These lines can be considered a kind of declaration of cyber-war against everything…

Targets of Cyberwar

Nowadays everything has a stream of bits inside and is therefore vulnerable to malware. What is happening in Libya (and the consequences on our energy bills), together with the risk of nuclear meltdown in Fukushima, is pushing the so-called Western world to reconsider its energy policy and accelerate the development of Smart Grids in order to promote a better, wiser use of energy. In these circumstances compromising an energy facility would have a huge practical and symbolic impact (do you remember the Night Dragon APT, tailored specifically for oil facilities?), and that is the reason why, in my opinion, the first targets of this cyber-terrorism reaction will be energy utilities. A few weeks ago I wrote an article (in Italian) about vulnerabilities and security of Smart Grids, which can be considered the “world of the unknown” from a security perspective, since they adopt an Internet open model to interconnect old legacy SCADA systems and, to make matters worse, the structures that govern the IT world and the SCADA world have a siloed approach, being often mutually suspicious of each other. As a dark omen, a few days later a list of 34 0-day SCADA vulnerabilities was released by Luigi Auriemma, an Italian researcher.

Think about it: compromising a smart grid with SCADA malware could have potentially devastating consequences and would sound like a kind of dark revenge: imagine Iranian SCADA malware sabotaging the energy facilities of the U.S. and, more in general, the facilities the Western world is building to cut the umbilical cord that ties it strictly to the Middle East countries (which are often also the hottest as far as the political temperature is concerned).

Moreover, the development of electric vehicles will further complicate the scenario, since they will be able to connect directly to Home Area Networks (the borderline of Smart Grids), offering an unexpected (and probably not so complicated) entry point into Smart Grids for cyber-terrorists, if it is true that nowadays a small car carries 30-50 ECUs (Electronic Control Units) interconnected by a bidirectional synchronous bus and governed by something like 100 million lines of code. My dear friend and colleague, ICT security expert and aviation guru David Cenciotti will be glad to know that an F-22 Raptor has about one tenth of that (“only” 1.7 million lines of code), the F-35 Joint Strike Fighter about 5.7 million and the Boeing 787 Dreamliner about 6.5 million, used to manage avionics and on-board systems. Of course one cannot exclude a priori that these systems may also be the target of specifically tailored malware (do you remember the intrepid Jeff Goldblum uploading a virus to the alien mother ship in Independence Day?).

Shall we prepare ourselves for a Smart Grid Stuxnet? I think there is enough to be worried about for the next few years…

RSA Servers Breached

This morning I woke up to one of those pieces of news whose echo will reverberate for quite a while in the infosec arena. The Sophos blog reports that the well-known security company RSA, specialized in strong authentication systems (which it practically invented), has been the victim of a cyber attack that led to the theft of some important information.

The news was communicated by RSA itself through a terse statement on its own website. Although the company managed to detect the attack and immediately strengthened its security measures, unfortunately it could not prevent the theft of valuable information from its servers, including some related to its two-factor OTP strong authentication system, RSA SecurID, which for years has been the flagship solution of the company (which in fact invented the homonymous asymmetric encryption algorithm). Who among us has never used, at least once, the little display with the magic numbers that change every 10 seconds?

The details of the attack are not known: RSA declared it was the victim of an extremely sophisticated cyber attack, but it seems that at its root there is in any case an Advanced Persistent Threat, that is an extremely sophisticated attack, carried out on many levels and probably having the user as its point of entry (at this link an excellent definition of this type of attack).

As mentioned earlier, the worst side of the story lies in the fact that some information related to the two-factor authentication solution also appears to have been stolen. At present there is no news of possible attacks against customers (RSA produces the majority of the OTP tokens on the market, used for the most varied purposes: from banking transactions to operators’ remote access), however:

this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

That is, the stolen data could be used to reduce the effectiveness of the current two-factor authentication system as part of a broader attack.

RSA will soon provide its customers with some recommendations to make their two-factor authentication infrastructure more secure; in the meantime, in collaboration with the U.S. Securities and Exchange Commission, it has published the following recommendations:

  • Increase the level of security around social media applications and the use of such applications (and of any other websites) by anyone with access to critical portions of the network;
  • Use strong passwords, accompanied by PINs;
  • Apply the rule of least privilege when assigning roles and responsibilities to security administrators (any administrator must access only the minimum level of information needed to carry out their own activity);
  • Educate users on the importance of avoiding suspicious emails and remind them not to provide user names or other credentials to anyone without first verifying their identity and authority. Never provide credentials in response to requests made by email or phone, and report such behaviour immediately;
  • Pay attention to the protection of Active Directory repositories, using SIEM (Security Information & Event Management) technologies and two-factor authentication for access to those repositories;
  • Carefully monitor changes to user privileges and related access rights using monitoring technologies (for instance the already mentioned SIEM) and consider adding manual approval levels for these changes;
  • Harden, actively monitor and at the same time limit physical access to the infrastructures hosting critical information;
  • Examine help desk procedures looking for any information leaks that could implicitly help an attacker carry out a social engineering attack;
  • Always update the whole security infrastructure and the operating systems with the latest security patches.

Once again in the course of 2011 the equation APT = information theft proves sadly winning and effective. No details of the attack have leaked yet but, from the analysis of the recommendations provided, some common traits emerge: the “compromise” of the user as the point of entry for the compromise of the infrastructure. After all, if you analyze the recommendations provided and compare them with the morphology of the Night Dragon attack, don’t you find that they perfectly coincide with the human and technological vulnerabilities exploited in that context?

Paris Is Well Worth a Mass (In Security)

Confirming the forecasts of the security vendors, it really seems that over the course of 2011 we will have to get used to politically motivated cyber attacks. The latest illustrious victim, in chronological order, is the French Ministry of Finance, the victim in December 2010 of an attack that led to the theft of economic and financial documents concerning the French rotating presidency of the G20 and other economic matters.

In that period, according to the French magazine Paris Match, which revealed the affair, more than 150 computers belonging to the French Ministry of Economy were the victims of malicious intrusions that led to the illicit theft of numerous documents.

Subsequent investigations revealed that the stolen files were sent to some Chinese servers. In itself the matter would already seem rather suspicious, considering that among the topics discussed during the French presidency of the G20 there was also the long-standing issue of economic relations between China and the rest of the world.

Indipendentemente dalla cautela riguardo la presunta origine dell’attacco, ci sono due aspetti che mi hanno particolarmente colpito in questa vicenda: il primo è la presunta matrice politica dell’attacco. Il secondo, ancora più curioso, e per certi versi sconcertante, è il fatto che in questo attacco ho trovato molti aspetti in comune con il caso di Night Dragon, il malware con velleità energetiche concepito con lo scopo di sottrarre piani di progetto ed economici, relativi a raffinerie e centrali energetiche oil & gas. Questi aspetti prefigurano il modello di attacco di cui sentiremo parlare molto nel 2011 e sono relativi al fatto che il malware è riuscito a far breccia nella linea Maginot delle difese informatiche francesi, nel modo più ingenuo possibile, ovvero mediante un Trojan inviato via mail. Una volta eseguito, il malware è stato in grado di creare una porta di servizio backdoor, mediante la quale i gli attaccanti sono entrati all’interno dei computer vittima e presumibilmente nei server che ospitavano le informazioni sensibili.

Il punto nodale della questione risiede proprio in questo secondo aspetto. In questo attacco, come nel caso di Night Dragon, gli attaccanti hanno utilizzato come punto di ingresso un metodo piuttosto tradizionale, ovvero un trojan ricevuto via mail, strumento questo principalmente utilizzato, nella precedente era informatica, più per scopi personali (ad esempio rubare le credenziali di acesso al conto bancario), che politici. In effetti, le previsioni di sicurezza per il 2011 prevedevano il furto delle informazioni come uno dei principali refrain di questo 2011 cyber-informatico, eventualmente mediante l’utilizzo di quello che è stato definito lo Spyware 2.0, ovvero spyware rimodulato per scopi ben più ampi del semplice furto di informazioni personali.

Il DLP è sicuramente una tecnologia che può esesere a supporto per la prevenzione di eventi analoghi. Ad ogni modo, e non mi stancherò mai di dirlo, l’utente rimane al centro del processo di sicurezza, pertanto non dovrebbe mai dimenticare le conseguenze, a volte non immediate e inimmaginabili, di un comportamento superficiale, soprattutto in concomitanza di eventi simili.

Cisco 4Q 2010 Report: Web Malware Went Bot(net)

February 20, 2011

After McAfee and Symantec, it is Cisco's turn: the router and perimeter security giant has recently published its Cisco 4Q10 Global Threat Report, which reflects the global security trends from October to December 2010.

The Cisco report differs slightly from the documents cited previously because it comes from a security vendor focused on network solutions, and it is moreover based on traffic data collected by its own network of Intrusion Prevention (IPS) sensors, by IronPort security appliances for e-mail and Web traffic, by its own Remote Management Services (RMS), and finally by its own ScanSafe cloud-based security services.

Malware Peak in October

In the period under review, Enterprise users registered on average 135 new malware encounters per month, with a peak of 250 events per month in October, the month that also saw the highest number of intercepted hosts serving web malware, which reached 16,905. In total, 38,811 web events were detected in the period, resulting in a total of 127,622 URLs.

Search engine related traffic accounted for about 8% of web malware, with the largest share, 3.84%, coming from Google, a remarkable drop compared to the 7% of the same type of traffic detected in the third quarter. Webmail traffic instead accounted for 1%.

The Gumblar malware (characterized by redirecting searches) compromised on average 2% of searches in Q4 2010, again a sharp drop compared to the 17% peak reached in May 2010.

As for application exploits, Java ruled the roost: SUN Oracle's creature beat the competition, positioning itself at 6.5%, a percentage almost four times higher than that of PDF file vulnerabilities.

The vertical sectors most at risk turned out to be Pharmaceutical, Chemical, and the energy sector (oil and gas); for the latter, the Night Dragon malware probably contributed as well.

Botnet Activity

The analyses made possible by the data collected through the IPS sensors and the managed services allowed tracking botnet activity in the period under review. The data showed a slight increase in botnet-generated traffic, especially for Rustock, the most widespread network of compromised machines, which had a remarkable peak at the end of the year.

As for the most frequently detected attack signatures, “SQL Injections” (Generic SQL Injection) stand out in first place, confirming what many vendors have indicated, namely that in 2011 traditional vulnerabilities will be used in a more structured way for broader purposes (information theft, hacktivism, etc.).

It is interesting to note that even in 2011 viral leftovers such as Conficker, MyDoom and Slammer were still detected. On the other hand, according to the San Francisco vendor, older types of viruses such as boot sector and DOS file infections are on the way to extinction (ironically, the report had just been released when a new infection targeting the Master Boot Record was detected, attracting some attention in the community).

Also interesting is the impact of world events on the quality and quantity of traffic: the Cisco sensor network in fact detected a peak of peer-to-peer traffic (in particular BitTorrent) in the last part of the year, coinciding in time with the disclosure of the WikiLeaks “secrets”, which led users, given the containment measures attempted by the US authorities, to look for alternative routes to get hold of the documents.

Less Spam for Everyone!

Security vendors rarely agree with each other; however, in the case of spam, the indications of the San Jose giant are in substantial agreement with those of McAfee. The fourth quarter of 2010 registered a considerable drop in unwanted mail, plausibly attributable to the large-scale cleanup operations carried out at the beginning of last year against the big botnets Lethic, Waledac, Mariposa and Zeus, and later in the same year against Pushdo, Bredolab and Koobface.
