News from around the Internet
U.S. Homes In on China Spying
Dec 13, 2011link link
The Chinese cyberspying campaign stems largely from a dozen groups connected to China's People's Liberation Army and a half-dozen nonmilitary groups connected to organizations like universities, said those who were briefed on the investigation. Two other groups play a significant role, though investigators haven't determined whether they are connected to the military.
Still, diplomatic considerations may limit the U.S. interest in taking a more confrontational approach because some U.S. officials are wary of angering China, the largest holder of U.S. debt.
The U.S. is starting to name names, but decades of fiscal irresponsibility is hampering our ability to respond.
USB Sticks Lost by Railway Commuters Are Unencrypted and Often Infected
Dec 7, 2011link link
An analysis of  USB memory sticks lost on trains in Sydney revealed that two thirds of them were infected with one or more strains of malware and none was secured with an encryption solution.
Don't even think about sticking a USB stick you find into your computer.
The Future of the Electric Grid
Dec 5, 2011link link
The scale of investment required to improve cybersecurity [of the electric grid] is not insignificant. A 2011 EPRI report estimated that a $3.7 billion investment is needed for grid cybersecurity, although this amount is relatively low compared to its estimate of a net total investment over 20 years of between $338 and $476 billion needed to realize the benefits of the smart grid. But as GAO points out in a 2007 report, it is difficult to make the business case for investing in critical infrastructure cybersecurity because the probability of a serious event is still very low and the consequences are so difficult to quantify.
The lack of a business case to invest in cybersecurity doesn't leave me with a warm comfortable feeling. The amount planned for cyber security is only about 1% of the investment costs for the smart grid. If the electric grid goes down, pretty much everyone's networks will go down shortly.
No Austerity in Cybersecurity: Double-Digit Growth Predicted
Nov 30, 2011link link
A new forecast for cybersecurity spending cements the industry's status as a growth sector, rather than a passing fad. The study, published Dec. 1, predicts more defense contractors will be scooping up information-technology companies in the coming years as a means to capture market share.
Analysts at the global accounting and auditing firm PwC project that overall global cybersecurity spending will reach $60 billion in 2011, and will grow at a rate of 10 percent annually during the next three to five years.
Army Gen. Keith Alexander, commander of U.S. Cyber Command, has described the theft of sensitive information and trade secrets from corporate networks as staggering and the "greatest raid on intellectual property" in history.
The last quote doesn't square with the first quote. As can be seen in the other articles cited here, the current technologies are not stopping "greatest raid on intellectual property". Instead of buying "market share", companies should be investing in and buying original solutions.
2011 Report to Congress of the U.S.-China Economic and Security Review Commission
Nov 2011link link
This report responds to the mandate for the Commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China."
In continuation of previous practice, China in 2011 conducted and supported a range of malicious cyber activities. These included network exploitations to facilitate industrial espionage and the compromise of U.S. and foreign government computer systems. Evidence also surfaced that suggests Chinese state-level involvement in targeted cyber attacks.
I didn't even realize such a commission existed. There is really nothing new here, at least if you read this blog.
The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
Nov 2011link link
Around half of the £650 million funding will go towards enhancing the UK's core capability, based mainly at GCHQ at Cheltenham, to detect and counter cyber attacks. The details of this work are necessarily classified, but it will strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat.
GCHQ is home to world-class expertise in cyber security. Government will explore ways in which that expertise can more directly benefit economic growth and support the development of the UK cyber security sector without compromising the agency's core security and intelligence mission.
Government Communications Headquarters (GCHQ) sounds like the UK's version of Cyber Command. The report hits on the standard messages for government reports on cyber crime and cyber espionage.
National Counterintelligence Office: Foreign Spies Stealing US Economic Secrets in Cyberspace
Oct 2011link link
This report differs from previous editions in three important ways. The first and most significant is the focus. This report gives special attention to foreign collectors' exploitation of cyberspace, while not excluding other established tactics and methods used in foreign economic collection and industrial espionage. This reflects the fact that nearly all business records, research results, and other sensitive economic or technology-related information now exists primarily in digital form.
Many victims of economic espionage are unaware of the crime until years after loss of the information.
Estimates from academic literature on the losses from economic espionage range so widely at to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to collect losses.
Just say "it's a lot of money", and many, if not most, victims don't even know they are being robbed.
Pentagon to Help Defend Cyber Networks
Sep 26, 2011link link
As hackers and hostile nations launch increasingly sophisticated
cyberattacks against U.S. defense contractors, the Pentagon is extending
a pilot program to help protect its prime suppliers.
That program could serve as a possible model for other government agencies. It is being evaluated by the Department of Homeland Security, as part of a potential effort to extend similar protections to power plants, the electric grid and other critical infrastructure.
The analysts dissect intrusions, malware and other attacks that have breached or tried to burrow into the defense contractors' computer systems. And while those investigations are just a small fraction of the lab's work, the number has grown steadily over the past three years.
If the defense contractors have troubles protecting their networks, think how hard it is for regular enterprises or small to medium-sized businesses. I haven't seen any indication that DHS has the manpower, or budget to do something similar for critical infrastructure.
With turnkey solutions like antivirus software failing to keep out intrusions, I think there will be a growing need for third-party companies to provide security expertise to companies.
Hackers may have had head start in Ottawa cyber-attack
Sep 25, 2011link link
"Indications are that data has been exfiltrated and that privileged accounts have been compromised," the incident report says.
Three days later, there were fears about the email accounts of senior Finance Department officials being targeted. A bulletin sent Jan. 21 noted "the risk of loss of sensitive information resulting from these targeted emails is HIGH."
When the attack was first reported Jan. 24, Treasury Board seized on the crisis to fast-track a request for better tools, asking that the procurement be considered a matter of protecting national security.
The Canadian Treasury Board and Finance Department, described as the federal government's two main economic nerver centers, were targeted in January. Nine months later full Internet access has not yet been restored. Lots of information about the attack has been censored, and given the reported chaos they experienced, and still are experiencing to some extent, I suspect much about the attack will remain a mystery.
Here is an article by CBC News back in February.
The Lurid Downloader
Sep 2011link link
It constantly communicates with a C&C server to perform certain info-stealing tasks. The main feature of the Trojan is that all communication is started by the client by http. Firewalls and other security devices will never see any communication from outside in. Even the interactive command line is built this way so everything is done from the inside out. The communication is always encrypted although it's a simple XOR single- byte encryption. This means that network security devices won't readily see anything suspicious going on.
While we were unable to recover the data obtained by the attackers, we were able to collect some of the command issued by the attackers that hint at their objectives. We found that the attackers often issued the "LS" command to send a directory listing from specific directories on the compromised computers back to the command and control server. We also observed the use of the "SEND FILE" that ordered the compromised computers to compress, split and upload specific files (.rar, .xls, .doc) to the command and control server. However, we were unable to recover the ex-filtrated data.
APTnets are the new Botnets. Several years ago large numbers of computers were compromised and organized into Botnets. These Botnets were typically used to send out spam or launch DDoS attacks. Today large numbers of computers are compromised to steal the information on them.
This APTnet, named Lurid by the investigators, penetrated 1,465 hosts as determined by the addresses of machines sending information to the command and control computers. A large number of space and research-related as well as government systems were penetrated, especially in Russia. Computers in 61 different countries were penetrated.
As is usually the case, because of encryption and lack of host-based sensors, no one will probably know exactly what information was stolen.