CISPA Bill Passed by Representatives Again – Trouble on the Horizon!

The Cyber Information Sharing and Protection Act, AKA CISPA, has once again passed in the US House of Representatives. Reminder that this bill gives government agencies and their other agencies access to personal, private user data to help monitor for the presence of hackers.

Now, when CISPA was first passed, Senate said NO! Also, President Barack Obama has said that he’d veto the bill if it came through his office. Because of the different privacy issues, many advocates against this bill will fight it to the end.

This bill has been backed by bigwig business for a long period of time, almost since the beginning of the talks of this bill. Maybe it could be the big government contract ($$$) for these big businesses that seem attractive or maybe could be the fact that these business truly believe to end hackers’ abilities.

Will it completely stop hacker initiatives? Probably not. However, it would provide the ability to try to limit some of the bigger initiatives.

Government sectors of China, Russia, etc. are a bit of a cyberthreat to the United States, information access is what the US will need if it wants ahead of the game. Do you agree?

Of course the president of the US doesn’t want it passed if it violates the rights of citizens. But, in the end, realize that if money among other things, like personally-identifiable-information were to be stolen every year — and people would realize this, then people should have no problem with their data being accessible to US authorities rather than hackers.

The bright side would be, is if government authorities have access to your private data, it isn’t going to spread around like wildfire, unlike what’d happen if a hacker got a hold of it.

It’s easy to do an Internet search for lists of email addresses, and pull up loads upon loads of private email addresses that hackers posted in public to humiliate those that haven’t been smart enough to keep it secret.

Spammers and phishers, all the time, access your private information on Facebook, if you accidentally click the wrong link or follow a malicious email link – which asks you to ‘enter your Facebook username and password to continue.’

Some people argue that the government doesn’t care for internet users but rather cares for the money they’d get. Well, actually, if you think about it, the government is paying these big businesses to participate in the information sharing process, so the American people’s pocketbooks/wallets can be protected, and their own privacy.

Who else has protested this? Anonymous:

Even the Reddit co-founder is urging the US Government to NOT pass it.

What should be our take? You decide. My vote is neutral. I see this bill as a good thing in spots (because of potentially ending hacker initiatives and malware/virus threats), however, it poses a major privacy threat. For most advocates of privacy, I agree with them.

Your opinion matters too! Contact your local senator and let your voice be heard. It’s usually best to write a letter, which provides good results. Providing written documentation of a fair but firm protest is the best way to go.

Mandiant is investigating hacks in efforts to better their research

Mandiant, the company behind the big research report we talked about on APT1, is now asking for people to talk about their hacking episodes they’ve been affected with. They’re trying to be the go-to investigators, it seems, for the Fortune 1000.

When trying for importance, first of all, let your work speak for yourself instead of trying so hard and stating your intents. Anyway, back on topic…When the New York Times was hacked back in late 2012, phone calls were made to Mandiant. When Mandiant investigated this issue, reports were shown that the hacks were coming from a hidden firm in the Chinese military, called APT1.

Sketch of the 12-Story Shanghai-based defense headquarters of unit 61398.

A 60-page report (PDF), which was created by Mandiant, detailed the issues behind cyber-espionage group APT1.  The New York Times detailed all about APT1 as well (which summarized some info in the 60-pg. report), and by rights done so out of anger/reply against the crime group.

One of the surprising aspects of the report, is that APT1 practiced spearphishing attacks on the NYT, but what were they targeting? A big organization with big media possibilities. That’s the point in spearphishing.

Mandiant’s data forensic capabilities are stepping it up, and now they want to know about your hacks that have been experienced. They’re looking to investigate more of the issues behind some of the hacks. They want to target the organizations, whomever they are, that are behind these small-to-large scale attacks.

Check out this video from Mandiant:

Some of Mandiant’s operations can be read on their annual report.

This proves that the investigations are continuing in trial for the cyberwars that are going on around the world. It’s still continuing, and even stepped up in some means.

Feel free to comment on this story below.

US and South Korea Embrace Partnership before North Korea Prowls

South Korea, unbelievably will be stepping up partnership with the US, as North Korea becomes a more emerging threat (after declaring war late last week). Seems like North Korea, recently, has made its intentions known to attack the United States and South Korea. Although it may not seem like a large attack, we must still keep guard.

A news agency in South Korea identified that its defense ministry is planning to increase their forces and attempt to deter any further attacks. A customized deterrence strategy is in the works between the US and South Korea. Therefore, it plans to begin military drills sometime late this Summer (some are thinking August).

It’s hoped that South Korea could also aid as an ally, especially if it means the US has to battle North Korea in the future. Although this is like a small dog yapper trying to intimidate a big dog, a pre-meditated terror plot, like Al-Qaeda, is nothing to sneeze at.

The cyberwar continues to step it up little-by-little, but it seems like things have slowed a bit. Which is never a good sign, usually, because slowing down activity means that they are just meditating on a much bigger or more planned attack, and to take the US by surprise.

Stuxnet Attack on Iran was Illegal? Read more inside…

The North Atlantic Treaty Organization’s (NATO) researchers have uncovered a serious reality in the Stuxnet case against Iran (brought on by the US and Israel). NATO’s researchers call it an “act of force”, which was apparently an illegal move.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by international legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.

Apparently, it is prohibited, “according to the U.N. charter, the use of force is prohibited, except in self-defense,” says Michael N. Schmitt, a lead author on The Tallinn Manual on the International Law Applicable to Cyber Warfare.

According to the Washington Times, The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I.

Also, the article stated that neither Israel nor the United States has publicly acknowledged being behind Stuxnet, but anonymous U.S. national security officials have told news outlets that the two countries worked together to launch the attack, which set the Iranian nuclear program back as much as two years, according to some estimates.

A manual produced by 20 researchers in NATO, as well as some legal scholars and senior military lawyers, details 300 pages worth of important cybersecurity analysis.

“We wrote it as an aid to legal advisers to governments and militaries, almost a textbook,” Schmitt told the paper. “We wanted to create a product that would be useful to states to help them decide what their position is. We were not making recommendations, we did not define best practice, we did not want to get into policy,” he said.

More detailed investigation is probable in this matter.

Another missing link in Stuxnet Reveals Earlier Infection Time

Stuxnet, the government malware believed to have been created by a dual-venture of the US and Israel, and the one used to attack the Iran nuclear enrichment facility, is now believed to have an earlier attack link. It is believed now that sometime in 2008 was when the facility may have been in progress of attacks from Stuxnet.

Iran leaders met in Kazakhstan this week to discuss with members of the UN Security Council the nuclear program. The researchers there announced a new variant of the sophisticated Stuxnet cyberweapon.

Some have noted that the US and Israel may have partnered way before doing similar activities to try to take down the nuclear enrichment program in Iran.

The new variant was designed as a different attack vector against the centrifuges for the uranium enrichment program, versus later versions released. This “new variant” was apparently released in 2007. Here we are six years later, knowing the discovery of such variant. This shows that the current versions of Stuxnet were made in 2009, which means this variant now recognized predated the original code that researchers found. Therefore, its first version may have been in 2007. That tells security experts this: Stuxnet was attacking much earlier than previously thought.

Still to make a rebuttal, Iran is awaiting and planning new cyberwarriors, which can construct cyberattacks and cyberterrorism on the US.

Looking in the code of the 2007 version, it was used for Siemens PLCs, which are used in the Iran nuclear enrichment program in Natanz. It was aimed at sabotaging the valves’ operations, by controlling the flow of uranium.

The list of new information goes on. According to Wired Magazine, the new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.

Recent Hacks: NBC.com, Twitter, and Zendesk – Warnings: Tumblr, Pinterest

After dealing with multiple attacks on several sites, including Apple, Facebook, and Twitter – this being Java exploits. Now, it’s time to deal with more hacks, including NBC.com (which has been serving up malware for a day now) and Twitter. As in recent reports now, Tumblr and Pinterest have been forewarned.

The latest high profile organization that was recently hacked is the National Broadcast Company (NBC), more specifically on their website. The idea from the hackers is to use the website to infect visitors, using exploits and other JavaScript injections.

NBC.com’s hacked pages were modified to include additional HTML component called IFRAME, which is inline frame. This allows at least a 1px x 1px frame to be included independently in the webpage, which may contain malicious code. In HTML code, frames can be made to host web content. But, in the hands of the evildoers, aka cybercriminals, it is used as an effort to launch malware campaigns.

Malicious JavaScript was added to the mix, and also used the exploit kit called RedKit. It delivers one of two exploit files to try to take control of your browser.

I recognized something was wrong with NBC.com, which may have already been hacked a few weeks ago, and I posted the information on my Twitter account that a downloaded file was sent to my browser asking me to save or open it. This was on a sister site/blog, RedTape. I asked people to replicate it. The Twitter status can be found here.

What type of malware was delivered? Citadel or ZeroAccess, which are both crimeware families and botnets. They are usually part of several exploit kits.

This drive-by download situation is no good, as the pages were taken offline. Therefore, that dropped the traffic of those specific areas of the site. It is sure that this situation is a matter of cybercrime aimed at a financial side of things, not defacement or pranks.

Was it a big deal that it was NBC? No. In fact, it is sure the hackers were aimed at using a high-profile site, and apparently NBC.com was the easiest or quickest to access. Hackers rely on time and many other factors to make their approach(es).

Zendesk hacks and other various warnings

Zendesk is all about customer support…therefore no one really knows, except for those in the business of customer support. Big names use this service, which include Tumblr, Twitter, and Pinterest, among others. Hackers broke into the Zendesk systems, accessing email addresses of those big name customers, namely Twitter, Tumblr, and Pinterest.

How “pinteresting” that another hack has been born, which is related to a social network. Zendesk detailed the hack:

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

The companies involved made a point to tell its customers that they haven’t been hacked, but private information was stolen. Luckily, no password thievery was involved.

Obviously, an incident like this, just like the NBC.com incident, needs to be taken very seriously. Something must be done to stop the continuous hacks.

Twitter hacks additionally are nothing new. Many times, hackers used a backdoor, such as the tools the support team uses, to infiltrate the information of Twitter users. It’s not a huge gain, more possibly a waste of time.

Cyberspy Group of Chinese Army Spotted

Visiting the outskirts of Shanghai, China, you’ll notice the 12-story People’s Liberation Army base Unit 61398, a defense headquarters. What is this building for? Cyberwarriors as they’re called, or more specifically those trained to get involved in cyberwar (internet war and crimes, hacking, etc.).

American Intelligence Officials have found a growing body of digital forensic evidence, according to the New York Times, which has been in operation for years. Speculation remains that this building, as sketched above, is the originating point for all the recent cyberattacks on US corporations, government agencies, and other organizations.

There is a 60-page report (PDF), detailed by Mandiant, an American computer security firm, released today, talking about exposing the cyber-espionage group APT1 (a Chinese organized unit).

“In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources,” Mandiant said in its report. “PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.”

Goes on… “Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”

When contacted recently, the Chinese Embassy in Washington, swears their government does not engage in computer hacking, according to the New York Times, and that such activity is illegal. They were quick to point out that they have no hacking groups, but the US clearly has many hacking groups. Sounds a bit childish to say they have none, but blame others, right?

The US is planning more aggressive defense toward these Chinese hacking groups, and under such directive last week by President Barack Obama signing the Executive Order, unique digital signatures from the groups will be provided to American internet providers.

More information on the investigation is detailed in the New York Times.

 

Zero-Day Java Exploit Affects Facebook

After all of the latest attacks on government, corporate, and social networking organizations, Twitter the most recent, it appears Facebook had their share this year.

Facebook revealed yesterday that it was hit in January from an unidentified group of hackers, however, no user information was compromised during the attack.

Here is a snippet from the note issued:

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.

It was said also that a zero-day Java exploit was found, when the suspicious domains in their logs revealed in the Java sandbox many vulnerabilities. The update was provided to Oracle who shipped patch(es) for the specific vulnerabilities found.

The company also stated, “We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”

Other websites were additionally affected by this, and that the computers affected at Facebook were fully patched and clean before the attack.

Kelihos Botnet Appears Again with New Variant

Kelihos appears again with a new variant as many researchers have discovered. The variant enables it to remain dormant on the machine with sinkholing techniques, and other rootkit-style operations. It hides domains, and does many other things to conceal itself, as researchers have discovered.

This is the third attempt for the Kelihos botnet. When it got shutdown back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was figured that it was a P2P botnet, which made it more difficult to shutdown completely all operations for the botnet. At least its main servers were cut off, but it didn’t stop the malware from spreading since tons of blackhats still had the malcode on their own server/computer.

Researchers at Deep End Research and FireEye have new samples that have been analyzing, and after some impressive research, it was found that the Kelihos network is back on the rise.

“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.

Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.

All-Out Cyberwar is Going On in the Dark, Pentagon Increasing Cybersec Teams

Could there be a “cyber 9/11”? Would there be an all-out cyberwar happening right now? There is a war going on, a cyber one at that, going on here in the states. If you work for a defense contractor, bank, train and plane transportation providers (also including RTAs and other digitally-depending transportation methods), power company, water and utilities plants, etc. are in direct line of fire of potential cyberwar problems.

A brewing cyberwar has been going on in the past year, and usually people view it as governments going head to head (like it would in actual wars). However, there is more of a cyberwar against governments, corporations, and of course the entities we named above.

With seeing government threats, like Stuxnet, Flame, etc., to cybercrime units like Red October, Rustock, even Virut/Waledec – seems like the threat is getting out of hand. With the use of tactics like from these malware powerhouses, our worry for a severe (life-threatening) attack should be a lot greater…mainly to the fact that the US should seriously prepare itself.

“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.

Martinez studies different issues, such as US entities being targeted by fronts from China, Iran for intellectual property theft to other cybercrimes such as stealing identities or cash.

When we look at Stuxnet for example, the US and Israel crafted it jointly to disrupt Iranian nuclear facilities. Problem here is, doing that may have just been a provoking edge to the cybcerwar for Iran to develop something else and revenge. Doing this caused Iran then, to strike back with cyber attacks on US banks. Some have thought Iran was behind the Shamoon virus as well, which wipes out 30K hard drives and taking computers offline at Saudi Aramco for several weeks.

Defense firms in the US are hoping that some of the Fortune 500 cybersecurity companies have a good plan to counterattack and defend for the US to these opponents.

The Pentagon has come back with newer accounts of management for this cyberwar by planning to increase cybersecurity teams. The Senate is continually pushing for legislation for information sharing on threats and cyber attacks. President Obama prepares to issue executive order on cybersecurity, so the Department of Defense is looking for a massive increase in the number of trained cybersecurity personnel helping to defend our country’s public and even private networks.

The government has had trouble in the past looking for the right personnel, since most are employed by agencies that don’t discuss operations publicly (due to the risk of the information getting in to the wrong hands). The Pentagon is planning to push up the number of security professionals up to 5,000 in the next few years (which is up from a little under 1,000). They’re hoping for both military and civilian security personnel to join up, so the diversity helps the US prepare for any issue.

Expect a better take charge situation by corporate, government, and private firms in this cyberwar situation!