Mandiant is investigating hacks in efforts to better their research

Mandiant, the company behind the big research report we talked about on APT1, is now asking for people to talk about their hacking episodes they’ve been affected with. They’re trying to be the go-to investigators, it seems, for the Fortune 1000.

When trying for importance, first of all, let your work speak for yourself instead of trying so hard and stating your intents. Anyway, back on topic…When the New York Times was hacked back in late 2012, phone calls were made to Mandiant. When Mandiant investigated this issue, reports were shown that the hacks were coming from a hidden firm in the Chinese military, called APT1.

Sketch of the 12-Story Shanghai-based defense headquarters of unit 61398.

A 60-page report (PDF), which was created by Mandiant, detailed the issues behind cyber-espionage group APT1.  The New York Times detailed all about APT1 as well (which summarized some info in the 60-pg. report), and by rights done so out of anger/reply against the crime group.

One of the surprising aspects of the report, is that APT1 practiced spearphishing attacks on the NYT, but what were they targeting? A big organization with big media possibilities. That’s the point in spearphishing.

Mandiant’s data forensic capabilities are stepping it up, and now they want to know about your hacks that have been experienced. They’re looking to investigate more of the issues behind some of the hacks. They want to target the organizations, whomever they are, that are behind these small-to-large scale attacks.

Check out this video from Mandiant:

Some of Mandiant’s operations can be read on their annual report.

This proves that the investigations are continuing in trial for the cyberwars that are going on around the world. It’s still continuing, and even stepped up in some means.

Feel free to comment on this story below.

Twitter Hacked: 250,000 Accounts Compromised

Seems like a lot of US companies, particularly media companies, are being attacked recently. Some of the recent slew of attacks in the past year include the New York Times and Wall Street Journal, as well as the Washington Post even. Now, looks like Twitter has had a bit of a compromise of approximately 250,000 accounts.

Bob Lord, the Director of Information Security at Twitter stated that any accounts that were compromised, the data at risk includes usernames, email addresses, session tokens and encrypted/salted passwords:

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

They have reset passwords and reset session tokens for the accounts that were compromised. How do you know if your account is compromised?

Some last words in the blog by Bob Lord include, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”

We’d agree with him, it had to be pretty darn sophisticated. Even though that would be a small number compared to their extremely large userbase, that is still a lot of accounts statistically speaking. No doubts.

Read more about this on the Twitter blog.

Saudi Aramco Incident Investigated Much Closer

We reported back in October about the damage swell of Saudi Aramco, Saudi Arabia’s oil company, which fell victim to a cyberattack. Some new details have been revealed by a few investigating/reporting organizations…

The New York Times reported the following yesterday:

The attack on Saudi Aramco — which supplies a tenth of the world’s oil — failed to disrupt production, but was one of the most destructive hacker strikes against a single business.

“The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals,” Abdullah al-Saadan, Aramco’s vice president for corporate planning, said on Al Ekhbariya television. It was Aramco’s first comments on the apparent aim of the attack.

Hackers from a group called Cutting Sword of Justice claimed responsibility for the attack, saying that their motives were political and that the virus gave them access to documents from Aramco’s computers, which they threatened to release. No documents have yet been published.

The “Cutting Sword of Justice” made a post on PasteBin.com about taking credit for the attack.

We explained previously that most of the cyberattacks this year have been aimed at erasing data on energy companies’ computers. However, renewed thoughts of Aramco are showing the want by hackers to stop the flow of production. Good thing it got sorted out.

The Damage Swell of Saudi Aramco Attack

The New York Times reported about the damages of the attacks on Saudi Aramco, a Saudi Arabian oil firm. The article stated the following, blaming Iran for the attacks on Saudi Aramco along with supporting evidence:

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat.” In the Aramco case, hackers who called themselves the “Cutting Sword of Justice” and claimed to be activists upset about Saudi policies in the Middle East took responsibility.

Intelligence officials are still investigating the nature of the RasGas hack also, because it is related to this attack, which involved a malware called Shamoon.

The investigations of Saudi Aramco and RasGas, Qatar’s top natural gas firm, are coming together. Most of the cyberattacks this year have been aimed at erasing data on energy companies’ computers. More updates to come.

Related articles

• How hackers attacked Saudi oil company’s computers (seattletimes.com)
• US Increasingly Convinced Iran Behind Attack On Saudi Aramco (techweekeurope.co.uk)
• Shamoon Virus that Attacked Saudi Aramco is the Most Dangerous to Date (oilprice.com)

Facebook Given Short Notice to Stop Breaching Privacy

A consumer group in Germany has alleged over Facebook App Center about violating privacy laws.

According to the Washington Post, the Federation of German Consumer Organisations has given Facebook one week to stop automatically giving user information to third-party applications without explicit consent.

Legal action is possibly to Facebook, if these solutions are not met to fix privacy flaws, by September 4, 2012.

According to the New York Times about two week ago, “The company’s use of analytic software to compile photographic archives of human faces, based on photos uploaded by Facebook’s members, has been problematic in Europe, where data protection laws require people to give their explicit consent to the practice.”

Officials say this investigation and alleged charges are related to the Google Street View investigation, and similar actions can be taken, if necessary, to resolve the problem.

For the App Center, it’s put in place, some speculate, to help the Facebook mobile market and increase revenue for the company. With its competition against Apple or Android stores, it’s trying to gain attention quickly as an app store itself.

What makes governments and privacy experts nervous, is when Facebook developers make users opt-out, instead of opt-in. This means that new, potentially problematic, features are turned on by default. This requires too much work on the user, and an unfair advantage for Facebook.

Related articles

• Facebook given one week to stop breaching privacy laws (nakedsecurity.sophos.com)
• German consumer group sets Facebook privacy ultimatum (reuters.com)
• Facebook’s new app bazaar ‘violates’ punters’ privacy – lobbyists (go.theregister.com)

Cyberwar for Iran Heating Up

Apparently, Iran’s intelligence minister has blamed key countries, US, UK, and Israel for plotting a cyberattack against the country.

Also, earlier this month, The New York Times reported that President Obama ordered similar attacks on the super-computers that run Iran’s nuclear plants.

According to Reuters, “Based on obtained information, America and the Zionist regime (Israel) along with the MI6 planned an operation to launch a massive cyber attack against Iran’s facilities following the meeting between Iran and the P5+1 in Moscow,” Iran’s English-language Press TV quoted him as saying.

Another crazy issue would be that since Iranian leaders could not talk to the US/UK/Israel, they assumed an attack was planned. I guess what they don’t know WILL hurt them…right?

What is big about this, is the fact that the cyberwar between the US-based allies (UK + Israel + US) and Iran is heating up. Prepare for more stories like this here on seCURE Connexion!

Related articles

• Iran Says It Has Detected ‘Massive Cyber Attack’ Against Its Nuclear Facilities: State TV (huffingtonpost.com)