November 2009 Archives


iPhone Worms


Here's an interesting story about the second worm detected for Apple's iPhone platform. While the worm itself seems rather limited in its target audience (Dutch banking customers with a "jailbroken" iPhone running SSH with the default password), there are two interesting points here:

The first is that this worm enables the infected devices to act as a botnet. PC-based botnets have long been a problem on the Internet, but I am not aware of any other major platform supporting a botnet until now.

The other point is that the popularity of the iPhone is making it a more desirable target for malware. I am not going to use this opportunity to take sides in the quasi-religious debate about the inherent security of Windows v. Mac v. Linux, but it does give some credence to the argument that Windows is not less secure than other operating systems but is simply targeted more due to its ubiquitous deployment.

To what degree does malware follow a platform's popularity? Time will tell.


[Image: Cyber crime, by Angus Kingston via Flickr]

The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud, mail and wire fraud, retirement fraud, tax crimes, false claims, unfair competition, discrimination, and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

In the recent Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the dam's control systems. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says, "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital steganography: the advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article, Digital Steganography: Threat or Hype? by James E. Wingate. Summary:
Use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters `panic mode` The Financial Post


[Image: United States Power Grid, via Wikipedia]

The National Interest online's article by Richard Clarke outlines the difficulties countries face in protecting their economies from disruption of the data processing that manages the controls of the nation's power grid, fuel supply, food supply chains, etc., or the ability of private commerce to do business.

Although the article concentrates on the United States economy, it is a worldwide concern that the electronic infrastructure controlling the physical and logical stability of nations is fragile and vulnerable, and that our systems are complex, perhaps overly so.

There is real concern between nations that having the capability to disable another nation's ability to conduct commerce, or to defend its controls over the infrastructure that supplies services to its citizens, in times of political or resource conflict is far too great an advantage; and then there is, as Richard Clarke points out, the "whodunit" piece.

I don't think this is limited to cyber warfare; in conventional warfare, groups have certainly used covert activities to blame conflicts on uninvolved parties in order to escalate hostility between factions already at odds with each other.


As with the denial-of-service attacks in July: was it really who we thought it was, or was it someone else trying to make it look that way? It is not always the most recent notification or alert that lets you work through an incident; what matters is being able to perform historical correlation on transactions that were allowed through trusted environments.

The other point, although usually not discussed: where are all the electronics made? Who makes the components inside the equipment?

Richard Clarke -
"The major differences between cyber war and conventional war--one that makes the battlefield more perilous--is what cyber warriors call "the attribution problem." Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source."

"The "critical infrastructure" of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet."

Richard Clarke was special adviser to the president for cybersecurity in the George W. Bush administration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.


National Interest Article on War from Cyber Space


On 11/2/2009 Microsoft published its Security Intelligence Report.

Microsoft reported that Windows XP users experienced significantly more security violations than Windows Vista users, and that Conficker infections are the top threat in enterprise environments but not even in the top 10 in home computing environments.

Microsoft's statistical data also shows that the mix of threats differs by country: the U.S. and UK saw a high presence of Win32/Alureon and Win32/Vundo, some EU countries saw Win32/Wintrim as most active, China saw Win32/BaiduSobar and Win32/Frethog, while in Brazil it is Win32/Bancos.
Client-side and server-side polymorphic viruses appear to account for a large share of the miscellaneous virus variants. A polymorphic virus mutates its structure to avoid detection by antivirus programs, usually by changing one or more variables in its code without changing its overall algorithm.
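The detection side of that last point, as an added example that is not part of the original post or of the Microsoft report: a fixed byte signature taken from one sample misses a variant that differs only in an operand, while a wildcard signature keyed on the unchanged structure still matches both. The byte strings, the two "variants" and the hex wildcard notation are constructed for this illustration and are not real malware or a real antivirus rule.

```python
"""
Fixed-byte signature vs. wildcard signature on two constructed "variants"
that share an algorithm skeleton but differ in one 4-byte operand.
"""
import re

# Constructed samples (not real code): an x86-style stub where only the
# 4-byte immediate following the 0xB8 opcode (mov eax, imm32) differs.
#   55       push ebp
#   89 e5    mov ebp, esp
#   b8 ....  mov eax, imm32   <- the mutated operand
#   31 c9    xor ecx, ecx
#   c9 c3    leave; ret
VARIANT_A = bytes.fromhex("5589e5b81122334431c9c9c3")
VARIANT_B = bytes.fromhex("5589e5b8aabbccdd31c9c9c3")


def exact_signature_matches(sig: bytes, sample: bytes) -> bool:
    """Classic fixed-byte signature: a plain substring search."""
    return sig in sample


def wildcard_signature_matches(pattern: str, sample: bytes) -> bool:
    """
    Wildcard signature in a YARA-like hex notation: two hex digits match
    that exact byte, '??' matches any single byte. Compiled to a bytes regex.
    """
    regex = b""
    for token in pattern.split():
        if token == "??":
            regex += b"."
        else:
            regex += re.escape(bytes.fromhex(token))
    return re.search(regex, sample, re.DOTALL) is not None


# Fixed signature lifted from variant A, operand included.
EXACT_SIG = bytes.fromhex("b811223344")
# Wildcard signature keeps the opcode skeleton and masks the operand bytes.
WILDCARD_SIG = "55 89 e5 b8 ?? ?? ?? ?? 31 c9 c9 c3"


def scan(sample: bytes) -> dict:
    """Run both signatures against one sample and report which matched."""
    return {
        "exact": exact_signature_matches(EXACT_SIG, sample),
        "wildcard": wildcard_signature_matches(WILDCARD_SIG, sample),
    }


if __name__ == "__main__":
    for name, sample in (("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(name, scan(sample))
```

Variant A matches both signatures; variant B, with only the operand changed, evades the exact signature but not the wildcard one. Real engines go further (emulation, behavioural rules), but the masking idea is the same.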

There is a lot of interesting data published in this report that is about 232 pages long with information about organizations that are actively involved in mitigating exploits.

[Image: Conficker DE, via Wikipedia]

Microsoft Security Intelligence Report

References:
Conficker Working Group


[Image: Sunset in the EMP (reflection), by Chris Blakeley via Flickr]

This document covers the People's Liberation Army's conceptual framework for delivering "integrated network electronic warfare", which includes space and satellite warfare and EMP attacks. The document also points out that the U.S. military's NIPRNET is a high-priority target. The article mentions that organizations are still not doing enough to use analysis tools like SIEM products. While the article cites that SIEM products may rely on signature-based solutions, nFX One products correlate events beyond IDS/IPS signature events from a number of disparate operating systems, NetFlows, and other host and network security devices to alert on abnormal behavior, and provide built-in incident response management workflow and integration with ITIL uCMDB processes.
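The kind of cross-source correlation described above, as an added example that is not part of the original post and not nFX One's code: one rule that fires only when an IDS signature hit, failed host authentication and a NetFlow record for the same internal host all fall inside a five-minute window. The log lines, their key=value format and the window length are constructed assumptions for this example.

```python
"""
Cross-source event correlation over constructed IDS, auth and NetFlow lines.
A single-source alert on its own is noise; the rule fires only when three
sources agree about the same host inside one time window.
"""
from datetime import datetime, timedelta
import shlex

# Constructed sample events from three sources (not real logs). Each line is
# "<ISO timestamp> <source> key=value ..."; quoted values may contain spaces.
SAMPLE_LOG = """\
2009-11-12T10:00:05 ids host=10.1.2.7 sig="ET TROJAN Possible Bot C&C Checkin"
2009-11-12T10:01:10 auth host=10.1.2.7 result=FAIL user=administrator
2009-11-12T10:01:12 auth host=10.1.2.7 result=FAIL user=administrator
2009-11-12T10:02:40 netflow src=10.1.2.7 dst=203.0.113.9 dport=6667 bytes=4120
2009-11-12T10:30:00 ids host=10.1.2.9 sig="ET POLICY Suspicious User-Agent"
2009-11-12T11:45:00 auth host=10.1.2.9 result=FAIL user=jsmith
2009-11-12T12:05:00 netflow src=10.1.2.9 dst=198.51.100.4 dport=443 bytes=900
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_line(line: str) -> dict:
    """Parse one constructed log line into timestamp, source, host and fields."""
    ts_text, source, rest = line.split(" ", 2)
    fields = dict(token.split("=", 1) for token in shlex.split(rest))
    return {
        "ts": datetime.fromisoformat(ts_text),
        "source": source,
        # IDS and auth lines name the host directly; NetFlow uses src.
        "host": fields.get("host", fields.get("src")),
        "fields": fields,
    }


def correlate(log_text: str, window: timedelta = WINDOW) -> list:
    """
    For every IDS hit, look forward `window` for auth failures and outbound
    flows from the same host. Return one alert per IDS hit that has both.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in (e for e in evs if e["source"] == "ids"):
            deadline = anchor["ts"] + window
            in_window = [e for e in evs if anchor["ts"] <= e["ts"] <= deadline]
            auth_fails = [e for e in in_window
                          if e["source"] == "auth" and e["fields"].get("result") == "FAIL"]
            flows = [e for e in in_window if e["source"] == "netflow"]
            if auth_fails and flows:
                alerts.append({
                    "host": host,
                    "signature": anchor["fields"]["sig"],
                    "auth_failures": len(auth_fails),
                    "destinations": sorted({f["fields"]["dst"] for f in flows}),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Host 10.1.2.7 produces one alert (IDS hit, two failed logins and an outbound flow within five minutes); host 10.1.2.9 has the same three event types spread over two hours and produces none, which is the point of correlating rather than alerting per source.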

The document provides a graphic on the "Timeline of Significant Chinese Related Cyber Events 1999-Present, including pointers to the very public GhostNet cyber espionage events as well as information on the National University of Defense Technology (NUDT)."


Reference:
US-China Economic and Security Review Commission Report on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
National University of Defense Technology


© 2009 netForensics, Inc