Lockheed Martin investigates possible link between cyber attack and RSA data breach

US-based global defence firm Lockheed Martin says it has beefed up security around remote access to its IT network after a “significant and tenacious attack” on 21 May, which could be linked to an earlier breach at security firm RSA.

Lockheed maintains that its systems remain secure and that no customer, project or employee personal data was compromised in the attack, reported a week after the event.

“The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data,” Lockheed said in a statement.

Lockheed and RSA Security, which supplies access tokens to millions of corporate users, say they are still trying to determine whether the attack used data hackers stole from RSA in March or if it had exploited another weakness, according to the New York Times.

Shortly after RSA announced the breach, Lockheed said it had added an additional password to the process employees used to connect to its system from remote locations.

At the time of the RSA data breach, Art Coviello, executive chairman of RSA, said the information extracted did not enable a successful direct attack, but he did not exclude the possibility that the information could be used as part of a broader attack.

Investigating the attack

Officials at Lockheed and RSA Security, a division of EMC that provides the SecurID electronic access tokens, say they are working with federal officials to find out how the attack was carried out and who was behind it.

EMC said in a statement at the weekend that it was “premature to speculate” on the cause of the Lockheed attack.

Ross Brewer, vice-president and managing director of international markets at log management firm LogRhythm, says although Lockheed Martin was quick to spot and disclose this breach, and has offered reassurance that none of its critical systems were compromised, it now faces the substantial task of tracing the source of the attack.

“When you consider the monetary and political value of the information held on its IT systems, there will be no shortage of candidates,” he said.

According to Brewer, critical clues to how the attack was launched and spread will be held in the log data generated by each and every device and application on Lockheed Martin’s network.

“By analysing these logs, the company should be able to spot patterns of suspicious behaviour and work backwards to pinpoint the cause,” he said.


Civil-service union hit by invisible DDoS is back up

The Public and Commercial Services union’s website was back up and running in time for its annual conference on Wednesday, following a week-long denial of service assault.

The attack started on Wednesday 11 May and left the website “struggling to cope with average hourly traffic 1,000 times greater than normal,” according to the union. Curiously, the attack failed to hit the radar screens of Arbor Networks, the firm that supplies traffic management and DDoS mitigation tools to the vast majority of the world’s biggest telcos.

“So far nothing in our monitors for that IP being a victim of a DDoS attack, and no signs of a DDoS attack there, either, in our monitoring,” Jose Nazario, senior manager of security research at Arbor told El Reg.

The union, which represents 300,000 members, mostly civil servants, plans to stage a ballot for strike action against cuts to jobs, pensions and pay at its conference. In a statement, PCS general secretary Mark Serwotka described the attacks as a “clear attempt to undermine our union at what is a critical time”.

Occasionally, server or coding problems can present with the same symptoms as a denial-of-service attack, something that happened in the case of alternative news site Newsnet Scotland only last month.

We spoke to two union officials, who were both adamant that a denial of service attack was the cause of problems that have made the site intermittently difficult to access or slow over the last week. The duo each said the union had worked with web development firm Pixl8 to resolve the problem.

A spokesman at Pixl8 explained that traffic and load on the site had surged despite no increase in visitor numbers. He was quite certain that the site had come under DDoS attack. He suggested that Arbor had not seen anything amiss because, while serious locally, the site did not cause problems for upstream ISPs.
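A defender-side check for the symptom Pixl8 describes (requests and load surging while the number of distinct visitors stays flat), written here as an added example that is not part of the original article or of Pixl8's or Arbor's tooling. It buckets web-server access-log lines by hour and flags hours whose request count is far above the median hour while the distinct-client count is not; the log lines are constructed and the threshold factors are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Regex for the common/combined access-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def hourly_stats(log_text):
    """Bucket access-log lines by hour -> {hour: {"requests": n, "clients": set(ips)}}."""
    buckets = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%d %H:00")
        buckets[hour]["requests"] += 1
        buckets[hour]["clients"].add(m.group("ip"))
    return buckets


def flag_flood_hours(buckets, rate_factor=10.0, visitor_factor=2.0):
    """Flag hours whose request count is far above the median hour while the number
    of distinct clients is not: 'load surged despite no increase in visitors'."""
    if len(buckets) < 2:
        return []  # no baseline to compare against
    median_reqs = statistics.median(b["requests"] for b in buckets.values())
    median_clients = statistics.median(len(b["clients"]) for b in buckets.values())
    flagged = []
    for hour, b in sorted(buckets.items()):
        clients = len(b["clients"])
        if b["requests"] >= rate_factor * median_reqs and clients < visitor_factor * median_clients:
            flagged.append({
                "hour": hour, "requests": b["requests"], "clients": clients,
                "per_client": round(b["requests"] / clients, 1),  # concentration per source
                "x_median": round(b["requests"] / median_reqs, 1),  # multiple of a normal hour
            })
    return flagged


# Constructed sample (not real PCS log data): two ordinary hours with one request per
# visitor, then an hour in which five addresses send 3,000 requests between them.
SAMPLE_LOG = "\n".join(
    [f'192.0.2.{i} - - [11/May/2011:09:{i:02d}:00 +0100] "GET /news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
     for i in range(1, 31)]
    + [f'198.51.100.{i} - - [11/May/2011:10:{i:02d}:00 +0100] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"'
       for i in range(1, 31)]
    + [f'203.0.113.{i % 5} - - [11/May/2011:11:{i // 60:02d}:{i % 60:02d} +0100] "GET / HTTP/1.1" 503 0 "-" "Mozilla/4.0"'
       for i in range(3000)]
)

if __name__ == "__main__":
    for hit in flag_flood_hours(hourly_stats(SAMPLE_LOG)):
        print(hit)
```

A flood of this size is visible in the site's own logs but may be far too small to register with an upstream provider's network-level monitoring, which is consistent with Arbor seeing nothing.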


Cyberwar Is Harder Than It Looks

In wartime, combatants often attempt to disrupt their enemies’ supply systems, generally by blowing them up. Modern life is made possible by a set of tightly interconnected systems supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, finance, telecommunications, and emergency response. All of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by “blowing up” the Net?

The Obama administration is worried that they will. In May 2009, the administration issued its Cyberspace Policy Review, which described threats to the Internet as “one of the most serious economic and national security challenges of the 21st Century.” A year later, the U.S. Cyber Command was launched with the aim of protecting American information technology systems and establishing U.S. military dominance in cyberspace. A January report by the U.K.-based market research firm Visiongain identifies cyberwar preparedness as the “single greatest growth market in the defense and security sector,” forecasting that global spending will reach $12.5 billion this year.

A January report from the Organization for Economic Cooperation and Development—Reducing Systemic Cybersecurity Risk, by the British researchers Ian Brown and Peter Sommer—evaluates the most widely discussed threats to cyberspace security, from viruses to denial-of-service attacks. Such weapons already have become common in government and industrial espionage, identity theft, Web defacements, extortion, system hijacking, and service blockading.

Two recent episodes should give us some sense of these weapons’ effectiveness. In 2007, hackers launched cyberattacks against Estonian websites, apparently as a protest against relocating a Soviet-era statue. And a 2008 border dispute with Russia provoked a series of denial-of-service attacks against Georgia’s Internet infrastructure. Good news: As James Lewis of the Center for Strategic and International Studies (CSIS) noted in a 2009 report, “in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services.” Brown and Sommer conclude that it’s “unlikely that there will ever be a true cyberwar.”

By cyberwar the writers mean a war fought solely over and with information technologies. It takes a lot of effort, they point out, to figure out new vulnerabilities in already protected critical systems. Furthermore, the effects of an attack are difficult to predict and could include blowback against the perpetrators. Most important, “There is no strategic reason why an aggressor would limit themselves to only one class of weaponry.” In a real war, cyberattacks would be combined with conventional efforts to blow up critical infrastructure.

Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare, since the target for retaliation is unknown. This means the main defense against cyberweapons has to be resilience: a combination of preventive measures and contingency plans for a quick post-attack recovery.

As Brown and Sommer observe, the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. “You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet,” University of Toronto cyberwarfare expert Ronald Deibert writes in the January/February 2011 Bulletin of the Atomic Scientists. “There is a lot of redundancy in the networks; it’s not a simple thing to turn off the power grid.” Our experience with current forms of malware, such as hacker-generated viruses and trojans, is also somewhat reassuring. Responses to new malware have generally been found and made available within days, and few denial-of-service attacks have lasted more than a day. In addition, many critical networks, such as those carrying financial transactions, are not connected to the Internet, meaning insider information is required to make them vulnerable.

While not everyone uses up-to-date malware detection, most governments and major businesses do, which means would-be attackers must take the time and effort to find new flaws and develop new techniques. The success of the Stuxnet worm, which attacked and disabled Iranian nuclear centrifuges in the summer of 2010, required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive. Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.

Brown and Sommer want more governments to ratify the CyberCrime Convention, which promotes international law enforcement cooperation against computer crimes. The chief holdouts are Russia and China, and many recent cyberattacks appear to have originated from those territories. “We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control,” notes Lewis of the CSIS. “The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were [sic] cut off, his door was smashed down and his computer confiscated.”

Electronic privacy activists are less enthusiastic about the treaty. When the U.S. ratified the Cybercrime Convention in 2006, the Electronic Privacy Information Center and other watchdogs worried that the treaty could require American law enforcement agencies to turn people over to foreign police for engaging in activities that are legal here but treated as crimes in other countries.

More constructively, Brown and Sommer suggest strengthening connections between national computer emergency response teams. These largely private groups, mostly associated with universities, operate as a kind of early warning system and devise software fixes to stop the spread of new malware. The government also can encourage the development of properly tested hardware and software through its procurement policies. While full-fledged cyberwar probably won’t happen, espionage, hacking, and malware will be with us always. Americans’ decentralized, distributed efforts to defend against them will also defend against the threat of cyberwarfare.

Advocates of an open Internet were shocked at how easily the Egyptian government, in an effort to disrupt communications among protesters, shut down the Net inside Egypt in January. Disturbingly, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.) have introduced legislation authorizing the president to shut down the Internet here during an emergency. If you’re worried that someone might limit your access to information or disrupt vital systems that rely on the Internet, Washington may turn out to be more of a menace than a savior.


Youth arrested for selling Call of Duty DDoS tool

A teenager in Manchester has been arrested after being caught selling a ‘booting tool’ used to attack and kick players of the hugely popular Call of Duty online game.

The software used to launch the attacks, ‘Phenom Booter’, was traced to the UK by game publisher Activision, which found it for sale on a forum allegedly connected to the unnamed 17-year-old.

The youth is currently under arrest and is likely to be charged with offences under the Computer Misuse Act, police have said.

Such shell tools have spread around the dark underside of gaming in recent times as a way of ‘booting’ or ‘kicking’ rival players by locating their IP address from online gaming websites using a technique known as ARP poisoning.

Anyone using such a tool can wield considerable negative power, removing one or more players from games hosted on servers, even making it impossible for anyone to use them at all.

The server or servers attacked were not named, but the incident must have been on a large enough scale to attract the attention of the normally remote Activision. Call of Duty: Modern Warfare or Black Ops were probably affected, both of which are making the company serious amounts of cash.

Activision also hosts master server lists, which players scroll through to choose specific games, but Phenom Booter would not normally be effective in attacking these servers.

Phenom Booter is by no means the only such tool that is being marketed to annoyed game players – a tool known as ‘Atomic Booter’ is probably more notorious.

Clearly Activision wants to send a message to anyone marketing such tools that they risk being tracked down and prosecuted. Actually finding the people who use them to attack real games is much harder because IP addresses used by rogue players are rarely traceable to anything other than an ISP with many customers.

Call of Duty uses a series of software ports from 28960 onwards but few ISPs bother to monitor traffic through them, or relate this to individual users.

“Programmes marketed in order to disrupt the online infrastructure not only affect individual players but have commercial and reputational consequences for the companies concerned,” said Detective Inspector Paul Hoare of the Police Central e-crime Unit (PCeU), which was involved in the arrest.

“These games attract both children and young people to the online environment and this type of crime can often be the precursor to further offending in more traditional areas of online crime,” he said.

The youth becomes the first person ever to be arrested in the UK in connection with an alleged online gaming offence.


Anonymous unimpressed with Sony-Geohot settlement

Famed Playstation 3 hacker Geohot may have settled his outstanding legal issues with Sony, but cyber activists associated with Anonymous remain unimpressed with the deal.

Nevertheless, the group recently decided to halt all DDoS attacks against the Japan-based corporation, as the impact of such an operation has apparently “surpassed” its peak.

“In the eyes of the law, this case is over. We disagree. We believe Sony’s actions in this case are unjust. We do not agree with Sony forcing social media sites like Youtube to hand over the IP addresses of people who viewed GeoHot’s videos. We view this as a severe violation of privacy rights,” Anonymous explained in a communiqué.

“We disagree with Sony forcefully gathering personal information from other companies like PayPal. We find it unacceptable that Sony is even permitted to request this information in the first place. These acts are completely disrespectful and unforgivable.”

According to Anonymous, Sony’s actions have “far-reaching” implications for every individual who has purchased a piece of equipment – regardless of the manufacturer.

“The current solution will only embolden other greedy corporations to employ similar unfair tactics, so it is necessary to continue our protest to make our voices heard.

“Where the judicial system has failed, Anonymous will persevere, by standing up for the rights of everyone, not just those who dared to challenge these corporations. Geohot’s belief was in the freedom of information dissemination. We will stand with him.”

As such, Anonymous has designated April 16th as a day to protest against Sony “in the streets.”

“We encourage anyone who is able to come to a nearby Sony Store to support the cause, even if you are not usually involved with Anonymous. This is not just about Anonymous – this is about your rights.

“If you wish to attend, be sure to check on your local laws and regulations regarding hiding your face during protests and, if allowed, cover your face, whether it is the usual Guy Fawkes masks or some other form of facial covering. Let us show Sony that all information is free and that we own the things we buy, now and forever.”


Microsoft Fixing 64 Security Flaws for April’s Patch Tuesday

Microsoft’s massive April Patch Tuesday will tie the record for the most security bulletins released at one time. It is a dramatic contrast to last month’s skimpy Patch Tuesday release, which only contained three security bulletins.

On April 12, Microsoft plans to release 17 security bulletins, including nine that are rated “Critical” and eight rated “Important.” Fifteen of the bulletins address vulnerabilities that allow attackers to remotely execute code.

All totaled, the bulletins will address a stunning 64 vulnerabilities spanning Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and the Graphics Device Interface (GDI+).

The last time Microsoft included this many bulletins in one update was in December, according to Jason Miller, a data team manager with Israel-based Shavlik Technologies. Microsoft will set another record with the number of vulnerabilities patched in one release. The previous Microsoft record was 49 vulnerabilities fixed for October’s Patch Tuesday, according to Miller.

While the advance notification bulletin released April 7 did not include any specific details about the individual patches, Microsoft said some of the fixes will address the Windows MHTML vulnerability and the Server Message Block Browser bug in Windows XP.

First reported last January (Security Advisory 2501696), the MHTML flaw allows attackers to run scripts in the wrong security context on Windows XP, Vista, Windows 7 and all supported Windows Server releases. An attacker could exploit the vulnerability to inject a client-side script in a Website the user is viewing in Internet Explorer. Once executed, the script could collect user information and spoof content. Attackers have exploited the vulnerability in “limited, targeted attacks” using the public proof-of-concept code, according to Microsoft.

The Server Message Block Browser bug in Windows XP, which could trigger a blue screen in kernel mode, was publicly disclosed on Feb. 15. French security firm Vupen rated the flaw as “Critical” and warned that the exploit could cause a denial-of-service attack or completely take over the compromised system.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice. DoS [denial of service] is much more likely,” Microsoft Security Research Center Engineering’s Mark Wodrich said on Feb. 17.

“This is a huge update and system administrators should plan for deployment,” Wolfgang Kandek, CTO of Qualys, wrote on The Laws of Vulnerabilities blog.

Affected operating systems include Windows XP, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 x64 Edition, Windows Vista (32-bit and 64-bit), Windows Server 2008 and Windows 7.

There are updates for Internet Explorer 6 through 8. Despite Microsoft’s attempts to sunset IE6, it appears IE6 bugs in Windows XP and Windows Server 2003 have been addressed.

The patches cover commonly used Office applications, including Microsoft Excel 2002 through 2010, Microsoft PowerPoint 2002 through 2010, and Microsoft Office 2004 for Mac through 2011.

Other included applications are Open XML File Format Converter, Microsoft Visual Studio .NET 2003 Service Pack 1 through Visual Studio 2010, Microsoft Visual C++ 2005 through 2010, Microsoft Excel Viewer Service, Microsoft PowerPoint Viewer 2007, Microsoft Office Compatibility Pack, and Microsoft PowerPoint Web App.
