Sunday, January 24, 2010

Around The Horn vol.2,2

Zero Day

Tracking the hackers

Microsoft confirms 17-year-old Windows vulnerability

By Ryan Naraine on Windows Vista

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode.

Following the Google attack malware trail

By Ryan Naraine on People's Republic of China

A researcher discovers that several components of the malware were written in mid-2006, more than three years before the attacks on Google, Adobe and others were first discovered.

Critical out-of-band IE patch coming tomorrow (Jan 21)

By Ryan Naraine on Zero-day attacks

The update, rated critical for all versions of IE, will cover a remote code execution flaw that has already been used in targeted attacks.

Researcher demos clickjacking attack on Facebook

By Ryan Naraine on Zero-day attacks

A demo exploit shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks to what appears to be harmless links.

Critical flaws haunt Adobe Shockwave Player

By Ryan Naraine on Vulnerability research

The vulnerabilities affect Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Mac operating systems.

Mac OS X dirty dozen: Apple plugs critical security holes

By Ryan Naraine on Responsible disclosure

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

Google-China cyber espionage saga - FAQ

By Dancho Danchev on Zero-day attacks

How did the attack take place? Did Google strike back at the attackers? Was the Chinese government behind the attacks, and if not who orchestrated them and for what reason? It's time to answer some of the most frequently asked questions.

Microsoft readies emergency IE patch to counter public exploits

By Ryan Naraine on Zero-day attacks

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows.

Microsoft says Google was hacked with IE zero-day

By Ryan Naraine on Zero-day attacks

According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.

Haiti earthquake themed blackhat SEO campaigns serving scareware

By Dancho Danchev on Web 2.0

Cybercriminals quickly mobilized following the news of a massive earthquake that hit Haiti on Tuesday. The blackhat SEO campaigns are only the tip of the iceberg. Here's what else to look for, and how to make sure you're donating money to the right organization.

Yahoo! News: Security News

Clinton urges China to investigate Google case (AP)

In technology

AP - Secretary of State Hillary Rodham Clinton on Thursday urged China to investigate cyber intrusions that led Google to threaten to pull out of that country — and challenged Beijing to openly publish its findings.

China says Google case not linked to Sino-US ties (AFP)

In business

[Photo: A man passes in front of the Google China offices in Beijing on January 20.]
AFP - Google's threat to leave China over censorship and cyberattacks should not be "overinterpreted" or linked with Sino-US ties, state media quoted Vice Foreign Minister He Yafei as saying Thursday.

Google puts focus on China cyberwar fears (Reuters)

In technology

Reuters - Google Inc's threat to quit China over cyber attacks and censorship highlights U.S. fears that a more powerful Beijing is tapping government and corporate computer networks to steal secrets and to prepare for potential conflicts.

Controversial App Provides Background Checks On the Go (PC World)

In technology

PC World - Online privacy is a constant and growing concern as the evolving landscape of Web sites and services erode the traditional expectations of privacy. A new app from BeenVerified is adding even more controversy to the privacy dilemma by enabling users to conduct background checks on anyone in a matter of seconds from their iPhone.

Comcast Replaces McAfee, Widens Security Program (PC Magazine)

In technology

PC Magazine - Comcast on Wednesday expanded a test of its new security program to all customers, but will replace McAfee's Internet security suite with Symantec's Norton offering.

China's Baidu sues US web firm over hacker attack (AFP)

In technology

[Photo: A woman walks past the Baidu office in Beijing. (AFP/Str)]
AFP - China's top Internet search engine Baidu said Wednesday it had sued a US web firm after its site was hacked, a new salvo in a growing spat after Google's threat to quit the country because of cyber attacks.

Beijing denies China hackers attacked Indian govt (AFP)

In technology

[Photo: A Chinese man surfs the internet in Beijing in 2007.]
AFP - China on Tuesday rejected reports that Indian government computers had been attacked by Chinese hackers as "groundless", one week after US Internet giant Google made a similar accusation.

Google postpones launch of mobiles in China (AFP)

In business

[Photo: A woman uses a mobile phone outside the Google China headquarters in Beijing. (AFP/File/Liu Jin)]
AFP - Google said Tuesday it had postponed the launch of two mobile handsets in China, in the latest fallout from its threat last week to withdraw from the Asian giant over cyberattacks and censorship.

Yahoo! slammed by China partner for Google support (AFP)

In technology

[Photo: Passengers get into a taxi bedecked with the logo of Alibaba in Hong Kong.]
AFP - China's e-commerce giant Alibaba on Sunday condemned as "reckless" its partner Yahoo!'s support of Google, which has threatened to pull out of the Asian nation over censorship and cyberattacks.

Are Facebook Private Items Private? Not Really (PC Magazine)

In technology

PC Magazine - F-Secure shows that private items on Facebook are, at least in some cases, public.

Juniper confirms cyber attack after Google case (Reuters)

In technology

Reuters - Juniper Networks Inc said on Friday it was one of the victims of a cyber attack in China first brought to light by Google Inc, which has threatened to quit the country.

China plays down Google dispute but U.S. concerned (Reuters)

In technology

Reuters - China sought on Friday to play down a threat by Google Inc to quit the country on hacking and censorship concerns, but the United States said it will formally express concern over the cyber attacks the Internet search giant said originated in China.

U.S. to send formal message to China on Google case (Reuters)

In technology

[Photo: A cleaner looks out from the lobby of Google China's headquarters in Beijing, January 15, 2010. REUTERS/Alfred Jin]
Reuters - The U.S. State Department said on Friday it will soon give China a formal diplomatic message expressing its concern about cyber attacks that prompted Google Inc to threaten to pull out of China.

Google row will not affect trade ties with US: China (AFP)

In technology

[Photo: The logo of the web giant Google is displayed on a sign outside the company's office in Shanghai. (AFP/File/Philippe Lopez)]
AFP - China said Friday that Google's threat to stop operating in the country would not affect Sino-US trade ties, after Washington pressed for an explanation of China-based cyberattacks on the Internet giant.

China: Google case will not affect trade with US (AFP)

In business

[Photo: A banner offering support for internet titan Google is placed on a street in Hong Kong. (AFP/File/Mike Clarke)]
AFP - China said Friday that Google's threat to pull out of the country over cyberattacks and official censorship would not affect Beijing's overall trade and economic ties with the United States.

Microsoft's browser flaw exposed Google to hackers (AP)

In technology

AP - Microsoft says a security flaw in its Internet Explorer browser played a role in the recent computer attacks against Google and at least 20 other companies.

Web browser vulnerability used in Google attacks: Microsoft (AFP)

In technology

[Photo: Attendees try an interactive display at the Microsoft booth at the 2010 International Consumer Electronics Show, on January 8 in Las Vegas, Nevada. (AFP/File/Robyn Beck)]
AFP - Microsoft said Thursday that a security vulnerability in its Internet Explorer browser was used in cyberattacks which prompted Google to threaten to shut down its operations in China.

Microsoft CEO says no China exit (Reuters)

In technology

[Photo: A security guard stands in front of a Microsoft poster at China International Software Exhibition in Beijing June 2, 2006. REUTERS/Jason Lee]
Reuters - Microsoft Corp has no plans to pull out of China, its chief executive said on Thursday, playing down concerns about recent cyber-attacks and censorship raised by rival Google Inc.

Microsoft CEO says no China exit: report (Reuters)

In technology

Reuters - Microsoft Corp has no plans to pull its business out of China after rival Google Inc threatened to quit the country over claims of cyber attacks on its email service, the company's chief executive said on Thursday.

Analyst's View: Facebook's Automated Security Could Do More (PC Magazine)

In technology

PC Magazine - Facebook automatically cleans up malware-infested accounts—now it has help from McAfee. But the social-networking site could do much more to ensure safe computing for all its users.

TrendLabs | Malware Blog - by Trend Micro

Hottest news about malware -- worms, viruses, trojans, adware and other internet or web threats by Trend Micro.

New IE Zero-Day Exploit Attacks Continue

By Carolyn Guevarra (Technical Communications) on Vulnerabilities

Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent and still [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

SASFIS Fizzles in the Background

By Loucif Kharouni (Threats Analyst) on Security

The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet [...]


Phishing in the Guise of Enhancing Security

By Ralph Hernandez (Fraud Analyst) on Spam

Trend Micro fraud analysts recently came across spammed messages targeting customers of the Fifth Third Bank. The messages urged recipients to log in to a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank’s security. Clicking the link, however, led users to a phishing page that [...]


Spam Attack Against the U.S. Defense Department Exploits an Adobe Vulnerability

By Oscar Abendan (Technical Communications) on Vulnerabilities

Trend Micro was alerted to the discovery of a new attack that exploits a vulnerability in certain Adobe Reader and Acrobat versions. The said vulnerability allows remote attackers to execute arbitrary code via a crafted .PDF file using ZLib compressed streams on Microsoft OS-based systems. Cybercriminals targeted contractors of the U.S. Department of Defense with [...]


Cyber Attacks on Google and Others—Who Is Really at Risk?

By Ria Rivera (Technical Communications) on Vulnerabilities

Recent cyber attacks on Google and other organizations have been greatly covered by the media, owing much to the size and notability of the companies affected. However, what this incident really does is bring to light the true complexity and sophistication of computer threats and that any user or organization—large or small—can potentially be at [...]


Google, China, Chicken Little and Cyber Armageddon.

By Rik Ferguson on security

In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads [...]

DarkMarket Closes Its Doors, Finally

By David Sancho (Malware Researcher) on Security

DarkMarket closed shop recently. If you have not heard from them, do not worry too much. This website, which operated from different places worldwide, managed to join all sorts of credit card crooks and provided different levels of seller verification, escrow services, and malware consulting. It finally went offline and its owners were put in custody, thanks [...]


Twitterbuilding.com—Stealing Your Passwords One Tweet at a Time

By Robert McArdle (Senior Malware Researcher) on Security

I, like many others, am a big fan of Twitter, although I’m fairly ruthless about pruning those I follow. Most of the people I follow are either other security professionals or close friends and they normally Tweet content that I am genuinely interested in. The first hint of someone going to the dark side, e.g., In [...]


Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate

By Carolyn Guevarra (Technical Communications) on News

Less than a month after the so-called “Iranian Cyber Army” reportedly “hacked” the popular micro-blogging site, Twitter, they are back with another attack, this time against another Internet giant, Baidu. Baidu is China’s most popular search engine, as 62 percent of the total number of Web searches in China are done compared with Google’s [...]


BANKER Scams New Spam Victims

By Loucif Kharouni (Threats Analyst) on Spam

Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files (see Figure 1). The second campaign was more elaborate, as the involved [...]


Search Results in Microsoft’s Site May Lead to FAKEAV

By Oscar Abendan (Technical Communications) on Microsoft

Trend Micro was alerted to the discovery of a recent threat that takes advantage of malicious search results generated from the Microsoft Office’s site. This threat targets users looking for tips and help-related information on using Microsoft Office products on Microsoft’s official website, particularly those looking to delete meeting notices without notifying the other invitees. Using the [...]


One Patch for January’s Patch Tuesday

By Jovi Umawing (Technical Communications) on Vulnerabilities

Following the usual cycle of monthly patch releases, Microsoft just issued its first for this year yesterday. Microsoft has released one advisory to address the vulnerability found in the way the Embedded OpenType (EOT) Font Engine can render a specially crafted EOT font file in several Microsoft applications such as Internet Explorer, PowerPoint, and Word. An [...]

Bogus IRS W-2 Form Leads to Malware

By Mary Ermitano (Anti-spam Research Engineer) on Security

After the holidays, spammers now are capitalizing on the upcoming tax season. Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject, “W-2 Form update,” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s [...]

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

By Jessa De La Torre (Threat Response Engineer) on Vulnerabilities

Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild. The sample (detected by Trend Micro as TROJ_PIDIEF.WIA) uses the heap spray technique to execute shellcode in its stream. As a result, a malicious file detected as BKDR_POISON.UC is dropped into the system. When executed, BKDR_POISON.UC opens an [...]


Can IDN Usage Open a Can of Unicode Worms?

By Ben April (Advanced Threat Researcher) on Security

I recently made up two nonsensical domain names—eixpay.com and eixpay.com—can you spot the difference between them? In a modern Unicode-capable browser, they are likely to appear identical but if you copy and paste each one into a search engine, you will get different results. The domain on the right was created using Cyrillic characters while the [...]

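The excerpt above describes the homograph problem: a label built from Cyrillic letters renders like a Latin one, yet the resolver sees a different (punycode) name. The following is an added defensive check, not code from the TrendLabs post; it uses a constructed sample pair in which the "a" of the second domain is the Cyrillic small letter a (U+0430), reports the punycode form the resolver actually looks up, and flags labels that mix scripts. It goes a step beyond the excerpt by also flagging whole-label non-ASCII names, since a look-alike can be single-script and therefore not "mixed" at all.

```python
import unicodedata

# Constructed sample pair (assumption for this example, not from the post):
# the second label looks like the first but its "a" is Cyrillic U+0430.
LATIN_DOMAIN = "eixpay.com"
LOOKALIKE_DOMAIN = "eixp\u0430y.com"

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def script_of(ch):
    """Coarse script classification taken from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"          # digits and hyphen are legal in any label
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def label_scripts(label):
    """Set of letter scripts used in one DNS label, ignoring COMMON characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_mixed_script(domain):
    """True if any label of the domain mixes letters from more than one script."""
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def to_punycode(domain):
    """IDNA (xn--) form: the name the resolver and certificate actually carry."""
    return domain.encode("idna").decode("ascii")


def assess(domain):
    """Summarise the signals a reviewer would want before trusting a link."""
    return {
        "display": domain,
        "punycode": to_punycode(domain),
        "non_ascii": not domain.isascii(),
        "mixed_script": is_mixed_script(domain),
    }


if __name__ == "__main__":
    for d in (LATIN_DOMAIN, LOOKALIKE_DOMAIN):
        print(assess(d))
```

The two display strings are indistinguishable in many fonts, but `to_punycode` exposes the difference immediately, which is why mail gateways and proxies compare the `xn--` form rather than the rendered text. A fully Cyrillic label passes the mixed-script test, so `non_ascii` is the signal to keep when the expected brand is a plain ASCII name.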

From KOOBFACE with Love

By Robert McArdle (Senior Malware Researcher) on Security

We have received a lot of positive feedback for our three-part paper on KOOBFACE (I, II, III) from all parts of the IT industry, but now the malware authors themselves have chimed in. The KOOBFACE gang (who are attempting to make people believe that they are a legitimate company) have left a Christmas message on each of [...]


Malicious JavaScript Infects Websites

By Bernadette Irinco (Technical Communications) on Security

Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, redirecting the user to several malicious websites. This is done so users will [...]


Christmas Greetings from Spammers

By Mary Bagtas (Anti-spam Research Engineer) on Spam

Spammers are clearly putting the holidays to good use, as they have made Christmas just another reason to spread malware. Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo [...]


PH: Mayon Volcano Eruption Spews Out SEO Attack

By Joseph Pacamarra (Threats Analyst) on Security

While scouting the Web for the latest threats, Trend Micro threat analysts stumbled upon FAKEAV variants riding on the impending eruption of the Mayon Volcano. Renowned for its “perfect cone” shape, the Mayon Volcano became one of the candidates for inclusion in the New 7 Wonders of Nature list. It is not surprising, therefore, that [...]


TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

Attribution Is Not Just Malware Analysis

By Richard Bejtlich

In a recent Tweet I recommended reading Joe Stewart's insightful analysis of malware involved in Google v China. Joe's work is stellar as always, but I am reading more and more commentary that shows many people don't have the right frame of reference to understand this problem.
In brief, too many people are focusing on the malware alone. This is probably due to the fact that the people making these comments have little to no experience with the broader problems caused by advanced persistent threat. It's enough for them to look at the malware and then move to the next sample, or devise their next exploit, and so on. Those of us responsible for defending an enterprise can't just look at the problem from a malware, or even a technical, perspective.
I was reminded of this imperative when I read Waziristan: The Last Frontier in a recent Economist magazine.
[I]t is tempting to think Waziristan has hardly changed since those colonial days... Mostly, [the Pakistani Frontier Corps] discuss their belief that India is behind the current troubles on the frontier. Lieutenant-Colonel Tabraiz Abbas, just in from fighting the Mehsud militants, describes finding Indian-made arms on the battlefield. Substitute “Russian” for “Indian” and you have the standard British Great-Game gripe. As late as 1930, a senior British official, in dispatches stored in India’s national archives, reported that a clutch of Russian guns had been found in Waziristan: “Of these 36 are stamped with the ‘Hammer and Sickle’ emblem of the Soviet government, while one is an English rifle bearing the Czarist crest.”
Imagine if policy decisions were made on "rifle analysis" alone. Think of the havoc that an interloper could introduce by scattering weapons from other armies where a target of psychological operations would find them.
In summary, malware analysis is definitely an important part of attribution, but it's not the only part. Malware analysis is also not the only relevant aspect of Google v China. If you address the malware you won't solve the problem. The same goes for any vulnerabilities discovered during this event.
For some related thoughts on profiling an adversary using indicators and not just malware, see Mike Cloppert's post Security Intelligence: Attacking the Kill Chain.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Is APT After You?

By Richard Bejtlich

Jeremiah Grossman made the following request via Twitter today:
@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions
Tough but great questions. I better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first.
As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies various codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't cite that here.
Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting links the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intrusion sets," but they are not related to the current threat.
As far as other names for APT, they exist but are not shared with the public. Just as you might maintain code names for various intrusion sets or campaigns within your CIRT, various agencies track the same using their own terms. This can cause some confusion when different CIRTs try to compare notes, since none of us speak of the private names unless in an appropriate facility. The Air Force invented "APT" as an unclassified term that could be used to quickly keep various parties on the same page when speaking with defense partners.
Regarding who may be an APT target, I liked Steven Adair's Shadowserver post. The way most organizations learn that they have a problem is by receiving an external notification. The FBI and certain military units have been fairly active in this respect for the previous three years. This marks quite a change in the relationship between the US government and private sector, and it's not limited to American companies. A little searching will reveal reports of other governments warning their companies of similar problems.
If your organization has not been contacted by an external agency, you might want to look at the potential objectives that I posted in What is APT and What Does It Want? Does your organization possess data that falls into one of the political, economic, technical, or military categories that could interest this sort of threat? Overall, my assessment of APT progress can be summarized this way:

  • Phase 1, late 1990s: mainly .mil
  • Phase 2, 2000-2004: .gov added to target list
  • Phase 3, 2005-2009: cleared defense contractors, research institutes, political and infrastructure added to target list (significant expansion)
  • Phase 4, 2010- ? : expansion only limited by resources?

Probably the next best way to determine if you are a target is to join whatever industry groups you can find and network with your peers. Develop relationships such that your peers feel comfortable sharing threat information with you. Do the same with government actors, especially the FBI. Many times these agencies are just sitting on data trying to figure out the right contacts.
I would beware of organizations that claim any product they sell will "stop APT" or "manage APT" or act as another silver bullet. We're already seeing some vendors jump on the counter-APT bandwagon with little clue what is happening. There are a couple of consultancies with deep knowledge on this topic. I'm not going to name them here but if you review the Incident Detection Summit 2009 agenda you can find them.
The degree of counter-APT experience on the speaker list varies considerably, but you can try using that list to validate if Company X has any relationship whatsoever to this problem. That doesn't mean companies or organizations not listed as speakers are "clueless;" a lot of counter-APT activity is simply "good IT." However, you shouldn't expect a random consultant to be able to sit down and explain the specifics of this problem to your CIO or CEO. Incidentally this is NOT a commercial for my company; I run an internal CIRT that only protects our assets.


Review of Inside Cyber Warfare Posted

By Richard Bejtlich

Amazon.com just posted my three star review of Jeff Carr's Inside Cyber Warfare. From the review:
Jeff Carr is a great digital security intelligence analyst and I've been fortunate to hear him speak several times. We've also separately discussed the issues he covers in Inside Cyber Warfare (ICW). While I find Jeff's insights very interesting and valuable, I think his first book could have been more coherent and therefore more readable. I believe Jeff should write a second edition that is more focused and perhaps more inclusive.


Bejtlich Teaching at Black Hat EU 2010

By Richard Bejtlich

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.
After Black Hat DC comes Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain.
I will be teaching TCP/IP Weapons School 2.0.
Registration is now open. Black Hat set five price points and deadlines for registration.

  • Super early ends 1 Feb
  • Early ends 1 Mar
  • Regular ends 1 Apr
  • Late ends 11 Apr
  • Onsite starts at the conference

Seats are filling -- it pays to register early!
If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.
Feedback from my 2009 sessions was great. Two examples:
"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)
"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)
If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.
I recently described differences between my class and SANS if that is a concern.
I will also be teaching in Barcelona and Las Vegas, but I will announce those dates later.
I look forward to seeing you. Thank you.


What Is APT and What Does It Want?

By Richard Bejtlich

This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that.
I think many of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't know. There are some exceptions worth noting!
One company that occupies a unique position with respect to this problem is Mandiant. Keep an eye on the APT tag of their M-unition blog. Mandiant's role as a consulting firm to many APT victims helps them talk about what they see without naming any particular victim.
I also recommend following Mike Cloppert's posts. He is a deep thinker with respect to counter-APT operations. Incidentally I agree with Mike that the US Air Force invented the term "advanced persistent threat" around 2006, not Mandiant.
Reviewing my previous blogging, a few old posts stand out. 4 1/2 years ago I wrote Real Threat Reporting, describing the story of Shawn Carpenter as reported by Time magazine. Back then the threat was called "Titan Rain" by Time. (This reflects the use of a so-called "intrusion set" to describe an incident.) Almost a year later Air Force Maj Gen Lord noted "China has downloaded 10 to 20 terabytes of data from the NIPRNet. They're looking for your identity, so they can get into the network as you."
Now we hear of other companies beyond Google involved in this latest incident, including Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, Juniper Networks, and "human rights groups as well as Washington-based think tanks." (Sources 1 and 2.)
Let me put on the flight cap of a formally trained Air Force intelligence officer and try to briefly explain my understanding of APT in a few bullets.

  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:
  • Political objectives that include continuing to suppress its own population in the name of "stability."
  • Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.
  • Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.
  • Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Notice "stealing money" is not listed here. Although threats exist that target cash, those groups are not considered "APT".
Footnote: my Google query for advanced persistent threat that omits a few organization names (including this blog) now yields 169 non-duplicative hits as of this writing, up from 34 in July 2009.


Why Google v China is Different

By Richard Bejtlich

I've been reading various comments on the Google v China issue. One caught my eye:
Security experts say Google cyber-attack was routine
"This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure.
"Most companies just never go public," he added.

In some ways this comment is true, and in other ways I think it can mislead some readers. I believe it is true in the sense that many organizations are dealing with advanced persistent threats. However, I believe this comment leads some readers to focus incorrectly on two rather insignificant aspects of the Google incident: vulnerabilities and malware.
On the vulnerability front, we have a zero-day in Internet Explorer. I agree that this is completely routine, in a really disappointing way.
On the malware front, we have code submitted to Wepawet. I agree that this is also not particularly interesting, although I would like to know how it ended up being posted there!
Five issues make Google v China different for me.

  1. The victim made a public statement about the intrusion. I read that this was a difficult decision to make and it took strong leadership to see it through:
    Google Inc.'s startling threat to withdraw from China was an intensely personal decision, drawing its celebrated founders and other top executives into a debate over the right way to confront the issues of censorship and cyber security.
    Google's very public response to what it called a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" was crafted over a period of weeks, with heavy involvement from Google's co-founders, Larry Page and Sergey Brin.
  2. The victim is not alone. Google isn't alone in the sense that firms suffering from Conficker last month weren't alone, i.e., this isn't a case of widespread malware. Instead, we're hearing that multiple companies are affected.
  3. The victim is not a national government. Don't forget all the China incidents involving national governments that I followed from summer 2007 through 2008.
  4. The victim named the perpetrator. This amazes me. We need more of this to happen. By doing so a private company influenced a powerful policy maker to issue a statement of a diplomatic nature.
  5. The victim could suffer further damage as a result of this statement and decision. Every CIO, CTO, CSO, and CISO magazine in the world talks about "aligning with business," blah blah. Business is supposed to rule. Instead, we have a situation where the self-reported "theft of intellectual property from Google" plus "accessing the Gmail accounts of Chinese human rights activists" resulted in a business decision to alter and potentially cancel operations. That astounds me. You can claim Baidu is beating Google, but I don't buy it as the real reason Google is acting like this.

Bravo Google.


Security Team Permissions

By Richard Bejtlich

Every so often I receive questions from blog readers. The latest centered on the following question:
What level and extent should a security team and investigators be allowed to operate without having to ask for permission?
This is an excellent question, and as with most issues of authority it depends on the organization, its history, culture, purpose, and people.
From the perspective of the security team, I tend to want as much access as is required to determine the security state of an asset. That translates into being able to access or discover evidence as quickly and independently as possible, preferably in a way that involves no human intervention aside from the query by the security team. When the security analyst can retrieve the information needed to make a decision without asking for human permission or assistance, I call that self-reliant security operations. Anything short of that situation is suboptimal but not uncommon.
Simultaneously, I want the least amount of access needed to do the work. If the security team can get what it needs with a read-only mechanism, so much the better. I actively avoid powerful or administrative accounts. Possessing such accounts is usually an invitation to being blamed for a problem.
Assume then that there is a situation where the security team believes it needs a certain elevated level of access in order to do its mission. In my experience, it is rare to obtain that permission by making some sort of intellectual or process-oriented argument. Rather, the security team should make a plan and justify the need for such access, but wait for an intrusion to occur that demonstrates why elevated access would improve the incident detection and response process.
In many cases, management with authority to grant or expedite granting access lacks the focus or mental environment ready to think about making changes until an incident rocks their world. Once management is ready to devote attention to a problem, they are often eager to hear of changes that would improve the situation. At that point one should make a case for the new capability. We see this pattern repeatedly in high-profile security cases; airline travel is the most obvious.
Aside from waiting for a catastrophe, the next-best option is to collect some sort of metric that shows how the current suboptimal state of affairs should be unacceptable to management. If you could show a substantial decrease in response time, an increase in capability, a decrease in cost, etc., you might be able to convince management to make a change without resorting to an incident scenario. This second option is less likely to work than the disaster method, but at the very least it does lay useful groundwork prior to an incident.


Friday is Last Day to Register for Black Hat DC at Reduced Rate

By Richard Bejtlich

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.
First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA.
I will be teaching TCP/IP Weapons School 2.0.
Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left.

  • Regular ends 15 Jan
  • Late ends 30 Jan
  • Onsite starts at the conference

Seats are filling -- it pays to register early!
If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.
Feedback from my 2009 sessions was great. Two examples:
"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)
"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)
If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.
I will also be teaching in Barcelona and Las Vegas, but I will announce those dates later.
I strongly recommend attending the Briefings on 2-3 Feb. Maybe it's just my interests, but I find the scheduled speaker list to be very compelling.
I look forward to seeing you. Thank you.


SecurityFocus

SecurityFocus News


Brief: MS readies patch, as fraudsters target IE flaw

Brief: Attack on IE 0-day refined by researchers

Brief: Law firm suing China suffers attack

Brief: IE flaw gave attackers entry, says McAfee

Security - RSS Feeds

Microsoft Patches IE Security Vulnerability Involved in Google Attack

Microsoft issued a patch today to close a security hole in Internet Explorer (IE) linked to the recent attacks on Google and other companies. The update addresses 7 other vulnerabilities as well.
- Microsoft issued an emergency fix today to patch the Internet Explorer vulnerability at the center of a spate of cyber-attacks against Google, Adobe Systems and dozens of other companies. The update actually addresses a total of eight vulnerabilities in Internet Explorer (IE), the mos...

How to Protect Against Insider Security Breaches

One of the most common ways of preventing insider security breaches is to have an auditing system in place, which monitors who is doing what within the system. Another method of preventing insider security breaches is to implement a system of job rotation or separation of duties. But Multi-Party Authorization is a better method for proactively preventing insider security breaches because, as Knowledge Center contributor Craig Palmore explains here, Multi-Party Authorization requires two or more people in order to allow access to certain sensitive files.
- XYZ Corporation's trusted employee, Harry, scanned his computer screen, whistling through his teeth. "Nearly there now," he thought. "Just a few more clicks and I'll get what I need to know. They're going to pay me for what I find out." Harry's fingers flew over the keyboard,...

Microsoft IE Patch for Zero-Day Vulnerability Coming Jan. 21

Microsoft is releasing a patch to plug the Internet Explorer security hole exploited in a spate of cyber-attacks against Google and others.
- Microsoft will release an out-of-band patch Jan. 21 to fix the Internet Explorer vulnerability at the center of recent attacks on Google and other enterprises. According to Microsoft, the patch is slated to be ready around 1 p.m. EST. If all goes according to plan, the patch will close a hole ...

IBM Acquisition to Expand Public Sector Services Business

IBM has agreed to buy National Interest Security Company (NISC) to bolster its ability to offer services to the public sector. The deal is expected to be finalized in the first quarter.
- IBM today announced it has agreed to acquire National Interest Security Company, LLC (NISC) to bolster its advanced analytics business as it takes aim at the public sector. The financial terms of the deal were not disclosed. However, NISC's bread and butter is providing IT, information management...

10 Security, Quality Issues Microsoft Must Address Quickly

News Analysis: Microsoft is having a rough start to 2010. The company is facing criticism over a security issue in Internet Explorer, regulators have it under the microscope, and Windows Mobile 7 is still nowhere to be found. Microsoft needs to do something soon or see its credibility with customers continue to erode.
- Microsoft is all over the news this week, but unfortunately for the company, it's for the wrong reasons. Early this week it was revealed that a security flaw in Internet Explorer opened the way for cyber attacks on Google users and some corporate networks. Now officials in France and Germany ...

Microsoft Preps IE Patch for Google Attack Vulnerability

Microsoft is planning an out-of-band patch for the Internet Explorer vulnerability attackers exploited to hit Google and other companies.
- Microsoft plans to release an out-of-band patch to plug the zero-day security hole exploited recently in attacks on Google and other companies. George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Security group, announced that Microsoft would offer a timeline for the pat...

eWEEK's Products to Watch January 2010

Each month, eWEEK editors name new or newly updated enterprise-class products that we think should be on IT professionals' radars-products and services that promise to create efficiencies as well as competitive advantage. This month, eWEEK recommends checking out 3PAR's Autonomic Groups, Black Box's Veri-NAC family of access control products, Zenoss' Zenoss Enterprise 2.5, Sophos' Endpoint Security and Data Protection 9, Vorex's Vorex 2.5, Greenview Data's Greenview Data Encryption Service, SailPoint's IdentityIQ 4.0, WatchGuard's WatchGuard XCS, Splunk's Splunk 4 Free, Gideon Technologies' SecureFusion, Xerox's Phaser 6140, KnowledgeTree's KnowledgeTree 3.7 and Knowledge Tree CP, Fortify's Fortify on Demand, BP Logix's Process Director 1.0, Motorola's MC3090-Z RFID reader and TmaxSoft's OpenFrame 6.0.

Foreign Journalists' Gmail Hijacked in China

The Foreign Correspondents' Club of China said correspondents working in bureaus in Beijing had their Google Gmail accounts hijacked.
- An association of journalists based in Beijing said reporters have recently had their Google Gmail accounts hijacked. In a statement, the Foreign Correspondents' Club of China (FCCC) stopped short of accusing the Chinese government or any other entity of taking part in the hijacking, but w...

France, Germany Say Avoid IE Until Security Vulnerability Patched

France and Germany are advising users to switch from Internet Explorer to another Web browser until Microsoft patches the zero-day vulnerability linked to attacks on Google and others.
- France and Germany have advised their citizens to ditch Internet Explorer in the wake of reports that an IE zero-day bug was involved in the massive cyber-attack against Google and other companies. Officials in both countries issued warnings in the past few days telling users to consider ...

Exploit Code from Google Attack Goes Public on Web

Attack code linked to the Internet Explorer vulnerability exploited by hackers in recent cyber-attacks against dozens of companies is circulating on the Internet.
- Attack code targeting the Internet Explorer vulnerability used to hit Google and other companies has hit the Web. According to McAfee, researchers have seen references to the code which exploits an unpatched vulnerability in Microsoft Internet Explorer on mailing lists and have confirmed that t...

U.S. to Seek Cyber-attack Explanation from China

Updated: State Department spokesperson Philip Crowley says the United States will lodge a formal complaint against China regarding cyber-attacks that struck Google, Adobe Systems and dozens of other companies.
- The United States plans to ask China for an explanation regarding the cyber-attacks that recently hit Google, Adobe Systems and dozens of other companies. In remarks Jan. 15 to the press, State Department spokesperson Philip Crowley said the United States will be issuing a formal demarche to...

IETF Completes Fix for SSL Security Vulnerability

A fix that addresses a security vulnerability that could threaten SSL-protected Websites has been given the greenlight.
- The Internet Engineering Task Force (IETF) has finished work on a fix to a vulnerability in the Secure Sockets Layer protocol security researchers uncovered last August. The vulnerability partially invalidates the SSL lock and allows attackers to compromise sites that use SSL for security inc...

McAfee Says Cyber-attack Details Point to IE Security Vulnerability

Updated: Security vendor McAfee is reporting that the cyber-attack that hit more than 30 businesses, including Google and Adobe Systems, involved the use of a zero-day exploit targeting Internet Explorer.
- The more details that leak out about the cyber-attack that hit Google, Adobe Systems and roughly 30 other companies, the more complex the picture gets. According to a Jan. 14 analysis by McAfee, which has dubbed the situation "Operation Aurora," one of the malware samples involved in ...

Security

The Art of Technology

feature: Locating and managing the IS security function

By editors@arstechnica.com (Ars Staff) on @attns

Deciding that you need an Information Systems (IS) security function within your business is easy. Deciding where to put it and how to manage it isn’t nearly as straightforward. Security, IT, and even Engineering all bring value to the table, but they also bring their own unique priorities, biases, and politics. Let’s examine the variables, review some options, and offer some suggestions for where to put IS Security in your org chart.


Microsoft patching "Google hack" flaw in IE tomorrow

By p_emil@hotmail.com (Emil Protalinski) on internetexplorer

Microsoft has issued an Advanced Notification for the out-of-band security bulletin it is releasing tomorrow for Internet Explorer at approximately 10 am PST. The patch will fix vulnerabilities in IE6, IE7, and IE8 on supported editions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2—vulnerabilities notably exploited in the recent series of Chinese-based attacks against Google and 30 other tech companies.

Microsoft has previously insisted that the publicly posted exploit code only affects IE6 and as such recommended that its users upgrade. While the software giant says the attacks it sees in the wild are still only successful against IE6, Redmond has rated the flaw "Critical" for all versions of the browser.

"This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical," a Microsoft spokesperson told Ars. "It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized."

The fact that the update is being released out-of-band (meaning that Microsoft is not going to wait until its next Patch Tuesday on February 9) shows how seriously the company is taking this particular vulnerability. The company admitted that its own investigations into the highly organized hacking attack in late December against various companies (including Google) had concluded that a Remote Code Execution vulnerability in IE was used by the perpetrators. That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory.

We will update this post when Microsoft releases the patch for all supported versions of Windows. The company will also be hosting a webcast to address customer questions on the out-of-band bulletin tomorrow at 1:00 PM Pacific Time (US and Canada).

Microsoft investigates 17-year-old Windows flaw

By p_emil@hotmail.com (Emil Protalinski) on windows

Reports have surfaced about a new security hole that has been in Windows since the release of Windows NT 3.1 on July 27, 1993. The vulnerability is present in all 32-bit versions of Windows released since then, including all supported versions: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Microsoft has issued Security Advisory (979682) to address the elevation of privilege vulnerability in the Windows kernel, making sure to note that 64-bit versions of Windows, including Windows Server 2008 R2, are not affected.

Thankfully, the flaw isn't in a commonly used application but in the Virtual DOS Machine (VDM) used to support 16-bit applications. There are several vulnerabilities in this implementation, according to Google security team member Tavis Ormandy, who found the issues.

An unprivileged 16-bit program can manipulate the kernel stack of each process, potentially enabling attackers to execute code at system privilege level. The exploit can be used to open a command prompt with the highest privilege level.

Ormandy claims he informed Microsoft of this hole on June 12, 2009, and the company confirmed receiving his report 10 days later, but it has yet to fix the issue.

"Microsoft is investigating new public claims of a possible vulnerability in Windows," a Microsoft spokesperson told Ars. "We are currently not aware of active attacks against this vulnerability and believe risk to customers, at this time, is limited. To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system. To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications, can disable the NTVDM subsystem." Microsoft will either provide a security update on Patch Tuesday or issue an out-of-band security update (less likely).

Despite the fact that there is no patch available from Microsoft, Ormandy decided to publish the information because he believes the workaround is simple enough: disable the MS-DOS subsystem.

"As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch," he writes in his disclosure. "It should be noted that very few users rely on NT security; the primary audience of this advisory is expected to be domain administrators and security professionals."

To enable the workaround, use the policy template "Windows Components\Application Compatibility\Prevent access to 16-bit applications" within the group policy editor to prevent unprivileged users from executing 16-bit applications.
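The following PowerShell is an added example for auditing and applying that workaround across a fleet; it is not from the Ars article or from Microsoft's advisory. It assumes the "Prevent access to 16-bit applications" policy maps to the registry value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, which is stated here from memory of the advisory rather than from the page and should be confirmed against it.

```powershell
# Added example: audit and apply the NTVDM workaround from Security Advisory 979682.
# Assumption (verify against the advisory): the Group Policy setting
# "Prevent access to 16-bit applications" writes the DWORD value below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'VDMDisallowed'

function Test-Is64BitWindows {
    # 64-bit Windows has no NTVDM subsystem and is not affected by this flaw.
    # Uses environment variables so it also works on PowerShell 2.0 / .NET 3.5 era hosts.
    return ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($null -ne $env:PROCESSOR_ARCHITEW6432)
}

function Get-NtvdmWorkaroundState {
    # Returns whether this host is in scope and whether the policy is already applied.
    if (Test-Is64BitWindows) {
        return [pscustomobject]@{
            Affected  = $false
            Mitigated = $true
            Detail    = '64-bit Windows: NTVDM subsystem not present'
        }
    }
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $mitigated = ($value -eq 1)
    $detail = if ($mitigated) {
        "$PolicyName=1: unprivileged users cannot launch 16-bit applications"
    } else {
        "$PolicyName not set: NTVDM reachable by any local user"
    }
    return [pscustomobject]@{ Affected = $true; Mitigated = $mitigated; Detail = $detail }
}

function Enable-NtvdmWorkaround {
    # Applies the policy value; requires an elevated session. Blocks all 16-bit
    # applications for non-administrators, so inventory legacy DOS/Win16 software first.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    return Get-NtvdmWorkaroundState
}

# Report current state; uncomment the second line to enforce the workaround.
Get-NtvdmWorkaroundState | Format-List
# Enable-NtvdmWorkaround | Format-List
```

On a domain, the same value is better delivered through the Group Policy setting named above so that it is re-applied on every policy refresh; this script is for spot checks and standalone hosts.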

After Google hack, Microsoft asks users to abandon IE6, XP

By p_emil@hotmail.com (Emil Protalinski) on windowsxp

Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.

On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly published exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE).


Microsoft warns of IE bug used in Chinese attacks on Google

By p_emil@hotmail.com (Emil Protalinski) on internetexplorer

Microsoft has issued Security Advisory (979352) after its own investigations into the highly-organized hacking attack in late December, the one that Google earlier this week insinuated came from China, led the software giant to conclude that a Remote Code Execution (RCE) vulnerability in Internet Explorer was used by the perpetrators.

"The company has determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks targeted against Google and other corporate networks," a Microsoft spokesperson told Ars. "Microsoft continues to work with Google, other industry partners and authorities to actively investigate this issue. To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE6."

While Microsoft says it is only aware of limited, active attacks attempting to use this vulnerability in IE6, and has not seen attacks against other versions of IE, the vulnerability is not limited to version 6, according to the security advisory. Internet Explorer 5.01 on Windows 2000 SP4 is not affected, but IE6 on Windows 2000 SP4, as well as IE6, IE7 and IE8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are all affected.

"The vulnerability exists as an invalid pointer reference within Internet Explorer," the advisory reads. "It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

Microsoft did not give any workarounds for the flaw in the security advisory, but it did list five mitigating factors:

  • Protected Mode in IE7 on Windows Vista limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a webpage that is used to exploit this vulnerability or do so via a webpage that accepts or hosts user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these websites and would have to convince them to do so, which is typically achieved via an e-mail or instant message.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, all supported versions of Outlook, Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Microsoft says it will continue to monitor the situation and will either post a patch on Patch Tuesday or will release an out-of-cycle security update. We will keep you posted when Microsoft does release an update.

Online scammers try to hijack Haiti donation bandwagon

By jacqui@arstechnica.com (Jacqui Cheng) on scam

News of this week's devastating earthquakes in Haiti spread quickly across the Internet as people looked for ways to help in the recovery efforts from home. As usual, scammers have seized the opportunity to take advantage of search engine trends by setting up fake charity sites and sending out spam soliciting donations that will go anywhere but Haiti.

Scammers pop up anytime something significant happens, whether it's a natural disaster or the death of a celebrity, trying to redirect users to their just-registered domains to infect people with malware. Disasters such as the Haiti quakes, though, have the added benefit of concerned citizens wanting to donate money—indeed, as we learned during Hurricane Katrina, large numbers of ignorant Internet users were duped by fake donation sites and ended up sending their money to those with ill intentions instead of charities that could help those in need. And not all of them are obvious scams, either—one e-mail circulating in the UK claims to come from the British Red Cross and even displays the real Red Cross address in London, but directs users to a different domain when they try to click through.


Researchers identify command servers behind Google attack

By segphault@arstechnica.com (Ryan Paul) on Security

VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.

Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort.

"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.

The iDefense report initially stated that malicious PDFs were crafted to deploy the malware that was used in the attack. Adobe disputed that claim and issued a statement saying that they have found no evidence that their technology was used as an attack vector. This is supported by independent research conducted by security firm McAfee, which has found evidence that a vulnerability in Internet Explorer—but not Acrobat Reader—was exploited in the attack. iDefense later retracted its claim about PDFs, but stands behind the rest of its report.

The researchers have determined that there are significant similarities between the recent attack and a seemingly related one that was carried out in July against a large number of US companies. Both attacks were apparently managed through the same command-and-control servers.

"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."

If the report's findings are correct, it suggests that the government of China has been engaged for months in a massive campaign of industrial espionage against US companies.

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

PhoneFactor bolsters authentication using voiceprint identification

By Robert Westervelt

The telephone-based out-of-band authentication vendor adds voice recognition technology for banks and government agencies.

Microsoft emergency IE update to block latest corporate attacks

By Robert Westervelt

Patch being released Thursday repairs multiple flaws in Internet Explorer, including a zero-day vulnerability being exploited in ongoing attacks against corporate users.

Microsoft to release emergency Internet Explorer update

By Robert Westervelt

Patch will block ongoing attacks targeting Internet Explorer 6. Exploit code is available targeting all versions of IE.

Security architects fear savvy botnet attacks, IPv6 security issues

By Robert Westervelt

Arbor Networks Inc. survey finds angst over botnet attacks targeting underlying systems, including DNS, load balancers and other back-end infrastructure.

Latest zero-day attacks only target IE 6, Microsoft says

By Robert Westervelt, News Editor

Security protections in newer versions of Internet Explorer help defend against ongoing attacks. Software giant urges users to implement workarounds.

Social networking security: Twitter, Facebook hacker attacks climbing

By Maggie M. Wright

Roundup: Get the latest news on social networking security and stay up to date on the tactics, methods and techniques that cybercriminals are using to break into Twitter, Facebook, and other social network accounts to steal data.

Microsoft issues advisory on Internet Explorer zero-day

By Robert Westervelt

Targeted attacks against Google, Adobe and other firms used a hole in Internet Explorer. The flaw affects nearly all versions of the browser.

Hackers used IE zero-day in Google, Adobe attacks, McAfee says

By Robert Westervelt, News Editor

The recent targeted attacks against Google, Adobe and possibly dozens of other firms used an unpatched vulnerability in Internet Explorer, according to researchers at McAfee.

Self-defending Web applications thwart attacks

By Robert Westervelt

Michael Coates, a volunteer with OWASP, is leading a project that helps developers inject code into applications to give them self-defense mechanisms.

SANS RSS Feed

SANS NewsBites

All Stories From Vol: 12 - Issue: 5

Google Has No Immediate Plans to Leave China (January 18, 2010)

According to a Reuters news service report, Google says it is not leaving China and is instead seeking to negotiate with authorities there over the next several weeks regarding information filtering restrictions.......

France and Germany Warn Users Against IE Until Fix is Available (January 16 & 18, 2010)

Germany and France have both issued warnings urging computer users not to use Internet Explorer (IE) until a fix for a zero-day flaw is available.......

UK Man Acquitted in Filesharing Case (January 15 & 18, 2010)

A UK man has been acquitted of charges in the country's first music file sharing trial.......

US Will Send Official Protest to China Over Attacks (January 15, 16 & 18, 2010)

The US government plans to issue an official protest to China's government regarding the cyber attacks against Google and more than 30 other US companies that are alleged to have originated in China.......

Google Attack May Have Had Inside Help (January 18 & 19, 2010)

Google China is investigating allegations that company insiders abetted the attacks.......

Researchers Say Malware Used in Google Attack is Too Sophisticated for Amateurs (January 15, 2010)

According to researchers brought in to investigate the attack on Google, the malware used to exploit a zero-day vulnerability on Internet Explorer (IE) is too sophisticated for run-of-the-mill attackers to have developed; they surmise that the code was designed and deployed with the support of Chinese authorities.......

IE Exploit Code in the Wild (January 15 & 18, 2010)

Exploit code for the zero-day Internet Explorer (IE) vulnerability used to launch attacks against Google and other US companies has been made available on the Internet, increasing the likelihood that broader attacks will follow.......

Microsoft Working on Fix for Zero-Day IE Flaw (January 13, 2010)

Microsoft has issued a security advisory warning of a zero-day Internet Explorer vulnerability that was allegedly exploited to launch attacks on Google and more than 30 other US companies.......

DoD Contractors Receiving Malicious PDF Attachments (January 18, 2010)

Cyber attackers have targeted US Defense Department (DoD) contractors with emails that appear to come from the DoD and have malicious PDF attachments.......

FCC Proposed Rulemaking on Net Neutrality Generates Strong Comments (January 15, 2010)

Comments have poured in to the US Federal Communications Commission (FCC) in response to its notice of proposed rulemaking on net neutrality.......

Lincoln National Warns Customers of Potential Data Security Breach (January 14 & 15, 2010)

Lincoln National Corp.......

Guilty Plea in Spam Case (January 15, 2010)

A Romanian man has pleaded guilty in court in US District Court in Bridgeport, Connecticut to conspiracy to commit fraud related to spam.......

IETF Finishes SSL Fix (January 12 & 14, 2010)

The Internet Engineering Task Force (IETF) has completed a fix for a vulnerability in the secure sockets layer (SSL) protocol that was disclosed last summer.......

Google Considering Leaving China (January 12, 2010)

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether.......

Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others (January 14, 2010)

Attackers exploited a zero-day vulnerability in Internet Explorer (IE) to launch attacks on Adobe, Google and about 30 other US companies.......

UK ICO Will Have Authority to Levy Fines Up to GBP 500,000 (US $817,000) (January 14, 2010)

As of April 6, 2010, the UK Information Commissioner's Office (ICO) will have the authority to fine organizations up to GBP 500,000 (US $817,000) for violations of the Data Protection Act.......

Connecticut AG Sues Health Net for HIPAA Violations (January 14, 2010)

Connecticut Attorney General Richard Blumenthal plans to sue Health Net for failing to protect personally identifiable information of nearly 450,000 Connecticut residents.......

DarkMarket Member Sentenced to Prison (January 14, 2010)

A UK man has been sentenced to 10 years in prison for his role in the creation and operation of the DarkMarket site.......

Google to Enable HTTPS on All Gmail Traffic by Default (January 13, 2010)

Google plans to start using HTTPS technology to encrypt all Gmail traffic by default.......

Chinese Search Engine Baidu Attacked (January 12 & 13, 2010)

A deliberate attack is suspected to be the reason China's top search engine Baidu was unavailable earlier this week.......

US Army Website Vulnerable to SQL Injection Attack (January 12, 2010)

A hacker has posted proof-of-concept exploit code for an SQL injection vulnerability in a US Army military housing website.......

Microsoft, Adobe and Oracle Release Security Updates (January 12, 2010)

On Tuesday, January 12, Microsoft issued one security bulletin to address a critical flaw in Windows 2000; the vulnerability was rated low for other supported versions of the operating system.......

Intruders Steal Bank Login Data (January 12, 2010)

Attackers gained access to a server at a small New York state bank and made off with login information for 8,600 accounts.......

SANS Internet Storm Center, InfoCON: green

* Microsoft Out Of Band Patch Release, (Thu, Jan 21st)

Microsoft released the out of band security bulletin and patch it announced yesterday. MS10-002 is a ...(more)...

Microsoft January Out of Band Patch, (Thu, Jan 21st)

Overview of the Out of band January 2010 Microsoft patch and status. ...(more)...

Security Update Available for Shockwave Player, (Thu, Jan 21st)

Rex and Chris (thank guys!) wrote in to tell us that Adobe has released a security update for Shockw ...(more)...

New Microsoft Advisory: Vulnerability in Windows Kernel Privilege Escalation (CVE-2010-0232), (Thu, Jan 21st)

Yesterday, we reported about a new Windows Kernel vulnerability [1] . The vulnerability affects all ...(more)...

New stable version of Nmap (5.20) available for download: http://nmap.org/download.html, (Wed, Jan 20th)

...(more)...

Using Curl to Retrieve Malicious Websites, (Wed, Jan 20th)

Here's how to use Curl to download potentially-malicious websites, and why you may want to use this ...(more)...

Microsoft Announces Out-of-Band Security Bulletin for the IE Vulnerability, (Wed, Jan 20th)

Microsoft posted an advance notification of one out-of-band security bulletin that Microsoft i ...(more)...

Weathering the Storm Part 1: An analysis of our SANS ISC weblogs http://appsecstreetfighter.com, (Wed, Jan 20th)

------ Johannes B. Ullrich, Ph ...(more)...

When Rogue On-Line Pharmacies Take Over Forum Discussions, (Wed, Jan 20th)

Rogue on-line pharmacy sites, claiming to sell legitimate medicine to naive shoppers, continue to ...(more)...

Security Patch for BIND 9.6.1 Released, (Wed, Jan 20th)

Internet Systems Consortium (ISC) announced the release of the BIND 9.6 ...(more)...

Apple Security Update 2010-001, (Tue, Jan 19th)

In an effort not to be left out, Apple has released Security Update 2010-001 which patches a dozen v ...(more)...

Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released, (Tue, Jan 19th)

In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulne ...(more)...

The IE saga continues, out-of-cycle patch coming soon, (Tue, Jan 19th)

No, there still isn't a patch, but there will be one before the regular Microsoft patch day in ...(more)...

49Gbps DDoS, IPv4 exhaustion, and DNSSEC, oh my!, (Tue, Jan 19th)

Arbor has released their 2009 Worldwide Infrastructure Security Report and it is an interesting read ...(more)...

Forensic challenges, (Tue, Jan 19th)

Even when I am doing some of it as part of my day job, I still enjoy participating in, and ...(more)...

Uplift in SSH brute forcing attacks, (Mon, Jan 18th)

A number of our readers have submitted that they have both experienced, or noticed the uplift in sou ...(more)...

Buffer overflow in Quicktime, (Sun, Jan 17th)

A Dutch reader, G. Smit, gave us a heads up about a remotely exploitable vulnerability in Quicktime ...(more)...

Why not Yellow?, (Sun, Jan 17th)

A few people have written in to ask us why we have not gone to Infocon Yellow regarding the IE ...(more)...

Exploit code available for CVE-2010-0249 , (Fri, Jan 15th)

The details for CVE-2010-0249 aka Microsoft Security Advisory 979352 (http://www.microsoft ...(more)...

Clearing some things up about Adobe, (Fri, Jan 15th)

The word Adobe conjures up a number of meanings here. When we get an email that ...(more)...

Doing the Right Thing, (Fri, Jan 15th)

Disclaimer: the author speaks from his experience both responding to national disasters with the Ame ...(more)...

0-day vulnerability in Internet Explorer 6, 7 and 8, (Thu, Jan 14th)

Microsoft just published an advisory about a critical security vulnerability in all versions of Inte ...(more)...

DRG (Dragon Research Group) Distro available for general release, (Thu, Jan 14th)

The Dragon Research Group is a volunteer research organization dedicated to further understanding of ...(more)...

Rogue AV exploiting Haiti earthquake, (Thu, Jan 14th)

Just when you think they couldn't possibly go any lower. ...(more)...

The Register

The Register - Security

Biting the hand that feeds IT

RockYou hack reveals easy-to-crack passwords
ABC, easy as 123

Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy-to-guess login credentials.…

Exeter Uni goes offline to fight mystery malware
Great late coursework excuse

The University of Exeter took the unusual step of temporarily taking its network down this week in response to a virulent virus outbreak.…

Cardiff tops UK plastic fraud list
Er, in your face, London!

Cardiff has displaced London as the worst place in the UK for card fraud, according to a new survey of fraud hotspots.…

Cyber sleuth sees China's fingerprints on 'Aurora' attacks
Jury still out

A security researcher who reverse engineered code used to attack Google and other large companies has said he found what he believes are the fingerprints of Chinese hackers.…

Targeted attacks replace botnet floods in telco nightmares
We the IPv6-unready

Targeted attacks against backend systems have replaced botnet-powered traffic floods as the main concerns for security staff at telcos and large ISPs.…

Microsoft will issue emergency IE patch on Thursday
Copycat hackers, take notice

Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.…

Adobe fixes critical Shockwave bugs with neanderthal patch
Manual uninstall required

The critical patches for Adobe Systems software keep coming. This time, they fix serious security bugs in the company's Shockwave Player.…

Baidu sues registrar over DNS records hack
Legal salvo lands in New York

Baidu has filed suit against its US-based domain registrar after a recent DNS records hack that redirected surfers towards a defaced page, instead of the Chinese search engine.…

Modest Apple update slices third-party bugs
Dirty dozen vulns pureed

Apple has pushed out a major security update designed to crush a dozen security bugs, some of which present a critical security risk on unpatched systems. Many of the fixes involve flaws in third-party applications bundled with Mac OS X, rather than flaws in the OS itself.…

New avast freebie security scanner aims to keel-haul MS
Free 5.0 tweaked to work faster on multiple cores

A new version of avast aims to offer users of free anti-malware technology faster running protection against the latest hacking attacks, while offering alternatives to AVG and Microsoft Security Essentials.…

Google: Keep user data safe by letting us hoard it forever
Fleischer demands EU trust Google

Google has sought to turn its China crisis to its advantage by arguing it demonstrates why it should be allowed to hang onto search logs indefinitely.…

BOFH-making bug plugged in D-link update
I'm the king of the... oh

D-Link has plugged a security vulnerability involving protocol handling by some of its wireless routers that creates a potential means for normal users to grab super-user privileges.…

Opera and Firefox downloads soar after IE alerts
The Teutonic Leap

After Microsoft confirmed that a hole in its Internet Explorer browser was used in the December cyber attacks on Google and at least 33 other outfits, a trio of security-conscious nations - Germany, France, and Australia - went so far as to warn their citizens against the use of IE. And that led to a very good week for the likes of Opera and Mozilla.…

Big Brother Blue seeks biometric anti-terror patents
Tracks eyes, breath, aftershave

IBM has filed applications for a dozen patents that seek a whole new level of airport security.…

Windows plagued by 17-year-old privilege escalation bug
All 32-bit versions vulnerable

A security researcher at Google is recommending computer users make several configuration changes to protect themselves against a previously unknown vulnerability that allows untrusted users to take complete control of systems running most versions of Microsoft Windows.…

MS to issue emergency patch for potent IE vuln
Researchers show exploits for IE 7 and 8

Microsoft will release an emergency update that patches the Internet Explorer vulnerability used to breach the security defenses of Google and other large companies.…

New service hamstrings Google data hoarding
All your searches aren't belong to us

Alarmed by the vast amount of personal information Google collects from its users, a hacker has unveiled an anonymization service that prevents the internet giant from tracking searches and websites visited by a specific individual.…

Berserker Bing bots bring down Perl network
When spiders attack!

Misfiring Microsoft search bots managed to render a site used by Perl Testers almost unusable last week.…

Microsoft finally cuts Bing data retention time to six months
Anonymise this!

Microsoft has finally slashed the amount of time it keeps some online search query data to just six months, over a year after it declared it would make the change if the likes of Google and Yahoo! agreed to play ball.…

IE6 exposed as Google China malware unpicked
Why search engine giant was using IE6 remains a mystery

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month.…

Poisoned PDF pill used to attack US military contractors
Yet more cyber-espionage shenanigans

Unidentified hackers are running an ongoing cyber-espionage attack targeting US military contractors…

British government ignores MS browser fears
France, Germany line up to bash Internet Explorer

France and Germany have already told their citizens to avoid Microsoft's Internet Explorer because of a critical hole in the browser, so what does the British government think?…

Yahoo!'s Chinese affiliate disowns parent for siding with Google
Other Tech giants keep mum over China syndrome

Yahoo!'s Chinese affiliate has slammed its part owner for siding with Google in an ongoing row over cyber-espionage attacks on Western businesses, widely blamed on the Chinese government.…

HMRC fraud warning emails baited by phishers
Spotting scams doesn't have to be taxing

UK taxpayers were targeted by a tax fraud scam mail run late last week.…

Palestinian hackers deface Jewish Chronicle
Hacktivists protest Gaza blockade

The Jewish Chronicle website was defaced over the weekend by hackers calling themselves the "Palestinian Mujaheeds" who posted a rant against Israel's blockade of the Gaza Strip.…

ACLU challenges US laptop border searches
Civil liberties assessment still pending

Privacy campaigners are continuing a legal challenge against random laptop border searches by US customs amid concerns there may be a racial bias in those delayed and inconvenienced by stop and search powers introduced as part of the war on terror.…

Exploit code for potent IE zero-day bug goes wild
'Fairly reliable'

Updated Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow.…

Texas Instruments to patch smart meter crypto blunder
Trivial key cracking

Texas Instruments plans to patch a cryptography flaw in a widely used chip that could allow attackers to remotely tamper with electronic power meters and other devices that connect to smart electricity grids.…

US will complain to China about Google hacking
Whatever good that will do

The United States will issue a formal diplomatic note to China expressing concern about cyber attacks that hit Google and dozens of other companies, and that researchers say originated in that country.…

UK.gov dismisses Tory claims UK cyberspace is defenceless
Say what, Dave?

The government has dismissed Tory claims that the UK is not equipped to battle digital attacks on its national security.…

False Moscow CCTV feed scam leads to fraud charges
You've not been framed

The discovery that some CCTV cameras around Moscow streamed prerecorded images, instead of live pictures, has resulted in criminal charges against StroyMontageService, the firm that maintained the network.…

Tories: We will set up a permanent 'War Cabinet'
Cyber, security, defence rebranding policy unveiled

Analysis Today the Conservative Party - the bookies' favourite to be the next government of old Blighty - sets out as much of its plans on national-security matters as it is willing to share before this year's election.…

Iraqi weapons inspector accused in online sex sting
Facing seven years

A former head of UN weapons inspections in Iraq has been charged with child sex offences after being caught in an online sting.…

'Domestic extremism' police called in on climate hack
Animal rights nut squad lends a hand

Norfolk police investigating the "Climategate" hack have called in colleagues from the National Domestic Extremism Team (NDET), it has emerged.…

McKinnon: The longest ever game of pass the parcel
After eight years, the music may finally be stopping

Comment Pentagon hacker Gary McKinnon has won breathing space in his long-running fight against extradition, with news on Wednesday that judges have granted a further judicial review. This time it is to consider whether the Home Secretary was right to disregard medical evidence that he might harm himself or even commit suicide if extradited to the US.…

Cyber attack hits law firm that sued China
Coincidence?

A law firm that filed a lawsuit against the Chinese government says it was hit by a cyber attack that looks strikingly similar to one that targeted Google, Adobe Systems, and 32 other large companies.…

IE zero-day used in Chinese cyber assault on 34 firms
Operation Aurora unveiled

Updated Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday.…

Pizza delivery man cops to life in DarkMarket
Ran 'eBay for criminals' from net cafe

A former London pizza delivery man faces a 10-year prison sentence after admitting he helped found the notorious DarkMarket forum for computer crime, several news sites reported.…

China silent on Google, welcomes compliant internet firms
Washington worries about other stuff for now

China went on a wide-ranging charm offensive today to show the world it is open to the internet and is in fact the biggest victim of hacking attacks.…

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Panel: After Google, others should reconsider China business

Web content providers based in the U.S. should think twice before entering the Chinese market, given a track record of censorship and attempts by the government there to monitor the Internet activities of dissidents, a group of China watchers said Wednesday.

The Great PCI Security Debate of 2010: Transcribed

For those who prefer to read as well as listen, here's a partial transcript of the PCI security debate that appeared on CSO Senior Editor Bill Brenner's Security Insights podcast and Martin McKeay's Network Security podcast.

Military contractors targeted in Chinese attacks, says F-Secure

A security vendor reports that internal systems of U.S. defense contractors have been targeted by hackers believed based in China.

Cardiff becomes UK card crime capital

Credit and debit card fraud is booming in the UK, with Cardiff overtaking London to become the top hotspot, a financial services company has claimed.

What Researchers Are Learning About DDoS Tactics

Two IT security specialists -- one with experience in dealing with DDoS attacks against government systems, the other a specialist from the corporate side -- share what they've learned about the targets chosen for DDoS attacks and how to adjust security strategies based on those lessons. (Second in a series)

Heartland moves to encrypted payment system

Responding to its widely reported and massive data breach that took place a year ago, Heartland Payment Systems will be moving to an end-to-end encryption system for payment transactions, according to Chairman and CEO Robert Carr.

Google, Facebook, and the China Syndrome

So far, 2010 has started off with a bang. Google decides to take on Apple in the ultra-smartphone market, while Apple appears on the verge of creating yet another new market for touchscreen tablet PCs. Google says "bite me" to China, after Chinese cyber attackers target it and three dozen other tech firms. Yahoo chimes in with support for Google and gets spanked by its Chinese partner, Alibaba. This story isn't going away any time soon.

Apple patches 12 Mac bugs in Flash, SSL

Apple on Tuesday patched 12 vulnerabilities in Leopard and Snow Leopard, including seven in Adobe Flash Player and one in the protocol used to secure Internet traffic.

Security researcher IDs China link in Google hack

The malicious software used to steal information from companies such as Google contains code that links it to China, a security researcher said Tuesday.

China's Baidu sues US domain registrar after hack

Top Chinese search engine Baidu.com has sued its U.S. domain registrar over a hack that took down the Web site, alleging negligence by the U.S. company, Baidu said Wednesday.

iPass gives IT more control of mobile access

Mobile connectivity provider iPass, which for many years has consolidated network accounts for workers on the go, is now shifting its focus to helping enterprises manage mobile data use.

Microsoft Promises Early Patch for IE Zero-Day

Microsoft announced that it will release an out-of-band patch--meaning a patch that breaks the standard Patch Tuesday release cycle--to address the Internet Explorer flaw at the heart of the attacks in China against Google and other targets. The announcement was short on details, but Microsoft promised to provide more information on Wednesday.

Hackers hit Network Solutions customers

Hackers have managed to deface several hundred Web sites hosted by Network Solutions, the company said Tuesday.

Three lessons for businesses from the Google attack

The cyberattacks against Google and more than 30 other technology companies by adversaries operating out of China highlight what some call the Advanced Persistent Threat (APT) confronting a growing number of U.S. commercial entities.

Hackers wield newest IE exploit in drive-by attacks

A security researcher said hackers are attacking some PC users by using an Internet Explorer exploit allegedly used last month to break into Google's network.

Microsoft cuts time Bing stores some user data to six months

Microsoft announced plans to cut the length of time it stores IP addresses of Web searchers using its Bing search engine from 18 months to six in a bid to improve its privacy track record.

Virgin Media starts monitoring customers' downloads

Virgin Media is trialling a scheme that will identify whether its broadband customers are illegally downloading.

ISPs could cut spam easily, says expert

Two simple techniques could be used to strangle botnets, a security expert has claimed. First, block email port 25 by default. Second, tell users when they are spewing spam from compromised PCs.

Google to call for creation of EU privacy, security panel

Google needs to keep hold of information about people's search history if it is to combat the sort of hacking it experienced in China last month, the company's top privacy lawyer, Peter Fleischer, said Tuesday.

China: We are biggest victim of cyberattacks

China on Tuesday denied any role in alleged cyberattacks on Indian government offices, calling China itself the biggest victim of hackers.

Windows 7 troubles and business continuity

Do you ever simultaneously feel like an idiot and also grateful that you've done at least something – anything – right?

Google cyberattack investigation includes employees

Google's investigation of a cyberattack that rocked the company's infrastructure in mid-December includes a probe of its staff in China, a source familiar with the investigation said on Monday.

Report: India claims it was also hacked by Chinese

The office of India's National Security Advisor, M.K. Narayanan, and other government offices in India were targeted by hackers believed to be from China, according to a report.

Gmail of foreign journalists in China hijacked

The Gmail accounts of foreign reporters in at least two news bureaus in Beijing have been hijacked, a journalists' group in China said Monday.

What Gmail hack? China spins news of Google threat

Chinese state media has spun Google's threat to leave China as a purely commercial move, as authorities there apparently work to limit discussion of human rights issues raised by Google.

User Authentication No Longer Thwarts Online Bank Thieves

A Gartner analyst says banks need to take more steps to prevent online fraud, because cybercrooks are outmaneuvering current authentication techniques.

European governments warn against Internet Explorer

The French government has become the second in days to warn its citizens to steer clear of all versions of Internet Explorer (IE) until a serious security flaw is fixed in the browser.

U.S. to lodge formal protest with China over alleged cyberattacks

The U.S. will lodge a formal protest with China over the nation's alleged involvement in cyberattacks against Google.

Google runs Microsoft's IE, attacks show

Google's corporate network was hacked because its workers were running rival Microsoft's Internet Explorer browser, a point that didn't escape the notice of security researchers and Web users.

Is Google hack an attack on cloud computing?

Industry observers debate whether the Google hack reveals security flaws in cloud computing.

Financial firm notifies 1.2M after password mistake

A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers.

Alibaba calls Yahoo's support of Google 'reckless'

Alibaba Group, the owner of Yahoo China, rejected as "reckless" a Yahoo statement supporting Google's stance in the country, after Google said it was hit by cyberattacks from China and may cease business there.

Vendor retracts claim of Adobe flaw's part in Google attack

A vendor that earlier this week claimed that a vulnerability in Adobe Reader appeared to have resulted in the recent attacks against Google and other companies has retracted that claim.

Attack code used to hack Google now public

The dangerous Internet Explorer attack code used in last month's attack on Google's corporate networks is now public.

Chinese authorities behind Google attack, researcher claims

The malware used to hack Google is so sophisticated that researchers brought in by the company to investigate believe the attack code was designed and launched with support from Chinese authorities.

How To Protect Ourselves from Chinese Cyberwarriors

Better user education might have played a role in stopping the apparent Chinese cyberattack on American businesses. Once targeted employees clicked on a link in an e-mail or instant message, however, most current security technology was defenseless.

Google's China problem (and ours)

Well, that was the biggest news bombshell to land in quite a while. Google reveals that it's been hacked by Chinese cyber attackers and says it will no longer play along with China's repressive Internet rules.

Smartphones targeted by porn scams

Cyber criminals have gone back to their old-school tricks to target innocent smartphone users.

D-Link issues fixes for router vulnerabilities

Router manufacturer D-Link admitted Friday that some of its routers have a vulnerability that could allow hackers access to a device's administrative settings, but it has issued patches.

You don't know tech: The InfoWorld news quiz

Google gives China the finger, Facebook privacy questions linger

Romanian faces five years in prison for phishing scheme

A Romanian national pleaded guilty on Thursday to a charge related to a phishing operation that sought to defraud customers of banks such as Citibank and Wells Fargo, and of Web sites such as eBay.

UK businesses not prepared for Olympics challenge

The majority of UK companies are not prepared for the impact that the 2012 Olympic Games in London could have on their business, according to a survey by BT Global Services.

Smartphone security next big thing

Future smartphones will come pre-loaded with anti-virus software clients to prevent the loss of data and services to malware. And mobile banking and person-to-person payments will be authenticated by fingerprint sensors on the handset.

UK defendants await sentencing in carding scheme

Two U.K. men have pleaded guilty to charges related to the infamous DarkMarket payment-card fraud ring busted by authorities in October 2008, according to British police.

IE Exploit Used to Launch Chinese Attacks on Google

Early speculation focused on the Adobe Reader zero-day exploit as the source of the Chinese attacks on Google and other corporations earlier this week, but Adobe may be off the hook--or at least share the blame. Microsoft has determined that an unknown flaw in Internet Explorer was one of the holes used to launch the attacks which have led to Google threatening to shut down its Chinese operations.

Kids as young as 6 illegally downloading

Almost a third of six to 14 year olds illegally download US TV shows before they are aired in the UK, says New Media Age.

Microsoft confirms IE zero-day behind Google attacks

Microsoft issued a security advisory today that warned users of a critical and unpatched vulnerability in Internet Explorer (IE), and acknowledged that it had been used to hack several companies' networks.

Microsoft to patch bug used in Google hack

Microsoft is scrambling to patch an Internet Explorer flaw that was used to hack into Google's corporate networks last month.

Ballmer: Microsoft will stay in China

Microsoft does not plan to follow Google’s lead in pulling out of China, the software giant’s CEO told news outlets on Thursday.

Microsoft Warns of IE Zero-day Used in Google Attack

A critical zero-day flaw in Internet Explorer was exploited as part of the attack on Google and other companies, according to both Microsoft and McAfee.

Juniper, Symantec investigating after Google attack

Juniper Networks and Symantec said Thursday that they were investigating a widespread cyber-espionage incident that has hit dozens of technology companies, including Google and Adobe.

Conficker worm hasn't gone away, Akamai says

Variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies.

Facebook's Automated Security Fails to Impress

Facebook's new, automated security offering is almost, but not quite, a joke. Business users who consider Facebook "part of their job" should be aware of the significant limitations.

Intego intros VirusBarrier X6 for Mac with 100+ new features

Intego has announced a new and improved VirusBarrier X6 for Mac.

Hackers used IE zero-day, not PDF, in China-Google attacks

Hackers exploited an unpatched vulnerability in Microsoft's Internet Explorer (IE) browser to break into some of the firms targeted in a widespread attack that compromised Google's and Adobe's networks, McAfee said today.

Alleged China attacks could test U.S. cybersecurity policy

The attacks on Google and more than 30 other Silicon Valley companies by agents allegedly working for China raise a question: How should the U.S. government respond?

Facebook offers users free McAfee protection

Facebook has joined forces with McAfee to offer social networkers a free six-month subscription of security software.

FBI warns of bogus Haiti online donation scams

The U.S. Federal Bureau of Investigation is advising people to be careful when evaluating donation programs related to the earthquake in Haiti as one security firm is already seeing scam e-mails circulate.

Gary McKinnon extradition delayed again

Gary McKinnon, who is facing extradition to the US for hacking Pentagon and NASA computers, has had another reprieve.

The Impact of Google's Bold Stance on China

Google's war of words with China over censorship of its search results and cyber-attacks against human rights advocates has sparked a widespread debate among technology thinkers who both applaud and question the company's motives.

Google hack hit 33 other companies

The plot thickens. According to iDefense Labs, the recent Internet attack that has so upset Google affected 33 other US tech and defence firms and is directly related to an Adobe Reader-based attack of last July.

McAfee Avert Labs

Cutting edge security research as it happens.......

Update on Recent Microsoft 0day (CVE-2010-0249)

By Craig Schmugar on Zero-Day

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit. A few days ago exploit code was made public. Since then malware authors have been customizing the exploit's payload to install their own malicious creations. Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China. [...]

Investigating a Possible Charity Scam

By Francois Paget on Web and Internet Safety

On Saturday, my McAfee Labs colleague Craig Schmugar wrote about phishing sites and email scams related to the recent earthquake in Haiti. The people behind these frauds deserve to be caught by the law. I have a story that demonstrates that when several researchers join forces the bad guys run the risk of being punished. On [...]

McAfee ‘Hacking Exposed’ Webcast Series Fights Cybercrime

By David Marcus on iPhone

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which educates attendees to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks. The [...]

An Insight into the Aurora Communication Protocol

By Guilherme Venere on malware

As we know, the recent Operation Aurora has been making waves due to a highly organized attack targeting companies such as Google, Adobe and other high profile companies. A security breach due to a vulnerability in Microsoft’s Internet Explorer, CVE-2010-0249, caused remote code execution leading to download of malware on compromised systems. At McAfee Labs, researchers [...]

Went Looking for IE Exploits in “Haiti”, Found Something Else

By Craig Schmugar on Web and Internet Safety

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge. Given the significance of the recent earthquake in Haiti, and the slew of phishing sites, email scams, etc.; it makes sense that attackers would try to incorporate an [...]

“Operation Aurora” Leading to Other Threats

By Craig Schmugar on Zero-Day

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form. History tells [...]

More Details on “Operation Aurora”

By Craig Schmugar on Zero-Day

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog. The purpose of this blog is to answer questions about this particular attack and fill in some of the threat flow and McAfee coverage details. How were systems compromised? When a user manually loaded/navigated to a malicious web page from [...]

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Microsoft fixes 8 IE holes, including one used in attacks

By Elinor Mills

Internet Explorer hole targeted in attacks on Google and others is one of a group of critical holes fixed in cumulative patch released out-of-band by Microsoft.

Microsoft warns of flaw in 32-bit Windows kernel

By Elinor Mills

Google engineer discloses vulnerability to public security e-mail list one day before a Microsoft advisory and says he told Microsoft about it last June.

Apple fixes a dozen holes in Mac OS X

By Elinor Mills

Several holes addressed in Apple's security update could allow an attacker to take control of the computer, including a hole in Flash Player plug-in.

Microsoft to release patch for IE hole on Thursday

By Elinor Mills

Software giant will issue its out-of-band patch for the hole in Internet Explorer used in the recent attack on Google.

Using Twitter to help Haiti

By Elinor Mills

Recently a vacation site, Haiti.com, has been transformed, now allowing anyone to filter through Twitter reports from Haiti and send the information on to relief workers.

Google's spy case: Not the first, nor the last

By Elinor Mills, Tom Krazit

Corporate spying is an unfortunate fact of life for U.S. corporations, which have seen a surge in attacks from Chinese perpetrators in the last several years.

Researchers: Facebook vulnerable to clickjacking

By Elinor Mills

Security researcher also says Facebook should warn users that when they click on apps, they are giving those apps access to all their profile information.

AT&T fixes mobile Facebook problems

By Elinor Mills

Some AT&T customers logging into Facebook on their mobile phones accessed Facebook accounts of strangers as a result of two separate glitches, AT&T says.

Google China insiders may have helped with attack

By Elinor Mills

Google looking into whether employees in China could have played a part in what looks like a multi-prong attack on the company, sources familiar with the investigation tell CNET.

IE exploit code released on the Internet

By Elinor Mills

McAfee and Microsoft warn that code used to attack computers has been released in the wild, while the German government urges citizens to avoid using the IE browser for now.

New IE hole exploited in attacks on U.S. firms

By Elinor Mills

Microsoft warns about zero-day hole in Internet Explorer that was used in targeted attacks on Google and other U.S. companies, and which Google claims originated in China.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

Google Hack Code Released, Metasploit Exploit Now Available

Posted by InfoSec News on Jan 18

http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222301235
By Kelly Jackson Higgins
DarkReading
Jan 16, 2010
Internet Explorer exploit code used in the so-called Aurora attacks out
of China against Google and other companies has been posted online --
and now the popular Metasploit hacking tool has released a working
exploit of the attack as well.
The malware, which exploited a zero-day...

Army mulls realignment to fortify cyber command

Posted by InfoSec News on Jan 18

http://fcw.com/articles/2010/01/15/army-mulls-realignment-to-fortify-cyber-command.aspx
By Amber Corrin
FCW.com
Jan 15, 2010
Army mulls realignment options to build cyber command
As the Army strengthens its military presence in the cyber realm,
officials are planning for full operational capabilities by October 2010
for a unified Army cyber component that would report directly to the
U.S. Cyber Command, according to a senior Defense...

Other Targets In Google Cyber Attack Surface

Posted by InfoSec News on Jan 18

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222301222
By Thomas Claburn
InformationWeek
January 15, 2010
The names of other companies targeted in the cyber attack disclosed by
Google earlier this week have started to emerge.
Google reportedly asked the other 33 companies targeted in the attack to
come forward.
A Google spokesperson said that while the company provided technical
information, that...

McAfee Calls Operation Aurora A "Watershed Moment In Cybersecurity", Offers Guidance

Posted by InfoSec News on Jan 18

http://www.techcrunch.com/2010/01/17/mcafee-operation-aurora-2/
By Robin Wauters
TechCrunch.com
January 17, 2010
Computer and software security company McAfee last week identified a
vulnerability in Microsoft Internet Explorer as a key vector in the
cyberattacks that hit Google and over 30 other companies in a
high-profile, multi-staged and concentrated effort to hack into specific
computer systems in order to obtain intellectual property....

Key ministry officials asked not to use Blackberry for emails

Posted by InfoSec News on Jan 18

http://beta.thehindu.com/news/national/article81598.ece?homepage=true
The Hindu
January 17, 2010
Against the backdrop of concerns over hacking of crucial official
websites, central security agencies have again warned the government
about the use of multi-tasking blackberry instruments by some of the
officials working in sensitive ministries including the Prime Minister's
office.
Agencies have also cautioned against the practice of...

Call for Papers: ICITST-2010

Posted by InfoSec News on Jan 18

From: "d.lin (at) icitst.org" <d.lin (at) icitst.org>
Kindly email this Call for Papers to your colleagues,
faculty members and postgraduate students.
CALL FOR PAPERS
************************************************************
The 5th International Conference for Internet Technology and
Secured Transactions (ICITST-2010), Technical Co-Sponsored
by IEEE UK/RI Communications Chapter
November 8-11, 2010, London, UK...

Defence repelled 2400 cyber attacks in 2009

Posted by InfoSec News on Jan 18

http://www.theaustralian.com.au/news/defence-repelled-2400-cyber-attacks-in-2009/story-e6frg8yo-1225819966202
[That number seems abnormally low and missing an extra 0! - WK]
By Nicola Berkovic
The Australian
January 15, 2010
DEFENCE department computers sustained about 2400 cyber attacks last
year, Defence Minister John Faulkner revealed today.
Launching a new cyber warfare centre in Canberra, Senator Faulkner
outlined the scale of...

Help InfoSec News with a Donation

Posted by InfoSec News on Jan 15

http://www.infosecnews.org/donate.html
Richard Clarke once said...
"If you spend more on coffee than on IT security, then you will be
hacked. What's more, you deserve to be hacked."
For $1.00 at the local diner, you can buy a bottomless cup of coffee. At
the local bookstore, a large three shot, double latte soy cappuccino is
about $6.25. Ideally we'd like to see every InfoSec News reader
sacrifice at least three (or more) days...

Google Hack Attack Was Ultra Sophisticated, New Details Show

Posted by InfoSec News on Jan 15

http://www.wired.com/threatlevel/2010/01/operation-aurora/
By Kim Zetter
Threat Level
Wired.com
January 14, 2010
Hackers seeking source code from Google, Adobe and dozens of other
high-profile companies used unprecedented tactics that combined
encryption, stealth programming and an unknown hole in Internet
Explorer, according to new details released by researchers at anti-virus
firm McAfee.
“We have never ever, outside of the defense...

HITB Ezine 'Reloaded' - Issue #001

Posted by InfoSec News on Jan 15

Welcome to 2010! We are proud to announce the immediate availability of
our newly 'reborn' HITB ezine! You can grab your digital copies here:
https://www.hackinthebox.org/misc/HITB-Ezine-Issue-001.pdf
As some of you may know, we've previously had an ezine that
used to be published monthly, however the birth of the
HITBSecConf conference series has kept us too busy to continue
working on it. Until now that is...
As with our conference series,...

[CFP] Workshop on Collaboration and Security (COLSEC'10) - Deadline extension to ** January 25, 2010 **

Posted by InfoSec News on Jan 15

Forwarded from: Patrice Clemente <patrice.clemente (at) ensi-bourges.fr>
*************************************************************************
We apologize in advance if you receive multiple copies of this CFP.
Please disseminate it to your colleagues that could be interested.
*************************************************************************
================================================================
Last minute deadline...

No breach in computer security system: PMO

Posted by InfoSec News on Jan 15

http://www.hindustantimes.com/No-breach-in-computer-security-system-PMO/H1-Article1-497598.aspx
Indo-Asian News Service
New Delhi
January 15, 2010
The Prime Minister's Office (PMO) has said there was "no breach" in the
security systems of its computers or those in other central government
departments.
Asked about a media report that hackers from China have targeted
computers in the Prime Minister's Office (PMO), an official in the...

Surge in e-crimes in Dubai

Posted by InfoSec News on Jan 15

http://gulfnews.com/news/gulf/uae/crime/surge-in-e-crimes-in-dubai-1.567891
By Sharmila Dhal
Senior Reporter
Gulfnews.com
January 14, 2010
Dubai: Most cyber attacks in the UAE last year targeted banks and were
perpetrated by electronic criminals from outside the country, a
government report has revealed, adding that the number of hacking and
defacement incidents quadrupled in 2009 from 2008.
It added that of all the electronic breaches...

Secunia Weekly Summary - Issue: 2010-02

Posted by InfoSec News on Jan 15

========================================================================
The Secunia Weekly Advisory Summary
2010-01-07 - 2010-01-14
This week: 63 advisories
========================================================================
Table of Contents:
1.....................................................Word From...

Lincoln National Discloses Breach Of 1.2 Million Customers

Posted by InfoSec News on Jan 15

http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034
By Tim Wilson
DarkReading
Jan 14, 2010
Lincoln National Corp. (LNC) last week disclosed a security
vulnerability in its portfolio information system that could have
compromised the account data of approximately 1.2 million customers.
In a disclosure letter (PDF) sent to the attorney general of New
Hampshire Jan. 4, attorneys for the...

Federal Computer Week: Security News

Microsoft to Congress: Time to seed cloud computing

Privacy, security, and international sovereignty issues need congressional attention, says Brad Smith, senior Microsoft executive.

milBook (securely) harnesses social media behind DOD firewalls

Army's MilTech Solutions office is integrating security solutions across Army networks and platforms for collaboration.

Better integrated intell could save lives

National security agencies want to make the various databases that hold terrorism information more searchable after the failed Christmas Day airplane bombing.

Hackers attack Google using Microsoft security hole

Microsoft's security team confirmed that the hackers had used the first zero-day flaw found in Internet Explorer to try to steal information from Google and other companies.

10 technologies to watch in 2010

Government policies on information sharing, mobility, more efficient networking and, of course, security help define the technologies that will be hot this year.

Microsoft will maintain its great firewall in China

Microsoft CEO Steve Ballmer says his company will continue to comply with China's censorship rules, despite Google's recent suggestions that it might exit that market due to Chinese government censorship practices.

Cybercrime takes a bite out of legitimate systems

Attacks on systems often go undetected and are growing in number and sophistication.

Army mulls realignment to fortify cyber command

Army officials are weighing realigning networking and communications units to build a fully operational cyber component by October 2010.

eWeek Security Watch

Rockyou Breach Analysis Reveals Insecure Passwords

In Exploits and Attacks

Imperva's analysis of 32 million passwords exposed in the Rockyou data breach found many users were not following best practices for secure passwords.

Spammers May Be Hoping for Looser China Net Policies

In Virus and Spyware

Recent policy changes enacted by Chinese authorities appear to have helped in curbing some illegal activity, but the balance between personal freedom and better security is seemingly on the line in continued revision of the rules.

Experts Preach Careful Applications Usage for Mobile Security

In iPhone

Mobile malware may finally flourish during 2010 based on the popularity of more open applications platforms such as Android, experts maintain.

More Users Back on Illegal Programs

In multimedia

A resurgence in the use of illegal file-sharing programs is putting more organizations at risk of malware infection and potential legal trouble, researchers report.

Service Providers Face Security Challenges

In ISPs

A new report from Arbor Networks found more than a third of IP network operators surveyed believe service and application attacks represent the greatest operational threat over the next 12 months.

Google Orkut Vulnerability Patched

In Vulnerability Research

Google has patched a cross-site scripting vulnerability impacting its Orkut social networking service that one researcher says could have been used to steal cookies and session IDs.

DarkReading - All Stories

DarkReading

Researcher: Flaws In Facebook App Authorization Could Lead To Clickjacking

Security vulnerabilities could enable attackers to collect data on Facebook users and friends, Dhanjani says

Emergency IE Patch Coming Thursday; Microsoft Warns Office Apps Can Also Be Used In Attacks

No DEP bypass attacks in the wild thus far

Industry-Standard Updater For Third-Party Apps Fails To Materialize

Secunia decides to go it alone after failing to get buy-in from other vendors to create a standard

7 Steps For Protecting Your Organization From 'Aurora'

Microsoft patch is imminent, but here's a checklist for locking down in the meantime

New Proxy Promises To Shield Users From Google Data Collection

GoogleSharing is a new, anonymizing proxy service that pools user search data, researcher says

'Aurora' Exploit Retooled To Bypass Internet Explorer's DEP Security

Microsoft plans possible emergency patch for exploit used in attacks on Google, others

Google Hack Code Released, Metasploit Exploit Now Available

Researchers now say there's no evidence infected PDFs were used in the targeted attacks originating from China on Google and other companies, but investigations continue

Tech Insight: Tools For Securing Your Smartphones

What major smartphone vendors provide security-wise

Product Watch: Voice Biometrics Service Adds Third Factor Of Authentication

PhoneFactor matches user's voice with his 'voiceprint' when he logs in

Attackers Employed IE Zero-Day Against Google, Others

Microsoft issues workaround for the attack, McAfee christens the Chinese hacks as "Aurora"

Lincoln National Discloses Breach Of 1.2 Million Customers

Shared-password vulnerability at Lincoln National may have exposed personal information, company says

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Microsoft Releases Out-Of-Band Patch For IE 0-Day Vulnerability

By Darknet on vulnerability

Ah, Microsoft is treating this one seriously after France and Germany advised users to avoid IE. The current strain being exploited only targets IE6 users, but one security company has developed an exploit for IE8 which also bypasses DEP (Data Execution Prevention). It was rumoured this was the exploit used last week to compromise Google and...
Read the full post at darknet.org.uk

BackTrack Final 4 Released – Linux Security Distribution

By Darknet on security-livecd

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to...
Read the full post at darknet.org.uk

IETF Completes Vulnerability Fix For SSL Renegotiation Bug

By Darknet on vulnerability

You should remember the SSL Renegotiation bug from last year that was used to successfully attack Twitter. Finally, the IETF has come out with a fix for the issue; it’s natural it has taken some time as it’s a flaw in the actual protocol itself, not in any specific implementation (which is usually the case). The bug was [...]
Read the full post at darknet.org.uk

Microsoft SQL Server Fingerprint Tool – BETA4

By Darknet on mssqlfp

This is a tool that performs version fingerprinting on Microsoft SQL Server 2000, 2005 and 2008, using well known techniques based on several public tools that identify the SQL Server version. The strength of this tool is that it uses a probabilistic algorithm to identify the version of the Microsoft SQL Server. The “Microsoft SQL Server...
Read the full post at darknet.org.uk

Former DarkMarket Admin Faces 10 Year Jail Sentence

By Darknet on renukanth subramaniam

You may remember a while back in 2008 it was uncovered (at least publicly) that DarkMarket was actually an FBI sting operation. Insiders had apparently known since 2006 that one of the admins was actually an undercover FBI agent. Countless cases have gone to court with the evidence and contacts gathered in the DarkMarket forums. One [...]
Read the full post at darknet.org.uk

CNET News - Security

Microsoft fixes 8 IE holes, including one used in attacks

By Elinor Mills

Internet Explorer hole targeted in attacks on Google and others is one of a group of critical holes fixed in cumulative patch released out-of-cycle by Microsoft.

Originally posted at InSecurity Complex

Microsoft warns of flaw in 32-bit Windows kernel

By Elinor Mills

Google engineer discloses vulnerability to public security e-mail list one day before a Microsoft advisory and says he told Microsoft about it last June.

Originally posted at InSecurity Complex

Apple fixes a dozen holes in Mac OS X

By Elinor Mills

Several holes addressed in Apple's security update could allow an attacker to take control of the computer, including a hole in Flash Player plug-in.

Originally posted at InSecurity Complex

Microsoft to release patch for IE hole on Thursday

By Elinor Mills

Software giant will issue its out-of-band patch for the hole in Internet Explorer used in the recent attack on Google.

Originally posted at InSecurity Complex

Microsoft urges laws to boost trust in the cloud

By Lance Whitney

Company's general counsel calls on business and government to work together to address privacy and security for cloud computing while the time is ripe.

Apple releases Mac OS X security update, Boot Camp 3.1

By Jim Dalrymple

Apple releases a security update for Mac OS X Leopard and Snow Leopard, and adds support for Windows 7 in Boot Camp.

Originally posted at News - Apple

Explore what's new in Avast 5

By Seth Rosenblatt

Big changes arrive in the latest edition of Avast's popular antivirus powerhouse. Along with a retooled feature set, including multiple real-time shields, users are getting a completely redone interface. Check out Avast 5 in this First Look video.

Originally posted at The Download Blog

Microsoft to issue IE patch for Google attack flaw

By Tom Krazit

Company will issue an out-of-cycle patch for the flaws thought to have been used in cyberattacks against U.S. companies.

Originally posted at Relevant Results

Browse safely with Internet Explorer

By Dennis O'Reilly

Despite Microsoft's browser being the weak link in yet another high-profile hacker attack, enabling IE's security settings reduces the risks considerably.

Originally posted at Workers' Edge

Google postpones phone launches in China

By Lance Whitney

Amid cyberattacks and censorship, Google postpones the Chinese debut of two Android smartphones from Samsung and Motorola, according to Dow Jones Newswire.

Originally posted at News - Wireless

Avast 5 gets a new look, finally

By Seth Rosenblatt

Exclusive to CNET Download.com, freeware security suite Avast 5 debuts today with several new features, but it's hard not to notice that the old interface has gone to wherever GUIs go when they die.

Originally posted at The Download Blog

Google's spy case: Not the first, nor the last

By Elinor Mills, Tom Krazit

Corporate spying is an unfortunate fact of life for U.S. corporations, which have seen a surge in attacks from Chinese perpetrators in the last several years.

Originally posted at InSecurity Complex

Researchers: Facebook vulnerable to clickjacking

By Elinor Mills

Security researcher also says Facebook should warn users that when they click on apps, they are giving those apps access to all their profile information.

Originally posted at InSecurity Complex

AT&T fixes mobile Facebook problems

By Elinor Mills

Some AT&T customers logging into Facebook on their mobile phones accessed Facebook accounts of strangers as a result of two separate glitches, AT&T says.

Originally posted at InSecurity Complex

Google China insiders may have helped with attack

By Elinor Mills

Google looking into whether employees in China could have played a part in what looks like a multi-prong attack on the company, sources familiar with the investigation tell CNET.

Originally posted at InSecurity Complex

McAfee: China attacks a 'watershed moment'

By Steven Musil

The cyber attacks on Google and 30 other companies were the most sophisticated in years, according to the computer security company's CTO.

IE exploit code released on the Internet

By Elinor Mills

McAfee and Microsoft warn that code used to attack computers has been released in the wild, while the German government urges citizens to avoid using the IE browser for now.

Originally posted at InSecurity Complex

New IE hole exploited in attacks on U.S. firms

By Elinor Mills

Microsoft warns about zero-day hole in Internet Explorer that was used in targeted attacks on Google and other U.S. companies, and which Google claims originated in China.

Originally posted at InSecurity Complex

Akamai: World's Net connection speeds rising

By Lance Whitney

Reporting on the state of the Internet from 2009's third quarter, Akamai finds global speeds increasing, mobile connections rising, and cyberattacks from Russia and Brazil.

Originally posted at News - Wireless
