Tag Archives: Iran

The photo splashed across front pages worldwide in July 2008 showed four Iranian test missiles blasting skywards. Released by the media arm of Iran’s Revolutionary Guard, Sepah News, the picture was soon found to have been manipulated: one missile had been cloned and appeared twice, evidently to conceal the fact that another had failed to lift off. Governments have long doctored photos for political reasons. In Nazi Germany and Communist Russia, senior figures who fell from favor were commonly airbrushed out of photographs. Now, thanks to digital technology, image manipulation is available to everyone, and nefarious uses are becoming far more widespread.

Picture Imperfect | DFI News.

White House officials are revealing details of President Barack Obama’s initial plans for protecting the computer networks of crucial American industries from cyberattacks.

Their description of Obama’s executive order was planned for Wednesday, a day after the president signed it. The announcement was also coming hours after the president urged Congress in his annual State of the Union address to pass legislation taking even tougher steps.

In his speech, Obama said America’s enemies are “seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

He added, “Now, Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”

On Tuesday, senior administration officials said Obama’s order starts the development of voluntary standards to protect the computer systems that run critical sectors of the economy like the banking, power and transportation industries. It also directs U.S. defense and intelligence agencies to share classified threat data with those companies.

Obama’s executive order has been months in the making and is the product of often-difficult negotiations with private sector companies that oppose any increased government regulation.

While largely symbolic, the plan leaves several practical questions unanswered:

  • Should a business be required to tell the government if it’s been hacked and U.S. interests are at stake?
  • Can a person sue her bank or water treatment facility if those companies don’t take reasonable steps to protect her?
  • If a private company’s systems are breached, should the government swoop in to stop the attacks — and pick up the tab?

Under the president’s new order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.

There also must be incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.

The order also calls for agencies to review their existing regulations to determine whether the rules adequately address cybersecurity risks.

Congress has been struggling for more than three years to reach a consensus on cybersecurity legislation. Given that failure and the escalating risks to critical systems, Obama turned to the order as a stopgap measure with the hope that lawmakers will be able to pass a bill this year. Leaders of the House Intelligence Committee said they plan to reintroduce their bill that encourages the government to share classified threat information, empowers companies to also share data and provides privacy and liability protections.

The process has exposed how difficult and complex the issue is, turning the long-awaited executive order into a bureaucratic scramble aimed at showing countries like China and Iran that the U.S. takes seriously the protection of business secrets. It has been an intensive effort by White House staff and industry lobbyists wary of government intervention but fearful about their bottom line.

The cyberthreat to the U.S. has been heavily debated since the 1990s, when much of American commerce shifted online and critical systems began to rely increasingly on networked computers.

White House Reveals Obama’s Cybersecurity Plan | DFI News.

Photo caption: James Lewis of the Center for Strategic and International Studies in Washington believes that recent online attacks on American banks have been the work of Iran. Courtesy of Daniel Rosenbaum/The New York Times.

The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

Online Bank Attacks were Iranian Retaliation, Officials Say | DFI News.

The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.

Cool Exploit Kit.

An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.

“Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.

About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.

“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.

As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.

Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.

At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian:

Dear Ladies and Gentlemen!

Everyone is aware of the problem which exists now on the exploit market! To solve this problem, our team prepared the following exclusive program of purchasing new browser and browser plugin vulnerabilities. Not only do we buy exploits and vulnerabilities, but also improvements to existing public exploits, and also any good solutions for improving the rate of exploitation.

The “meat” of the project: We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public (not counting the situations, when a vulnerability is made public not because of us).

Not only do we purchase weaponized (ready) exploits, but also their descriptions and proof of concepts (with subsequent joint work with our specialists).

Paunch’s team emphasized that they would not buy exploits that were already public, and that newbies to the fraud forum who nevertheless had good exploits could work with the crimeware team via an agreed-upon 3rd party.

It’s unclear how many takers Paunch is attracting to Cool Exploit Kit with its hefty price tag, but according to Kafeine and others, the new kit is being used exclusively by two different crimeware gangs. One of the gangs is using Cool to spread the Reveton ransomware that I profiled recently.

If any miscreants have the ability to pay $10,000 per month to rent an exploit pack, the gangs spreading Reveton certainly fit the bill. Symantec recently published an in-depth analysis of the ransomware scourge (PDF), and in it the company managed to gain access to a control panel used by one ransomware gang that showed the number of incoming connections to the booby-trapped sites used in the scheme. Symantec estimated that this group extorted from ransomware victims more than $30,000 per day, and likely close to $400,000 per month. This is on par with the amounts I found one ransomware operation was earning back in August 2012.

Source: Symantec

The best way to avoid ransomware and other nasties is to keep your system up-to-date with the latest security patches, and to remove software you don’t need or use. If your system does get infected with ransomware, by no means should you pay the ransom. F-Secure offers a free removal tool, and Microsoft claims its Windows Defender Offline Disc can remove most ransomware.

Crimeware Author Funds Exploit Buying Spree — Krebs on Security.

The U.N. nuclear watchdog has said information stolen from one of its former servers had been posted on a hacker website and it was taking “all possible steps” to ensure its computer systems and data were protected.

The stolen information was contained in a statement by a group with an Iranian-sounding name calling for an inquiry into Israel’s nuclear activities. The International Atomic Energy Agency (IAEA) is investigating Iran’s nuclear program.

The IAEA said the theft concerned “some contact details related to experts working” with the Vienna-based agency but it did not say who might have been behind the action.

A Western diplomat said the stolen data was not believed to include information related to confidential work carried out by the IAEA. One of the agency’s tasks is preventing the spread of nuclear weapons.

UN Nuclear Agency Says Stolen Information on Hacker Site | DFI News.