Brown, F. (2012, March). Using Google to find vulnerabilities in your IT environment (S4440312). Retrieved from http://goo.gl/GPzBt
Attackers are increasingly using a simple method for finding flaws in websites and applications: they Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. Sound scary? It is, but there is good news: You can use these same methods to find flaws before the bad guys do. In this special report,we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services—and to fix them before they can be exploited.
Cobb, M. (2012, March). Detecting and defending against advanced persistent threats (S4390312). Retrieved from http://goo.gl/Qznbi
APTs are a growing problem for enterprises big and small. Protecting your organization from these targeted threats requires constant vigilance, ongoing employee training and a concerted effort to align security systems to address every phase of an APT. Companies also need to develop a remediation and response plan if, despite best efforts, defenses are breached.
Doyle, C. (2012, March 12). Cybersecurity: Cyber Crime Protection Security Act (S. 2111): A legal analysis (R42403). Retrieved from http://www.fas.org/sgp/crs/misc/R42403.pdf
The Cyber Crime Protection Security Act (S. 2111) would enhance the criminal penalties for the cyber crimes outlawed in the Computer Fraud and Abuse Act (CFAA). Those offenses include espionage, hacking, fraud, destruction, password trafficking, and extortion committed against computers and computer networks. S. 2111 contains some of the enhancements approved by the Senate Judiciary Committee when it reported the Personal Data Privacy and Security Act (S. 1151), S.Rept. 112-91 (2011).
The bill would (1) establish a three-year mandatory minimum term of imprisonment for aggravated damage to a critical infrastructure computer; (2) streamline and increase the maximum penalties for the cyber crimes proscribed in CFAA; (3) authorize the confiscation of real property used to facilitate the commission of such cyber offenses and permit forfeiture of real and personal property generated by, or used to facilitate the commission of, such an offense, under either civil or criminal forfeiture procedures; (4) add such cyber crimes to the racketeering (RICO) predicate offense list, permitting some victims to sue for treble damages and attorneys’ fees; (5) increase the types of password equivalents covered by the trafficking offense and the scope of federal jurisdiction over the crime; (6) confirm that conspiracies to commit one of the CFAA offenses carry the same penalties as the underlying crimes; and (7) provide that a cyber crime prosecution under CFAA could not be grounded exclusively on the failure to comply with a term of service agreement or similar breach of contract or agreement, apparently in response to prosecution theory espoused in Drew. With the exception of this last limitation on prosecutions, the Justice Department has endorsed the proposals found in S. 2111. The bill has been placed on the Senate calendar. As of this date, S. 2111 has no House counterpart.
Glennon, M. J. (2012). State-level cybersecurity. Policy Review, (171), 85-102. [Full text available in ABI/INFORM Complete database].
No air traffic controllers or airport check-ins; no electronically regulated rail traffic; no computer-dependent overnight deliveries of packages or mail; no paychecks for millions of workers whose employers depend on payroll software; no financial records of funds on deposit and no ATMS; no reliable digital records in hospitals and health centers; no electrical power, resulting in no light, no heat, no operating oil refineries or heating fuel or gasoline; no traffic signals, and no telephone or internet service or effective police protection – such is the list of what could be disabled by an attack on America’s computer networks. Espionage conducted by other nations has been regarded as a matter for the federal government, whereas theft, the destruction of property, and related offenses committed by individuals and criminal organizations are thought to be the purview of both state and federal governments. […] as with terrorist attacks, vexing issues of legal categorization arise.
Grace, M., Zhou, W., & Jiang, X. (2012, April 12). Unsafe exposure analysis of mobile in-app advertisements. Paper to be presented at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Tucson, AZ. Retrieved from http://www.csc.ncsu.edu/faculty/jiang/pubs/WISEC12_ADRISK.pdf
In recent years, there has been explosive growth in smartphone sales, which is accompanied with the availability of a huge number of smartphone applications (or simply apps). End users or consumers are attracted by the many interesting features offered by these devices and the associated apps. The developers of these apps are also benefited by the prospect of financial compensation, either by selling their apps directly or by embedding one of the many ad libraries available on smartphone platforms. In this paper, we focus on potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth “ad libraries,” for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May, 2011. Among these apps, we identify 100 representative in-app ad libraries (embedded in 52.1% of them) and further develop a system called AdRisk to systematically identify potential risks. In particular, we first decouple the embedded ad libraries from host apps and then apply our system to statically examine the ad libraries, ranging from whether they will upload privacy sensitive information to remote (ad) servers or whether they will download untrusted code from remote servers. Our results show that most existing ad libraries collect private information: some of them may be used for legitimate targeting purposes (i.e., the user’s location) while others are hard to justify by invasively collecting the information such as the user’s call logs, phone number, browser bookmarks, or even the list of installed apps on the phone. Moreover, additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.
Lennon, M. (2012, March 19). Mystery of programming language used in Duqu framework solved. SecurityWeek. Retrieved from http://www.securityweek.com/mystery-programming-language-used-duqu-framework-solved
Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to “Duqu”, the Trojan often referred to as “Son of Stuxnet”, which surfaced in October 2010. The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.
Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.
Mills, E. (2012, March 21). Verizon: Hacktivists stole 100 million + records in 2011. CNet. Retrieved from http://news.cnet.com/8301-27080_3-57402063-245/verizon-hacktivists-stole-100-million-records-in-2011/
Financially motivated criminals were behind most of last year’s data breaches, but hacktivists stole almost twice as many records from organizations and government agencies, according to the Data Breach Investigations Report being released by Verizon today.
While more than 80 percent of the data breaches in 2011 were due to organized criminal activity, the number of records pilfered from activist groups represented 58 percent of the total, the report finds.
In particular, hacktivists targeted corporations and big agencies, and consumer data. Activist groups accounted for more than 22 percent of the data breaches targeting large organizations. Meanwhile, 95 percent of the records compromised last year included personal information about individuals, compared with only 1 percent the year before, Verizon said.
Financially motivated cyberthieves tend to do more breaches in total than hacktivists, but grab smaller amounts of data at a time and target smaller organizations that are low-hanging fruit, according to the report.
Pellerin, C. (2012, March 21). Officials: Cyber research needs innovation, talent. Armed Forces Press Service. Retrieved from http://goo.gl/345Jw
As a critical enabler of Defense Department business and military operations and the DOD command-and-control backbone, cyber is the focus of intense research and development in an environment where success means getting out ahead of an evolving threat.
During the unclassified portion of a hearing of the Senate Armed Services subcommittee on emerging threats and capabilities yesterday, experts from DOD, the Defense Advanced Research Projects Agency and the National Security Agency discussed the department’s vulnerabilities and needs.
“DARPA’s bottom-line message today [is] that DOD is capability-limited in cyber, both defensively and offensively,” DARPA Acting Director Kaigham “Ken” J. Gabriel told the panel. “We need to change that.”
Ponemon Institute. (2011, March). 2011 cost of data breach study: United States. Retrieved from http://goo.gl/HmErV
Symantec Corporation and Ponemon Institute are pleased to present 2011 U.S. Cost of Data Breach, our seventh annual benchmark study concerning the cost of data breach incidents for U.S.-based companies. While Ponemon Institute research indicates that data breaches continue to have serious financial consequences for organizations, there is evidence that organizations are becoming better at managing the costs incurred to respond and resolve a data breach incident. In this year’s study, the average per capita cost of data breach has declined from $214 to $194 . . .
This year’s study examines the costs incurred by 49 U.S. companies in 14 different industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims as required by law. Results are not based upon hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. More than 400 individuals were interviewed over a nine-month period. To date, 268 organizations have participated in this research.
Shin, S., Gu, G., Reddy, N., & Lee, C. P. (2012). A large-scale empirical study of Conficker. IEEE Transactions on Information Forensics and Security, 7(2) [NEW ISSUE – table of contents], 676-690. [Full text can be requested from DocumentExpress.]
Conficker is the most recent widespread, well-known worm/bot. According to several reports, it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large scale, about 25 million victims, and study various interesting aspects about this state-of-the-art malware. By analyzing Conficker, we intend to understand current and new trends in malware propagation, which could be very helpful in predicting future malware trends and providing insights for future malware defense. We observe that Conficker has some very different victim distribution patterns compared to many previous generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. We measure the potential power of Conficker to estimate its effects on the networks/hosts when it performs malicious operations. Furthermore, we intend to determine how well a reputation-based blacklisting approach can perform when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from Dshield and FIRE and our evaluation shows that unlike a previous study which shows that a blacklist-based approach can detect most bots, these reputation-based approaches did relatively poorly for Conficker. This raises a question of how we can improve and complement existing reputation-based techniques to prepare for future malware defense’ Based on this, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the case of Conficker. This suggests that security alert sharing/correlation (particularly among neighborhood networks) could be a promising approach and play a more important role for future malware defense.
Torres-Soriano, M. R. (2012). The vulnerabilities of online terrorism. Studies in Conflict & Terrorism, 35(4), 263-277. [Full text can be requested from DocumentExpress.]
Jihadist terrorism has discovered in the Internet a valuable instrument to strengthen its activities. However, in using this technology the terrorists are exposed to new vulnerabilities. The Internet plays a leveling role: each new advantageous use it brings is accompanied by a new opportunity to weaken terrorist groups. The present article examines the main vulnerabilities of radical groups who have accorded the Internet a central role in their strategy, namely, less anonymity and security, a loss of content visibility, a major credibility problem, and an undermining of the legitimacy of the terrorist discourse as a consequence of their use of Web 2.0.
[USEFUL WEEKLY PUBLICATION]. United States. Computer Emergency Readiness Team. US-CERT cyber security bulletin. Retrieved from http://www.us-cert.gov/cas/bulletins/
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).
[USEFUL DAILY PUBLICATION] United States. Department of Homeland Security. DHS daily open source infrastructure report. Retrieved from http://www.dhs.gov/files/programs/editorial_0542.shtm
The DHS Daily Open Source Infrastructure Report is collected each business day as a summary of open-source published information concerning significant critical infrastructure issues. Each Daily Report is divided by the critical infrastructure sectors and key assets defined in the National Infrastructure Protection Plan.
Wolchok, S., Wustrow, E., Isabel, D., & Halderman, J. A. (2012, February). Attacking the Washington, D.C. internet voting system. Paper presented at the 16th Conference on Financial Cryptography and Data Security, Bonaire, Netherlands. Retrieved from https://jhalderm.com/pub/papers/dcvoting-fc12.pdf
In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained nearcomplete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election oﬃcials did not detect our intrusion for nearly two business days —and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study —the ﬁrst (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in
a realistic pre-election deployment —attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.
Zetter, K. (2012, March 19). DuQu mystery solved with help of crowdsourcing. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/
A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.
The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.
Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.
Wen, Z. (2012, March 21). Hacker, suspected of 6 million user info leak, detained. Shanghai Daily. Retrieved from http://goo.gl/vxKVg
The man suspected of hacking into China’s largest website for programmers and leaking personal information of over 6 million users last December has been detained on charges of illegal acquisition of computer data, the Beijing News reported today. The suspect surnamed Zeng was held in Wenzhou, eastern Zhejiang Province on February 4 after Beijing police opened an investigation into the case on December 22, the paper said.
The leak, considered the biggest in China’s Internet history, occurred on December 21 when the personal information of more than 6 million users of the China Software Developer Network was exposed on the Internet for free downloading.