PCWorld – A recently patched Java remote code execution vulnerability is already being exploited by cybercriminals in mass attacks to infect computers with scareware, security researchers warn.
The vulnerability, identified as CVE-2013-2423, was one of the 42 security issues fixed in Java 7 Update 21 that was released by Oracle on April 16.
According to Oracle’s advisory at the time, the vulnerability only affects client, not server, deployments of Java. The company gave the flaw’s impact a 4.3 out of 10 rating using the Common Vulnerability Scoring System (CVSS) and added that “this vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.”
However, it seems that the low CVSS score didn’t stop cybercriminals from targeting the vulnerability. An exploit for CVE-2013-2423 was integrated into a high-end Web attack toolkit known as Cool Exploit Kit and is used to install a piece of malware called Reveton, an independent malware researcher known online as Kafeine said Tuesday in a blog post.
Everything we do is online. If you’ve been the victim of identity theft or an email phishing scam, you know how quickly your personal data can be stolen or threatened.
It’s important to know the difference between types of cyber threats and the right approach to fighting them.
There are three tiers of cyber threats, as explained by Heritage experts Steven Bucci, Paul Rosenzweig, and David Inserra:
1. Cyber crime. Cyber crime hits many Americans in the form of identity theft, phishing, or cyber vandalism. In 2006, the Government Accountability Office estimated that cyber identity theft cost U.S. citizens and companies almost $50 billion, and the threat has only grown since then. These crimes are usually committed by individual criminals, so-called hacktivists, or criminal organizations, and represent the most common form of cyber threat.
2. Cyber espionage. Espionage pursues large, important targets, such as military blueprints or proprietary business plans, and is often state-sponsored. China, for instance, is a known bad actor in cyberspace. The Chinese not only allow and sponsor hackers, but have entire military and government units dedicated to stealing data from governments and private companies. China has been engaged in a prolonged campaign of stealing U.S. intellectual property and military secrets. Together with other hackers and cyber operations, China has stolen billions, if not trillions of dollars in U.S. intellectual property, not to mention compromising U.S. national security secrets.
3. Cyber warfare. While cyber crime and espionage are serious problems, the U.S. also faces a threat from cyber warfare. Taking down communications, transportation, or other critical systems would severely impair the U.S. response to a physical attack, increasing the damage sustained. While such an event is “unlikely” according to Director of National Intelligence James Clapper, the U.S. must prepare for these threats, since terrorists or isolated states are likely to use such attacks as they gain the capabilities to do so.
Across all three tiers, poor information sharing is one of the main problems—and in this case, the government could offer protection, rather than regulating. Heritage experts recommend that “entities that share information about cyber threats, vulnerabilities, and breaches should have legal protection. The fact that they shared data about an attack, or even a complete breach, with the authorities should never open them up to legal action.”
The government hasn’t meaningfully addressed these problems—and it can’t solve them by regulation. Think about Obamacare: The law passed in 2010, yet we are just now seeing tens of thousands of pages of regulations being written. If cybersecurity regulations were created the same way, online threats would have changed many times by the time the regulations went into effect.
President Obama was dissatisfied with Congress’s lack of action last year, so he went around them with an executive order favoring a regulatory approach to cybersecurity. This was the wrong way to go, but Congress can still help.
To learn more about what Congress can and should do to protect Americans online, read the full report: A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace
Understand that the Dark Side is greatly motivated by social and political interests that are difficult to predict and not necessarily useful in forming strategic or tactical defense plans. This understanding will help organizations craft strategic decisions about layered protections in all verticals exposed to the Internet.
We live in times when technology is exceeding the understanding of educational institutions and corporations. A highly social Web and a bad economy is making the Dark Side — the Internet underworld where cybercrime and hacking run rampant — overwhelming.
Hacktivism is the new, hip thing; it has become a hobby for people with higher-than-average computer knowledge. The movement is led by an elite few who have a deep, lifelong knowledge of computers, and it includes senior Fortune 100 corporate executives and highly placed governmental employees, as well as the ranks of the unemployed.
The elite world of hacktivism is at the center of the Internet’s Dark Side. While governmental agencies are looking for the individuals responsible for various acts of hacktivism, they struggle with using their tried-and-true methods to move up the food chain to identify hacktivist leaders. What is not well understood is that these layers cannot be penetrated by the standard law enforcement methods that were once effective in collapsing organized crime groups.
Hacktivism exists because the Internet is an open society that has no boundaries in which normal legal process can be applied without taking significant and draconian action, like direct control of the systems that keep the Internet alive. The traditional legal requirements for evidence are hampered by the very void in which the elites live.
The Next Revolution
In the past, various law enforcement tools were enough to provide direct evidence of illicit activity. In today’s environment, the legal framework is not capable of supporting more than “reasonable suspicion” (also known as the “Terry Stop”), the precursor to “probable cause,” which gave rise to “beyond a reasonable doubt” — the requirement to convict an individual charged with a crime in the U.S.
“To our hacker allies, our fellow occupiers, our militant comrades all over the world, the time for talk is over: it’s time to hack and smash, beat and shag.”
The call to arms issued last week by the international hacker group Anonymous was accompanied by a frenzy of online hacking. Attackers took down the websites of a tear-gas manufacturer in Pennsylvania, the Nasdaq and BATS stock exchanges and the Chicago Board Options Exchange. A few days later they hacked into websites owned by the Federal Trade Commission and the Bureau of Consumer Protection.
The messages they left behind—about their opposition to everything from the Anti-Counterfeiting Trade Agreement, a controversial new treaty for enforcing intellectual property rights, to violent suppression of democracy protestors in the Middle East—had the air of giddy jubilation.
“Guess what? We’re back for round two,” the hackers wrote in reference to their attack on the FTC websites, their second such raid on the agency in less than a month. “With the doomsday clock ticking down on Internet freedom, Antisec has leapt into action. Again. Holy deja vu hack Batman! Expect us yet?”
Comic posturing aside, the hackers seemed amazed by their success: A barely organized ragtag “team of mayhem,” as one Anonymous offshoot dubbed itself, was knocking down the Web infrastructure built by major corporations and large government agencies as if it were nothing but paper backdrops in a school play.
According to the memo, train service on the unnamed railroad located in the Pacific Northwest “was slowed for a short while” on Dec. 1, and rail schedules were delayed about 15 minutes after the interference. The next day, shortly before rush hour, a “second event occurred,” but this one did not affect schedules, NextGov reports.
An investigation determined that hackers — possibly from overseas — had penetrated the system from three IP addresses, according to the memo, which did not name the country from which the hack occurred.
“Some of the possible causes lead to consideration of an overseas cyberattack,” the memo said.
Information stating that a targeted attack occurred was sent out on Dec. 5, along with alerts listing the three IP addresses, to several hundred railroad firms and public transportation agencies, in addition to unnamed partners in Canada.
A DHS spokesman acknowledged the breach in a statement to Threat Level.
“On December 1, a Pacific Northwest transportation entity reported that a potential cyber incident could affect train service,” said spokesman Peter Boogard in a statement. “The Department of Homeland Security (DHS), the FBI and our federal partners remained in communication with representatives from the transportation entity in support of their mitigation activities and with state and local government officials to send alerts to notify the transportation community of the anomalous activity as it was occurring.”
A DHS official added that after more in-depth analysis of the incident, it did not appear to be a targeted attack aimed at the railway and halting service, but was more of a random incident that simply hit the transportation entity. He would not elaborate.
After Wednesday’s unprecedented unified online yelp against SOPA and PIPA, Thursday saw a new milestone: the first direct and public activist malware from Anonymous.
A version of Anonymous’ voluntary botnet software, known as LOIC (Low Orbit Ion Canon), was modified to make it not so voluntary, drafting unwary bystanders, journalists and even anons who don’t support DDoS tactics into attacks on the U.S. Justice Department. Thursday’s trickery seems not to have been central to the successful takedown of sites like justice.gov, RIAA.com and MPAA.com, but not all anons are pleased with forcing unwitting bystanders to join in a potentially illegal action.
Several anons speaking to Wired on condition of anonymity voiced dismay that a tactic they consider to be the modern-day equivalent of a sit-in (denial-of-service attacks leave no lasting damage) was ethically corrupted by the new version.
“Preying on unsuspecting users is despicable,” said one anon, speaking to Wired in an online chat. “We need to fight for the user, not potentially land them in jail.”
As part of Thursday’s raging reaction from Anonymous to the Megaupload arrests, people by the thousands voluntarily pointed the LOIC at targets like FBI.gov, DOJ.gov, MPAA.org, BMI.org, RIAA.org and copyright.gov, part of an effort that knocked these sites offline for parts of the day. The tool bombards a targeted site with traffic, in hopes of overwhelming servers so that no one can visit the site.
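From the defender's side, a flood of the kind described above is visible in the web server's own access log as a request rate no browser would produce. The detector below is an added example, not code from the Wired article or from any LOIC tooling: it parses combined-format access log lines (constructed inline for the example), keeps a sliding window per source address, and adds a site-wide rate check because a volunteer botnet spreads the load across many addresses, so a per-source threshold alone can miss it. The thresholds and the sample addresses are illustrative choices, not figures from the article.

```python
"""Request-rate flood detector for web access logs.

Added example, not code from the Wired article or from any LOIC tooling.
It reads combined-format access log lines, constructed below, and flags
sources whose request rate over a sliding window is far beyond what a
browser produces, plus a site-wide rate check for floods spread across
many sources (the volunteer-botnet case).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, per_source_threshold=100, site_threshold=1000):
    """Scan log lines in time order and return detection results.

    per_source: {ip: first timestamp at which that source exceeded
                 per_source_threshold requests within window_seconds}
    site_wide:  first timestamp at which all sources together exceeded
                site_threshold requests within window_seconds, or None
    Thresholds are illustrative; tune them to the site's real baseline.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(deque)   # recent request times per source
    site = deque()                # recent request times, all sources
    per_source = {}
    site_wide = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash
        ip, ts, _ = parsed
        for q in (per_ip[ip], site):
            q.append(ts)
            while ts - q[0] > window:   # drop requests older than the window
                q.popleft()
        if ip not in per_source and len(per_ip[ip]) > per_source_threshold:
            per_source[ip] = ts
        if site_wide is None and len(site) > site_threshold:
            site_wide = ts
    return {"per_source": per_source, "site_wide": site_wide}


def build_sample_log():
    """Constructed log: light browsing from two clients plus one flooding source."""
    base = datetime(2012, 1, 19, 14, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(20):  # two ordinary visitors, a request every few seconds
        events.append((base + timedelta(seconds=3 * i), "198.51.100.4", f"GET /page{i}.html HTTP/1.1"))
        events.append((base + timedelta(seconds=5 * i + 1), "198.51.100.9", "GET /news HTTP/1.1"))
    for i in range(300):  # one source hammering the front page at 50 requests/second
        events.append((base + timedelta(seconds=i // 50), "203.0.113.7", "GET / HTTP/1.1"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{req}" 200 5120' for ts, ip, req in events]


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    for ip, ts in result["per_source"].items():
        print(f"flooding source {ip} first exceeded threshold at {ts.isoformat()}")
    print("site-wide threshold exceeded:", result["site_wide"])
```

On the constructed log only the single hammering source trips the per-source threshold, and the site-wide check stays quiet because 300 extra requests in ten seconds is far below the illustrative 1000-request ceiling; a real deployment would set both thresholds from the site's observed peak traffic and feed detections into rate limiting or upstream filtering rather than acting on the log alone.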
Just minutes after the U.S. Department of Justice repossessed the domains of Megaupload, Megavideo, Megaporn and a collection of other popular filesharing sites, the hacker collective Anonymous got to work on a few takedowns of its own.
On Thursday afternoon, Anonymous claimed credit for cyberattacks that knocked offline the websites of the U.S. Department of Justice, Recording Industry of America, Motion Picture Association of America and Universal Music. The so-called denial of service attacks that overwhelmed those sites with junk traffic came less than an hour after the Justice Department announced the takedown of the Mega sites, along with the arrest of former hacker and Mega founder Kim Dotcom and six others, who are being indicted on charges of copyright infringement and money laundering.
“One thing is certain: EXPECT US!,” wrote the Anonymous-linked Anonops Twitter feed Thursday just after the Mega raid, adding a hashtag for Megaupload.
“Anonymous/Megaupload backlash update: http://RIAA.ORG is now Tango Down,” wrote the Twitter feed Anonnews less than one hour later, as other Anonymous feeds claimed credit for downing Justice.gov and Universalmusic.com.
Attackers will increasingly leverage the lack of cybersecurity preparedness of utilities and other critical infrastructure in 2012, predicts McAfee Labs.
Many of the environments where supervisory control and data acquisition (SCADA) systems are deployed do not have stringent security practices, noted McAfee’s 2012 Threat Predictions report.
“There are a lot of different people looking at infrastructure, SCADA, utilities, energy. It’s an area that we think is going to be a big deal in 2012….What you are looking at is unpreparedness”, said Dave Marcus, director of research and communications at McAfee Labs.
Marcus told Infosecurity that the “most fascinating thing” about the Duqu attack against industrial systems was that it used rogue certificates. “That is a big deal, because it undermines the trust in secure socket layers and secure website communication; if you are going to generate rogue keys and fake certificates, that undermines the underlying trust in the operating system”, he said.
Duqu also demonstrated advancements in rootkits, Marcus noted. “We are seeing a lot more targeting of lower layers of the operating system. We think we will see more hardware and BIOS [basic input/output system] targeting, and even targeting of the master boot record….Duqu had a lot of that stealth rootkit activity.”
In its report on Duqu, Symantec judged that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.
Hackers with the loose-knit movement “Anonymous” have claimed to have stolen a raft of emails and credit card data from US-based security think tank Stratfor, promising it was just the start of a weeklong, Christmas-inspired assault on a long list of targets.
One alleged hacker said the goal was to use the credit data to steal a million dollars – including, apparently, from individuals’ accounts – and give the money away as Christmas donations. Images posted online claimed to show the receipts.
A Twitter account tied to Anonymous posted a link to what they said was Stratfor’s tightly-guarded, confidential client list. Among those on the list: The US Army, the US Air Force and the Miami Police Department.
The rest of the list, which the hacking movement said was a small slice of its 200 gigabytes worth of plunder, included banks, law enforcement agencies, defence contractors and technology firms such as Apple and Microsoft.
“Not so private and secret anymore?” the group taunted in a message on the microblogging site.
Austin, Texas-based Stratfor provides political, economic and military analysis to help clients reduce risk, according to a description on its YouTube page. It charges subscribers for its reports and analysis, delivered through the web, emails and videos.
Lt Col John Dorrian, public affairs officer for the Air Force, said that “for obvious reasons” the Air Force doesn’t discuss specific vulnerabilities, threats or responses to them.
“The Air Force will continue to monitor the situation and, as always, take appropriate action as necessary to protect Air Force networks and information,” he said in an email.
This year is already being called “The Year of the Hack,” due to the unprecedented number of damaging attacks against major companies like Sony, RSA Security, Google and even the U.S. government. It’s hard to remember a time when businesses faced as many online threats as they do today.
From hacktivist groups like Anonymous, corporate and state-sponsored cyber espionage and organized crime and rogue hackers, every business, regardless of its size, is finding itself in the cross hairs of cyber attacks.
Why is so much hacking happening now? The answer is simple: More valuable information is stored online now than ever before, and at the same time, many companies have been lax about IT security.
Most of this year’s high-profile attacks should have been prevented. It’s the job of every business owner to learn valuable lessons about why these companies were hacked and how they could have prevented it.
Here is a recap of 2011’s significant hacks with important tips for businesses:
RSA Security, hacked in March 2011:
RSA, best known for its SecurID tokens, was severely jeopardized by a clever cyber attack earlier this year. The attackers used social engineering (just another term for “con”) to trick RSA employees into opening a spoofed, or fake, email and downloading an infected Excel spreadsheet. This attack gave the hackers access to the computer network and from there, they stole SecurID tokens and used them to hack military contractors.
Key Lesson No.1: Protect Critical Data. RSA should not have had its SecurID token secrets online. What valuable information does your business store in online databases? Many executives don’t know, and classifying business data should be near the top of their chief information security officer’s (CISO) to-do list. Business owners should thoroughly examine the information they store online and store critical data offline or behind strict network segmentation.
Key Lesson No.2: Segment Your Network. The attack on RSA used employees to get inside the company. Employee training isn’t reliable; it’s therefore more important for businesses to safeguard their network by segmenting it, so that an infected employee PC can’t spread the infection laterally through the entire system.
Sony, hacked April to June 2011:
The attack on Sony made news for weeks as the company was attacked by LulzSec and the PlayStation Network was shut down. All told, the damage to Sony from these attacks was reportedly more than $170 million.