Monday, May 19, 2008

New Hiding Place for Hackers...

May 2008

Hackers find a new place to hide
rootkits. Security researchers have developed a new type of malicious
rootkit software that hides itself in an obscure part of a computer's
microprocessor, hidden from current antivirus products. Called a System
Management Mode (SMM) rootkit, the software runs in a protected part of a
computer's memory that can be locked and rendered invisible to the operating
system, but which can give attackers a picture of processes in a computer's
memory. The SMM rootkit comes with keylogging and communications software
and could be used to steal sensitive information. The proof-of-concept
software will be unveiled for the first time at the Black Hat security
conference in Las Vegas this August.

DARK READING...

May 2008

New intrusion tolerance technology
treats attacks as inevitable. First there was intrusion detection, then
intrusion prevention, and now, intrusion tolerance. A professor and
researcher at George Mason University is readying the commercial rollout of
a new, patent-pending technology that basically assumes an attack or
infection on a server is inevitable, so it instead minimizes the impact of
an intrusion. Called self-cleansing intrusion tolerance (SCIT), the new
security method does not replace IDS, IPS, firewalls, or other traditional
security tools, but rather adds another layer that minimizes the damage of
an attack, says the professor of computer science and director of the
Laboratory of Interdisciplinary Computer Science at GMU in Fairfax, Va. "An
intruder is going to get through irrespective of how much investment you
make [with security tools] and how hard you try. It's about how you contain"
an intrusion, he says. "Intrusion tolerance is different than intrusion
detection and intrusion prevention - it doesn't do any detection and
prevention," he says. "Today's servers are all exposed. We try to contain
the losses by reducing the exposure time of the server to the Internet." The
professor, who will outline his SCIT technology this week at IntrusionWorld
in Baltimore, says the basic idea is to regularly rotate Web, DNS, or other
servers on- and offline to "cleanse" the exposed machine to a previously
unblemished state that has never been online - and automatically have
another clean (virtual) machine take its place. This cycle would occur at
regular intervals, regardless of whether an intrusion had occurred or not.
It's a fatalistic approach to Internet-borne attacks: "Because servers are
online for such a long time, if someone wants to deliberately intrude, he
has a sitting duck on which he can work," he says.
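The rotation scheme described above can be modelled with a few lines of code. The following is an added illustration, not SCIT's own software: a pool of virtual machine instances cycles through online, cleansing and ready states, and the currently exposed instance is retired after a fixed exposure window whether or not anything went wrong. The pool size, window length and cleansing time are constructed values; the point the simulation makes is that an intrusion's dwell time on any instance is bounded by the window.

```python
"""Toy simulation of SCIT-style server rotation (added example, not GMU's code).

Each instance is in one of three states:
  ONLINE    - exposed to the Internet and serving requests
  CLEANSING - offline, being restored from a pristine image
  READY     - restored, never online since, waiting to take over
Rotation fires every `exposure_window` ticks regardless of detection, so an
intruder who lands on an instance at tick t loses it by t + exposure_window.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

ONLINE, CLEANSING, READY = "online", "cleansing", "ready"


@dataclass
class Instance:
    name: str
    state: str = READY
    online_since: Optional[int] = None
    compromised_at: Optional[int] = None      # set by the simulation, unknown to SCIT
    cleanse_done_at: Optional[int] = None


@dataclass
class ScitCluster:
    exposure_window: int                      # ticks an instance may stay online
    cleanse_time: int                         # ticks to restore from the pristine image
    instances: List[Instance] = field(default_factory=list)
    active: Optional[Instance] = None
    ready: Deque[Instance] = field(default_factory=deque)
    dwell_log: List[Tuple[str, int]] = field(default_factory=list)

    @classmethod
    def build(cls, n: int, exposure_window: int, cleanse_time: int) -> "ScitCluster":
        # Sustained rotation needs (n - 1) * exposure_window >= cleanse_time,
        # otherwise no clean instance is ready when the window expires.
        if (n - 1) * exposure_window < cleanse_time:
            raise ValueError("pool too small for this window/cleanse ratio")
        c = cls(exposure_window, cleanse_time)
        c.instances = [Instance(f"vm{i}") for i in range(n)]
        c.ready.extend(c.instances)
        c._bring_online(c.ready.popleft(), tick=0)
        return c

    def _bring_online(self, inst: Instance, tick: int) -> None:
        inst.state, inst.online_since = ONLINE, tick
        self.active = inst

    def compromise(self, tick: int) -> None:
        """Simulation hook: the exposed instance is intruded at `tick` (never detected)."""
        self.active.compromised_at = tick

    def step(self, tick: int) -> None:
        # Instances whose restore has finished rejoin the ready pool, clean again.
        for inst in self.instances:
            if inst.state == CLEANSING and inst.cleanse_done_at <= tick:
                inst.state, inst.compromised_at = READY, None
                self.ready.append(inst)
        # Rotate the exposed instance when its window expires, intrusion or not.
        if tick - self.active.online_since >= self.exposure_window:
            old = self.active
            if old.compromised_at is not None:
                self.dwell_log.append((old.name, tick - old.compromised_at))
            old.state, old.cleanse_done_at = CLEANSING, tick + self.cleanse_time
            self._bring_online(self.ready.popleft(), tick)


def run(n=3, exposure_window=4, cleanse_time=6, ticks=30, compromise_ticks=(5, 14)):
    """Return (instance, dwell ticks) for every intrusion the rotation flushed out."""
    cluster = ScitCluster.build(n, exposure_window, cleanse_time)
    for t in range(1, ticks + 1):
        if t in compromise_ticks:              # constructed intrusion times
            cluster.compromise(t)
        cluster.step(t)
    return cluster.dwell_log


if __name__ == "__main__":
    for name, dwell in run():
        print(f"{name}: intruder held the instance for {dwell} ticks before rotation")
```

With a four-tick window and a six-tick restore, three instances are the minimum pool; the `build` check encodes that sizing rule, which is the operational cost of the approach the article glosses over.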

Wednesday, May 14, 2008

A Digital Haven...

May 2008

A digital haven for terrorists on our own shores? If you use one of America's top Internet service providers, you may share server space with an organization that enables worldwide terrorism, says a new study by Tel Aviv University. A workshop on terrorist organizations and the Internet was organized for the North American Treaty Organization (NATO) by the Netvision Institute for Internet Studies (NIIS) and the Interdisciplinary Center for Technology Analysis & Forecasting, both of Tel Aviv University. Berlin's Institute for Cooperation Management and Interdisciplinary Research (NEXUS), affiliated with the Technical University of Berlin, also participated. The findings were presented in Berlin to a closed audience of high-ranking representatives from NATO in February 2008. Enlisted by NATO officials to study the web activity of terrorist organizations, researchers found that some of the world's most dangerous organizations are operating on American turf. Hezbollah, the Islamic Jihad, and al-Qaeda all have websites hosted by popular American Internet service providers - the same companies that most of us use every day.

A Cyberattack on NASA

May 2008

Nigerian gets 18 months for cyberattack on NASA employee. A Nigerian man has been sentenced to 18 months in prison for wooing a NASA employee so he could sneak malware onto her work computer and steal passwords, banking information, and 25,000 screenshots. The man pleaded guilty and was sentenced to 18 months in prison by the Lagos State High Court in Nigeria late last month. He was initially charged with four counts but pleaded guilty to two counts of obtaining goods by false pretenses and forgery. The U.S. attorney for the District of Columbia said the man did not target the woman because she worked for the government. He tried to scam several hundred women and was successful with several. The man, posing as a Texan by using a phony picture and background information, courted the woman for several weeks before he sent an e-mail to her work address with an attachment that contained a phony photo of his phony persona. When she opened the attachment to see the picture, her system was automatically infected with a commercially available piece of spyware. The spyware, which did not spread to other computers on the NASA network, was first downloaded onto her computer on November 21, 2006. It harvested private e-mail, the woman’s passwords, her Social Security number, driver’s license information, and her home address before it was detected on December 7. During those few weeks, it also captured 25,000 screenshots of whatever she had on her screen at the time, according to a U.S. Department of Justice official, who worked on the investigation, but asked not to be identified.

Pentagon wants Cyberwar...

May 2008

Pentagon wants cyberwar range to 'replicate human behavior and frailties'. The Pentagon's researchers do not just want to build an Internet simulator to test out cyberwar tactics. They want the range's operators to "realistically replicate human behavior and frailties," too. Congress has ordered the Defense Advanced Research Projects Agency (Darpa) to put together a National Cyber Range, as part of a massive $30 billion, government-wide effort to better prepare for battle online. The project is now considered a top priority for the Agency. To make sure the facility is as true-to-life as possible, Darpa wants the contractors running the Range to be able to "replicate realistic human behavior on nodes," a request for proposals, released today, reveals. Several examples of the specifics the Agency wants from its contractors include: provide robust technologies to emulate human behavior on all nodes of the range for testing all aspects of range behavior; replicants will produce a realistic chain of events between many users without explicitly scripted behavior; replicants must be capable of implementing multiple user roles similar to roles found on operational networks; replicants will interact with authentication systems, including but not limited to DoD authentication systems (common access cards - CAC) and identity tokens. These mock people have to be able to "demonstrate human-level behavior on 80 percent of all events," the Agency adds. And mimicking humans is only one of a wide array of tasks Darpa wants to see operators of the National Cyber Range pull off. The facility should also feature "realistic, sophisticated, nation-state quality offensive and defensive opposition forces" that can fight military info-warriors in mock combat.

Monday, May 05, 2008

Bot vs. Bot

May 2008

Beating the “botnets.” A team at the University of Washington wants to marshal swarms of good computers to neutralize the bad ones. They say their plan would be cheap to implement and could cope with botnets of any size. Current countermeasures are being outstripped by the growing size of botnets, says the Washington team, but assembling swarms of good computers in defense could render DDoS attacks obsolete. Their system, called Phalanx, uses its own large network of computers to shield the protected server. Instead of the server being accessed directly, all information must pass through the swarm of “mailbox” computers. The many mailboxes do not simply relay information to the server like a funnel – they only pass on information when the server requests it. That allows the server to work at its own pace, without being swamped. Phalanx also requires computers wishing to start communicating with the protected server to solve a computational puzzle. This takes only a small amount of time for a normal web user accessing a site. But a zombie computer sending repeated requests would be significantly slowed down. The Washington team simulated an attack by a million-computer botnet on a server connected to a network of 7,200 mailboxes organized by Phalanx. Even when the majority of the mailboxes were under simultaneous attack, the server was not overwhelmed and could still function normally. A paper on Phalanx was presented at the USENIX symposium on Networked Systems Design and Implementation, held last week in San Francisco.
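The two mechanisms the article attributes to Phalanx, mailboxes that release traffic only when the server pulls it and a computational puzzle that every new client must solve, are easy to sketch in code. What follows is an added toy model, not the University of Washington's implementation: the puzzle is a hashcash-style SHA-256 preimage search with a configurable number of leading zero bits, the mailbox is an in-memory queue, and the traffic mix (three legitimate clients, fifty zombies replaying requests without solving a puzzle) is constructed for the demonstration.

```python
"""Toy model of Phalanx-style mailbox indirection with client puzzles.

Added example, not the Phalanx code base. Assumptions: a hashcash-style
SHA-256 puzzle stands in for Phalanx's puzzle scheme, one in-memory mailbox
stands in for the swarm, and the server drains it a fixed number of
messages per tick.
"""
import hashlib
import os
from collections import deque
from typing import Deque, Dict, List


def puzzle_solved(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """True if sha256(challenge || nonce) begins with `difficulty` zero bits."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0


def solve_puzzle(challenge: bytes, difficulty: int) -> int:
    """Brute-force search a legitimate client runs once per session (~2^difficulty hashes)."""
    nonce = 0
    while not puzzle_solved(challenge, nonce, difficulty):
        nonce += 1
    return nonce


class Mailbox:
    """Buffers puzzle-verified requests; hands them over only when the server pulls."""

    def __init__(self, difficulty: int, capacity: int):
        self.difficulty = difficulty
        self.capacity = capacity              # bounded backlog protects the mailbox itself
        self.queue: Deque[str] = deque()
        self.challenges: Dict[str, bytes] = {}
        self.dropped = 0

    def challenge_for(self, client_id: str) -> bytes:
        """Issue a fresh single-use challenge to a client that wants to talk to the server."""
        chal = os.urandom(8)
        self.challenges[client_id] = chal
        return chal

    def deposit(self, client_id: str, nonce: int, payload: str) -> bool:
        # A challenge is consumed on first use, so replaying an old solution fails.
        chal = self.challenges.pop(client_id, None)
        if chal is None or not puzzle_solved(chal, nonce, self.difficulty):
            self.dropped += 1
            return False
        if len(self.queue) >= self.capacity:
            self.dropped += 1                 # full mailbox: shed load, never forward it
            return False
        self.queue.append(payload)
        return True

    def pull(self, n: int) -> List[str]:
        """Server-initiated transfer: at most n messages, at the server's pace."""
        out: List[str] = []
        while self.queue and len(out) < n:
            out.append(self.queue.popleft())
        return out


def simulate(n_legit=3, n_zombie=50, difficulty=10, capacity=8, pull_per_tick=2):
    """Constructed traffic mix: legit clients pay for puzzles, zombies do not."""
    box = Mailbox(difficulty, capacity)
    accepted = 0
    for i in range(n_legit):
        cid = f"user{i}"
        chal = box.challenge_for(cid)
        accepted += box.deposit(cid, solve_puzzle(chal, difficulty), f"GET /page{i}")
    for j in range(n_zombie):                 # flood without ever requesting a challenge
        box.deposit(f"bot{j}", 0, "GET /")
    served: List[str] = []
    ticks = 0
    while box.queue:                          # the server drains at its own rate
        served += box.pull(pull_per_tick)
        ticks += 1
    return {"accepted": accepted, "dropped": box.dropped, "served": served, "ticks": ticks}


if __name__ == "__main__":
    print(simulate())
```

The server never sees the zombie traffic: it is rejected at the mailbox for lacking a valid puzzle solution, and whatever does pass is delivered only when the server asks, which is the "not a funnel" property the article describes.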

Hackers Jack Sites...Nah!!! Really???

May 2008

Hackers jack thousands of sites, including UN domains. Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations (UN), have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume. "They're using the same techniques as last month, of an SQL injection of some sort," said the vice president of security research at Websense Inc., referring to large-scale attacks that have plagued the Internet since January. Among the sites hacked were several affiliated with either the UN or U.K. government agencies. The exact number of sites that have been compromised is unknown. He estimated that it is similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com. "The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack," Websense said in an alert posted yesterday to its Web site. "We have no doubt that the two attacks are related." Although the malware-hosting domain has changed, it is located at a Chinese IP address, just like the one used in March, he said. "It also looks like they're using just the one [hosting] site, but changing the link within the JavaScript," he added, talking about an obfuscation tactic that the attackers have used before.