For those of you who haven't heard (I saw a report on Fox News as well as an article on Yahoo), Stuxnet, a piece of malware that essentially targeted software used to run industrial systems, such as water management plants, the electric grid, and nuclear plants, is essentially a weapon used to take out a particular system. What that means is that when/if this worm found its target, it would cause some type of action that would destroy it. While to my knowledge researchers have not found what it will actually do, some possible things it could do are cut the cooling water to machinery, which causes it to overheat and burn up; stop supplying lube oil to gears to wreck the machinery; or even more sinister things like putting too much of a given chemical in the water supply. Welcome to a new world.
I wouldn't be surprised if, as security researchers spend more time reverse engineering the malware, they keep finding more nuances that haven't been seen before in malware. The sophistication of the malware leads researchers to believe it was created by a government or a highly, highly organized, well-funded group. My only hope is the US created it; if not, we need to develop these capabilities in a hurry.
The suspected target of the malware is an Iranian nuclear plant because of the concentration of infected systems within Iran. Adding further to this theory is the fact that the plant should have been up and running but has been postponed for unknown reasons. I'm not usually a conspiracy theorist, but sometimes there are one too many coincidences. Considering the fact that Israel has said it will not tolerate a nuclear Iran, this sophisticated worm may have prevented a war or at the very least delayed it a while.
PS: USB drives are thought to be the method the worm was introduced and spread since the nuclear plant's control systems are not accessible through the Internet.
Computer Security for Normal People is designed to increase user awareness of common (and not so common) computer security issues in a non-technical, fun, easy-to-understand fashion. We won't focus on a list of definitions like most awareness programs but rather look at various attacks from an attacker's perspective so you can better understand why certain computer security measures are important. Feel free to let me know if you have any questions and I'll do my best to explain.
Friday, September 24, 2010
Saturday, September 11, 2010
Snail Mail
Not all attacks are high tech cyber crimes that require a high degree of technical skills. Some attacks can be pulled off with rather unsophisticated means. Here’s an example of such an attack:
You get a letter in the mail from your bank stating that for security reasons you need to use this new complex pin code that is impossible to remember. It also gives you a 1-800 number to call to change your pin if you desire. After calling the number, an automated voice tells you to enter your account number followed by the pound key. Then, it asks for your pin code followed by the pound key. After entering your pin, it tells you the pin is incorrect and to reenter your pin. You again enter the pin correctly but the automated voice says it is incorrect and to stay on the line for an operator. Shortly thereafter, an operator answers and states the bank’s name and his name and asks how he can help. You explain the situation which the operator says he can solve once he verifies your identity. He asks for your phone number, the last 4 of your social, your mother’s maiden name and any other information they need. Since you called them, there is little chance you even realize you are being compromised.
Lessons to be taken away from this scam:
- Verify any number you call with a legitimate source (website, prior bill, back of credit card). Don’t trust, verify!
- Get to know a bank employee at a local branch and call them with any questions you may have
- Be careful with your personal information at all times
Hardware Malware
Imagine buying a shiny new toy, taking it out of the package, plugging it into your computer and then having your anti-virus catch a virus on it (you do have anti-virus, right?). Couldn’t happen, right? Or maybe only on a product from some second-rate company. Well, several notable devices have been manufactured with malware already installed on them, including cameras (Olympus), smartphones (Samsung), Video iPods (Apple) and everyone’s favorite, USB drives (SanDisk).
Story time! After a few workers returned from an overseas trip, they noticed all their laptops had been affected by a virus. After IT examined the laptops, all of which showed the same infection, IT asked if they had been sharing USB drives. They insisted that they had not shared USB drives, though they did mention they had all bought USB drives while overseas. Examining the purchased USB drives, we noticed that they were the exact same USB drives with the same malware on them...coincidence...perhaps.
Better quality assurance measures at the manufacturers are the only way to stop this problem; however, since it is unlikely the malware is new, anti-virus should have definitions to block it. A few quick tips to protect you:
- Disable auto-run
- Scan all devices with anti-virus before connecting
- Update anti-virus definitions
Telephony Denial of Service
Everyone has heard of denial of service (DoS) attacks. These attacks are well publicized when they bring down a large corporation or website such as Yahoo. However, a new twist on this attack has been occurring: telephony DoS attacks against individuals. Here’s how it works.
Attackers use automated programs to dial the landline or cell phone numbers you registered with your bank or credit card. When the calls are answered, victims hear dead air, an advertisement, or a telephone sex menu. The calls are short but frequent enough that some victims have had to have their numbers changed.
While that’s a pain, here’s the real danger. While they are making your line busy, they are changing information, transferring funds, or making charges on your personal accounts. When your bank’s anti-fraud monitor goes off, it tries to call you but guess what, your line is busy. By the time the bank can reach you, the damage has already been done.
To mitigate this attack, AT&T offered this advice: “We urge anyone who suspects they may be the target of a TDOS attack to immediately contact their telephone provider after notifying their financial institutions.”
Information gathered from: www.njtoday.net/2010/05/12/phony-phone-calls-distract-consumers-from-genuine-theft-%E2%80%94-fbi-partners-warn-public/
AT&T iPad Breach
I’m sure many of you are aware of the latest high profile loss of personal data. AT&T exposed 114,000 e-mail addresses including some high profile figures such as NYC Mayor Michael Bloomberg.
AT&T decided to pre-populate a form when users entered their SIM card number. The “attackers” generated random numbers that mimicked the SIM card numbers and when one matched, the authentication page with the e-mail address and associated card number was displayed. So they now had the person’s e-mail address and associated SIM card number.
Imagine an e-mail coming from Apple that says go to this website to update your account with SIM card number XYZ. You check and it’s the right number so you have to believe it is legitimate right? Another great example of how with just a little bit of information you can trick people into providing even more personal data.
The “attackers” portion of the story is even more interesting. A “security group” said they exposed the flaw to AT&T and, once the flaw was fixed, publicly released information about it. AT&T refutes their claim and blames them for jeopardizing their customers’ data. Either way, expect an interesting debate and possible legal action on the matter.
Remember:
- All information is important
- Don’t click on links in e-mails, yes I’m serious.
- Don’t save info on forms using browser related tools
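To make the lesson concrete, here is an added example (not code from the blog or from AT&T) of the kind of pre-fill lookup the story describes, in its weak form beside a hardened one: the hardened version only returns the e-mail to a session already proven to own that SIM number, answers "denied" identically whether or not the number exists, and cuts off any client that probes many different numbers. All account data, session tokens and SIM numbers below are constructed sample values.

```python
# Added example, not from the original post. ACCOUNTS/SESSIONS are constructed.
import time
from collections import defaultdict, deque

# Constructed sample directory: SIM card (ICC-ID) number -> account e-mail.
ACCOUNTS = {
    "8901410321111111111": "alice@example.com",
    "8901410321111111112": "bob@example.com",
}
# Constructed sessions: token -> ICC-ID the logged-in caller has already proven to own.
SESSIONS = {"tok-alice": "8901410321111111111"}


def weak_prefill(iccid):
    """Weak: anyone who guesses a valid ICC-ID gets the matching e-mail back."""
    return ACCOUNTS.get(iccid)


class HardenedPrefill:
    """Hardened: e-mail only for a session bound to that ICC-ID, plus an enumeration guard."""

    def __init__(self, max_distinct=5, window_s=60):
        self.max_distinct = max_distinct      # distinct ICC-IDs one client may try per window
        self.window_s = window_s
        self.attempts = defaultdict(deque)    # client -> deque of (timestamp, iccid)

    def _enumerating(self, client, iccid, now):
        # Record the attempt, drop entries older than the window, count distinct IDs.
        q = self.attempts[client]
        q.append((now, iccid))
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return len({i for _, i in q}) > self.max_distinct

    def prefill(self, client, session_token, iccid, now=None):
        now = time.time() if now is None else now
        if self._enumerating(client, iccid, now):
            return {"status": "blocked"}          # too many different numbers tried
        email = ACCOUNTS.get(iccid)
        if email is None or SESSIONS.get(session_token) != iccid:
            # Same answer for unknown numbers and unauthenticated callers: no oracle.
            return {"status": "denied"}
        return {"status": "ok", "email": email}
```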