Cyber Security Intelligence

Twitter< Follow on Twitter >

December Newsletter #1 2014


Recently Symantec issued a report about the Regin family of malware. The malware appears to be sophisticated and many security analysts and researchers believe it to have been developed by a western Government specifically for cyber espionage.

This family of malware has been compared to Stuxnet; however, this is a poor comparison since Regin does not spread the way Stuxnet did. In fact, the purposes of each malware are quite different.

Stuxnet was designed for sabotage, whereas Regin was likely designed for espionage and as a result was deployed with a great deal more of precision. If anything, the purpose and behavior of the malware is similar to Flame, another malware family, specifically designed for espionage purposes.

There is still very little known about the initial attack vector used to deploy Regin. It appears to have been dropped using a variety of methods, including social engineering, an exploit in Yahoo Messenger and a link to a fake LinkedIn page that functioned as a watering hole.

Although Regin was designed to be stealthy, the various phases of the malware deployment can still be detected. The Regin malware actually makes a lot of ‘noise’ given the number of changes it makes on a host system if you have the right tools in place to monitor these changes on host systems.

Many of the methods used by Regin are not necessarily new and from conversations with developers are actually more like general best practices for developing Windows drivers.
The sophistication of the malware isn’t necessarily in the technical implementation, but in what appears to be a mature software development lifecycle. The malware has evolved and adapted, using best practices for development, borrowing techniques from other successful malware and has clearly been tested thoroughly to ensure it avoids detection by most antivirus tools.

It is important to realize that malware is now rarely created through ad hoc development, but is a business in itself. Many of the tools, techniques and strategies commercial software vendors use are also in use by malware developers.

Since the details of the malware are now available to the general public, there is a high likelihood that similar malware may be created by criminal groups or other state actors.

Cyber warfare: Is it possible to prevent hostile hijacking of nuclear facilities’ computers and systems

The following is a realistic scenario: the enemy succeeds in taking over the computers at a nuclear power station’s command center. The operators’ screens display no alert and they have no way of knowing the facility had just been remote-breached. The production array and critical parameters, including the reactor’s core cooling, are changing in an alarming way, but the perpetrators carefully saw to it that the monitoring system would not update technicians. The time it takes the on-site staffs to realize they are under attack, to track the hackers and avert disaster is way too long, posing a risk to both the reactor and to national security.

How realistic is this scenario? With 90% of all targeted cyber-attacks aiming at critical infrastructure sectors, there is no doubt a real change is called for in the overall cyber security doctrine of such facilities, along with a transition to innovative technologies to ensure more advanced security for computerized, operational and communications systems.

The cyber warfare arena has been heating up in recent years. Sophisticated hackers, hostile countries, disgruntled employees within organizations, terror groups and the like, are each capable of posing a major threat. The situation each CEO is concerned with these days is someone taking over the organization’s central computing/operational systems and wreaking havoc in them.

This challenge of securing critical infrastructure has intensified considerably, since beyond integrating advanced computing, the industrial world is fast approaching a new age in which machines interface with online command and control systems. Progress indeed entails numerous advantages, but at the same time it exposes such organizations to cyber threats and real dangers on both the virtual and physical levels.

Traditional security measures used by almost any organization do not amount to much of a solution. They rely upon known elements an assailant can use: signatures of malware files, rules, pattern identification, behavioral modes and so on, in hope that given the opponent’s modes and means, they could be neutralized in advance. Such methods have worked in the past, and may still constitute some defense against foreseeable threats or ones, which can be anticipated. Nevertheless, in a world undergoing a third industrial revolution and is already at an age when machines ‘talk’ with each other and make decisions dealing with unprecedented attacks is something CEOs must take into strategic and tactical plans today.

Where Do Big Data and Internet of Things Intersect?

You are likely benefitting from The Internet of Things (IoT) today, whether or not you’re familiar with the term. If your phone automatically connects to your car radio, or if you have a smart watch counting your steps, congratulations! You have adopted one small piece of a very large IoT pie, even if you haven't adopted the name yet.

The Internet of Things (IoT) may sound like a business buzzword. In reality, it’s a technological revolution that will impact everything we do—a gigantic wave of new possibility poised to alter the face of technology.

First, some background: IoT is the interconnectivity between things using wireless communication technology (each with their own unique identifiers) to connect objects, locations, animals, or people to the internet, thus allowing for the direct transmission of and seamless sharing of data.

In essence, it refers to everyday devices that are able to automatically exchange information over a network. IoT will also impact on our everyday lives by changing how we monitor traffic, weather, pollution, and the environment, and how we collect relevant data.

And so what if two of the biggest technology trends -- Big Data and the Internet of Things (IoT) -- actually converged or intersected? Actually, they are spanning everything from kitchen appliances to smart buildings. Not by coincidence, technology giants and start-ups are seeking to help CIOs and CFOs make sense of the convergence.

If you examine Gartner's Top 10 Technology Trends for 2015, the Internet of Things (IoT) will create opportunities to manage, monetize, operate and extend IP systems. Within that same trend report, Gartner mentions that advanced, pervasive and invisible analytics will emerge.

Gartner states: "Analytics will take center stage as the volume of data generated by embedded systems increases and vast pools of structured and unstructured data within and outside the enterprise are analyzed."

Some 4.9 billion connected “things” will be in use in 2015, up 30% from 2014, and will reach 25 billion by 2020, according to recent research from Gartner Inc. The Internet of Things (IoT) has become a powerful force for business transformation, the firm says, and its disruptive impact will be felt across all industries and all areas of society.

For a prime example, consider where Tellient is heading. In a recent podcast conversation, Tellient co-founder Tristan Barnum explained how Big Data applications allows businesses to analyze information gathered from a new generation of endpoints.

Barnum's example points to a new generation of kitchen appliances. What if a manufacturer were able to remotely track customers' favorite appliance settings; the most used (and unused) features; and more? The result, Barnum believes, will lead to better product designs, fewer defects and other improvements each time the manufacturer releases a new generation of appliances.

The Internet of Things will expand beyond small, remote devices, sensors and beacons to blanket much larger IP deployments including physical buildings.

Market research firm Frost & Sullivan sees "Big Data as an enabler for Smart Buildings" -- suggesting that three big trends will drive the development of smart buildings: 1 - Urbanization 2 - Connectivity and convergence of smart technologies; and 3 - Connectivity between smart devices.

The result: Watch for new partnerships between data analytics companies and building technology providers.

In another prime example, Enterprise Management Associates (EMA) Research Director John Myers describes how analytics running on sensor and machine data from smart devices delivers quantifiable cost savings and revenue, and more CFOs are taking notice of people like Eugene Kaspersky, founder and chief executive of Kaspersky Lab, the world's largest private cybersecurity company. Speaking recently on Advanced Threat Protection (APT) and IoT Kaspersky said, “We expect to see growth in the number of and sophistication of new criminal attacks, including on large companies, particularly on banks and other financial institutions. We are seeing growth in attacks on industrial systems coming from traditional, offline organized crime — from the mafia, essentially. The Internet of things is the Internet of threats for us. We expect attacks on smart TVs, watches, smart glasses. As the number of connected smart devices expands fast, more and more of them will be targeted to obtain criminal profit”.

Cyber Insurance: Don’t Count On General Liability To Cover Your Risk

As the legal troubles for the US restaurant chain P.F. Chang’s kept piling up over the cyber breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.

Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.

According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.

"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.

That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.

Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.
"This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not," says Carey, who offers a pretty simple rule of thumb: "If you are not sure your business is covered for cyber, it probably is not."

NSA chief defends agency's surveillance

The US National Security Agency's surveillance programs are legal and under close scrutiny by other parts of the government, the agency's internal privacy watchdog said recently in an online Q&A.

NSA surveillance and data collection programs conform to the U.S. Constitution, Rebecca Richards, the agency's first civil liberties and privacy director, wrote during an hour-plus Q&A on Tumblr.

The NSA operates under rules that "ensure that its activities fall within the parameters of the Constitution," Richards wrote when asked why she believes the surveillance programs are constitutional.

"The oversight regime governing NSA is extensive, spanning all three branches of government," she added. "The fact that NSA created my job highlights the value and importance NSA leadership places on privacy and civil liberties protections."

Critics like Edward Snowden have said some NSA surveillance programs violate the Constitution's Fourth Amendment, prohibiting unreasonable searches and seizures by the government. One Q&A participant asked if US residents' fears of being "discreetly spied on" are merited. The fears are not merited, Richards wrote. "NSA is a foreign intelligence agency," she wrote. "Our mission is to collect critical intelligence on foreign powers or their agents necessary to defend the country."

US law requires that the NSA, when targeting a US citizen for foreign intelligence purposes, to obtain a court order "based on a finding of probable cause to believe the intended target is a foreign power or an agent of a foreign power," she added.

Meet the Man Leading the Snowden Damage Investigation

Among the many actions the Obama administration took in the “post-Snowden” era of insider threats was to appoint a new government wide counterintelligence chief.

The man filling that role, or the “NCIX,” as acronym-inclined national security feds call the National Counterintelligence Executive, is Bill Evanina, 47, a former FBI special agent with a counter-terrorism specialty.

Tapped in May 2014 by James Clapper, director of the Office of National Intelligence, Evanina is now immersed in coordinating multi-agency efforts to mitigate the risk of foreign infiltration, assess damage from intelligence leaks and tighten the security clearance process.

He spends most days at the NCIX office in Bethesda, Md., but spoke to Government Executive from ODNI headquarters in McLean, Va., as part of the intelligence community’s “marketing strategy of new openness, which includes explaining which part of the federal government does what,” he said.

As of this summer, this administration has brought eight prosecutions of agency leaks under the 1917 Espionage Act—more than all other administrations combined, according to Jesselyn Radack, an attorney who works national security and human rights issues for the nonprofit Government Accountability Project. Her group and others warn that crackdowns on leakers and agency overreliance on classification inhibit the free pursuit of journalism in a democratic society.

Dealing with insider threats—a priority goal in the fiscal 2015 budget—has actually been on the intelligence community front burner since the WikiLeaks debacle in 2010, Evanina noted. “But it sped up from a regional railway to the Acela train,” the Pennsylvania native added, with the June 2013 leaks on National Security Agency domestic surveillance exposed by contractor Edward Snowden, the former Booz Allen Hamilton contractor with NSA now exiled in Russia.

One of Evanina’s central tasks now is chairing the government wide assessment of the damage caused by Snowden, a report slated for completion next summer.

Asked about suggestions by House Intelligence Committee Chairman Mike Rogers, R-Mich., that Snowden may have had prior links to the Russians, Evanina said, “There is no evidence on that either way.”

Evanina, who most recently headed the CIA’s Counterespionage group, smiles when a visitor mentions a new biography of Kim Philby, the notorious upper-crust Briton who betrayed both the British and American intelligence agencies in the 1940s through 1960s, when he defected to Russia.

China and Russia are probably both the No. 1 threats, Evanina said, because they target U.S. industry’s communications security and intellectual property. “They don’t have a robust research and development effort, and in the long-term what’s at stake is not just our ships and missiles, but our economic leadership in the world.”

Both the Snowden breach and the September 2013 shootings at the Washington Navy Yard by a mentally ill contractor “might have been helped if we’d employed a risk-based approach to prioritizing employees to get new background checks sooner than others,” he said.

One crisp action taken following agency auditing after Snowden’s exposure: 100,000 fewer people have security clearances than did a year ago, Evanina said. “That’s a lot.”

Australia to begin a cyber-security review

Speaking today at the launch of the new Australian Cyber Security Centre in Canberra recently, prime minister Tony Abbott put network security on par with physical security, said it is a guarantor of economic security and added “it is so important we keep one step ahead of this particular game” because the last such review was in 2008 and “in this area that is several lifetimes”.

The review will be conducted by a panel comprising Business Council of Australia CEO Jennifer Westacott, Telstra CISO Mike Burgess, Australian Strategic Policy Institute international cyber policy director Tobias Feakin and Cisco's US chief security officer John Stewart.

The panel has been given four jobs:

The panel's been given six months to "explore how industry and the government can work together to make our online systems more resilient against attacks" and "look for practical ways to improve our national security and work with business to make online commerce more secure".

The new Centre brings together the network security arms of several Australian government agencies, namely the Australian Crime Commission, the Australian Federal Police, the cyber elements of the Australian Security Intelligence Organisation (ASIO), the Australian Signals Directorate and the Attorney General’s Department Computer Emergency Response Team (CERT) Australia.

FBI’s Operation Onymous: Tor Project are puzzled…

When the administrator of Silk Road 2.0 was busted, the agent who penned the indictment was tight-lipped about how, exactly, the FBI got its hands on the supposedly hidden server the dark net market was using, saying that the Bureau simply "identified the server located in a foreign country," and that law enforcement managed to image it sometime around 30 May 2014.

In or about May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time (the “Silk Road 2.0 Server”). On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, the Silk Road 2.0 server was taken offline for imaging and the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.

But that's all that law enforcement was willing to share about how it managed to slice through the layers of the Tor network, which is designed to mask users' identity by means of software that routes encrypted browsing traffic through a network of worldwide servers.

Night-Vision Capability for a Nano UAV

The name of the game in today’s world of Unmanned Aerial Vehicles (UAVs) is technology miniaturization and focusing most of the effort in small systems capable of operating silently up in the air, but large UAVs are also making great strides.

Most tactical missions do not call for a flight altitude of 20,000 feet and carrying a heavy-duty camera – because you can get to the destination and the target by deploying a small, compact, silent UAV flying at a low altitude using an electric engine and carrying a state of the art dedicated payload complete with a camera and advanced sensors.

Now there are miniature drones with night sight. Prox Dynamics has unveiled a night-capable version of its PD-100 Black Hornet unmanned air vehicle, believed to be the world’s smallest operational military UAV.

The 18-gram single-rotor helicopter is fitted with both long-wave infrared and day video sensors, and can transmit video streams or high-resolution still images via a digital data link with a 1-meter range.

More than 3,000 PD-100 air vehicles have been delivered, the company says, and the system has been used operationally in Afghanistan by British army units since 2013. The results, according to British army reports, were very good.

The complete system weighs 1.3 kg and comprises two vehicles, a charging and transport case and a ground control station. The helicopter has an endurance of 25 min. and can operate in a 15-kt. wind.

Norway-based Prox Dynamics produces most components of the PD-100 itself, above the chip level. For example, the company buys the IR detector but has designed and built the new camera itself, and also designs and builds the high-efficiency propulsion motor. Component design, the company says, allows the PD-100 to achieve a useful endurance while powering the cameras, data link and GPS receiver.

Amazon hires former NASA personnel for drone program

Amazon’s goes full force for using UAV’s for deliveries. The company’s biggest hurdle to using flying delivery drones is approval from the Federal Aviation Administration. Now, the company is hiring people familiar with those government regulations to work on the Prime Air team.?According to Triangle Business Journal, former U.S. Navy and NASA employees have joined the team in recent months, several LinkedIn profiles show.?Neil Woodward, a technical program manager for flight test and certification, joined the team in April. He was previously an astronaut at NASA and a flight officer in the Navy.

Russian MPs back law on Internet data storage

Russia's lower house of parliament has passed a law requiring Internet companies to store Russian citizens' personal data inside the country.

The Kremlin says the move is for data protection but critics fear it is aimed at muzzling social networks like Twitter and Facebook. The Russian government is thought to be seeking greater access to user data. Social networks were widely used by protesters opposing President Vladimir Putin's return to the Kremlin in 2012.

Analysts say there are fears that Russia may be seeking to create a closed and censored version of the Internet within its borders. The new bill must still be approved by the upper chamber and President Putin before it becomes law.

If passed, the new rules will not take effect until September 2016 but will give the government grounds to block sites that do not comply.


The full web site is currently under development and will be available during 2014