
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sønnet Beskerming.


Spies and Spying

The increasing attacks against Danish websites first reported in last week's column (which preempted other public reporting by several days) have started to spread to Australian sites. New intelligence gathered by Sønnet Beskerming researchers indicates that Australian sites are now being selected as targets for defacement in relation to the Danish caricature publication affair.

The defacement of the victim's website appears to have been perpetrated by Iranian hackers or their sympathizers, and carries the primary message of supporting Iran's Nuclear program. The secondary message is a short hate message targeted against the US, Israel and Denmark. The attack is believed to have utilised a known recent set of flaws in the OsCommerce e-commerce software, which has left the front page of the site damaged.

While Australia is not identified by name in the above attack, it is considered only a matter of time before it is linked by name. The reproduction of some of the caricatures by different Australian media sources is expected to be taken by interest groups as just cause to stage attacks on Australian sites.

Not a lot of international spying cases have been publicised in recent years, but recent weeks and months have seen quite a number being publicly announced. The first was a case from last year, where Israeli companies were the victims of an involved industrial espionage case following intentional infection with computer malware designed to obtain various trade secrets. The perpetrators of this case, an Israeli couple in London, have been arrested and are awaiting extradition to Israel to face charges.

A second, more recent, case came to light in late January, when Russia accused the United Kingdom of spying when a television program aired footage of what was claimed to be spies and their handlers using a sophisticated 'dead drop'. In this case, the 'dead drop' is a fake rock, with a wireless transmitter and storage device built into it, designed to receive information and pass information to designated devices which pass within range of the rock. It was not explained how the case was discovered, but footage showed someone collecting the fake rock, presumably for servicing or replacement.

Although it wasn't reported in English until recently, a spying case in Greece has been uncovered, where it is claimed that the United States was spying on several Greek politicians, Greek companies, police, the military, and possibly some diplomats as well. The surveillance covered the period of the 2004 Athens Olympics and lasted until March 2005, when it was discovered. The discovery came when network engineers found non-standard software running on the mobile phone network in Greece, which was set up to conference call a set of numbers whenever one of a specific set of mobile phones was in use. The link to the United States is assumed due to the physical proximity of the extra call numbers to the US embassy. The suicide of the network chief for the mobile phone network provider in March 2005 is now being revisited. The suicide came after the discovery and shut down of the malicious software, but before notification was provided to the Greek government.

Late last week, news was also reported of a Taiwanese national and a French national who are accused of trying to smuggle US military hardware into China. The Taiwanese national is currently under arrest, while the French national has fled the United States.

The news of spying and surveillance didn't just stop with publicised cases of suspected spying. Surveillance and data mining programs being established by various Governments and companies also drew attention.

Claims that the US Government is planning to spider the complete Internet through their ADVISE program prompted ridicule from some technical commentators, who quickly pointed out that it isn't all that hard to prevent such programs from seeing anything at all that you don't want them to see. The claims also drew complaints from those who feared the Government would end up overstepping its boundaries with the software, and that it would provide better results at monitoring Americans than it ever would at finding terrorists.

Similar claims have been made about the US security screening programs at airports, in particular US-VISIT, where it is claimed that nearly a thousand individuals of interest have been trapped by the system. When the cost of the system is averaged across the 44 million travelers who have passed through it, this works out at around $15 million USD per individual caught. Besides the questions asked about cost effectiveness, the greater cost is increased inconvenience to normal travelers.

The updated version of the Google Desktop Toolbar has attracted the interest and ire of many concerned users, with the introduction of a component only known as the 'search across computers' option, which temporarily uploads and stores the content of a user's local hard drive on Google owned servers. The content which is transferred includes PDF files, Word files, spreadsheets and other text-based files. It is believed that the intent is to allow users to search for the content of their files from multiple systems, even if the desired files are not on that particular system. Privacy advocates are concerned that it is possible that this information may be subpoenaed from Google by any agency, without any need to subpoena the original owner. If a hacker has obtained the login credentials from a user, then it could allow them to access a victim's files through this feature. Google have also indicated that they are not searching / indexing the files for advertising suitability, but have not ruled out the possibility in the future. At this stage, the feature is an optional extra, which is not activated by default on a simple install.

For users who activate this feature, a fair amount of bandwidth is going to be used transferring the files initially, and Google outline in the terms of use that the data will eventually be automatically purged from their servers, and can be manually cleared at any time (but it will mean that the content of the files can not be searched from anything other than the original computer). Even encrypting data files will not provide a realistic advantage, as the content of an encrypted document is not really searchable in the first place. It is also more likely to cause issues for companies that have to comply with privacy and accountability regulations, such as HIPAA and SOX in the United States, the Data Privacy Act in the UK, and comparable legislation across the globe. Some workplaces have already implemented bans on the software.

The discovery of this feature has already gotten security researchers working on a way to prevent this feature from functioning on their networks, even if a user has enabled it. It is also likely that malware will be written in the near future which makes use of this feature to intercept the flow of data and copy it to the hacker's systems.

A recent breach of credit card details from an unnamed US source appears to have come from a part of the mega-retailer, Walmart. Originally reported as affecting the 'Regions Bank', at least 100,000 credit cards have been exposed through a breach at an unidentified credit card processor in the United States.

The card processing company, later identified as CardSystems (the same processing firm which had more than 40 million credit card details stolen), claimed responsibility for discovering the breach, which has now spread to other financial providers, including the Bank of America, where an undisclosed number of cards were reissued. Concern is spreading about how the breach occurred at what is believed to be Sam's Club, a part of the Walmart chain. While no official confirmation has been given of which company was compromised (an office-supply retailer has been suggested as an alternative breach point), more worry is spreading about what mechanism was used to acquire the details. One theory is that it was the result of a hacker that penetrated the company, targeting the financial information. Others have claimed that this is related to a series of earlier reported incidents that alluded to a larger data breach.

At least one observer believes that it is only a matter of time until major litigation is launched against credit processing facilities following repeated privacy and financial data breaches.

Hackers targeting financial information is nothing new, and another case was made public last week, where Russian hackers stole more than 1 million Euros from French bank account holders over 11 months in 2004. A dozen arrests have been made, and several Ukrainians (thought to have masterminded the efforts) have been arrested in Moscow and St. Petersburg. The criminals used various spyware and keyloggers to capture banking details from victims prior to the account funds being captured by the criminals.

The US Department of Homeland Security recently undertook a scenario-driven paper exercise dubbed 'Cyber Storm', designed to test the effectiveness of communication and interaction between various government agencies and corporations in a number of countries following 'realistic' attacks and threats to critical infrastructure. The large exercise, which ran from February 6 to 10, was originally scheduled for last year, but was cancelled not long before it was meant to start.

Some critics have slammed the exercise as only testing known threats within a narrow scope - that it provides no indication of response following an unexpected attack which uses unidentified threats. Even if this is the case, the exercise will have provided valuable information about any inter-agency communications issues and any internal problems with rapid response groups, and will help improve them so that they are able to respond better in the case of a real attack.

The Department has since declared the exercise a success, at a press conference following the conclusion of the exercise on 10 Feb.

A suspected vulnerability in Apple's Quicktime software has recently been announced in an odd way. In addition to posting a basic outline of the vulnerability, and a screen capture which demonstrates the vulnerability, the researcher who discovered it also posted it to the news aggregator site, Digg.com in an attempt to have information (and credit) widespread, possibly in an attempt to boost his credibility as a researcher.

Finally, Microsoft have announced that they are to be releasing seven patches as part of their February Security Patch release, due on Tuesday. Of the seven, at least two have been rated as critical - which means remotely exploitable.

13 February 2006

