Saturday, 24 May 2014

China to start cyber security vetting on computer systems

China will begin checking computer systems used in government departments to protect "sensitive data". The state internet information office announced the measures amidst rows of cyberspying between China and the United States.
New checks will be the norm for computer systems used by government departments and businesses here in China. According to the State internet Information office, a handful of foreign governments and businesses have taken advantage of their technological monopolies, collecting sensitive data on a large scale from the Chinese government, businesses and institutions.
"In recent years, Chinese government departments, institutions, businesses, university and key telecom networks have been intruded into and spied on. The Snowden incident last year have given a warning to countries all over the world. It’s certainly true that without cyber security there would be no national security.” State Internet Information Office spokesman Jiang Jun said.
The office says it’s a measure long overdue, and comes at time when fingers are pointed at China with groundless accusation.
China finds these charges baseless and provocative as the United States holds a track record of cyber spying, the most conspicuous case shown by the Snowden incident.
"It’s really amazing to see that some people still believe they have the moral high ground and credibility to accuse others." Chinese Ambassador To the US Cui Tiankai said.
This particular incident won’t likely be the last spat of cyber espionage between the two countries. Even corporates have been caught in the fray. Just last November, Chinese telecoms giant Huawei decided to pull out of the US market amidst claims of spying. A spokesperson for the State Internet Information Office said that China may initiate countermeasures if the U.S. keeps up its cyber spying activities.

Cybercrime is big money for hackers

  • Hackers take electronic info from eBay employees to steal customers' data
  • James Lewis: Cybercrime is a growth industry and breaches won't stop
  • He says cybercrime is risk free, hard to stop, and big money for hackers
  • Lewis: The least that companies can do is to put in more safeguards
Editor's note: James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. The opinions expressed in this commentary are solely those of the author.
(CNN) -- In the early days of the Internet boom, some thought we would enter an era where there would be one integrated world economy with no borders, where we would share similar democratic values, and where governments would be less important and civil society could pick up many governmental tasks.
But that turned out not to be the case. Many countries don't share our values. There are conflicts, and the Internet has become a good place for these conflicts to play out.
One outcome is espionage, whether it is the National Security Agency listening to foreign leaders or China's People's Liberation Army stealing trade secrets. Another outcome is cybercrime.
It seems every month there is a story about a giant retailer being hacked and the personal data of hundreds of thousands of people being stolen by faceless cybercriminals. The last big story was Target. This week it's eBay, where hackers stole electronic credentials from eBay employees and used the credentials to access and steal customers' data.
According to one estimate, more than 800 million records were stolen in 2013. Fortunately, that doesn't actually mean all 800 million people suffered financial loss. Only a small fraction of people who have their data taken become victims of fraud or theft, because it is hard for criminals to "monetize" data -- to turn your personal information into cash. But the cleanup costs for the victimized company can be gigantic. After Target's hack, its CEO was fired for not doing enough.
Cybercrime is a growth industry and online security breaches are not going to stop any time soon.
The Internet was designed to ensure easy, reliable connectivity and in this it has been an immense success. When the Internet was commercialized in the 1990s, the U.S. government thought it was better to immediately start using an imperfect technology and get the economic benefits rather than wait for a completely safe Internet.
That was the right decision. The Internet has drastically changed all facets of our lives, including the way we communicate and do business. It has brought us immense economic benefits.
But the downside is that the Internet is not a secure place. Cybersecurity would not be as big a problem as it is today if the pioneers had paid more attention to security issues.
For example, encryption (software that scrambles your data into unintelligible patterns) was decontrolled in 1999. But many encryption products turned out to be hard to use, slowing computers and adding cumbersome steps to simple transactions. Encryption is still not widely used. Many companies don't encrypt the data of their customers and rely on passwords, which are very easy to hack for many transactions.
Cybercrime is an issue that needs more attention. According to one European intelligence service, there are 20 to 30 criminal gangs in the former Soviet Union that have hacking skills as good as most nations. There are many other groups with lesser skills. These criminals are nimble and inventive, and there are thriving cybercrime black markets where you can buy the latest hacking tools. This means there are highly skilled criminals who live in safe havens but can use the Internet to commit crimes that can earn millions of dollars, for which they will never be arrested or tried. Why would they stop? While there is good cooperation among Western countries against cybercrime, Russia has little interest in stopping these groups.
Eventually, the Internet will become less risky. There are basic things that companies can do to make sure their networks are more secure -- at least from all but the high-end criminals and big intelligence agencies.
Many companies are now taking cybersecurity seriously in a way different from even a year or two ago. The United States can work with other governments to improve law enforcement cooperation and to close down criminal networks.
The question is whether there will be enough progress before hackers get better at using what they steal. Right now, cybercriminals can steal millions of records but only be able to "monetize" a few thousand of them. If cybercriminals get better at monetizing the personal data they steal, there will be a spike in losses. And if countries like China continues to hack U.S. businesses to steal trade secrets and make competing products, American companies will lose sales and jobs.
The eBay hack reminds us that cybercrime is risk free, hard to stop, and big money for hackers. Even the best defenses may have holes in them. The least we can do is to try to put in the safeguards.

China Cyber Spying Indictment Reveals Hacking Techniques

Part of the building of 'Unit 61398', a secretive Chinese military unit accused of cyber espionage in Shanghai
Part of the building of 'Unit 61398', a secretive Chinese military unit accused of cyber espionage in Shanghai
— The alleged hacking of U.S. corporate computers by elements of China’s military wasn’t in and of itself all that unique.

As cyber attacks go, it was moderately sophisticated in technique.

But that raises a more troubling question.

How could major international corporations - such as U.S. Steel, Alcoa and others with millions of dollars of intellectual property - get robbed by a small, low-cost group of hackers working from China?

The answer:  it’s surprising it doesn’t happen much more often.

Over its 48 pages and 31 counts of criminal misconduct, the U.S. Justice Department’s indictment unveiled this month details how five Chinese army officers – with Internet identities such as “Ugly Gorilla”, “Kandygoo” and “WinXYHappy” – went about infiltrating the computer networks of six large U.S. corporations.

Sections of the indictment are so detailed that they read like a primer – a virtual ‘how-to manual’ for anyone interested in how hackers do what they do.

Social engineering

While some of the terms such as “spearphishing”, “beacon” or “hop-points” may need a little technical explaining, it’s clear from the indictment that the defendants generally employed something security analysts call social engineering.

In essence, social engineering is a tactic where hackers pretend to be somebody else to try and trick the target into trusting them.

The aim is getting them to reveal information directly (such as a password) or infect their computers by clicking on malicious links and attachments. Social engineering, in the end, is just a fancy label for little more than a con job.

There are many different tricks a hacker might employ to earn their target’s trust.

But once they have it, it’s relatively easy to fool unsuspecting targets into releasing sensitive information.

A common example: if someone you believe is a trusted co-worker sends you an email urgently asking for a password they’ve forgotten, you’re probably much more likely to send it to them without thinking twice than someone you don’t know, analysts say.

“Given that these types of attacks can be attempted with very little consequence if they don't succeed,” said Mike Auty, senior security researcher at the firm MWR Infosecurity,

“It allows the attacker to launch a number of attacks, over a long period of time, and the chances are high that there will be a mistake, and someone will grant them access,” he said.

Which, as the indictment details, is  what the Chinese are alleged to have done.

One particular social engineering trick allegedly used by the defendants was “spearphishing” - sending links or attachments via email that, if clicked, would infect the target’s computer system without them knowing.

Once infected, the malware would create what’s called a “back door” or secret entrance into the system that could likely go undetected for prolonged periods.

In the recent indictment papers, U.S. prosecutors say that, defendant “SUN” - short for Sun Kailiang - “sent spearphishing e-mails purporting to be from two U.S. Steel e-mail accounts to approximately eight U.S. Steel employees, including U.S. Steel’s Chief Executive Officer.

“The e-mails had the subject line “US Steel Industry Outlook” and contained a link to malware that, once clicked, would surreptitiously install malware on the recipients’ computers, allowing the co-conspirators backdoor access to the company’s computers,” the indictment said.

“ unidentified co-conspirator sent approximately 49 spearphishing e-mails to U.S. Steel employees with the same subject, “US Steel Industry Outlook,” according to the indictment.

But it didn’t stop with basic spearphishing.

Researcher Auty said successful social engineering hacks often require more than just bad emails.

And the indictment lays out another, more sophisticated attack strategy that required much greater planning, research and patience.

Persistence over technology

Throughout the document, the Justice Department describes how the defendants would first try to gain lists of current and former employees at each of the six targeted companies and then went about researching who they were.

The defendants then went about purchasing a variety of web site domain names, such as ‘’ or ‘’ (readers are advised NOT to visit these sites) and populating them both with content that appeared legitimate, but also contained hidden Trojan-horse malware.

These websites both served to create an appearance of trust and also to serve as “hop-points” between the infected computers and the main attack servers in China to coordinate and control all the malware-infected computers in the U.S.

In the indictment, attorneys detail how these hop-points could surreptitiously allow the hackers to grab documents and “exfiltrate” – a computer term that basically means stealing – the data back to China.

As the indictment put it: “Between intrusions, the co-conspirators used the domain accounts to reassign the malicious domain names to non-routable or innocuous IP addresses, (e.g., IP addresses for popular webmail services, like Gmail or Yahoo), which would obscure any beacons their malware sent during that period.”

“Bad guys want my stuff”

Technologically speaking, it wasn’t anywhere near the sophistication of something like the Stuxnet virus.

But for sheer persistence and imagination, it was quite a clever operation.

“People need to realize: the bad guys are persistent, they’re organized,” said Stephen Cobb, a senior security researcher at the cyber security firm ESET North America. “Maybe this would help: it’s not an individual who’s trying to break into your web server every five seconds.”

“Let’s face it: every company today has information on their computers that they need to protect,” Cobb said. “If you’ve got a website, there’s an attempt to break into it every five, six seconds. It’s automated programs.

"So people from all around the world who want to get into somebody else’s computer are running automated script looking for holes," he said. "There’s a constant probing of systems.”

Still, it’s hard for most people to understand cyber security, analysts say.

“If you work for a bank, you should be fairly aware that people might want to rob you, that’s where the money is,” Cobb said. “But if you’re a doctor, or an engineer designing a product, you’re not necessarily thinking ‘there are bad guys who want my stuff.’‘”

But security expert Auty said that’s not a cause to lose hope.

“People will always be a weak element, but given that organizations have learnt to harden their perimeter, the next area of improvement required within the industry is ensuring internal visibility and appropriate segregation,” he said.

For both Auty and Cobb, the segregation of data into specific areas with different levels of security is key.

“You can’t protect what you don’t know about,” Cobb told VOA. “One of the very first things on my list for remediation or security programs for small business or big business is know what you’ve got.”

Microsoft promises fix for Internet Explorer zero day flaw

Microsoft Internet Explorer
Microsoft has confirmed it is working on a fix for a critical vulnerability in its Internet Explorer 8 web browser, following the flaw's public disclosure by researchers at the Zero Day Initiative (ZDI).
The flaw came to light after the researcher who found it revealed Microsoft had not patched the problem within 180 days of being informed, thereby allowing ZDI to make information public under its own guidelines.
Despite the lengthy wait for a fix, a Microsoft spokesperson told V3 the company is aware of the flaw and is working to fix it, but added it is yet to uncover any evidence it is being actively exploited.
"We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible," said the spokesperson.
"Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers."
The vulnerability was disclosed by the ZDI earlier this week and could theoretically be exploited by hackers to infect machines running the web browser with malware. The researchers claim they privately reported the bug to Microsoft on 10 November 2013.
Microsoft added that while the company is going to fix the bug, to remain truly secure users should upgrade to a newer version of Windows and IE.
"We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which includes further protections," said the spokesperson.
Microsoft has been calling for users to upgrade to new Windows versions since it officially ceased support for its 13-year-old Windows XP operating system in April. The cut-off means Microsoft will not officially issue security fixes for newly found vulnerabilities on XP.
Microsoft was forced to issue an emergency XP fix, despite the official cut-off, when a separate zero-day vulnerability was discovered in IE earlier in May.
Meanwhile, the researcher who originally found the flaw defended Microsoft for taking its time on the fix, saying there could well be a good reason for the delay.
"The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason," he wrote in a blog post.
"Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things.
"In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers."

eBay faces investigations over massive data breach

eBay eBay is facing several investigations into its data breach
The UK's information commissioner is working with European data authorities with a view to taking action against eBay over its recent data breach.
Three US states are also investigating the theft of names, email addresses and other personal data, which affected up to 145 million eBay customers.
The online marketplace has begun the process of notifying its customers about the need to reset passwords.
However some customers reported problems when attempting to do so.
EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
"The site is busy, but our secure password reset tool is working," a spokesman said.
The firm has been criticised for its slow reaction in informing customers about the theft of personal data.
"We are sending out millions of emails, and it will take some time. The process is certainly well under way," the firm told the BBC.
It warned though that its official password reset email contained no links and that customers should be wary of messages that did.
"Any email with links is a phishing attempt," it said.
Serious breach Meanwhile the fallout from the data breach was beginning to kick in.
In the US, Connecticut, Florida and Illinois said they were conducting a joint investigation.
Speaking on BBC Radio 5 live, the UK's information commissioner said that the eBay breach was "very serious" but that outdated and complex data protection laws meant the ICO could not begin an immediate investigation.
He said the watchdog would have to first liaise with the Luxembourg data protection, where eBay has its European headquarters.
"There's millions of UK citizens affected by this, and we've been clear that we're monitoring it, but by taking the wrong action under the law now we risk invalidating any investigation," an ICO spokesman told the BBC when pressed on why the watchdog had not yet launched any action.
Identity theft Questions are starting to be asked about how well eBay safeguarded its customers' data.
Hugh Boyes from the Institution of Engineering and Technology questioned why eBay stored so much data in the first place.
"The Information Commissioner makes the point that organisations should keep the minimum information necessary so why do eBay need to hold and store dates of birth and addresses?"
"As an occasional eBay user, I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth.
"This is serious from an identity theft perspective. The only item they are missing is the mother's maiden name and they have sufficient information to impersonate an individual when dealing with many financial organisations."
Reports that large numbers of eBay customer details have begun appearing for sale in Pastebin - a site where hackers publicise their attacks - have been denied by eBay.
Lysa Myers, a security research at ESET agreed that the data was unlikely to have originated from the auction site.
"The users that are shown in the sample would represent an odd subset of users for an international company like eBay. And the price asked (1.45 Bitcoin) would seem to be astonishingly low for the data of 145 million users," she said.
"Even if the sample is not in fact from the eBay breach, it could potentially be data from another company's leak."

eBay says database leak dump offers are fake

Cybercrooks are offering to sell "stolen copies" of the leaked eBay database through an advert posted through Pastebin.
However eBay says the sale is fake. "We have checked all published data and so far none are authentic eBay accounts," eBay's press office told El Reg.
Security experts, although far from certain, seem inclined to agree.
The dodgy seller is offering to sell the "full eBay database dump" with 145 million records on a non-exclusive basis for 1.453 BTC (or $750).
A sample lump purporting to contain the compromised details of more than 12,000 users from the APAC region has been uploaded through Mega. The validity of the data on sale is unverified.
The Mega sample contains name, email address and postal addresses. Passwords are hashed and not revealed.
Security expert Kenn ‪White reported finding several of the leaked email ‬addresses in existing dumps. Other security experts are also wary.
"It’s not yet been verified that these are legitimately eBay credentials, and it’s possible that a criminal has just spotted an opportunity to cash in on the attack with some other credentials dump they have," said Trey Ford, global security strategist at Rapid7.
"That said, during initial analysis of 12,663 of the records which have been provided as a free sample, we were able to find some matches between email prefixes and eBay profile name where people are using the same handle."
“This doesn't necessarily mean these credentials are from the eBay attack – it could be that people use the same handle across multiple sites including one that was previously compromised, and the creds are actually from that. In fact, we also found matches between these email addresses and a popular Malaysian web forum, which may point to the true source of these credentials. We have no way to confirm how statistically representative the leaked APAC sample is of the broader eBay dataset," he added.
If genuine the leaks were hashed using a strong algorithm and attempts to find hashes corresponding with the simplest passwords have failed to come up with anything, which is in itself suspicious.
The credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes. "This means they employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations," Ford explained.
Security consultant Per Thorsheim is also skeptical. "PBKDF2 with 12K iterations takes a looooong time to crack. No hashes cracked yet, 123456 should have been found among 12K," he said in a Twitter update. "it looks like we call FAKE on the ‪@KbcdPfA‬ alleged eBay leak up for sale."

Cyber threats to critical energy projects up sharply over five years

Cyber threats to critical energy infrastructure in Canada have risen significantly in the past five years, with the most advanced attacks coming via state-sponsored cyber espionage, federal records show.
A briefing memo to the deputy minister of Natural Resources Canada says terrorist use of the Internet and cyber crime by organized groups are also on the rise and that the trend is a major worry for governments and businesses.
Canada, the U.S. and private companies in both countries have partnered to try to meet these threats. However, the memo explains that cyber threats are a “growing concern” to critical energy infrastructure systems in Canada, such as power grids and oil and gas pipelines, and that incidents have risen significantly over the past half-decade.
The Citizen obtained the briefing material using access to information law.
“The most sophisticated cyber threats come from the intelligence and military services of foreign states. In most cases, these attackers are well resourced, patient and persistent. Their purpose is to gain political, economic, commercial or military advantage,” says a presentation to the deputy minister.
“All technologically advanced governments and private businesses are vulnerable to state sponsored cyber espionage. These attacks have succeeded in stealing industrial and state secrets, private data and other valuable information.”
The briefing material, from fall 2013, explains that terrorist networks also are moving to incorporate cyber operations into their own strategic doctrines, and are using the Internet to support recruitment, fundraising and propaganda.
“Terrorists are aware of the potential for using the Western World’s dependence on cyber systems as a vulnerability to be exploited,” says the briefing material.
Earlier this week, the U.S. charged five Chinese military officers with stealing trade secrets from six U.S. nuclear, steel and clean-energy companies. It marks the first time the U.S. has charged specific foreign government officials with criminal cyber hacking. China denies the charges, calling them absurd.
The Canadian Security Intelligence Service (CSIS) has warned that some state-owned foreign companies have been pursuing “opaque agendas” in Canada and that attempts by some state-owned firms to acquire control over strategic sectors of the Canadian economy pose a threat to national security.
Canada remains an attractive target for economic espionage, CSIS has warned, because the country is a world leader in areas including mineral and energy extraction.
“I do believe that cyber espionage is on the same plane today, on the same level of national security threat, as is terrorism and the public safety question,” Ray Boisvert, former assistant director with CSIS, told the Citizen.
“It’s much bigger than we all really knew and understood and now it’s starting to emerge more and more,” added Boisvert, president of I-Sec Integrated Strategies, a company specializing in countering cyber threats.
The federal government is working closely with Canadian energy and utility companies, and with U.S. federal agencies to monitor and address cyber security threats to critical energy infrastructure, says the briefing material.
Canada has created a national cyber security strategy and action plan to protect critical infrastructure. Energy companies also have an agreement with the RCMP to share information through the Suspicious Incident Reporting System.
According to the briefing notes, the most common types of cyber incidents between July and September 2013 were “malicious code/compromise,” which accounted for 55 per cent of the incidents (no total number of incidents is provided), and “phishing/targeted” emails, at 28 per cent.
Boisvert said the charges this week by the U.S. against Chinese officials are meant to help fight state-sponsored cyber attacks by publicly shaming countries. The number of cyber threats has been dramatically rising because hostile countries have realized how valuable cyber attacks are in obtaining economic advantages, he said.
“The West really had its guard down and we were very much focused on terrorism because that was the issue, and companies as well were not thinking about cyber (security),” he said.

Canada’s cyber security strategy focuses on three areas:

1. Securing government systems.
2. Partnering with the private sector to secure vital cyber systems outside government.
3. Helping Canadians be secure online

Types of cyber threats to Canada’s critical energy infrastructure

1. State sponsored cyber espionage and military activities:
“The most sophisticated cyber threats come from the intelligence and military services of foreign states,” according to Natural Resources Canada. “Their purpose is to gain political, economic, commercial or military advantage.”
2. Terrorist use of the Internet:
“Terrorist networks also are moving to incorporate cyber operations into their strategic doctrines. Among many activities, they are using the Internet to support their recruitment, fundraising and propaganda activities.”
3. Cybercrime:
“Organized criminals have expanded their operations into cyberspace. The more sophisticated among them are turning to skilled cyber attackers to pursue many of their traditional activities, such as identity theft, money laundering and extortion.”

What is a Man-in-the-Middle Attack?

There’s a reason why most people feel uncomfortable about the idea of someone eavesdropping on them—the eavesdropper could possibly overhear sensitive or private information. This is exactly the risk that computer users face with a common threat called a “Man-in-the-Middle” (MITM) attack, where an attacker uses technological tools, such as malware, to intercept the information you send to a website, or even via your email.

Just imagine you are entering login and financial details on an online banking site, and because the attacker is eavesdropping, they can gain access to your information and use it to access your account, or even steal your identity.
There are a variety of ways that attackers can insert themselves in the middle of your online communications. One common form of this attack involves cybercriminals distributing malware that gives them access to a user’s web browser and the information being sent to various websites.
Another type of MITM attack involves a device that most of us have in our homes today: a wireless router. The attacker could exploit vulnerabilities in the router’s security setup to intercept information being sent through it, or they could set up a malicious router in a public place, such as a cafĂ© or hotel.
Either way, MITM attacks pose a serious threat to your online security because they give the attacker the ability to receive and request personal information posing as a trusted party (such as a website that you regularly use).
Here are some tips to protect you from a Man-in-the-Middle attack, and improve your overall online security:
  • Ensure the websites you use offer strong encryption, which scrambles your messages while in transit to prevent eavesdropping. Look for “httpS:” at the beginning of the web address instead of just “http:” which indicates that the site is using encryption.
  • Change the default password on your home Wi-Fi connection so it’s harder for someone to access.
  • Don’t access personal information when using public Wi-Fi networks, which may, or may not, be secure.
  • Be wary of any request for your personal information, even if it’s coming from a trusted party.
  • Protect all of your computers and mobile devices with comprehensive security software, like McAfee LiveSafe™ service to protect you from malware and other Internet threats.