Cyber attack takes Qatar’s RasGas offline

August 30, 2012

RasGas, the second largest producer of Qatari LNG after Qatar Petroleum, has been hit with an “unknown virus” which has taken the company offline. A RasGas spokesperson confirmed that “an unknown virus has affected its office systems” since Monday 27 August.

http://www.arabianbusiness.com/cyber-attack-takes-qatar-s-rasgas-offline-471345.html


Exposing China’s vast underground economy, 90,000 people work on the dark side of the Net

August 26, 2012

A new academic study has set out to illuminate for the first time the size and structure of the Chinese online underground, and found it affected nearly a quarter of the country’s internet users last year and cost the economy over 5 billion yuan (£500m).

Investigating China’s Online Underground Economy was put together by researchers at California University’s Institute on Global Conflict and Co-operation to highlight the scale and sophistication of China’s cyber black market and to aid global collaboration efforts against hi-tech crime.

The report claims that in 2011 the online underground involved over 90,000 participants, costing the local economy 5.36 billion yuan (£536bn), making victims of 110m internet users (roughly 22 per cent) and affecting 1.1m web sites (20 per cent).

To calculate these figures, the report used stats provided by the major local security vendors, court room documents detailing high profile cases and messages from the underground markets themselves which were relatively easy to track down on certain public web platforms.

Link to the research: http://igcc.ucsd.edu/assets/001/503677.pdf

http://www.theregister.co.uk/2012/08/18/baidu_tencent_used_by_chinese_cyber_crims/


30,000 computers were wiped by hackers at Aramco oil company - Saudi Arabia

August 25, 2012

The computer virus that may be responsible for a cyberattack on Saudi Aramco was intended to overwrite computers with an image of a burning American flag.

Just hours after an unknown group of computer hackers took credit for a cyberattack on Saudi Aramco, the world’s largest oil company, last Wednesday, security researchers at Symantec received a sample of the malware that may be responsible. The malware, named Shamoon after a word that appeared in its code, was designed to spy on computers and then overwrite critical files with a small parcel of a larger image of a burning United States flag.

http://bits.blogs.nytimes.com/2012/08/24/among-digital-crumbs-from-saudi-aramco-cyberattack-image-of-burning-u-s-flag/

Pastebin – IP addresses in Aramco: http://pastebin.com/tztnRLQG


NIST publishes updated guide for managing computer security incidents

August 22, 2012

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736

The National Institute of Standards and Technology (NIST) published the final version of its guide to managing computer security incidents.

The publication, said the institute, is based on best practices from government, academic and business organizations, and includes a new section expanding on the important practice of coordination and information-sharing among agencies.

Government agencies face daily threats to their computer networks. The Federal Information Security Management Act (FISMA) requires government agencies to establish incident response competencies, and NIST said its researchers revised the guidance in the publication to cover challenges related to today’s evolving threats.

The revised NIST guide provides step-by-step instructions for new, or well-established, incident response teams to create a proper policy and plan, it said. NIST recommends each plan have a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability, and a built-in process for updating the plan as needed. The guide recommends reviewing each incident afterward to prepare for future attacks and to provide stronger protections of systems and data.

“This revised version encourages incident teams to think of the attack in three ways,” explained co-author Tim Grance. “One is by method—what’s happening and what needs to be fixed. Another is to consider an attack’s impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents.”

A draft version of the guide, said NIST, covered agencies sharing and coordinating information, but public comments called for more detailed information in this area, and the authors added a section on this topic to meet the requests. The guidance suggests that information about threats, attacks and vulnerabilities can be shared by trusted organizations before attacks so each organization can learn from others. By reaching out to the trusted group during an attack, one of the partners may recognize the unusual activity and make recommendations to quash the incident quickly. Also, some larger agencies with greater resources may be able to help a smaller agency respond to attacks.

The guide provides recommendations for agencies to consider before adding coordination and information sharing to the incident response plan, including how to determine what information is shared with other organizations and consulting with legal departments.

http://www.gsnmagazine.com/node/26951?c=cyber_security


Experts hope to shield cars from computer viruses

August 22, 2012

BOSTON (Reuters) – A team of top hackers working for Intel Corp’s security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses.

Intel’s McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.

http://articles.chicagotribune.com/2012-08-20/classified/sns-rt-us-autos-hackersbre87j03x-20120819_1_computer-viruses-computer-attacks-damage-cars


Cyberwar – Marcus Ranum

August 13, 2012

This series is based on a lecture by Marcus Ranum presented at RSA Conference in March 2012. In it, I will attempt to isolate some of the strategic elements of the “cyber” battlefield so that we can better understand the inner dynamics of its components. This is important to do, because cyberwar frequently combines elements of the battlefield in ways that are confusing and perhaps even contradictory. In order to incorporate cyberwar into grand strategy, it is important not to do it in a way such that we step on our own toes.

Parsing Cyber war – Part 1: The Battlefield http://fabiusmaximus.com/2012/08/09/41557/

Parsing Cyber war – Part 2: The logistical train http://fabiusmaximus.com/2012/08/10/41561/

Parsing Cyber war – Part 3: Synergies http://fabiusmaximus.com/2012/08/13/41567/

 

 


The Dutch cyber strategy

August 10, 2012

Translation of the entire Dutch Defense Cyber Strategy document (.pdf, in Dutch) that was published by the Ministry of Defense on June 27th 2012. Don Eijndhoven already wrote a proper (English) piece about this on June 29th.

http://blog.cyberwar.nl/2012/07/full-translation-of-dutch-defense-cyber.html

“The armed forces want to make optimal use of the possibilities offered by the development of digital technology. This technology is already being used by the MoD on a large scale and enables it to perform its task more effectively and more adequately. For example, nearly all weapons systems function due to the use of IT components. Command and control, and logistical support rely heavily on digital systems. In addition, the information position and situational awareness of the armed forces are significantly improved using digital means. Digital networks and systems, including both weapon systems and measurement/control systems, and the information they carry, have become of vital importance to the armed forces.”

 


Hackers Linked To China’s Army Seen From EU To D.C.

August 8, 2012

The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.

http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html

 


World’s third-largest botnet, knocked down

August 4, 2012

The Grum botnet has been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html

My (editor) comments:

1) Only C&C servers were shut down.

2) The infected computers are still infected, so the network might recover.

3) It seems that the network is recovering.

4) Still no help from eastern ISPs dealing with cyber-crime.