30,000 computers wiped by hackers at Aramco oil company – Saudi Arabia

August 25, 2012

The computer virus that may be responsible for a cyberattack on Saudi Aramco was intended to overwrite computers with an image of a burning American flag.

Just hours after an unknown group of computer hackers took credit for a cyberattack on Saudi Aramco, the world’s largest oil company, last Wednesday, security researchers at Symantec received a sample of the malware that may be responsible. The malware, named Shamoon after a word that appeared in its code, was designed to spy on computers and then overwrite critical files with a small parcel of a larger image of a burning United States flag.

http://bits.blogs.nytimes.com/2012/08/24/among-digital-crumbs-from-saudi-aramco-cyberattack-image-of-burning-u-s-flag/

Pastebin – IP addresses at Aramco: http://pastebin.com/tztnRLQG


NIST publishes updated guide for managing computer security incidents

August 22, 2012

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736

The National Institute of Standards and Technology (NIST) published the final version of its guide to managing computer security incidents.

The publication, said the institute, is based on best practices from government, academic and business organizations, and includes a new section expanding on the important practice of coordination and information-sharing among agencies.

Government agencies face daily threats to their computer networks. The Federal Information Security Management Act (FISMA) requires government agencies to establish incident response competencies, and NIST said its researchers revised the guidance in the publication to cover challenges related to today’s evolving threats.

The revised NIST guide provides step-by-step instructions for new, or well-established, incident response teams to create a proper policy and plan, it said. NIST recommends each plan have a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability, and a built-in process for updating the plan as needed. The guide recommends reviewing each incident afterward to prepare for future attacks and to provide stronger protections of systems and data.

“This revised version encourages incident teams to think of the attack in three ways,” explained co-author Tim Grance. “One is by method—what’s happening and what needs to be fixed. Another is to consider an attack’s impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents.”

A draft version of the guide, said NIST, covered agencies sharing and coordinating information, but public comments called for more detailed information in this area, and the authors added a section on this topic to meet the requests. The guidance suggests that information about threats, attacks and vulnerabilities can be shared by trusted organizations before attacks so each organization can learn from others. By reaching out to the trusted group during an attack, one of the partners may recognize the unusual activity and make recommendations to quash the incident quickly. Also, some larger agencies with greater resources may be able to help a smaller agency respond to attacks.

The guide provides recommendations for agencies to consider before adding coordination and information sharing to the incident response plan, including how to determine what information is shared with other organizations and consulting with legal departments.

http://www.gsnmagazine.com/node/26951?c=cyber_security


Experts hope to shield cars from computer viruses

August 22, 2012

BOSTON (Reuters) – A team of top hackers working for Intel Corp’s security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses.

Intel’s McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.

http://articles.chicagotribune.com/2012-08-20/classified/sns-rt-us-autos-hackersbre87j03x-20120819_1_computer-viruses-computer-attacks-damage-cars


Cyberwar – Marcus Ranum

August 13, 2012

This series is based on a lecture by Marcus Ranum presented at RSA Conference in March 2012. In it, I will attempt to isolate some of the strategic elements of the “cyber” battlefield so that we can better understand the inner dynamics of its components. This is important to do, because cyberwar frequently combines elements of the battlefield in ways that are confusing and perhaps even contradictory. In order to incorporate cyberwar into grand strategy, it is important not to do it in a way such that we step on our own toes.

Parsing Cyber war – Part 1: The Battlefield   http://fabiusmaximus.com/2012/08/09/41557/

Parsing Cyber war – Part 2: The Logistical Train   http://fabiusmaximus.com/2012/08/10/41561/

Parsing Cyber war – Part 3: Synergies   http://fabiusmaximus.com/2012/08/13/41567/



The Dutch cyber strategy

August 10, 2012

A translation of the entire Dutch Defense Cyber Strategy document (.pdf, in Dutch) that was published by the Ministry of Defense on June 27th 2012. Don Eijndhoven already wrote a proper (English) piece about this on June 29th.

http://blog.cyberwar.nl/2012/07/full-translation-of-dutch-defense-cyber.html

“The armed forces want to make optimal use of the possibilities offered by the development of digital technology. This technology is already being used by the MoD on a large scale and enables it to perform its task more effectively and more adequately. For example, nearly all weapons systems function due to the use of IT components. Command and control, and logistical support rely heavily on digital systems. In addition, the information position and situational awareness of the armed forces are significantly improved using digital means. Digital networks and systems, including both weapon systems and measurement/control systems, and the information they carry, have become of vital importance to the armed forces.”



Hackers Linked To China’s Army Seen From EU To D.C.

August 8, 2012

The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.

http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html



WORLD’S THIRD-LARGEST BOTNET, KNOCKED DOWN

August 4, 2012

The Grum botnet has been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html

My (editor) comments:

1) Only the C&C servers were shut down.

2) The infected computers are still infected, so the network might recover.

3) It seems that the network is recovering.

4) Still no help from eastern ISPs in dealing with cyber-crime.



Chasing APT

July 30, 2012

Since February 2011, members of the Dell SecureWorks Counter Threat Unit(TM) (CTU) have been engaged in a project to uncover and track as many elements as possible of the so-called “Advanced Persistent Threat” (APT), the term commonly used to refer to cyber-espionage activity carried out against governments, activists, and industry. “Elements” can be anything that provides a point of information — malware, command and control (C2) domains, hostnames, IP addresses, actors, exploits, targets, tools, tactics, and so on. Even though this project is not (and probably never will be) complete, CTU researchers have learned a great deal about the scope and scale of the threat so far, and the insights have been disturbing.

http://www.secureworks.com/research/threats/chasing_apt/


Next-Gen Air Traffic Control Vulnerable To Hackers Spoofing Planes Out Of Thin Air

July 28, 2012

A hacker attack that leads to planes dropping from the sky is the stuff of every cyberwar doomsday prophesy. But some security researchers imagine a less sensational, if equally troubling possibility: Hundreds or thousands of aircraft radioing their approach to an air traffic control tower, and no way to sort through which are real and which are ghost plane signals crafted by a malicious hacker.

http://www.forbes.com/sites/andygreenberg/2012/07/25/next-gen-air-traffic-control-vulnerable-to-hackers-spoofing-planes-out-of-thin-air/


Barack Obama : Taking the Cyberattack Threat Seriously

July 22, 2012

It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.

http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html?mod=googlenews_wsj

http://www.infosecisland.com/documentview/21980-The-Revised-Cybersecurity-Act-of-2012.html