Technology is one of the strategic factors driving the increasing use of the Internet by terrorist organizations and their supporters for a wide range of purposes, including recruitment, financing, propaganda, training, incitement to commit acts of terrorism, and the gathering and dissemination of information for terrorist purposes. While the many benefits of the Internet are self-evident, it may also be used to facilitate communication within terrorist organizations and to transmit information on, as well as material support for, planned acts of terrorism, all of which require specific technical knowledge for the effective investigation of these offenses.
It's good to see that this publication does not wander off to discuss cybercrime, hacktivism, or piracy but indeed focuses on the real terrorist and extremist groups and their activities online.
However, somewhat disappointingly, the document does not go deeper into the potential of actual online attacks launched by such groups. To quote: "While a considerable amount of attention has focused in recent years on the threat of cyberattacks by terrorists, that topic is beyond the scope of the present publication and, as such, will not be a subject of analysis."
The Washington Post has a long and interesting article series on US Drone operations in Africa.
The article has this interesting snippet, taken from declassified US Drone incident reports:
Air Force mechanics have reported mysterious incidents in which the airborne robots went haywire. In March 2011, a Predator parked at the camp started its engine without any human direction, even though the ignition had been turned off and the fuel lines closed. Technicians concluded that a software bug had infected the "brains" of the drone, but never pinpointed the problem. "After that whole starting-itself incident, we were fairly wary of the aircraft and watched it pretty closely," an unnamed Air Force squadron commander testified to an investigative board, according to a transcript. "Right now, I still think the software is not good."
US Defense Secretary Leon E. Panetta has warned that the United States faces a possible 'Cyber Pearl Harbor' attack by foreign computer hackers.
Is the risk level really so high?
In order to estimate the risk of an attack, you have to understand your enemy.
There are various players behind the online attacks, with completely different motives and with different techniques. If you want to effectively defend against attacks, you have to be able to estimate who is most likely going to attack you, and why.
A common fear people have is that somebody would somehow take down the Internet. If we forget the technical difficulties of such an attack, let's think for a moment about who would want to do that and why. Spammers and online crime gangs definitely wouldn't want to take down the Internet, as they need it to earn their living. Hacktivist groups or movements like Anonymous probably wouldn't really want to do it either, as these people practically live online. And a foreign nation-state could probably benefit much more by tapping Internet traffic, using the net for espionage or by inserting forged traffic.
We can apply a similar thinking model to any other critical infrastructure sector, including electricity distribution, water supply, nuclear systems and so on. Some of them are more likely to be targeted than others, but the defense must start from understanding the enemy. It's quite clear that real-world crises in the future are very likely to have cyber components as well.
If we look for offensive cyber attacks that have been linked back to a known government, we mostly find attacks that have been launched by the United States, not against it. So far, antivirus companies have found five different malware attacks linked to operation 'Olympic Games', run by the US and Israel. When the New York Times ran the story linking the US Government and the Obama administration to these attacks, the White House started an investigation into who had leaked the information. Note that they never denied the story. They just wanted to know who leaked it.
As the United States is conducting offensive cyber attacks against other countries, certainly other countries feel that they are free to do the same. Unfortunately, the United States has the most to lose from attacks like these.
So, who is @k8em0? Katie Moussouris, Senior Security Strategist at Microsoft.
Katie Moussouris. Also: Roguery.
She and Mikko were convinced to take part in an auction for a cancer charity at the HITB2012KUL conference:
And it was quite a success! Mikko's ponytail went for 7000MYR. (1770EUR/2288USD)
On a serious note.
Two years ago, while going through stuff during some office renovations, I came across a photo of Mikko with (relatively) short hair. When Mikko saw the photo he said, "I'm never going to do that again…".
(I can tell you that he didn't want to cut off his ponytail.)
But he did.
For a very good cause. I am proud of him for it. I am very proud to work with him.
And I'm confident in saying the same is true for the rest of the folks here at F-Secure.
He's one of the good guys.
—————
On a different (and threat related) note:
After watching the video, I sent a link to an internal F-Secure list.
This is by far the best reply I received:
Indeed. That would have been the perfect link bait! Why didn't I think of that? ;-)
The report recommends excluding the companies from sensitive systems and for U.S. network providers to seek other vendors, among other things. In response, Huawei claims U.S. protectionism is the real reason behind the charges of Chinese government ties and potentially backdoored equipment.
But seemingly lost in all of the news is not whether Huawei can be trusted, but can it be hacked?
If you follow DEFCON news, you may already know that the answer is… yes.
So perhaps vendors have another, less jingoistic reason why they wouldn't want to use Huawei.
Today, October 5th is Global James Bond Day celebrating the 50th anniversary of Agent 007 (in film). Okay, it's a promotional thing for the upcoming film — Skyfall — but it's still pretty cool.
And it got us thinking, over the last 50 years, how many "fantastic" James Bond gadgets now seem to be quaint?
Hmm, well, we still don't have Jet Packs… but fingerprint scanners are commonplace. And a TV watch? Not likely. Watches went from utilities to fashion accessories years ago. Today, we're more likely to watch television on our phones. So it makes you wonder, what kind of "Q-tech" currently exists in the Internet security world?
Perhaps it's espionage tech such as Stuxnet and Flame?
Fortunately for most of us, such things are likely to remain in the realm of jet packs. Unfortunately, just like Q, people get ideas when they see fantastic gadgets. And that may just spur malware innovations so that what seems fantastic today could be commonplace tomorrow. Enjoy your James Bond Day.
An important judgment to be sure, but remember, Ross is one of yesterday's scareware vendors getting the hammer.
Here's a site where you can see examples of today's: S!Ri.URZ.
And the second headline:
On October 3rd Australian, Canadian, UK, and U.S. agencies announced action against another type of "virus scam". Here's the FTC's release: FTC Halts Massive Tech Support Scams.
Excellent work! But, there appears to be some confusion as to just what was halted. Some news networks appear to be confusing this action with October 2nd's, possibly because of what FTC Chairman Jon Leibowitz said:
"And the tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem."
Err… no, no they haven't. There's no "ware" (malware) involved in tech support phone scams — it's pure social engineering. He really shouldn't have used the term scareware.
Tech support phone scams involve: people calling up from call centers; telling the receiver that "IP traffic" or some other such nonsense indicates their computer is infected with a virus; making a remote connection to the computer in order to "clean" it; and then selling them free or trial security software.
It's a social engineering scam — there's no scareware, there.
On Tuesday, we shared a rather silly video which made a serious point about the need to keep websites secure.
Unfortunately, limiting potential website vulnerabilities is not exactly intuitive. There's always additional stuff one needs to consider.
For example, let's take the very popular WordPress(.org) publishing platform. WordPress itself does a pretty good job when it comes to maintaining its security. Unfortunately, the same cannot be said for everybody that runs WordPress websites. Many website admins allow their WordPress installations to fall out of date, and there are numerous compromised WordPress sites online as a result.
But even those admins that do keep their platform up to date still have things to worry about, such as themes.
Product security professional and pentester, Janne Ahlberg, has discovered several WordPress themes by Parallelus that are affected by a reflected cross-site scripting (XSS) vulnerability.
Here's a screenshot of the XSS vulnerability demonstrated with the Unite theme:
Based on Ahlberg's tests, the XSS vulnerability can be used to execute remote JavaScript. Affected sites include personal blogs, but also corporate websites. You can read more information on his blog: Janne's corner.
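To show what a reflected XSS in a theme template looks like and how a theme author closes it, here is an added example written for this post; it is not code from the Parallelus themes or from Ahlberg's write-up, and the `s` query parameter, the function names and the sample input are constructed for illustration. The defensive point is context-aware output escaping: WordPress provides `esc_html()` and `esc_attr()` for this, and the example falls back to plain `htmlspecialchars()` so it also runs outside WordPress.

```php
<?php
// Added example, not code from the original post or from any Parallelus theme.
// Assumes a theme template that reflects the search term from the "s" query parameter.

// Escape for HTML body text. Inside WordPress esc_html() exists; the fallback makes
// the example runnable from the command line without WordPress loaded.
function theme_esc_html(string $s): string {
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for an HTML attribute value (same rules as above, separate helper so the
// context is explicit at each call site, as WordPress does with esc_attr()).
function theme_esc_attr(string $s): string {
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE pattern: request data concatenated straight into markup. Whatever is
// in the parameter is reflected to every visitor who follows a crafted link.
function render_search_header_vulnerable(array $query): string {
    $term = $query['s'] ?? '';
    return '<h2>Search results for: ' . $term . '</h2>'
         . '<input type="text" name="s" value="' . $term . '">';
}

// HARDENED pattern: escape on output, choosing the escaper for each context.
function render_search_header_hardened(array $query): string {
    $term = $query['s'] ?? '';
    return '<h2>Search results for: ' . theme_esc_html($term) . '</h2>'
         . '<input type="text" name="s" value="' . theme_esc_attr($term) . '">';
}

// Constructed sample input: a search term that carries markup. The hardened renderer
// turns the angle brackets and quotes into entities, so the browser shows them as text.
$sample = ['s' => '<img src=x onerror=alert(1)>"'];

echo "VULNERABLE:\n" . render_search_header_vulnerable($sample) . "\n\n";
echo "HARDENED:\n"   . render_search_header_hardened($sample)   . "\n";
```

Running the file shows the same input rendered both ways; in the hardened output the `<`, `>` and `"` characters arrive as `&lt;`, `&gt;` and `&quot;`, so no element or attribute is created. In a real theme, the equivalent WordPress call for the search case is `get_search_query()`, which escapes by default; the general rule is that every echo of request-derived data in a template goes through the escaper matching its context.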
And for more information on securing your WordPress installation, see this article: Hardening WordPress.
Update: According to the developer — affected Parallelus themes are now corrected.