The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, cyber arms race, and cyber defense from a Nordic viewpoint.
The book was written by twenty authors:
Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries - (Jari Rantapelkonen & Harry Kantola) Sovereignty in the Cyber Domain - (Topi Tuukkanen) Cyberspace, the Role of State, and Goal of Digital Finland - (Jari Rantapelkonen & Saara Jantunen) Exercising Power in Social Media - (Margarita Jaitner) Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 - (Kari Alenius) The Origins and the Future of Cyber Security in the Finnish Defence Forces - (Anssi Kärkkäinen) Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation - (Kristin Hemmer Mørkestøl) Cyber Security in Sweden from the Past to the Future - (Roland Heickerö) A Rugged Nation - (Simo Huopio) Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration - (Erka Koivunen) Cyberwar: Another Revolution in Military Affairs? - (Tero Palokangas) What Can We Say About Cyberwar Based on Cybernetics? - (Sakari Ahvenainen) The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War - (Jan Hanska) Theoretical Offensive Cyber Militia Models - (Rain Ottis) Offensive Cyber Capabilities are Needed Because of Deterrence - (Jarno Limnéll) Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment - (Jouko Vankka & Tapio Saarelainen) The Care and Maintenance of Cyberweapons - (Timo Kiravuo & Mikko Särelä) The Exploit Marketplace - (Mikko Hyppönen)
A few days after Oracle released its critical patch for Java, and CVE-2013-2423 is already being exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening (as of this post):
For a closer look, the image below contains a comparison of the classes found in the Metasploit module and that of the ITW sample:
Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day after.
As I used to subscribe to the magazine around '93-'96, I went looking for my old copies, and I did find a stack. One of the weirdest things about these old magazines was that while they were speaking about the net from cover to cover, they did not have a single URL or a web address. Because the web didn't really exist in 1993.
I found this one cover from August 1996 especially striking. Somewhere below the mugshots of John Romero (@romero) and John Carmack (@ID_AA_Carmack) is the text "Ready for Cyberwar". Cyberwar? In 1996? I had to look up the article.
Turns out, the article in question is an interview with Winn Schwartau. I'll take the liberty of quoting the most interesting part of the article — which was well ahead of it's time — below.
Several weeks ago, an McAfee researcher named Michael Zhang analyzed an Android trojan which specifically targets South Korean phones. It's called Smsilence, and it uses bait such as "Starbucks coupon" apps (ex: starbug.apk).
Here's the phone number check looking for country code +82:
A detail not included in Zhang's post: the URLs / IP addresses to which SMS are forwarded are associated with Hong Kong.
And given the current political tensions in the region… a trojan which very specifically targets South Korean phones and then forwards information to China seems… worrisome.
Last Thursday's post links to "Stels" analysis by Dell SecureWorks. (Read it!) Stels is a versatile Android trojan which has recently started spreading via the Cutwail spam botnet.
Android malware being distributed by a mass-market crimeware gang — could be a game changer.
So, how did Stels spread before Cutwail?
Here's a few slightly older Stels variants and the dates we first saw them, all distributed (at least) via a web portal called spaces.ru.
• efb387ae109f6c04474a993884fe389e88be386f — Dec 5th • 8b99a836572231ffdcb111628fc1dcfb5d9ee31d — Dec 7th • 109b2adde84bb7a4ebf59d518863254e9f01c489 — Dec 10th • 9384480d82326e89ce52dd3582cf0d6869d59944 — Dec 13th • 8abc7ee0071ac32188c3262cf4ff76cc6436b48f — Jan 3rd
We detect numerous versions of Stels as Trojan:Android/SmsSpy.K. And this screenshot from our Malware Sample Management System (MSMS) gives a very good idea of the social engineering involved:
Games, utilities, and other "freeware" applications targeting Russians.
Targeting Russians… that's actually unusual in the world of Windows malware.
Conficker.A, for example, checks what keyboard layout is currently being used on the system with the GetKeyboardLayout Windows API and does not infect the system if the layout is Ukrainian.
A more recent example is Citadel (banking trojan), which does not run on machines that have either Russian or Ukrainian keyboards among the available input languages, checked with GetKeyboardLayoutList API.
From Citadel's machine(?) translated "readme" (http://pastebin.com/gRqQ2693):
# Important Note: # Our software does not work on Russian systems, if found Russian or Ukrainian keyboard layout – the software allows failure. This introduction is done in order to combat the CIS downloads. Treat it as you want, for us it is a taboo.
Here's what happens with an old version of Citadel when it encounters a Ukrainian keyboard layout.
Current versions of Citadel silently quit without the crash error.
Thus far, Russian authored Android malware has needed to target fellow Russians due to the billing schemes related to SMS fraud. (Premium numbers only work within their country of origin.)
Now that Android malware has expanded into a more "traditional" distribution channel — is it only a matter of time before we discover an Android trojan that reestablishes old taboos and refuses to infect Android devices using Russian as its display language?
Protip: don't install an Android application package file if it's named "Certificate.apk".
It's not legit (obviously).
Trojan:Android/Pincer.A is able to forward SMS messages and perform other actions based on commands it receives from its C&C. When installed, it will appear in the application menu as "Certificate" and will display related bogus messages when run.
Previous malicious mobile applications pretending to be certificates have been mobile components of banking trojans aimed at defeating two-factor authentication. The fact Pincer is able to forward SMS messages means it can certainly also be used as such.
The trojan includes a class called USSDDumbExtendedNetworkService. The URI_AUTHORITY variable is set to [redacted].com — and the redacted word is either associated with a French Canadian concrete company or else it may be the Twitter handle of a young Russian whose Google+ page lists employment as "Android developer".
We don't have any "concrete" evidence… but we're pretty sure Pincer doesn't have anything to do with Canada.
Technical analysis by — Mikko Suominen
Updated to add:
Here's two more Pincer samples discovered from data mining:
This one is essentially the same as previous three, but has a different C&C URL (https://xxx-xxxxx.com/android_panel/gate.php) and certificate. It was first seen in VirusTotal a week earlier than the first of the previously discovered samples.
This is a more interesting sample, clearly an earlier variant (submitted on March 19th to VirusTotal). This version doesn't pretend to be certificate. Instead it calls itself "Mobile Security".
The sample crashed on start, but based on static analysis, it would display the message "Mobile Security System is active now. You are protected." The icon is the same as in other variants. The name of the package is also different. The other samples use com.security.cert or com.security.certificate, this one is com.[redacted].diverter.
Yeah… that's a feature you don't want in your "mobile security".
He's asking an important question. Why do people trust Google more than Facebook?
Well here's an example of why…
Recently, I tested Graph Search. And at the time, I pointed out the "Clear Searches" option in Facebook's settings, which can be used to purge one's search history. Or at least it could.
Late last week… poof! The option disappeared from Facebook's settings.
And it's gone. Just like that. Like it never existed.
And what showed up (temporarily) over the weekend?
I've been waiting for something like this to pop up ever since I noticed "Gifts" returned to Facebook's settings:
Why, if I didn't know any better… I'd suspect Facebook's Graph Search was not designed to help me locate things of interest, but rather, to generate interactions which can be used to profile me. And then that consumer analysis can used to prompt my friends and family to buy me gifts?
Seriously, why should anybody "trust" Facebook?
I didn't sign up to have my searches, and other data, used to recommend things. (That's Amazon's job.)
Both Amazon and Google provide an option to pause/suspend/purge search history.
I expect no less from Facebook.
Whatever else its faults, at least Google never seems to just up and delete a component of its privacy dashboard. And when Google rolls out a new service, it doesn't just come and go seemingly on a whim.
Facebook privacy controls: here today and gone tomorrow. — And that's no way to build trust.