Archive - 2011

India becomes top spam-sending nation in the world: Trend Micro
The war on botnets
Kaspersky and cyber terrorism
U.S. Advises Secure Control Systems Against Anonymous
Zeus Trojan P2P update makes take-downs harder
Malware victim loses net connection to iCode
Cases of hacking accused heard
Hackers may try to disrupt World IPv6 Day
Lockheed Martin Cyber Attack Highlights Cyber-Blame Snags
3 Reasons Why Security Appliances are Hot

India becomes top spam-sending nation in the world: Trend Micro

India’s Internet base may be swelling but so are the online risks. India, it turns out, has become the top spam-sending nation in the world, according to the latest report by IT security company Trend Micro.

India ranked second in this list of spamming countries during the first quarter of 2011, fell to third position in the following quarter, before finally rising to the pole position in the just-concluded quarter. Previously, it was the US and South Korea which were placed on top of the list in the first and second quarter, respectively.

“As in the previous quarter, India and South Korea continued to be part of the top three spam-sending countries. Surprisingly, however, the US, which commonly takes the top spot, was not on the top 10 spam-sending countries list,” said the report. India’s share in the global spam statistics was an alarming 12 per cent and that of South Korea was 9 per cent.

As the top spam-sending countries are also the most spambot-infected ones, the US’ drop in ranking possibly indicates a lower infection level, the report said, adding that “this may be a result of the botnet takedowns that occurred in the last few months.”


As it is, even in the past, reports by various other security vendors have revealed that India continues to be a hotbed for ‘bots’. If anything, India’s share in the worldwide spam bots has only gone up. ‘Bots’ are software programs that run automated tasks over the internet.

This type of malware allows an attacker to get full control of the affected computer and use it to launch attacks against Web sites. A spambot is an automated computer program which assists the attacker in sending out spam.

“If a computer is vulnerable and becomes part of a ‘botnet’ community, the infected computer may be sending out multiple spams without the user being actually aware of it. In India, we are not protected enough, and people do not realise the seriousness of the security threats,” said Mr Amit Nath, Country Manager India and SAARC at Trend Micro.


For India, this unhappy milestone in the online threat landscape comes at a time when the increasing affordability of computers and the Internet have pushed up the country’s Internet base to 100 million users in September. India is projected to have 121 million Internet users by December 2011, estimates Internet and Mobile Association of India.

The Trend Micro report further said that Google has replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter – 82.

Meanwhile, in a written reply in the Lok Sabha, the Minister of State for Communications and IT, Mr Sachin Pilot, said that the Indian Computer Emergency Response Team, in co-ordination with the industry and service providers, is working towards disabling ‘spam bots’ located in India to curb spam sources.

The war on botnets

This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.

It followed a slew of botnet takedowns achieved in the past two years alone. It’s a good time to be a crime fighter on the internet.

Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we’ve seen just how dramatically the pendulum has swung in the favour of the ‘good guys.’

When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.

Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010, bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.

What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the head of Rustock. Again, a massive drop in spam was recorded following the takedown.

The winning streak didn’t stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.

The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.

The McColo failure

Data sharing and collaboration have been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.

It was when McColo was shut down that the broken system really became apparent. Despite McColo’s success, it showed how poorly data was being used. Ultimately, the operation was a failure.

“When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination,” Alex Lanstein, FireEye’s senior security researcher, told IT Pro. “Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn’t a single arrest. A lot of people watching were asking how could they have blown it so badly.”

In the days before and during McColo’s demise, efforts to kill botnets were hampered by a “willy-nilly approach” where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.

In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. “If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have,” Lanstein continued.

“If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you’re going to have a tonne of negative impact in that the bad guys will know someone is targeting them.”

Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they will move fast to up their resiliency. Hence why in the old days, when bodies didn’t work with one another on tackling botnets, they did just half the work and unwittingly supported their common enemies.

To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.

Microsoft to the rescue

To bring the different sides together, the security industry needed a big player to step up to the plate. Microsoft did just that. It took on the role of chief botnet slayer.

Microsoft hasn’t always been the friendliest giant – just look at its various ongoing squabbles with Google – but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: “To annihilate botnets and help make the internet a safer place.”

“Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other,” Lanstein added. “They’ve really put a lot of money in going after botnets and it has worked.”

The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack the communication protocol and develop tools to take apart the botnet’s peer-to-peer infrastructure. It was another truly communal effort.

Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That’s not to say others haven’t played a big part, however. There have been some significant successes that haven’t involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history – Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.

Microsoft has shown what is possible when everyone cooperates – others have subsequently proven that point: the simple act of sharing is key in identifying botnets and successfully destroying them.

The long arm of the law

Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to twist judges’ arms into opening up legal pathways to take botnet infrastructure down before warning its owners.

Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government – the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required that bot-herders be sent a warning first.

Now, cyber criminals aren’t so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.

With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot’s spam. These clever legal manoeuvres are necessary to open the door to complete botnet destruction.

“As a private company we can only use civil process – we do not pretend to be law enforcement. But we wanted to do something proactively to protect our customers,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

“We looked at the body of laws that were in place in the civil world in the US and asked ‘how could we adopt these to be able to confront some of these 21st century problems?’ There is always a cry for new laws and new legislation, but the reality is there are a lot of good laws on the books that were passed for other purposes – that are easily translatable.”

It’s all about creative use of the current laws, rather than begging for fresh legislation, Boscovich argues. In this week’s DNS Changer takedown, courts were again convinced to let law enforcement take a botnet apart. Datacentres in Chicago and New York were raided and dirty servers replaced with clean ones, all thanks to a court order. If the perpetrators had been warned in that case, it could have ruined five years’ worth of work.

Indeed, the “company” responsible for running the botnet, an Estonian organisation called Rove Digital, had previously moved servers when it sensed law enforcement was closing in on some of its other suspicious operations, according to Trend Micro. Imagine if they’d been given notice again. Four million computers would still be infected and the crooks would continue making millions fraudulently.

The future

Whilst the work of law enforcement, industry and others involved in the war on botnets is more than commendable, it would be unwise to get carried away. There remain some major obstacles to overcome. The first is how to tackle the subdomain issue.

At the current time, there is no requirement for domain hosts to know anything about those using their subdomains. In the case of Kelihos, Microsoft got a little lucky. Dominique Alexander Piatti of Czech domain hoster dotFREE Group was accused, along with a number of unidentified suspects, of owning a domain and using it to register other subdomains which were running the Kelihos botnet.

Yet Microsoft dropped a lawsuit against Piatti late last month as it seemed dotFREE was simply being used by Kelihos’s controllers. Anyone hoping the case would inspire law makers to create fresh legislation was to be sorely disappointed. Domain hosts will still not be forced into knowing who their customers are. The crooked ones will simply turn a blind eye to pernicious activity on their servers.

“There are a lot of domains hosting hundreds of thousands of subdomains that are really hosting nasty stuff,” said Boscovich. He explained dotFREE had been highly proactive in cleaning up its game and learning about its customers. The domain industry should follow suit, he said. Either that or extra regulation is required.

“We would really like to see either the other subdomainers employ the same kind of business practices or maybe even have ICANN require that if you’re going to provide subdomains that you’re required to get the same information registrars are asked to get,” he added.

“It is time for the community to put more rules in place internationally through ICANN, hopefully, to get more transparency as to who is really behind these domains and subdomains that are causing a lot of problems.”

Subdomainers aren’t the only ones who need to be brought into line. The young up-starts of the info-sec world need to be convinced to join the party too. The divisions between the new players and the old guard could mean certain important data isn’t being shared. If these schisms aren’t dealt with, ironically, industry in-fighting will only benefit the cyber criminals.

In essence, it’s all about greater and greater collaboration. The war against botnets will always be one of attrition. As in the real world, you can’t ever completely kill crime. Yet if you can build a sizeable enough army, and keep its various factions at peace with one another, you’ll be winning the fight even if you won’t win outright.

Kaspersky and cyber terrorism

Of all the pronouncements coming out of the London Cyber Summit this week, the statements of Eugene Kaspersky are the most provocative. Rather than pile on and criticize him for uttering the words “cyber terrorism” it is worth taking a deep breath and considering what could give rise to his statements.

Kaspersky of course is the founder of anti-virus powerhouse Kaspersky Lab, responsible for some of the best research into malware and the cyber criminals who create it. It is safe to assume that he has pretty good insight into the world of cyber threats. He is rather flamboyant and has led a turbulent life; most recently rescuing his son from kidnappers in Russia. So yes, he may be prone to making controversial statements.

Sky News provides the following quotes:

“I don’t want to speak about it. I don’t even want to think about it,” he said.
“But we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then... oh, God.”
“There is already cyber espionage, cyber crime, hacktivism... soon we will be facing cyber terrorism.”

Before the semantic police jump all over this (Terrorism involves death and destruction! You can’t do that over the Internet!) let’s define our terms. What would we call it when terrorists engage in cyber attacks? I am going to assume Kaspersky thinks along the lines I do. Cyber terrorism would be cyber attacks carried out by terrorist organizations. Is that possible? Has it happened? Is it likely to happen soon?

First, is it possible for terrorist organizations to engage in cyber attacks? Of course. Denial of Service, defacements, doxing (publishing private information about public figures), extortion, cyber crime, even Stuxnet-like cyber sabotage, could all be carried out by terrorists as easily as by the current bad actors (organized crime, Anonymous, LulzSec, etc). I think the ease with which terrorists could engage in cyber attacks is what spurred Kaspersky to say what he did.

Have terrorists engaged in cyber attacks? In 2006 a popular e-commerce site received an email claiming to be from Islamic Jihad and demanding that they take offensive material, offered by one of their resellers, off of their site. When they elected to ignore the demands their domain was subjected to a DDoS (Distributed Denial of Service) attack that took them down for several days. Forensics verified that the attacks originated in the Mid-East. I understand they reported the attacks to the FBI but never publicized the event, although it was clearly visible in up-time records kept by Netcraft.

This year the ComodoHacker, who claims to be a supporter of the Iranian regime, broke into the Dutch Certificate Authority DigiNotar and created signed certificates for at least 500 organizations including the CIA, MI6, Facebook, Microsoft, Skype, and Twitter. These fake certificates were used by Iran to spy on its own populace who use Google for email.

And of course trying to keep track of the hacking that goes on in the Mid-East against Israel is an overwhelming task. But a hacker supporting the same cause as terrorist organizations is a tenuous basis for a claim of cyber terrorism. At the same time, just follow the “Tango Down” posts of Th3J35t3r on Twitter to see all of the Jihadi recruitment sites that he has tasked himself with taking down. There is no question that terrorists use the Internet.

The final question, whether terrorists will engage in cyber attacks, depends on their motivations more than their abilities, since the tools and capabilities are easily acquired. Will disrupting the Internet, major stock exchanges, banks, or government web sites be attractive to them? Since the costs and risks are so low you can see why Kaspersky is concerned.


U.S. Advises Secure Control Systems Against Anonymous

The latest report provides an assessment of Anonymous’ capability to penetrate Industrial Control Systems (ICS) and gain access to infrastructural networks, which follows up on a previous report that investigated the group’s ability to develop new cyber attack tools.

According to the current evaluation, the government believes that Anonymous has shown that it can access ICS, but may not have the ability to actually understand the structure and inner workings of such software yet. There is speculation that Anonymous may be interested in gaining that knowledge, especially through freely available sources: “Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS,” the report states.

However, the government’s concern is that the simple capability of “recognizing and posting code”, which Anonymous has done, for example, in the case of Siemens Simatic control software, “could gain the attention of those knowledgeable in control systems”. Yet, at least in this unclassified report, there is no clear answer as to why the government believes that Anonymous appears to have increased interest in ICS, especially those that are tied to its “hacktivist” campaigns.

The report concludes:

“While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and windows systems) by employing tactics such as denial of service.”

The advice to ICS owners is to make sure the security needs of their control system assets are addressed.

Zeus Trojan P2P update makes take-downs harder

The Zeus financial malware has been updated with peer-to-peer functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.

The new version of the infamous banking Trojan was discovered and analyzed by Swiss security expert Roman Hüssy, the creator of the Zeus and SpyEye tracking services.

One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.

LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.

“A few weeks ago I’ve noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens),” Hüssy wrote on his blog on Monday.

“When I ran the binary in my sandbox, I’ve seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I’ve analysed the infection I came to the conclusion that it is actually ZeuS,” he noted.

Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.

Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.

Hüssy believes that this new version is a custom build used by a particular fraud gang or a very small number of cybercriminal groups. Fortunately, the variant still relies on a single domain for receiving commands and submitting stolen data, and this allows researchers to hijack the botnet temporarily, at least until it is updated to use another domain via the P-to-P system.

Using this method, which is known as sinkholing, Hüssy managed to count 100,000 unique IP addresses in 24 hours. This doesn’t reflect the exact size of the botnet, because infected LAN computers can use the same IP on the Internet, while others might get new IP addresses assigned to them by their internet service providers on each restart.

The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.
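A sinkhole census of the kind described above, written here as an added example rather than code from Hüssy's blog or the article: it counts distinct source IPs in a 24-hour window of a constructed sinkhole log and separates out the two effects the text names (several infected LAN machines behind one public IP, and one machine re-appearing under a new address from its ISP). The host tag column is a constructed label, assumed only so that those effects can be seen; a real sinkhole sees IPs, not machines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole log for illustration; not data from the article.
# Each line: "<UTC timestamp> <public source IP> <host tag>".  The host tag
# is a constructed label standing in for whatever lets an analyst tell two
# infections apart; it is here only to make the NAT and DHCP effects visible.
SINKHOLE_LOG = """\
2011-10-10T00:05:12Z 203.0.113.10 host-a
2011-10-10T00:07:40Z 203.0.113.10 host-b
2011-10-10T00:09:02Z 203.0.113.10 host-g
2011-10-10T01:15:03Z 198.51.100.7 host-c
2011-10-10T09:30:51Z 198.51.100.22 host-c
2011-10-10T13:42:19Z 192.0.2.44 host-d
2011-10-10T23:59:59Z 192.0.2.45 host-e
2011-10-11T00:00:01Z 192.0.2.46 host-f
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Return (timestamp, ip, host) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def unique_ips_in_window(records, start, hours=24):
    """Count distinct source IPs seen in the half-open window [start, start+hours).

    This is the figure the article reports (100,000 in 24 hours): a census
    of IP addresses, not of infected machines.
    """
    end = start + timedelta(hours=hours)
    return len({ip for ts, ip, _ in records if start <= ts < end})


def census_distortions(records, start, hours=24):
    """Return the two effects that make the IP count only an estimate.

    nat_collapsed: IPs that carried more than one host (several infected
        LAN machines sharing one public address make the botnet look smaller).
    dhcp_inflated: hosts seen under more than one IP (a new address between
        check-ins makes the botnet look bigger).
    """
    end = start + timedelta(hours=hours)
    hosts_per_ip = defaultdict(set)
    ips_per_host = defaultdict(set)
    for ts, ip, host in records:
        if start <= ts < end:
            hosts_per_ip[ip].add(host)
            ips_per_host[host].add(ip)
    nat_collapsed = {ip for ip, hosts in hosts_per_ip.items() if len(hosts) > 1}
    dhcp_inflated = {h for h, ips in ips_per_host.items() if len(ips) > 1}
    return nat_collapsed, dhcp_inflated


def census_report(text, start_iso, hours=24):
    """Summarise one sinkhole window as a dict of counts and distortions."""
    records = parse_log(text)
    start = datetime.strptime(start_iso, TS_FORMAT)
    end = start + timedelta(hours=hours)
    nat, dhcp = census_distortions(records, start, hours)
    hosts = {h for ts, _, h in records if start <= ts < end}
    return {
        "unique_ips": unique_ips_in_window(records, start, hours),
        "distinct_hosts": len(hosts),
        "nat_collapsed_ips": sorted(nat),
        "dhcp_inflated_hosts": sorted(dhcp),
    }


if __name__ == "__main__":
    # Five unique IPs but six hosts: the NAT'd trio and the re-addressed
    # host-c pull the estimate in opposite directions.
    print(census_report(SINKHOLE_LOG, "2011-10-10T00:00:00Z"))
```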

“We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar,” Hüssy concluded.

According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.

Malware victim loses net connection to iCode

An Australian woman this month has had her internet connection cut off under the iCode initiative after she received 42 consecutive emails warning that her computer was infected.

The customer of a small unnamed telco had her machine hijacked by a botnet, rendering it what is known as a zombie machine. It then pumped malicious traffic over her internet connection which alerted her ISP.

The woman had struggled to remove the notoriously stubborn malicious fake anti-virus program because it had disabled her legitimate anti-virus software and prevented her from executing applications.

Her internet connection was cut to all but a single web page with the provider, referred to as a walled garden, after she failed to remove the infection.

The telco then phoned her to assist in the removal of the malware.

Internet connections were cut only in the “most severe” cases, iCode chief and former director of the Internet Industry Association (IIA) Peter Coroneos said.

Normally customers would be contacted by phone or email after ISPs detected malicious botnet traffic from their accounts, and then directed to a web page which contains security tools.

Large internet providers typically implemented network traffic analysis and automated email alerts to detect and warn customers of infections.

Smaller telcos often manually examined data, sinkholed botnet traffic and phoned compromised users, Coroneos said.

Recent information from the Australian Communications and Media Authority found the average number of daily reported botnet infections had declined from 16,000, between June 2010 and 2011, to 11,500 in July alone this year.

The IIA did not have figures detailing the number of machines cleaned by telcos operating under the iCode.

Heading offshore

Australia’s voluntary internet industry iCode may be adopted in the US and will be trialled in South Africa under an increasing drive by governments and industry to wipe out botnets.

Some ISPs in South Africa would soon begin trials of the code, Coroneos said.

The US Department of Homeland Security may also adopt the iCode. It flagged the strategy in a request for information document issued this month to research ways to reduce botnet infections.

Also flagged was a similar government-run initiative in Japan where botnet infections were discovered in honeypots.

In both initiatives, compromised customers were directed to a web page to download security tools that could remove the infections.

Coroneos said he thought the iCode would fit well with US legal frameworks because the country’s largest telco, Comcast, had already implemented a similar in-house framework.

“The internet providers have far from won the fight against botnets, but there is progress and customers are accepting of the iCode,” Coroneos said.

The code was pushed out to pre-empt looming government regulation that may have made providers responsible for the security of end-users.

Cases of hacking accused heard

The case of two teenagers accused of hacking into websites including that of the UK’s Serious Organised Crime Agency has been heard in court.

Jake Davis, 18, and Ryan Cleary, 19, were not at Southwark Crown Court for the short hearing, but it is understood to be the first time their cases have been grouped together.

Judge Nicholas Loraine-Smith said they will both need to appear at the court for a plea and case management on January 27 next year.

Davis, from the Shetland Islands, was arrested by officers from the Metropolitan Police’s e-crime unit as part of an investigation into hacking groups LulzSec and Anonymous. He is said to use the online nickname “Topiary” and present himself as a spokesman for the two groups.

The teenager faces five charges, including conspiring to carry out a distributed denial of service (DDoS) attack on the police agency. Such attacks see websites flooded with traffic to make them crash.

Davis is also charged with gaining unauthorised access to a computer system, encouraging or assisting offences, and with two counts of conspiracy to commit offences.

At a hearing earlier this month, the teenager was bailed to an address in Spalding, Lincolnshire, where his mother lives. He was also told he was not allowed to access the internet through a computer or mobile phone, either himself or by asking someone to do it for him.

Cleary, from Wickford in Essex, who has been diagnosed with Asperger’s syndrome since he was arrested at his family home on Monday June 20, is charged with conspiring with other people on or before that date to create a remotely-controlled network of zombie computers, known as a “botnet”, which crashes websites.

He is also alleged to have carried out attacks on or before June 20 against Soca, the British Phonographic Industry’s website, and the International Federation of the Phonographic Industry’s website, and with making, adapting or supplying a botnet for a DDoS attack.

He was given bail earlier on condition that he does not access the internet or have in his possession any device that could access the web. The alleged hacker was told he is to live and sleep at his address, and not leave the house other than in the company of his mother Rita Cleary.

Hackers may try to disrupt World IPv6 Day

Hundreds of popular websites — including Google, Facebook, Yahoo and Bing — are participating in a 24-hour trial of a new Internet standard called IPv6 on June 8, prompting worries that hackers will exploit weaknesses in this emerging technology to launch attacks.

Dubbed World IPv6 Day, the IPv6 trial runs from 8 p.m. EST on Tuesday until 7:59 p.m. EST on Wednesday.

Security experts are concerned that the 400-plus corporate, government and university websites that are participating in World IPv6 Day could be hit with distributed denial of service (DDoS) or other hacking attacks during the 24-hour trial.

“In the last five months, there has been a huge increase in DDoS attacks,” says Ron Meyran, director of product marketing and security at Radware, a network device company that is participating in World IPv6 Day. “IPv6 is going to be even easier for attackers … because IPv6 traffic will go through your deep packet inspection systems uninspected.”

Meyran says another concern is that IPv6 packet headers are four times larger than IPv4 headers. This means routers, firewalls and other network devices must process more data, which makes it easier to overwhelm them in a DDoS attack.

“With a DDoS attack, you need to reach 100% utilization of the networking and security devices to saturate the services,” Meyran says. The longer headers in IPv6 “must be processed completely to make routing decisions.”

“I wonder if there’s going to be any sort of DDoS type of things going on … or hackers probing servers that are dual-stack enabled [running IPv6 and IPv4 at the same time],” says Jean McManus, executive director of Verizon’s Corporate Technology Organization, which is participating in World IPv6 Day. “Content providers need to be careful and watch to make sure that everything is appropriately locked down.”

Many security threats related to IPv6 stem from the fact that the technology is new, so it hasn’t been as well-tested or de-bugged as IPv4. Also, fewer network managers have experience with IPv6 so they aren’t as familiar with writing IPv6-related rules for their firewalls or other security devices.

“We know from security breaches that the security rules that allow you to see the network and applications better … is where there is a lack of training and expertise with IPv6,” Meyran
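One way to avoid the gap the article describes (an IPv4 policy that is never mirrored for IPv6 on a dual-stack host) is to write the host firewall once for both address families. The following nftables ruleset is an added example, not code from the article or from any of the vendors quoted; the management prefixes 192.0.2.0/24 and 2001:db8:1::/48 are constructed documentation ranges. The point it shows beyond the article: the `inet` family applies one rule set to IPv4 and IPv6 alike, and ICMPv6 must be explicitly allowed rather than dropped wholesale, because Neighbor Discovery and path-MTU signalling ride on it.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): a dual-stack host firewall.
# The "inet" family evaluates one rule set for both IPv4 and IPv6, so turning
# IPv6 on does not silently bypass a policy that was written for IPv4 only.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows, for both address families
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv4: echo plus the error messages needed for working connectivity
        ip protocol icmp icmp type {
            echo-request, destination-unreachable, time-exceeded, parameter-problem
        } accept

        # ICMPv6 is not optional: Neighbor Discovery replaces ARP, Router
        # Advertisements carry addressing, and packet-too-big drives PMTUD.
        # Dropping all ICMPv6 "for safety" breaks IPv6 rather than securing it.
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
            packet-too-big, destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Service policy written once; it applies to v4 and v6 clients alike
        tcp dport { 80, 443 } accept

        # Management only from the admin networks (constructed example prefixes)
        ip saddr 192.0.2.0/24 tcp dport 22 accept
        ip6 saddr 2001:db8:1::/48 tcp dport 22 accept

        # Rate-limited log of everything else before the default drop, so IPv6
        # probes of a dual-stack host land in the same log as IPv4 ones
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and then compare `nft list ruleset` against the IPv4-only policy it replaces: any service that was reachable over IPv4 should be reachable over IPv6 under the same conditions, and nothing else. The `log prefix` line is the detection side of the same concern; if a dual-stack host is being probed over IPv6, those drops appear in the kernel log with the same prefix as the IPv4 ones instead of going unrecorded.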

World IPv6 Day participants say the event was advertised to everybody in the Internet engineering community, including hackers, and they are beefing up the security measures on their sites accordingly.

“This is a well-publicized event,” says John Brzozowski, distinguished engineer and chief architect for IPv6 at Comcast, which is participating in World IPv6 Day both as a provider of IPv6-based cable modem services and as an operator of seven IPv6-enabled websites. “Anything can happen. IPv6 is no different than any other new technology. The potential [for attacks] is there. Protecting the network is key to us.”

Lockheed Martin Cyber Attack Highlights Cyber-Blame Snags

WASHINGTON | Mon May 30, 2011 6:48pm EDT
(Reuters) – Past patterns may point to China, but top investigators say they will never know for sure who mounted a “significant” cyberattack against Lockheed Martin Corp, the Pentagon’s No. 1 arms supplier.
Lockheed, which is also the government’s top information technology provider, said on Sunday it was a “frequent target of adversaries around the world.”

The company has not disclosed which of its business units was targeted, but people with experience plugging holes after such strikes said that cyberspies likely sought trade secrets or weapons-related data.

The Bethesda, Maryland-based company did not respond to a request to clarify whom it deemed adversaries, and whether it suspected a foreign state in the digital assault it said it had detected “almost immediately” on May 21.

Lockheed said it had countered with stepped-up security measures and that no customer, program or employee personal data has been compromised in the “significant and tenacious attack” on its information systems network.

China has generally emerged as a prime suspect when it comes to keyboard-launched espionage against U.S. interests, although the Pentagon says more than 100 foreign intelligence groups have been trying to pierce U.S. networks.

“China’s government, the Chinese Communist Party, and Chinese individuals and organizations continue to hack into American computer systems and networks as well as those of foreign entities and governments,” the bipartisan U.S.-China Economic and Security Review Commission said in its 2010 annual report to Congress.

The body was created by Congress in 2000 to advise it on the implications of trade with China. It said in its report that the methods used in suspected Chinese-launched attacks were growing more sophisticated and increasingly piggy-backing on social networking tools.

Beijing, at odds with the United States over Taiwan and other issues, has “laced U.S. infrastructure with logic bombs,” a cyberweapon, former U.S. National Security Council official Richard Clarke wrote in his 2010 book “Cyber War.”

Beijing steadfastly dismisses such charges.

“I’d say it’s just irresponsible to arbitrarily link China to such cyber hacking activities in each and every turn,” Wang Baodong, the Chinese Embassy spokesman in Washington, said in an email to Reuters. “As a victim itself, China is firmly against hacking activities and strongly for international cooperation on this front”.

Pinning down responsibility for an attack like that reported by Lockheed is “incredibly difficult” given the sophisticated ways that an attacker may misdirect, said Anup Ghosh, a former senior scientist at the Pentagon’s Defense Advanced Research Projects Agency, or DARPA.

Encoded clues in the Stuxnet virus that may have slowed progress on Iran’s nuclear program, for instance, seemed designed to point to Israel.

But “it is impossible to know if these are red herrings or genuine,” said Ghosh, who worked on securing military networks for DARPA from 2002 to 2006 and who now runs Invincea, a software security company.

Eugene Spafford, who heads the CERIAS cybersecurity research facility at Purdue University in Indiana, said the digital residue of an attack would not suffice to lead to a person or place.

“Records may show a network address where those bits came from, and that network address may tie to a machine in a country, but that is only the address of the most recent ‘hop’,” he said in an email interview.

“It is always possible that it is a system that itself was compromised, by another system that was compromised,” and so on and so on, Spafford said. In addition, one could never rule out the possibility that a given cyberstrike might be launched by someone in the pay of yet a third party, no matter where it originated.

Spafford, whose CERIAS lab has partnered with a dozen major companies and national laboratories, including defense contractors and Fortune 500 companies, said the bottom line is that “we likely never really will know who did it.”

Investigators first look for hard evidence — searching for stolen data that may be traveling across the Internet or seeking out people looking to sell information culled in a cyber attack. They typically rely heavily on circumstantial evidence, including whether the attack details match known methods from a suspect and if the targets are consistent with a group’s perceived interest.

It is also possible that the U.S. intelligence community, using its vast electronic eavesdropping and other spying capabilities, may make a judgment about the origin independent of forensic analysis, but that too would be subject to doubt.

3 Reasons Why Security Appliances are Hot

For many SMBs, security appliances are the best solution to their security needs, as they are very affordable, offer excellent protection, and require little or no technical expertise to install or maintain. For those same reasons, value-added resellers (VARs) find appliances to be a relatively easy sell.


Among the easiest appliances for VARs to sell are functional, manageable and upgradeable devices, notably unified threat management (UTM) appliances, which are available from many vendors such as Cisco, Fortinet, SonicWall and WatchGuard. The UTM concept is based on the assumption that a combination of security solutions bundled in the same appliance creates a better security umbrella for organizations, said Ariel Avitan, an analyst at Frost & Sullivan.

“Another main advantage of UTM solutions is their low cost in comparison to purchasing many different security solutions,” said Avitan. “These two advantages are driving the rapid adoption of UTM solutions by SMB customers.”

Typical UTM solutions include a firewall, an intrusion prevention system/intrusion detection system (IPS/IDS), antivirus (AV) and anti-spam (AS) components, and a virtual private network (VPN).

The shift in business to the Web has exposed small businesses to multiple security risks, which they often struggle to counteract due to limited IT and financial resources.

“The solution for many SMBs is a security appliance, because it is easy to manage, affordable and doesn’t require them to be security experts,” said John Keenan, VP of Distribution, Americas for SonicWALL, a security vendor. Keenan said three factors are driving appliance sales in the SMB market: the proliferation of broadband; intelligent controls on the boxes; and SMBs’ appetite for enhanced security.


Security appliances are very affordable

Products range in price from a hundred dollars to several thousand dollars.

A low-end offering such as the ZyWALL 2 Plus costs a little more than $100 but delivers quite a bit. It supports IPsec VPN, which makes it suitable for remote-site-to-central-server deployments as well as home-to-office or office-to-home deployments. Encrypting the traffic over the Internet secures the transmission between two sites, eliminating the need for expensive leased lines and enabling global interconnectivity at minimal expense.

The ZyWALL 2 Plus provides robust firewall protection based on stateful packet inspection (SPI) and denial of service (DoS) protection. The ZyWALL 2 Plus provides the first line of defense against hackers and other malicious threats.

If you choose to go up a notch, a Cisco ASA 5500 will set you back anywhere from $700 to $5,000. A low-end Cisco ASA 5500 is an easy-to-deploy solution that integrates world-class firewall, unified communications (voice/video) security, SSL and IPsec VPN, intrusion prevention (IPS), and content security services in a flexible, modular product family.

Designed as a key component of the Cisco Self-Defending Network, the ASA 5500 provides intelligent threat defense and secure communications services that stop attacks before they impact business continuity.

A high-end appliance can cost several thousand dollars. For example, the Blue Coat ProxyOne, a new device aimed at SMBs, starts at $8,999 for 100 users. The price includes the appliance, software licenses, automatic security updates and 24x7 support. The appliance can scale to support up to 2,000 users.

For your money, you get Web filtering, inline malware and anti-virus scanning, as well as on-box reporting (reports generated by the product; no add-ons needed) to enable safer use of Web 2.0 applications. A ProxyOne box delivers real-time Web defense, using the cloud-based Blue Coat WebPulse service. Additionally, Blue Coat security experts continually update the WebPulse defenses to protect against new threats.


Excellent protection

A security appliance, such as a UTM solution, provides comprehensive protection to customers as it has tightly integrated security features that work together on a single appliance, said Keenan. This class of appliance makes it easy for SMBs to manage their security because they only have to deal with one box and one source of support. Such an appliance solution is highly cost-effective as it offers a centralized console that enables monitoring of network security at remote locations.

Besides UTMs, the security appliance market includes standalone appliances (which deliver a single security application), blade appliances (a hybrid between UTMs and standalone devices) and software appliances.

All-in-one security appliances require little or no technical expertise from the user to install or maintain. This makes them appealing to SMBs and VARs. SMBs like these boxes because of their simplicity and practicality, while VARs like them because they are generally bulletproof in their reliability and provide the proverbial foot in the door to sell services.

“Some SMBs still need our expertise, whether it’s assessing their security vulnerabilities, configuring the products, or providing remote monitoring through a managed service,” said Alvin Myers, president of United Systems, a VAR in Oklahoma City.
