Duqu – It’s Back!

March 28, 2012

Computerworld is reporting that the nasty malware Duqu is back.  After being undetected for several months, Symantec discovered a new driver release on February 23, 2012.

Liam O Murchu, manager of operations at Symantec’s security response team, is quoted as saying that the functionality of the new driver was “more or less the same” as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. According to O Murchu,

It’s hard to tell whether they really did take several months off, and if so, why. It’s installed on a very small number of computers, and that low, low distribution number means that they could have released more attacks between November and February, but everyone missed that. Or it could mean that they have been quiet.

Alexander Gostev, who leads Kaspersky’s global research and analysis team, is quoted as saying that the Duqu driver was probably modified to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.

Duqu appears to be spread by spearphishing, the hacking technique in which highly targeted, socially engineered emails are sent to a very small number of people.  The purpose of a spearphishing email is to deceive the recipient into taking an action — in the case of Duqu that action is opening an attachment that delivers the Duqu malware.

How effective is spearphishing?  The Department of Homeland Security researched this question.  DHS found that untrained employees opened spearphishing emails 22% of the time — after training the open rate was 21%.  Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of an email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm.  Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.


Cyberattack Simulation for Senate

March 26, 2012

On March 7, 2012, senior officials of the Obama administration conducted a cyberattack simulation for 50 United States Senators.  The Washington Post Blog described the simulation:

The scenario: a computer attack on the electricity grid in New York City during a summer heat wave.

Using PowerPoint graphics, officials explained that the attack is launched by a software virus inserted into the system when an unsuspecting power company employee clicks on an infected attachment in an e-mail — a technique known as “spear phishing.”

The virus spreads unchecked through the system, causing power outages and blackouts. The effects, officials said, could cascade. People living on the upper floors of high-rises could lose water. They might not be able to withdraw cash from ATMs, which no longer work.

The bill, S 2105, The Cybersecurity Act of 2012, is co-sponsored by Sens. Joseph I. Lieberman (I-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV (D-W.Va.), and Dianne Feinstein (D-Calif.).  According to Secretary Napolitano, the power companies “would have performance standards that could have prevented the spear phishing attack.”  This would be accomplished by more mandatory reporting of cyberattacks and increased penalties for violations of the law.

It is interesting that the attack vector chosen to demonstrate the need for this law was spearphishing.  As Cisco reported in its June 2011 study, “Email Attacks: This Time It’s Personal”, spearphishing uses unique and previously unseen exploits to compromise systems.  Because these attacks are previously unseen, knowing about attack A does not defend against attack B.  Spearphishers do not infiltrate systems with attacks on computers; they infiltrate systems by tricking email recipients.  You can see how this works by watching Spearphishing – The Movie.

When cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now from Iconix: SP Guard.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.


Spearphishing – The Movie

March 15, 2012

Eric Fiterman of Rogue Networks/Methodvue demonstrates how to construct a malicious email that effectively impersonates President Obama. Using malware delivered in an attachment, Fiterman takes control of the recipient’s computer.


He steals passwords, searches for files and even takes a picture of his victim using the computer’s camera.  Watch the video at http://money.cnn.com/video/technology/2011/07/25/t-tt-hacking-phishing.cnnmoney/

What permits Fiterman to infiltrate this computer?  The recipient can’t distinguish a real email from the President from a fake email from the President.  People need to know if an email is really from the President. They need to know if an email is really from a co-worker.  SP Guard from Iconix lets email recipients quickly and easily determine if the sender really is the President or a co-worker.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.


Linked-In – The Social Engineer’s Dream Tool

March 13, 2012

Hackers frequently infiltrate networks by attacking the people who use the network rather than the network itself.  How do hackers attack the people? A common method is spearphishing, in which a highly personalized email is sent to a small number of people. Because the email appears to be real — it contains personalized information — the recipient responds to the email. This creates a relationship of trust between the victim and the hacker.

CNN Money reports on how security researcher Ryan O’Horo of IOActive used Linked-In to obtain personal information about a firm’s employees.  He used Linked-In to figure out the corporate reporting structure.  He then sent targeted emails to his intended victims and was able to obtain access to company information.

Of particular interest in this article is a video in which Eric Fiterman of Rogue Networks/Methodvue demonstrates how to construct a malicious email that effectively impersonates President Obama. Using malware delivered in an attachment, Fiterman takes control of the recipient’s computer.


He steals passwords, searches for files and even takes a picture of his victim using the computer’s camera.  Watch the video at http://money.cnn.com/video/technology/2011/07/25/t-tt-hacking-phishing.cnnmoney/

People need to know if an email is really from the President. They need to know if an email is really from a co-worker.  SP Guard from Iconix lets email recipients quickly and easily determine if the sender really is the President or a co-worker.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.


Iconix Whitepaper – DMARC

March 5, 2012

Today Iconix released its whitepaper, “DMARC – Less Than Meets The Eye.”  In this whitepaper, Iconix discusses the limitations of DMARC in solving the problem of deceptive emails.

In the whitepaper, Iconix focuses on Section 2.2 of the DMARC spec.  Iconix discusses how, while the DMARC standard is important, it addresses only one technical avenue exploited by the creators of deceptive email: DMARC authenticates the domain in the message’s From: header, and nothing else about how the sender appears to the recipient.
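To make the limitation concrete, here is an added illustration (not code from Iconix or from the DMARC specification): a simplified DMARC identifier-alignment check, run over constructed sample messages. A message that directly forges the protected domain from an unauthorized server fails DMARC, but a message from an attacker-registered lookalike domain with its own valid SPF and DKIM passes, because DMARC only compares domains. The `display_name_mismatch` check is an assumed, separate heuristic of the kind a sender-identity indicator would need; the domain names and directory are constructed.

```python
# Simplified DMARC identifier alignment (RFC 7489 style) over constructed
# samples. This is an added illustration, not Iconix or reference code.
from email.utils import parseaddr

def org_domain(domain):
    """Rough organizational-domain reduction: keeps the last two labels.
    Real DMARC uses the public suffix list; this shortcut is an assumption."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(msg, spf_domain, spf_pass, dkim_domain, dkim_pass, mode="r"):
    """DMARC passes if SPF or DKIM passed AND that identifier is aligned
    with the RFC5322.From domain. Only the address's domain is examined."""
    _, addr = parseaddr(msg["From"])
    from_domain = addr.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(from_domain, spf_domain, mode)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, mode)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def display_name_mismatch(msg, trusted):
    """Assumed heuristic outside DMARC's scope: the display name matches a
    trusted contact, but the address is not that contact's address."""
    name, addr = parseaddr(msg["From"])
    expected = trusted.get(name.strip().lower())
    return expected is not None and addr.lower() != expected

# Constructed directory of trusted contacts (display name -> address).
TRUSTED = {"ceo": "ceo@myco.example"}

# Constructed: direct forgery of myco.example sent via an unrelated server.
SPOOF = {"From": "CEO <ceo@myco.example>"}
# Constructed: attacker-owned lookalike domain with valid SPF/DKIM of its own.
LOOKALIKE = {"From": "CEO <ceo@myco-example.com>"}

if __name__ == "__main__":
    print("direct forgery:", dmarc_result(SPOOF, "attacker.example", True, "", False))
    print("lookalike domain:",
          dmarc_result(LOOKALIKE, "myco-example.com", True, "myco-example.com", True))
    print("display name impersonation flagged:",
          display_name_mismatch(LOOKALIKE, TRUSTED))
```

The lookalike message is fully DMARC-compliant; only a check that looks at what the recipient actually sees, the display name against a known identity, catches it.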

You can download a copy of the whitepaper here.


Cyberattacks Could Overtake Terrorist Threat — FBI Chief

March 2, 2012

Yesterday (March 1, 2012), FBI Director Robert Mueller addressed the RSA Conference in San Francisco.

FBI Director Mueller

These are a few of Director Mueller’s observations:

Terrorism remains the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.

Terrorists are increasingly cyber savvy. Much like every other multi-national organization, they are using the Internet to grow their business and to connect with like-minded individuals. And they are not hiding in the shadows of cyber space.

Terrorist use of the Internet is not our only national security concern. As we know, state-sponsored computer hacking and economic espionage pose significant challenges.

Just as traditional crime has migrated online, so, too, has espionage. Hostile foreign nations seek our intellectual property and our trade secrets for military and competitive advantage.

State-sponsored hackers are patient and calculating. They have the time, the money, and the resources to burrow in, and to wait. They may come and go, conducting reconnaissance and exfiltrating bits of seemingly innocuous information—information that in the aggregate may be of high value.

You may discover one breach, only to find that the real damage has been done at a much higher level.

Unlike state-sponsored intruders, hackers for profit do not seek information for political power—they seek information for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organized crime in cyber space offers a higher profit with a lower probability of being identified and prosecuted.

Unlike traditional crime families, these hackers may never meet, but they possess specialized skills in high demand.

They exploit routine vulnerabilities. They move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business.

You can read the Director’s entire remarks at: http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies