PandaLabs says the fight against cybercrime is being won

network SECURITY

ISSN 1353-4858 June 2013

www.networksecuritynewsletter.com

Featured in this issue:

Contents

The security implications of IPv6

T

he pool of IPv4 addresses is quickly being exhausted. Yet today IPv4 still carries the majority of Internet traffic. And while organisations are now beginning to migrate to IPv6, switching poses a series of security challenges.

There are several important issues that IT administrators must be aware of during a changeover, including: IPv6

ICMP vulnerabilities; multiple protocol stack vulnerabilities; the lack of experience in countermeasures for IPv6 attacks; hacking tools that now support IPv6; IPv6 multicast vulnerabilities; IPv6 header information vulnerabilities; and tunnelling IPv6 through IPv4 networks. Keith Barker explains these issues in detail. Full story on page 5…

Getting lost on the Internet: the problem with anonymity

T

he Internet was never designed with anonymity in mind. In fact, the very design of the system allows for easy tracking, at least as far as an IP address.

Early on in the net’s development, questions were being raised about

privacy and anonymity. Steve Gold outlines the historical foundations of the issue, in the very development of the Internet, and goes on to explain why achieving anonymity is so difficult. Full story on page 10…

Classic enterprise IT: the castle approach

T

here have been proclamations for many years now that the centralised ‘castle’ IT model is no more. But there’s one thing that must remain in the ‘keep’ of core resources – the user’s identity.

Identity has become the new perimeter. Every organisation has a

core database of identities. The key is ensuring that users have a reliable way of proving their identities. Tim Brooks of Signify shows how your core resource that manages identity can be used to keep your organisation secure. Full story on page 14…

PandaLabs says the fight against cybercrime is being won

I

n the midst of all the doom and gloom that normally surrounds reporting

of cybercrime, security firm PandaLabs believes there is reason for optimism.

The research arm of Panda Security has just published research which suggests that international co-operation among

security agencies is beginning to pay off and criminals around the world are being brought to justice. “The start of the year has seen some serious cyber-attacks, including the hacking of the Twitter accounts of major Continued on page 2...

NEWS PandaLabs says the fight against cybercrime is being won McAfee says it’s business as usual

1 2

US warns of increased cyber-attacks by Iran

19

Journalists threatened with data protection laws after using exposed information

20

NATO under attack

20

FEATURES The security implications of IPv6 5 For a while now, IPv6 has been touted as the answer to the problem of Internet address exhaustion. Its massive address space offers an IP for every device. But the slow, piecemeal roll-out of IPv6, and the fact that it is so poorly understood, is opening up potential weaknesses. Keith Barker explains how vulnerabilities in the protocol stack and implementations, and the appearance of dedicated hacking tools, are creating a major security problem. Getting lost on the Internet: the problem with anonymity 10 Every time you use the Internet, you leave traces. The system was designed to make connections, and sometimes those are tracks you’d rather not have lead directly to you. Steve Gold describes the net’s early history, how that led to the creation of organisations concerned with privacy and anonymity and goes on to explain why anonymity is hard to achieve even today. He concludes that you can never be fully anonymous on the Internet, but you can protect your privacy to a degree. Classic enterprise IT: the castle approach 14 The traditional method of protecting an organisation is no longer valid. Putting up defences at the perimeter has been rendered ineffective now that so many net-connected devices – such as smartphones – are coming into the heart of the organisation. Tim Brooks of Signify explains how the best approach is to make identity the foundation of your security. Interview: Colin Tankard – raising security awareness 16 Educating people about the need for security is a tough job. Many companies still do the minimum when it comes to securing their systems. And the general public seems equally reluctant to adopt more secure practices. Colin Tankard of Digital Pathways discusses whether the public actually holds the key to improving security, by demanding better custodianship of their private data from the companies with which they interact. REGULARS News in brief Book Review Events

3 4 20

ISSN 1353-4858/13 1353-4858/10 © 2013 2011 Elsevier Ltd. All rights reserved This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Fax: +44 (0)1865 843973 Web: www.networksecuritynewsletter.com Publisher: GregHopwood Valero Publisher: David E-mail: [email protected] Editor: Steve Mansfield-Devine Editor: Mansfield-Devine E-mail:Steve [email protected] E-mail: [email protected] Senior Editor: Sarah Gordon Senior Editor: Sarah Gordon International Editoral Advisory Board: International Advisory Board: Dario Forte, Edward Editoral Amoroso, AT&T Bell Laboratories; Dario Forte, Edward Amoroso, AT&T BellJon Laboratories; Fred Cohen, Fred Cohen & Associates; David, The Fred Cohen, Fred Cohen & Communications; Associates; Jon David, The Fortress; Bill Hancock, Exodus Ken Lindup, Fortress; BillatHancock, ExodusLongley, Communications; Lindup, Consultant Cylink; Dennis QueenslandKen University Consultant at Cylink; Queensland University of Technology; TimDennis Myers, Longley, Novell; Tom Mulhall; Padget of Technology; TimMarietta; Myers, Novell; Mulhall; Padget Petterson, Martin EugeneTom Schultz, Hightower; Petterson, Martin Marietta; Eugene Hightower; Eugene Spafford, Purdue University; WinnSchultz, Schwartau, Inter.Pact Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact Production Support Manager: Lin Lucas Production Support Manager: Lin Lucas E-mail: [email protected] E-mail: [email protected] Subscription Information Subscription Information An annual subscription to Network Security includes 12 An annual issues and subscription online accesstoforNetwork up to 5 Security users. includes 12 issues and online access for up to 5 users. Prices: Prices: 1221 for all European countries & Iran 1112 forfor allall European & Iran and Japan US$1367 countriescountries except Europe US$1244 countries except Europe and Japan ¥162 000 for for all Japan ¥147 foruntil Japan (Prices525 valid 31 December 2013) (Prices valid until June 2013) To subscribe send 31 payment to the address above. To subscribe send payment to the address above. Tel: +44 (0)1865 843687 Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971 or via www.networksecuritynewsletter.com Email: [email protected], Subscriptions run for 12 months, from the date payment or via www.networksecuritynewsletter.com is received. Subscriptions run for 12 months, from the date payment is received. postage is paid Rahway,Global NJ 07065, PermissionsPeriodicals may be sought directly fromat Elsevier Rights USA. Postmaster send all Oxford USA address corrections to: Network Department, PO Box 800, OX5 1DX, UK; phone: +44 1865 Security, 365 Blair Road, Avenel, NJ 07001, USA 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page Permissions may beselecting soughtfirst directly from Elsevier then Global Rights (www.elsevier.com), ‘Support & contact’, ‘Copyright Department, OX5 clear 1DX, permissions UK; phone: and +44 make 1865 & permission’.POInBox the 800, USA,Oxford users may 843830, +44 1865 853333, Clearance email: [email protected]. You paymentsfax: through the Copyright Center, Inc., 222 Rosewood may contact through Elsevier’s home Drive,also Danvers, MAGlobal 01923,Rights USA; directly phone: +1 978 750 8400, fax: +1page 978 (www.elsevier.com), firstthe ‘Support & contact’, ‘Copyright 750 4744, and in theselecting UK through Copyright Licensingthen Agency Rapid & permission’. In (CLARCS), the USA, users may clear permissions and make Clearance Service 90 Tottenham Court Road, London W1P payments through the Copyright Clearance Center, Inc., 222 Rosewood 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 countries may have a local reprographic rights agency for payments. 750 4744, and in the UK through the Copyright Licensing Agency Rapid Derivative Works Clearance (CLARCS),tables 90 Tottenham Court Road, London SubscribersService may reproduce of contents or prepare lists of W1P arti0LP, UK; tel: +44 (0)20 7631 5555; circulation fax: +44 (0)20 Other cles including abstracts for internal within7631 their5500. institutions. countries may have a local reprographic rights agency for payments. Permission of the Publisher is required for resale or distribution outside Derivative Works the institution. Permission of the Publisher is required for all other Subscribers may reproduce tables of contents or prepare lists of artiderivative works, including compilations and translations. cles including abstracts internal circulation within their institutions. Electronic Storage orfor Usage Permission outside Permission of of the thePublisher Publisherisisrequired requiredfortoresale storeorordistribution use electronically the Permission of the Publisher is required for orallpart other any institution. material contained in this journal, including any article of derivative compilations an article. works, Exceptincluding as outlined above, noand parttranslations. of this publication may Electronic Storage or Usage be reproduced, stored in a retrieval system or transmitted in any form Permission of the Publisher required tophotocopying, store or use electronically or by any means, electronic,ismechanical, recording or any material contained this journal, including anyPublisher. article orAddress part of otherwise, without priorinwritten permission of the an article. Except as outlined above, no part of this publication may permissions requests to: Elsevier Science Global Rights Department, at be a retrievalnoted system or transmitted in any form thereproduced, mail, fax andstored emailinaddresses above. or by any means, electronic, mechanical, photocopying, recording or Notice otherwise, without prior written of any the injury Publisher. Address No responsibility is assumed by thepermission Publisher for and/or dampermissions requests to: Elsevier ScienceofGlobal Rights Department, at age to persons or property as a matter products liability, negligence the mail, fax and email addresses noted above. or otherwise, or from any use or operation of any methods, products, Notice instructions or ideas contained in the material herein. Because of No responsibility is assumed by thesciences, Publisherinforparticular, any injury independent and/or damrapid advances in the medical age to persons or propertyand as drug a matter of products verification of diagnoses dosages should liability, be made.negligence Although or from anyis use or operation of anytomethods, products, all otherwise, advertisingormaterial expected to conform ethical (medical) instructions or ideas contained in the material herein. Because of standards, inclusion in this publication does not constitute a guarantee rapid advances of in the thequality medical sciences, in product particular, independent or endorsement or value of such or of the claims verification of its diagnoses and drug dosages should be made. Although made of it by manufacturer. all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

12987 Pre-press/Printed by Mayfield Press (Oxford) by Limited Pre-press/Printed Mayfield Press (Oxford) Limited

2

Network Security

...Continued from front page organisations such as the BBC or Burger King, and one of the biggest attacks ever, targeting some of the world’s leading technology companies: Apple, Facebook, Microsoft and Twitter,” said Luis Corrons, technical director of PandaLabs. “But there have been some victories for security forces as well, including the arrest of a group of hackers accused of extortion using the infamous ‘Police Virus’.” The year started with the inauguration of a new European cybercrime centre, designed to co-ordinate law enforcement activities among member states. Also in January, the FBI published details of an investigation that began in 2010 and thwarted a gang of cyber-criminals who had infected more than a million computers since 2005. This operation stands out not least because of the co-ordination between security forces in different countries. The FBI had the support of police in Moldavia, Romania, Holland, Germany, Finland, Switzerland and the UK. According to PandaLabs, one of the most infamous cases of the past year or so has been the ‘Police Virus’. In February this virus once again hit the headlines, but this time for a very different reason. The Technological Investigation Brigade of Spain’s National Police, together with Europol and Interpol, dismantled the cybercrime ring responsible for the malware. This is no time be complacent though, the firm warns. “We noticed that the news mentioned the arrest of ‘the gang’ of cybercriminals, yet the information we have at PandaLabs points to the existence of several gangs responsible for these attacks,” said Corrons. “We reached this conclusion after analysing numerous variants of the malware over time, and observing significant differences between them. In short, we are afraid the Police Virus is not likely to go away anytime soon. Users shouldn’t lower their guard.” Nevertheless, new threats continue to appear. Kaspersky Lab has recently announced that it has uncovered a family of malware, dubbed ‘NetTraveler’. According to the firm’s report, this has been used in so-called Advanced Persistent Threats (APTs) to successfully compromise more than 350 high-profile victims in

40 countries. The targets include people working in multiple establishments in both the public and private sectors, including government institutions, embassies, the oil and gas industry, research centres, military contractors and activists. According to Kaspersky Lab’s report, this threat actor has been active since as early as 2004; however, the highest volume of activity occurred from 2010 to 2013. Most recently, the NetTraveler group’s main domains of interest for cyber-espionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications. The full report is available here: http:// bit.ly/201306kaspersky.

McAfee says it’s business as usual

U

nlike PandaLabs (above), McAfee’s report for the first quarter of 2013 says that it’s business as usual in the malware and cybercrime worlds. Mobile malware – which means Android – continues to rise, while most of the other threats are familiar names, with a few old-timers coming back into the picture.

The Facebook malware Koobface has made a reappearance. First seen in 2008 it has been relatively dormant for a year. But levels of infection tripled in the first quarter of 2013, reaching record levels. There’s also been a rise in Master Boot Record (MBR) infections, which aim to compromise storage devices at a low level, giving the malware full control over the system. After declining over the past three years, spam is also on the rise again, as is the pump-and-dump scam involving near-worthless stocks. In the case of spam, the senders are using ‘snowshoe’ tactics, spreading the sending across many domains in order to fool the reputation metrics used by anti-spam systems. As for Android: “Our count of mobile malware samples, just about exclusively for the Android OS, continues to skyrocket,” says the report. “Almost 30% of all mobile malware appeared this quarter. Malicious spyware and targeted attacks highlighted the latest assaults on mobile phones.” The full report is available here: http:// bit.ly/201306mcafee.

June 2013