NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Web: www.networksecuritynewsletter.com
Publisher: Greg Valero, E-mail: [email protected]
Editor: Steve Mansfield-Devine, E-mail: [email protected]
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas, E-mail: [email protected]

Subscription Information
An annual subscription to Network Security includes 12 issues and online access for up to 5 users. Prices: €1112 for all European countries & Iran; US$1244 for all countries except Europe and Japan; ¥147 525 for Japan (prices valid until 31 December 2011). To subscribe send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971. Email: [email protected], or via www.networksecuritynewsletter.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited
2
Network Security
...Continued from front page

the breach – achieved through a so-called Advanced Persistent Threat (APT) – undermined the security of its SecurID two-factor authentication system. There has been speculation that the hackers obtained the seed used to generate unique codes on the hardware tokens, which would allow them to duplicate valid authentication codes, although they would still need usernames and PINs.

“What’s extremely interesting about this attack is the careful planning and co-ordination,” said Mickey Boodaei, CEO of Trusteer. “It shows that cybercriminals start by targeting various organisations that may hold information which could potentially help them launch a better attack against their final target. This puts most service providers at direct risk. We’re seeing many attacks against service providers lately. Most of these attacks are of little interest to the service provider as they don’t cause direct losses to them. However, in a wider context these attacks are part of information gathering and preparations that enable other attacks on other organisations.”

At the time, security evaluation firm NSS Labs said: “This was a strategic move to grab the virtual keys to RSA’s customers – who are the most security conscious in the world. One or several RSA clients are likely the ultimate target of this attack. Military, financial, governmental and other organisations with critical intellectual property, plans and finances are at risk.”

This prediction came true shortly after. Lockheed Martin announced that it had come under a “significant and tenacious attack” related to the use of SecurID, but that it had noticed the intrusion almost immediately and was able to shut it down. The company immediately reset all passwords when the breach was discovered in late May and began the process of replacing 45,000 tokens. L-3 Communications, another major defence company, also came under an attack that used cloned SecurID codes, according to a memo leaked to Wired. It’s not clear if the attacks, which took place in April, succeeded. There were also rumours that a third defence firm, Northrop Grumman, shut down remote access to its networks five days after the Lockheed Martin attack.

Initially, RSA insisted that the attacks did not undermine the value of SecurID as a security mechanism. It later offered to replace all tokens for companies “with concentrated user bases typically focused on protecting intellectual property and corporate networks”, although it didn’t make clear what it meant by that. The firm also said it would work with other firms to analyse their security needs. Later still, RSA clarified its position and said it would offer token replacements for virtually all customers. It’s estimated that this could involve the replacement of as many as 45 million tokens. The cost to RSA’s customers of deploying the new tokens could run into the billions of dollars. These customers include a number of banks that issue SecurID tokens to their customers. In Australia, for example, both Westpac and ANZ Bank have already started the replacement process.

“Enterprises are facing a serious threat from sophisticated cyber-criminals and the tools and methodology used by enterprises today are not tuned for targeted attacks,” said Boodaei. “They’re tuned for untargeted attacks that may eventually hit the organisation but most likely hit others first.”

RSA has announced the appointment of a chief security officer, Eddie Schwartz, who was previously CSO at Netwitness.
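The token-seed point above (whoever holds the seed can compute the same one-time codes, so the PIN and the server's own checks are what remains) can be made concrete with an added example. This is not code from the newsletter or from RSA: SecurID uses its own algorithm, and this stand-in is standard HOTP/TOTP (RFC 4226 / RFC 6238) with a 60-second step. The seed, PIN and timestamps below are constructed; the verifier keeps a per-user PIN hash, a one-step drift window, and the last accepted counter so that a code already used cannot be replayed.

```python
"""Added example: RFC 6238 TOTP verifier as a stand-in for a hardware-token
back end. Shows why the shared seed must stay secret (any seed holder gets
identical codes) and which server-side checks hold regardless: PIN, drift
window, and single use of each counter. All values are constructed."""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step, digits)


def hash_pin(pin: str) -> str:
    """Placeholder PIN storage for the demo; a real deployment would use a
    slow, salted password hash rather than plain SHA-256."""
    return hashlib.sha256(pin.encode()).hexdigest()


class OtpVerifier:
    """Server side of the exchange: users map to (seed, pin_hash)."""

    def __init__(self, users: dict, step: int = 60, window: int = 1):
        self.users = users
        self.step = step
        self.window = window          # accepted clock drift, in steps
        self.last_counter: dict = {}  # username -> last counter accepted

    def verify(self, username: str, pin: str, code: str, now: int):
        rec = self.users.get(username)
        if rec is None:
            return False, "unknown user"
        seed, pin_hash = rec
        # Second factor the seed leak does not give away: the PIN.
        if not hmac.compare_digest(hash_pin(pin), pin_hash):
            return False, "bad PIN"
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(seed, c), code):
                # Each counter value is accepted once; a captured code
                # presented again within the window is rejected.
                if c <= self.last_counter.get(username, -1):
                    return False, "replayed code"
                self.last_counter[username] = c
                return True, "ok"
        return False, "bad code"


def demo() -> list:
    """Walk through the cases a defender cares about; returns the outcomes."""
    seed = b"constructed-seed-0123"  # constructed, per-user token secret
    verifier = OtpVerifier({"alice": (seed, hash_pin("1234"))})
    now = int(time.time())
    code = totp(seed, now)           # what alice's token (or any seed holder) shows
    return [
        verifier.verify("alice", "1234", code, now),      # (True, 'ok')
        verifier.verify("alice", "1234", code, now + 5),  # replay -> rejected
        verifier.verify("alice", "0000", code, now),      # seed alone, no PIN
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The `hotp` routine reproduces the RFC 4226 and RFC 6238 published test vectors, which is the quickest way to check an OTP implementation before trusting it. The demo shows the two checks that survive a seed compromise: the PIN is never derivable from the seed, and a code that has already been accepted for a counter is refused even inside the drift window.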
Google spear-phishing targets governments and military
A large-scale campaign to steal login credentials for the Gmail service was recently uncovered by Google. The campaign involved spear-phishing techniques aimed at senior military officials in the US, officials in several Asian countries – most notably South Korea – plus Chinese political activists and journalists.

The spear-phishing emails contained links to fake Gmail pages. The links were customised for each target and the
Continued on page 20...
June 2011
...Continued from page 2

sites to which they were taken – in some cases via the dyndns.org dynamic DNS service – were virtually indistinguishable from the real Google pages. According to Google the emails originated from Jinan, China, although analysis reveals that the IP addresses from which they originated also include South Korea and the US. Jinan is home to the Lanxiang Vocational School, which was linked to the 2009 attacks on Google’s back-end systems. The Chinese Foreign Ministry has condemned Google for blaming these attacks on China.

“The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change people’s forwarding and delegation settings,” said a Google blog post. “Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. Company officials have alerted the victims and relevant government authorities.”

In one example shared by Google, an email sent to Pentagon and US State Department addresses read: “This is the latest version of the State’s joint statement. My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike.” A file, appearing to be a Word document, was attached to the email.

“Spear-phishing demonstrates precision and sophistication, not necessarily in terms of technical expertise but in terms of researching the target,” said Paul Vlissidis, technical director of NGS Secure. “Poor levels of user awareness about basic security are once again at the heart of this attack.”
More malware for Android
Google’s Android platform has been the target of more malware, with infected apps finding their way into the Market application store. Meanwhile, researchers have uncovered structural flaws in Android that could be exploited to steal login credentials.
At the end of May, Google withdrew at least 25 apps, and perhaps as many as 34, from Google Market, some of them modified versions of legitimate apps that had been available for some time. Lookout Mobile Security estimated that 30,000-120,000 users may have been infected by the malicious software. This follows the withdrawal of more than 50 apps back in March.

The downloader trojan has been dubbed Droid Dream Light – a modified version of the Droid Dream code that led to the earlier withdrawal of apps. The code first injects a broadcast receiver and the malware is then activated by an incoming call or SMS message. It then sends device information (device model, IMEI, IMSI and SDK version) as well as data about installed apps to the cyber-criminals.

“Android is the number one delivery mechanism for spyware and trojans,” said Claus Villumsen, CTO of mobile security firm BullGuard. He noted that part of the problem is the users themselves who have become accustomed to simply clicking through Android’s warning mechanisms that ask if the user wants to give a new app access to data on the device.

Juniper Software said that it had seen a sharp rise in smartphone malware infections, with infections on Android platforms rising 400% during 2010. And McAfee noted that, for mobile malware, Android became the second-most common platform, behind Symbian. It had previously been third.

Researchers at the University of Ulm in Germany found that Android’s ClientLogin authentication protocol, which stores authentication tokens after users have logged into services such as Twitter, Facebook and so on, received these tokens in clear text. They were therefore vulnerable to interception by hackers if victims were using open wifi hotspots or other unsecured networks. They could then be used to impersonate the user. The issue was patched in Android 2.3.4 and 3.0, but around 99% of Android devices in use run version 2.3.3, which remained vulnerable. Google said it was rolling out a patch for the servers sending the tokens which would ensure they were encrypted.
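The Droid Dream Light mechanism described above (a broadcast receiver that wakes on an incoming call or SMS, in an app that can read the IMEI/IMSI and reach the network) is the kind of pattern an app-store reviewer or incident responder can screen for statically. The following is an added example, not code from the newsletter, Lookout or Google: it scans a decoded AndroidManifest.xml for receivers registered on call or SMS broadcasts and checks whether the app also holds READ_PHONE_STATE and INTERNET. The sample manifests are constructed; the package name and receiver class are placeholders, and the rule is a heuristic for triage, not a verdict.

```python
"""Added example: manifest triage for the call/SMS-triggered receiver pattern.
Input is a decoded (text) AndroidManifest.xml; a binary manifest from an APK
must be decoded first (e.g. with apktool). Sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # the android:name attribute, namespace-qualified

# Broadcast actions a receiver can use to wake without any user interaction.
TRIGGER_ACTIONS = {
    "android.intent.action.PHONE_STATE",
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.provider.Telephony.SMS_RECEIVED",
}
# Permissions that together let an app read IMEI/IMSI and send them out.
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE"}
NETWORK_PERMS = {"android.permission.INTERNET"}


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, declared permissions, receivers that wake on
    call/SMS broadcasts, and a 'suspicious' flag when such a receiver is
    combined with identity-reading and network permissions."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")} - {None}
    triggered = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")}
        hits = sorted(actions & TRIGGER_ACTIONS)
        if hits:
            triggered.append({"receiver": rcv.get(NAME), "actions": hits})
    suspicious = bool(triggered) and bool(perms & IDENTITY_PERMS) \
        and bool(perms & NETWORK_PERMS)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "triggered_receivers": triggered,
        "suspicious": suspicious,
    }


# Constructed: a repackaged "wallpaper" app carrying the trigger pattern.
SAMPLE_SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallpaper">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".Wakeup">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed: the same kind of app without the trigger or identity access.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.plainwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        result = triage_manifest(sample)
        print(result["package"], "suspicious" if result["suspicious"] else "clean",
              result["triggered_receivers"])
```

Legitimate apps (dialers, SMS clients) register the same receivers, so the flag is a prompt to inspect the receiver's code and the app's provenance, which is why the function returns the matched receivers and permissions rather than only a boolean.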
EVENTS CALENDAR

1–9 July 2011
SANS Canberra
Canberra, Australia
www.sans.org/info/72344

5–6 July 2011
Smart Grid Security China 2011
Beijing, China
www.pyxisconsult.com/sgsc

7–8 July
10th European Conference on Information Warfare and Security
Tallinn, Estonia
http://bit.ly/dlZD3e

7–8 July
Eighth Conference on Detection of Intrusions and Malware & Vulnerability Assessment
Amsterdam, The Netherlands
www.cs.vu.nl/dimva2011/

15–24 July
SANSFIRE
Washington DC, US
www.sans.org/info/72774

18–22 July
Cloud Computing and Ethical Hacking World Symposium and Exhibition
Johannesburg, South Africa
www.amabhubesi.com

25–30 July
SANS Tokyo
Tokyo, Japan
www.sans.org/info/72889

30 July–4 Aug 2011
Blackhat 2011
Las Vegas, Nevada, US
www.blackhat.com