We Live Security (http://www.welivesecurity.com) – News, Views, and Insight from the ESET Security Community. Feed generated Mon, 17 Jun 2013 06:48:32 +0000.

Needles and haystacks – the art of threat attribution
http://www.welivesecurity.com/2013/06/17/needles-and-haystacks-the-art-of-threat-attribution/
Mon, 17 Jun 2013 06:23:06 +0000 – Aryeh Goretsky

ESET researchers explain the difficulties in attribution of targeted attacks; evidence is often circumstantial and the source never positively identified.

The post Needles and haystacks – the art of threat attribution appeared first on We Live Security.
Over the past few weeks we have seen a lot of attention paid by the media to the targeted attack campaign reported on by ESET and Norman researchers, with articles appearing not just on security-focused news sites such as DaniWeb, DarkReading, Hacker News, SC Magazine and Virus Bulletin, but also in the general computing trade press at eWeek, InformationWeek, PCWorld, The Register, Tech2, TechNewsDaily, and TechWeek Europe. However, when articles start appearing in mainstream global news sources such as Forbes, Pakistan Today, The Indian Times, International Business Times, and The Times of India, you realize that it’s major news.

One of the most interesting aspects of this range of coverage is the way in which the story has been treated at each level. The reports by ESET and Norman focused on the mechanics of the attack campaign as well as the functionality and capabilities of the malware created to implement that campaign. However, as one moves from the security press to the trade press to the mainstream media, the focus changes from attack mechanisms to commentary about threat attribution, or identifying the attackers, even though the public commentary by the researchers analyzing the attack has only been speculative. To quote from Norman’s excellent write-up, Operation Hangover: Unveiling an Indian Cyberattack Infrastructure [PDF, 2768KB]:

None of the information contained in the following report is intended to implicate any individual or entity, or suggest inappropriate activity by any individual or entity mentioned.

This statement seems to have been largely ignored by those reporting on events.

This is not the first time we have seen what some believe to be a nation-state motivated, if not targeted, attack. Stuxnet and its siblings Duqu, Flamer and Gauss are sophisticated pieces of malware, yet positive confirmation of their ownership and origin remains unproven. The same is true for the Medre Worm, which sent documents from Peruvian government contractors’ computers to mailboxes in China, and also the Georbot worm (which the Georgian government identified as being the work of a Russian hacker in the employ of his own government, although the government of Georgia has changed since that claim was made). We have also seen numerous targeted attacks against Tibetan NGOs traced back to Chinese computers.

All of these different cases around the world have one thing in common: we don’t really know who the masterminds behind the attacks were or where they are actually located. All we know is where the trail ended for our researchers. In the case of Stuxnet et al., trying to trace the origins of the malware came up with dead end after dead end. At one point the Georgian CERT (Computer Emergency Response Team) seems to have had the best luck in identifying their attacker, but however strong the evidence was against him, the evidence they provided of his ties to nation-state action was still circumstantial.

The fact is, it can take months, if not years, of careful detective work to follow the digital trail of malware back to its point of origin, and plenty of additional research to overlay data about the attackers behind it (identity, location, affiliations, accomplices and so forth). And in many cases that intelligence is never located.

In the case of the current round of targeted attacks, while we do see some careful targeting of victims, that’s not particularly unusual these days. See ESET’s A Pretty Kettle of Phish white paper written by David Harley and Andrew Lee in 2007 for a description of spear phishing. As Jean-Ian Boutin noted in his blog post, the malicious software created by the attackers for this campaign was childishly simple, exploiting vulnerabilities long since patched, lacking any of the mechanisms normally used in malware to prevent analysis, with the exception of using a Caesar cipher to encrypt some of the text strings in the binary files; a technique I learned about in the third grade of elementary school. Likewise, the network of C&C (command and control) servers, drop zones and domain registrations shows a similar lack of security, with data about them generating evidence to link specific organizations to this campaign.

All of this “evidence,” a series of near-continuous poor choices building upon each other from the design of the malware to the building of its exfiltration networks, seems more like the work of skiddies than the work of a competent, if criminal, hacker. In fact, the information gathered about the attackers so far seems so strong and incontrovertible—especially when compared to other targeted attacks—that we cannot help but wonder if it was specifically planted in plain sight in order to divert attention or otherwise mask the identity of the true attacker.

The one remaining puzzle is how this targeted campaign was successful for so long. While bits and pieces of it have now been detected for several years, the campaign as a whole went unexamined until last year: one does not expect amateurish malware to be the hallmark of a targeted attack, let alone one that is nation-state sanctioned. The defenders must also take some of the blame, for failing to follow basic information security guidelines such as keeping systems up-to-date, examining logs and network traffic for suspicious behavior, using security software and so forth. While none of these measures guarantee protection against a determined adversary, practicing them does allow an organization to greatly reduce the attack surface of its computers.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Healthcare IT: seeking better outcomes through smarter security
http://www.welivesecurity.com/2013/06/14/healthcare-it-better-outcomes-through-smarter-cybersecurity/
Fri, 14 Jun 2013 06:33:24 +0000 – Stephen Cobb

Security of data in healthcare IT systems is critical to patient care and patient trust, yet on average data on 17,000 patients is exposed every day in America due to security breaches. Why is this and what does it portend for initiatives like telemedicine?
If there is one thing that unites antivirus researchers it is a determination to enable the most productive use of information technology by beating back the limitations imposed by bad actors. No, we’re not talking about the kind of bad actors you find in straight-to-video movies, but bad people who commit immoral and illegal acts in the selfish pursuit of their own agendas, like infecting your computer with their malicious code.

Clearly, the abuse of technology reduces the productivity gains possible from technology, but does this mean we should delay deployment until all abuses can be ruled out? This is a critical question faced by organizations in many fields, none more so than healthcare, a sector that has seen rapid growth in the deployment of digital systems aimed at delivering better medical care at lower cost. Unfortunately, despite an explicit regimen of rules aimed at safeguarding the privacy and security of patient data in the U.S., the sector is currently rife with security breaches.

If you examine the breaches of unsecured protected health information since late 2009, as reported by the U.S. Department of Health and Human Services, you can see that more than 17,000 records have been exposed every day, on average, for more than three and a half years. No wonder that a Washington Post headline late last year proclaimed: Health-care sector vulnerable to hackers. The article includes a pretty damning quote from Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University:

“I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

A case in point: telemedicine

One area of healthcare where this security shortfall is apparent is telemedicine, the practice of electronically connecting geographically separate doctors, patients, and other elements of healthcare delivery. Telemedicine is not new, but it’s now growing faster than ever before. Right now, the pressure on telemedicine to deliver both health benefits and cost savings has never been greater. As a result, the global telemedicine market is expected to grow by nearly 20% per year for the next few years, on track to exceed $27 billion by 2016. America probably represents more than a quarter of that market, around $7 billion. Such a rapid pace of technology deployment, particularly one which is partially driven by changes in industry regulation, tends to ring alarm bells for information security professionals because of a long history of unhappy consequences.

Consider the electronic filing of tax returns, first introduced in 1986, and from which telemedicine could learn some lessons. Recently, Treasury Secretary Jack Lew testified that more than 80% of Americans now file their tax returns electronically, “saving the Department [the IRS] millions of dollars every year.” Sounds like a success story, right? Unfortunately, Lew avoided mentioning that in July of last year the Treasury Inspector General for Tax Administration estimated fraudulent tax refunds made possible by electronic filing have already cost the Treasury $5.2 billion. Furthermore, over $20 billion in potentially fraudulent refunds could be issued, electronically, in the next five years.

These are not theoretical losses. In cities like Miami and Tampa we’ve seen multiple cases of criminals “earning” a million dollars or more, each, from such schemes, which rely on a form of identity theft. Why is this relevant to telemedicine? Because it tells us that any security vulnerabilities in telemedicine technology that can be used to make money will eventually be exploited, mercilessly and at scale. It also tells us that building security into systems from the outset works way better than bolting on security after technology has been deployed (think healthy lifestyle preventing heart disease versus fixing up a diseased heart).

A trio of symptoms

So, what are the chances that telemedicine will succeed in maintaining the confidentiality, integrity, and availability of health-related information in the foreseeable future? Right now, they do not look good, and I base that assessment on three symptoms:

1. The sad state of healthcare security in general

You need look no further than the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, published in late 2012, to know that all is not well:

“Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) or patient information…The consequence of not having adequate funding, solutions and expertise in place is clear. Since first conducting this study in 2010 the percentage of healthcare organizations reporting a data breach has increased and not declined.”

During the rollout of the HIPAA privacy and security rules a decade ago, I had the pleasure of working with Dr. Larry Ponemon and know that he does not jump to conclusions or make casual assessments. The above is his considered opinion and it is a chilling one when you flesh it out with statistics like the percentage of organizations in the study that had at least one data breach in the past two years: 98%. Indeed, the average number of breach incidents for each participating organization in the past two years was not one or two, but four. Clearly, the existence of a framework of privacy and security regulations and fines has not forced healthcare institutions to do a stellar job of protecting patient data.

2. Historic lack of focus on security within telemedicine

The systematic review of telemedicine literature published in 2011 by Garg and Brewer made it pretty clear that the sector was not yet living and breathing security in the way it must if it wants to survive exposure to the malicious elements that will eventually attack it:

“There is a dearth of standardization in telemedicine security across all chronic illnesses under study. It also appears that many telemedicine researchers are unfamiliar with the field of security in general.”

While there may be products and services in development to help telemedicine protect patient data, the anecdotal evidence is not promising. At a recent healthcare IT conference I spoke to a representative of a company that sells secure medical report delivery systems for doctors and hospitals. When I asked him how most doctors deliver medical reports he said 60% send them as faxes, a method which he characterized as “the slowest, most expensive, and least secure”.

Just yesterday the Wall Street Journal reported that the U.S. Food and Drug Administration has asked medical-device makers to fortify products against hackers and malware, citing “a recent uptick in cybersecurity incidents affecting equipment such as patient monitors and imaging devices”. (Further reading: ESET’s coverage of the story here and David Harley on the security of medical devices.)

3. The emergence of the malware industry

While factors 1 and 2 would be bad news enough for telemedicine, the third factor, the emergence of a sophisticated malware industry, is perhaps the scariest. Why? Because it is not yet on the radar of enough people in the world of healthcare IT. Indeed, right now there are not enough people in general who know that all it takes to engage in cybercrime is a lack of ethics and a basic knowledge of how to surf the web.

In recent years we have entered a new phase of digital malfeasance, in which all of the elements you need to rip off people and companies, from malware to mules, are available to rent or buy in a system of markets. For those not familiar with the jargon of this thriving underworld that exists just below the surface of the web, malware is malicious code, the software that infects and suborns digital devices, from desktops to smartphones, laptops to tablets, card readers to web servers. Mules are the people who turn fake credit cards into cash, like the $45 million that was taken from ATM machines around the world earlier this year, in a matter of hours.

Thanks to these markets, and the natural processes of specialization and division of labor that they foster, the people who write the elements of malicious code – the droppers, bootkits, rootkits, keyloggers, exploit packs, DDoS modules, spam modules, obfuscators, packers, and injection scripts – have been able to focus on what they do best, then sell their wares and services to the highest bidder, in most cases with very little risk of detection, let alone prosecution. That means new exploits can be developed and deployed quicker than ever. (Here are my slides and notes on this industrialization of malware.)

As soon as they figure out how to profit from compromising the massive amounts of data flowing through telemedicine systems, the bad guys will attack that “market” with the same vigor we have seen in their exploitation of the banking system, retailers, telecom operators, and just about any business that handles a lot of money. The fact that, in the case of telemedicine, malware-based attacks may put people’s lives at risk will pose no impediment to their perpetrators.

Healthcare IT Security Prognosis

Despite some media stereotypes, security researchers tend to be big fans of technology, and I can see the enormous benefits to people and society that could be reaped from telemedicine. The President of the American Telemedicine Association, Edward Brown, MD, recently pointed to exciting new initiatives “like ACOs, Medicare re-admission penalties and the medical home – programs that need telemedicine at their core – including telehomecare, remote monitoring, text messaging, videoconferencing and eConsultation.”

Yet there is one set of bars in a chart in the Ponemon study that tells me the task of realizing these benefits in a safe and sustainable way is not going to be easy. It shows the percentage of healthcare data security incidents classified as criminal attacks. That number rose from 20% in 2010 to 33% in 2012. I fear we are seeing the result of too little security expertise applied too late. Whether it is healthcare in general, or telemedicine in particular, failing to respond adequately to this situation could have painful and tragic consequences for an industry full of promise.

Note: Portions of this article first appeared in the San Diego Business Journal.

Cyber attacks “erode world economic growth”, says former White House official
http://www.welivesecurity.com/2013/06/14/cyber-attacks-erode-world-economic-growth-says-former-white-house-official/
Fri, 14 Jun 2013 05:01:21 +0000 – Editor
Cyber attacks are damaging the world economy, a former White House official has warned, and leading economies need to put aside political differences to deal with the threat.

“We have made cybersecurity one topic when it is many. Countries can’t see eye-to-eye on what is most important and what needs to be done first,” said Melissa Hathaway. Hathaway was Director of the Joint Interagency Cyber Task Force under George W Bush, and also worked for the Barack Obama administration.

“We need to start to talk about this as gross domestic product loss, and the instability of the financial institutions we are all dependent on as a global economy,” Hathaway said in an interview in Tel Aviv, reported by Bloomberg.

Hathaway urged the G20 group of finance ministers and central bank governors to focus on the damage done.

“If you couch the conversation on the economy and not in espionage and warfare, we can all agree. The economy is common and safe ground. Until this is on the agenda of the G20, we aren’t going to make progress,” said Hathaway. “It is the most effective in talking about economic stability and overall growth, health and wellbeing of the world.”

Hathaway estimated in a report that governments and consumers lose $125 billion to cyber attacks annually. Hathaway pointed to research showing that countries such as the UK lose $42.4 billion a year to cybercrime, with officials admitting that 3% of GDP was lost due to security issues.

FDA issues cyber attack warning over 300 medical devices
http://www.welivesecurity.com/2013/06/14/fda-issues-cyber-attack-warning-over-300-medical-devices/
Fri, 14 Jun 2013 04:37:55 +0000 – Editor
Medical devices including heart defibrillators, patient monitors and anaesthesia devices include a dangerous password vulnerability which could be exploited by cyber attackers, according to a warning issued by the Food and Drug Administration (FDA).

The vulnerability affects 300 medical devices made by approximately 40 vendors, according to two reports, issued simultaneously by the FDA and Industrial Control Systems Emergency Response Team (ICS-CERT).

“The vulnerability could be exploited to potentially change critical settings and/or modify device firmware,” ICS-CERT says in its statement about the medical device vulnerabilities. “ICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability.”

Both organisations are working directly with device manufacturers to mitigate the threat. The vulnerability affects “most” medical device manufacturers, according to a report in Ars Technica. ICS-CERT suggested that hospitals should, “Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.”

The FDA said in its statement, “The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.”

Iranian election phishing campaigns thwarted by Google
http://www.welivesecurity.com/2013/06/13/iranian-election-phishing-campaigns-thwarted-by-google/
Thu, 13 Jun 2013 18:59:23 +0000 – Editor
Google claims to have spotted and disrupted several phishing campaigns in Iran – attempts to compromise tens of thousands of email accounts in the run-up to the country’s presidential elections this Friday.

Google says the attacks originate within Iran – and claims to have disrupted previous attacks by the same group.

Writing on Google’s Security Blog, Eric Grosse said, “For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users.”

“These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.”

Google said that what appeared to be the same group had previously misused SSL certificates to conduct attacks against Iranian internet users in 2011, but that this wave of attacks appeared to be “more routine”.

Users were directed to a fake Google sign-in page, which harvested passwords and usernames. Google’s post did not elaborate on how attackers might be using the data.

Friday’s election is set to be critical for the country. Current incumbent Mahmoud Ahmadinejad is not permitted to stand for a third term, and voters will choose between six new candidates.

Secure passwords – could sticking your tongue out be the password of the future?
http://www.welivesecurity.com/2013/06/13/secure-passwords-sticking-your-tongue-out/
Thu, 13 Jun 2013 11:25:51 +0000 – Editor
A new era of secure passwords could be upon us with a facial password system that can unlock phones using facial expressions – with users required to stick tongues out or frown at the camera instead of typing a password.

Google has filed a patent for a secure password system which would require specific facial gestures to unlock Android devices – preventing the current Face Unlock utility being fooled by photos of the user.

The system would prompt users to perform actions such as a frown, sticking a tongue out, smiling with an open mouth or moving an eyebrow. It would then compare the position of a “facial landmark” in frames taken from a video stream to come up with a “liveness score”.

Google’s patent suggests that the system could be augmented with other technologies, such as a “3D rangefinder” and “technologies such as lasers to determine distances to remote objects, depth of remote objects.”

The patent also suggests that phones could “emit light beams having different colours or frequencies, that are expected to induce in the eyes of a user a reflection of light having a corresponding frequency content”.

ESET Senior Research Fellow David Harley says in a blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Banks “ignore early warnings” of cyber attacks, says Australian security chief
http://www.welivesecurity.com/2013/06/07/banks-ignore-early-warnings-of-cyber-attacks-says-australian-security-chief/
Fri, 07 Jun 2013 04:06:36 +0000 – Editor
Banks often ignore the early signs of impending cyber attacks, according to an Australian bank’s head of cybersecurity.

Banks should look to spam emails and their own server errors as a source of information, says Nicholas Scott of National Australia Bank (NAB), speaking at the RSA Conference Asia-Pacific in Singapore.

“These signs are all there. They’re probably sitting in half of your systems today, but you’re ignoring either as anomalies or errors, or you’re ignoring them because it’s spam and it’s annoying,” said Scott, in a report by ZDNet. “It’s there; you’ve just got to look for the information.”

Spam is a “gold mine”, Scott said. Scott claimed to own 15 fake online businesses as a “honeypot” to collect attack data, as reported by IT News.

“We mine it and go, ‘Oh, look at that, CitiBank, Bank of America, and JP Morgan are starting to be phished, and there’s a new payload.’ I can tell you now, that payload is coming to me in the next month or two,” said Scott. Scott advised that businesses keep a record of spam and use the information to tweak systems in advance of attacks.

Scott also says that banks should watch for online forms being filled in suspiciously quickly, or in the wrong order – as this can be an early warning of attackers performing reconnaissance against their systems.

“If I was expecting five fields to come back and six fields get posted, I immediately want to go and freeze the account of that customer, because that customer is being owned,” said Scott. Server errors can also offer information on attackers’ plans.

“Please don’t throw the errors away. Collect them and have a look at them, because I think you’re in for a bit of a surprise. You’ll actually find that these errors are people trying to do things that your system doesn’t recognise, and it’s the first sign that they are trying to do something.”
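The form-submission checks Scott describes (extra fields posted, fields arriving out of order, a form completed faster than a person could fill it in), written out as an added detection example; this is not NAB's code, and the field names, the three-second threshold and the sample posts are all constructed for illustration.

```python
"""Early-warning checks on web form submissions, as suggested by Scott above.

Added example, not National Australia Bank's code. The form fields, the
timing threshold and the sample POST bodies are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qsl

# Hypothetical payment form: the five fields the server expects, in DOM order.
EXPECTED_FIELDS = ("username", "password", "account_id", "amount", "payee")
# Assumption: a person rarely completes five fields in under three seconds.
MIN_FILL_SECONDS = 3.0


@dataclass
class Submission:
    client: str           # customer / session identifier
    rendered_at: float    # server time (seconds) when the form was served
    posted_at: float      # server time (seconds) when the POST arrived
    fields: List[str]     # field names in the order they appeared in the body


def parse_form_body(body: str) -> List[str]:
    """Return the field names of a urlencoded body in the order posted.

    parse_qsl preserves order, which is what the ordering check relies on;
    values are deliberately discarded so no credentials are kept in memory.
    """
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def check_submission(sub: Submission,
                     expected: Tuple[str, ...] = EXPECTED_FIELDS,
                     min_seconds: float = MIN_FILL_SECONDS) -> List[tuple]:
    """Return (reason, detail) alerts for one submission; [] means clean."""
    alerts = []
    posted = set(sub.fields)
    expected_set = set(expected)

    # "Expecting five fields and six get posted": anything the form never had.
    extra = sorted(posted - expected_set)
    if extra:
        alerts.append(("unexpected_fields", extra))

    # A browser always submits every named input; a hand-built request may not.
    missing = sorted(expected_set - posted)
    if missing:
        alerts.append(("missing_fields", missing))

    # Browsers post inputs in DOM order, so a reordered body was not produced
    # by the page the server rendered.
    posted_order = [f for f in sub.fields if f in expected_set]
    dom_order = [f for f in expected if f in posted]
    if posted_order != dom_order:
        alerts.append(("field_order", posted_order))

    # Render-to-post latency below what a person needs points to automation.
    elapsed = sub.posted_at - sub.rendered_at
    if elapsed < min_seconds:
        alerts.append(("too_fast", round(elapsed, 2)))
    return alerts


def triage(submissions: List[Submission]) -> dict:
    """Map client id to its alerts for every submission that tripped a check."""
    flagged = {}
    for sub in submissions:
        alerts = check_submission(sub)
        if alerts:
            flagged[sub.client] = alerts
    return flagged


# Constructed sample traffic: one normal post, one with an extra field posted
# under a second after render, one with the fields in a non-browser order.
SAMPLE_POSTS = [
    Submission("cust-1", 100.0, 118.4, parse_form_body(
        "username=a&password=b&account_id=1&amount=5&payee=x")),
    Submission("cust-2", 200.0, 200.6, parse_form_body(
        "username=a&password=b&account_id=1&amount=5&payee=x&x_extra=1")),
    Submission("cust-3", 300.0, 340.0, parse_form_body(
        "payee=x&amount=5&username=a&password=b&account_id=1")),
]

if __name__ == "__main__":
    for client, alerts in triage(SAMPLE_POSTS).items():
        print(client, alerts)
```

Each alert is a signal to investigate or, as Scott puts it, to freeze the account, not a verdict on its own; tune the threshold against your own render-to-post timings before acting on it.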

British Prime Minister warned over Huawei security risks
http://www.welivesecurity.com/2013/06/06/prime-minister-warned-over-huawei-products-in-british-telecoms-networks/
Thu, 06 Jun 2013 18:00:45 +0000 – Editor
British Prime Minister David Cameron has been warned that telecoms equipment made by Chinese firm Huawei should be tested by security services to protect against potential cyber attacks.

The parliamentary Intelligence and Security Committee is expected to highlight the central role played by Chinese company Huawei in Britain’s telecoms network, and recommend measures to identify where its products are in use, according to a Yahoo! report.

Last year, a U.S. Congressional report labelled Huawei a “national security threat”, according to the Washington Post. The Chinese company has been the subject of national security concerns in several countries including Australia and India. ESET Security Evangelist Stephen Cobb said in an earlier piece relating to Huawei, “There is no cheap or easy fix for an attack carried out at the switch and router level.”

Huawei won a contract to supply equipment to BT for a network backbone upgrade in 2005. Its products are also used by cellphone networks such as EE in the UK. Questions were raised by government ministers when Huawei was awarded the contract, according to The Register. The company is headed by Ren Zhengfei, a former telecoms research chief in the People’s Liberation Army.

Huawei denies that it is linked to the Chinese Communist Party, and says that its equipment cannot be used to steal information.

The committee is expected to recommend that future British contracts relating to “critical infrastructure” have to be approved at ministerial level, and that Huawei’s facility in Banbury, Oxfordshire, should be overseen by security services. The committee is also expected to recommend that Britain’s telecoms network should be audited to identify where Huawei products are in use.

FBI and Microsoft break up $500 million Citadel botnet http://www.welivesecurity.com/2013/06/06/fbi-and-microsoft-break-up-500-million-citadel-botnet/ http://www.welivesecurity.com/2013/06/06/fbi-and-microsoft-break-up-500-million-citadel-botnet/#comments Thu, 06 Jun 2013 17:43:21 +0000 Editor http://www.welivesecurity.com/?p=22039 Microsoft and the FBI have broken up a large portion of the Citadel botnet - a network which had stolen $500 million from bank accounts in 90 countries around the world by installing keylogger software on five million machines.

The post FBI and Microsoft break up $500 million Citadel botnet appeared first on We Live Security.

Microsoft and the FBI have broken up a large portion of the Citadel network – a group of botnets which had stolen $500 million from bank accounts in 90 countries around the world by installing keylogger software on five million machines.

“Microsoft executed a simultaneous operation to disrupt more than 1,400 Citadel botnets, which are responsible for over half a billion dollars in losses to people and businesses worldwide,” said Richard Domingues Boscovich of Microsoft’s Digital Crimes Unit.

Working with banking organisations in the U.S., Microsoft filed a civil suit against the operators of the Citadel botnet. This week, the company received authorization from the U.S. District Court for the Western District of North Carolina to cut off communication between 1,462 networks and millions of infected machines.

“Due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,” said Boscovich in a blog post. “However, we do expect that this action will significantly disrupt Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.”

Infected machines had been blocked from visiting many legitimate antivirus/anti-malware sites, meaning that the infection was hard to remove. Microsoft says there was also a link with fraudulent product keys for Windows XP.
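Blocking a victim from reaching antivirus and update sites is a cheap way for banking malware to protect itself, and one place a practitioner checks first is the hosts file, since a redirect there silently overrides DNS for every browser and updater on the machine. The following is an added example, not code from the article or from Microsoft's operation, and it does not claim this is the exact mechanism Citadel used: it audits a hosts file for entries naming security-vendor or update domains, which a clean hosts file has no reason to contain. The vendor list, the sample hosts file and the addresses in it are constructed for illustration.

```python
"""Audit a hosts file for entries that blackhole or redirect security-vendor
and update domains. Added example; the vendor list and the sample file are
constructed, and hosts-file tampering is assumed as one possible mechanism."""
import os
import sys

# Constructed sample hosts file (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.eset.com
127.0.0.1       update.symantec.com
0.0.0.0         download.microsoft.com
192.0.2.55      www.mybank.example   # unrelated entry, not a vendor domain
"""

# Domains a clean hosts file has no reason to mention (assumed, deliberately short list).
PROTECTED_SUFFIXES = (
    "eset.com", "symantec.com", "kaspersky.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "microsoft.com", "windowsupdate.com", "avast.com", "avg.com",
)
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank lines and extra
    aliases on one line are all handled the way the resolver handles them."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()


def is_protected(host):
    """True if host is, or is a subdomain of, one of the protected suffixes."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijacks(text):
    """Return [(hostname, address, reason)] for every protected domain present.
    Loopback/null addresses mean the site is blackholed; anything else means
    traffic to that vendor is being redirected to a host the attacker chose."""
    findings = []
    for addr, host in parse_hosts(text):
        if host == "localhost" or not is_protected(host):
            continue
        reason = "blackholed" if addr in LOOPBACK_OR_NULL else "redirected"
        findings.append((host, addr, reason))
    return findings


def default_hosts_path():
    # Standard locations; SystemRoot is read so a relocated Windows install still works.
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError as exc:
        print(f"could not read {path}: {exc}; auditing the constructed sample instead")
        text = SAMPLE_HOSTS
    for host, addr, reason in find_hijacks(text):
        print(f"{reason:10} {host:30} -> {addr}")
```

On the constructed sample the three vendor entries are reported as blackholed and the unrelated bank entry is ignored. The caveat is that the hosts file is only one of several places a bot can cut a victim off from help: a filter driver, a Winsock LSP, a browser helper object or a proxy setting achieve the same thing and leave this file clean, so an empty result here clears the hosts file, not the machine.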

“Microsoft found that the cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating a continued connection between software piracy and global cybersecurity threats,” the company said in a statement.

“Crimes used to happen through stickups, but today criminals use mouse clicks,” said Greg Garcia, a consultant and former Department of Homeland Security cyber official, acting as a spokesman for three major financial industry associations who worked with Microsoft. “This action aims to stop the ongoing harm of these Citadel botnets against people and businesses worldwide, and you can be assured that we will continue to partner with the public and private sectors to help financial institutions protect our customers from threats like this.”

Six months with Windows 8 (white paper) http://www.welivesecurity.com/2013/06/06/six-months-with-windows-8-white-paper/ http://www.welivesecurity.com/2013/06/06/six-months-with-windows-8-white-paper/#comments Thu, 06 Jun 2013 09:00:52 +0000 Aryeh Goretsky http://www.welivesecurity.com/?p=21981 ESET security researchers release white paper looking at the first six months of Windows 8. Just how secure is Microsoft's new operating system?

The post Six months with Windows 8 (white paper) appeared first on We Live Security.

When Windows 8 first came out, ESET was the first to publish a white paper looking at its security features. In the intervening half-year we have continued our research, observing how well Windows 8 is doing from a security perspective, as well as how it is being adopted by our customers. As a result of that continuing research, we have released a new paper detailing our observations from the first six months.

Here are some of the key findings from the first six months with Windows 8:

  • About 3.3% of ESET’s 100M+ customers have adopted Windows 8. This is a slightly higher adoption rate than most organizations tracking Windows 8, such as Net Applications, have reported, but lower than that of at least one source, Valve, which collects its data from gamers’ PCs.
  • The replacement of the Start Menu with the Start Screen has generated a whole new ecosystem of Start Menu substitutes, which offer the more traditional interface that many people seem to appreciate. ESET does not treat these programs as malware or PUAs simply because of that functionality, but keep in mind that such a program could still contain malware, be bundled with potentially unwanted software, or engage in other behavior that gets it classified as a threat, or as an unsafe, unwanted or suspicious application.
  • No malware was identified in the Windows Store, which now has about 60,000 apps. There have been problems with fake apps in the Windows Store, though, as well as ebook piracy. The current nature of the Windows Store may be hampering Windows 8’s acceptance in BYOD scenarios because of manageability or legal concerns on the part of corporate customers.
  • Windows 8’s UEFI Secure Boot process appears to be intact, with no signs so far that malware has bypassed it.
  • Windows RT ships with a somewhat hidden copy of the Windows Defender app. Like its counterpart in Windows 8, it provides a base level of security for the operating system; unlike the Windows 8 version, it cannot be replaced by another solution.

For more information, you can download the white paper directly at Six Months with Windows 8 [PDF, 787KB] or to see all of ESET’s white papers, click on the Papers tab, above.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher


Are you using Windows 8 yet? What’s been your experience so far, security-wise? Has Windows 8 been more secure or less secure for you than your previous version of Windows? If you are not yet running Windows 8, do you plan on upgrading for its increased security?
