06 May 2013
The Syrian Electronic Army has hacked the Twitter account of satirical news website the Onion.
Early reports had the hack pegged as a bit of satirical comedy from the site. However, a picture from the Syrian Electronic Army seems to validate reports that the Onion was indeed hacked.
Among the villainy performed by the hackers was a picture of the group's logo posted on the Onion's Twitter page. The Syrian Electronic Army also tweeted out a slew of tweets displaying Onion articles before their actual posting.
The Onion, being the comedy site that it is, took the hack in good fun. Following the hack, the site posted stories recommending the best practices to avoid getting hacked and a reminder that the firm had changed its password.
"Reduce interest in your website by cutting down on stories about very popular subjects, such as Syria," read one of the website's anti-hacking tips.
Hacks on Twitter have led to calls for two-factor authentication on the social networking site. Following the requests, Twitter has been said to be working towards bringing the feature into the fold later this year.
While two-factor authentication is a good option, we don't think the Onion will mind going without for a few months. The satirical news site seems like a terrible company to go after with a hack. The Onion, more than any other site, seems capable of turning a cyber attack to its advantage.
Following the high-profile compromise of the Associated Press Twitter account, the microblogging service is said to be mulling some major security changes.
According to a Wired report citing company sources, Twitter is now working to introduce a two-factor authentication option which can help to prevent account theft from phishing attacks. After hearing how the AP incident occurred, such protections are more than welcome.
In the aftermath of the breach, which resulted in fraudulent claims that the White House had been bombed and President Obama had been injured, staffers reported receiving some suspicious emails which were later found to be connected to a phishing attack.
It seems that the Syrian Electronic Army used a series of targeted phishing emails to harvest the credentials of AP staffers and eventually gain access to the company's main Twitter account. The stolen password was then used to access the account and launch a hoax that managed to temporarily disrupt the stock market.
If the reported series of events is true, then the AP hack could have been easily thwarted, and if reports on new developments are to be believed, it soon will be.
Wired has posted a report which claims that Twitter will soon be launching a two-factor authentication platform. The site uncovered a job report from earlier this year which would suggest that additional protections would soon be arriving.
Why is that so important? Two-factor authentication ties the account credentials and log-in to the actual holder. The platform not only requires a username and password, but also a numerical code which is randomly generated and then sent to a user's mobile phone for one-time use.
It's not hard to see how this can help to protect users. Even when a username and password are harvested, the attacker would have to steal the mobile device of a user in order to access an account. This can dramatically reduce the number of attacks, especially high-profile breaches, which result from phishing.
Of course, in order to be effective, these efforts have to be put in place. Corporate accounts will have to identify a single manager who can receive and provide the one-time credentials for protected accounts, and that may prove to be another headache for corporate marketing and public relations teams who share an 'official' Twitter feed.
McAfee recently announced that it has begun to work with the National Institute of Standards and Technology (NIST) to strengthen cybersecurity infrastructure. The move is another reminder of public and private groups' efforts to shore up cybersecurity together.
The partnership, along with enterprise support of the revised CISPA bill, is another sign that private industry is willing to work with the government to slow cyber attacks.
Over the last few years, it has become clear that cyber security isn't just an enterprise issue. With news of the Chinese military perpetrating a variety of attacks on private industry, it is now obvious that many cyber threats affect both governments and corporations.
Hackers both large and small are now using the same methods for hacks. The recent Mandiant report on Chinese military hackings outlined the fact that military actors were using the same tactics as cyber criminals.
Through social engineering and patience, Chinese military hackers were able to get inside over 140 private enterprise systems. Those sorts of tactics are also used by independent cyber crooks.
The widespread use of advanced tactics is a key reason why companies and the government are finding it necessary to begin working together on the issue of cyber security. By partnering on the issue they can share information and work together to decipher potential threats.
However, the cross-industry work may also cause some privacy concerns for end users. Privacy advocates have continuously questioned CISPA because of its ability to let personal data get into the hands of government agencies without proper oversight.
According to advocates, the ability for companies to hand over data to government officials without any sort of oversight could cause problems on the privacy front.
On one hand, the unfiltered sharing of data between government and enterprise would drastically help the fight for cyber security. However, on the other hand, the open sharing could lead to data being used for the wrong reasons.
Both sides share fair points on the issue. And over time, hopefully, they will be able to come to a compromise that increases cyber security while addressing potential privacy concerns.
Unfortunately, the cyber attacks don't look like they will go away anytime soon. Cyber-espionage is only expected to grow over the years and hackers will continue to get more sophisticated over time.
Something will need to change to promote a stronger sense of information sharing. At the same time, hopefully, advocates will continue to fight for online privacy and stand their ground in the face of growing support in Silicon Valley.
17 Apr 2013
Twitter hacking is a serious issue. Take, for instance, the recent hack of National Public Radio's (NPR) Twitter account. NPR's account was hacked and erroneous tweets were sent out following the attack.
The slew of hacks makes it obvious that something needs to be done. Twitter called on its users to create stronger passwords in February, but that isn't enough. The company needs to take action and implement two-factor authentication for those that want to use it.
It's not a ground-breaking idea. Security experts have called on the firm to implement authentication for the last couple of years. Other companies like Microsoft even plan to use multi-factor authentication later this year.
Yet, Twitter has failed to get the memo (tweet?). At a time when more and more businesses begin to use Twitter for PR, something has got to be done. Enterprise can't have hackers getting a hold of their feeds and sullying their names. It's bad for business, both Twitter's and the users'.
It's becoming clear that something is wrong. Even the words "#IveBeenHacked" have become something of a meme on the micro-blogging site.
Luckily, something may be on the horizon. Earlier this year, a Twitter job posting popped up calling for a software engineer to build multi-factor authentication.
The job posting looks to be leading to some sort of security update. Hopefully, it comes sooner rather than later.
12 Apr 2013
The Cyber Intelligence Sharing and Protection Act (CISPA) is back again. Rising from the ashes of a failed Senate vote, the bill has found renewed life thanks to the House Intelligence Committee.
Committee members approved the bill by an 18 to two vote. This go-around includes amendments which supporters say resolve issues with the bill.
Of course, opponents once again disagree. Advocacy groups and the White House continue to express alarm over the bill's failure to address privacy concerns.
Opponents' issues with the bill are the same ones they had last year when the original CISPA bill died on the Senate floor. They fear that a lack of governmental oversight will cause defence agencies to use personal user data for the wrong reasons.
The issues remained unresolved because of proponents of CISPA who say the government needs to be able to handle whatever data they do receive with as little bureaucratic interference as possible.
Both sides have their points and both sides will be fighting for a compromise. CISPA, or something like it, will keep cropping up because both the government and private enterprise have too much riding on some sort of data-sharing initiative.
With reports of state-sponsored cyber-attacks on the rise and the constant threat of local hackers, CISPA is an important piece of legislation for the tech lobby.
Unlike SOPA, which didn't have the support of Silicon Valley, CISPA is technology company approved. SOPA was made for the entertainment industry and its bid to fight piracy. CISPA (and new-CISPA) isn't really about piracy. It's about cyber attacks.
The bill lays the groundwork so private industry can share cyber-threat intelligence without the possibility of getting sued. With CISPA, Facebook can send data about a local cyber-attack to the DOD so it can be informed and alert other tech companies of the threat.
In its current form, the DOD can also use that data in broad strokes. For example, it can pick up personal information that was received from a Facebook security data dump and use it for non-cyber threat purposes.
New-CISPA discourages that sort of tactic. However, what exactly constitutes a cyber-threat is currently an expansive definition.
The bill is making its rounds to Congress next week. It may get passed there but will most likely fail in the Senate. From that point it will either revive itself with amendments or its ideas will be reinterpreted in another bill.
Some sort of data-sharing act will keep coming and with the right opponents may come out with stronger privacy protections. How a data-sharing bill turns out will be determined by who ends up fighting for and against it.
Over the course of the coming year it will be interesting to see how bills like CISPA evolve. It will be interesting to see how the public debate grows and changes. There's no telling how it's going to turn out, but it's becoming obvious that it isn't going away.
Hackers are consistently breaching enterprises' systems by going after the end user through the use of things like phishing attacks. Even as security technologies are getting smarter, hackers are going after the one thing that hasn't improved: the end users' security knowledge.
Even the major attacks on Apple and Facebook last month started because of a human error. High-value users were sought out by hackers and attacked through clever social engineering.
No matter how good cyber security tools get, a lack of education for the end user will mean that attacks never dissipate. Attacks will always exist but better education will at least make it harder for hackers to get the job done.
During this year's RSA conference, security researchers repeatedly called out hackers as "lazy", meaning, in essence, that a hacker will use the easiest and most efficient methods to get what they want.
In the case of enterprise security, the easiest method to get what they want is a socially engineered attack on an end user. The only way to at least slow down these "lazy" hackers is to train an end user about what not to do on the web.
A recent Microsoft study highlighted the issue of end-users downloading their own software on business computers. According to the study, 57 percent of end-users download software on company systems.
If those end users don't have some kind of grasp on cyber security, they are likely to download dangerous software. That risk is backed up by the fact that those end users who downloaded software ended up putting malware on company computers 21 percent of the time.
That is an alarming statistic. Not just because end users were putting bad software on company machines, but because they had no idea they were doing it.
This idea that a firewall and frequent updates will save a company from cyber attack is now dead. Hackers are smarter and end users have stayed the same. The time has come for companies to get serious about security training.
That doesn't mean some handbooks and an educational video. To really train end users, companies need to get involved, create periodic education labs, and implement programs that constantly keep users aware of the threats they face.
An educated person should be able to spot a phishing attack. An educated person should be able to know the difference between bad software and clean software. But today's end users are not educated about cyber security.
It's time for enterprise to stop focusing on the latest attacks and the newest security tools. To really get ahead of hackers in the cyber security war, enterprise needs to fortify its systems at their base by educating its employees.
Over and over again we've heard security vendors and government workers warn that hackers currently have the upper hand in their ongoing game of cat and mouse with law enforcement agencies.
Big names like F-Secure, RSA and even the UK GCHQ have openly said that current privacy, geographical, political and even educational roadblocks mean that things are easier for the blackhats than the whitehats.
After all, what realistically can any law enforcement agency do when it links a cyber scam or black marketplace to a Russian or Chinese gang safely nestled in their extradition-blocking homelands?
In these situations, the best companies can do is work to remotely take down the operation, either by working with local law enforcement to seize the servers or by mounting a sinkhole operation.
This tactic has been used to great effect by numerous companies, like Microsoft and Symantec, which recently reported successfully taking down the Bamital botnet by seizing control of its command and control servers.
However, while a positive move on the part of Microsoft, these takedowns are only band-aids to the wider problem posed by cyber crime.
After all, as demonstrated by the recently resurrected Kelihos botnet, following the takedowns there's nothing really stopping the gangs moving on and starting another cyber scam.
For this reason, when law enforcement do catch one of the cyber bad guys, we expect them to keep pretty tight tabs on them, making sure they don't get the chance to restart their nefarious activities.
However, it seems we've been giving law enforcement a wee bit too much credit.
On Monday it came to light that the teenage author of the stolen credit card store GhostMarket, Nicholas Webber, managed to not only get accepted into a prison IT class, but also hack into the prison's network.
Even more bewildering, reports have emerged suggesting the teacher running the class was never made aware of the youth's criminal record - hence how he was able to get on a computer in the first place.
It seems evident that this embarrassing turn of events could have easily been avoided if law enforcement and the prison service had shared information with one another.
Luckily this fact isn't lost on government officials, with both the UK Cabinet Office and European Commission having introduced plans to increase information sharing between law enforcement, government and industry regarding cyber threats.
Here's hoping these policies are introduced sooner rather than later so we don't let more hacking masterminds continue their schemes from behind bars, otherwise what's the point in any of the activity to try and stop them?
Written by V3's Alastair Stevenson
Twitter handle: @Monkeyguru
Now a group of researchers in New Zealand have come up with a biology-inspired method for detecting 'genetic' characteristics of malware, enabling it to recognise new variants, even if a signature for it has yet to be built.
Ajit Narayanan and Yi Chen of the School of Computing & Mathematical Sciences, Auckland University of Technology, Auckland, New Zealand reasoned that data mining techniques might be used to improve antivirus defences, by being able to understand whether a particular program was likely to be benign or potentially malware.
“One of the problems in applying automatic data mining techniques to malware code directly, even if it is available, is the variable length of the code, since most data mining and other machine learning techniques assume fixed length sequences with a column representing measurements of the same variable across many samples,” they explain in their research paper.
To get round this problem, the researchers developed a technique to turn malware hexadecimal signatures into amino acid representations. They then used established protein modelling systems to analyse the malware.
They tested out the system with the signatures of 60 computer viruses and 60 worms. This showed the system can be used to create genetic fingerprints for the malware, with far greater accuracy than is currently possible.
The researchers think it may ultimately allow them to build an algorithm that can analyse a program and work out whether it contains malware. The research was submitted to the arXiv repository.
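To make the idea concrete, here is an added sketch, not the researchers' code, of why re-encoding helps: once a hex signature is a letter sequence, sequence alignment can compare signatures of different lengths. The `AMINO` mapping is a hypothetical encoding (the article does not give the real one), Needleman-Wunsch alignment stands in for the "established protein modelling systems", and the byte strings are constructed samples.

```python
# Hypothetical mapping: each hex digit becomes one of 16 amino-acid letters.
# The article does not give the researchers' actual encoding.
AMINO = "ACDEFGHIKLMNPQRS"


def hex_to_protein(signature_hex):
    """Re-encode a hex signature as an amino-acid letter string."""
    cleaned = signature_hex.replace(" ", "").lower()
    return "".join(AMINO[int(digit, 16)] for digit in cleaned)


def align_score(a, b, match=2, mismatch=-1, gap=-2):
    """Needleman-Wunsch global alignment score; lengths may differ."""
    prev = [j * gap for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [i * gap]
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur.append(max(diag, prev[j] + gap, cur[j - 1] + gap))
        prev = cur
    return prev[-1]


def similarity(hex_a, hex_b):
    """Alignment score divided by the longer sequence's self-score (1.0 = identical)."""
    pa, pb = hex_to_protein(hex_a), hex_to_protein(hex_b)
    return align_score(pa, pb) / (2 * max(len(pa), len(pb)))


# Constructed byte strings for illustration, not real malware signatures.
KNOWN = "b8 00 4c cd 21 e8 00 00 5d 81 ed 03 01"
VARIANT = "b8 00 4c 90 cd 21 e8 00 00 5d 81 ed 07 01"  # one byte inserted, one changed
UNRELATED = "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff"

if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name}: {similarity(KNOWN, sample):.2f}")
```

An exact-match signature for `KNOWN` misses `VARIANT` entirely, while the alignment score keeps the two close and the unrelated sample far away.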