Tuesday, March 10, 2015

Suspected US Department of Defense Hacker Arrested in UK

An individual suspected of stealing data from a global communication system used by the US Department of Defense (DoD) has been arrested by officers of the National Crime Agency (NCA) in the UK.
The suspect, 23, allegedly breached a DoD network on June 15, 2014, and exfiltrated information from the Enhanced Mobile Satellite Services (EMSS), a system used to reach DoD employees around the world by email or phone.

Hacker boasted about the unauthorized intrusion

Although the incident reportedly did not result in the loss of sensitive information, the intruder managed to obtain contact details (names, titles, email addresses and phone numbers) for about 800 individuals, as well as the IMEI (International Mobile Station Equipment Identity) codes for about 34,400 devices; the IMEI uniquely identifies a handset, whether a mobile or a satellite phone.
The intruder apparently boasted about the intrusion and published on Pastebin screenshots of the database administration console, along with a message addressed to the Lizard Squad hacker outfit:
“We smite the Lizards, LizardSquad your time is near. We’re in your bases, we control your satellites. The missiles shall rein upon thy who claim alliance, watch your heads, ** T-47:59:59 until lift off. We're one, we're many, we lurk in the dark, we're everywhere and anywhere. Live Free Die Hard! DoD, DISA EMSS : Enhanced Mobile Satellite Services is not all, Department of Defense has no Defenses.”

Law enforcement cracked down on multiple suspects

The NCA did not identify the suspect by name. In the post announcing the arrest on Friday, the British law enforcement agency said that officers from its National Cyber Crime Unit (NCCU) took the suspect into custody on March 4 in Sutton Coldfield, West Midlands.
The operation was carried out with the help of the West Midlands Regional Organised Crime Unit and was part of a larger action targeting cybercriminals across the UK, which resulted in the arrest of 56 other individuals on suspicion of cyber-offences ranging from distributed denial-of-service (DDoS) attacks, fraud and development of malicious software to network intrusion and data theft.

Web Application Firewalls: Next Big Thing in Security


Web application firewalls, an especially critical component of enterprise security, become even more effective when combined with other emerging security technologies.

Over the last few years, attacks on the network layer have given way to attacks on web applications. With TLS now wrapping most traffic and applications moving to the web and cloud storage, conventional intrusion detection and prevention systems (IDS/IPS), which inspect traffic at the network and transport layers, cannot see what happens inside an HTTP request. That is why web applications have become the main arena for the contest between attackers and defenders.
Web application firewall (WAF) protection appears to be the next key direction in IT security. With WAF deployments spreading, the next step is to combine them with other technologies, such as dynamic application security testing (DAST) or the highly promising intrusion deception systems.

Web Application Firewall (WAF)

A web application firewall (WAF) intercepts HTTP requests and rejects those carrying attack payloads, such as SQL injection or cross-site scripting (XSS) attempts, which it typically recognises with regular-expression signatures. It works on the application layer (OSI Layer 7, the layer closest to the user), whereas an intrusion prevention system operates on the network layer (OSI Layer 3).

WAF configuration lets users block harmful content, and so prevent an attack, as well as identify the attacker. To choose a WAF that fits, consider these key selection criteria:
  • Protection against OWASP Top Ten;
  • Very few false positives (a legitimate request should never be blocked);
  • A powerful and easy-to-use learning mode;
  • Types of vulnerabilities it can prevent;
  • Both positive and negative security model support;
  • High performance;
  • Brute-force protection, etc.
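To make the positive and negative security models concrete, here is a small request inspector written for this article as an added example; it is not code from any WAF product. It assumes two constructed endpoints (`/product`, which has been profiled and therefore gets a positive model, and `/search`, which has not and so falls back to signatures), a hypothetical hand-written signature list, and bounded URL-decoding so that double-encoded payloads are not waved through. The last test input also shows why false positives matter: a harmless search for "trade union select committee" trips the UNION SELECT signature, which is exactly the kind of request a positive model for that endpoint would have allowed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Negative security model: signatures for payloads the WAF should refuse.
# Constructed for this example and deliberately small; production rule sets are far larger.
NEGATIVE_SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("xss-tag", re.compile(r"<\s*(script|iframe|img|svg)\b", re.I)),
    ("xss-event", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

# Positive security model: for endpoints that have been profiled, the only parameters
# allowed and the exact shape each one must have. Anything else is rejected.
# The /product schema is an assumption made up for this example.
POSITIVE_MODEL = {
    "/product": {"id": re.compile(r"\d{1,9}"), "lang": re.compile(r"[a-z]{2}")},
}

def normalize(value, rounds=3):
    """Undo (bounded) repeated URL-encoding so %253C is seen as '<' rather than '%3C'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    """Return ('allow' | 'block', reason). The positive model decides wherever one
    exists for the path; otherwise the negative signatures are consulted."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)   # decodes one level
    schema = POSITIVE_MODEL.get(parts.path)
    if schema is not None:
        for name, values in params.items():
            if name not in schema:
                return ("block", f"positive: unexpected parameter {name!r} on {parts.path}")
            for v in values:
                if not schema[name].fullmatch(normalize(v)):
                    return ("block", f"positive: {name}={v!r} violates schema")
        return ("allow", "positive: all parameters conform")
    for name, values in params.items():
        for v in values:
            for sig_id, pattern in NEGATIVE_SIGNATURES:
                if pattern.search(normalize(v)):
                    return ("block", f"negative: {sig_id} in {name}")
    return ("allow", "negative: no signature matched")
```

A real WAF also inspects headers, cookies and request bodies and applies many more transformations than plain URL-decoding, but the decision structure is the same: a strict allowlist where the application has been learned, signatures everywhere else.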

Combination of DAST and WAF

The next leap in WAF development is the combination of DAST and WAF. Dynamic application security testing scans an application by sending it requests, generated by a DAST scanner, that imitate an attacker's activity against the running service. The scanner (Burp Suite, OWASP Zed Attack Proxy) produces a report that then serves as the basis for WAF signatures.
Combining DAST with WAF gives an interesting feedback loop:
  1. WAF initiates a DAST scan of the resource
  2. DAST scans the resource and generates a report
  3. WAF pulls report and extracts vulnerability data
  4. WAF correlates vulnerability data for protection
With this approach, a DAST scanner update that introduces attack payloads not yet present in the signature database results in an automatic WAF update. Adding static security analysis would make the combination more effective still.
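Steps 3 and 4 of that loop, extracting vulnerability data from the report and turning it into protection, are what a practitioner usually calls virtual patching. The following is an added example written for this article, not the output of any real scanner or WAF. The report is constructed in a generic JSON shape (not ZAP's or Burp's actual schema), the alert-to-signature mapping is a hand-written assumption, and the ModSecurity-style rule text is an illustrative rendering that has not been run through ModSecurity. The point it makes that the prose does not: each generated rule is scoped to the exact path and parameter the scanner flagged, so the XSS patch on `/search` never inspects `/product`, and the generator refuses to emit a rule whose pattern would not even catch the scanner's own payload.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed DAST output in a generic JSON shape (not any real scanner's schema).
DAST_REPORT = json.dumps({
    "site": "https://shop.example",
    "alerts": [
        {"alert": "SQL Injection", "url": "https://shop.example/product?id=1",
         "param": "id", "attack": "1' OR '1'='1", "risk": "High"},
        {"alert": "Cross Site Scripting (Reflected)", "url": "https://shop.example/search?q=test",
         "param": "q", "attack": "<script>alert(1)</script>", "risk": "Medium"},
        {"alert": "X-Content-Type-Options Header Missing", "url": "https://shop.example/",
         "param": "", "attack": "", "risk": "Low"},
    ],
})

# Alert class -> pattern the WAF will enforce, but only on the parameter the scanner named.
# Assumed mapping for this example; a product would ship a far richer one.
SIGNATURE_FOR_ALERT = {
    "SQL Injection": re.compile(r"'\s*(or|and)\b|\bunion\b[\s\S]*\bselect\b|--|/\*", re.I),
    "Cross Site Scripting (Reflected)": re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.I),
}

def extract_findings(report_json):
    """Step 3: keep only findings that name a parameter and map to a signature class;
    header-hygiene alerts and the like are not something a per-parameter rule can fix."""
    findings = []
    for a in json.loads(report_json)["alerts"]:
        if a["alert"] in SIGNATURE_FOR_ALERT and a["param"]:
            findings.append((urlsplit(a["url"]).path, a["param"], a["alert"], a["attack"]))
    return findings

def build_virtual_patches(findings, base_id=100000):
    """Step 4: one rule per finding, scoped to (path, parameter). The 'text' field is an
    illustrative ModSecurity v2 chained-rule rendering of the same decision."""
    patches = []
    for n, (path, param, alert, attack) in enumerate(findings):
        sig = SIGNATURE_FOR_ALERT[alert]
        if not sig.search(attack):
            raise ValueError(f"signature for {alert!r} misses the scanner's own payload {attack!r}")
        rule_id = base_id + n
        msg = "'Virtual patch: %s in %s'" % (alert, param)
        text = (f'SecRule REQUEST_URI "@beginsWith {path}" '
                f'"id:{rule_id},phase:2,deny,status:403,msg:{msg},chain"\n'
                f'    SecRule ARGS:{param} "@rx {sig.pattern}" "t:urlDecodeUni"')
        patches.append({"id": rule_id, "path": path, "param": param,
                        "alert": alert, "regex": sig, "text": text})
    return patches

def enforce(patches, url):
    """Apply the generated patches to one request URL: ('block', rule_id) or ('allow', None)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for p in patches:
        if parts.path.startswith(p["path"]):
            for value in params.get(p["param"], []):
                if p["regex"].search(unquote(value)):
                    return ("block", p["id"])
    return ("allow", None)
```

Re-running the scanner after a code change and re-running `build_virtual_patches` is the "automatic WAF update" the text describes; the rule IDs are deterministic per report, so stale rules can be retired by comparing the two outputs.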

Honeypot/Deception Proxies (Web IPS)

The next generation of security and web-attack detection systems was developed by Juniper's Mykonos Software. They opened an attractive new direction in the IDS industry: honeypot/deception proxies (web intrusion prevention systems).
The mechanism works as follows: the honeypot proxy sits between the user and the web service, injects decoy information into the traffic and generates decoy resources, for example by embedding hidden fields meant to attract an attacker's attention into the HTML, or by creating fake .htaccess and .htpasswd files. An ordinary user never notices these traps, while an attacker looking for the easiest way in will go for the tempting (but false) data, and in doing so gives themselves away.
What happens next depends on how the system is configured. You may "reward" the attacker with long response timeouts, which will make them angry (really angry), or, more provocatively, look up the attacker's geolocation and send them a message: "Big Brother is watching you."
Intrusion prevention systems of this kind can be integrated with WAF signatures, so that once an attacker has been identified their malicious traffic is blocked.
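The following deception proxy is an added example written for this article; it is not Mykonos or Juniper code and makes no claim about how their product is built. It assumes a hypothetical decoy field name (`debug_admin`), two decoy paths (`/.htaccess`, `/.htpasswd`), and a three-step escalation (tarpit, then warn, then block) chosen for illustration. The detail that matters, and that the prose glosses over, is that a hidden field is planted in every form for every visitor, so its mere presence proves nothing: a browser echoes the field back unchanged, and the signal is a token that was altered, forged, or replayed by a client it was never issued to, or a request for a decoy path that no page visibly links to.

```python
import re
import secrets
import time
from collections import defaultdict

DECOY_PATHS = {"/.htaccess", "/.htpasswd"}   # advertised via invisible links; nothing real lives there
DECOY_FIELD = "debug_admin"                   # hidden form field a browser echoes back untouched
ESCALATION = ("tarpit", "warn", "block")      # response to the 1st, 2nd and further decoy hits

class DeceptionProxy:
    def __init__(self, tarpit_seconds=30):
        self.tarpit_seconds = tarpit_seconds
        self.issued = {}                     # token -> client it was handed to
        self.hits = defaultdict(list)        # client -> [(kind, detail), ...]

    def decorate_response(self, client, html):
        """Outbound: plant a per-client token in every form plus an invisible decoy link."""
        token = secrets.token_hex(8)
        self.issued[token] = client
        field = f'<input type="hidden" name="{DECOY_FIELD}" value="{token}">'
        html = re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + field, html, flags=re.I)
        return html.replace("</body>", '<a href="/.htpasswd" style="display:none">x</a></body>')

    def inspect_request(self, client, path, form=None):
        """Inbound: ('pass', None) for normal traffic, (action, detail) for a decoy hit.
        Browsers never follow display:none links or rewrite hidden fields; scanners and
        hand-crafted requests do, and that difference is the whole detection."""
        form = dict(form or {})
        kind = None
        if path in DECOY_PATHS:
            kind = ("decoy-path", path)
        elif DECOY_FIELD in form:
            owner = self.issued.get(form[DECOY_FIELD])
            if owner is None:
                kind = ("tampered-field", form[DECOY_FIELD])
            elif owner != client:
                kind = ("replayed-field", f"token issued to {owner}")
            # A correct token is the normal case. A form that never carried the field
            # (a request that did not pass through decorate_response) is also left alone,
            # because punishing it would hit legitimate API clients.
        if kind is None:
            return ("pass", None)
        self.hits[client].append(kind)
        action = ESCALATION[min(len(self.hits[client]), len(ESCALATION)) - 1]
        if action == "tarpit":
            time.sleep(self.tarpit_seconds)   # the attacker waits; a real user never reaches this branch
        return (action, f"{kind[0]}: {kind[1]}")

    def forward_form(self, form):
        """Strip the decoy field before the request reaches the real application."""
        clean = dict(form)
        clean.pop(DECOY_FIELD, None)
        return clean

    def warning_page(self, client):
        """Body served on a 'warn' verdict; a geolocation lookup (assumed, not shown) would go here."""
        return f"Big Brother is watching you, {client}."
```

Feeding `self.hits` into the WAF, so that a client with a decoy hit is matched by an ordinary block rule from then on, is the integration with WAF signatures the text mentions.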

Conclusions

WAF and DAST technologies are still evolving. Looking ahead, an IDS combined with machine learning seems the most promising direction: a system able to learn, identify attacks and create signatures in real time, by itself. Until then, do not underestimate the value of timely detection and prevention of the intrusions that already exist if your systems are to stay secure.

Help Files Help Users Get Infected with CryptoWall 3.0 Ransomware

An active email campaign was launched towards the end of February to infect user machines with CryptoWall ransomware; the messages carry compiled HTML help (CHM) files that contain a malware downloader, which fetches the final payload.
CryptoWall encrypts files and starts locking the data on the computer as soon as it is launched. When the process completes, the user sees a ransom message demanding payment in bitcoin; otherwise the information stays encrypted for good.

Campaign delivers the latest version of CryptoWall

Hundreds of infections detected in the first day of the campaign

The malicious messages try to trick the recipient into launching a CHM file that claims to be a fax report, suggesting that the cybercriminals target business computers that still rely on electronic fax services for company communication.
Security researchers at Bitdefender have determined that the servers spewing the malicious messages are located in Vietnam, India, Australia, the US, Romania and Spain, but victims have been found in other parts of the world.
“Once the content of the .chm archive is accessed, the malicious code downloads from this location http://*********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware,” researchers say in a blog post on Monday.
The version of CryptoWall delivered this way is 3.0, the latest seen in the wild since mid-January, Bitdefender said by email. That version keeps its command and control servers well hidden behind the I2P anonymity network.
According to Bitdefender senior threat analyst Bogdan Botezatu, the attackers use two different malware downloaders in the operation, one of them being more widespread than the other.
The latest detection recorded by Bitdefender occurred on Monday, indicating that the spam operation is still ongoing. Researchers first noticed the campaign on February 18, when about 300 infections were recorded in the US alone.
According to data from the Romania-based antivirus vendor, the most affected countries are the United States, Japan, Australia, Canada, Germany, the United Kingdom and Romania; infections have also been recorded in the Netherlands, Denmark, Sweden and Slovakia.
CHM files ship with software to document how a product works and what features it offers.
They are compressed containers of HTML pages, images and JavaScript, and the HTML they carry can automatically redirect to external web addresses as soon as the file is opened, which is the feature this campaign abuses.
One of the best defences against file-encrypting ransomware is an up-to-date backup kept on an isolated system or storage drive with restricted access, so that the malware cannot reach it from the infected machine. Infection itself can be prevented by running an up-to-date, reputable antivirus product and by not opening files and messages from unknown or suspicious sources.

Google officially announces Android 5.1 with HD Voice, multi-SIM, and device protection



Google has officially announced Android 5.1, about a month after it started shipping Android One phones with it. Better late than never, right?
The release was detailed on the Official Android Blog, and should start rolling out to Nexus devices this week. Don't get too excited; this release is mostly about fixing the plethora of bugs in Android Lollipop. There are four new features worth mentioning, though.
Multi-SIM support: Have a phone with more than one SIM slot? Now you can use them both!
HD Voice: On networks with HD Voice like Verizon and T-Mobile, you can now actually use it on supported devices (such as the Nexus 6).
Device Protection: If your phone is lost or stolen, it stays locked until someone signs in with your Google account, even after a factory reset.
Quick settings: Select which Wi-Fi network to join or Bluetooth device to pair with, right from a drop-down list in the quick settings menu.
Most of those features won't be of much use to people who don't use stock Android phones (Nexus, Google Play Edition, or Android One). Most manufacturers enhance Android with their own quick settings menus, support for carrier features like HD Voice, or dual-SIM support. But the new device protection feature should be a welcome deterrent to theft for all phones that ship with Android 5.1.
Perhaps the best thing to come from this release will be more rapid updates from manufacturers, who have not been as quick to move their phones to Android 5.0 as we hoped. That is partly due to all the bugs in the initial release, so a major bugfix release might help grease the wheels on Android updates.