Resilient Military Systems and the Advanced Cyber Threat

Published by the Department of Defense, mainly by the Defense Science Board (DSB).
This report is a good study of the state of American cyber defense. Although the language used is very military oriented, it is also easy to understand and gives a clear view of the cyber security situation in 2013.
We learn that, after 18 months of study, “the cyber threat is serious and that the United States cannot be confident that their critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent”; nothing new on that point.
What is interesting is the spectrum and the detailed analysis of potential threats, such as hardware. Because nowadays almost all electronic components are made abroad, it is possible that a foreign state hides a keylogger in our electronic devices; think of the story of the “Gunman operation” in the 1970s with the IBM Selectric typewriters, described in the report.
I also feel that the report is very pessimistic (or realistic: “the functioning of DoD’s systems is not assured in the presence of even a modestly aggressive cyber attack”) and that spying on people is a necessity: “the Intelligence Community should increase the priority of its intelligence collection and reporting requirements in this domain”, not very good for our freedom of expression, which we lose a little more each and every day.

The full report is available here.

Symantec Report: Stuxnet 0.5

In this report from Symantec we learn that Stuxnet was not born in 2009, as I believed, but that there are traces of a version 0.5 going back to November 2007, and C&C server registrations dated November 2005.

The report is very accurate, and the information provided by Symantec is very well documented. Symantec found that the only method used to spread in that version of Stuxnet (0.5) was the infection of Siemens Step 7 project files; there is no exploitation of any Microsoft vulnerabilities as with version 1.x.
That version of Stuxnet contains code to attack the valve systems in a uranium enrichment facility rather than modifying centrifuge speeds, as in later versions.
Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading only after a later date, July 4, 2009.

That suggests it was very clear that a second version of Stuxnet was on the roadmap.
I am still very surprised by the accuracy and preparation that went into the Stuxnet operation.
It is true that it allowed Iran’s nuclear program to be delayed by two years, without the need to launch a conventional military attack.

States are now using the Internet as a military weapon and no one is safe. This report is the description of the first known cyber military attack of the 21st century.

The full report is available here.
A short video explaining the Stuxnet variant is here.

Websense 2013 Threat Report

Websense is a global leader in unified web security, email security, mobile security and data loss prevention.
Its headquarters is in San Diego, California; it has 1450 employees and was founded in 1994.

The report is very interesting: we see that the number of malicious sites grew nearly 600% in 2012, and an incredible statistic claims that 85% of malicious sites were found on legitimate web hosts. This last number is very interesting because it proves that we can no longer rely on the simple fact that a site is “trustable” or not.
Regarding targeted attacks, we see that cybercriminals are using local languages and events to target businesses and users in specific regions or areas. We are no longer facing bad phishing attempts with approximate English or spelling errors.

Social media threats are also very present: we are using mobile devices 50 percent more often to access social media than to make phone calls. As mentioned in the report, this creates a feeling of familiarity and confidence with the mobile device, so that we forget we are as much at risk as in front of a computer, but without an anti-virus and/or a firewall.
It is also very difficult to trust every link given the presence of “shortened web links”, widely used on Twitter and other social media, simply because we cannot check the link’s destination by eye.

Regarding mobile threats: “Data stored on a mobile device, and data accessed through the device, are at risk due to minimal control of web, email and social media traffic and access. Lost devices are also a risk”. Nothing new; it is obvious that the next “Wild West” will be the mobile area. You don’t need a jailbroken device to be at risk: with the success of app markets and the number of new apps proposed daily, neither Apple nor Google can verify all submitted apps. Don’t forget also that while it is understood that we need a firewall and anti-virus on our computers, most of the time we don’t have that kind of tool on our mobile devices.

Email threats: the figure that “only one in five emails sent in 2012 was safe or legitimate” proves that email is still a good infection vector, especially with the increase of spear-phishing.
I was very surprised by a new concept of attack based on time delay. An email containing an embedded malicious web link is sent to a target. The mail gateway or the organisation’s email system checks the validity (and the risk) of the link when the email is received, not when the user clicks on the link. So the trick is to “activate” the malicious part of the link only after it has safely bypassed the email security defenses. Well done.
I also learned that 66% of phishing emails were sent on Mondays and Fridays, because people are more distracted by personal concerns on those days. That’s interesting because the “bad guys” are increasingly combining solid technical concepts with a very accurate understanding of human behaviour and reflexes.
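The time-delay trick above is exactly the case a single delivery-time link scan cannot catch, and the usual countermeasure is to rewrite links so that every click is re-checked at click time. The following Python model is an added example, not code from the Websense report or from this post: the reputation feed, the proxy address, the URL and the timestamps are all constructed for the demonstration, and a URL is only reported malicious from the moment the attacker “arms” it.

```python
"""Delivery-time scanning versus click-time URL re-checking.

Added example (not from the Websense report or this post). It models a link
that is clean when the gateway inspects it on receipt and becomes malicious
a few hours later, when the user clicks. The feed, proxy and URLs are
constructed stand-ins.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit


@dataclass
class ReputationFeed:
    """Constructed stand-in for a URL reputation service.

    A URL is 'malicious' only from the time it was flagged onward, which is
    what lets a delayed-activation link pass a one-off delivery check.
    """
    flagged_at: dict = field(default_factory=dict)

    def flag(self, url: str, when: datetime) -> None:
        self.flagged_at[url] = when

    def verdict(self, url: str, now: datetime) -> str:
        flagged = self.flagged_at.get(url)
        return "malicious" if flagged is not None and now >= flagged else "clean"


def scan_at_delivery(url: str, feed: ReputationFeed, received_at: datetime) -> str:
    """Verdict of a gateway that checks each link once, when the mail arrives."""
    return feed.verdict(url, received_at)


# Hypothetical click-time checking proxy (constructed address, not a real service).
PROXY = "https://click-check.example.invalid/redirect"


def rewrite_link(url: str) -> str:
    """Rewrite a link in the delivered mail so every click passes through the proxy."""
    return f"{PROXY}?u={quote(url, safe='')}"


def resolve_click(proxy_url: str, feed: ReputationFeed, clicked_at: datetime) -> tuple:
    """Proxy behaviour on click: recover the original URL, re-check it *now*, decide."""
    query = parse_qs(urlsplit(proxy_url).query)  # parse_qs percent-decodes the value
    original = query["u"][0]
    verdict = feed.verdict(original, clicked_at)
    action = "block" if verdict == "malicious" else "allow"
    return original, verdict, action


def demo() -> dict:
    """Walk one mail through both controls and report what each one saw."""
    t0 = datetime(2013, 3, 4, 9, 0, tzinfo=timezone.utc)  # constructed delivery time
    link = "http://news-update.example.invalid/report.html"  # constructed URL
    feed = ReputationFeed()
    # The page behind the link is armed two hours after the mail passed the gateway.
    feed.flag(link, t0 + timedelta(hours=2))

    delivery_verdict = scan_at_delivery(link, feed, t0)          # 'clean': mail delivered
    rewritten = rewrite_link(link)
    original, click_verdict, action = resolve_click(rewritten, feed, t0 + timedelta(hours=3))
    return {
        "delivery_verdict": delivery_verdict,
        "click_verdict": click_verdict,   # 'malicious': caught only because we re-checked
        "action": action,
        "original": original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the split verdict: the same URL is “clean” at 09:00 and “malicious” at 12:00, so a control that evaluates it only once, on receipt, lets the mail through, while the rewrite forces a second evaluation at the moment the user actually follows the link. In a real deployment the proxy would also log the click and the verdict, which gives the incident response team the list of users who clicked an armed link even when the delivery scan was silent.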

The full report is available here.