June 2012 – year 2, issue 6

events

SAM'12: The 2012 International Conference on Security and Management
Date: 16 – 19 July 2012
Location: Las Vegas, USA
http://sam.udmercy.edu/sam12/
Leading international opportunity for computer and network security professionals and users to investigate innovative ideas and outcomes, and to exchange experiences on various aspects of information security. Novel research in all practical areas of computer and network security is sought.

ICITIS 2012: The 3rd IEEE International Conference on Information Theory and Information Security
Date: 27 July 2012
Location: Beijing, China
http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=19827&copyownerid=21605
ICITIS 2012 will keep promoting the exchange of information on information theory, information security, computer technology, telecommunication technology, networks and related fields, with the aim of promoting international academic exchange and international cooperation.

SecurIT 2012
Date: 16 – 19 August 2012
Location: Kerala, India
http://securit.ws/
SecurIT 2012, the Security Conference on the Internet of Things (IoT), invites professionals from industry verticals such as security solution companies, automobile, mobile and wireless companies, and academics from universities and research labs to participate and contribute.

Cyber Resilience for National Security
Date: 12 – 14 September 2012
Location: Washington, DC/VA, USA
http://www.clocate.com/conference/Cyber-Resilience-for-National-Security-2012/29782/
As the US Military, Homeland Defense and Intelligence communities prepare for post-Iraq, and eventually post-Afghanistan, they will need to maintain force dominance over new and emerging actors and threats. One of the largest threats to national security at present is in the cyber realm. This event will focus on the latest prioritization efforts within the DoD's cyber security efforts, while bringing together government and industry leaders to discuss the most challenging threats to national cyber security in both the public and private sector.

editorial

Dear Reader,

May has been full of events that saw the participation of GCSEC. It is worth mentioning the Digital Agenda Assembly 2012 in Brussels, where GCSEC was asked to contribute on Digital Identity. In April we also joined a session at the European Parliament organized by EIF – European Internet Foundation.

The situation is clear: the attention is on eID, the digital equivalent of national ID cards, and not on "soft identities", those that we use daily to access any kind of service on the Internet, including payment systems (in the end, a credit card used online is a soft identity…).

The incident that affected 6.5m users of LinkedIn is a clear example of the risks that users are facing. The situation is even worse than it appears: most users I know are using on LinkedIn the same password they use for their email. This is a big risk: email has become our "digital key ring", the one most of our digital identities are connected to. The incident demonstrated not only the risk, but also the fact that operators are not adopting even the most simple and inexpensive techniques to protect users' identities and credentials.

GCSEC's position is to help operators through guidelines and standards, in order to adopt minimum standard countermeasures to protect end-user identities. Governments should also play a key role through modern policies. This is what GCSEC is advocating at the international level.

Andrea Rigoni

in this number

"London Olympics 2012: no game with Cyber Security!" by Maria Luisa Papagni – AlmavivA/GCSEC
The surprising results of a survey by McAfee, the well-known U.S. security company, show a worrying lack of awareness amongst MPs, business leaders and journalists about the extent of the cyber threat facing the London 2012 Olympic Games. The risks for major events like the Olympics do not just come from terrorism: the alarm is very high for a cyber attack as well.

"A distributed and hierarchical DNS-CERT for Internet Health and Security." by Igor Nai Fovino and Elena Agresti – GCSEC
The mechanism by which the Internet translates names to addresses and vice versa is the Domain Name System (DNS). It is recognized as one of the most critical services in the Internet infrastructure. The cyber attacks and security breaches to which the DNS has been exposed in the last years have shown that the DNS world is in crisis.

"Lulzsec. Can hacking be just fun?" by Marco Caselli – GCSEC
Lulz Security, abbreviated Lulzsec, was born as an offshoot of Anonymous. In May 2011, an affiliated collective called Internet Feds decided to re-organize itself under this new identity while riding the wave of success of several cyber attacks. In just one year the group has got people talking a lot about it.

"London Olympics 2012: no game with Cyber Security!"
By Maria Luisa Papagni – AlmavivA/GCSEC

Imagine being at the stadium, watching the finals of the athletics competitions of the Olympics. Adrenaline and emotion before the start, with the whole audience standing to admire the "human shrapnel" trying the blocks and making the last stretch before the start. Then comes the long-awaited moment. One, two, three ... and the spectacular start of the usual Usain Bolt. He is already a few inches ahead of everyone, and suddenly… all the lights turn off!

Total darkness, people panic: is it a terrorist attack? People start to scream and rush en masse toward the exit! Does this sound like a science fiction movie? No, it is just one of the scenarios that could follow a cyber attack during the London 2012 Olympics.

Yes, because the risks for major events like the Olympics do not just come from terrorism: the alarm is very high for a cyber attack as well, which could come from someone with terrorist aims or simply from someone seeking a bit of notoriety (given the huge following of the event).

The risk is to underestimate the threat of cyber attacks, as often happens with regard to cyber security. The surprising results of a survey by McAfee, the well-known U.S. security company, show a worrying lack of awareness amongst MPs, business leaders and journalists about the extent of the cyber threat facing the London 2012 Olympic Games.

Only 2% of respondents considered cyber-attacks the largest threat, despite the record growth of […] (over 6 million cases in the first three months of 2011). The McAfee report, in essence, reflects a mismatch still present between the real growth of cyber attacks and the awareness of the dangers among entrepreneurs, politicians and media.

Just think that in the first three months of 2011 there was a 76% increase in attacks on Android phones, while the forecast for the growth of malware indicates a threshold of 75 million by the end of the year.

This is a deficit of awareness that we must be aware of. But awareness does not fail Gerry Pennell, Chief Information Officer of the London Committee for the Olympic Games, who early in January said that "The high profile nature of the event means that an attack is inevitable. We will be the target of a cyber attack. It will happen for sure as happened in the last editions of the Games. For this we are working with the government and other stakeholders to ensure that we have the defences necessary to protect our systems from inevitable offensives".

A team of 450 anti-hacking experts is working to protect the Games: not only are they defending the official website of the event (and the archives of scores and results) against tampering, but they are also assigned to the control of at least 90 Olympic websites.

In the recent past, both Beijing 2008 and Athens 2004 were targets of cyber attacks. Atos Origin, IT partner of the London 2012 Olympic Committee, reported that 14 million malware events were recorded per day during the Olympics that took place in Beijing, 400 of which had the potential to impact the Games.

A concrete episode of cyber attack linked to an Olympic event also occurred during the 2002 Winter Games in Salt Lake City, when some South Korean hackers made several American sites unusable with a DDoS attack on US servers, following a disputed decision that denied victory to an athlete from Seoul and rewarded an American skater with the gold. So the alarm is high for the risk of compromised websites, hacked smartphones, breaches of the huge databases reserved for the management of all the data to be organized, classified and protected, and in general for the blocking of the operations of the complex platforms that constitute the basis of the Olympic Information System.

But Gerry Pennell reassures everyone: "We will be using a content distribution network to push data out, which means our dependency on a central host architecture is much lower. What that means is that it is very hard to launch a distributed denial of service attack (DDoS), simply because our front-end is so dispersed. We designed our approach to information security into our architecture from the beginning. We keep mission-critical Games systems, such as anything to do with distributing results, quite insulated from other components of the network, particularly anything web-facing, thus making it extremely hard for an external attack to succeed."

He is confident a cyber attack will not succeed in bringing down the Games' IT systems. We hope so… And we trust that we will see Usain Bolt cross the finish line, perhaps giving us another world record!

news

India to greenlight state-sponsored cyber attacks
http://www.theregister.co.uk/2012/06/11/india_state_sponsored_attacks/
The Indian government is stepping up its cyber security capabilities with plans to protect critical national infrastructure from a […]-like attack. Sources told the "Times of India" that the government's National Security Council, which is headed by Prime Minister Manmohan Singh, is working out the fine details which would give the Defence Intelligence Agency (DIA) and the National Technical Research Organization (NTRO) the power to carry out unspecified offensive operations.

LinkedIn dials 911 on password mega-leak
http://www.theregister.co.uk/2012/06/08/law_investigates_linkedin_breach/
LinkedIn has turned to the FBI for help after 6.5 million of its users' passwords were dumped online by hackers. A list containing the SHA1-hashed but unsalted passwords, purportedly of users of the business social network, has been posted on a Russian Dropbox-alike website. The business network said "a small subset" of the hashed data had been deduced and revealed, but the rest is "hard to decode". Security biz Sophos estimated that as much as 60 per cent of the leaked list had been cracked. "To the best of our knowledge, no email logins associated with the passwords have been published," the company stated in a blog post.

Flame gets suicide command
http://www.theregister.co.uk/2012/06/07/flame_suicide_command/
One of the most dangerous viruses ever, which lies in some areas of the Middle East, has surprisingly changed its behaviour. According to Symantec, its creators have sent a self-destruct command designed to wipe it from compromised computers, so that it cannot be traced to them. Studies on Flame have also revealed how sophisticated the code used is; it will take years to understand how it works.

White House unveils initiatives to combat botnets
http://www.scmagazine.com/white-house-unveils-initiatives-to-combat-botnets/article/243712/
The Obama administration revealed new initiatives to combat botnets, believed to present one of the greatest threats to the integrity of the internet. The initiatives are the result of a voluntary public-private partnership between the White House Cybersecurity Office and the U.S. Departments of Commerce and Homeland Security (DHS), who coordinate with private industry to lead the Industry Botnet Group (IBG), a group of nine trade associations and nonprofit organizations representing thousands of companies across the information, communications, and financial services industries.

Obama Order Sped Up Wave of Cyberattacks Against Iran
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all
From his first months in office, President Obama secretly ordered increasingly sophisticated attacks against the Iranian nuclear industry, significantly expanding America's first sustained use of cyberweapons. Mr. Obama decided to accelerate the operation code-named Olympic Games, ordered by President George W. Bush starting in 2008. The effort seems to have included the use of the Stuxnet malware.

Global Payments: processor affirms victim estimate, but warns of new breach
http://www.scmagazine.com/processor-affirms-victim-estimate-but-warns-of-new-breach/article/245597/
Global Payments is the Atlanta-based processor whose North American payment systems were breached earlier this year, potentially compromising up to 1.5 million credit and debit cards. Chairman and CEO Paul Garcia revealed that, through a forensic examination into the incident, investigators detected another unauthorized intrusion: this one affecting a database that contains the applications of merchants who sought to have Global Payments process their transactions. The two breaches don't appear linked.

Senators attempt compromise cyber security bill
http://www.csoonline.com/article/708336/senators-attempt-compromise-cybersecurity-bill
Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) are circulating a draft bill that they hope will settle one of the major debates over competing legislative proposals: how heavy the hand of government should be in regulating industries that operate critical infrastructure. They are proposing incentives instead of mandates. Senate Majority Leader Harry Reid took to the Senate floor to say it matters very much. He cited a letter from a bipartisan group of former national security officials from both the Bush and Obama administrations, who wrote that the nation is at risk of being unprepared for a cyber 9/11: "it is not a question of whether this will happen; it is a question of when."
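The LinkedIn item above says the dumped passwords were SHA1-hashed but unsalted, and the editorial calls the missing protection "simple and inexpensive". The following added example (written for this page, not code from GCSEC, LinkedIn or any of the cited articles) shows in Python why an unsalted table is cheap to crack, and what the inexpensive fix looks like. The user names, passwords and wordlist are constructed for the demonstration; the iteration count and the use of PBKDF2-HMAC-SHA256 are this example's choices, not anything the page prescribes.

```python
"""
Unsalted SHA-1 password table versus per-user salt plus an iterated hash.
Added example, not part of the newsletter; all data below is constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump: username -> SHA-1(password).
# Three of the five users chose the same password.
LEAKED_PASSWORDS = {
    "alice": "linkedin",
    "bob": "Passw0rd",
    "carol": "linkedin",
    "dave": "linkedin",
    "erin": "correct horse battery staple",
}


def sha1_unsalted(password: str) -> str:
    """The weak scheme described in the news item: one hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


UNSALTED_TABLE = {user: sha1_unsalted(pw) for user, pw in LEAKED_PASSWORDS.items()}

# Constructed wordlist standing in for the dictionaries used to crack dumps.
WORDLIST = ["123456", "password", "linkedin", "Passw0rd", "qwerty"]


def crack_unsalted(table: dict, wordlist: list) -> dict:
    """Without a salt, one SHA-1 per wordlist entry tests every account at
    once: equal passwords give equal digests, so a single lookup table
    (digest -> word) recovers all of them in one pass."""
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def duplicate_ratio(table: dict) -> float:
    """Share of accounts whose digest is also used by another account.
    In an unsalted dump this is visible before cracking a single password."""
    counts = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    shared = sum(1 for digest in table.values() if counts[digest] > 1)
    return shared / len(table)


# Hardened form: a random per-user salt and an iterated (deliberately slow) hash.
ITERATIONS = 100_000  # example value; tune to the server's latency budget


def make_record(password: str) -> tuple:
    """Return (salt, digest) for storage; the salt is not secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_digests_differ(password: str) -> bool:
    """Same password for two users now yields two different stored digests,
    so a precomputed table can no longer crack all accounts at once, while
    each record still verifies its own password."""
    salt1, digest1 = make_record(password)
    salt2, digest2 = make_record(password)
    return digest1 != digest2 and verify(password, salt1, digest1) and verify(password, salt2, digest2)


if __name__ == "__main__":
    print("cracked with one pass over the wordlist:", crack_unsalted(UNSALTED_TABLE, WORDLIST))
    print("accounts sharing a digest:", duplicate_ratio(UNSALTED_TABLE))
    print("salted digests differ for equal passwords:", salted_digests_differ("linkedin"))
```

Run as a script it prints four of the five constructed accounts as cracked from a five-word list, shows that 60% of the digests are duplicates, and confirms that the salted records for the same password differ while both still verify. The salt defeats shared lookup tables; the iteration count is what makes guessing each remaining account individually slow.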

“A distributed and hierarchical DNS-CERT for Internet health and security.” by Igor Nai Fovino and Elena Agresti - GCSEC

In the new digital society, characterized by interoperability, connectivity and communications, the Internet plays a key role. The main critical infrastructures and the core business activities of private organizations are based on the Internet and on information technologies. Therefore the Internet is the heart of basically all existing services, and its failure could potentially impact our lives. A failure of critical services such as transportation, energy, telecommunications, banking and finance could result in significant impacts on the economy of a country and of other countries, but also on citizen security and on the daily life of citizens.

The mechanism by which the Internet translates names to addresses and vice versa is the Domain Name System (DNS). It is recognized as one of the most critical services in the Internet infrastructure. The cyber attacks and security breaches to which the DNS has been exposed in the last years have shown that the DNS world is in crisis. Security events such as the massive DNS cache poisoning attack that affected millions of users in Brazil in 2011, or the wrong configuration of DNSSEC that disconnected whole domains, have demonstrated its weakness and its lack of global visibility, management and control.

Today, if a researcher discovers a new DNS security issue, he doesn't know whom to contact, what information to provide, or which trusted communication channels he can use. There isn't an entity able to collect and provide information about threats, vulnerability profiles, mitigation strategies or incident response methodologies concerning DNS.

In response to this scenario, in 2010 the Internet Corporation for Assigned Names and Numbers (ICANN) conducted consultations with a broad spectrum of stakeholders on the concept of a "DNS CERT". Unfortunately that consultation remained the only action toward the creation of a DNS-CERT. Its proposal was considered insufficient in detail and in its analysis of the gaps in current activities and capabilities related to DNS security and resiliency.

Today nothing like a DNS-CERT exists. There are CERTs at national, regional and worldwide level, but the scope of the current CERTs doesn't coincide with the DNS ecosystem. DNS management is decentralized and its community is global and independent. It is composed of different actors, such as end users, resolvers, root servers, registries, authoritative servers, registrars, ICANN, IANA and VeriSign, that work across a hierarchical infrastructure. To meet the needs of this environment, a DNS-CERT should be based on a hierarchical and distributed model. In this case the response capability would be distributed among all the actors of the DNS ecosystem, to respond to and prevent DNS incidents and threats and to enhance the level of security, stability, resiliency and health. DNS actors would share knowledge about vulnerabilities, threats, security incidents, warnings, alerts, experiences, methodologies, best practices, lessons learned and tools for incident management. In this way they will be able to identify hazards and impacts correctly and to solve many issues.

Cooperation and information sharing are essential for correct DNS incident prevention, detection and response. In a distributed and hierarchical model, not all the actors need to interact directly with each other.

GCSEC has conducted an assessment of each DNS actor's role and of its interactions within the ecosystem. The analysis found that each actor frequently speaks with actors of the same level or with actors positioned above or below it in the hierarchical structure. This is evidence of the need to adopt a hierarchical and distributed approach.

Moreover, the distributed model is an agile model and it facilitates the interfaces with stakeholders. National operators could be an interface with the national CERT, which could be the correct way to reach critical infrastructure operators.

A DNS CERT will not overlap current activities and capabilities, but enhance and improve them through the sharing of experiences, initiatives, best practices and common exercises. If a TLD decides to implement DNSSEC, it could take advantage of the experiences of other TLDs. These could share their knowledge, the issues they addressed and the lessons they learned, and give suggestions.

A DNS CERT should be composed of participants that are directly involved in it (e.g. root operators, DNS operators, TLD registries, registrars, ISPs, registrants, corporate infrastructure operators) and of stakeholders that are interested in and can support DNS CERT activities (e.g. national CERTs, standardization organizations, the business community, law enforcement, vendors, researchers and academics). The DNS CERT could be managed by a not-for-profit consortium, composed of the DNS CERT participants, which could be overseen by a Board composed of one representative per participant.

A distributed approach will have many advantages over a centralized one, such as shared resources and hierarchical interaction among all DNS actors, but it can have negative effects on incident handling due to the complex organization. For that reason, it should be well organized with regard to the main processes (communication, IT, logging, support…). To guarantee effective communication and information sharing, the CERT will need a common and formalized language. The DNS CERT should identify a common way of measuring DNS performance as well as a common way of investigating potential weaknesses.

GCSEC has developed and promoted a framework of metrics and KPIs to support the design, engineering and policy making of the DNS infrastructure. The framework is based on point-of-view analysis, in which each DNS actor is able to describe the DNS from its own perspective. It reflects the hierarchical DNS infrastructure and its needs. The sharing of common metrics could be the first step towards the constitution of a DNS-CERT.

What we have just described has been presented by GCSEC at the 24th Annual FIRST Conference. The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs), and includes response teams from over 240 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania. The annual FIRST conference provides a setting for participants to attend a wide range of presentations delivered by leading experts both in the CSIRT field and from the global security community. The FIRST conference, bringing together the top experts in the CERT and CSIRT sectors, was the ideal floor on which to present the concept of a distributed and hierarchical CERT for the DNS ecosystem.

The presentation attracted a lot of attention, and during question time the audience raised several interesting questions. While on one side the idea of a distributed CERT has been confirmed as the most suitable model for the needs and peculiarities of the DNS, doubts have been raised about the attention of the DNS community to this topic and about the possibility of reaching the critical mass that would allow such an initiative to be launched worldwide. The last point is indeed the most relevant: as the experience of the ICANN CERT initiative showed, without the support of the relevant actors in the DNS community the creation of a DNS-CERT will remain a mere project on paper.

However, the lack of a CERT specifically designed to support DNS operators potentially constitutes a breach in the security and stability of all the critical infrastructures that rely on the public network to operate, and for that reason it cannot be neglected.

A distributed approach promises to combine the operators' need for independence and flexibility with the typical functions and services provided by a CERT. GCSEC strongly believes in this approach and for that reason is planning to promote an international initiative to define a first pilot based on it.

“Lulzsec. Can hacking be just fun? ” by Marco Caselli - GCSEC

Basically, they do it "for the lulz". Just fun: a variation of the more famous lol (laughing out loud), the lulz is what has always marked the most irreverent group of hackers on the whole Internet.

Lulz Security, abbreviated Lulzsec, was born as an offshoot of Anonymous. In May 2011, an affiliated collective called Internet Feds decided to re-organize itself under this new identity while riding the wave of success of several cyber attacks. In just one year the group has got people talking a lot about it. Lulzsec has committed numerous attacks but, as the Wall Street Journal wrote, these activities seem closer to Internet pranks than to serious cyber-warfare.

In this sense, the group's motto is quite explicit: "Laughing at your security since 2011!".

Can it be just amusement? Well, LulzSec has never appeared to hack for financial profit, although it is possible to make Bitcoin donations to help fund its activities. Moreover, ideology and political alignment are something that came out mostly when the group joined Anonymous for collaborative operations (e.g. Anti-Sec).

Lulzsec seems different. They used to say that many other hackers exploit and steal user information without releasing the names publicly, or alerting people that they may possibly have been hacked. Instead, they always reveal lists of stolen usernames, also informing the public of vulnerable websites. This gives users the opportunity to change credentials that might otherwise be exploited, and allows companies to become aware of their vulnerabilities and upgrade their security.

Real goodness or desire for fame? Lulzsec's behavior must not deceive. There are many actions that seem far less altruistic than others, such as the Distributed Denial of Service attack against the United Kingdom's Serious Organised Crime Agency (SOCA). Moreover, Lulzsec incurred cyber-activists' wrath more than once. Groups like TeaMp0isoN and Team Web Ninjas, but also individual hackers, made life difficult for Lulzsec several times. They accused its members of misconduct towards Internet users, and maybe this situation was one of the reasons for the group's downfall.

Lulzsec is, in fact, going through a crucial period that could possibly mark its end. Like a flame that burns so vigorously that it lasts only a few moments, the great number of attacks and the disrespectful attitude of their claims have probably attracted too much attention to the group. With a post on the imageboard Pastebin (a forum dedicated to commenting images), the user KillerCube identified LulzSec leader Sabu as Hector Xavier Monsegur already in June 2011. This identification was later shown to be accurate, and the FBI arrested him the same month. He was a 28-year-old IT consultant residing in New York. It may seem strange, but this did not end his career in Lulzsec. Not funny at all for the group of cyber-activists: Sabu pleaded guilty to several hacking charges and agreed to cooperate with the FBI. Over the following seven months he successfully unmasked the other core members of Lulzsec. Finally, on March 6, Topiary, Kayla, pwnsauce, palladium and Anarchaos, betrayed by their leader, fell into the trap hatched by the feds and were arrested.

Game over? It seems that the amusement is not finished yet. After two months of agitation within the hacker community (Anonymous immediately reacted to Sabu's unmasking and betrayal by tweeting "#Anonymous is a hydra, cut off one head and we grow two back"), the group is rising from the ashes with the same irreverent spirit.

A few days ago, Lulzsec Reborn introduced itself to the Internet with a cheerful Star Wars-style video showing a taste of three terabytes of government emails and sensitive information close to release. The Lulz Boat, the allegorical image of the group often present in their videos, still surfs the stormy waters of the Internet. The crew changes but the goal remains the same. The fun fills the sails and several FBI battleships are back in pursuit. Let's enjoy the show; we surely cannot get bored when it comes to Lulz.

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy www.gcsec.org