CERT-MU Quarterly | July 2012
CERT-MU e-Security Newsletter

Addressing the Need of Information Security for Intelligent Mauritius

Volume 2 | Issue 2 | July 2012

In this issue:

- A New Era of Cyber Warfare with Flame
- Transition of IPv4 to IPv6 Raises New Security Challenges
- Cyber Security Events 2012
- News Focus
- CERT-MU Events
- Guidelines
- Information Security Tips

CERT-MU has been affiliated to the Forum of Incident Response and Security Teams (FIRST) at the beginning of May 2012. FIRST is the premier organization and recognized global leader in Information Security incident response and brings together more than 200 computer security incident response teams from government, commercial, and educational organizations from Europe, Africa, America and other countries. This affiliation will enable CERT-MU to respond more effectively to security incidents.

Dear Readers,

Today’s enterprise and global critical infrastructure is more vulnerable than ever due to the changing threat landscape. The typical cybercriminal is no longer defacing a website from a personal computer for fun and notoriety. They have more to steal. Organisations have become a rich target as more valuable information is being stored on network accessible devices and services every day. Historically, enterprises have focused on securing sensitive customer data such as consumer credit card information, but now other information such as details of critical infrastructure and other records are targeted as well. This has been confirmed with the discovery of sophisticated cyber-attacks such as Flame, and . In these circumstances, our duty is to protect our critical infrastructure and valuable information from being attacked. One way of doing it is by educating people and making them aware of the latest threats.

The third edition of the CERT-MU e-Security Newsletter will not only help you to understand the specifics of information security and trends but also keep you up to date with the latest information security issues, statistics, tips and events. We trust that you will find the articles interesting and enjoy reading.

The e-Security Newsletter Team

CERT-MU e-Security Newsletter | Volume 2 | Issue 2 | July 2012

A New Era of Cyber Warfare with Flame

The virus known as ‘Flame’ is the third major cyber weapon uncovered after the Stuxnet virus that attacked Iran’s nuclear program in 2010 and Duqu in 2011. Flame came to light following an investigation prompted by the UN’s International Telecommunication Union (ITU) about malicious code that was deleting sensitive information across the Middle East. While searching for that code, nicknamed “Wiper”, Kaspersky Lab discovered the malware Worm.Win32.Flame. Flame is a sophisticated attack toolkit: it is a backdoor, a Trojan, and has worm-like features. This allows it to replicate in a local network and on removable media. The malware targets Windows computers and once the system is infected, it begins a complex set of operations. These include sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, amongst others. The data captured is then made available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame’s functionality. About 20 modules have been detected in Flame.

Flame also has the ability to replicate through local networks. It exploits a printer vulnerability (Vulnerability in Print Spooler Service Could Allow Remote Code Execution, MS10-061). This vulnerability was also exploited by Stuxnet, by using a special Microsoft Operations Framework (MOF) file executed on the attacked system using Windows Management Instrumentation, and secondly via remote job tasks.

Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. However, security experts have not detected them in action yet. This is because the feature appears to be disabled in Flame’s configuration data. But the ability to infect USB sticks is present in the code. Two methods are used and they are as follows:

1. Autorun Infector: the “Autorun.inf” method from early Stuxnet, using the “shell32.dll” “trick”. This method was only used in Stuxnet and was not detected in any other malware.
2. Euphoria: spread on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened.

When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.


The Complexity of Flame

The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. It has about 100 times as much code as a typical virus designed to steal financial information, as per Kaspersky Labs. Due to this complexity, it is very difficult to analyse Flame. The malware is very big because it consists of several libraries such as ‘zlib’, ‘libbz2’ and ‘ppmd’ for compression, sqlite3 for database manipulation and a Lua virtual machine. Lua is a scripting (programming) language which can very easily be extended and interfaced with C code. Many parts of Flame have high-order logic written in Lua, with effective attack subroutines and libraries compiled from C++. In addition, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.

According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as a “prefix collision attack”. This allowed the virus to fake digital credentials that helped it to spread. The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant. Security experts have added that the design of this new variant required world-class cryptanalysis. Moreover, running and debugging the malware is also not trivial as it is not a conventional executable application, but several DLL files that are loaded on system boot.

The purpose of Flame

The discovery of complex cyber-attacks is not new. In 2010, there was Stuxnet, a software virus that disrupted the operation of centrifuges at nuclear facilities in Iran. In 2011, Duqu was discovered, a computer worm that was built on much of the same code as Stuxnet, but which concentrated on espionage rather than sabotage, extracting data out of computers that it infected. Flame has been compared to Duqu since both appeared to target similar geographical regions and have been created for the same purpose. According to security experts, Flame has been created to collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and others.

The Self-Destruction of Flame

Several weeks after the detection of Flame, the malware was ordered to self-destruct. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, according to Symantec’s security response team. According to the security firm Symantec, its command-and-control (C&C) servers had sent an updated directive to the virus, which it termed “Flamer”, designed to remove it from compromised computers. The commands leave no traces of the Flame infection behind. Therefore, any client receiving this file would have had all traces of Flame removed.

How to remove Flame from infected computers

The International Telecommunications Union (ITU) – International Multilateral Partnership Against Cyber Threat (IMPACT) and Kaspersky Labs have developed a special edition tool to eradicate all espionage-related malware from affected systems. The tool is the Kaspersky Virus Removal Tool Special ITU Edition, a customised tool that removes detrimental malware such as Flame, Stuxnet, Duqu and all other known malicious programs.

The tool can be downloaded from the CERT-MU website (www.cert-mu.gov.mu), security tools section. The Virus Removal Tool is aimed at curing infected computers (running under Microsoft Windows) of malicious programs including the Flame virus. The application does not require installation and the steps below can be performed to scan the computer for viruses:

- Start the application from any device, for example, a removable drive
- When the application starts, a window with the License Agreement is displayed
- You must agree with the License Agreement and then click on the Start button to open the main application
- In the left part of the window, select the Automatic Scan tab and click the Start Scanning button
- If the tool detects a threat that is currently active in the system (for example, a malicious process in RAM or in startup objects), a notification pops up to carry out the disinfection procedure.

Attacks on Mobile Devices

- According to new statistics from Symantec, the number of malicious cyber attacks has increased to 81% in 2011
- Mobile vulnerabilities have increased by 93% in 2011 and there has been a rise in threats that targeted Android devices.
- 2011 was the year that mobile malware presented a tangible threat to businesses and consumers. Threats are designed for activities such as data collection, sending of content and user tracking.

The Transition of IPv4 to IPv6 Raises New Security Challenges

The Internet Protocol (IP) is the primary communications protocol for determining how data packets are routed around the Internet and is responsible for the addressing system that ensures traffic is routed to the intended destination. Basically, the Web was running on Internet Protocol version 4 (IPv4), which is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. With IPv4, the Internet’s address space consisted of about 4 billion addresses. Unfortunately, the landscape has changed. Today, the Internet has grown to be a million-network network and this growth has led to the depletion of the Internet’s address space. In addition, with time, several shortcomings of IPv4 have been detected. To address these limitations, IPv6 (Internet Protocol version 6) was introduced and will succeed IPv4. On June 6 2012, the World IPv6 Launch Day was celebrated worldwide and in Mauritius. The World IPv6 Launch represents the next step in the evolution of the Internet and marks a milestone in its history. As the successor to the Internet Protocol IPv4, IPv6 is seen as crucial to the continued growth of the Internet as a platform for innovation and economic development. In line with its vision for “spearheading Internet Technology in the African Region”, the African Network Information Centre (AfriNIC) has been encouraging the African Internet Community and its stakeholders to adopt the new protocol IPv6. According to the estimation of AfriNIC, Africa will run out of IPv4 around 2013/2014 and it is important for Africa to build a stable Internet infrastructure for the future. To achieve this purpose, AfriNIC has been actively spreading IPv6 best experiences, trainings and know-how over the past six years.

The transition to IPv6 is not optional as the Internet and the number of devices connected to it continue to expand. There are many reasons for switching over to IPv6 beyond the fact that the number of available IP addresses is at exhaustion point: it offers security improvements over IPv4, such as mandatory use of IPSec for encryption and authentication, it offers auto-configuration for new devices connected to the network, it offers superior connections for mobile devices and it improves peer-to-peer collaboration capabilities.

Increase in attacks with the adoption of IPv6

The adoption of IPv6, however, introduces new security issues that need to be addressed, including an increased risk of distributed denial of service and buffer overflow attacks. From a security perspective, IPv6 exposes businesses to cyber-attacks, as IPv6 can be used to bypass security controls and filters designed and configured for IPv4 traffic. The number of IPv6 attacks is relatively small, but as IPv6 is being widely adopted, there will be an increase in attacks. Security researchers have already seen widespread malware with IPv6-based command-and-control capabilities. Given the relative lack of attention paid to IPv6, this technique can completely bypass existing protection such as non-IPv6-enabled firewalls. IPv6 uses a completely different scheme of IP addresses and, while having a large number of IP addresses will benefit companies from a management point of view, it will also benefit cyber criminals. Not only will criminals be able to switch IP addresses frequently, which makes it difficult to track and trace them, but many existing security controls that rely on blacklisting malicious IP addresses will cease to be effective. Cyber criminals will be able to rotate IP addresses rapidly, which can pose a challenge to the effectiveness of blacklisting and even grey and whitelisting.

In addition, with IPv6, it is important to note that it is a new technology. The majority of security professionals and networking engineers are conversant with the protection of IPv4 networks. As such, the adoption of IPv6 also means a shortage of skills to deal with IPv6 problems. The IT personnel in many organisations lack the knowledge of working with this technology and they have not gone through a transition like this in the past. As a result, there is a potential to create security holes during the transition process. This can occur in the creation of usage and security policies for IPv6. Not all existing corporate policies implemented in IPv4 environments can be translated syntactically for IPv6 environments. There is a need to rewrite these policies and the lack of operational expertise makes it more likely that an IT manager will unintentionally create a security hole while writing those new policies.


IPv6 also raises technical issues. One of them is header manipulation. The use of extension headers and Internet Protocol Security (IPSec) can deter some common sources of attacks based on header manipulation. However, the fact that Extension Headers (EH) must be processed by all stacks can be a source of concern: a long chain of EH, or some considerably large-sized ones, could be used to overwhelm certain nodes, for example firewalls, or to masquerade an attack. Moreover, spoofing remains a possibility in IPv6 networks. However, due to Neighbor Discovery (ND), spoofing is only possible by nodes on the same network segment. The same does not apply to 6to4 transition networks. Although one approach to 6to4 transition is using some form of dual-stack functionality, another approach is using some type of tunneling. Since tunneling requires that a protocol is encapsulated in another, its use could be a source of security problems such as address spoofing, in case a spoofed address is used to make an external packet appear as one that originated from the inside network.

Flooding issues are also a source of problems in IPv6. Scanning for valid host addresses and services is more difficult in IPv6 networks than it is in IPv4. To effectively scan a whole IPv6 segment may take up to 580 billion years because the address space uses 64 bits. However, the larger addressing space does not mean that IPv6 is totally invulnerable to this type of attack. In addition, the lack of broadcast addresses does not make IPv6 more secure. New features such as multicast addresses continue to be a cause of problems. Smurf-type attacks are also possible on multicast traffic.

Another concern in IPv6 is Mobility. This is a totally new feature of IPv6 that was not available in IPv4. Mobility is a very complex function that raises a considerable amount of concern when considering security aspects. Mobility uses two types of addresses: the real address and the mobile address. The real address is a typical IPv6 address contained in an extension header. The second is a temporary address contained in the IP header. Due to the characteristics of this network, the temporary component of a mobile node address could be exposed to spoofing attacks on the home agent. Mobility requires special security measures and network administrators therefore must be fully aware of them.

Without doubt, IPv6 is a considerable improvement as compared to IPv4. The new protocol provides countless features that improve the overall functionality and includes some security functions. Although IPv6 solves old security problems of IPv4, it also raises new security challenges that have to be addressed.

Cyber Security Events 2012

2012 Workshop on the Security of the Internet of Things
July 30 | Munich, Germany

The c0c0n 2012 - International Information Security Conference
August 2-4 | Trivandrum, India

SANS Vulnerability Management Summit 2012
August 14 | San Antonio, USA

SecurIT 1st International Security Conference on Internet of Things 2012
August 17 | Kollam, India

7th International Workshop on Critical Information Infrastructure Security
September 17 | Lillehammer, Norway

Nullcon Delhi 2012
September 26-29 | Delhi, India

12th Global Symposium for Regulators
October 1-4 | Colombo, Sri Lanka

ITU TELECOM WORLD
October 14-18 | Dubai, United Arab Emirates

Cyber Defense Forum 2012
October 24 | Prague, Czech Republic
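The two IPv6 concerns raised in the article above, long or malformed extension-header chains and spoofed inner addresses in 6to4 tunnels, turned into defender-side checks. This is an added example, not code from the newsletter or from CERT-MU; the chain limits (four headers, 256 bytes) and the allowed upper-layer protocols are an assumed site policy, and every packet is constructed inside the block.

```python
"""Defender-side checks for two IPv6 concerns: long or malformed
extension-header chains, and spoofed inner addresses in 6to4 tunnels.
All packets below are constructed sample data, not captured traffic."""
import ipaddress
import struct

# IANA protocol numbers of the extension headers this walker understands.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
               51: "AH", 60: "Destination Options"}
# Next-header values accepted after the chain (assumed site policy).
ALLOWED_NEXT = {4, 6, 17, 41, 47, 50, 58, 59}


def walk_extension_headers(packet: bytes, max_chain: int = 4,
                           max_bytes: int = 256):
    """Walk the extension-header chain after the 40-byte fixed header.
    Returns (chain_names, findings); an empty findings list means the
    chain is within the limits a filtering node would accept."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return [], ["not an IPv6 packet"]
    next_hdr, offset = packet[6], 40
    chain, findings = [], []
    while next_hdr in EXT_HEADERS:
        name = EXT_HEADERS[next_hdr]
        if offset + 8 > len(packet):          # every EH is at least 8 bytes
            findings.append(f"truncated {name} header")
            return chain, findings
        if next_hdr == 44:                    # Fragment: fixed 8 bytes
            hdr_len = 8
        elif next_hdr == 51:                  # AH: (len + 2) * 4 bytes
            hdr_len = (packet[offset + 1] + 2) * 4
        else:                                 # others: (len + 1) * 8 bytes
            hdr_len = (packet[offset + 1] + 1) * 8
        if next_hdr == 0 and chain:           # RFC 2460: must come first
            findings.append("Hop-by-Hop header not first in chain")
        if name in chain and next_hdr != 60:  # DestOpts may legally repeat
            findings.append(f"duplicate {name} header")
        chain.append(name)
        if offset + hdr_len > len(packet):
            findings.append(f"{name} header length exceeds packet")
            return chain, findings
        next_hdr = packet[offset]
        offset += hdr_len
    if len(chain) > max_chain:
        findings.append(f"chain of {len(chain)} headers exceeds {max_chain}")
    if offset - 40 > max_bytes:
        findings.append(f"{offset - 40} EH bytes exceed {max_bytes}")
    if next_hdr not in ALLOWED_NEXT:
        findings.append(f"next header {next_hdr} not in allow-list")
    return chain, findings


def check_6to4(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """6to4 (RFC 3056) embeds the IPv4 address in 2002:VVWW:XXYY::/48.
    A decapsulator should only accept an inner 2002:: source whose
    embedded IPv4 address equals the outer IPv4 source (RFC 3964);
    a mismatch is the tunnel address spoofing the article warns about."""
    v6 = ipaddress.IPv6Address(inner_ipv6_src)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        return False
    embedded = ipaddress.IPv4Address(v6.packed[2:6])
    return embedded == ipaddress.IPv4Address(outer_ipv4_src)


def ipv6_packet(ext_types, final=6) -> bytes:
    """Build a constructed IPv6 packet whose chain is ext_types then final."""
    nexts = ext_types + [final]
    body = b""
    for i, t in enumerate(ext_types):
        nh = nexts[i + 1]
        if t == 44:
            body += struct.pack("!BBHI", nh, 0, 0, 0)   # 8-byte fragment hdr
        elif t == 51:
            body += bytes([nh, 2]) + b"\x00" * 14       # AH, len 2 -> 16 B
        else:
            body += bytes([nh, 0]) + b"\x00" * 6        # 8-byte option hdr
    fixed = struct.pack("!IHBB", 0x60000000, len(body), nexts[0], 64)
    return fixed + b"\x00" * 32 + body                  # zero src/dst


if __name__ == "__main__":
    for pkt in (ipv6_packet([0, 60, 44]), ipv6_packet([60] * 6),
                ipv6_packet([60, 0]), ipv6_packet([60])[:40]):
        print(walk_extension_headers(pkt))
    print(check_6to4("192.0.2.10", "2002:c000:20a::1"))   # True
    print(check_6to4("198.51.100.7", "2002:c000:20a::1"))  # False
```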

Did you know?

According to a recent Global Youth Online Behaviour Survey conducted by Microsoft, 54 per cent of children, which represents more than half of children across the world, worry about being bullied online. The survey was conducted in 25 countries from January 2012 to February 2012 and children aged from eight to seventeen were targeted. The survey focuses on how kids are treating one another online and whether their parents are addressing online behaviours.

Read More: http://www.gov.mu/portal/sites/cert/isn-more.html

News Focus

The Flashback Trojan

There was a myth about the security of the Mac platform whereby Apple users do not require anti-virus software. However, with the appearance of a variant of the Trojan BackDoor.Flashback, also known as the Flashback Trojan, it is no longer the case. The Trojan has infected over 600,000 Mac computers, forming a botnet that includes 274 bots located in Cupertino, California, the location of the headquarters of Apple Inc. The Flashback Trojan is a malicious software program that exploited a security hole in Java and tricked users into installing it by masquerading as an installer for Adobe Flash. While the original version of Flashback and its initial variants relied on users to install them, this new form of Flashback is a drive-by download. The new variant of the Flashback Trojan has been designed to steal personal information. According to the Russian antivirus company Dr.Web, the number of Macs infected with Flashback has increased to more than 600,000. In addition, 56.6% of the infections are located within the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.

There are two ways in which the Flashback Trojan can get installed on a computer. Firstly, when the user visits a malicious web site containing Flashback on an OS X system with Java installed, the malware will ask for an administrator password and, if it is supplied with one, it will install its package of code into the Applications folder. Secondly, if a password is not entered, the malware will install to the user accounts where it can run in a more global way. After the installation, the Flashback Trojan will inject code into Web browsers and other applications like Skype to harvest passwords and other information from those programs’ users. Apple released a tool known as the Flashback Checker that checks whether the system is infected or not. If the results displayed include the message “No Signs of infection were found,” then the PC is not infected. However, if you are infected, the utility alerts you.

‘Operation High Roller’ – Biggest Cyber Bank Robbery in History

About sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters attacked dozens of financial institutions around the world. According to a joint report by security firm McAfee and Guardian Analytics, more than 60 firms have suffered from what it has called an “insider level of understanding”. The attacks began in Europe but have spread to Latin America and the United States. As per the report, the objective behind ‘Operation High Roller’ is to drain off large amounts from high balance accounts. An automated malicious software programme was discovered that used servers to process thousands of attempted thefts from commercial firms such as credit unions, large multinational and regional banks; individuals have been attacked as well. According to the security firms, the criminals have shifted from their routine attacks and have got into the bank servers and constructed software which is automated. McAfee researchers have been able to track the global fraud, which is still continuing across different countries and continents. They have identified 60 different servers as well as the one that has been used to steal 60 million euro. Several servers identified are located in Russia. These attacks are considered to be the biggest and most sophisticated cyber bank robbery in history.

CERT-MU Events

Workshop on Mobile Hacking and Applications Security

Mobile devices have become an essential tool in most organisations. Mobile phone deployments have increased significantly and they have been adopted by multitudes of end users for convenient email access and for accessing organisational resources and production applications. As mobile devices are widely adopted in organisations, they are also becoming an attractive and vulnerable target for cyber criminals. To address this issue, a workshop on Mobile Hacking and Applications Security was organised by CERT-MU on 31st May 2012 at Cyber-City, Ebene. Several presentations were conducted and they focused on Mobile Risks and Countermeasures, Design Considerations for Enterprise Mobile Security and Android Applications Security. On this occasion, a brochure on “Tips to Secure Your Mobile Phone” was launched by the Minister of Information and Communications Technology.

A Certificate Award Ceremony was also held to award successful participants who completed the ISO 27001 Implementers Course and the Lead Auditor Course, which were organized by the National Computer Board in December 2011.

Safer Internet Day 2012

Safer Internet Day is an international event organised by Insafe in February each year to promote safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world. The theme for this year’s Safer Internet Day was “Connecting Generations and Educating each other – Discover the Internet Together, safely!”, where the focus was on sensitizing Internet users of all generations irrespective of their age, culture and communities. On this occasion, the National Computer Board organized a workshop targeted at State and Private Secondary School students, rectors and ICT teachers. Some 2600 students have already been sensitized. In addition, ICT teachers of primary schools across the island have also been trained on the issues of child online safety.

As a continuation of the Safer Internet Day campaign, the National Computer Board, in collaboration with the Ministry of Education and Human Resources, has been conducting awareness sessions on Internet Safety and Security in schools and colleges in the four zones of the country. Other activities that were organized include an online Internet Security quiz competition for State and Private Secondary School students.

Latest Security Guidelines & Tips

Guidelines

CERT-MU publishes Information Security Guidelines on a regular basis to help and guide users in adopting best practices and implementing them whenever possible. The highlights of some of the guidelines are as follows:

Guideline on Windows 7 Parental Controls

This guideline is aimed at assisting parents in protecting children’s online interactions and activities. The target audience for this guideline are parents, teachers, rectors and the public in general, who can help children to stay safe and more secure on the Internet.

Guideline on Incident Handling and Reporting

The purpose of this guideline is to provide the basis for the creation of incident response policies, plans, procedures, and teams to handle incidents within an organisation. The guideline also consists of an incident handler’s checklist template that can be used to ensure that each incident response step is being followed during an incident. The guide focuses on computer security related incidents and the target audience are IT professionals and managers responsible for incident handling and management.

Guideline on Wireless Security

The guideline on Wireless Security is focused towards helping organisations to secure their wireless networks against attacks. It is also aimed at guiding individual users who make use of wireless networks to surf on the Internet at home and in public places.

Guideline on Debit or Credit Cards Usage

This guideline provides an overview of the bank cards available for use and their security aspects in terms of access. The target audience of this guideline include all users of debit and credit bank cards.

The guidelines can be downloaded on the CERT-MU website: www.cert-mu.org.mu

Security Tips

- Do not click on the "unsubscribe" link at the bottom of unsolicited emails

Spam filters are catching most unwanted e-mail, but some might still reach you. Most spam is designed to get you to respond with your own email or to click a link to "unsubscribe." When you respond or click the "unsubscribe" link, the sender takes your email address and adds it to a SPAM database of active email addresses. You might then start to receive a large amount of SPAM in your inbox.

- Avoid default installations

Devices or applications often come with default configurations and this poses high security risks. Attackers can easily exploit the default passwords. Necessary measures should be taken to change the default passwords to better protect the devices or applications.

- Install the latest version of your web browser and keep it up to date

Always make use of the latest version of your web browser and keep it up to date. The latest updates of web browsers contain security fixes and new features that can help to protect your computer while you are online.

- Only install add-ons from websites that you trust

Web browser add-ons allow webpages to display things like toolbars, stock tickers, video, and animation. However, add-ons can also install spyware or other malicious software. If a website asks you to install an add-on, make sure that you check it before you start installing it.

Forthcoming Events

A Workshop on Identity and Access Management will be organized by CERT-MU in August 2012.

Join us there!


Mauritian Computer Emergency Response Team (CERT-MU)

National Computer Board 7th Floor, Stratton Court, La Poudriere Street, Port Louis

Tel: 210 5520 Fax: 208 0119

Website: www.cert-mu.org.mu

Incident Reporting Hotline: 800 2378 Email: [email protected]

Vulnerability Reporting Email: [email protected]

For Queries Email: [email protected]

Subscription to Mailing Lists Email: [email protected]