DOCSLIB.ORG

Stuxnet : Analysis, Myths and Realities

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ACTUSÉCU 27 XMCO David Helan STUXNET : ANALYSIS, MYTHS AND REALITIES CONTENTS Stuxnet: complete two-part article on THE virus of 2010 Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet Current news: Top 10 hacking techniques, zero-day IE, Gsdays 2010, ProFTPD... Blogs, softwares and our favorite Tweets... This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [1] Are you concerned by IT security in your company? ACTU SÉCU 27 XMCO Partners is a consultancy whose business is IT security audits. Services: Intrusion tests Our experts in intrusion can test your networks, systems and web applications Use of OWASP, OSSTMM and CCWAPSS technologies Security audit Technical and organizational audit of the security of your Information System Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley PCI DSS support Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification. CERT-XMCO: Vulnerability monitoring Personalized monitoring of vulnerabilities and the fixes affecting your Information System CERT-XMCO: Response to intrusion Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy About XMCO Partners: Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information- systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts. To contact XMCO Partners and discover our services: http://www.xmco.fr WWW.XMCO.FR This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [2] EDITORIAL NUMBER 27 FEB. 2011 We wish you a happy 2011… ACTUSECU This is the first issue of ActuSécu certainly be implementation errors in 2011. As usual, a very busy that may be exploited by pirates, year end made us a little late in especially as these are particularly Editor in chief: writing this issue. ingenious concerning hacking Adrien GUINAULT means of payment. The XMCO team is strengthened Contributors: with the arrival of Florent We hope that you find this issue Charles DAGOUAT Hochwelker, a security consultant interesting and we look forward to Florent HOCHWELKER coming from SkyRecon. The seeing you at Black Hat Stéphane JIN security of the Windows kernel, Barcelona, for which XMCO is a François LEGUE DEP bypass and other tricks for partner. Frédéric CHARPENTIER happily causing memory overflows Yannick HAMON no longer hold any secrets for him. Frédéric Charpentier Florent has also written its first Chief Technology Officer article in this issue. CONTACT XMCO What will 2011 bring us in terms of [email protected] attacks and security? Without [email protected] wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be THE XMCO AGENDA the year of m-payment: contactless mobile payments (by PCI DSS QSA TRAINING NFC or GSM). Although these 7 and 8 March in London technologies are, a priori, new, BLACKHAT EUROPE they are based on existing and 16 and 17 March in Barcelona proven frameworks. There will BLACK HAT This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [3] STUXNET PART I P. 5 BOOKMARKS AND TOOLS P. 52 P. 13 CONTENTS STUXNET... ...PART II Stuxnet Part I: analysis, myths and realities..5 An examination of THE virus of 2010 Stuxnet Part II: technical analysis.................13 Propagation, infection and attacks on industrial systems. Keyboard Layout vulnerability......................29 Analysis of the "elevation of privileges" vulnerability KEYBOARD used by Stuxnet (MS10-073). LAYOUT P. 29 Current news..................................................38 Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD... Blogs, software and extensions...................52 IMA, VMware compliance checker, Twitter and the rn_101 blog. CURRENT XMCO 2011 NEWS P. 38 This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [4] ACTU SÉCU 27 Stuxnet, elected malware of STUXNET PART I : the year HISTORY, MYTHS AND It would have been ACTU SÉCU 27 inconceivable not to devote an article to THE malware of the REALITIES year 2010. Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject. Karsten Kneese Karsten If there is one thing to remember about 2010, it is surely To quickly reach its target, the malware also uses a the case of Stuxnet. This is because this malware, password defined by default within certain SCADA specifically produced to carry out the second highly- (Supervisory Control And Data Acquisition) systems. publicized targeted attack of 2010 (after Aurora) This is based on the Siemens SIMATIC WinCC caused comment for more than six months! This article software. is intended as a summary of this long period, which was punctuated by many new developments. It covers the “Stuxnet is a complex piece of malware development of the discoveries and announcements constructed from many items, intended to that took place during this period and tries to analyze all sabotage the normal functioning of certain the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and critical systems. ” false realities, this article will appraise the situation as Thanks to all the work performed by various completely as possible. researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in Preliminary reminders several stages: firstly, a removable item of storage media is used to compromise a system on a local Stuxnet is a complex piece of malware constructed from network. Once present on a network, the malware many items, intended to sabotage the normal replicates, moving towards the discovery of a point of functioning of certain critical systems. In contrast to access to its target: a system on which WinCC is the somewhat indiscreet approach which is used to installed. access these sensitive systems, this sabotage is intended to be very discreet. Secondly, when such a target is discovered, the To approach its target, Stuxnet exploits at least four behavior of the various items controlling the target zero-day vulnerabilities (currently all corrected by architecture is modified in order to physically impair Microsoft) targeting different versions of Windows, as the integrity of the industrial production system. In the well as the famous MS08-067 vulnerability that was case of Stuxnet, this concerns modifying the normal corrected several years ago. function of certain critical systems by manipulating their WWW.XMCO.FR controllers. This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [5] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27 History the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the It is difficult to create a comprehensive history of the security vulnerability through WebDAV sharing. This events relative to Stuxnet because of the numerous code allowed a pirate simply to encourage an Internet new developments and announcements during this long user to visit a web page with Internet Explorer to take period. Limiting ourselves to the dates of the control of the underlying system. The same day discoveries made and publicized by the researchers Symantec renamed W32. Temphid to W32.Stuxnet, and would not really make sense. It is necessary to consider Siemens reported that the company was in the process the period before the media took an interest in this of studying reports referring to the compromise of subject, as this attack is so complex. We are therefore several SCADA systems linked to WinCC. going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the On 20 July, Symantec announced that it had media interest in this sabotage campaign. Also, all this discovered how the malware communicated with its takes into account discoveries made after this attack command and control (C&C) servers, and the meaning attracted media interest. of the exchanged messages. On 21 July, MITRE assigned reference From Stuxnet CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Everything officially began on 17 June 2010, when the Siemens. A password had been hard-coded and could Belarusian company Virusblokada published a report on be used to access certain components of Siemens the virus RootkitTmphider, mentioning the LNK applications with elevated privileges. security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code Two days afterwards, on 23 July, VeriSign revoked the when opening a directory, whether it is shared (SMB, certificate belonging to JMicron Technology Corp. WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to “On 17 July, Symantec renamed arouse comment. MITRE dedicated reference "W32.Temphid" as "W32.Stuxnet" and CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under Siemens reported that the company was in the name of W32. Temphid. the process of studying reports referring to the compromise of several SCADA systems The next day, on 14 July, MITRE assigned references linked to WinCC ” CVE-2010-2729 and CVE-201 0-2743 to security vulnerabilities present in the print spooler and in the keyboard management.
Recommended publications
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre­ and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook­ evercookies and respawning and the discovery of a new ev­ ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track­ The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing.
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • 2016 8Th International Conference on Cyber Conflict: Cyber Power

    2016 8Th International Conference on Cyber Conflict: Cyber Power

    2016 8th International Conference on Cyber Conflict: Cyber Power N.Pissanidis, H.Rõigas, M.Veenendaal (Eds.) 31 MAY - 03 JUNE 2016, TALLINN, ESTONIA 2016 8TH International ConFerence on CYBER ConFlict: CYBER POWER Copyright © 2016 by NATO CCD COE Publications. All rights reserved. IEEE Catalog Number: CFP1626N-PRT ISBN (print): 978-9949-9544-8-3 ISBN (pdf): 978-9949-9544-9-0 CopyriGHT AND Reprint Permissions No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, and for personal or educational use when for non-profit or non-commercial purposes, providing that copies bear this notice and a full citation on the first page as follows: [Article author(s)], [full article title] 2016 8th International Conference on Cyber Conflict: Cyber Power N.Pissanidis, H.Rõigas, M.Veenendaal (Eds.) 2016 © NATO CCD COE Publications PrinteD copies OF THIS PUBlication are availaBLE From: NATO CCD COE Publications Filtri tee 12, 10132 Tallinn, Estonia Phone: +372 717 6800 Fax: +372 717 6308 E-mail: [email protected] Web: www.ccdcoe.org Head of publishing: Jaanika Rannu Layout: Jaakko Matsalu LEGAL NOTICE: This publication contains opinions of the respective authors only. They do not necessarily reflect the policy or the opinion of NATO CCD COE, NATO, or any agency or any government.
  • How to Analyze the Cyber Threat from Drones

    How to Analyze the Cyber Threat from Drones

    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
  • Zeszyty T 13 2018 Tytulowa I Redakcyjna

    Zeszyty T 13 2018 Tytulowa I Redakcyjna

    POLITECHNIKA KOSZALIŃSKA Zeszyty Naukowe Wydziału Elektroniki i Informatyki Nr 13 KOSZALIN 2018 Zeszyty Naukowe Wydziału Elektroniki i Informatyki Nr 13 ISSN 1897-7421 ISBN 978-83-7365-501-0 Przewodniczący Uczelnianej Rady Wydawniczej Zbigniew Danielewicz Przewodniczący Komitetu Redakcyjnego Aleksy Patryn Komitet Redakcyjny Krzysztof Bzdyra Walery Susłow Wiesław Madej Józef Drabarek Adam Słowik Strona internetowa https://weii.tu.koszalin.pl/nauka/zeszyty-naukowe Projekt okładki Tadeusz Walczak Skład, łamanie Maciej Bączek © Copyright by Wydawnictwo Uczelniane Politechniki Koszalińskiej Koszalin 2018 Wydawnictwo Uczelniane Politechniki Koszalińskiej 75-620 Koszalin, ul. Racławicka 15-17 Koszalin 2018, wyd. I, ark. wyd. 5,72, format B-5, nakład 100 egz. Druk: INTRO-DRUK, Koszalin Spis treści Damian Giebas, Rafał Wojszczyk ..................................................................................................................................................... 5 Zastosowanie wybranych reprezentacji graficznych do analizy aplikacji wielowątkowych Grzegorz Górski, Paweł Koziołko ...................................................................................................................................................... 27 Semantyczne ataki na aplikacje internetowe wykorzystujące język HTML i arkusze CSS Grzegorz Górski, Paweł Koziołko ..................................................................................................................................................... 37 Analiza skuteczności wybranych metod
  • Tracking the Cookies a Quantitative Study on User Perceptions About Online Tracking

    Tracking the Cookies a Quantitative Study on User Perceptions About Online Tracking

    Bachelor of Science in Computer Science Mars 2019 Tracking the cookies A quantitative study on user perceptions about online tracking. Christian Gribing Arlfors Simon Nilsson Faculty of Computing, Blekinge Institute of Technology, 371 79 Karlskrona, Sweden This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfilment of the requirements for the degree of Bachelor of Science in Computer Science. The thesis is equivalent to 20 weeks of full time studies. The authors declare that they are the sole authors of this thesis and that they have not used any sources other than those listed in the bibliography and identified as references. They further declare that they have not submitted this thesis at any other institution to obtain a degree. Contact Information: Author(s): Christian Gribing Arlfors E-mail: [email protected] Simon Nilsson E-mail: [email protected] University advisor: Fredrik Erlandsson Department of Computer Science Faculty of Computing Internet : www.bth.se Blekinge Institute of Technology Phone : +46 455 38 50 00 SE–371 79 Karlskrona, Sweden Fax : +46 455 38 50 57 Abstract Background. Cookies and third-party requests are partially implemented to en- hance user experience when traversing the web, without them the web browsing would be a tedious and repetitive task. However, their technology also enables com- panies to track users across the web to see which sites they visit, which items they buy and their overall browsing habits which can intrude on users privacy. Objectives. This thesis will present user perceptions and thoughts on the tracking that occurs on their most frequently visited websites.
  • On the Privacy Implications of Real Time Bidding

    On the Privacy Implications of Real Time Bidding

    On the Privacy Implications of Real Time Bidding A Dissertation Presented by Muhammad Ahmad Bashir to The Khoury College of Computer Sciences in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Northeastern University Boston, Massachusetts August 2019 To my parents, Javed Hanif and Najia Javed for their unconditional support, love, and prayers. i Contents List of Figures v List of Tables viii Acknowledgmentsx Abstract of the Dissertation xi 1 Introduction1 1.1 Problem Statement..................................3 1.1.1 Information Sharing Through Cookie Matching...............3 1.1.2 Information Sharing Through Ad Exchanges During RTB Auctions....5 1.2 Contributions.....................................5 1.2.1 A Generic Methodology For Detecting Information Sharing Among A&A companies..................................6 1.2.2 Transparency & Compliance: An Analysis of the ads.txt Standard...7 1.2.3 Modeling User’s Digital Privacy Footprint..................9 1.3 Roadmap....................................... 10 2 Background and Definitions 11 2.1 Online Display Advertising.............................. 11 2.2 Targeted Advertising................................. 13 2.2.1 Online Tracking............................... 14 2.2.2 Retargeted Ads................................ 14 2.3 Real Time Bidding.................................. 14 2.3.1 Overview................................... 15 2.3.2 Cookie Matching............................... 16 2.3.3 Advertisement Served via RTB.......................
  • Anti-Virus Issues, Malicious Software and Internet Attacks for Non-Technical Audiences

    Anti-Virus Issues, Malicious Software and Internet Attacks for Non-Technical Audiences

    Known Knowns, Known Unknowns and Unknown Unknowns: Anti-virus issues, malicious software and Internet attacks for non-technical audiences By Daniel Bilar Introduction [Heading] The risks associated with the internet have changed significantly. A recent study claims that a typical Microsoft Windows machine is subjected to autonomous infiltration attempts - not just mere pings and probes - from worms and botnets looking for clients once every six minutes.1 Stealth – not exhibitionism or hubris – characterizes this breed of attacks and concomitantly deployed malicious software. Unbeknownst even to experienced human operators, surreptitious attacks are able to insert malicious code deep within the bowels of individual computers and the wider supporting internet communication and control infrastructure such as wireless access points, home routers, and domain name servers.2 In addition to stealth, social engineering via e-mail, Instant 1 Gabor Szappanos, ‘A Day in the Life of An Average User’, Virus Bulletin, January 2009, 10-13, available at http://www.virusbtn.com/. 2 Most users do not bother to change the default passwords on home devices such as routers. Browser vulnerabilities can then be exploited by malicious software to alter the DNS settings of the router, thereby directing any name lookup query to a DNS of the attacker’s choice. This may be used to spoof a bank web site, for instance. See Sid Stamm, Zulfikar Ramzan and Markus Jakobsson, ‘Drive-By Pharming’, Lecture Notes in Computer Science 4861, (Springer, 2007), 495-506 and Hristo Bojinov, Elie Bursztein, Eric Lovett and Dan Boneh, ‘Embedded Management Interfaces: Emerging Massive Insecurity’, Blackhat Technical Briefing, Blackhat USA 2009 (Las Vegas, USA, August 2009), available at http://www.blackhat.com/presentations/bh-usa- 09/BOJINOV/BHUSA09-Bojinov-EmbeddedMgmt-PAPER.pdf.
  • Hack Para Big Time 2019 New Inazuma Eleven GO 2K19 Mini Forum, Answers, Tips, Tricks and Glitches

    Hack Para Big Time 2019 New Inazuma Eleven GO 2K19 Mini Forum, Answers, Tips, Tricks and Glitches

    hack para big time 2019 New Inazuma Eleven GO 2K19 Mini Forum, Answers, Tips, Tricks and Glitches. Ask a Question or Help other Players by Answering the Questions on the List Below: Rate this app: More details. For Android: 4.0 and up Guide: New Inazuma Eleven GO 2K19 cheats tutorial When updated: 2019-06-30 Star Rating: 4.1952863 Name: New Inazuma Eleven GO 2K19 hack for android Extension: Apk Author: NGmer File Name: inazuma.newtips.eleventips.soccerguide Current Version: 2.1 User Rating: Everyone Downloads: 1000- Version: mod, apk, unlock System: Android Type: Education. Share New Inazuma Eleven GO 2K19 Cheats Guides Hints And Tutorials - Best Tactics from Users below. New Inazuma Eleven GO 2K19 Tricks and Codes: Add your tips. Hints and Tips: Glitches: Codes: Guide: Easter Eggs: Advice for new users: Please wait 10 seconds. New Inazuma Eleven GO 2K19 Hack Cheats Codes Tips Tricks Advices for New Users and Q&A! Add your questions or answers. Q: How to get the best score? Q: What is your favourite trick in this game/app? Q: What is your strategy? Watch New Inazuma Eleven GO 2K19 videoreviews, gameplays, videoinstructions, tutorials, guides, tips and tricks recorded by users, pro players and testers. New Inazuma Eleven GO 2K19 Gameplay, Trailers and Related Videos. Watch Inazuma Eleven Go Strikers 2013 Raimon GO 2.0 Vs Inazuma Legend Japan Wii 1080p (Dolphin/Gameplay) video. Watch NBA 2K19 ► MY PRO PLAYER #19 - ON LES EXPLOOOOSE video. Watch Mashup || Inazuma Eleven GO opening 2 VS Sincara WWE || video. Watch Inazuma Eleven Go Strikers 2013 Part3 video.
  • Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers

    Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers

    A PROPOSED FRAMEWORK FOR BUSINESSES AND POLICYMAKERS PRELIMINARY FTC STAFF REPORT FEDERAL TRADE COMMISSION | DECEMBER 2010 A PROPOSED FRAMEWORK FOR BUSINESSES AND POLICYMAKERS PRELIMINARY FTC STAFF REPORT DECEMBER 2010 TABLE OF CONTENTS EXECUTIVE SUMMARY...................................................... i I. INTRODUCTION .......................................................1 II. BACKGROUND ........................................................3 A. Privacy and the FTC ...............................................3 1. The FTC Approach to Fair Information Practice Principles...........6 2. Harm-Based Approach .......................................9 B. Recent Privacy Initiatives ..........................................12 1. Enforcement...............................................12 2. Consumer and Business Education .............................13 3. Policymaking and Research...................................14 4. International Activities ......................................17 III. RE-EXAMINATION OF THE COMMISSION’S PRIVACY APPROACH .........19 A. Limitations of the FTC’s Existing Privacy Models.......................19 B. Technological Changes and New Business Models ......................21 IV. PRIVACY ROUNDTABLES .............................................22 A. Description. .....................................................22 B. Major Themes and Concepts from the Roundtables ......................22 1. Increased Collection and Use of Consumer Data ..................23 2. Lack of Understanding Undermines Informed
  • PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims

    PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims

    SPECIAL REPORT FIREEYE THREAT INTELLIGENCE PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims NOVEMBER 2015 SECURITY REIMAGINED SPECIAL REPORT Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims CONTENTS FIREEYE THREAT INTELLIGENCE Jonathan Wrolstad Barry Vengerik Introduction 3 Key Findings 4 The Operation 5 WITCHCOVEN in Action – Profiling Computers and Tracking Users 6 A Means to a Sinister End? 8 Assembling the Pieces 9 Finding a Needle in a Pile of Needles 11 Employ the Data to Deliver Malware 13 Effective, Efficient and Stealthy 15 Likely Intended Targets: Government Officials and Executives in the U.S. and Europe 18 Focus on Eastern Europe and Russian Organizations 18 Similar Reporting 19 Collateral Damage: Snaring Unintended Victims 19 Mitigation 21 Appendix: Technical Details 22 2 SPECIAL REPORT Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims INTRODUCTION The individuals behind this activity have amassed vast amounts of information on OVER web traffic and visitors to more than 100 websites—sites that the threat actors have selectively compromised to gain access to THE their collective audience. PAST we have identified suspected nation-state sponsored cyber actors engaged in a large-scale reconnaissance effort. This effort uses web analytics—the technologies to collect, analyze, and report data from the web—on compromised websites to passively collect information YEAR, from website visitors.1 The individuals behind this activity have amassed vast amounts of information on web traffic and visitors to over 100 websites—sites that the threat actors have selectively compromised to gain access to their collective audience. Web analytics is used every day in much the same way by advertisers, marketers and retailers for insight into the most effective ways to reach their customers and target audiences.
  • Chapter Malware, Vulnerabilities, and Threats

    Chapter Malware, Vulnerabilities, and Threats

    Chapter Malware, Vulnerabilities, and 9 Threats THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER: ✓ 3.1 Explain types of malware. ■ Adware ■ Virus ■ Spyware ■ Trojan ■ Rootkits ■ Backdoors ■ Logic bomb ■ Botnets ■ Ransomware ■ Polymorphic malware ■ Armored virus ✓ 3.2 Summarize various types of attacks. ■ Man-in-the-middle ■ DDoS ■ DoS ■ Replay ■ Smurf attack ■ Spoofing ■ Spam ■ Phishing ■ Spim ■ Vishing ■ Spear phishing ■ Xmas attack ■ Pharming ■ Privilege escalation ■ Malicious insider threat ■ DNS poisoning and ARP poisoning ■ Transitive access ■ Client-side attacks ■ Password attacks: Brute force; Dictionary attacks; Hybrid; Birthday attacks; Rainbow tables ■ Typo squatting/URL hijacking ■ Watering hole attack ✓ 3.5 Explain types of application attacks. ■ Cross-site scripting ■ SQL injection ■ LDAP injection ■ XML injection ■ Directory traversal/command injection ■ Buffer overflow ■ Integer overflow ■ Zero-day ■ Cookies and attachments; LSO (Locally Shared Objects); Flash Cookies; Malicious add-ons ■ Session hijacking ■ Header manipulation ■ Arbitrary code execution/remote code execution ✓ 3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities. ■ Interpret results of security assessment tools ■ Tools: Protocol analyzer; Vulnerability scanner; Honeypots; honeynets; Port scanner; Passive vs. active tools; Banner grabbing ■ Risk calculations: Threat vs. likelihood ■ Assessment types: Risk; Threat; Vulnerability ■ Assessment technique: Baseline reporting; Code review; Determine attack surface; Review architecture; Review designs ✓ 4.1 Explain the importance of application security controls and techniques. ■ Cross-site scripting prevention ■ Cross-site Request Forgery (XSRF) prevention ■ Server-side vs. client-side validation As we discussed in Chapter 1, “Measuring and Weighing Risk,” everywhere you turn there are risks; they begin the minute you fi rst turn on a computer and they grow exponen- tially the moment a network card becomes active.