Security News

Did the US write Stuxnet? Deputy Defense Secretary won’t deny it

Last night, US TV station CNBC broadcast a documentary entitled “CodeWars: America’s Cyber Threat”, looking at the threat of cyberwarfare, hacker attacks on critical infrastructure and the risk of technology made in China containing spyware.

Deputy Defense Secretary William Lynn was amongst those interviewed. He confirmed that US government networks receive thousands of attempted hacker attacks every day, and that on occasion weapons systems plans and critical information have been lost in the assaults.
The US government isn’t alone in being targeted by attackers, of course; we have heard a similar message from British politicians this year, for instance.

But, as Wired magazine points out, Lynn was also asked directly whether the US was involved in the development of the infamous Stuxnet worm.

Avoiding the question, Lynn replies:

"The challenges of Stuxnet, as I said, what it shows you is the difficulty of any, any attribution and it's something that we’re still looking at, it's hard to get into any kind of comment on that until we've finished our examination."

Reporter Melissa Lee is tenacious, however, and tries asking again:

"But sir, I’m not asking you if you think another country was involved. I’m asking you if the US was involved. If the Department of Defense was involved."

Lynn’s response?

"And this is not something that we’re going to be able to answer at this point."

Unfortunately I haven’t been able to find a video clip online of this exchange.

Of course, a refusal to confirm or deny the US’s involvement in the Stuxnet worm isn’t an admission. After all, it’s possible that Lynn simply doesn’t know if the USA was involved – and doesn’t want to be caught on film denying something which later turns out to be true.

Or it’s possible that he’s not authorised to deny the US’s involvement for reasons best known to the higher echelons of US politics.

Or maybe the USA really was involved in Stuxnet, but Lynn realises what a monumental sh*t-storm that would create on the international stage, so he thought better than to confirm it on a CNBC documentary.

Whatever the truth, it’s always fun to see a politician squirm when put on the spot regarding their own country’s murky activities on the internet.

Long term readers of Naked Security will remember that a couple of years ago I reported on how the BBC’s Eddie Mair mischievously tied the then UK Security Minister into knots over the tricky question of whether the UK ever attacks other countries in cyberspace:

You’ll notice that Lord West makes the same point as the US Deputy Defense Secretary: a key problem with internet attacks is attribution – proving that someone (or some nation) is behind a cyber attack is very, very difficult.

By the way, if you’re wondering why there’s a picture of ABBA’s Anni-Frid Lyngstad alongside Lord West in that video you’ll have to read my original article.

Apple support to infected Mac users: “You cannot show the customer how to stop the process”

ZDNet writer Ed Bott has posted the latest instructions to Apple tech support personnel regarding users calling in with active fake anti-virus “MacDefender” infections.

Bott says he acquired the documents by talking with two anonymous Apple support representatives about how Apple is coping with the first widespread attack against OS X users. According to his sources Apple has received an estimated 60,000 tech support calls related to the infections.

It has been encouraging that many Apple customers have been taking this attack seriously and taking preventative measures like installing our free anti-virus program for OS X.

Apple is apparently telling support reps to tell customers:

“Apple’s [sic] doesn’t recommend or guarantee any specific third part [sic] anti-virus protection over another. However I can suggest several third party virus protection programs that you may want to consider researching to find the best one for your needs.”

But they still have their heads buried in the sand when it comes to assisting their customers. The memo, acquired from an outsourced support company, says:

Screenshot of leaked Apple memo

“Things you must never do according to the client [Apple].”

  • You cannot show the customer how to force quit Safari on a Mac Defender call
  • You cannot show the customer how to remove from the Login items.
  • You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
  • You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the forums)

Apple’s famous PR savvy apparently doesn’t apply to handling security incidents. It is genuinely tragic that such a large number of OS X users are falling victim to this scam, and Apple’s response is less than helpful.

You could argue that Apple created this false sense of security through their marketing and advertisements suggesting Apple users are immune to security threats. Now that some of their flock are affected, it would be good of them to at least point people in the right direction.

Many journalists have asked me in the last few weeks whether this is being hyped by the anti-virus business. Are real people being impacted? Judge for yourself… Apple’s reaction says more about the problem than I can possibly explain.

Regardless of platform, we all need to be safe with the choices we make on our computing devices, whether we use tablets, Linux, Windows, OS X, or Android. When enough people let their guard down they become easy targets, and criminals will take advantage of the lowest hanging fruit.

Until next time… Stay secure.

by Chester Wisniewski on May 24, 2011

President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act

Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:

  1. Full name plus any two of the following
    1. Address and phone number
    2. Mother’s maiden name
    3. Month, day, and year of birth
  2. Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number
  3. Biometric data such as fingerprints, retinal scans, etc.
  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes
  5. Any combination of the following
    1. First and last name or first initial and last name
    2. See item four above
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If data is determined to be properly protected and evidence is submitted on time, individual notifications would be unnecessary. Financial institutions that only lose account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:

  • Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.
  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:

  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.
  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.
  • The breach involves a database owned by the United States government.
  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.

by Chester Wisniewski on May 19, 2011

Google rolls out silent fix for Android security vulnerability

There’s good news for any owners of Android devices worried about the recently announced security vulnerability that could allow unauthorised parties to snoop on your Google Calendar and Contacts information.

Google has already started rolling out a fix!

The issue had already been fixed in Android 2.3.4 (codenamed Gingerbread), but as we mentioned earlier this week, over 99% of Android users are running earlier versions of the operating system.

Google has started to implement a server-side patch that addresses the issue for all versions of the Android OS. The great news is that it doesn’t require a software update on the Android devices themselves – meaning the fix is automatic and worldwide. Effectively this is a silent fix.

The fix addresses a vulnerability with the use of authTokens for Google’s Calendar and Contacts apps discovered by researchers at Germany’s University of Ulm, but a similar issue with Picasa is still being investigated. If not fixed, the problems could mean that a hacker could snoop on your activity when you use an unencrypted WiFi hotspot and steal personal information.

Google reckons the work will be complete, and all devices secured from this vulnerability, within the week by forcing its servers to use an encrypted HTTPS connection when Android phones try to sync with them.

Here’s what a Google spokesperson had to say:

"Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."

So, it’s a very good thing that this problem is being fixed. Of course, concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.

by Graham Cluley on May 19, 2011

Report: Sony Music Greece, Indonesia hacked

Elinor Mills of CNET Security posted some useful information earlier today, and this is what she said.

Sony Music Greece was hacked with its user data published to the Web and Sony Music Indonesia’s Web site was defaced, according to an online news report.

The attacks, if confirmed, would be just the latest in a series of security problems the company has had in the past month starting with a distributed denial-of-service attack by the loosely organized hacker group Anonymous in early April to protest Sony’s taking PS3 hackers to court.

A Sony spokeswoman provided this statement via e-mail this evening: “There was an online tweet that one page of Sony Music Indonesia’s Web site was altered and Sony Music Indonesia shut down the access to such page and started investigation. We are investigating the Sony Music Greece matter.”

The Sony Music Greece site was attacked with a SQL injection method and customer names, user names, and e-mail addresses of potentially more than 8,300 users were posted online, The Hacker News reported on Sunday. It displayed a screen shot that said “hacked by b4d_vipera.” The link to the Pastebin page was empty as of Monday morning.

Chester Wisniewski at Sophos included a snippet of redacted data from the Pastebin page on his Naked Security blog post and said that it appeared to be incomplete “as it claims to include passwords, telephone numbers and other data that is either missing or bogus.”

The site was down this morning. Users should reset their passwords when they can and be alert to the possibility of phishing attacks, Wisniewski wrote.

The Hacker News first reported the Sony Greece hack on Saturday, as well as reporting that the Sony Music Indonesia site had been defaced with a screenshot saying “defaced by k4L0ng666.” The Indonesia site was accessible on Monday morning.

On Friday, The Wall Street Journal reported that someone broke into the network of Sony’s Japanese ISP subsidiary, So-net Entertainment, compromised e-mail accounts and stole customer rewards points. Also late last week, Sony Thailand’s site was hacked and being used for phishing, according to ZDNet UK.

However, the big Sony breach came in April when someone hacked into the PlayStation Network and exposed personal information from 77 million customer accounts. Shortly thereafter, the company said attackers may also have obtained data from close to 25 million Sony Online Entertainment accounts.

It’s likely that the subsequent attacks are not all connected, but could instead indicate that attackers are testing Sony’s network for weaknesses and exploiting confusion among Sony customers about security of their accounts.
