Research
This is an archive for Research.
Wednesday, February 22, 2012 @ 04:02 PM gHale
The Low Orbit Ion Cannon (LOIC) is popular among hackers who want to take down a particular website, and now there is a version designed for Android users.
The tool first appeared via Anonymous Argentina as the hacktivists urged their supporters to download the application to aid their cause, McAfee researchers said.
The developers didn’t start this WebLOIC for Android from the ground up. They simply ported the web application using a free online service that creates Android apps from a URL or a piece of HTML code.
Created to aid Anonymous in OpArgentina, the LOIC for Android went out in a hurry; they didn’t even resize the page to fit the screen of a smartphone.
Researchers determined that it was programmed to send 1,000 HTTP requests, with one of the parameters being the message “We are LEGION.”
McAfee identified this tool as Android/DIYDoS and cataloged it as being a potentially unwanted program (PUP).
“Because the application’s purpose is simply to display any website on an Android system, we classify this hack tool a potentially unwanted program,” McAfee Labs Malware Researcher Carlos Castillo said.
Another reason this tool is a PUP is prior reports in which hacktivists tried to dupe unsuspecting Internet users into clicking links that led to a version of web LOIC that automatically sent large numbers of packets toward a designated target.
DOS tools such as LOIC have become popular not only among hackers, but also among regular users who support their causes.
The best example for this is the massive attacks that took place following the Megaupload closure. At the time, reports revealed more than 5,000 individuals used these automated tools to launch attacks against the FBI, RIAA, the U.S. Department of Justice and many others.
Tuesday, February 21, 2012 @ 06:02 PM gHale
If manufacturers don’t stay on top of their game, dust in any industrial setting is a potential safety nightmare, but with expanded industrial-scale production of nanomaterials coming online, experts worry dust generated during processing of nanomaterials may explode more easily.
Nanomaterial dust could explode due to a spark with only 1/30th the energy needed to ignite sugar dust — the cause of the 2008 Port Wentworth, GA, explosion that killed 13 people, injured 42 people and destroyed a factory.
Dust explosions are among the earliest recorded causes of industrial accidents — dating back to a 1785 flour warehouse disaster — and are still a constant threat at facilities that process fine particles of various materials, said Dr. Paul Amyotte, P.Eng., and professor in the chemical engineering department at Dalhousie University in Halifax, Nova Scotia, Canada.
Despite significant research, there is still much for scientists to learn about the risks of dust explosions in industry, especially “nontraditional” dusts, and a constant threat exists. That’s why the researchers decided to probe the potential of explosion of three types of nontraditional dusts: Nanomaterials; flocculent (fibrous or fuzzy) materials used in various products, such as floor coverings; and hybrid mixtures of a dust and a flammable gas or vapor.
After reviewing results of studies, the researchers concluded the energy needed to ignite nanomaterials made of metals, such as aluminum, is less than 1 mJ, which is less than 1/30th the energy required to ignite sugar dust or less than 1/60th the energy required to set wheat dust aflame.
Flocking is a process that generates static electricity, which could set off an explosion of flocculent dust, they said. And the addition of a flammable gas or vapor to a dust as a hybrid mixture increases the chance that the dust will explode.
The researchers warn safety needs to be paramount to prevent these materials from exposure to sparks, collisions or friction, which could fuel an explosion.
Tuesday, February 21, 2012 @ 02:02 PM gHale
Cybercriminals have gotten to a point where they can build an intricate network infrastructure and use it repeatedly for the distribution of malware, according to a new study.
These malware networks, or malnets, lure targets through trusted websites, then route them to malware through relay, exploit and payload servers to deliver the malware payload, according to the study from network security company Blue Coat Systems.
While the sophistication level of these malnets keeps increasing, Blue Coat said they are identifiable and the user can block the malware attacks.
The problem is these malnets are constantly on the move, making them hard to pin down, the Blue Coat Systems 2012 Security Report said. In one case, in early February, a malware payload changed locations more than 1,500 times in a single day.
“These guys have become very sophisticated in really laying out these malware delivery networks, this organized set of infrastructure that they then activate, deactivate and can re-purpose depending on what they’re launching,” said Blue Coat’s Sasi Murthy. “They can now use this infrastructure and launch any kind of new attacks with pretty minimal effort.”
Information about these malnets came together through the security vendor’s WebPulse cloud service, which studies the Web traffic of 75 million users worldwide to identify potential malware attacks.
One notable malnet incident of late was the Urchin site-injection attack, which began on Oct. 6, 2011, and lasted for 10 days. Blue Coat, however, started tracking Urchin four months earlier in June as part of the Shnakule malnet, and WebPulse viewed Urchin suspiciously. During the ensuing months, while Urchin lay dormant on the Internet, WebPulse matched the “DNA” of servers believed to be harboring Urchin and was able to block all requests from suspicious servers on the day the attack launched.
“We could see the sharks under the water before the fins were above the surface,” Murthy said.
Wednesday, February 15, 2012 @ 04:02 PM gHale
There is a smart piece of malware programmed to steal documents from the infected computer and upload them to the sendspace.com hosting site.
Sendspace has been used before to store stolen data because the service lets crooks “send, receive, track and share” big files, but the process had never before been automated by malware, Trend Micro researchers said.
The infection begins with an executable file called Fedex_Invoice.exe, identified as TROJ_DOFOIL.GE, the file’s name hinting that it may spread with the use of a fake “FedEx failed delivery” spam campaign.
Once the file executes, it downloads and executes TSPY_SPCESEND.A, a Trojan that searches the local drive for Word and Excel documents, collecting them in a password-protected archive placed in the user’s temporary folder.
After it creates the archive, it uploads it to Sendspace and transmits the download link to the malware’s command-and-control server. This way the crooks don’t have to store all the files on the C&C; instead they retrieve them from the file-hosting service.
“We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” said Trend Micro Solutions Evangelist Ivan Macalintal.
This discovery is bothersome because it means information theft and exfiltration are not confined to targeted attacks; they are present in mass campaigns as well.
This is a perfect time for users to check their personal documents, especially if they’re stored on company computers, and make sure all the sensitive files are in a safe place.
Wednesday, February 15, 2012 @ 04:02 PM gHale
New reactor and plant designs need stepped up plans for security, according to a report from a group of nuclear scientists.
While most safety procedures and precautions at U.S. nuclear plants are geared toward accidents, more attention needs to go to intentional attacks and sabotage, said the extensive report, “The Future of Nuclear Power in the United States,” released last week by the Federation of American Scientists (FAS) and Washington and Lee University.
Harold Feiveson, a senior research scientist and member of Princeton University’s Program on Science and Global Security at the Woodrow Wilson School of Public and International Affairs, wrote the 144-page report’s security analysis section. He analyzed the design basis threat (DBT), an assessment of the plausible threats that nuclear plants confront and must defend against.
He said despite improvements in the DBT after the 9/11 terrorist attacks, “questions remain whether the DBT is yet realistic enough to capture plausible threats by terrorist groups, and whether the DBT and associated reactor security operations have been adjusted to accommodate industry concerns with cost.”
“There will always be the possibility of a beyond-DBT attack on a reactor,” he said. He recommended the nuclear power industry pursue new reactor designs, reactor site locations, and operational procedures that would boost the inherent safety and security of the plants.
He said the terror threat to nuclear plants comes primarily in two types: The first is a commando-like ground-based attack possibly abetted by an insider, on some designated targets and nuclear compounds. The target could be critical equipment, which if disabled could lead to a core meltdown or dispersal of radioactivity from the spent fuel pool. The second type is an external attack that uses either brute force or electronic stealth. Attackers could use an aircraft crashed into a reactor complex, or a cyber attack, which could also come from an insider at a plant.
An attack doesn’t necessarily have to target the reactor itself, Feiveson said. Spent fuel pools, used to store used reactor fuel rods, generally do not get as much protection from the containment dome and are more vulnerable than the reactor to attacks from the ground or air.
He said the way in which a utility manages the pools could greatly affect the risks of large releases of radioactivity in the event of loss of cooling. He cited a 2003 study by independent scientists that showed with densely packed spent fuel rods, a loss of water coolant could potentially lead to a propagating zirconium fire and a large radioactive release to the environment. Zirconium is the material commonly used in cladding the fuel rods.
Although the DBT has improved and force-on-force security exercises done by the Nuclear Regulatory Commission every three years have stepped up security, Feiveson said questions remain about the DBT’s ability to halt a terror attack and whether nuclear reactor security operations have adequately adjusted to address industry concerns with costs.
“Whatever the DBT, there will always be the possibility of a beyond-DBT attack on a reactor,” he said. “This suggests the value of the nuclear industry seeking reactor designs and operational procedures that are more inherently safe than the current systems.”
Monday, February 13, 2012 @ 05:02 PM gHale
Distributed denial-of-service (DDoS) attacks continue to flourish and they may become much easier for attackers as tools and services continue to hit the market.
In addition, wireless network operators’ security capabilities appear to lag their wired counterparts by about 10 years, principally in terms of the visibility they do or don’t have into what’s happening on their TCP/IP networks, which now serve an enormous number of smartphone users and their growing data consumption requirements, according to a research study by security firm Arbor Networks.
“Wireless operators around the world had become what I like to call ‘accidental ISPs’ over the last four years, since the introduction of the iPhone,” said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks.
“Some of the larger providers have really done a tremendous job of making a transition, understanding that TCP/IP is really the future,” he said. “But there are a number of wireless providers around the world at which the senior management doesn’t agree with the proposition that their primary business is now Internet access, and that voice … will become [only] packetized TCP/IP.”
At those organizations, knowledge of TCP/IP security can lag, which leaves the telecommunications carriers at greater risk of not being able to cope with DDoS attacks launched at their wireless networks. “There’s still this focus on minutes versus packets. It’s going to take a lot of time for the industry to make that conceptual shift,” said Dobbins.
Meanwhile, the hacking group Anonymous created its low orbit ion cannon (LOIC) DDoS attack tool, which worked very well for them but also gave defenders a chance to add to their threat intelligence.
LOIC is just one of many DDoS tools now available for online use, downloading, or renting. There’s now a thriving DDoS tool and botnet ecosystem that includes “single user flooding tools, small host booters, shell booters, remote access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots, and some commercial DDoS services,” said Curt Wilson, a research analyst at Arbor Networks. “Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative” – as in, profitable for whoever’s renting out the DDoS capabilities.
Wilson counted 55 different DDoS tools, which are still just a fraction of what’s publicly and commercially available. Of course, some of these tools are more dangerous than others.
There are complex DDoS toolkits and related bots, and typically also Web-based command-and-control interfaces. These toolkits sport names such as Darkness/Optima, DeDal, Dirt Jumper, G-Bot, and Russian Armageddon. Services such as Death DDoS Service and Totoro offer commercial DDoS options, meaning that rather than running the tools themselves, attackers can just outsource the job.
Why launch a DDoS attack? Many times, as with botnets, the goal is to steal information, such as financial details or passwords. But such attacks also see use for business purposes. “While there are numerous motives for DDoS, such as revenge, extortion, competitive advantage, and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor,” said Wilson. “More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot.”
Half of DDoS attacks now focus on ideology, according to the Arbor Networks 2011 attacks study. “Ideologically and politically motivated DDoS attacks have dramatically risen as the perceived root cause of large-scale DDoS attacks on the Internet,” Dobbins said.
Previously, service providers and network operators saw the leading causes of DDoS attacks as “nihilism, vandalism, criminal activity, and gaming activity — people unhappy with their gaming comrades, who DDoS them,” he said. “Then there’s criminal extortion, where people will demand ‘protection money’ to allow a DDoS’d site to come back up.”