
Category: Cyber warfare

Technology in cyber warfare and cyber security

Server Configuration Can Protect against Fast-Growing CHARGEN Attacks

Hundreds of thousands of Internet servers sit at risk of being used in a fast-growing technique to reflect and amplify distributed denial of service (DDoS) attacks, despite the fact that a simple server configuration change could eliminate the DDoS threat.


Incidents of DDoS attacks using the Character Generator (CHARGEN) protocol rose sharply in the third quarter of 2013, according to data reported in the Q3 2013 Global Attack Report from the Prolexic Security Engineering and Response Team (PLXsert).


Attacks using the CHARGEN protocol, which was noted as vulnerable to these types of attacks as early as 1999, were the fastest-growing type of DDoS attack in Q3 2013, with attackers using vulnerable servers around the world to reflect and amplify data onslaughts at target servers.


The CHARGEN protocol was initially created to enable testing and measurement of servers. Today, it is obsolete, and it should be disabled. Many legacy servers have it turned on by default.


Despite its age, the re-emergence of CHARGEN attacks within the underground DDoS-as-a-Service marketplace suggests the abuse of this internet protocol retains value to malicious actors engaging in distributed reflected denial of service (DrDoS) attacks.


In Q3, Prolexic observed CHARGEN DrDoS attacks against its customers in the gambling and entertainment industries. Prolexic’s experts mitigated these attacks before they affected the availability of the customers’ servers. A subsequent analysis found similar CHARGEN attack patterns in each case.


In the gambling industry attack, most of the reflected traffic originated from Asia, and particularly China. The attack lasted 1.5 hours and reached a peak rate of 2 Gbps.


In the entertainment industry incident, although much of the traffic originated in China, CHARGEN servers from all continents except Antarctica were engaged in the attack, which lasted a half-hour and reached a peak rate of 2 Gbps.


Because vulnerable servers used to reflect CHARGEN data may respond with as much as 17 times more data than they receive, attackers find the approach attractive. An attack launched with just one or two servers can overwhelm a standard 1GB virtual private server in a matter of seconds. In addition, because CHARGEN runs over UDP, the source IP address of requests can be spoofed, which provides pseudo-anonymity for attackers.


Meanwhile, hundreds of thousands of CHARGEN servers lie susceptible to use as attack vectors, a situation that can be readily addressed with a simple change to the server configuration. Of 1,000 attack events involving CHARGEN analyzed by PLXsert, more than 99 percent were found to have taken advantage of Windows servers – from Windows NT to Windows 2008 R2.


Step-by-step instructions explain how to disable CHARGEN on a Windows server in a case study on new DDoS techniques, including CHARGEN attacks, available in the Q3 2013 Global Attack Report from Prolexic.


More information is available in the Q3 2013 Global Attack Report.


DDoS Attackers' New Tactics Amplify Attack Sizes and Hide Identities

Distributed denial of service (DDoS) perpetrators changed tactics in Q3 2013 to boost denial of service attack sizes and hide their identities. By employing a type of DDoS attack called a reflection attack, which leverages the capabilities of vulnerable servers, malicious actors launched high-bandwidth attacks with fewer resources with the intent to cause outages at their intended targets.


As reported in Prolexic’s Q3 2013 Global Attack Report, the reflection attack method grew in popularity among malicious actors by 265% year-over-year compared to Q3 2012 and by 70% in just the past quarter. Attackers are flocking to these distributed reflection denial of service (DrDoS) attacks, because this type of attack method provides them with significant benefits.


One benefit of DrDoS attacks for the malicious actor is the obscuring of the source of the attack (anonymity). By going through a victim server, the original attacker’s identity is hidden. Instead, it looks like the victim servers initiated the attack against the target.


The other benefit of DrDoS attacks for malicious actors is the ability to use the bandwidth of intermediary victim servers to make the attack more powerful. Because the amplification factor is so large – for one type of protocol attack the amplification factor is 17 – less outbound bot traffic is needed and the botnet can be much smaller.


In DrDoS attacks there are always two or more victims: the malicious actor’s intended target and the intermediary servers. The intermediary victims usually participate unknowingly. They aren’t infected with malicious code. Instead, they may have a server feature turned on that DrDoS attackers have learned to exploit opportunistically – typically a common network protocol such as DNS or CHARGEN.
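The two properties described above, the reflector answering with many times more data than it receives and the reply going to a spoofed source, are also what a defender can see in flow records on either side of the attack. The following is an added example, not code from Prolexic or from the report; it runs over constructed NetFlow-style records (the field layout, hosts and byte counts are assumptions) and flags local hosts whose CHARGEN replies exceed an amplification threshold, lists where those replies are being sent, and works out how little attacker capacity must sit behind an observed flood given the 17x factor quoted in the text.

```python
"""Spot CHARGEN reflection abuse in UDP flow records (added example)."""
from collections import defaultdict

CHARGEN_PORT = 19
CHARGEN_MAX_AMPLIFICATION = 17.0   # "as much as 17 times", per the article
AMPLIFICATION_ALERT = 10.0         # assumed alert threshold: well below the maximum

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# Requests arrive at UDP/19; replies leave from UDP/19.
SAMPLE_FLOWS = [
    # requests whose source is spoofed to the intended target 203.0.113.10
    ("udp", "203.0.113.10", 40001, "192.0.2.5", 19, 40),
    ("udp", "203.0.113.10", 40002, "192.0.2.6", 19, 40),
    ("udp", "203.0.113.10", 40003, "192.0.2.7", 19, 40),
    # the reflectors answer the spoofed source with far more data than they got
    ("udp", "192.0.2.5", 19, "203.0.113.10", 40001, 680),
    ("udp", "192.0.2.6", 19, "203.0.113.10", 40002, 700),
    ("udp", "192.0.2.7", 19, "203.0.113.10", 40003, 660),
    # ordinary DNS traffic that must not be flagged
    ("udp", "198.51.100.4", 53001, "192.0.2.53", 53, 60),
    ("udp", "192.0.2.53", 53, "198.51.100.4", 53001, 120),
]


def amplification_by_reflector(flows):
    """Map each host answering on UDP/19 to bytes_sent / bytes_received."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == CHARGEN_PORT:
            received[dst] += nbytes
        elif sport == CHARGEN_PORT:
            sent[src] += nbytes
    return {host: sent[host] / received[host] for host in sent if received[host]}


def suspected_reflectors(flows, threshold=AMPLIFICATION_ALERT):
    """Hosts whose CHARGEN replies exceed the amplification threshold."""
    ratios = amplification_by_reflector(flows)
    return sorted(host for host, ratio in ratios.items() if ratio >= threshold)


def reflected_targets(flows):
    """Destinations receiving CHARGEN replies, with total bytes: the likely DDoS victims."""
    totals = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto == "udp" and sport == CHARGEN_PORT:
            totals[dst] += nbytes
    return dict(totals)


def attacker_capacity_behind(observed_bps, amplification=CHARGEN_MAX_AMPLIFICATION):
    """Upper bound on what the attacker had to send to produce observed_bps at the target."""
    return observed_bps / amplification


if __name__ == "__main__":
    print("reflectors:", suspected_reflectors(SAMPLE_FLOWS))
    print("targets:", reflected_targets(SAMPLE_FLOWS))
    print("capacity behind a 2 Gbps flood:", attacker_capacity_behind(2e9), "bps")
```

On the reflector's own network the first function is the useful one: a server that only ever sends 17 bytes out for every byte in on port 19 is being abused, whether or not anyone there notices an outage. On the target's network the second function identifies the incoming flood, and the third shows why a 2 Gbps attack tells you almost nothing about the size of the botnet behind it.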


In Q3 there was a big jump in UDP attacks and a corresponding drop in SYN attacks. The increase in UDP attacks is part of this reflection attack trend.


Another DDoS trend identified in Q3 was related to the number of attacks. We found that the total number of DDoS attacks launched against our clients in Q3 2013 remained high and represented the highest total ever for one quarter. Usually Q3 is a relatively quiet quarter, but the DDoS attack trend showed a consistently heightened level of DDoS activity around the world over the last six months.


Since Q3 2013, we have seen a 58 percent increase in total DDoS attacks, a 101 percent increase in application layer (Layer 7) attacks, a 48 percent increase in infrastructure (Layer 3 & 4) attacks and a 12.3 percent increase in the average attack duration.


Prolexic’s Q3 2013 Global DDoS Attack Report is available as a free PDF download. It includes a detailed analysis of the DDoS trend toward DrDoS reflection attacks. The analysis examines DrDoS attack methods, tools and services – specifically CHARGEN attacks being integrated into the DDoS threatscape – and provides steps for remediating CHARGEN attacks.


Cyber Mercenary 'Icefog' Attacks South Korean and Japanese Supply Chains

An advanced persistent threat (APT), named Icefog, has been detected, mostly targeting South Korean and Japanese supply chains, including government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media.


Icefog, tracked by Kaspersky since 2011, was recently discovered in June 2013 following an attack sample which was retrieved from Fuji TV. Upon analysis, different variants were identified — 6 to be exact. It was also found that these attacks were essentially a newer form of an original attack on the Japanese Parliament in 2011.


Icefog follows an ongoing trend, consisting of a relatively small group of attackers that perform hit-and-run tasks with a focus on supply chain. The attack is done, initially, through spear-phishing emails — the victims get an email with an attachment or link to malicious sites with downloadable files. When the files are downloaded, a backdoor is dropped into the system, giving Icefog access to the machine. Then specific, sensitive information is extracted with surgical precision. Special to Icefog’s method of attack, once information has been acquired, the group moves on to another machine in sharp contrast to the usual, long-time infection that other APTs maintain.


So, who, in general, is susceptible to Icefog’s attack? Their attacks are done through the use of custom-made cyber espionage tools that act on Microsoft Windows and Apple Mac OSX, leaving Linux computers immune to hacking attempts. An Android variant is suspected to exist, but has not yet been found.


Considering some of the major tensions in East Asia, Icefog’s attack pattern begs the question “are these attacks sponsored by a state?” Usually, state sponsorship is inferred from the motivations of a campaign, which tends to last a long time. Because of Icefog’s hit-and-run method of attack, it’s hard to determine an overarching theme beyond the supply chain, which makes it difficult to pinpoint anyone. It should be mentioned, though, that based on the IP addresses used to monitor and control the infrastructure, the parties that could be responsible for Icefog are deduced to be in China, South Korea, or Japan.


Fortunately, Kaspersky found a few command-and-control servers and sinkholed some of them — preventing access to hundreds of users. Additionally, Kaspersky is able to identify and neutralize all variants of Icefog. Despite the work being done towards these APTs, Kaspersky says that “In the future, [they] predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of ‘cyber mercenaries’ of the modern world.”


Kimsuky is a Simple Computer Virus That Targets South Korea

On September 11, Kaspersky’s research team published a report showing attacks on South Korea’s think-tanks. This cyber-espionage campaign, named Kimsuky, seemed to only target 11 South Korean and 2 Chinese groups—some of these groups include: the Sejong Institute, KIDA (Korea Institute for Defense Analysis), South Korea’s Ministry of Unification, Hyundai Merchant Marine, and supporters of the Korean Unification.

The first instance of Kimsuky’s activity was on April 3, 2013 and the first Trojan samples were found on May 5, 2013. This virus is special in that it’s pretty unsophisticated and communicated with its master using a public email server. Apparently, this is commonplace with amateur virus coders and is usually ignored. What caught the attention of the researchers was that Kimsuky used a Bulgarian email server and the code contains Hangul (Korean characters), which actually translate to “attack” and “completion.”


Because Kimsuky is highly limited and targeted, it is uncertain how it is being distributed. The early Trojan samples collected were delivered by spear-phishing emails. These emails have been traced to “kim” names and 10 IP addresses. These IP addresses connect this virus to networks in the Jilin and Liaoning provinces of China. Interestingly enough, there are lines in these provinces that connect to North Korea. Another interesting attribute of Kimsuky is that it disables the security tools of a South Korean anti-malware company, AhnLab.


Looking at Kimsuky’s targets and the source of the IP addresses, it seems as though the source of the malware is North Korea. Though, Kaspersky researchers say that “it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin.” In the end, there is no clear cut evidence to point any fingers.


Luckily, the code is, as previously mentioned, simple—Kaspersky products are able to detect and neutralize various Kimsuky threats.


Top Startup and Tech News Today-7 Things You Missed Today

1. Facebook’s Mark Zuckerberg on NSA Leaks: “The Government Blew It”


Mark Zuckerberg offered his outraged opinion when questioned about his thoughts on the fact that government is asking internet companies for user information. He says that “the government blew it” when it came to finding the balance between maintaining the civil liberties of the people and national protection. He has taken and plans to take more steps towards increasing the transparency of government requests for data.


Facebook joined a lawsuit asking the Obama administration to “allow it to disclose more details of its forced cooperation.” In addition, Zuckerberg plans on visiting Republican lawmakers in Washington D.C. and discuss the privacy issues.


2. Court Decision Means Another Look At Google Street View Case


Google has, once again, been accused of breaching wiretapping laws with their Street View car excursions. The U.S. Appeals Court in San Francisco does not plan on dismissing the lawsuit against the company which states that the Street View cars were taking advantage of unencrypted networks to collect digital conversations.


Google argues that the “internet data it was collecting was broadcast over the airwaves and was not encrypted” and that “the communications were more like radio transmissions than phone calls.” Circuit Judge Bybee stated that, while it is common for people to take advantage of neighbors’ unencrypted networks, they don’t normally record and decrypt the data obtained. This lawsuit could cost Google billions.


3. Five Startups to Watch From Kaplan’s TechStars-Powered Ed Tech Accelerator Demo Day


Kaplan’s one time joint ed tech accelerator with TechStars decided to run their ed tech accelerator program again with strong results. It’s no wonder—analysts have said that “venture capital deal activity remains strong in ed tech.” Five of the most highly praised startups on demo day are: Degreed, Flinja, Newsela, Ranku, Verificient.


Degreed’s goal is to provide a means of “quantifying and credentialing learning.” Flinja offers college students small projects to do in an effort to break the catch-22 of needing experience for a job while needing a job for experience. Newsela works to improve student literacy by providing stories, each of which comes in several levels of difficulty. Students will be given a version of a story that matches their reading level and they can opt for a more challenging version should they choose to do so. Ranku allows students to explore virtual degree programs that are able to provide a quality education at affordable prices. Verificient is an automated proctoring system that monitors keystrokes and facial expressions to keep virtual students honest whilst taking tests and whatnot.


4. Hanoi: 200 Students Off School Because of Hacker


An unidentified hacker broke into the security system of Ha Dinh primary school in Hanoi, Vietnam and sent messages to the parents of students. The first of the messages informed the parents of students that there would be unexpected work and that students would not need to attend on September 6th. A following message to the parents said that the school would be upgrading its facilities for improved education and asked for a contribution of VND1.2 million along with an extra VND200,000 per child. Luckily, the school caught wind of the messages soon after the second message was sent and followed up with a message clarifying the situation.


5. How the Internet of Things is Making Our Homes Smarter (And Easier to Hack)


With everything being connected together and to the internet, the world is becoming a more convenient place. However, this comes at a price: everything becomes accessible if someone tries hard enough.


John Matherly created a search engine named Shodan. It doesn’t function the same way other search engines like Google or Bing do—it searches for things that are connected to the internet. Additionally, it can tell how secure a device is. For example, it discovered a huge security flaw in a hydroelectric plant in France. What Matherly does with Shodan is to warn people of unsecure devices. In the end though, “it’s the customer’s responsibility to keep their own homes safe.”


6. Internet Entrepreneur Believed to be First 9/11 Casualty Remembered in New Book


No Better Time: The Brief, Remarkable Life of Danny Lewin, the Genius Who Transformed the Internet, a book written by Molly Knight Raskin details the first casualty of the September 11 attacks. He was stabbed on the first plane that hit the twin towers, leaving behind his wife and two children.


What makes him remarkable isn’t the fact that he’s the first casualty, but, instead, that he was one of the co-founders of a company known as Akamai. He and Tom Leighton, the other half of Akamai, worked on code to speed up dial-up internet connections. This success brought in billions of dollars overnight. While they started strongly, the company hit a wall and was losing money quickly—it was September 10 when they had worked out how to cut costs.


Though he left us early, he left behind a legacy that strongly impacted the internet.


7. Microsoft’s Concept Videos From 2000 Were Spot-On. So Why Didn’t Ballmer Build Any of It?


Back in the days of minidisc players and 9 keyed phones, Microsoft’s CEO, Steve Ballmer, had a vision; one where all devices within a household could be connected together. This idea came into existence before Apple, Google, or anyone else. What happened?


Essentially the company didn’t realize these aspirations due to disagreements on some aspects while other facets of the idea were before its time and, before long, the dot-com bubble burst. “Had the company executed on even a fraction of its vision, Microsoft wouldn’t be out looking for a new CEO,” stated a former Microsoft executive, Charles Fitzgerald.


Kaspersky Labs explains: How to Protect Your Business from Cyber Attacks Part II

In the first part of this article, we told you about targeted cyber attacks and how cyber criminals penetrate corporate networks, attacking the computers of employees who use their desktops for social networking and other cyber-skiving.


Along with targeted cyber attacks there are other threats. Intentionally or by chance, employees may be guilty of disclosing confidential data or breaking copyright laws, which might result in lawsuits against the company.


We will tell you about some incidents related to the storage and transfer of corporate documents via a personal mailbox or a cloud service and the use of software for P2P file sharing. We will explain what technologies and security policies allow system administrators and IT security specialists to prevent such incidents.


Reputation loss

Your company’s reputation is worth protecting - and not only from cyber criminals.  Employees who send professional correspondence to their personal mailboxes, download illegal content, or use pirated software on corporate computers never think they might damage their company’s reputation.


Confidential information disclosure

One company faced an incident in which extremely confidential information was disclosed. Data security specialists started the investigation by checking the leaked documents and were surprised to learn that the metadata still contained important information: the company’s name, the name of the computer where the document was last stored, authors’ names, e-mail addresses, telephone numbers, and more. Criminals usually delete this data to hide the source of the leak. During the investigation, the experts found that copies of the disclosed documents were stored on the computers of five employees. None of them admitted to handing the documents over to a third party; moreover, having learnt about the incident at the interview with security, all of them were genuinely surprised. After analyzing the corporate proxy-server logs, it was revealed that one of those five employees had uploaded copies of the disclosed files to a mail service.


At the second interview, this employee confessed that he had used his personal mailbox a few times to store corporate documents.  It was convenient: if he had no time to finish or read a document, he sent it to his personal mail and finished it at home.  Any employee could gain remote access to his corporate mailbox on request, but the employee hadn’t set up any extra protections.  He didn’t anticipate any problems with using his personal mailbox for work.


Having gained access to his personal mailbox, data security specialists checked the list of IP addresses used to connect to the e-mail.  Along with the employee’s home and corporate IP addresses, a lot of other addresses of proxy-servers from different countries surfaced.


While investigating the employee’s computer security, specialists discovered spyware that logged all the account data for different systems - sites, social networks, mailboxes, and online banking services.  Having used the malware to gain access to the employee’s mailbox, the criminal found a lot of corporate documents stored there.


Though the guilty employee was fired, the reputational damage to the company lingers on.
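The investigation above follows two steps a responder can reproduce: read the metadata the leaker did not strip, then use the names it yields to search the proxy logs for uploads to a personal mail service. The block below is an added example, not Kaspersky’s code or the tooling used in the case. A .docx file is a zip archive whose docProps/core.xml and docProps/app.xml carry the creator, last editor and company fields; a minimal archive is built in memory so the script runs offline. The user names, hosts, the webmail domain and the proxy log lines are all constructed for the demonstration.

```python
"""Document-leak triage: extract docx metadata, correlate with proxy logs (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ap": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed metadata parts of a leaked document (no document body needed).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>a.smith</cp:lastModifiedBy>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ap}"><Company>Example Corp</Company></Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Assemble a stand-in .docx (a zip with only the property parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return creator, last editor and company recorded inside the document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {
        "creator": core.findtext("dc:creator", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
        "company": app.findtext("ap:Company", namespaces=NS),
    }


# Constructed proxy log: timestamp user client_ip method url bytes_sent
PROXY_LOG = """\
2013-08-01T09:12:01 j.doe 10.0.0.21 GET http://intranet.example/report.docx 120
2013-08-01T18:40:17 a.smith 10.0.0.35 POST https://mail.example-webmail.net/upload 84211
2013-08-01T18:41:02 a.smith 10.0.0.35 POST https://mail.example-webmail.net/upload 61210
2013-08-02T10:03:55 b.lee 10.0.0.40 GET https://news.example.org/ 4300
"""

WEBMAIL_DOMAINS = ("example-webmail.net",)   # assumed list of personal mail services
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def uploads_to_webmail(log_text: str, users, domains=WEBMAIL_DOMAINS) -> list:
    """POST requests by the named users to any of the personal mail domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        ts, user, ip, method, url, nbytes = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if user in users and method == "POST" and any(host.endswith(d) for d in domains):
            hits.append({"time": ts, "user": user, "ip": ip, "bytes": int(nbytes)})
    return hits


def investigate(docx_bytes: bytes, log_text: str):
    """Metadata narrows the suspects; the proxy log shows who uploaded, when and from where."""
    meta = extract_metadata(docx_bytes)
    suspects = {meta["creator"], meta["last_modified_by"]}
    return meta, uploads_to_webmail(log_text, suspects)


if __name__ == "__main__":
    meta, hits = investigate(build_sample_docx(), PROXY_LOG)
    print(meta)
    for hit in hits:
        print(hit)
```

The same two functions serve prevention: running extract_metadata over documents before they leave the company shows what an outsider would learn from them, and the webmail-upload query, scheduled against the live proxy log, surfaces the habit described here before a criminal finds the mailbox.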



Breach of copyright

It’s widely known that downloading pirated content is a violation of copyright law. However, few people remember that when you use the Internet from your corporate network, you use the IP address of your company. This means that if a violation is discovered, it is the company that will be liable.


A small company suffered an unpleasant incident.  At certain times, there was a sharp drop in Internet connection speeds.  Network traffic statistics showed one computer using 80% of the network capacity, with in-coming and out-going connections going off the scale.  The sysadmin assumed that the computer was used to share files on a P2P network.


It turned out that one employee had brought his personal laptop and connected it to the corporate network. A BitTorrent client installed on the laptop was set to run automatically when the system started.  The employee had forgotten all about it and the program running on his laptop caused trouble with the Internet connection.


Three months later, local law enforcement authorities came to the office with a search warrant and took many hard drives and documents, because they suspected that the company had used pirated software, in breach of copyright rules.  In the end, the company was fined and, since then, stronger restrictions against pirate software have been introduced in the security policy.  Now, employees face serious sanctions for a first offense, and lose their jobs if there is any repeat.  In addition to those punishments, illegal content (hacked software, video, music, e-books, etc.) is forbidden whether it is downloaded to a corporate computer from the Internet, or if it is brought from home.
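The sysadmin in the story above found the laptop from traffic statistics alone: one host taking most of the capacity, with connections in both directions "going off the scale". The following added example (not from the Kaspersky article) shows that detection over constructed per-flow counters for one interval. A BitTorrent client stands out on three signals at once: a large share of total bytes, a large number of distinct remote peers on unprivileged ports, and uploads comparable to downloads; the 80% share is the figure quoted in the text, while the hosts, peers, ports and byte counts are assumptions generated with a fixed seed.

```python
"""Detect a P2P client from interval traffic statistics (added example)."""
from collections import defaultdict
import random


def constructed_flows(seed: int = 7):
    """Fake interval stats: (internal_ip, remote_ip, remote_port, bytes_in, bytes_out)."""
    rng = random.Random(seed)
    flows = []
    # ordinary desktops: a few HTTPS flows each, mostly downloads
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(4):
            flows.append((host, f"198.51.100.{i + 1}", 443,
                          rng.randint(20_000, 60_000), rng.randint(2_000, 5_000)))
    # the visitor's laptop with a torrent client: many peers, high ports, symmetric traffic
    for i in range(60):
        flows.append(("10.0.0.77", f"203.0.113.{i + 1}", rng.randint(6881, 65000),
                      rng.randint(40_000, 90_000), rng.randint(40_000, 90_000)))
    return flows


def per_host_summary(flows):
    """Aggregate bytes, distinct peers, high-port peers and in/out totals per internal host."""
    summary = defaultdict(lambda: {"bytes": 0, "in": 0, "out": 0,
                                   "peers": set(), "high_port_peers": set()})
    for host, peer, port, b_in, b_out in flows:
        s = summary[host]
        s["bytes"] += b_in + b_out
        s["in"] += b_in
        s["out"] += b_out
        s["peers"].add(peer)
        if port >= 1024:
            s["high_port_peers"].add(peer)
    return summary


def suspected_p2p_hosts(flows, share_threshold=0.8, min_peers=30):
    """Hosts using at least share_threshold of all bytes, across many high-port peers,
    with uploads at least half the size of downloads."""
    summary = per_host_summary(flows)
    total = sum(s["bytes"] for s in summary.values()) or 1
    suspects = []
    for host, s in summary.items():
        share = s["bytes"] / total
        symmetric = s["out"] >= 0.5 * s["in"]
        if (share >= share_threshold and len(s["high_port_peers"]) >= min_peers
                and symmetric):
            suspects.append((host, round(share, 3), len(s["peers"])))
    return sorted(suspects)


if __name__ == "__main__":
    for host, share, peers in suspected_p2p_hosts(constructed_flows()):
        print(f"{host}: {share:.1%} of interval bytes, {peers} distinct peers")
```

Any one of the three signals alone misfires (a backup job is large but talks to one server; a web crawler has many peers but little upload), which is why the check requires all of them before naming a host.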



We described just two cases in which the violation of corporate policies by employees led to serious incidents.  In everyday life, there are many more scenarios like this.  Fortunately, there are also some simple methods, which, together with security policies, can help to prevent the majority of these incidents.


Network Traffic Control

In the incidents described above - corporate documents leaked and unlicensed content loaded via P2P - the corporate network served as a channel to send and receive data. Firewalls, IPS, HIPS, and other technologies allow system administrators and IT security specialists to limit or block:

  • Access to public services and their servers - mail services, cloud storages, sites with forbidden content, etc.
  • Use of ports and protocols for P2P sharing
  • Sending corporate data outside the corporate network


It’s worth remembering that no single control of network traffic can provide the highest level of corporate network security.  In order to bypass security policies, employees can use traffic encryption methods, connect to the copies (mirrors) of blocked online services, or use proxy servers and anonymizers.  Moreover, many applications can use other application ports and embed their traffic into various protocols, which cannot be forbidden.  In spite of these obstacles, network traffic control is important and necessary, but it needs to be combined with application control and file encryption.


Application control


Using application control, a system administrator or data security specialist can not only forbid any unwanted software, but also track what applications employees use, as well as when and where they use them.  It’s almost impossible to prohibit all pirated software, as a lot of varieties of an application may be created and they may be almost identical.  So, the most effective approach is to use application control in default deny mode to ensure that all employees use only authorized software.
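The reason default deny wins over blocklisting is that the two policies key on different things. The following added example (not Kaspersky’s product logic) compares a blocklist that matches on file name, which a renamed or repacked copy of the same program slips past, with a default-deny allowlist keyed on the SHA-256 of the file contents, which runs only what was explicitly approved and records every decision so an administrator can see what was run, when, and by whom. The "executables" are constructed byte strings and the user and file names are assumptions.

```python
"""Blocklist versus default-deny application control (added example)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (a real PE starts with "MZ" too).
APPROVED_EDITOR = b"MZ\x90\x00approved-editor-v1"
PIRATED_SUITE = b"MZ\x90\x00cracked-office-suite"
PIRATED_SUITE_REPACKED = PIRATED_SUITE + b"\x00"   # same program, one byte different

BLOCKLIST_NAMES = {"office_crack.exe"}          # assumed name-based blocklist


def blocklist_allows(filename: str) -> bool:
    """Blocklist policy: anything not explicitly named as bad may run."""
    return filename not in BLOCKLIST_NAMES


def build_allowlist(approved: dict) -> set:
    """Default-deny policy state: hashes of the software the company authorizes."""
    return {sha256_hex(data) for data in approved.values()}


def default_deny_allows(contents: bytes, allowlist: set) -> bool:
    """Default-deny policy: run only if this exact binary was approved."""
    return sha256_hex(contents) in allowlist


class ApplicationControl:
    """Evaluates both policies for a launch and keeps an audit trail of decisions."""

    def __init__(self, approved: dict):
        self.allowlist = build_allowlist(approved)
        self.audit = []

    def evaluate(self, user: str, host: str, filename: str, contents: bytes) -> dict:
        decision = {
            "blocklist": blocklist_allows(filename),
            "default_deny": default_deny_allows(contents, self.allowlist),
        }
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "host": host, "file": filename,
            "sha256": sha256_hex(contents), **decision,
        })
        return decision

    def launches_by(self, user: str) -> list:
        """Who ran what, where: the tracking the text mentions."""
        return [e for e in self.audit if e["user"] == user]


if __name__ == "__main__":
    ac = ApplicationControl({"editor.exe": APPROVED_EDITOR})
    print(ac.evaluate("j.doe", "pc-21", "editor.exe", APPROVED_EDITOR))
    print(ac.evaluate("j.doe", "pc-21", "office_crack.exe", PIRATED_SUITE))
    print(ac.evaluate("j.doe", "pc-21", "setup.exe", PIRATED_SUITE_REPACKED))
```

The third launch is the case the text describes: a near-identical variant under a new name passes the blocklist but never passes default deny, because approval is tied to the bytes of the file rather than to what it calls itself.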


File encryption


It’s often impossible to track how employees use cloud services and personal mailboxes to store corporate data, which may include confidential information.  Many mail services and cloud storages encrypt files transmitted by a user but cannot guarantee protection against intruders - a stolen login and password will give access to the data.


To prevent this type of theft, many online services attach cell phone numbers to their accounts.  Along with the account data, a criminal will need to intercept a one-off confirmation code, sent to a mobile device during authorization.  Note that this protection is safe only if the mobile device has no malware that will let the criminal see the code.
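To show what the one-off confirmation code buys and where it stops, here is an added example that is not from the Kaspersky article. The article describes a code sent to a phone; this block uses the time-based variant from RFC 6238 (TOTP), the usual app-generated form of the same idea, implemented with only the Python standard library. Server and device share a secret, the code is derived from the current 30-second time step, and the server accepts one step either side for clock skew. The secret is the RFC’s published test vector, so the expected codes are published values; a stolen password alone yields no valid code, while malware on the device that can read the code, as the text notes, defeats the scheme.

```python
"""Time-based one-time codes (RFC 6238) as a second factor (added example)."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 appendix B test secret
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """The device side: counter is the number of elapsed 30-second steps."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """The server side: accept the current step or up to `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time; digit count follows
    what was submitted so 6- and 8-digit deployments share the check.
    """
    if not submitted.isdigit():
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d, len(submitted)), submitted)
        for d in range(-window, window + 1)
    )


def login(password_ok: bool, secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """Both factors must pass: a stolen password without the device's code fails."""
    return password_ok and verify(secret, submitted_code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted:", login(True, RFC_TEST_SECRET, code, now))
```

Codes are only ever valid for a step or two, which is why the interception the text describes has to happen on the device, at the moment of login, rather than from a password dump collected weeks earlier.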


Fortunately, there is a safer way to provide security for corporate documents transmitted beyond the corporate network - file encryption technology. Even if intruders get access to a mailbox or cloud storage where an employee stores corporate papers, they won’t be able to access the content of these documents, since they have been encrypted before their transmission to an external server.


Security policies

Network traffic control, application control, and data encryption are important security measures that can detect and automatically prevent data leaks as well as restrict the use of unwanted software on the corporate network.  It’s still necessary, however, to implement security policies and increase employee awareness, since many users do not realize their actions may threaten their company.


In case of repeated violations, security policies should lead to administrative sanctions towards the offender, including dismissal.


Security policies should also stipulate the actions that should be taken if a former employee has access to confidential information or critical infrastructure systems.



Incidents like confidential data leaks or unlicensed content loaded from a corporate IP address may cause significant damage to a company’s reputation.


To prevent this damage, companies should limit or completely block employee access to online resources that may be a threat to a company, and also limit or block the use of those ports, data transmission protocols, and applications that are not required for work.  File encryption technologies should be used in order to ensure the confidentiality and integrity of corporate documents.


IT security experts should keep in mind that, along with incident detection and prevention, they should pay attention to administrative protection measures. Users should be aware of what is allowed and prohibited by a security policy and the consequences of any violation.


Top Tech & Startup News - 7 Things You Missed Today

Tech and Startup News for August 7th, 2013:


1. Zynga shutting down OMGPOP

It’s been barely two years since Zynga purchased OMGPOP for $200 million, but now, Zynga has confirmed plans to shut down the game developer. Although some OMGPOP team members had attempted to buy back the site, games, and intellectual property, Zynga refused to sell anything from the company. OMGPOP games like Cupcake Corner, Snoops, and Gem Rush will all shut down on August 29th. The website for the company will also go dark at the end of September.


2. Hacktivist Richard Stallman advocates for ’truly free software’


During a recent lecture, held at NYU, the controversial hacker Richard Stallman warned that proprietary and open-sourced software is not as free as it claims to be. In order for software to really be free, Stallman claimed, it must include:
-The freedom to run the program in question, for any purpose
-The freedom to study how that program works, and change it so it does your computing as you wish - in other words, the freedom to access its source code
-The freedom to redistribute copies so you can help your neighbor
-And, lastly, the freedom to distribute copies of your modified versions to others for the same reason


3. The Department of Commerce might be reviving a part of SOPA

The Stop Online Piracy Act died last year in Congress. However, a piece of its legislation might be returning from the dead. The Department of Commerce’s Internet Task Force recently endorsed SOPA’s proposal to make the streaming of copyrighted works a felony. Although the streaming of copyrighted works is currently against the law, the offense is only a misdemeanor. If the proposal becomes a law, someone illegally streaming copyrighted works will be punished as severely as someone who illegally reproduced and distributed copyrighted works to the public.


4. Amazon launches artwork marketplace


You could soon purchase a work by Claude Monet without ever having to change from your pajamas. Amazon has recently announced that, with Amazon Art, the web-retailer has created an online gallery, which would allow people to buy artworks from prestigious collections around the country, while still at home. Among other galleries, the site currently promises access to collections from the Paddle8, Holden Luntz, and the McLoughlin galleries.


5. Google will update its search to highlight more in-depth articles


Google revealed that the company is adding a new feature for its search function, which highlights “in-depth” articles associated with your search requests. Google has yet to provide many details about the company’s definition of “in-depth.” However, Google officials have claimed that search results are “ranked algorithmically based on many signals that look for high-quality, in-depth content.” Currently, Google users will only be able to use this feature if they search in English.


6. Mozilla releases a new version of Firefox


Firefox 23 is here. This newest update to the browser features a number of changes, including but not limited to a mixed content blocker and a network monitor on the desktop side. If you squint at the new Firefox logo for long enough, you may notice that it looks a little different too. But the biggest change is the addition of a share button, which would allow users to share content with friends with just one click. With this new feature, users will be able to share content directly from Firefox wherever they are online. Firefox 23 has officially been released for Windows, Mac, Linux, and Android.

7. Discussions of Anonymity


With the current NSA scandal and the advent of Google Glass, there is a lot of discussion nowadays about the importance of maintaining anonymity in a democratic society. The unnamed author of the book Tremble the Devil once wrote a blog post titled, “The Importance of Being Anonymous.” Though the piece may have some problems, it does bring up an interesting point: the ability to express your opinion anonymously is often the ability to express yourself safely. To that extent, the threat of exposure could limit your freedom of speech. In our democratic system, the ballot is secret so that you can have a say in what the government does without fear of coercion or retribution from others.


Without that anonymity, people may be pressured out of saying what they think and may, instead, conform to the most widely accepted opinions out of fear. The Internet is a place where a wide variety of viewpoints can be shared—where everyone gets a voice. However, the Internet is also a place of exposure and social pressure. At the moment, we’re at a delicate balance. We have to decide what the Internet is going to be. Is it going to be a place where people become more homogenous in their beliefs? Or could it possibly be something different?


How to Protect Your Business From Attacks Without Really Trying

You trust your employees, right? Maybe you shouldn’t…


At least, not in issues of network security.  Whether you like it or not, employees use office computers to communicate on social networking sites, share links to online entertainment, or download files from suspicious sources. At the same time, cybercriminals use social networking sites for phishing and malware distribution. They infect personal blogs, entertainment sites, file-sharing services, and torrent trackers. They regularly hack passwords to email accounts.  To protect your network, here is a list of security threats and protection techniques you should know:


Targeted attacks


Because the majority of threats target mass audiences, antivirus software can prevent most incidents. Targeted attacks are different: hackers perform them covertly, often using a non-standard approach; they are highly sophisticated and well organized. These are the attacks you should worry about the most.


Social Engineering Attacks

In 2009, over 20 major software companies fell victim to the Operation Aurora targeted attack. In one incident, hackers lured company employees through social networking sites and IM clients. Using social engineering techniques, the scammers got acquainted with their victims, gained their confidence, and did whatever was necessary to make the recipients open a link. The fraudsters only needed to:


-Collect widely available information about the user from social networks

-Create an account built on the victim’s personal information

-Become “friends” with the people from the victim’s list of contacts

-Get in touch with the victim using the established “cover”


When an account has been so thoroughly prepared, it can easily trick victims into clicking a suspect link. If this fails, the scammer can try a more sophisticated trick: hacking the account of a user whom the victim trusts and sending links from there. This is especially easy if the victim’s trusted contacts include vulnerable users like elderly people, children, or teenagers.


In a targeted attack, a link may lead the victim to a site hosting 0-day exploits, which give criminals access to vulnerable computers. By communicating on social networks from the office computer, employees may unwittingly help hackers penetrate the corporate network.


Watering Hole Attacks

In ​​this type of attack, hackers infect the sites that your employees use the most. Recently, the U.S. Ministry of Labor site was infected, but the real target of the attack was the Department of Energy.  The criminals had tried to infect the computers of DOE employees who regularly visited the Ministry of Labor’s website.


Once targeted employees open an infected page,  malware redirects their browser to a malicious site, which may contain 0-day exploits.  By hiding malware in such a way, scammers can also hide their targeted attacks from antivirus companies and IT security experts.


Before you assume that your network is secure, remember that fraudsters will try to infect trusted sites. Even when users must carry out additional steps, like turning on JavaScript, they may innocently click “Allow” and “Confirm.”


Protection through Policy

Users may enable targeted attacks by inadvertently giving scammers access to the system. Unfortunately, there is no technology that eliminates human error from corporate network security. However, reinforcing security policies provides protection by combating targeted attacks at every stage, from the first attempt to exploit a vulnerability to later attempts to compromise the network.


Protection Against Exploits

Since targeted attacks use unique malware, signature-based detection isn’t enough to identify the malicious code. Yet antivirus programs have long had more weapons at their disposal than signature-based detection. AEP technology, which combines heuristic analysis with control over executable code, can block the execution of malicious code when it exploits a 0-day vulnerability.


If fraudsters do manage to compromise a system, network traffic and application controls may prevent further penetration into the corporate network.


Network traffic control

Once malicious code gets in the system, it usually attempts to:


-Establish a connection with a command center

-Open ports for incoming connections

-Download additional modules

-Inject malicious code into other processes to maintain the connection with the command center

-Gather information about the network, such as its systems and users

-Send the harvested information to the fraudsters’ server


Having connected to the system, scammers collect information about it and the computer’s corporate network. To collect local information, the fraudsters don’t need extra privileges.  They can find a list of running processes, installed software, and more, with little effort. They collect information about the corporate network using special scripts and utilities for masking activity and bypassing security systems. Then they analyze this information before the next stage of attack.


Using network traffic control technology, system administrators and IT security specialists can block dangerous network activity and detect any penetration into the corporate network. For instance, a firewall and IPS/IDS can:


-Block incoming/outgoing connections by port, protocol, domain name, and IP address

-Perform statistical analysis of traffic to find anomalies

-Collect suspicious network traffic for further analysis

-Detect or block outbound command-and-control traffic, downloads of suspicious files from the Internet, and transmissions of confidential information


A firewall and IPS/IDS can detect anomalies in the interactions of network nodes once the malicious code tries to contact the command center or scans the corporate network for other systems and open ports. This anomaly detection allows IT security experts to respond to the threat, preventing further intrusion into the corporate network.
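As an added example (not code from the original article), the Python below runs the two checks just described over a constructed connection log: it flags a host that reaches an external address at a near-constant interval (a beacon to a command center) and a host that touches many ports on one internal machine within a short window (a scan). The log lines, host names, addresses and thresholds are all constructed for the demo.

```python
"""Added example, not from the original article: flag beaconing to a command
center and an internal port scan in a constructed connection log."""
from collections import defaultdict
from statistics import pstdev

# Constructed log: seconds since start, source host, destination IP, destination port.
# ws-17 beacons to an external host every 60 s; ws-22 sweeps ports on 10.0.0.20;
# ws-31 makes two ordinary HTTPS connections and should not be flagged.
FLOW_LOG = """\
0    ws-17  10.0.0.5      445
60   ws-17  203.0.113.9   443
120  ws-17  203.0.113.9   443
180  ws-17  203.0.113.9   443
240  ws-17  203.0.113.9   443
300  ws-17  203.0.113.9   443
5    ws-22  10.0.0.20     22
6    ws-22  10.0.0.20     23
7    ws-22  10.0.0.20     80
8    ws-22  10.0.0.20     135
9    ws-22  10.0.0.20     139
10   ws-22  10.0.0.20     445
11   ws-22  10.0.0.20     3389
20   ws-31  198.51.100.4  443
700  ws-31  198.51.100.4  443
"""

def parse_flows(text):
    """Return a list of (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return flows

def is_internal(ip):
    return ip.startswith("10.")   # demo assumption: the corporate network is 10.0.0.0/8

def find_beacons(flows, min_conns=5, max_jitter=5.0):
    """Return [((src, dst), mean_gap)] for pairs reaching an external host at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _port in flows:
        if not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:      # regular timing is the tell-tale sign of a beacon
            beacons.append((pair, sum(gaps) / len(gaps)))
    return beacons

def find_port_scans(flows, min_ports=6, window=60):
    """Return [((src, dst), port_count)] for sources touching many ports on one internal host within `window` s."""
    events = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(dst):
            events[(src, dst)].append((ts, port))
    scans = []
    for pair, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # sliding window anchored at each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans.append((pair, len(ports)))
                break
    return scans
```

Real IDS rules tune `min_conns`, `max_jitter` and `min_ports` to the site's baseline; the values here are only chosen to make the constructed log readable.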


Application control

Having accessed the target system, the criminals aim to consolidate their foothold. By downloading additional modules, malicious code, and utilities onto the system, they embed the connection with the command center into trusted processes like explorer.exe.


Application Control can block the launch and download of untrusted programs and modules from the attacker’s toolkit. HIPS policies should also block dangerous non-standard behavior by legitimate software. Browsers shouldn’t open ports for incoming connections. System processes and other applications shouldn’t connect to external servers or deploy malicious code into other trusted processes. This behavior should be prohibited.


To prevent criminals from gaining control of the system, IT security specialists should:


-Stop trusted or vulnerable programs from injecting code into other processes

-Restrict applications’ access to critical system resources and files to what they actually need

-Block dangerous functions that aren’t a default feature of the applications

-Safeguard systems that require the highest protection level with Default Deny mode. This mode blocks programs from starting unless they are included in the whitelist, which may be stored locally or in the cloud.
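As an added example (not the article’s or any vendor’s code), the Python below turns the policy decisions just listed into a toy rule engine and runs it over a constructed stream of endpoint events: a Default Deny whitelist check on launches, and HIPS rules that stop a browser or office application from listening on a port, injecting into another process, or writing to a protected key directory. Process names, hashes, paths and rules are assumptions.

```python
"""Added example, not from the original article: a toy endpoint policy engine
that applies Default Deny whitelisting and the HIPS rules described above to a
constructed stream of events. Process names, hashes and rules are assumptions."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Whitelist of approved binaries by hash (hashes of placeholder contents for the demo).
WHITELIST = {sha256(b"explorer.exe v1"), sha256(b"firefox.exe v23"), sha256(b"winword.exe v15")}

# HIPS rules: behaviour that legitimate software has no business showing.
NO_LISTEN = {"firefox.exe", "winword.exe"}                  # browsers/office apps must not accept connections
NO_INJECT = {"firefox.exe", "winword.exe", "explorer.exe"}  # ...and must not inject code into other processes
PROTECTED_PATHS = ("C:\\Windows\\System32\\", "C:\\Corp\\keys\\")  # writable only by system installers
SYSTEM_WRITERS = {"TrustedInstaller.exe", "msiexec.exe"}

def decide(event, default_deny=True):
    """Return ('allow' | 'deny', reason) for one endpoint event."""
    kind, proc = event["type"], event["process"]
    if kind == "launch":
        if event["sha256"] in WHITELIST:
            return "allow", "binary is whitelisted"
        if default_deny:
            return "deny", "Default Deny: binary not in whitelist"
        return "allow", "Default Deny off: unknown binary permitted"
    if kind == "listen":
        if proc in NO_LISTEN:
            return "deny", f"{proc} must not open port {event['port']} for incoming connections"
        return "allow", "listening permitted for this process"
    if kind == "inject":
        if proc in NO_INJECT:
            return "deny", f"{proc} must not inject code into {event['target']}"
        return "allow", "injection permitted for this process"
    if kind == "file_write":
        if event["path"].startswith(PROTECTED_PATHS) and proc not in SYSTEM_WRITERS:
            return "deny", f"{proc} must not write to protected path {event['path']}"
        return "allow", "path not protected"
    return "deny", f"unknown event type {kind}"   # fail closed on anything unrecognised

# Constructed event stream mirroring the post-compromise steps listed in the article.
EVENTS = [
    {"type": "launch", "process": "firefox.exe", "sha256": sha256(b"firefox.exe v23")},
    {"type": "launch", "process": "update.exe", "sha256": sha256(b"dropped module")},
    {"type": "listen", "process": "firefox.exe", "port": 4444},
    {"type": "inject", "process": "firefox.exe", "target": "explorer.exe"},
    {"type": "file_write", "process": "winword.exe", "path": "C:\\Corp\\keys\\id_rsa"},
    {"type": "file_write", "process": "winword.exe", "path": "C:\\Users\\bob\\report.docx"},
]

def evaluate(events, default_deny=True):
    """Return the list of verdicts for an event stream."""
    return [decide(e, default_deny)[0] for e in events]

if __name__ == "__main__":
    for e in EVENTS:
        verdict, why = decide(e)
        print(f"{verdict:5} {e['type']:10} {e['process']:12} {why}")
```

Running the stream with `default_deny=False` shows why the article reserves Default Deny for the most sensitive systems: the dropped `update.exe` is then launched, and only its later behaviour can still be caught.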


File encryption

If the scammers seize control of the system and penetrate the corporate network, they may try to find and upload files that contain important information like:


-Corporate documents, including security policies

-Files containing credentials

-Configuration files

-Source codes

-Private keys


This information is found on the main victim machine as well as in open network folders on other systems. To prevent a data leak, IT security specialists should use file/disk encryption to restrict local access to the confidential information. Data should also be transferred in encrypted form. Even if the criminals manage to download something, they will not be able to read the content of the encrypted files.


Security policies

In isolation, none of the above technologies can prevent a targeted attack. To protect the corporate network, all these technologies must be well integrated and carefully tuned.


However, system administrators and IT security specialists should also use administrative protection measures:


All users must:

-Know and observe company security policies

-Understand the possible consequences of Internet threats, such as phishing, social engineering, or malware sites

-Inform the security service about all incidents

System administrators and IT security specialists must:

-Manage user access rights and privileges

-Scan the systems for vulnerabilities and unused network services

-Detect and analyze vulnerable network services and applications

-Update vulnerable components and applications. If there is no update, vulnerable software should be restricted or banned.


Rights and privileges should be granted only when necessary, and every grant should be recorded. Many of these measures can be automated. If security policies are violated, special software shows the user a warning message. Systems Management technology can be used to discover network services and unauthorized devices, find vulnerabilities, and automatically update vulnerable applications.



Misuse of company resources can lead to direct financial losses and a serious IT security incident. While communicating on social networking sites or viewing websites on the office computer, employees can become unwitting victims and involuntary allies of criminals who plan targeted attacks.  Though they may have honest intentions, it’s never a bad idea to have a backup plan.


Resilience - The Way To Survive A Cyber Attack

The claim that any Western, information technology dependent society could be brought down by a fifteen-minute cyber attack has recently provoked intense discussion.


In reality, a well-prepared cyber attack does not need to last for 15 minutes to succeed.  It takes only seconds to conduct an attack that could hit targets next door or on the other side of the world.


Society’s capability to withstand the attack determines whether or not it will lead to chaos - and in what time.  As a general rule, it takes a lot longer than 15 minutes for all consequences to manifest themselves and for Society to absorb and react to them. Re-establishing the equilibrium that existed before the attack may take years.


There is no such thing as absolute security, neither in the physical nor in the virtual world. While technology could eliminate human error from the threat catalogue through automation, it also brings novel and constantly evolving threats. Information technology promises to enhance situational awareness for security, yet carries unknown vulnerabilities with it. Incomplete security is nothing new in itself, but the enmeshment of the physical and virtual worlds creates new kinds of security opportunities, and new needs to address.


Today’s overall threat catalogue is versatile and in constant change. As it includes both threats that have not yet emerged and threats that are only gradually appearing, it forces Society to plan and prepare for the unknown. Preparing for the unknown can only take place through strengthened resilience. Resilience refers to the continuation of operations even when Society faces a severe disturbance in its security, the capability to recover from the shock quickly, and the ability to either restart the temporarily halted functions or re-engineer them.


Resilience is a multidimensional phenomenon. It affects Society at present, but will affect its future even more. Resilience is not only a headache for the decision-makers, but also a feature of states, organizations, corporations, and individuals. Society’s overall resilience builds upon the capabilities of its parts to prevent and resist departures from the usual and to adapt to them rapidly.


Resilience can be categorized as “infrastructure resilience,” “community resilience,” “business continuity” and “corporate resilience.” All of these are important for the survival of Society in a contemporary security environment. Resilience is not only physical - it is mental as well. Hence it also includes, for instance, the capability to make justifiable decisions and act upon them under distress. Tolerance for crisis should be seen as a function vital to society.


Western societies are used to a prevailing state of peace and have managed to construct well-functioning societal operations based on the utilisation of technology.  As a drawback to this state, however, they have lost some important survival capabilities.  Their mental ability to deal with distress is especially declining because of the lulling belief that nothing can go too wrong. This belief can lead to a situation in which the physical features of Society recover from an attack relatively quickly, but poor mental tolerance keeps it from re-balancing itself for years or decades.


Developing and maintaining resilience is a central demand presented by contemporary security thinking. Its importance will only heighten in the future as the world becomes more interconnected, threats become more complex and cooperation becomes a necessity to address complicated security questions. Resilience enables both efficient operating in times of distress and smooth societal functioning. The intertwinedness of the physical and virtual worlds requires that preparation, acting, and learning take place in that intermingled reality. This enables the utilisation of the opportunities information technology and cyberspace create without exposing oneself to unnecessary risk.


Even the virtual world breaks sometimes. But minor disturbances, like temporary interruptions in communications networks or defunct ATMs, are in fact beneficial, because we tend to trust the operability of bytes too much. If bytes do not function, we become helpless.


Temporary cyber disturbances and shocks will always happen. This could save us, because they keep us alert. Our future depends upon our resilience, and our resilience depends on Society’s ability to protect itself from cyber attacks.


The Next Crypto Battle

Initial skirmishes have provided some indication that the next cryptography (crypto) battle is heating up and is not far from a full-fledged call to arms. Insights from previous battles in this continuing war are useful in predicting how it could play out.


Online security and privacy are at the heart of the battle. The most obvious foot-soldiers of this war are a new breed of ‘cypherpunks,’ who advocate crypto to fight ubiquitous government surveillance. As Julian Assange said, “No amount of coercive force will ever solve a math problem… A well-defined mathematical algorithm can encrypt something quickly, but to decrypt it would take billions of years.”


There will be a bigger, less visible part of the battle. People will want to retain control over their communications: messages, photographs, video, files, and locations. They will want to be able to use cloud computing and store their files on the Internet with the confidence that it can be done safely and securely. They will not want these things from a ‘nothing to hide’ perspective but rather as a natural and necessary prerequisite for confidence in, and the utility of, the medium.


Underpinning the Internet are the TCP/IP protocols which were designed to provide only the functions of efficiently transmitting and routing packets of data between peers. What they inherently lack is the ability to deal with network security issues such as data snooping and connection hijacking.


This wasn’t a problem when people used trusted and open networks that interconnected university computers. It rapidly became a big problem as the Internet exploded to become central to communication, commerce, and all the myriad of ways that we now depend on the Internet.


Earlier Battles

Crypto played an important role in World War II. From then on, many governments regulated the export of crypto on national security grounds. Treating crypto as munitions, several governments introduced controls like export licences. There were also other efforts to control crypto, such as the 1976 weakening of IBM’s Data Encryption Standard (DES) by the National Security Agency (NSA) before the National Bureau of Standards allowed it to become a government-approved standard.


The Internet created a need for individuals and businesses to use crypto, as well as the means to distribute information on crypto quickly and cheaply. Phil Zimmermann’s PGP in 1991 allowed everyday people to encrypt their email and data. The growth of electronic commerce created additional pressure, such as the need to protect credit card transactions online using public key crypto.


In the US, some defining moments of the first crypto battle occurred with the cases Junger v. Daley and Bernstein v. United States which established that crypto software could be published online, protected by the First Amendment as free speech.


The Clinton administration tried to get the industry to adopt the Clipper chip, an encryption chip for which the government held a back-door key. When this failed, the administration tried to introduce key escrow, a policy that required all encryption systems to leave a spare key with a ‘trusted third party’ that would hand it over to the FBI on demand.


The willingness of some to risk and resist prosecution, as well as the growing availability of crypto software outside the US, led to a relaxation of export controls. Some restrictions still exist, even on purely commercial services for the mass market, particularly in countries participating in the Wassenaar Arrangement on dual-use technologies.


Growing Mass Market Use of Crypto

It’s common for commercial products to use crypto, for example with credit cards and DVD content scrambling. What’s relatively new is the conscious, routine use of crypto for communications and data protection by people for themselves: for example, sending emails in crypto-enabled ‘envelopes’ rather than on postcards open for everyone to read. While this technology has existed since the 1990s, so far it has been too hard and inconvenient for everyday use by the average person.


Global concerns over governments collecting, storing, and analysing all Internet traffic are growing. New laws are sprouting everywhere, like the UK’s proposed ‘Snooper’s Charter,’ metadata retention for law enforcement agencies in Australia, and an update to lawful interception in New Zealand.


This is leading to a return to the debate of the 1990s and 2000s. In 1997, the then Director of the FBI said:


“Clearly, in today’s world and more so in the future, the ability to encrypt both contemporaneous communications and stored data is a vital component of information security. As is so often the case, however, there is another aspect to the encryption issue that if left unaddressed will have severe public safety and national security ramifications.”


“Uncrackable encryption will allow drug lords, spies, terrorists, and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.”


The Next Crypto Battle

Exactly the same concerns still drive the continuing war on crypto. Only, this time, the vocabulary has been updated to include words like national security, cyber espionage, and paedophiles.


The FBI is worried about the ‘dark net’ while the German police uses malware to spy on its citizens’ Internet activities. Some governments are worried about decrypting Apple’s iMessage and all user data held on that company’s smartphones and tablets. On the other side, the inventor of PGP is back with Silent Circle while the company that I work for, Mega, provides encryption and decryption invisibly and automatically.


Some of the instruments governments have used in the past, such as export controls and deliberate weakening of crypto, will no longer work. New instruments will undoubtedly be tried. The same arguments and counter-arguments of the 1990s will be debated back and forth.


While it is difficult to predict how this crypto battle will evolve, or its inevitable casualties, one thing is certain: the end result will be the same as in the previous battles, an uneasy truce in which governments accept that they have limited ability to control the crypto used by people and businesses.


That will be a victory for the public good and the Internet’s indispensable role in our daily lives. Until the next crypto battle erupts.