Security rundown for week ending Aug. 5, 2011

If you'd never heard the phrase 'advanced persistent threat' before, you may have gotten an earful of it this past week in a collection of news stories that used the APT term to describe a variety of serious network security problems.

"APT is originally from the Air Force," says Ryan Kalember, director of product marketing for HP ArcSight, during our discussion of Ponemon Institute's annual study on cybercrime. The term arose as Air Force shorthand to describe endless, unremitting network attacks coming from mainland China — the People's Republic of China (PRC). "It's a running joke in the industry that APT is short for PRC," he adds.


But the phrase APT has evolved into something broader. It suggests the effort not just by nation-states, but also industrial competitors, along with any hired-hand assistance, to infiltrate the networks of targets to steal important and sensitive information, such as intellectual property.

And in the news last week, McAfee, based on finding a server on the Internet and analyzing its logs, identified 72 compromised organizations — mostly in the U.S. but also in Canada and Asian nations — it says had APT-style attacks carried out against them for months if not years, starting in 2006.

According to McAfee, an attacker — probably a "nation-state" though it declined to name any country — carried off huge volumes of sensitive information, including "closely guarded national secrets (including from classified networks), source code, bug databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more." McAfee didn't release most of the names of the victims though it did name a few, such as the World Anti-Doping Agency, as well as some Olympic committees.

APT came up in a story on the RSA data breach that blamed China for that breach earlier this year. Joe Stewart, director of malware research at Dell SecureWorks, said the finding was based on research into HTran, an APT tool developed by Chinese hackers and used in the attack on RSA. HTran, usually installed on a compromised server, is meant to disguise the path over which stolen data travels to the attacker. Stewart found that error messages from HTran inadvertently revealed exact IP addresses, leading directly to ISPs in Beijing and Shanghai.

No wonder the Security for Business Innovation Council, a group of 16 security leaders in corporations that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson and Northrop Grumman, last week said the APT problem is a top concern and it's changing how you should look at security.


In their report, entitled "When Advanced Persistent Threats go Mainstream," they say "Focusing on fortifying the perimeter is a losing battle" and "today's organizations are inherently porous. Change the perspective to protecting data throughout the life cycle across the enterprise and the entire supply chain."

The report adds: "The definition of successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume that your organization might already be compromised and go from there." The focus, they say, needs to be more on working with business managers to ascertain the "crown jewels" of the organization and protect these "core assets."

Other hot security news this week included:

Black Hat: Lots of hacks and a patriotic plea

Black Hat hasn't disappointed this year, with research revealing a flaw that undercuts Open Shortest Path First routing, two separate assertions that security for Apple products in the enterprise isn't that bad, and a friendly hand being offered to hackers and crackers to join the U.S. fight against terrorists in cyberspace. Perhaps the biggest blockbuster, because of the sheer scope of the potential problem, is the vulnerability an Israeli researcher found in the OSPF routing protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topology and create crippling router loops.

Black Hat: Researcher picks apart Sophos antivirus package

A researcher presenting at Black Hat picked apart Sophos Antivirus software and found it lacking in several areas that leave it vulnerable to attack or circumvention - something he says might apply to other antivirus vendors' products as well, but he just hasn't looked. Tavis Ormandy, who works as a researcher for Google, says he reverse engineered the product and found, among other things:

* The key used to encrypt some data is stored with the data, making it relatively easy to decrypt.

* Its buffer overflow protection only works on Windows platforms prior to Vista.

* The signatures Sophos selects to identify viruses are weak and can be generated independent of Sophos, making it possible to flood users with false positives.

Black Hat: System links your face to your Social Security Number and other private things

Soon it will be practicable to take someone's photo on a smartphone and within minutes know their Social Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers told the Black Hat security conference this week. The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who will present the research at the conference.

U.S. wants to build cybersecurity protection plan for cars

As cars and other forms of transportation increasingly rely on online systems for everything from safety to onboard entertainment, the cybersecurity threat from those who would exploit such electronic control packages has also increased. That's why the US Department of Transportation (DOT) today issued a Request For Information to the security industry to help it create a road map to build "motor vehicle safeguards against cybersecurity threats and assure the reliability and safety of automotive electronic control systems."

LulzSec gets Google+ boot, but returns

Hacker group LulzSec ("the world's leaders in high-quality entertainment at your expense") has had its initial Google+ account nixed this week. Though LulzSec has quickly and brashly re-emerged with a new one, LulzSec appears to have fallen victim to Google's purge of accounts on its new Google+ social network that are based on profiles not associated with a real individual's name. The same fate befell fellow hacking group Anonymous last month, and the outfit responded by saying it was developing its own social network and that it knew of an "operation" being organized against Google+.

Android Trojan records phone calls

A new Android Trojan is capable of recording phone conversations, according to a CA security researcher. While a previous Trojan found by CA logged the details of incoming and outgoing phone calls and the call duration, the malware identified this week records the actual phone conversations in AMR format and stores the recordings on the device's SD card.


Stories by Ellen Messmer
