Tuesday, November 8, 2011

11/8/2011 Army Wants Ability to Fight in Cyberspace by 2020

From National Defense mag, Nov. 8, 2011:

The Army wants to deploy a new arsenal of cyberwarfare weapons by 2020.

Lt. Gen. Rhett Hernandez, the commander of Army Cyber Command/Second Army, said the plan is to acquire both defensive and offensive capabilities -- including tools to conduct network damage assessments and ensure that there is no collateral harm done to nonmilitary entities.

Commanders in the field should have a "full range of cyberspace capabilities" at their hands including the ability to "seize, retain and exploit" enemy networks, he said Nov. 8 at the Milcom conference in Baltimore, Md. 

The Army "seeks the same level of freedom to operate in cyberspace domain as we have in the land domain," he said. The command, which became operational in October 2010, is in its infancy.

<more - see article>

Saturday, October 29, 2011

US-satellites hack: Chinese hackers suspected of interfering with US satellites

Two US government satellites fell victim to cyber-attacks in 2007 and 2008, claims report highlighting control systems' vulnerability.

See article by Charles Arthur in Guardian, Oct 27, 2011The article also mentions report from Oct. 2009 on China's ability to conduct cyberwar, prepared for the US-China Economic and Security Review Commission, and a forthcoming report by same commission which will discuss this satellites attack. The attack and (new) report are also discussed in a Business week article, also of Oct. 27

Tuesday, October 25, 2011

Nice prez by Richard Stiennon  on Post Apocalyptic Cyber Realism. Richard lists several `apocalyptic scenarios` of the sort we have been warning years ago... and then gives examples showing such attacks `in the wild`. Few of the attacks he listed are not  in my list, I should add them. 

Oh, and I really should add the table I've done of many attacks. And maybe upload my draft-paper on the main Internet vulnerabilities and how we must fix them to reduce motivation and risk of cyberwar. But too busy now with several works about to be submitted (dnssec and dns security in general, TCP traffic analysis, DDoS, covert channel, more...), and making major improvements in my courses for the term beginning next Sunday... If you're really interested in any of these, ask me by email. Or wait, hope to post soon...

Wednesday, October 19, 2011

Claims of German Governmental Backdoor ("Case R2D2")

From F-secure's `news from the lab', Oc. 8, 2011:

Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government.

The announcement was made public on ccc.de with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF (in German).

The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include and

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government.

DuQu: a new APT Malware (from StuxNet authors?)

Symantec, McAfee and F-Secure  released information about what appears to be a new WarWare (info-warfare level malware), which they named "DuQu" (since it creates many files beginning with ~DQ). This time, the attack may have been exposed already at an early stage.

DuQu is an advanced Trojan RAT (Remote Administration Tool) - like Gh0st RAT and BlackShades RAT, but apparently more advanced.

Few more reports on it: Pedro Bueno at ISC diaryKim Zetter at Wired,

From Symantec's report:
Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. 
... Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility...
Two variants were recovered, ...based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information.

.NYTimes reports: `U.S. Debated Cyberwarfare in Attack Plan on Libya`.

Here is an interesting report of US supposedly considering using cyber-attack but then not doing it, among other reasons for concern of it being a precedent:

NYTimes reports: `U.S. Debated Cyberwarfare in Attack Plan on Libya`.
By ERIC SCHMITT and THOM SHANKER, Published: October 17, 2011 

from the article: ....[The] exact techniques under consideration remain classified, the goal would have been to break through the firewalls of the Libyan government’s computer networks to sever military communications links and prevent the early-warning radars from gathering information and relaying it to missile batteries aiming at NATO warplanes.

But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress.

Sunday, October 9, 2011

Virus infected US airforce drones

From Wired: A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.
This is definitely malware (virus, to be specific). But... details are insufficient to be sure this really is part of an intentional APT attack against US airforce, or just a virus keylogger which accidently hit their machines. Propagation apparently by removable media (USB memory sticks?). So, not adding it to my list yet.