Stuxnet Spotted Stateside in Chevron Computers
It didn't do any damage thanks to its meticulous design, but the Stuxnet malware, whose purpose was to destroy Iranian nuclear centrifuges, somehow found its way onto computers at Chevron. Still, the next one might do further harm. "Once the genie is out of the bottle, it's hard to stuff it back in, and it's hard to tell where it's going to go," said Eric Byres, CTO at Tofino Security.
11/12/12 7:00 AM PT
Chevron was infected with the Stuxnet malware in 2010, the company revealed last week, raising concerns about the effectiveness of cyberweapons as a policy tool.
Because of Stuxnet's design, it didn't do any damage to Chevron's computers, but the fact that a cyberweapon created to attack Iran's nuclear capability ended up on the systems of an American oil company isn't very reassuring to security experts.
"Even cybercriminals will check time zones and clock settings to make sure their malware will stay in a country or doesn't infect people in a particular country," Richard Stiennon, chief research analyst with IT-Harvest, told TechNewsWorld.
What the world is finding out is that cyberweapons are going to be hard to control, observed Eric Byres, CTO at Tofino Security. "Once the genie is out of the bottle, it's hard to stuff it back in, and it's hard to tell where it's going to go," he told TechNewsWorld.
Chevron may have benefited from the fact that Stuxnet was well-built and designed, for the most part, not to cause problems outside its targeted purpose, but that may not be the case with future cyberweapons. "Unless you're running a nuclear centrifuge, Stuxnet is just a cleanup job," Byres said. "But I don't think future worms are going to be as well-designed. Copycats will not take care to contain collateral damage."
There has been some talk of a "massive" cyberattack on Iran, Stiennon added. Such an attack would target power and communication grids. "If that got out, it would spread to anyone else running power and communication grids," he reasoned. "That kind of collateral damage could be devastating."
Protecting The Perimeter
It's popular in security circles these days to look inside perimeter defenses for protection from cyberattacks. Not only can that be a mistake, but it can be an impossibility, according to Tommy Stiansen, CTO at NorseCorp.
His company combines big data analytics in real time with massive computer power to block attacks on organizations at their perimeters.
In recent times, security vendors have pushed the idea that perimeter defenses alone aren't enough to protect an organization from intrusion. Because of that, an industry has evolved to slice and dice internal network traffic to identify and mitigate threats. That's a Sisyphean task in today's computing world, Stiansen argues.
"There's no way you can predict all the possibilities in that scenario today," he told TechNewsWorld. "We see weekly exploits that before we'd see once every three or six months."
In that kind of environment, what's needed is an analysis of massive amounts of data that can be used for real-time actions. To do that, Norse has created a global network of 1,000 computers to gather and analyze 19 terabytes of threat information a day.
Norse's network can deflect malicious traffic from an organization at its perimeter, Stiansen explained. In a six-month pilot program with 80,000 merchants in which every purchase was pushed through Norse's API, 40 percent of all their fraud was blocked, with only 1 percent false positives.
Perimeter defenses can do more than they're given credit for -- all they need is a little help, Stiansen maintained. "We can complement the firewall," he explained. "We give the firewall the intelligence it needs to act on malicious traffic."
Android Gets Real About Security
The next version of Google's mobile operating system, Android 4.2 (Jelly Bean), will be remembered in malware-fighting circles as the release of the OS where the search giant got serious about security.
Google reportedly confirmed new security features in Jelly Bean last week that had been spotted by Android code hackers.
For the first time, the operating system will include a feature that will scan any app from a source outside the Google Play store for harmful behavior.
Google does that by comparing the app to a whitelist of good apps and a blacklist of known malicious programs. If the app can't be matched to either of those lists, it's up to the user to decide whether to continue with the installation.
The new version of Android has also cleaned up the permissions screen that pops up when an app is installed, making it easier to see what the app will be accessing on a handset. Recent studies have revealed that many apps access much more information than they need to perform their functions.
In addition, Jelly Bean will include a background feature that alerts the user when an app tries to send an SMS message that will cost them money. The initial release of the new OS, however, won't address a flaw discovered last week by researchers at North Carolina State University that can be exploited by malware to spoof SMS messages to a handset using contacts stored on it.
Data Breach Diary
- Nov. 2: The Illinois Department of Health Care and Family Services announces that a briefcase containing personal information about 508 Illinois nursing home residents was stolen from a contractor, and that it would be notifying the affected residents of the breach.
- Nov. 4: Bloomberg reports that on March 15, 2009, hackers broke into Coca-Cola's computer systems and stole sensitive files about its attempted US$2.4 billion acquisition of China Huiyuan Juice Group. Coca-Cola has never acknowledged the break-in.
- Nov. 7: The CEO of Pizza Hut Australia confirms that its website was breached and that the intruders gained access to names and contact information of some of its customers. He pledges that no credit card information was stolen.
- Nov. 7: An attorney filing a lawsuit in connection with a data breach at the South Carolina Department of Revenue, in which 3.6 million personal income tax returns were compromised, announces that he is expanding his litigation to include Trustwave and the South Carolina Division of State Information Technology.
- Nov. 8: Twitter discloses that in an attempt to protect some of its members whose accounts were hacked by spammers, it may have accidentally reset the passwords of members unaffected by the hack.
- Nov. 9: Security analyst Jeffrey Carr reports that the hacker collective known as Anonymous stole documents from the internal network of the Organization for Security and Co-operation in Europe and posted them to the Internet. The organization is not acknowledging the breach.
Upcoming Security Events
- Nov. 14: A Tipping Point in the Battle against Cyber Attacks. Noon ET. Free webinar. Sponsored by Dark Reading.
- Nov. 14: How to choose the right authenticator to meet the CJIS requirement for advanced authentication. 1-2 p.m. ET. Free webinar. Sponsored by Entrust.
- Nov. 15: Getting the Cyber Future We Want, Not the One We Deserve. 1 p.m. ET. Free webcast sponsored by RSA.
- Nov. 28-29: Smart Strategies for Secure Identity. Washington Convention Center, Washington, DC. Registration by Nov. 6: $1,080. By Nov. 27: $1,200.
- Nov. 28-29: Strategic Security Response Summit: The Detecting and Preventing Emerging Threats. Washington Convention Center, Washington, DC. Regular registration: $470. Government registration: $230.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration is now open.
- Dec. 3-6: Black Hat Abu Dhabi 2012. Emirates Palace, United Arab Emirates. Registration by Dec. 2: $1,895. On-site registration: $2,595.
- Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Early registration: $450. Registration after Nov. 21: $650.