China on Cyberattacks: US Is Pot Calling the Kettle Black
It didn't take long for China to claim it too has been on the receiving end of many a data hack. The latest in that developing story, along with a new round of Java exploits and some interesting -- and contentious --observations at the annual RSA conference, marked another busy week in the cybersecurity world.
03/04/13 6:00 AM PT
After taking it on the chin for its alleged attacks on U.S. media outlets -- and for its army reportedly backing hackers engaged in cyberespionage around the world -- China returned fire.
The government claimed its defense and military ministries' websites are being bombarded with 144,000 hacking attacks a month from the U.S. However, China didn't try to link the attacks to the U.S. government -- for good reason.
"It's a fallacy that because an attack comes from an IP geolocated within a certain country, that country is then responsible for the attack," Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare: Mapping the Cyber Underworld," told TechNewsWorld.
U.S. Internet service providers tolerate more malicious behavior on their systems than they should, Carr added. That makes it easy for foreign nationals to buy server time with bogus credentials, so the source of an attack stemming from the U.S. could be someone outside the country.
A Stuxnet Fossil
It was revealed last week that Stuxnet, the infamous attack code, may be older than originally thought. Symantec researchers discovered a sample of the malware that was actively used in 2007 and could date back to 2005.
Stuxnet 0.5, as the researchers call it, could be the missing link between Stuxnet 1.0, which disrupted Iran's nuclear development program, and super worm Flame, which was discovered after Stuxnet but is believed to predate it.
Zero Day Redux
The never-ending saga of Java also continued last week. Researchers at FireEye found hackers exploiting a newly discovered vulnerability in Java. The exploit is being used to install a remote-access Trojan called McRat.
Meanwhile, Adobe pushed yet another security patch for its Flash Player to its users as February came to an end. It was the third patch of the month.
Google's two-factor authentication was in the limelight when researchers at Duo Security found a loophole that exploited its method for issuing unique passwords for applications. Google fixed the flaw before the researchers made it public.
Better Than Signatures
A lot of new products are introduced whenever the annual RSA conference is held in San Francisco. Among this year's crop was Trend Micro's Custom Defense Product, which includes targeting command and control activity from attacks like Advanced Persistent Threats.
The product also includes a Deep Discovery Inspector feature that goes beyond what's provided by typical antivirus software, according to Kevin Faulkner, TrendMicro's senior enterprise product marketing manager.
"It's a network-based device that monitors communications, malware and attacker behavior," he told TechNewsWorld. "It sees things that standard signature-based security doesn't see."
RSA isn't just about products; the conference can also court controversy. During one panel session, a founding father of cryptology, Adi Shamir, declared the security industry had entered a post-crypto era.
"It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system," he said. "We need to think about security in a post-cryptography world."
Whether we're in that world or not, cryptography is here to stay, countered Bogdan Botezatu, a senior e-threat analyst with Bitdefender.
"Cryptography may have its flaws, it even may lend a helping hand to cybercrooks, but this does not mean that we're going to stop using it anytime soon," he told TechNewsWorld.
"In a world where mobile communication and strict security checks are part of the day-to-day fight with cybercrime, simply ditching encryption altogether would increase the prevalence of attacks to a point where we wouldn't have any privacy and data integrity at all," he said. "Even though crippled to some extent, cryptography still makes a huge difference."
- Feb. 26. Ponemon Institute study reveals 46 percent of organizations do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.
- Feb. 26. Minnesota Senate Judiciary Committee holds hearing on public employee data breach bill making misuse of data "a gross misdemeanor" and requiring governments to publicly name employees who misuse data.
- Feb. 28. Bank of America fingers third-party contractor as source of data from the bank posted to the Internet by an affiliate of the hacktivist collective Anonymous.
- Feb. 28. Study by Javelin Strategy and Research shows that 22.5 percent of people who receive a data breach notice become victims of identity theft.
- Mar. 1. Dropbox users report receiving spam to email accounts associated with a data breach of the service that occurred last year. Dropbox says it doesn't believe the spam barrage is a new problem or related to a new data breach.
Upcoming Security Events
- Mar. 5. Next Steps in Security Reform: Overcoming Disconnects among Acquisitions, Security and Industry. 8 a.m.-3 p.m. The SI Organization, Stonegate 2, 15052 Conference Center Drive, Chantilly, Va. US$195-$295.
- Mar. 7. Smart Secure Wireless in a BYOD World. 1 p.m. ET. Webinar sponsored by Watchguard Wireless. Free.
- Mar. 7-8. APWG eCrime Researchers Sync-Up. University College Dublin, Ireland. Sponsored by ICANN. $175-$225.
- Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1,095 euros ($1,447); through Feb. 28, 1,295 euros ($1,711); Mar. 1-15, 1,495 euros ($1,975).
- March 28. Trends in Government Security - Risk Management, Compliance and Technology. 1 p.m. Webinar. Free.
- Apr. 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
- Apr. 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, Pounds 20.
- Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m.ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.