Stuxnet Strikes Again? Not Likely

Iran boasted last week that its malware fighters fended off another attack on its infrastructure by the notorious Stuxnet computer worm.

Stuxnet targeted a power plant and some other industries in the southern part of the country, but Iranian computer experts were able to thwart the attack, a provincial civil defense official claimed.

The original Stuxnet attack two years was aimed at Iran’s nuclear development program.

Iran did not say who was behind the latest Stuxnet attack, but it’s been documented that the United States and Israel were behind the first attack.

What’s more, U.S. intelligence officials have recently blamed Iranian cybersabotage specialists for disrupting computer operations at a number of American banks and the Saudi Arabian oil industry.

Retaliation Doubtful

It’s unlikely any attack, if there was one, was made in retaliation for the banking attacks, said John Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a private research firm that studies cyberattacks.

“Any current cyberattacks being launched by the U.S. or Israel would likely be linked to Iran’s nuclear program, which is violating multiple United Nations Security Council Resolutions,” he told TechNewsWorld.

Moreover, the Saudi Aramco attack should not be laid on the Iranians’ doorstep, he added. “One of Aramco’s own employees launched the devastating cyberattack against the company’s network last August,” he explained. “That employee was an Islamic fundamentalist, which means that the attack should be considered an act of cyberterrorism.”

In addition to the power plant attacks, Iran also claimed a cyberattack was launched against an agency in its Ministry of Culture. The foray originated in Dallas, it said, and was rerouted to Iran through Malaysia and Vietnam.

A malware attack originating in Dallas isn’t exactly a smoking gun, according to Jeffrey Carr, CEO of Taia Global and author of “Inside Cyber Warfare: Mapping the Cyber Underworld.”

“Lots of malware resolve to an IP address in Dallas since it’s home to ISPs that serve an awful lot of malware,” he told TechNewsWorld.

SpamSoldier Marches On

Reports continued to appear last week about a pernicious program aimed at smartphones running Google’s Android operating system that turns infected handsets into spam servers.

The malware, called SpamSoldier, is spread through SMS messages promising a reward — a free copy of a paid version of a game — by clicking on a link in the message. The link leads to a website that downloads an installer to the victim’s handset.

When the installer, masquerading as an installer for the coveted game, is activated it launches its pernicious payload.

After launch, the malware immediately checks in with a command and control server where it receives its marching orders, consisting of the text of an SMS spam message and 100 phone numbers to send it to. When it completes those tasks, it checks in with the server again, for more phone numbers. The process continues until the app or the server is shut down.

“This is the best try at building a mobile botnet that I’ve seen so far,” Alex Balan, head of product management for BullGuard, a mobile security software maker, explained to TechNewsWorld.

However, he added: “Building malware for Android is not that hard. Getting people infected is also not that hard.”

“If you look at SpamSoldier and the way it propagates, it’s not exactly rocket science,” he maintained.

Carriers, as well as consumers, should be concerned about SpamSoldier, suggested cloud security software maker Cloudmark in its company blog.

“Compared with PC botnets this was an unsophisticated attack,” it wrote. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs.”

Congress Approves Warrantless Snooping

Congress couldn’t agree on how to avoid going over the fiscal cliff last week, but it had no problem agreeing on how to sell out the privacy rights of U.S. citizens.

Provisions in a video privacy bill that would have required federal law enforcement agencies to obtain a warrant before they could peek at email or any other data stored in the cloud was stripped from the legislation in the Senate on its way to President Obama’s desk.

Why the language was dropped from the final bill is still undetermined. Currently, under the Electronic Communications Privacy Act, law enforcement agencies can look at any data stored in the cloud without a warrant as long as the information has been there 180 days or more.

The Senate also sent to the President a bill that keeps alive for another five years a law that allows government agencies to spy on Americans without a warrant for counter-terrorism purposes.

The law allows the government to obtain secret court orders — which do not require probable cause like regular warrants — for any overseas emails or phone call traffic, according to the Electronic Frontier Foundation.

The only requirement is that the communications have to deal with “foreign intelligence information,” a broad term that can mean virtually anything. What’s more, it added, one secret order can be issued against groups or categories of people — potentially affecting hundreds of thousands of Americans at once.

Almost three-quarters of the Senate disagreed with the EFF, approving passage of the law 73-23.

Breach Diary

• Dec. 23: Hacker claims to have stolen 3 million records of Verizon Wireless customers and posted 300,000 of them to the Web. Verizon denies its computers were compromised and a security researcher examining information uploaded to Net reveals data had been previously posted to the Internet months ago.
• Dec. 24: WikiLeaks founder Julian Assange announces his whistleblowing site will publish more than one million documents in 2013. Most documents posted to the Internet by WikiLeaks in the past were obtained without their owners’ permission.
• Dec. 26: University of Michigan Health System discloses that personal health information of some 4,000 patients was contained in equipment stolen from the car of an employee who works for a vendor of the health care provider. According to the university, the equipment — which, contrary to policy, was not secured — included only health and demographic information.
• Dec. 26: South Carolina Gov. Nikki Haley submits US$6.3 billion budget to state legislature, including $47 million for IT spending. Forty percent of the IT request will go to pay off $20 million loan from the South Carolina Budget and Control Board to pay for expenses related to a massive data breach at the state’s Revenue department in October, which resulted in 3.8 million taxpayers Social Security numbers, 3.3 million bank account numbers and data on 700,000 businesses being compromised. The loan was used to pay for credit monitoring fees for affected taxpayers ($12 million), create dual passwords and encrypt data at the department ($5.6 million), notification costs ($1.3 million) and a breach report and an assessment conducted by a security firm ($750,000). Some $3 million of the IT budget request is earmarked for IT security improvements.
• Dec. 28: U.S. Army confirms a data breach on Dec. 6 of a database maintained by its Communications-Electronics Command (CECOM) located at the Aberdeen Proving Ground in Maryland may have compromised personal information of some 36,000 persons who worked for or visited Army commands formerly located at Fort Monmouth in New Jersey. Exposed information included a mix of full names, dates and places of birth, Social Security numbers, home addresses and salaries.

Upcoming Security Events

• Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Registration: $650.
• Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
• Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
• Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: Jan. 25 and before, $1,895. After Jan. 25, $2,295.
• Mar. 12-15: Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, Euro 1,095 (US$1,447); through Feb. 28, Euro 1,295 (US$1,711); Mar. 1-15, Euro 1,495 ($US1,975).