Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
December 12, 2014, Issue no 1518
Tenth year of uninterrupted publication
Today's edition
CAUTION : MHA Employees Cautioned Against Use of Social Media
CYBER-ATTACK : Did a Mysterious 2008 Turkey Pipeline Blast Open a Cyberwar?
OLD HACK : Powerful, highly stealthy Linux trojan may have infected victims for years
HACKED : Iranian hackers used Visual Basic malware to wipe Vegas casinos' network
CAUTION : MHA Employees Cautioned Against Use of Social Media
By PTI
10th December 2014

NEW DELHI: All employees in the Home Ministry have been cautioned against the use of social media and directed that no confidential information should be divulged on such platforms.

The Home Ministry told its employees that though they are free to post responses in their personal capacity, it is mandatory that while doing so they must clearly identify themselves and they must not divulge confidential information.

"Their views should not be seen to represent 'official view' unless authorised to do so. For any official work involving transmission of public records, they must use an email identity connected to a server located in India and for this purpose they must preferably take service of National Informatics Centre," Home Ministry Joint Secretary Kumar Alok said in a circular.

The Ministry said that social media is increasingly being used in government for public engagements, for disseminating information, policy making, recruitments, generating awareness, education etc.

"Most of the social media platforms are based outside India and are not governed by Indian laws. It is very important to ensure that Public Records Act 1993 and other applicable laws are complied with and adequate provisions for security are in place in view of current threat scenario in cyber space," the circular said.

Prime Minister Narendra Modi, Home Minister Rajnath Singh and most of the Union ministers are frequent users of social media platforms like Twitter and Facebook.
CYBER-ATTACK : Did a Mysterious 2008 Turkey Pipeline Blast Open a Cyberwar?
By Jordan Robertson and Michael Riley
December 10, 2014

The pipeline was outfitted with sensors and cameras to monitor every step of its 1,099 miles from the Caspian Sea to the Mediterranean. The blast that blew it out of commission didn't trigger a single distress signal.

That was bewildering, as was the cameras' failure to capture the combustion in eastern Turkey. But investigators shared their findings within a tight circle. The Turkish government publicly blamed a malfunction, Kurdish separatists claimed credit and BP Plc had the line running again in three weeks. The explosion that lit up the night sky over Refahiye, a town known for its honey farms, seemed to be forgotten.

It wasn't. For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.

"The revelation rewrites the history of cyberwar," said Derek Reveron, a professor of national security affairs at the U.S. Naval War College in Newport, Rhode Island.

Countries have been laying the groundwork for cyberwar operations for years, and companies have been hit recently with digital broadsides bearing hallmarks of government sponsorship. Sony Corp.'s network was raided by hackers believed to be aligned with North Korea, and sources have said JPMorgan Chase & Co. blamed an August assault on Russian cyberspies. Security researchers just uncovered what they said was a campaign by Iranian hackers that targeted commercial airlines, looking for vulnerabilities that could be used in physical attacks.
Energy Politics

The Refahiye explosion occurred two years before Stuxnet, the computer worm that in 2010 crippled Iran's nuclear-enrichment program, widely believed to have been deployed by Israel and the U.S. It turns out the Baku-Tbilisi-Ceyhan pipeline hackers were ahead of them. The chief suspect, according to U.S. intelligence officials, is Russia.

The sabotage of the BTC line -- which follows a route through the former Soviet Union that the U.S. mapped out over Russian objections -- marked another chapter in the belligerent energy politics of Eurasia. Days after the explosion, Russian fighter jets dropped bombs near the line in neighboring Georgia. Alexander Dugin, an influential advocate of Russian expansionism and at the time an adviser to the Russian parliament, was quoted in a Turkish newspaper declaring the BTC was dead.

Kinetic Effects

The obituary was premature, but the attack proved to U.S. officials that they were right to be concerned about the vulnerability of pipelines that snake for hundreds of thousands of miles across Europe and North America. National Security Agency experts had been warning the lines could be blown up from a distance, without the bother of conventional weapons. The attack was evidence other nations had the technology to wage a new kind of war, three current and former U.S. officials said.

"The timing really is the significance," said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, which works with utilities and pipeline companies. "Stuxnet was discovered in 2010 and this was obviously deployed before that. This is another point on the timeline in the young history of cyberwar."

U.S. intelligence agencies believe the Russian government was behind the Refahiye explosion, according to two of the people briefed on the investigation. The evidence is circumstantial, they said, based on the possible motive and the level of sophistication. The attackers also left behind a tantalizing clue.
Infrared Camera

Although as many as 60 hours of surveillance video were erased by the hackers, a single infrared camera not connected to the same network captured images of two men with laptop computers walking near the pipeline days before the explosion, according to one of the people, who has reviewed the video. The men wore black military-style uniforms without insignias, similar to the garb worn by special forces troops.

"Given Russia's strategic interest, there will always be the question of whether the country had a hand in it," said Emily Stromquist, an energy analyst for Eurasia Group, a political risk firm based in Washington.

Nikolay Lyaschenko, a spokesman for the Russian Embassy in Washington, didn't respond to two e-mails and a phone call.

Eleven companies -- including majority-owner BP, a subsidiary of the State Oil Company of Azerbaijan, Chevron Corp. and Norway's Statoil ASA (STL) -- built the line, which has carried more than two billion barrels of crude since opening in 2006.

Circumventing Russia

It starts in Azerbaijan, traverses Georgia and then enters Turkey, ending at the port city of Ceyhan. It was routed south to circumvent Russia, a blow to that country's aims to reassert control over Central Asia, a major pipeline deliberately built outside Russian territory to carry crude from the Caspian.

Traversing strategic, politically unsettled terrain, the line was built to be one of the most secure in the world. The 3-foot 6-inch diameter pipe is buried underground and punctuated by fenced valve stations designed to isolate sections in case of emergency and to contain leaks.

According to investigators, every mile was monitored by sensors. Pressure, oil flow and other critical indicators were fed to a central control room via a wireless monitoring system. In an extra measure, they were also sent by satellite.

The explosion, at around 11 p.m. on a warm summer night, was spectacular. Residents described feeling the heat a half mile away, and patients at a nearby hospital reported hearing a thunderous boom.
First Mystery

Almost immediately, the Kurdistan Workers' Party, or PKK, an armed separatist group in Turkey, claimed credit. It made sense because of the PKK's history of bombing pipelines. The Turkish government's claim of mechanical failure, on the other hand, was widely disputed in media reports. Hilmi Guler, then Turkey's energy minister, said at the time there was no evidence of sabotage. Neither he nor officials at the Energy Ministry responded to requests for comment.

Huseyin Sagir, a spokesman for Botas International Ltd., the state-run company that operates the pipeline in Turkey, said the line's computer systems hadn't been tampered with. "We have never experienced any kind of signal jamming attack or tampering on the communication lines, or computer systems," Sagir said in an e-mail. He didn't respond to questions about what caused the explosion. BP spokesman Toby Odone referred questions to Botas.

The BTC was shut down because of what BP referred to in its 2008 annual report simply as a fire.
Malicious Program

The investigators -- from Turkey, the U.K., Azerbaijan and other countries -- went quietly about their business. The first mystery they set out to solve was why the elaborate system in place to detect leaks of oil or a fire didn't work as planned.

Instead of receiving digital alerts from sensors placed along the line, the control room didn't learn about the blast until 40 minutes after it happened, from a security worker who saw the flames, according to a person who worked on the probe.

As investigators followed the trail of the failed alarm system, they found the hackers' point of entry was an unexpected one: the surveillance cameras themselves.

The cameras' communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.

Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.
Extensive Reconnaissance

The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line's design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.

The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.

Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the probe.

Investigators compared the time-stamp on the infrared image of the two people with laptops to data logs that showed the computer system had been probed by an outsider. It was an exact match, according to the people familiar with the investigation.
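The defensive lesson in the account above is that the monitoring system treated silence as health: with the alerting units tampered with and the satellite backup jammed, the control room saw nothing and learned of the blast 40 minutes later from a worker who saw flames. The following added example (not code from the article, BP or Botas) sketches a telemetry watchdog for the two-path design the article describes, in which a valve station that stops reporting on both paths, or whose wireless and satellite readings disagree, raises an alarm instead of being assumed healthy. Station names, limits and the readings are constructed for the demo.

```python
"""Added example, not from the Bloomberg article or from BP/Botas: a
telemetry watchdog for the monitoring design the article describes (each
valve station reports pressure over a primary wireless path and a satellite
backup). Because the attack worked by silencing alerts, the watchdog treats
silence itself as an alarm: a station that stops reporting on both paths, or
whose two paths disagree, raises an alert instead of being assumed healthy.
Station names, thresholds and the sample readings are constructed."""
from collections import defaultdict

STALE_AFTER_S = 120      # assumed: a path is stale after 2 minutes without a report
MAX_PRESSURE_BAR = 95    # assumed: pressure design limit used for the demo
MAX_PATH_SKEW_BAR = 5    # assumed: allowed disagreement between the two paths

# Constructed readings: (epoch seconds, station, path, pressure in bar).
# VS30 reports a satellite value far from its wireless value at t=60 and then
# goes silent on both paths; VS31 keeps reporting normally.
SAMPLE_READINGS = [
    (0,   "VS30", "wireless", 80.0), (0,   "VS30", "satellite", 80.4),
    (0,   "VS31", "wireless", 78.0), (0,   "VS31", "satellite", 78.2),
    (60,  "VS30", "wireless", 81.0), (60,  "VS30", "satellite", 90.5),
    (60,  "VS31", "wireless", 78.1), (60,  "VS31", "satellite", 78.0),
    (120, "VS31", "wireless", 78.3), (120, "VS31", "satellite", 78.1),
    (180, "VS31", "wireless", 78.0), (180, "VS31", "satellite", 78.2),
]


def evaluate(readings, now):
    """Return a sorted list of (station, alert) tuples describing the state at `now`."""
    last = defaultdict(dict)   # station -> path -> (timestamp, value) of the latest report
    for ts, station, path, value in readings:
        if ts <= now:
            last[station][path] = (ts, value)

    alerts = []
    for station, paths in sorted(last.items()):
        stale = [p for p in ("wireless", "satellite")
                 if p not in paths or now - paths[p][0] > STALE_AFTER_S]
        if len(stale) == 2:
            # No path has reported recently: loss of telemetry is itself an alarm.
            alerts.append((station, "no telemetry on any path"))
            continue
        for p in stale:
            alerts.append((station, f"{p} path stale"))
        live = {p: v for p, (ts, v) in paths.items() if p not in stale}
        if any(v > MAX_PRESSURE_BAR for v in live.values()):
            alerts.append((station, "pressure above design limit"))
        if len(live) == 2 and abs(live["wireless"] - live["satellite"]) > MAX_PATH_SKEW_BAR:
            # Two independent paths should agree; a gap suggests one is being fed false data.
            alerts.append((station, "paths disagree"))
    return alerts


if __name__ == "__main__":
    for now in (0, 60, 240):
        print(f"t={now}s: {evaluate(SAMPLE_READINGS, now)}")
```

The two properties worth carrying into a real system are that the absence of data is an alert condition rather than a quiet success, and that the backup path is used to cross-check the primary continuously rather than only after the primary is already known to have failed.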
Terrorism Act

Years later, BP claimed in documents filed in a legal dispute that it wasn't able to meet shipping contracts after the blast due to an act of terrorism.

The explosion caused more than 30,000 barrels of oil to spill in an area above a water aquifer and cost BP and its partners $5 million a day in transit tariffs during the closure, according to communications between BP and its bankers cited in "The Oil Road," a book about the pipeline.

Some of the worst damage was felt by the State Oil Fund of the Republic of Azerbaijan, which lost $1 billion in export revenue while the line was shut down, according to Jamala Aliyeva, a spokeswoman for the fund.

A pipeline bombing may fit the profile of the PKK, which specializes in extortion, drug smuggling and assaults on foreign companies, said Didem Akyel Collinsworth, an Istanbul-based analyst for the International Crisis Group. But she said the PKK doesn't have advanced hacking capabilities. "That's not their modus operandi," she said. "It's always been very physical, very basic insurgency stuff."

Potential Rivals

U.S. spy agencies probed the BTC blast independently, gathering information from foreign communications intercepts and other sources, according to one of the people familiar with the inquiry. American intelligence officials believe the PKK -- which according to leaked State Department cables has received arms and intelligence from Russia -- may have arranged in advance with the attackers to take credit, the person said.

The U.S. was interested in more than just motive. The Pentagon at the time was assessing the cyber capabilities of potential rivals, as well as weaknesses in its own defenses. Since that attack, both Iran and China have hacked into U.S. pipeline companies and gas utilities, apparently to identify vulnerabilities that could be exploited later.

Critical Services

As tensions over the Ukraine crisis have mounted, Russian cyberspies have been detected planting malware in U.S. systems that deliver critical services like electricity and water, according to John Hultquist, senior manager for cyber espionage threat intelligence at Dallas-based iSight Partners, which first revealed the activity in October.

Russian hackers also targeted sensitive documents related to a NATO summit in September, hitting dozens of computers belonging to the Ukrainian government and others, according to an iSight report.

"In the U.S., it is only a matter of the when, not the if, that we are going to see something dramatic," Michael Rogers, director of the NSA and commander of the U.S. Cyber Command, told the House Intelligence Committee on Nov. 20. "I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure."

Three days after the BTC blast, Russia went to war with Georgia, and Georgian Prime Minister Nika Gilauri accused Russia of sending the jets to bomb the BTC near the city of Rustavi. The bombs missed their presumed target, some by only a few feet, and the pipeline remained undamaged. The keyboard was the better weapon.
OLD HACK : Powerful, highly stealthy Linux trojan may have infected victims for years
Backdoor tied to espionage campaign that has targeted governments in 45 countries.
by Dan Goodin
Dec 9 2014

Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The previously undiscovered malware represents a missing puzzle piece tied to "Turla," a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers, who are probably backed by a nation-state, according to Symantec, were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.

Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin, for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.

"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been Windows based. This piece of the puzzle shows us that they do not limit themselves."
Magic Numbers

Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways."

Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

Even after its discovery, the Linux component remains a mystery. The underlying executable file is written in the C and C++ languages and contains code from previously written libraries, a property that gives the malicious file self-reliance. The code is also stripped of symbol information, making it hard for researchers to reverse engineer or analyze. As a result, Baumgartner said the trojan may have capabilities that have not yet been uncovered.

Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"
Given the power and stealth of the backdoor, not to mention its connection to one of the more sophisticated espionage campaigns discovered to date, it wouldn't be surprising for the discovery to open the door to discoveries of more infections or malware components.

"The research is ongoing," Baumgartner said. "I would assume at some point this is going to bridge into another finding because of the way this backdoor is used."
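The two indicators the article gives administrators (the hardcoded C2 addresses and the two strings a YARA rule can key on) are easy to turn into a repeatable check. The following added example is not code from Ars Technica or Kaspersky Lab; it carries the equivalent YARA rule text alongside a pure-Python string scan, and runs a pass over outbound-connection log lines for the two C2 addresses. The egress log format and the byte blobs standing in for binaries are constructed for the demo.

```python
"""Added example for the Turla indicators quoted in the article; it is not
code from Ars Technica or Kaspersky Lab. Two checks are shown: a YARA-style
string scan over file contents, and a pass over outbound-connection log lines
looking for the two hardcoded command-and-control addresses. The log format
and the byte blobs below are constructed for the demo."""
import re

# C2 addresses from the article (the domain is printed defanged there).
C2_INDICATORS = {"news-bbc.podzone.org", "80.248.65.183"}
# The two strings the article says a YARA signature can key on.
TURLA_STRINGS = [b"TREX_PID=%u", b"Remote VS is empty !"]

# Equivalent YARA rule text, for running the same check with the yara tool.
YARA_RULE = r'''
rule turla_linux_backdoor_strings
{
    strings:
        $trex = "TREX_PID=%u"
        $vs   = "Remote VS is empty !"
    condition:
        any of them
}
'''

# Constructed firewall-style egress log: one allowed connection per line.
SAMPLE_LOG = """\
2014-12-09T10:01:02 fw egress src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow
2014-12-09T10:01:09 fw egress src=10.0.0.5 dst=80.248.65.183 dport=80 action=allow
2014-12-09T10:02:41 fw egress src=10.0.0.7 dst=news-bbc.podzone.org dport=443 action=allow
2014-12-09T10:03:00 fw egress src=10.0.0.9 dst=8.8.8.8 dport=53 action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_c2_connections(log_text):
    """Return (src, dst) for each log line whose destination is a known Turla C2."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst").lower() in C2_INDICATORS:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def scan_for_turla_strings(data):
    """Return the Turla marker strings present in a byte blob (pure-Python YARA stand-in)."""
    return [s.decode() for s in TURLA_STRINGS if s in data]


# Constructed byte blobs standing in for ELF binaries read from disk.
CLEAN_BINARY = b"\x7fELF" + b"\x00" * 12 + b"usage: %s [options]\x00"
SUSPECT_BINARY = b"\x7fELF" + b"\x00" * 12 + b"TREX_PID=%u\x00Remote VS is empty !\x00"

if __name__ == "__main__":
    for src, dst in find_c2_connections(SAMPLE_LOG):
        print(f"possible Turla C2 traffic: {src} -> {dst}")
    for name, blob in (("clean", CLEAN_BINARY), ("suspect", SUSPECT_BINARY)):
        print(f"{name}: {scan_for_turla_strings(blob)}")
```

Because the article says the backdoor hides from netstat on the host, the connection check is only meaningful against logs taken off-host, such as a perimeter firewall or proxy; the string scan should likewise be run from a trusted system over copies of the binaries rather than from the suspect machine.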
HACKED : Iranian hackers used Visual Basic malware to wipe Vegas casinos' network
Attack in February aimed at punishing majority owner for nuke Iran statements.
by Sean Gallagher
Dec 12 2014

Stop us if this sounds familiar: a company executive does something that makes a foreign government's leadership upset. A few months later, hackers break into the company's network through a persistent cyber attack, and plant malware that erases the contents of hard drives, shuts down e-mail servers and phone systems, and brings operations to a screeching halt.

That's not just what happened to Sony Pictures Entertainment in late November; it's also what happened to Las Vegas Sands Corp., owners of the Sands, Venetian and Palazzo hotels and casinos, in a cyber attack that began last January. The attack and the damage it did were kept quiet by the company until it was reported in a story by Bloomberg Businessweek today.

Attempts to reach Las Vegas Sands Corp. have gone unanswered, and a spokesperson for Dell SecureWorks (which was brought in to clean up the mess afterward and determine its cause) declined to speak about the article, as it is the company's policy not to discuss work done for a customer. But according to Bloomberg's sources, the Sands attack was undertaken by hacktivists who were responding to a speech by Sands majority owner Sheldon Adelson. The billionaire 52-percent owner of the Sands and Israeli media mogul made an October 2013 appearance on a panel at the Manhattan campus of Yeshiva University, where he called for a nuclear attack on Iran to get the country to abandon its own nuclear program.

"What I would do," he said during the panel, "rather than negotiating, would be to say, 'Do you see that desert over there? I want to show you something.' You pick up your cell phone and you call somewhere in Nebraska and you say 'Ok let it go.' Then you say, 'See? The next one is in the middle of Tehran.'" The statement, which circulated on YouTube from smartphone video, reached Iran's leadership; Supreme Leader Ayatollah Ali Khamenei said in a November speech that the American government should "slap these prating people in the mouth and crush their mouths."
Apparently inspired by the speech, the attackers started probing Sands' network, launching an all-out brute force password attack on the company's virtual private network gateway at its slots casino in Bethlehem, Pennsylvania. Then, on February 1, they breached a Microsoft IIS development and staging server for the casino's website and used an open tool called mimikatz to obtain usernames and passwords. Eventually, they found the credentials of a senior systems engineer who had visited the Bethlehem site from Las Vegas, which gave them the keys to the corporate castle.
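The first step in the chain above, an all-out password-guessing run against an Internet-facing VPN gateway, is noisy in the gateway's own authentication log, and is the point at which a defender has the best chance of seeing the intrusion before any credentials are obtained. The following added example (not code from Ars Technica, Bloomberg or Dell SecureWorks) shows detection logic of that kind: a sliding window over authentication log lines that flags any source exceeding a failure threshold, records which accounts it tried, and notes whether a successful login followed the burst. The log format, thresholds and sample lines are constructed for the demo.

```python
"""Added example; it is not code from Ars Technica, Bloomberg or Dell SecureWorks.
It shows detection logic for the kind of password-guessing burst the article
describes against a VPN gateway: a sliding window over authentication log
lines flags any source that exceeds a failure threshold, records which
accounts it tried, and notes whether a success followed the burst. The log
format, thresholds and sample lines are constructed for the demo."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed gateway log line: ISO timestamp, result, account, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammers several accounts within seconds and
# then logs in; another source has two spaced-out failures (a typo, not an attack).
SAMPLE_LOG = """\
2014-01-15T02:00:01 vpn-gw auth FAIL user=admin src=203.0.113.7
2014-01-15T02:00:03 vpn-gw auth FAIL user=root src=203.0.113.7
2014-01-15T02:00:04 vpn-gw auth FAIL user=jsmith src=203.0.113.7
2014-01-15T02:00:06 vpn-gw auth FAIL user=mjones src=203.0.113.7
2014-01-15T02:00:08 vpn-gw auth FAIL user=admin src=203.0.113.7
2014-01-15T02:00:09 vpn-gw auth FAIL user=backup src=203.0.113.7
2014-01-15T02:00:15 vpn-gw auth OK user=mjones src=203.0.113.7
2014-01-15T02:05:00 vpn-gw auth FAIL user=rwilson src=198.51.100.4
2014-01-15T02:12:00 vpn-gw auth FAIL user=rwilson src=198.51.100.4
2014-01-15T02:12:30 vpn-gw auth OK user=rwilson src=198.51.100.4
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"failures": n, "users": [...], "success_after_burst": bool}}
    for every source that reaches `threshold` failures inside any `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> accounts that source tried
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines in other formats
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "OK":
            if src in alerts:     # a login that follows a flagged burst is the worst case
                alerts[src]["success_after_burst"] = True
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while ts - q[0] > window: # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"failures": 0, "users": [], "success_after_burst": False})
            a["failures"] = max(a["failures"], len(q))
    for src, a in alerts.items():
        a["users"] = sorted(users[src])
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures/min across {a['users']}; "
              f"success afterwards: {a['success_after_burst']}")
```

The account list matters as much as the count: one user failing repeatedly looks like a forgotten password, while one source cycling through admin, root and several named accounts is credential guessing, and a success that follows such a burst should be treated as a likely compromise rather than a user finally getting it right.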
As they rifled through the master network, Bloomberg's Ben Elgin and Michael Riley reported, the attackers readied a "malware bomb." Typing from a Sony (SNE) VAIO computer, they compiled a small piece of code, only about 150 lines long, in the Visual Basic programming language.

The Visual Basic malware written by the attackers (who according to investigators from Dell SecureWorks were likely hacktivists based in Iran and not attached to the Iranian government) worked in the same way as the Shamoon attack on Saudi Aramco, the DarkSeoul attack on South Korean media companies and banks, and the recent Sony Pictures attack. It overwrote portions of the hard drive of the affected machines, and then rebooted them to complete the job.
Disk Drive
A disk drive is a device that reads and/or writes data to a
disk. The most common type of disk drive is a hard drive (or "hard disk
drive"), but several other types of disk drives exist as well. Some
examples include removable storage devices, floppy drives, and optical drives,
which read optical media, such as CDs and DVDs.
While there are multiple types of disk drives, they all
work in a similar fashion. Each drive operates by spinning a disk and reading
data from it using a small component called a drive head. Hard drives and
removable disk drives use a magnetic head, while optical drives use a laser. CD
and DVD burners include a high-powered laser that can imprint data onto discs.
Since hard drives are now available in such large
capacities, there is little need for removable disk drives. Instead of
expanding a system's storage capacity with removable media, most people now use
external hard drives instead. While CD and DVD drives are still common, they
have become less used since software, movies, and music can now often be
downloaded from the Internet. Therefore, internal hard drives and external hard
drives are the most common types of disk drives used today.
The major western democracies are moving towards corporatism. Democracy has become a business plan, with a bottom line for every human activity, every dream, every decency, every hope. The main parliamentary parties are now devoted to the same economic policies - socialism for the rich, capitalism for the poor - and the same foreign policy of servility to endless war. This is not democracy. It is to politics what McDonald's is to food.
- John Pilger
Note -