Nations prepare for cyber war

By David Goldman

Security analysts are predicting that 2013 is when nation-sponsored cyberwarfare goes mainstream — and some think such attacks will lead to actual deaths. In 2012, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least 12 of the world’s 15 largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. So a cyber Cold War is already in progress. But some security companies believe that battle will become even more heated this year.
“Nation states and armies will be more frequent actors and victims of cyberthreats,” a team of researchers at McAfee Labs, an Intel subsidiary, wrote in a recent report. Michael Sutton, head of security research at cloud security company Zscaler, said he expects governments to spend furiously on building up their cyber arsenals. Some may even outsource attacks to online hackers.
Source: http://money.cnn.com/2013/01/07/technology/security/cyber-war/

 

 

Pass on ‘password’ for Internet security, experts say

Following a year in which an estimated one billion hacking attempts were made, security experts hopethat people resolve to upgrade their passwords in 2013. Lists posted by hackers show that in 2012, the most commonly used password was “password.” In second place was “123456.” Passwords “ABC123” and “letmein” were also among the top-ten most common passwords. Canada’s proposed data breach measures trail other countries: privacy watchdog “On what planet do these people live? Who would use that as your password? But lots of people do,” Ontario Privacy Commissioner Ann Cavoukian told CTV News. Security experts say users should have at least a few passwords to use for different accounts. Users should also avoid words that they may have used online, such as a pet’s name or a street name. If hackers get into one account, they may scour it for passwords to other accounts. Cavoukian has a unique way to make passwords more difficult. She says she chooses one word, and then combines it in two languages.
Source: http://www.ctvnews.ca/sci-tech/pass-on-password-for-internet-security-experts-say-1.1102603

Microsoft’s Internet Explorer Zero-Day Fix Broken ‘With Ease’

By Tom Brewster

Just days after Microsoft issued a workaround solution to stop attackers exploiting a zero-dayvulnerability in Internet Explorer, researchers have shown how easy it is to get around the supposed fix. Microsoft rushed out a Fix It tool this week to prevent hackers from exploiting a previously unknown memory corruption flaw in IE versions 6, 7 and 8, which hackers have used to carry out watering hole attacks. In this kind of attack, hackers add malicious code to webpages they know their targets frequent. But that fix has been circumvented by researchers at Exodus Intelligence, a vulnerability specialist formed by ex-employees of the Zero-Day Initiative. Aaron Portnoy, co-founder and vice-president of research at Exodus, told TechWeekEurope it took less than a day’s work to get around the fix and exploit the flaw.
Source: http://www.techweekeurope.co.uk/news/microsoft-internet-explorer-zero-day-fix-broken-103199

 

Latest IE attacks connected to espionage group

By Dan Kaplan

Symantec has linked exploits that leverage a new zero-day vulnerability in Internet Explorer to thegroup responsible for a spate of recent espionage attacks. Dubbed the “Elderwood Project” bySymantec, the gang’s work is responsible for at least four remote code execution vulnerabilities that were discovered in 2012 and used to spread malware to visitors of websites such as Amnesty International Hong Kong, according to a post Thursday from Symantec Security Response. While theattackers used spear phishing emails in the past, researchers are now seeing the emergence of “watering hole” tactics being used – where they compromise websites that are frequented by employees working at targeted companies, or even lower-tier organizations, like manufacturers, in the defense supply chain. The latest zero-day was used as part of a so-called “watering hole” attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.
Source: http://www.scmagazine.com/latest-ie-attacks-connected-to-espionage-group/article/274915/