Newsletter June 2012 - GCSEC



SAM’12: The 2012 International Conference on Security and Management Date: 16 – 19 July 2012 Location: Las Vegas, USA http://sam.udmercy.edu/sam12/ Leading international opportunity for computer and network security professionals and users to investigate innovative ideas and outcomes, and to exchange experiences on various aspects of information security. Novel research in all practical areas of computer and network security is sought.

ICITIS 2012: The 3rd IEEE International Conference on Information Theory and Information Security Date: 27 July 2012 Location: Beijing, China http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=19827&copyownerid=21605 ICITIS 2012 will keep promoting the information exchange on information theory, information security, computer technology, telecommunication technology, network and some related fields, which aims to promote international academic exchange and international cooperation.

SecurIT 2012 Date: 16 – 19 August 2012 Location: Kerala, India http://securit.ws/ SecurIT 2012, the Security Conference on Internet of Things (IoT), invites professionals from industry verticals such as security solutions companies, automobile, mobile and wireless companies and academicians from universities and research labs to participate and contribute.

Cyber Resilience for National Security Date: 12 – 14 September 2012 Location: Washington, DC/VA, USA http://www.clocate.com/conference/Cyber-Resilience-for-National-Security-2012/29782/ As the US Military, Homeland Defense and Intelligence communities prepare for post-Iraq, and eventually post-Afghanistan, they will need to maintain force dominance over new and emerging actors and threats. One of the largest threats to national security at present is in the cyber realm. This event will focus on the latest prioritization efforts within the DoD’s cyber security efforts, while bringing together government and industry leaders to discuss the most challenging threats to national cyber security in both the public and private sector.

 

Dear Reader, May has been full of events that saw the participation of GCSEC. It is worth mentioning the Digital Agenda Assembly 2012 in Brussels, where GCSEC has been asked to contribute on Digital Identity. In April we also joined a session at the European Parliament organized by EIF – European Internet Foundation. The situation is clear: the attention is on eID, the digital equivalent of National ID cards, and not on “soft identities”, those that we use daily to access any kind of service on the Internet, including payment systems (in the end, a credit card when used online is a soft identity…). The incident that affected 6.5m users of LinkedIn is a clear example of the risks that users are facing. The situation is even worse than it appears: most users I know are using on LinkedIn the same password they use for their email. This is a big risk: email has become our “digital key ring”, to which most of our digital identities are connected. The incident demonstrated not only the risk, but also the fact that operators are not adopting even the simplest and most inexpensive techniques to protect users' identities and credentials. GCSEC's position is to help operators through guidelines and standards in order to adopt minimum standard countermeasures to protect end-user identities. Governments should also play a key role through modern policies. This is what GCSEC is advocating at international level.

Andrea Rigoni

“London Olympics 2012: no game with Cyber Security!” by Maria Luisa Papagni – AlmavivA/GCSEC

The surprising results of a survey by McAfee, the well-known U.S. security company, show a worrying lack of awareness amongst MPs, business leaders and journalists about the extent of the cyber threat facing the London 2012 Olympic Games. The risks for major events like the Olympics do not come just from terrorism: the alarm is also very high for a cyber attack.

“A distributed and hierarchical DNS-CERT for Internet Health and Security.” by Igor Nai Fovino and Elena Agresti – GCSEC

The mechanism by which the Internet translates names to addresses and vice versa is the Domain Name System (DNS). It is recognized as one of the most critical services in the Internet infrastructure. The cyber attacks and security breaches to which the DNS has been exposed in recent years have shown that the DNS world is in crisis.

“Lulzsec. Can hacking be just fun?” by Marco Caselli – GCSEC

Lulz Security, abbreviated Lulzsec, was born as an offshoot of Anonymous. In May 2011, an affiliated collective called Internet Feds decided to re-organize itself under this new identity while riding the wave of success of several cyber attacks. In just one year the group has made people talk about it a lot.

events

editorial

in this number

June 2012 – year 2, issue 6


 India to greenlight state-sponsored cyber attacks http://www.theregister.co.uk/2012/06/11/india_state_sponsored_attacks/  The Indian government is stepping up its cyber security capabilities with plans to protect critical national infrastructure from a Stuxnet-like attack. Sources told the “Times of India” that the government’s National Security Council, which is headed by Prime Minister Manmohan Singh, is working out the fine details which would give the Defence Intelligence Agency (DIA) and National Technical Research Organization (NTRO) the power to carry out unspecified offensive operations.

LinkedIn dials 911 on password mega-leak hackers http://www.theregister.co.uk/2012/06/08/law_investigates_linkedin_breach/ LinkedIn has turned to the FBI for help after 6.5 million of its users' passwords were dumped online by hackers. A list containing the unsalted SHA-1 hashed passwords, purportedly of users of the business social network, has been posted on a Russian Dropbox-alike website. The business network said "a small subset" of the hashed data had been deduced and revealed, but the rest is "hard to decode". Security biz Sophos estimated that as much as 60 per cent of the leaked list had been cracked. "To the best of our knowledge, no email logins associated with the passwords have been published," the company stated in a blog post.

Flame gets suicide command http://www.theregister.co.uk/2012/06/07/flame_suicide_command/ One of the most dangerous viruses ever, found in some areas of the Middle East, has unexpectedly changed its behavior. According to Symantec, its creators have sent a self-destruct command designed to wipe Flame from compromised computers, so that it cannot be traced back to them. Study of Flame has also revealed how sophisticated its code is: it will take years to understand how it works.

White House unveils initiatives to combat botnets http://www.scmagazine.com/white-house-unveils-initiatives-to-combat-botnets/article/243712/ The Obama administration revealed new initiatives to combat botnets, believed to present one of the greatest threats to the integrity of the internet. The initiatives are the result of a voluntary public-private partnership between the White House Cybersecurity Office and the U.S. Departments of Commerce and Homeland Security (DHS), who coordinate with private industry to lead the Industry Botnet Group (IBG), a group of nine trade associations and nonprofit organizations representing thousands of companies across information, communications, and financial services industries.

Obama Order Sped Up Wave of Cyberattacks Against Iran http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all From his first months in office, President Obama secretly ordered increasingly sophisticated attacks against the Iranian nuclear industry, significantly expanding America’s first sustained use of cyberweapons. Mr. Obama decided to accelerate the operation code-named Olympic Games ordered by President George W. Bush starting in 2008. The effort seems to have included the use of the Stuxnet malware.

Global Payments: processor affirms victim estimate, but warns of new breach http://www.scmagazine.com/processor-affirms-victim-estimate-but-warns-of-new-breach/article/245597/ Global Payments is the Atlanta-based processor whose North American payment systems were breached earlier this year, potentially compromising up to 1.5 million credit and debit cards. Chairman and CEO Paul Garcia revealed that through a forensic examination into the incident, investigators detected another unauthorized intrusion: this one affecting a database that contains the applications of merchants who sought to have Global Payments process their transactions. The two breaches don't appear linked.

Senators attempt compromise cyber security bill http://www.csoonline.com/article/708336/senators-attempt-compromise-cybersecurity-bill Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) are circulating a draft bill that they hope will settle one of the major debates over competing legislative proposals: How heavy the hand of government should be in regulating industries that operate critical infrastructure. They are proposing incentives instead of mandates. Senate Majority Leader Harry Reid took to the Senate floor to say it matters very much. He cited a letter from a bipartisan group of former national security officials from both the Bush and Obama administrations, who wrote that the nation is at risk of being unprepared for cyber 9/11: “it is not a question of whether this will happen; it is a question of when.”

news

“London Olympics 2012: no game with Cyber Security!”

By Maria Luisa Papagni – AlmavivA/GCSEC

Imagine being at the stadium watching the finals of the athletics competitions of the Olympics. Adrenaline and emotion before the start, with the whole audience on its feet to admire the "human shrapnel" trying the blocks and making the last pre-start stretches. Then comes the long-awaited moment. One, two, three ... and the usual spectacular start by Usain Bolt. He is already a few inches ahead of everyone, and suddenly… all the lights turn off! Total darkness, people panic: is it a terrorist attack? People start to scream and rush en masse toward the way out! Does this sound like a science fiction movie? No, it's just one of the scenarios that may follow a possible cyber attack during the London 2012 Olympics. Yes, because the risks for major events like the Olympics do not come just from terrorism: the alarm is also very high for a cyber attack, which can come from someone who has terrorist aims or even from someone who just wants a bit of notoriety (given the high number of followers of the event). The risk is to underestimate the threat of cyber attacks, as often happens with regard to cyber security. The surprising results of a survey by McAfee, the well-known U.S. security company, show a worrying lack of awareness amongst MPs, business leaders and journalists about the extent of the cyber threat facing the London 2012 Olympic Games. Only 2% of respondents considered cyber-attacks the largest threat, despite the record growth of malware (over 6 million cases in the first three months of 2011). The McAfee report, in essence, reflects a mismatch still present between the real growth of cyber attacks and the awareness of the dangers among entrepreneurs, politicians and media. Just think that in the first three months of 2011 there was an increase of 76% in attacks on Android phones, while the forecast for growth of malware indicates the threshold of 75 million by the end of the year. This is a deficit of awareness that we must be aware of.

But awareness is not lacking in Gerry Pennell, Chief Information Officer of the London Committee for the Olympic Games, who early in January said that “The high profile nature of the event means that an attack is inevitable. We will be the target of a cyber attack. It will happen for sure as happened in the last editions of the Games. For this we are working with the government and other stakeholders to ensure that we have the defences necessary to protect our systems from inevitable offensives”.

A team of 450 anti-hacking experts is working to protect the Games: not only are they defending the official website of the event (and the archives of scores and results) against tampering, but they are also assigned to the control of at least 90 Olympic websites. In the recent past, both Beijing 2008 and Athens in 2004 were targets of cyber attacks. Atos Origin, IT partner of the London 2012 Olympic Committee, reported that 14 million malware events were recorded per day during the Olympics that took place in Beijing, 400 of which had the potential to impact the Games. A concrete episode of cyber attack linked to an Olympic event also occurred during the 2002 Winter Games in Salt Lake City, when some South Korean hackers made several American sites unusable with a DDoS attack on US servers, following a disputed decision that denied victory to an athlete from Seoul and awarded the gold to an American skater. So the alarm is high for the risk of compromised websites, hacked smartphones, breaches of the huge databases reserved for managing all the data to organize, classify and protect, and in general the blocking of the operations of the complex platforms that constitute the basis of the Olympic Information System. But Gerry Pennell reassures everyone: "We will be using a content distribution network to push data out, which means our dependency on a central host architecture is much lower. What that means is that it is very hard to launch a distributed denial of service attack (DDoS), simply because our front-end is so dispersed. We designed our approach to information security into our architecture from the beginning. We keep mission-critical Games systems, such as anything to do with distributing results, quite insulated from other components of the network, particularly anything web-facing, thus making it extremely hard for an external attack to succeed." He is confident a cyber attack will not succeed in bringing down the Games' IT systems.

We hope so… And we trust that we will see Usain Bolt cross the finish line, perhaps giving us another world record!

 

“A distributed and hierarchical DNS-CERT for Internet health and security.” by Igor Nai Fovino and Elena Agresti - GCSEC

In the new digital society, characterized by interoperability, connectivity and communications, the Internet plays a key role. The main critical infrastructures and the core business activities of private organizations are based on the Internet and information technologies. The Internet is therefore at the heart of basically all existing services, and its failure could potentially have an impact on our lives. A failure of critical services such as transportation, energy, telecommunication, banking and finance could result in significant impacts on the economy of the affected country and of other countries, but also on citizens' security and daily life. The mechanism by which the Internet translates names to addresses and vice versa is the Domain Name System (DNS). It is recognized as one of the most critical services in the Internet infrastructure. The cyber attacks and security breaches to which the DNS has been exposed in recent years have shown that the DNS world is in crisis. Security events such as the massive DNS cache poisoning attack that affected millions of users in Brazil in 2011, or the wrong configuration of DNSSEC that disconnected whole domains, have demonstrated its weakness and the lack of global visibility, management and control. Today, if a researcher discovers a new DNS security issue, he doesn’t know whom to contact, what information to provide or which trusted communication channels he can use. There isn’t an entity able to collect and provide information about threats, vulnerability profiles, mitigation strategies or incident response methodologies concerning DNS. In response to this scenario, in 2010 the Internet Corporation for Assigned Names and Numbers (ICANN) conducted consultations with a broad spectrum of stakeholders on the concept of a “DNS CERT”. Unfortunately that consultation remained the only action toward the creation of a DNS-CERT. Its proposal was considered insufficient in detail and in its analysis of gaps regarding current activities and capabilities related to DNS security and resiliency.


Today nothing like a DNS-CERT exists. There are CERTs at national, regional and worldwide level, but the scope of the current CERTs doesn’t coincide with the DNS ecosystem. DNS management is decentralized and its community is global and independent. It is composed of different actors, such as end users, resolvers, root servers, registers, authoritative servers, registrars, ICANN, IANA and VeriSign, that work across a hierarchical infrastructure. To meet the needs of this environment, a DNS-CERT should be based on a hierarchical and distributed model. In this case the response capability would be distributed among all the actors of the DNS ecosystem, in order to respond to and prevent DNS incidents and threats and to enhance the level of security, stability, resiliency and health. DNS actors would share knowledge about vulnerabilities, threats, security incidents, warnings, alerts, experiences, methodologies, best practices, lessons learned and tools for incident management. In this way they will be able to identify hazards and impacts correctly and to solve many issues. Cooperation and information sharing are essential for correct DNS incident prevention, detection and response. In a distributed and hierarchical model, not all the actors need to interact directly with each other. GCSEC has conducted an assessment of each DNS actor's role and its interactions in the ecosystem. The analysis found that each actor frequently speaks with actors of the same level or with actors positioned higher or lower in the hierarchical structure. This is evidence of the need to adopt a hierarchical and distributed approach. Moreover, the distributed model is an agile model and it facilitates the interfaces with stakeholders. National operators could be an interface with the national CERT, which could be the correct way to reach critical infrastructure operators. The DNS CERT will not overlap with current activities and capabilities but will enhance and improve them through the sharing of experiences, initiatives, best practices and common exercises.

If a TLD decides to implement DNSSEC, it could take advantage of the experiences of other TLDs, which could share their knowledge, the issues they addressed or the lessons they learned, and give suggestions. The DNS CERT should be composed of participants that are directly involved in it (e.g. Root Operator, DNS Operators, TLD Registries, Registrars, ISP, Registrants, Corporate Infrastructure Operators) and stakeholders that are interested in and can support DNS CERT activities (e.g. national CERT, standardization organization, business community, Law Enforcement, vendors, researchers & academics). The DNS CERT could be managed by a not-for-profit consortium, composed of DNS CERT participants, which could be overseen by a Board composed of one representative per participant. A distributed approach will have many advantages over a centralized one, such as shared resources and hierarchical interaction among all DNS actors, but can have negative effects on incident handling due to its complex organization. For that reason, it should be well organized with regard to the main processes (communication, IT, logging, support…). To guarantee effective communication and information sharing, the CERT will need a common and formalized language. The DNS CERT should identify a common way of measuring DNS performance as well as a common way of investigating potential weaknesses. GCSEC has developed and promoted a framework of metrics and KPIs to support the design, engineering and policy making of the DNS infrastructure. The framework is based on point-of-view analysis, in which each DNS actor will be able to describe the DNS from its perspective. It reflects the DNS hierarchical infrastructure and its needs. Sharing common metrics could be the first step toward the constitution of a DNS-CERT.

What we have just described was presented by GCSEC at the 24th Annual FIRST Conference. The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from over 240 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania. The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and the global security community. The FIRST conference, bringing together the top experts in the CERT and CSIRT sectors, was the ideal floor on which to present the concept of a distributed and hierarchical CERT for the DNS ecosystem. The presentation attracted a lot of attention, and during question time the audience raised several interesting questions. While on one side the idea of a distributed CERT was confirmed as the most suitable model for the needs and peculiarities of the DNS, doubts were raised about the attention of the DNS community to this topic and about the possibility of reaching the critical mass needed to launch such an initiative worldwide. The last point is indeed the most relevant: as the experience related to the ICANN CERT initiative showed, without the support of relevant actors in the DNS community the creation of a DNS-CERT will remain a mere project on paper. However, the lack of a CERT specifically designed to support DNS operators potentially constitutes a breach in the security and stability of all the critical infrastructures relying on the public network to operate, and for that reason it cannot be neglected.


A distributed approach promises to combine the operators' needs for independence and flexibility with the typical functions and services provided by a CERT. GCSEC strongly believes in this approach and for that reason is planning to promote an international initiative to define a first pilot based on it.

“Lulzsec. Can hacking be just fun?” by Marco Caselli - GCSEC

Basically, they do it “for the lulz”. Just fun: a variation of the more famous lol (laughing out loud), the lulz is what has always marked the most irreverent group of hackers on the whole Internet. Lulz Security, abbreviated Lulzsec, was born as an offshoot of Anonymous. In May 2011, an affiliated collective called Internet Feds decided to re-organize itself under this new identity while riding the wave of success of several cyber attacks. In just one year the group has made people talk about it a lot. Lulzsec has committed numerous attacks but, as the Wall Street Journal wrote, these activities seem to be closer to Internet pranks than to serious cyber-warfare. In this sense, the group’s motto is quite explicit: “Laughing at your security since 2011!”. Can it be just amusement? Well, LulzSec has never appeared to hack for financial profit, although it is possible to make Bitcoin donations to help fund its activities. Moreover, ideology and political alignment are something that came out mostly when the group joined Anonymous for collaborative operations (e.g. Anti-Sec). Lulzsec seems different. They used to say that many other hackers exploit and steal user information without releasing the names publicly or alerting people that they may have been hacked. Instead, they always reveal lists of stolen usernames, also informing the public of vulnerable websites. This gives users the opportunity to change credentials that might otherwise be exploited, and allows companies to become aware of their vulnerabilities and upgrade their security. Real goodness or desire for fame? Lulzsec’s behavior must not deceive.

Many of its actions seem far less altruistic than others, such as the Distributed Denial of Service attack against the United Kingdom’s Serious Organized Crime Agency (SOCA). Moreover, Lulzsec incurred cyber-activists’ wrath more than once. Groups like TeaMp0isoN and Team Web Ninjas, but also single hackers, several times made life difficult for Lulzsec. They accused its members of misconduct toward Internet users, and maybe this situation was one of the reasons for the group’s downfall. Lulzsec is, in fact, going through a crucial period that could possibly mark its end. Like a flame that burns so vigorously that it lasts only a few moments, the great number of attacks and the disrespectful attitude of their claims have probably attracted too much attention to the group. With a post on the imageboard Pastebin (a forum dedicated to comment images) the user KillerCube identified LulzSec leader Sabu as Hector Xavier Monsegur already in June 2011. This identification was later shown to be accurate and the FBI arrested the hacker the same month. He was a 28-year-old IT consultant residing in New York. It seems strange, but this fact did not end the boy's career in Lulzsec. Not funny at all for the group of cyber-activists, Sabu pleaded guilty to several hacking charges and agreed to cooperate with the FBI. Over the following seven months he successfully unmasked the other core members of Lulzsec. Finally, on March 6, Topiary, Kayla, pwnsauce, palladium, and Anarchaos, betrayed by their leader, fell into the trap hatched by the feds and were arrested.

Game over? It seems that the amusement is not finished yet. After two months of agitation within the hacker community (Anonymous immediately reacted to Sabu's unmasking and betrayal tweeting "#Anonymous is a hydra, cut off one head and we grow two back") the group is rising from the ashes with the same goliardic spirit. A few days ago, Lulzsec Reborn introduced itself to the Internet with a cheerful Star Wars-style video showing a taste of three terabytes of governments’ emails and sensitive information close to release. The Lulz Boat, allegoric image of the group often present in their videos, still surfs the stormy waters of the Internet. The crew changes but the goal remains the same. The fun fills the sails and several FBI battleships are back in their pursuit. Let's enjoy the show; we surely cannot get bored when it comes to Lulz.

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy www.gcsec.org