Attacks/Breaches

7/12/2011
01:33 PM
Fritz Nelson
Commentary

Antisec Attacks An Urgent Wake-Up: InformationWeek Now

It's difficult to gauge the ethos of these next generation hackers. If I could summarize, it's this: Punish.

Almost a month ago I was talking with Jerry Johnson, the CIO of Pacific Northwest National Laboratory (PNNL), which provides cyber security research for a variety of government agencies and many in the intelligence community. A friend and advisor to InformationWeek, he had reached out to talk about recent attacks on everyone from RSA to Lockheed-Martin--and specifically about some of his concerns regarding advanced persistent threats (APTs).

Our chat seems almost ominous now, given last week's attack on PNNL, and another wave of breaches culminating, for now at least, with yesterday's Monday Military Meltdown, so dubbed by the brash Antisec, whose mottos include "disclose nothing," "destroy everything," and "hide your mother" (OK, that last one was my own).

Johnson said that his biggest concern had become remote and home workers accessing systems on the network, logging in over a variety of wireless connections, sometimes with malware running and watching everything those users do. He didn't mention newer attack vectors, like tablets, but the inherent insecurity of mobile devices, combined with recent vulnerabilities, is causing security practitioners and IT pros some big headaches. Johnson said that recent NSA advisories warned that the threats have been understated. He seemed on high alert, and said that PNNL had some interesting new tools on hand.

Perhaps those tools helped PNNL shut down most of its network and servers; for now, the company isn't saying who it suspects, nor the nature of the attack, other than that it was not--as some reported--a spearphishing attack, but an APT, and that it exploited a zero-day vulnerability in a vendor's product, which has now been patched. Johnson said that PNNL is gradually turning some of its services back on, but it is being extremely cautious, given the sophistication of the hackers and the massive amount of communications PNNL conducts ("we are capable of streaming tens of billions of bits of information per second," the organization said in a Q&A).

PNNL is operated under contract with the US Energy Department, and it works on some fairly critical issues, like reducing our dependence on imported oil and coming up with new energy solutions; in other words, its work and its data are vital to national security. And that is what is most concerning.

Last week attackers breached servers at FBI contractor IRC Federal, unveiling all sorts of damaging loot. That attack used SQL injection. Yesterday, the same group claimed to have obtained the email addresses and passwords of 90,000 military personnel after compromising systems of defense contractor Booz Allen Hamilton.

Years ago, a well-respected security researcher who is now with a CIA outfit told me that it wouldn't be long before attackers shorted a stock and then took down a site. This might be a stretch, but in its report on the Booz Allen compromise yesterday, The Wall Street Journal said that the company's shares fell 2.3%. I raise this because it is difficult sometimes to gauge the ethos of this new era of hacker. If I could summarize it in one word, it would be: Punish.

In LulzSec's so-called 50 days of existence, the group claimed to target corruption, but sometimes it targeted companies just because it could, or, in some cases, just because someone asked, like the five-year-old who asks his big brother to come down to the playground and knock around the bully. They reveled (indeed, revel still) in the thrill of anarchy (their words) and entertainment. If their actions weren't so damaging, it might be tempting to find them entertaining. Their posts and tweets were creative writing, including the liberties they took with grammar.

I can't remember where LulzSec started and Anonymous ended, or where LulzSec began again with Anonymous, or what the relationship between those two is now, or might be with Antisec. Nor can I discern any differentiation in mottos or actions. Reading the prelude to Antisec's data dump on The Pirate Bay gives no further clues, but once again, it makes for good reading. In hailing their capture, Antisec says of Booz Allen: ". . . in this line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge." The post goes on to blast the defense contractor, shining a light on potential conflicts of interest and secret work Antisec alleges the company has done in an effort to spy on U.S. citizens.

It's fruitless to engage in a debate about whether the casualties of Antisec's war (the exposure of private information of innocent, everyday folks) are worth revealing the dirty details of the usual suspects of hypocrisy and duplicity--which exist in all walks of life and in nearly every industry. But the real debate that should be taking place inside organizations everywhere is what steps can be taken to ensure that these thrill seekers can't easily target your organization. That's what Johnson was telling me before PNNL was so rudely interrupted.

There's plenty of information about how to prevent vulnerabilities like SQL injection attacks, and about where some of the likely vulnerabilities lie, including in government databases. My colleague Kelly Jackson Higgins recently published a multi-faceted list of tips that could help thwart attackers.
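As an added illustration of the kind of SQL injection fix those tips point to (example code written for this page, not from the article or from any organization it mentions), here is a user lookup in its string-built "before" form beside the parameterized "after" form; the table, rows and inputs are constructed:

```python
import sqlite3

# Constructed sample data standing in for a small web application's user table.
CONSTRUCTED_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': the input is pasted into the SQL text, so a quote
    character in it changes the structure of the query itself."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value travels separately from the query text, so the
    database only ever compares it as data, never parses it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    benign = "alice"
    tautology = "x' OR '1'='1"  # constructed input: an always-true clause
    print(lookup_vulnerable(db, benign))         # one row, as intended
    print(lookup_vulnerable(db, tautology))      # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, tautology))   # no rows: treated as a literal username
```

The same contrast holds for any driver that supports bound parameters; the defensive check is that unusual input can only change which rows match, never how many clauses the query has.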

Fritz Nelson is the editorial director for InformationWeek and the Executive Producer of TechWebTV. Fritz writes about startups and established companies alike, but likes to exploit multiple forms of media into his writing.

