Cyber security in the modern/post-modern internet

  • Thread starter Astronuc
In summary, the FBI released a warning about a destructive malware that is becoming more common. Large corporations, financial institutions, and government labs are all under attack. Be careful, be alert, and be informed.
  • #1
Astronuc
If malware isn't bad enough, . . .

Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
http://news.yahoo.com/exclusive-fbi...ware-wake-sony-attack-002204335--finance.html

This is becoming increasingly critical. Large corporations, particularly technology and financial institutions, and government labs are under constant attack, but there are some really skilled directed attacks.

Be careful, be alert and be informed.
 
  • #2
Astronuc said:
If malware isn't bad enough, . . .

Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
http://news.yahoo.com/exclusive-fbi...ware-wake-sony-attack-002204335--finance.html

This is becoming increasingly critical. Large corporations, particularly technology and financial institutions, and government labs are under constant attack, but there are some really skilled directed attacks.

Be careful, be alert and be informed.
Thanks.
 
  • #5
Next XF update supports 2 factor login. I am mulling over requiring it for staff.
 
  • #6
Greg Bernhardt said:
2 factor login

What dat?
 
  • #7
berkeman said:
What dat?
Most likely a secondary temp password will be sent to your email. There are more advanced services that give you temporary pin numbers too in different ways. All will be explained if we go that route. Might be as early as next month.
 
  • #8
Oh, like VPN dongles?
 
  • #9
berkeman said:
Oh, like VPN dongles?
Yeah, but nowadays there are mobile apps to take the place of the actual dongle.
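The mobile apps mentioned above replace the hardware token with a time-based one-time password: phone and server share a secret, and both derive a short code from the current time window. The following is an added example, not code from this thread or from the forum software; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and shows the server-side checks a practitioner cares about, namely a small clock-drift window, constant-time comparison and refusal to accept a code twice. The secret below is the RFC test-vector secret, not a real credential.

```python
"""HOTP/TOTP as used by authenticator apps (added example, RFC 4226 / RFC 6238)."""
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); constructed, not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of whole `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check of a submitted code at unix time `at`.

    Accepts the current step and `window` steps either side to absorb clock drift
    between phone and server, and compares in constant time so the check does not
    leak how many digits matched. Returns the matching step index, or None.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return counter + delta
    return None


class TotpVerifier:
    """Per-user verifier that also enforces single use of each code.

    A code that was already accepted (or one from an older step than the last
    accepted one) is rejected, so a captured code cannot be replayed inside the
    drift window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        idx = verify_totp(self.secret, code, at, self.step, self.digits, self.window)
        if idx is None or idx <= self.last_counter:
            return False
        self.last_counter = idx
        return True


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    v = TotpVerifier(RFC_SECRET)
    print("first use accepted:", v.verify(totp(RFC_SECRET, now), now))
    print("replay accepted:", v.verify(totp(RFC_SECRET, now), now + 2))
```

The e-mailed temporary password described earlier is the same idea with a weaker channel: the code is only as secret as the mailbox it lands in, which is why the app-based scheme keeps the secret on the device and never transmits it.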
 
  • #10
Oh cool. :smile:
 
  • #13
When I made the initial post, OPM had been hacked.
Interesting read - https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log into all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

OPM has a multifactor authentication scheme, but it wasn’t fully implemented until January 2015—too late to prevent the PlugX attack.

As the investigators laboriously sifted through interview transcripts and network logs, they created a rough timeline of the attack. The earliest incursion they could identify had been made with an OPM credential issued to a contractor from KeyPoint Government Solutions. There was no way to know how the hackers had obtained that credential, but the investigators knew that KeyPoint had announced a breach of its own in December 2014. There was a good chance that the hackers had first targeted KeyPoint in order to harvest the single credential necessary to compromise OPM.
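The two tells in the article above, a regular beacon to a domain the agency did not own and a domain name built from the agency's own name, are both things a defender can look for in outbound connection logs once the traffic is visible. The script below is an added example, not from Wired or OPM; the log lines, the organisation keyword, the owned-domain and allow lists, and the thresholds are all constructed for illustration.

```python
"""Flag beacon-like outbound traffic and lookalike domains in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed context: the organisation's name fragment and the domains it actually owns.
ORG_KEYWORD = "opm"
OWNED_DOMAINS = {"opm.gov"}
# Constructed allow list of known periodic services (time sync, update servers, ...).
ALLOWLIST = {"time.corp.test"}

# Constructed log: "<ISO timestamp> <source IP> <destination host> <port>".
SAMPLE_LOG = """
2015-04-15T08:00:00 10.20.30.40 opmsecurity.org 443
2015-04-15T08:01:10 10.20.30.40 news.example.test 443
2015-04-15T08:03:45 10.20.30.40 news.example.test 443
2015-04-15T08:05:02 10.20.30.40 opmsecurity.org 443
2015-04-15T08:02:00 10.20.30.41 time.corp.test 123
2015-04-15T08:03:04 10.20.30.41 time.corp.test 123
2015-04-15T08:04:08 10.20.30.41 time.corp.test 123
2015-04-15T08:05:12 10.20.30.41 time.corp.test 123
2015-04-15T08:09:58 10.20.30.40 opmsecurity.org 443
2015-04-15T08:12:00 10.20.30.40 news.example.test 443
2015-04-15T08:13:05 10.20.30.40 news.example.test 443
2015-04-15T08:15:01 10.20.30.40 opmsecurity.org 443
2015-04-15T08:16:00 10.20.30.42 opm.gov 443
2015-04-15T08:19:59 10.20.30.40 opmsecurity.org 443
2015-04-15T08:25:00 10.20.30.40 opmsecurity.org 443
2015-04-15T08:40:00 10.20.30.42 opm.gov 443
"""


def parse(log: str):
    """Yield (timestamp, src, dst, port) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def periodicity(stamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    A low coefficient of variation means the connections arrive on a near-fixed
    schedule, which is what a beacon looks like and ordinary browsing does not.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(log: str, min_hits: int = 4, max_cv: float = 0.2):
    """Return findings per (src, dst) pair with the reasons each was flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in parse(log):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if dst in ALLOWLIST:
            continue
        reasons = []
        # Lookalike: carries the organisation's name but is not one of its domains.
        if ORG_KEYWORD in dst.lower() and dst not in OWNED_DOMAINS:
            reasons.append("lookalike domain not owned by the organisation")
        # Beacon: enough hits, and the gaps between them are nearly constant.
        if len(stamps) >= min_hits:
            stamps.sort()
            avg, cv = periodicity(stamps)
            if cv <= max_cv:
                reasons.append(f"periodic every ~{avg:.0f}s (cv={cv:.2f})")
        if reasons:
            findings.append({"src": src, "dst": dst, "hits": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['hits']} hits): " + "; ".join(f["reasons"]))
```

Real beacons usually add jitter, so the coefficient-of-variation threshold is a tuning knob rather than a rule, and the allow list is what keeps legitimately periodic traffic such as time sync out of the results. The registration date of a flagged domain, which the article used to estimate how long the implant had been present, is a follow-up lookup the script deliberately does not attempt offline.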
 
  • #14
U.S. Cyber Agency: Computer Hack Poses 'Grave Risk'


https://www.wired.com/story/russia-solarwinds-hack-targets-fallout/

I heard about this first on a radio news program about December 16 (SolarWinds and the Orion platform were mentioned) and have seen bits and pieces since. As far as I know, FireEye alerted the government concerning a breach. I don't think SolarWinds knew then that they had been hacked, and apparently the malware was still available to their unwitting customers.

https://www.fireeye.com/blog/produc...yber-attack-actions-to-protect-community.html
They didn't mention SolarWinds or the Orion software in the above posting on Dec 8.

https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html

https://www.lawfareblog.com/reflections-solarwinds-breach
Since Dec. 13, the SolarWinds breach has dominated the news cycle. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate the consequences of the security breach. SolarWinds, the company responsible for the software in question, reported that as many as 18,000 customers may have been affected. Other reports indicate that a variety of government agencies—including the departments of Treasury, State, Commerce, Energy (specifically, the National Nuclear Security Administration, which is responsible for the U.S. nuclear weapons stockpile), and Homeland Security—have been affected as well.
SolarWinds likes to advertise its customers, which may be one reason their software was used to perpetrate this cyberattack.

Clearly, SolarWinds did not have very good security, but then FireEye, a cybersecurity firm, also seemed to be vulnerable as were many other institutions that were supposed to be secure.
 
  • #15
Several of the astute analysts have always told us that the mechanism of distributing updates and security patches is itself a threat delivery vector. Even in the heated Apple-FBI debate about encryption, Apple claimed that they had no mechanism to decrypt the data, but some analysts pointed out that Apple need only send a new version of IOS to all phones that had encryption disabled.

Conventional wisdom is that end users must keep current on security update patches, and that failure to do so is malpractice. It's a paradox.

A defense against that is to use diversity. If every device used a different make/model/vintage/OS/protocol, then a successful hack must target one at a time rather than all at once. If SolarWinds had only one customer, this hack would not make headlines.

Of course, diversity can carry a large cost to support. For example, we enjoy the Internet only thanks to the universality of TCP/IP. If every network node had unique protocols, there would be no Internet.

Re: the power grid, I discussed diversity in this Insights article. Simply said, because the grid uses every make and model device offered by every manufacturer in the past 30-40 years, it is pretty diverse. Any successful cyber attack could only influence spots of the grid here and there. Compare it to cars. A cyber attack that hits only 2010-2017 Toyota Corollas would be serious but it can never be close to bringing down the world's fleet of vehicles.

Also, I'm not sure it is fair to say that any organization that gets hacked has, by definition, bad security.
 
  • #16
Back when I worked at a previous employer, we had a very secure system behind a robust firewall. We were getting attacked an average of 2K to 3K times a day from China, Russia, N. Korea, Eastern Europe and various other random actors from around the world. We never got breached. We also had separate, isolated computer systems for sensitive work. At the same time, we knew that various government institutions got breached, and we know of several DOE labs (at one lab we know of, hackers used a portal through a university as a backdoor) and NASA sites that got hacked.

— The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks it gained access to when it inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

— The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.

— “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.
and
— SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.

— Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.
https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
last week, CrowdStrike, another security company, revealed that it was also targeted, unsuccessfully, by the same hackers, but through a company that resells Microsoft software.
With respect to Eastern Europe:
But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.
Seriously?!

Older news - https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html
 
  • #18
Greg Bernhardt said:
@Astronuc this is an interesting and important thread going forward, mind if I move to a public forum?
Various media organizations are reporting on it, and it is very important.

I'm astounded that even government agencies didn't know that SolarWinds had satellite offices in Belarus. It is mindboggling given the sensitivity of information and cybersecurity risks.
 
  • #20
StreamWorks: Near Real-Time Detection of Emerging Patterns of Cyberattacks in Massive Data Streams
https://www.pnnl.gov/available-tech...ection-emerging-patterns-cyberattacks-massive

Technology Overview

One hundred forty-six days—that’s how long, on average, it takes to detect a cyber breach from the time it begins. Pacific Northwest National Laboratory’s patented StreamWorks cuts that time significantly—to near real time—by detecting emerging patterns of sophisticated cyberattacks in massive data streams.

Combining several analytic approaches, never before seen together in a cybersecurity tool, StreamWorks tells a cyber analyst when major suspicious patterns are occurring. The tool also provides a description of the potential threat and a rationale for why the threat was selected—so the analyst doesn't have to guess but, instead, can act swiftly.
 
  • #21
A new cybersecurity threat has been identified publicly.
https://www.yahoo.com/finance/news/...-malware-in-us-systems-in-guam-195805235.html
China may have conducted digital espionage against the US' Pacific interests. Microsoft and the National Security Agency (NSA) have revealed that an alleged state-sponsored Chinese hacking group, Volt Typhoon, installed surveillance malware in "critical" systems on the island of Guam and elsewhere in the US. The group has been operating since mid-2021 and reportedly compromised government organizations as well as communications, manufacturing, education and other sectors.

Volt Typhoon prioritizes stealth, according to the investigators. It uses "living off the land" techniques that rely on resources already present in the operating system, as well as direct "hands-on-keyboard" action. They use the command line to scrape credentials and other data, archive the info and use it to stay in targeted systems. They also try to mask their activity by sending data traffic through small and home office network hardware they control, such as routers. Custom tools help them set up a command and control channel through a proxy that keeps their info secret.

I heard about this yesterday.
https://www.microsoft.com/en-us/sec...tructure-with-living-off-the-land-techniques/

https://www.afr.com/politics/federa...volt-typhoon-hacking-campaign-20230525-p5db4d
Businesses have been warned to be on high alert after Five Eyes members, including Australia, blamed a Chinese state-backed hacking group for a stealth surveillance campaign responsible for a series of attacks on US critical infrastructure.

In a rare public attribution, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued an advisory saying the group had exploited built-in Windows tools on compromised hosts.

https://wraltechwire.com/2023/05/25...se-clear-present-danger-to-us-says-microsoft/

https://www.yahoo.com/finance/news/china-rejects-claim-spying-western-091913475.html
(Reuters) - The Chinese government has rejected claims that its spies are penetrating Western infrastructure, calling the joint warning issued by the United States and its allies a "collective disinformation campaign."

Chinese foreign ministry spokesperson Mao Ning told reporters that alerts issued by the U.S., Britain, Canada, Australia and New Zealand were intended to promote their intelligence alliance, known as the Five Eyes - and that it was Washington that was guilty of hacking,
 
  • #22
Vulnerability in the secure FTP program MOVEit. The Russian hacker group CL0P apparently exploited a vulnerability in the MOVEit software.

https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/

Researchers say the newly discovered security flaw was exploited as far back as 2021

The Russia-linked ransomware gang has been exploiting the security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet, since late May. Progress Software, which develops the MOVEit software, patched the vulnerability — but not before hackers compromised a number of its customers.

While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw. The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.
 

Related to Cyber security in the modern/post-modern internet

1. What is cyber security?

Cyber security refers to the practice of protecting computer systems, networks, and data from digital attacks, theft, and damage. It involves implementing strategies, technologies, and processes to prevent unauthorized access, misuse, and disruption of information and resources.

2. How has cyber security evolved in the modern/post-modern internet?

In the modern/post-modern internet, cyber security has become increasingly important due to the widespread use of technology and the rise of cyber attacks. It has evolved to encompass a wide range of threats, including malware, phishing, ransomware, and social engineering. With the growing number of connected devices and the increasing reliance on digital systems, cyber security has become more complex and requires constant adaptation to new threats.

3. What are some common cyber security threats?

Some common cyber security threats include viruses, worms, trojans, spyware, ransomware, phishing scams, and denial-of-service attacks. These threats can come from various sources, such as malicious actors, vulnerable software, and human errors.

4. How can individuals protect themselves from cyber attacks?

Individuals can protect themselves from cyber attacks by practicing good cyber hygiene, such as using strong and unique passwords, keeping software and operating systems up-to-date, being cautious of suspicious emails and links, and using reputable antivirus and firewall software. It is also important to be aware of common cyber scams and to regularly back up important data.

5. What are some emerging trends in cyber security?

Some emerging trends in cyber security include the use of artificial intelligence and machine learning for threat detection and response, the implementation of biometric authentication for enhanced security, and the increasing adoption of cloud-based security solutions. There is also a growing emphasis on proactive and collaborative approaches to cyber security, as well as the integration of security into the design and development of software and systems.
