Monday 13 May 2013

The Union Government of India on 8 May 2013 approved a National Cyber Security Policy

New Delhi, May 9: The government on Wednesday approved the National Cyber Security Policy, which aims to create a secure computing environment in the country and build capacities to strengthen the current setup, with a focus on manpower training. The Cabinet Committee on Security (CCS) approved the policy, which stresses augmenting India's indigenous capabilities in developing its cyber security setup. "CCS met today and approved the National Cyber Security Policy, which sets a road map for strengthening cyber security of the country by building capacities in the country, training manpower, etc," a source said after the meeting. A senior official in the Department of Information Technology said the policy strives for a secure computing environment and seeks to build adequate trust and confidence in electronic transactions. "This policy caters for the whole spectrum of ICT users and providers including small and home users, medium and large enterprises and government and non-government entities," the official added. It aims to create a cyber security framework that will address all related issues over a long period. The framework will lead to specific actions and programmes to enhance the security posture of the country's cyberspace. Besides, cyber security intelligence forms an integral component, needed to anticipate attacks and quickly adopt countermeasures. PTI

Q&A with a hacker

There are a lot of issues to cover when talking about computer security, and it is important to get a few terms out of the way first.
Any programme designed to make your computer do something you don't want it to is malware. This ranges from programmes that damage your computer to ones that steal your personal data, giving hackers the ability to do things like access your credit card and bank account details.
Adware is a form of malware that floods your computer with advertising.
A botnet is a network of infected computers under a hacker's control; the malware that enrols your machine in it lets the hacker use your computer to do things like flood websites with traffic until they fall over (known as a DoS, or denial of service, attack) or send emails to your contact list in the hope that people who trust you will click on something less than trustworthy.
Trojans are programmes designed to look attractive on the surface, like a really nice-looking poker game, but which actually exist to load malware onto your computer.
Social engineering attacks are essentially where hackers turn con-artist: instead of trying to crack your computer's security, they trick you into giving up information they can then use to access your system.
Phishing is a form of social engineering attack: it works by creating a website that looks like an online vendor or banking website, so that you end up handing over your details without the hacker having to break through any security measures you may have. This is why you get all those emails from banks you don't actually bank with, or claiming you have a refund from SARS.
Q: How did you get into hacking?
A: I was always interested in hacking and the concept of 'ethical hacking'. I actually began my career with the end goal of becoming an ethical hacker or a 'whitehat' hacker. I educated myself on different security and network technologies from various vendors. I got certifications and gained practical working experience in all the major security controls and also various operating systems such as Windows, Linux, Unix and some others.
I wanted to know exactly how these systems work and how administrators are defending these systems, thus giving me the 'background' knowledge of the best way to attack these systems. After 13 years in the IT security industry, working as a Linux/Windows support engineer, firewall administrator and security architect, I finally became a security consultant doing penetration testing.
Q: What exactly is ethical hacking?
A: Ethical hacking, also known as penetration testing, is attacking a system on behalf of the company that owns that system, using the same methods, techniques and tools that are used by malicious hackers, also known as 'blackhat' hackers, but in a controlled manner with a professional services wrapper around it.
Q: Is there such a thing as perfect computer security?
A: No such thing exists, but we need to strive to be as close to perfect as possible, using various security controls and being as proactive as possible.
Q: How prevalent is hacking on mobile devices in South Africa?
A: Mobile devices are being targeted more and more by criminals. The reason, for example, is that credit cards are harder to clone since the implementation of 'chip and pin' technology, so criminals are focusing on easier targets. According to Trustwave's Global Security Report, the most attacked targets are web and mobile applications. The report also stated that 400% growth in mobile malware was seen in 2012.
Q: Is South African law and law enforcement taking hacking seriously enough?
A: Yes, I believe so. For example, more law enforcement personnel are being deployed to monitor social media. Also there are companies that are very serious about security that are working closely with law enforcement to combat cybercrime.
Q: Have any mutations of Stuxnet hit mobile devices?
A: Stuxnet was designed to target and damage a certain type of industrial equipment used by the Iranian nuclear program. Many Stuxnet mutations and variants are seen across the web, so it's reasonable to say it is not a question of whether it will hit mobile devices but when.
Q: What are the warning signs for phishing attacks?
A: Phishing attacks can be emails, text messages or phone calls from unknown sources claiming to be a legitimate source, for example a bank or well-known company. They usually ask you to provide or verify your password or account details. Warning signs to look out for:
  • Warning! Your account will be deleted if you don’t reply within 10 days
  • Dear Bank Account Holder – a general, rather than specific, greeting
  • A greeting packed full of errors is also a big warning sign – Accountt holder needing pdate of Pasword!
  • There is no contact information or a signature
Q: Recently the game Natural Selection 2 had to deactivate a lot of Steam keys, costing the developers about $30 000, due to unethical vendors. Is this something that is going to become more of a risk on mobile devices in future?
A: This is definitely possible, as not all mobile application stores are controlled and governed in the same manner or with the same attentiveness. It is a lot easier for unethical vendors to sell compromised or fraudulent applications on a mobile application store with lesser security controls.
Q: A lot of malware comes in the form of Trojans, what warning signs should consumers look out for to avoid them?
A: Treat all unsolicited emails, especially from unknown senders, with caution and never click any links in these emails. Be careful when downloading executable or zip files from the Internet or via email. Many browsers and anti-virus products will warn you when you attempt to visit a website that may be harmful; avoid visiting these websites.
Q: Does adware actually make the advertisers any money?
A: There are accusations that many advertisers work directly with adware companies, even if they claim to be unaware of this.
Q: A lot of hacking is done through social engineering, where hackers use publicly available information in order to get access to computers (such as using information available on Facebook in order to work out the answer to the user’s security question) – what would you suggest users do to reduce the risk?
A: Use a strong password; make sure your password is complicated. Choose a password you have not used before. Use a passphrase rather than just a password, and make sure it contains a mixture of numbers, letters and special characters. Enable security notifications that will send you an email every time you log in or when there are any changes to your account. As for security questions, make sure they can't be easily guessed or researched.
Q: In the same vein, a lot of corporate hacking works through social engineering attacks where hackers get information through simply asking workers, how can companies train their workers better to avoid falling for this?
A: Security awareness training is essential for employees, as it is a fact that they are often seen as the company's weakest link. This security awareness training should cover things like, for example, not giving your corporate password out to anyone. Make sure your employees understand that their username and password are their own confidential information, and that no one at the company will ask for their password, either via a phone call or an email.
Q: What tools would you suggest for users who have been infected with malware who want to get rid of it?
A: There are various tools that can be used to first detect, and then try to remove, malware from an infected PC. Particular tools are difficult to recommend, as they differ depending on the operating system the PC is running and the type of malware the PC is infected with. What I can recommend is to make sure that all the infections have actually been removed; that is no easy task. This can be accomplished using your anti-virus software, or by getting support from your company's IT department or computer supplier.
Q: Botnets often turn computers into zombie slaves in order to launch DOS and spam attacks on third parties – at what point does one figure stuff it and use the universal zombie repellent (AKA a shotgun to the hard drive)?
A: LOL, I like your zombie analogy. If your defences are in place, and all your security controls are in effect, then you are on the right track. Your security posture can furthermore be tested and improved with proactive security tests, also known as penetration testing. Even though it almost seems like the age-old battle of good vs. evil, we have to keep fighting the good fight.

Backdoor targeting Apache servers spreads to nginx, Lighttpd

Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying the Blackhole exploit pack, was only the beginning: Eset's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd web servers.

And while Apache is definitely the most widely used of the three, nginx has also cornered a considerable share of the market (around 15 percent).

The AV company's researchers have so far detected more than 400 web servers infected with the backdoor, 50 of them among the world's most popular and visited websites.

They also discovered that while visitors using Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones redirected to sites hosting Blackhole, iOS users are also at risk: they are redirected to adult content sites that may be hosting malware.

"The Linux/Cdorked.A threat is even more stealthy than we first thought: By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian," the researchers pointed out.

"We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible. For them, not being detected seems to be a priority over infecting as many victims as possible."

Another way in which they keep a low profile: Cdorked uses compromised DNS servers to resolve the IP addresses of the sites it redirects victims to, rather than carrying those addresses itself.
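The evasion rules above have a practical consequence for anyone checking a server: a request from your own workstation, in your own browser language, from an address range the operators have blacklisted, is served the clean page and proves nothing. The script below is an added example written for this page, not Eset's detection tool and not code from the backdoor. It models the selection rules as the article reports them (blacklisted source addresses, excluded browser languages, IE or Firefox on Windows XP/Vista/7 sent to Blackhole, iOS sent to adult sites) so that you can build a set of probe requests and know which of them should trigger the redirect if the backdoor is present. The blocklist ranges, user-agent strings and sample requests are constructed here; the real blacklist is not public, and the page does not say whether the language check also applies to the iOS redirect, so the model applies it before both redirect types (an assumption).

```python
import ipaddress
import re

# Browser languages that, per the article, the backdoor refuses to redirect.
EXCLUDED_LANGS = {"ja", "fi", "ru", "uk", "kk", "be"}

# Constructed stand-in for the operators' "very long list" of blacklisted
# ranges. The real list is not public; these are documentation-only networks.
EXAMPLE_BLOCKLIST = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.0/24")]

WINDOWS_XP_VISTA_7 = re.compile(r"Windows NT (5\.1|6\.0|6\.1)\b")
IOS_DEVICE = re.compile(r"\b(iPhone|iPad|iPod)\b")


def primary_language(accept_language):
    """Primary tag of the first Accept-Language entry: 'ru-RU,ru;q=0.9' -> 'ru'."""
    first = accept_language.split(",", 1)[0].strip()
    return first.split(";", 1)[0].split("-", 1)[0].lower()


def classify(client_ip, user_agent, accept_language, blocklist=EXAMPLE_BLOCKLIST):
    """Verdict for one request under the reported selection rules.

    'skip'        -> served the clean page (blacklisted IP, excluded language,
                     or a browser/OS the operators do not target)
    'exploit-kit' -> IE or Firefox on Windows XP/Vista/7: Blackhole redirect
    'adult'       -> iOS device: redirect to adult-content sites
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in blocklist):
        return "skip"
    if primary_language(accept_language) in EXCLUDED_LANGS:
        return "skip"   # assumption: language check precedes both redirect types
    if WINDOWS_XP_VISTA_7.search(user_agent) and (
            "MSIE" in user_agent or "Firefox/" in user_agent):
        return "exploit-kit"
    if IOS_DEVICE.search(user_agent):
        return "adult"
    return "skip"


# Constructed probe set: (label, client IP, User-Agent, Accept-Language).
# "office-admin" is the administrator's own desk, inside a blacklisted range.
SAMPLE_REQUESTS = [
    ("office-admin", "203.0.113.7",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0",
     "en-US,en;q=0.5"),
    ("win7-ie9", "192.0.2.10",
     "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)", "en-US"),
    ("winxp-firefox", "192.0.2.11",
     "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0",
     "de-DE,de;q=0.8"),
    ("win8-ie10", "192.0.2.12",
     "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "en-US"),
    ("win7-chrome", "192.0.2.13",
     "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) "
     "Chrome/26.0.1410.64 Safari/537.31", "en-US"),
    ("win7-ie-ru", "192.0.2.14",
     "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
     "ru-RU,ru;q=0.9"),
    ("iphone", "192.0.2.15",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 "
     "(KHTML, like Gecko) Mobile/10B143 Safari/8536.25", "en-US"),
    ("linux-curl", "192.0.2.16", "curl/7.29.0", ""),
]


def verdicts(requests=SAMPLE_REQUESTS):
    """Map each probe label to the verdict the modelled backdoor would reach."""
    return {label: classify(ip, ua, lang) for label, ip, ua, lang in requests}


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:14s} {verdict}")
```

Send the probes filed under "exploit-kit" and "adult" at the suspect host from a source address outside your usual ranges, setting the User-Agent and Accept-Language headers as above, and look for a redirect in the response; a probe the model files under "skip" tells you nothing either way.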

The Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. That malware employs blackhat SEO methods to push clickjacking contextual advertising onto users.

"We still don’t know for sure how this malicious software was deployed on the web servers," the researchers admit. "We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software."

To help system administrators spot the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on disk, which is a definitive sign of infection.

The Big Security Data Challenge

Big Data is not only a challenge for customer-facing organizations but for security teams as well. Over the past decade, the demand for stronger security has driven the collection and analysis of ever larger volumes of event and security context data. Security Information and Event Management (SIEM) has long been the core tool security teams depend on to manage and process this information. As security data volume has grown, however, the relational and time-indexed databases underneath SIEM are struggling under the event and analytics load. Legacy SIEM systems have raised doubts about the potential success of SIEM implementations because of their slow performance, inability to manage data effectively, and the extremely high cost of scaling. This paper addresses the Big Security Data challenge and highlights the key criteria organizations need to consider for processing security information in light of today's dynamic threat landscape.

Big Security Data

Why security data has become a Big Data problem is obvious to anyone who has tried to manage a legacy SIEM, particularly in light of the definition of Big Data: data sets that grow so large that they become awkward to work with using existing database management tools. The challenges include capture, storage, search, sharing, analytics, and visualization.

With this in mind, it is easy to see that IT and IT security have repeatedly wrestled with Big Data challenges. In fact, SIEM itself was invented to address a fundamental lack of data processing capability. In the early 2000s, the volume of security information, and the accuracy demanded of it, exceeded the capabilities of existing technologies, and the lack of centralized visibility created a strong need for automated data analysis.

Enter the early SIEM tools, which were designed to handle firewall, vulnerability assessment, and intrusion detection system (IDS) data, with the primary purpose of reducing IDS false positives and providing the ability to investigate logs. These early SIEM vendors leveraged existing database management tools and built specialized analytics on top of event data to let organizations eliminate a large number of IDS false positives.

While SIEM was initially adopted by security-conscious industries such as large financial services firms and government, broad adoption did not take off as a viable market until the mid-2000s, when Sarbanes-Oxley audits became a reality. Overnight, event management was a core component of the "control framework" in Sarbanes-Oxley section 404, and internal and external auditors were requiring it. Sarbanes-Oxley was quickly followed by PCI DSS for retail organizations and card processors, another major regulation that required log review to pass audit and the automation that SIEM promised to provide. Then the regulatory explosion began, and the SIEM market exploded along with it, into a billion-dollar market.

Compliance not only increased SIEM adoption but also led to a flood of additional security instrumentation and increased logging levels. This simultaneously increased the flood of data SIEM now had to manage and further stretched its analytic capabilities. Legacy SIEM systems had always struggled to cope with increases in the volume and correlation of security data; this dramatic growth in data and correlation requirements further exposed the inherent scale and analytic limitations of those solutions.

Fast forward to 2012. The demands on SIEM systems continue to intensify. Devastating data breaches at organizations that had passed purportedly stringent compliance-based security audits have pushed IT security to move from "check-the-box" compliance to comprehensive security programs that cover perimeter, insider, data, and system security. In response to these increased security controls, innovative and persistent attackers have raised the sophistication of their attack methods, creating a need for SIEM to detect low-and-slow attacks, rapidly detect anomalies in event flow, and gain contextual information about data, applications, and databases.
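The "low-and-slow" requirement is concrete enough to show in code, and it is where the data-volume problem bites: the Python below is an added example for this page, not code from the paper or from any SIEM product. It runs two threshold rules over a constructed set of authentication events: a per-minute burst rule of the kind early SIEMs applied, and a per-source failure count over a 24-hour window. The burst rule catches the noisy brute-forcer and nothing else; only the long-window rule catches the attacker who tries one password every 20 minutes, and it can do so only because it keeps a day of per-source state, which is exactly the state that grows with event volume. All events, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed auth log: (timestamp, source IP, username, outcome).

    198.51.100.9 : noisy brute-forcer, 12 failures inside one minute
    203.0.113.5  : low-and-slow attacker, one failure every 20 minutes for ~10 h
    192.0.2.77   : legitimate user, a typo every so often, otherwise successes
    """
    base = datetime(2013, 5, 13, 0, 0, 0)
    events = []
    for i in range(12):
        events.append((base + timedelta(seconds=5 * i), "198.51.100.9", "admin", "fail"))
    for i in range(30):
        events.append((base + timedelta(minutes=20 * i), "203.0.113.5", "admin", "fail"))
    for i in range(40):
        outcome = "fail" if i % 13 == 0 else "ok"
        events.append((base + timedelta(minutes=15 * i), "192.0.2.77", "alice", outcome))
    events.sort(key=lambda e: e[0])
    return events


def failures_in_window(events, window, threshold):
    """Flag a source once `threshold` failures fall inside any span of `window`.

    Keeps one deque of recent failure times per source and drops entries that
    have aged out, so memory per source is bounded by how many failures the
    window can hold: a one-minute window forgets almost everything, a 24-hour
    window has to remember a day of history for every source seen.
    Events must be sorted by time. Returns the set of flagged sources.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _user, outcome in events:
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # q always holds ts itself, so never empties
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def run_demo(events=None):
    """Apply both rules; returns (burst_hits, slow_hits) as sets of source IPs."""
    events = make_events() if events is None else events
    burst = failures_in_window(events, timedelta(minutes=1), 5)
    slow = failures_in_window(events, timedelta(hours=24), 20)
    return burst, slow


if __name__ == "__main__":
    burst, slow = run_demo()
    print("burst rule (5 failures / 1 min):      ", sorted(burst) or "nothing")
    print("long-window rule (20 failures / 24 h):", sorted(slow) or "nothing")
```

Note that the two rules are disjoint in what they catch: the burst source never accumulates 20 failures in a day, and the patient source never puts five failures inside a minute, so a SIEM that only runs short-window rules to keep its state small is blind to the second attacker by construction.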