Cyber attack simulation uncovers serious communication issues
February 6, 2014
The recent cyber attack simulation sponsored by the Bank of England was designed to test how well financial companies in London and elsewhere in Britain could withstand a major, sustained attack. The exercise has now been reported to have uncovered serious communication problems across the sector.
The program, dubbed Waking Shark II, took place in November 2013. It was meant to test how investment banks and financial institutions held up together under a sustained assault by several attackers.
The overall results were an improvement on those from the original Waking Shark I exercise, which took place in 2011, while still offering plenty of scope for some improvement, according to an official report on the exercise from the Bank of England.
"The exercise successfully demonstrated cross-sector communications and coordination through the CMBCG (Cross Market Business Continuity Group), information sharing through the use of the CISP (Cyber Security Information Security Partnership) platform and enabled all participants to better understand the requirements of the Financial Authorities in Britain," the report concludes.
The report added that the banks' overall communication systems were severely hampered by the lack of an overall clearing house for cyber threat information.
"Consideration will be given to the identification of a single coordination body from the industry to manage communications across the segment during an incident," the report recommends.
The exercise itself ran for about four hours but was scripted to represent a three-day attack involving DoS (denial of service) and malware elements. Other problems were identified, including some confusion about the role of the Financial Services Authority.
For example, attacked banks were criticised for not calling the police, a breach of agreed procedures. The Bank of England outlined the scenario played out during the exercise which, contrary to earlier reports, didn't test the cyber resilience of high street banks.
The simulation was based on a concerted cyber-attack against the U.K. financial sector by a hostile nation state with the aim of causing significant disruption and dislocation within the wholesale market and supporting infrastructure.
Although the impacts caused by the cyber-attacks would have had an international as well as a U.K. dimension, for the purposes of the exercise, the scope of the simulated attacks was restricted to the management of the impacts in the U.K.
The program was set over a three-day period, the last day of which happened to coincide with "Triple Witching" (the Friday on which stock index futures, stock index options and stock options all expire on the same day).
The three-day period was broken into different phases, playing out various technical and business impacts from the scenario. The simulation examined how financial companies and banks would manage their response to the cyber-attacks both on a technical level (in particular information-sharing amongst the firms via the CISP tool), and from a business perspective.
Elements of the cyberwar exercise included DDoS (distributed denial of service attacks) causing the firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently available, as well as APT and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes.
All this had knock-on effects on trading and reconciliation systems. At least on paper, this looks to be fairly challenging, yet the exercise was criticised by some banks as not being challenging enough.
Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers such as British Telecom in the exercise.
Adrian Culley, technical consultant at anti-botnet firm Damballa and formerly of Scotland Yard’s Computer Crime Unit, said that banks had a long way to go before their malware protections were up to scratch.
"Financial Institutions in the United Kingdom have real active infection inside their networks now," Culley said. "Caphaw is an example of one such very prevalent Advanced Attack, but there are many others as well, and that's disturbing."
"Despite Waking Shark II, there appears to be a real disconnect between Business Secretary Vince Cable's very timely warning, and banks actually holding accessible, actionable intelligence.
"How are they planning to ever respond decisively without such intelligence? Those bodies are part of U.K. Critical National Infrastructure, and both active attacks, and the threat of an attack, are very real.
"Banks need this vital information to detect active infections and prevent them from becoming security breaches in the first place. It's clear now that many of them don't have this implemented in their core infrastructure."
After a summit of regulators and intelligence officials yesterday, Cable warned of the wider vulnerability of Britain's critical national infrastructure to cyber attacks.
The regulators, which included representatives from the Bank of England, the Civil Aviation Authority, the Office for Nuclear Regulation, Ofgem, Ofwat and Ofcom, were all briefed on the threat to their systems by Sir Iain Lobban, Director of GCHQ.
Cable called on regulators to oversee the adoption of more robust cyber security measures. Financial firms and banks were encouraged to undertake a self-assessment against the government's 10 Steps to Cyber Security guidance, take up membership of the Cyber-security Information Sharing Partnership (CISP), and manage cyber risk in their supply chains by driving adoption of the HMG Preferred Organisational Standard for Cyber Security.
KPMG security expert Stephen Bonner warned that organizations will reduce the chances of successfully defending themselves, if they continue to act in isolation.
"Fear of damaged reputations or stuttering share prices is a major factor behind many organizations' decision to keep a low profile when their cyber defences have been breached," said Bonner, a partner in KPMG's Information Protection and Business Resilience team.
But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another.
For its part, KPMG said that the rising number of cyber attacks targeting security vulnerabilities presents a growing danger to financial institutions in the United Kingdom.
"We've seen requests for help more than doubling in the past twelve months, suggesting that the recognition is there, but that the awareness doesn't equal any resolution. Waking Shark II has thrown a welcome light on current security vulnerabilities, but that doesn't mean it's still safe to get back in the water," said Bonner.
"Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organizations are to remain secure,” he added.
In other internet security news
Large U.S. technology companies are sharing some details on the numerous and secret data requests they regularly get from the U.S. government on so-called national security concerns.
Google, Facebook, Microsoft, LinkedIn and Yahoo all posted data for the first time yesterday on the huge volume of specific data requests made under the Foreign Intelligence Surveillance Act, or FISA, which allows the U.S. government to secretly obtain data on user accounts and various communications in cases related to national security.
The releases come after the tech firms filed lawsuits seeking the right to disclose more information about requests for user data.
In response, the Department of Justice issued new disclosure guidelines last week allowing the publication of basic information about FISA requests.
President Obama ordered the change in January as part of his speech on intelligence reform. "Today, for the first time, our report on government requests for user information encompasses all of the requests we receive," said Google lawyer Richard Salgado.
In a joint statement last week, Attorney General Eric Holder and Director of National Intelligence James Clapper said they had concluded "that the public interest in disclosing this information now greatly outweighs the national security concerns that required its classification."
National security officials make FISA requests before a secret court, the Foreign Intelligence Surveillance Court, which has authorized nearly every request it has received so far.
The process came under scrutiny in 2013 following the revelation, via NSA leaker Edward Snowden, of a secret surveillance court order approving the bulk collection of user metadata from telecom giant Verizon, alongside disclosures about data collection from leading Internet companies.
The technology companies in question are permitted only to release ranges, rather than precise numbers, for the number of FISA requests they receive from the government and the number of accounts affected.
However, it's important to note that they can't discuss any details of the requests or the specific identities of the users involved.
"We still believe that more transparency is greatly needed so that everyone can better understand how surveillance laws work and decide whether or not they serve the public interest," said Google's Salgado.
He called for Congress to pass legislation allowing technology companies to reveal "the precise numbers and types of requests we receive, as well as the number of users they affect in a timely manner."
Google's numbers revealed that it received fewer than 1,000 FISA requests between July and December of 2012 covering between 12,000 and 12,999 accounts.
In its most recent reporting period, January to June 2013, Google received under 1,000 FISA requests affecting between 9,000 and 9,999 accounts.
For its part, Yahoo received requests covering between 30,000 and 30,999 accounts during the same January to June 2013 period, while Facebook got requests covering between 5,000 and 5,999 accounts.
"We will continue to advocate for reform of government surveillance practices around the world, and for greater transparency about the degree to which those governments can seek access to data in connection with their efforts to keep the population safe," said Facebook general counsel Colin Stretch.
FISA requests targeting LinkedIn between January and June of 2013 covered just under 250 accounts, while Microsoft's encompassed between 15,000 and 15,999 accounts.
The five technology companies in question were among a group that last year called for reform of government surveillance programs to increase transparency and impose limitations on what information can be collected.
In other internet security news
Hackers have put together a trojanized version of the popular FTP program FileZilla, which works just like the real program but surreptitiously passes FTP account login credentials to an attacker-controlled server.
The malicious version has the same look and feel as the genuine program and is clearly designed to mask its suspicious activity, such as phoning home with the stolen credentials and the changes it makes to the installed files.
The trojanized version of Filezilla is actually 6.8 MB smaller than the genuine product even though it comes packed with two extra malicious DLL libraries that don't feature in the genuine code.
The fake version is designed not to install updates, a tactic that along with its stealth features adds up to a threat designed to avoid removal or detection on compromised systems for the maximum time possible.
A write up of the threat, complete with screenshots and code analysis, can be found in a blog post by anti-virus software firm Avast.
"Beware of malformed Filezilla FTP client versions 3.7.3 and 3.5.3," Avast warns. "We have noticed an increased presence of these malware versions of famous open source FTP clients."
"The bogus installer is mostly hosted on hacked websites with fake content," it adds.
Compromised FTP logins can be used to plant malware on the associated websites or to steal data, among other things. The hackers behind the FileZilla attack and their ultimate purpose remain unclear at present.
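The tell-tale signs Avast describes (a patched binary, extra DLLs that the genuine build does not ship, a smaller installer) are exactly what a file-manifest audit catches. The script below is an added example, not Avast's or the FileZilla project's code: it hashes every file under an install directory and compares the result with a manifest of known-good SHA-256 digests, reporting modified, missing and unexpected files. The manifest, the file contents and the DLL names in `demo()` are constructed for illustration; in practice the manifest would be built from a verified download of the release you expect.

```python
"""Audit an installed application tree against a known-good hash manifest.

Added example (not Avast's or FileZilla's code). The install tree and the
manifest built in demo() are constructed purely for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_install(install_dir: str, manifest: dict) -> dict:
    """Compare every file under install_dir with the expected digests.

    Returns relative paths grouped as 'modified' (present but hash differs),
    'missing' (in manifest, not on disk) and 'unexpected' (on disk, not in
    manifest). A trojanized build's extra DLLs land under 'unexpected';
    a patched main executable lands under 'modified'.
    """
    root = Path(install_dir)
    seen = {}
    for p in root.rglob("*"):
        if p.is_file():
            seen[p.relative_to(root).as_posix()] = sha256_file(p)
    return {
        "modified": sorted(n for n, d in seen.items() if n in manifest and manifest[n] != d),
        "missing": sorted(n for n in manifest if n not in seen),
        "unexpected": sorted(n for n in seen if n not in manifest),
    }


def demo() -> dict:
    """Build a fake install tree and audit it. All names and contents are made up."""
    good = {
        "filezilla.exe": b"GENUINE-MAIN-BINARY",
        "fzsftp.exe": b"GENUINE-SFTP-HELPER",
        "resources/theme.xml": b"<theme/>",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in good.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "resources").mkdir()
        # Simulated tampered install: main binary patched, the SFTP helper is
        # gone, and two DLLs (hypothetical names) have appeared beside it.
        (root / "filezilla.exe").write_bytes(b"PATCHED-MAIN-BINARY")
        (root / "resources" / "theme.xml").write_bytes(good["resources/theme.xml"])
        (root / "netlib.dll").write_bytes(b"EXTRA-DLL")
        (root / "ftpcfg.dll").write_bytes(b"EXTRA-DLL")
        return audit_install(tmp, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

A hash manifest only helps if the reference copy is trustworthy, so build it from an installer whose own hash or signature you have checked against the vendor's published value, not from whatever is already on the machine.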
In other internet security news
After Target recently reported a breach affecting up to 110 million of its customers in the United States (40 million payment cards plus personal details for up to 70 million more), it is now U.S. luxury retailer Neiman Marcus confirming that details from over 1.1 million of its customers' cards were stolen in a recently detected high-profile security breach.
Credit card details were lifted after hackers successfully planted malware on payment systems over a period that ran from July 16 to October 30, 2013, which began far earlier than previously suspected.
About 2,400 of the said compromised credit card details have subsequently been abused to make several fraudulent purchases, according to an update by Neiman Marcus on the security breach.
But while the forensic and criminal investigations are ongoing, we do know that malicious software was clandestinely installed on the system. It appears that the malware actively collected or scraped credit card data from July 16, 2013 to October 30, 2013.
During that period, approximately 1,100,000 customer payment cards could have potentially been visible to the malware. To date, Visa, MasterCard and Discover have been notified that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.
The retailer said that it has already taken extensive security precautions to prevent a repetition of the breach, which has become the subject of ongoing forensic investigation and law enforcement interest.
Neiman Marcus said that it isn't aware of any connection between its breach to the spill of 40 million credit card details by fellow retailer Target.
In an associated statement, Karen Katz, president and CEO at Neiman Marcus Group, said she was "very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores".
Neiman Marcus said that it is offering the affected customers free credit card monitoring services. "The timeline of the Neiman Marcus compromise demonstrates the strong need for organizations to store long term forensic audit trails in order to investigate security breaches," said Tim Keanini, CTO at security tools firm Lancope.
"According to Neiman Marcus, the attack activity took place between July 16th and October 30th, 2013. However, the compromise was not discovered until January of 2014."
The Target security breach has at least been narrowed down to a specific malware tool (a modified version of BlackPOS) that affected its POS (point-of-sale) systems and enterprise payment processing servers.
Reuters previously reported that at least three other unnamed retailers may have also been hit by attacks using similar techniques and tools.
On Thursday, Reuters reported that the Feds have since expanded their victim list to at least twenty identified victims of hacking over the last year.
The FBI has also put out a warning to retailers urging them to review their security arrangements and to prepare for future possible attacks of the same nature.
Apparently geographically confined to North America, the spate of retailer credit card breaches has led some internet security observers to suggest that the introduction of Chip and PIN would be enough to frustrate future frauds along the same lines.
Anti-fraud firm Easy Solutions argues that upgrading to Chip and PIN alone won't be enough. Other experts suggest that vulnerable Point of Sale systems are the main villains in the Target and Neiman Marcus breaches.
Internet security researchers at Cisco have published a blog post on detecting future payment card compromises and shortening the remediation window for such attacks.
The payment card data attacks on Target and other retailers were possible because the POS payment technology includes third party software installed on a computer terminal. The problem is that the payment card data is susceptible to interception in memory before the encryption process and transmission across the network. Chip cards do not by themselves change this: the PAN and expiry still pass through the terminal's memory in the clear unless the card reader encrypts them at the point of swipe or dip.
Source: The Bank of England.