A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 17.04
Ubuntu 16.04 LTS
Summary
USN 3366-1 introduced a regression in OpenJDK 8.
Software description
openjdk-8 - Open Source Java implementation
Details
USN-3366-1 fixed vulnerabilities in OpenJDK 8. Unfortunately, that
update introduced a regression that caused some valid JAR files to
fail validation. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the JPEGImageReader class in OpenJDK would
incorrectly read unused image data. An attacker could use this to
specially construct a jpeg image file that when opened by a Java
application would cause a denial of service. (CVE-2017-10053)
It was discovered that the JAR verifier in OpenJDK did not properly
handle archives containing files missing digests. An attacker could
use this to modify the signed contents of a JAR file. (CVE-2017-10067)
It was discovered that integer overflows existed in the Hotspot
component of OpenJDK when generating range check loop predicates. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions
and cause a denial of service or possibly execute arbitrary
code. (CVE-2017-10074)
It was discovered that the JavaScript Scripting component of OpenJDK
incorrectly allowed access to Java APIs. An attacker could use this
to specially craft JavaScript code to bypass access restrictions.
(CVE-2017-10078)
It was discovered that OpenJDK did not properly process parentheses
in function signatures. An attacker could use this to specially
construct an untrusted Java application or applet that could escape
sandbox restrictions. (CVE-2017-10081)
It was discovered that the ThreadPoolExecutor class in OpenJDK did not
properly perform access control checks when cleaning up threads. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions and
possibly execute arbitrary code. (CVE-2017-10087)
It was discovered that the ServiceRegistry implementation
in OpenJDK did not perform access control checks in certain
situations. An attacker could use this to specially construct
an untrusted Java application or applet that escaped sandbox
restrictions. (CVE-2017-10089)
It was discovered that the channel groups implementation in
OpenJDK did not properly perform access control checks in some
situations. An attacker could use this to specially construct an
untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10090)
It was discovered that the DTM exception handling code in the
JAXP component of OpenJDK did not properly perform access control
checks. An attacker could use this to specially construct an untrusted
Java application or applet that could escape sandbox restrictions.
(CVE-2017-10096)
It was discovered that the JAXP component of OpenJDK incorrectly
granted access to some internal resolvers. An attacker could use this
to specially construct an untrusted Java application or applet that
could escape sandbox restrictions. (CVE-2017-10101)
It was discovered that the Distributed Garbage Collector (DGC) in
OpenJDK did not properly track references in some situations. A
remote attacker could possibly use this to execute arbitrary
code. (CVE-2017-10102)
It was discovered that the Activation ID implementation in the RMI
component of OpenJDK did not properly check access control permissions
in some situations. An attacker could use this to specially construct
an untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10107)
It was discovered that the BasicAttribute class in OpenJDK did not
properly bound memory allocation when de-serializing objects. An
attacker could use this to cause a denial of service (memory
consumption). (CVE-2017-10108)
It was discovered that the CodeSource class in OpenJDK did not
properly bound memory allocations when de-serializing object
instances. An attacker could use this to cause a denial of service
(memory consumption). (CVE-2017-10109)
It was discovered that the AWT ImageWatched class in OpenJDK did not
properly perform access control checks, An attacker could use this
to specially construct an untrusted Java application or applet that
could escape sandbox restrictions (CVE-2017-10110)
Jackson Davis discovered that the LambdaFormEditor class in the
Libraries component of OpenJDK did not correctly perform bounds checks
in the permuteArgumentsForm() function. An attacker could use this
to specially construct an untrusted Java application or applet that
could escape sandbox restrictions and possibly execute arbitrary
code. (CVE-2017-10111)
It was discovered that a timing side-channel vulnerability existed
in the DSA implementation in OpenJDK. An attacker could use this to
expose sensitive information. (CVE-2017-10115)
It was discovered that the LDAP implementation in OpenJDK incorrectly
followed references to non-LDAP URLs. An attacker could use this to
specially craft an LDAP referral URL that exposes sensitive information
or bypass access restrictions. (CVE-2017-10116)
It was discovered that a timing side-channel vulnerability existed
in the ECDSA implementation in OpenJDK. An attacker could use this
to expose sensitive information. (CVE-2017-10118)
Ilya Maykov discovered that a timing side-channel vulnerability
existed in the PKCS#8 implementation in OpenJDK. An attacker could
use this to expose sensitive information. (CVE-2017-10135)
It was discovered that the Elliptic Curve (EC) implementation
in OpenJDK did not properly compute certain elliptic curve
points. An attacker could use this to expose sensitive
information. (CVE-2017-10176)
It was discovered that OpenJDK did not properly restrict weak key
sizes in some situations. An attacker could use this to specially
construct an untrusted Java application or applet that could escape
sandbox restrictions. (CVE-2017-10193)
It was discovered that OpenJDK did not properly enforce disabled
algorithm restrictions on X.509 certificate chains. An attacker
could use this to expose sensitive information or escape sandbox
restrictions. (CVE-2017-10198)
It was discovered that OpenJDK did not properly perform access control
checks when handling Web Service Definition Language (WSDL) XML
documents. An attacker could use this to expose sensitive information.
(CVE-2017-10243)
Update instructions
The problem can be corrected by updating your system to the following package version:
This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing.
He could see the various commands floating across his screen in unencrypted plain text. "I could even issue commands like, 'all cell blocks open'," he said in a phone call last week. But without being there, he could not know for sure if his actions would have real-world consequences.
"I'd probably only know by reading about it in the newspaper the next day," said Lundgren, a senior security consultant at IOActive, ahead of his Black Hat talk in Las Vegas last week.
It's because those cell doors are controlled by a little-known but popular open source messaging protocol known as MQTT, which lets low-powered, internet-connected (IoT) sensors, and smart devices communicate with a central server using little bandwidth, like letting prison guards remotely control the locks on a cell door. The protocol is used everywhere -- by hobbyists at home, but also in industrial systems, like gauges and sensors in industrial systems, electronic billboards, and even medical devices.
But all too often, the servers that listen to devices and send commands aren't protected with a username or password, allowing anyone with an internet connection to look into one of the 87,000 unprotected servers, according to Lundgren's port scans.
"It's a scary situation," he said. "Not only can we read the data -- that's bad enough -- but we can also write to the data."
Lundgren has seen heart monitors and insulin pumps that are constantly updating data over the protocol so that a doctor can read it remotely on a web page and make alterations, he said. "If I wanted to be malicious, I could probably change the insulin or something, and see what happens," he said.
Throughout his scans, he found servers from all over the world, running everything from home automation and alarm systems, to nuclear power plants, a particle accelerator -- and even an oil pipeline.
"I can see the pressure flow back and forth," said Lundgren. He wasn't sure of the pipeline's location, but said he could see usernames and passwords to its entire industrial control system.
"If you can push more oil through, you could injure people," he said.
Lundgren also found a server operating in a German train station. He could see when trains run, which track they're on, and when they arrive. "I don't know what the impact could be if I changed it," he said. "The best case scenario is that the devices just update the boards," said Lundgren -- though, he couldn't be sure if the data aggregated down to the actual tracks. In the worst case scenario, an attacker could've manipulated where trains go on each track, potentially causing a crash.
Among his finds were sex toys, blood pressure machines, air humidity sensors, and earthquake alert systems, he said.
In one of the slides at his Black Hat talk, he described how a Tesla vehicle was leaking its real-time geolocation and other vital statistics.
But Lundgren will be the first to launch a defense for the protocol -- laying blame at the hands of its users.
"To blame MQTT isn't fair -- the protocol isn't the problem," he said. "You should always use encryption, and a username and a password on the server," he said. "The majority don't bother." Several significant data breaches and exposures have resulted from leaving servers unprotected, including database servers that've been held to ransom, and Amazon cloud storage units that have been raided, among others.
He said that companies like Amazon, IBM, and Microsoft -- some of the big names with cloud-based MQTT solutions, which he recommends -- force you to set up the servers properly.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
If you are a die heart fan of 'Game of Thrones' series, there's good news for you, but obviously bad for HBO.
Hackers claim to have stolen 1.5 terabytes of data from HBO, including episodes of HBO shows yet to release online and information on the current season of Game of Thrones.
What's more?
The hackers have already leaked upcoming episodes of the shows "Ballers" and "Room 104" on the Internet.
Additionally, the hackers have also released a script that is reportedly for the upcoming fourth episode of
, hackers claim to have obtained 1.5 terabytes of data from the entertainment giant and informed several reporters about the hack via anonymous email sent on Sunday.
Though HBO has confirmed the cyber attack on its network and released a statement, the company did not confirm what the hackers have stolen more information, and whether or not upcoming episodes of the widely watched Game Of Thrones have been stolen.
"HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information," the company confirmed the hack in a statement.
"We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold."
After leaking episodes of "
Ballers
" and "
Room 104
" and a script that is believed to be the new episode of "Game of Thrones," hackers have promised more leaks to be "coming soon."
The anonymous email sent to the reporters read:
"Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh, I forget to tell. It's HBO and Game of Thrones……!!!!!!
You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him."
If hackers have indeed stolen 1.5 terabytes of data from HBO, it could be the company's second major cyber attack, after 2015, when the first four episodes of "
Game of Thrones Season 5
" appeared on the Internet shortly before the season's premiere.
Does this sound like a day in your IT security life? Wake up, get coffee, drive to work, and battle an almost constant onslaught of attacks, while playing whack-a-mole with too many alerts. If so, we get it. You never know where the next attack will come from. And you’re probably on to the fact […]
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Summary
RabbitMQ could allow unintended access to network services.
Software description
rabbitmq-server - AMQP server written in Erlang
Details
It was discovered that RabbitMQ incorrectly handled MQTT (MQ Telemetry
Transport) authentication. A remote attacker could use this issue to
authenticate successfully with an existing username by omitting the
password.
Update instructions
The problem can be corrected by updating your system to the following package version:
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Summary
USN-3363-1 caused a regression in ImageMagick.
Software description
imagemagick - Image manipulation programs and library
Details
USN-3363-1 fixed vulnerabilities in ImageMagick. The update caused a
regression for certain users when processing images. The problematic
patch has been reverted pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.
Update instructions
The problem can be corrected by updating your system to the following package version:
Phishers have recently hacked an extension for Google Chrome after compromising the Chrome Web Store account of German developer team a9t9 software and abused to distribute spam messages to unsuspecting users.
Dubbed Copyfish, the extension allows users to extract text from images, PDF documents and video, and has more than 37,500 users.
Unfortunately, the Chrome extension of Copyfish has been hijacked and compromised by some unknown attacker, who equipped the extension with advertisement injection capabilities. However, its Firefox counterpart was not affected by the attack.
The attackers even moved the extension to their developer account, preventing its developers from removing the infected extension from the store, even after being spotted that the extension has been compromised.
"So far, the update looks like standard adware hack, but, as we still have no control over Copyfish, the thieves might update the extension another time… until we get it back," the developers warned. "We can not even disable it—as it is no longer in our developer account."
Here's How the Hackers Hijacked the Extension:
Copyfish developers traced the hack back to a phishing attack that occurred on 28 July.
According to a9t9 software, one of its team members received a phishing email impersonating the Chrome Web Store team that said them to update their Copyfish Chrome extension; otherwise, Google would remove it from the web store.
The phishing email instructed the member to click on "Click here to read more details," which opened the "Google" password dialogue box.
The provided link was a bit.ly link, but since the team member was viewing the link in HTML form, he did not find it immediately suspicious and entered the password for their developer account.
The developers said the password screen looked almost exactly the one used by Google. Although the team did not have any screenshot of the fake password page as it appeared only once, it did take a screenshot of the initial phishing email and its reply.
"This looked legit to the team member, so we did not notice the [phishing] attack as such at this point. [Phishing] for Chrome extensions was simply not on our radar screen," the developers said.
Once the developer entered the credentials for a9t9 software’s developer account, the hackers behind the attack updated the Copyfish extension on 29 July to Version 2.8.5, which is pushing out spams and advertisements to its users.
The worst part comes in when the Copyfish makers noticed the issue very quickly, but they could not do anything because the hackers moved the extension to their developer account.
The software company contacted Google developer support, which is currently working to provide the company access to their software.
The a9t9 software is warning users that the Chrome extension for Copyfish is currently not under its control. So, users are advised not to install the malicious Chrome extension and remove, if they have already installed.
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 12.04 LTS
Summary
Several security issues were fixed in Apache HTTP Server.
Software description
apache2 - Apache HTTP server
Details
Emmanuel Dreyfus discovered that third-party modules using the
ap_get_basic_auth_pw() function outside of the authentication phase may
lead to authentication requirements being bypassed. This update adds a new
ap_get_basic_auth_components() function for use by third-party modules.
(CVE-2017-3167)
Vasileios Panopoulos discovered that the Apache mod_ssl module may crash
when third-party modules call ap_hook_process_connection() during an HTTP
request to an HTTPS port. (CVE-2017-3169)
Javier Jiménez discovered that the Apache HTTP Server incorrectly handled
parsing certain requests. A remote attacker could possibly use this issue
to cause the Apache HTTP Server to crash, resulting in a denial of service.
(CVE-2017-7668)
ChenQin and Hanno Böck discovered that the Apache mod_mime module
incorrectly handled certain Content-Type response headers. A remote
attacker could possibly use this issue to cause the Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2017-7679)
David Dennerline and Régis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary to
specifications. When being used in combination with a proxy or backend
server, a remote attacker could possibly use this issue to perform an
injection attack and pollute cache. This update may introduce compatibility
issues with clients that do not strictly follow HTTP protocol
specifications. A new configuration option "HttpProtocolOptions Unsafe" can
be used to revert to the previous unsafe behaviour in problematic
environments. (CVE-2016-8743)
Update instructions
The problem can be corrected by updating your system to the following package version:
The iDoorBell is one of two NeoCoolCam devices found to have vulnerabilities that allow hackers to remotely take them over.
Image: Shenzen Neo Electronics
Over 100,000 internet-connected security cameras contain a "massive" security vulnerability that allows them to be accessed via the open web and used for surveillance, roped into a malicious botnet, or even exploited to hijack other devices on the same network.
Representing yet more Internet of Things devices that are exposed to cyberattackers, vulnerabilities have been uncovered in two cameras in Chinese manufacturer Shenzhen Neo Electronics' NeoCoolCam range.
Researchers at Bitdefender say the loopholes mean it's trivial for outsiders to remotely attack the devices and that 175,000 of the devices are connected to the internet and vulnerable. Between 100,000 and 140,000 are detectable via the Shodan IoT device search engine alone.
The easy online availability and low cost -- some models are available for under £30 ($39) -- of Shenzhen products means the NeoCoolCam devices have spread around the world; the products are in no way just limited to China.
"This proof of concept attack confirms once again that most Internet of Things devices are trivial to exploit because of improper quality assurance at the firmware level. Paired with the fact that the bug affects the authentication mechanism and the massive pool of affected devices, we can only imagine the impact a harvested botnet of devices might have," Bitdefender's research paper said.
The two cameras studied, the iDoorbell model and NIP-22 model, contain several buffer overflow vulnerabilities, some even before the authentication process. The flaws can be used for remote execution on the device -- the attacker doesn't even need to be logged in, even just the attempt at a login can provide access.
"By manipulating the login and password fields of the form, the attacker can inject commands and trick the camera into executing code as it attempts to perform the authentication," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.
"This is a massive vulnerability because it does not allow the user to be logged in; on the contrary, the camera is compromised when a login validation is attempted."
The vulnerabilities could act as a gateway to the rest of the network and the compromise of other devices on it, the researchers said. "Since this attack can execute code on the respective devices, a hacker can use the cameras to pivot inside the internal network," said Botezatu.
Both types of camera were subjected two types of attack: one which affects the web server on the cameras themselves and another which affects the Real Time Streaming Protocol Server.
The camera web server exploit stems from a vulnerability in the HTTP service triggered by the way the application processes the username and password information at login.
Exploiting a weakness they discovered, the researchers were able to overflow the system function and specify commands to be executed, such as monitoring activity on the hacked camera and even overwriting the password, a move which would put the camera in the hands of the hacker for malicious purposes including espionage.
Researchers discovered second vulnerability in the camera's Rapid Spanning Tree Protocol (RSTP) server, with an exploit around authorization which would allow them to gain access to the device.
Bitdefender notes that the two exploits are "almost identical" on both camera models. NeoCool Cam was contacted in May, but Bitdefender says the company hasn't responded. ZDNet has attempted to contact Shenzhen Neo Electronics but hasn't received a reply at the time of publication.
READ MORE ON CYBERCRIME
from Latest Topic for ZDNet in... http://ift.tt/2web6pv
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 12.04 LTS
Summary
Several security issues were fixed in NSS.
Software description
nss - Network Security Service library
Details
It was discovered that NSS incorrectly handled certain empty SSLv2
messages. A remote attacker could possibly use this issue to cause NSS to
crash, resulting in a denial of service. (CVE-2017-7502)
Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks. A remote attacker could
possibly use this flaw to obtain clear text data from long encrypted
sessions. This update causes NSS to limit use of the same symmetric key.
(CVE-2016-2183)
It was discovered that NSS incorrectly handled Base64 decoding. A remote
attacker could use this flaw to cause NSS to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2017-5461)
Update instructions
The problem can be corrected by updating your system to the following package version:
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6, 7 and 8 that are used by IBM MQ. These issues were disclosed as part of the Java SDK updates from IBM in April 2017.
Google is being pressed to explain what data on credit and debit card purchases it's accessing, and how it's getting and encrypting that information.
Image: Google
Privacy rights group the Electronic Privacy Information Center (EPIC) will file a legal complaint with the Federal Trade Commission over a system Google is using to link web activity with in-store card purchases.
The complaint concerns Google's new Store Sales Measurement program, which aims to demonstrate to advertisers that clicks online do lead to purchases at the register.
According to The Washington Post, EPIC wants Google to be more transparent about what data on credit and debit card purchases it's accessing, how it's getting the information, and what encryption it's using to ensure user data remains anonymous.
Announcing the system in May, Google said third-party partnerships allow it to capture 70 percent of all payment-card transactions in the US. The system matches transactions back to Google ads, which Google said was done in a "secure and privacy-safe way". It also reports aggregated and anonymized store sales data to advertisers.
Google has developed custom encryption to anonymize and encrypt the payment data it receives from third parties, which prevents it from accessing the data for individuals.
Google can match in-store spending to ads if a consumer provides their email address at the register. For consumers who don't provide an email address, Google relies on third-party providers of payment-card transaction data.
Google execs previously confirmed its "double-blind" encryption is based on CryptDB, a system for protecting applications run on SQL databases. CryptDB was developed by MIT researchers in 2011 with partial funding from Google.
The researchers noted that since CryptDB uses chained encryption, "a database administrator never gets access to decrypted data, and even if all servers are compromised, an adversary cannot decrypt the data of any user who is not logged in".
However, in an interview with the Post in May, Google declined to reveal exactly how it is encrypting data, citing a pending patent.
A Google exec told the paper back then how it matches data from its third-party partners: "Through a mathematical property we can do double-blind matching between their data and our data. Neither gets to see the encrypted data that the other side brings."
EPIC wants the FTC itself to review the algorithm and for Google to reveal how it gets purchase data. The privacy group argues that consumers can't make an informed decision about which cards to use or which shops to avoid if they'd prefer not to have purchases tracked.
Google said users can opt out of the tracking by going to the My Activity Page, clicking on Activity Controls, and unchecking 'Web and Web Activity'.
However, EPIC argues that Store Sales Measurement goes beyond location tracking.
"Google requires its Store Sales Measurement partners to have the rights to individuals' transaction data but the details on how, or whether, individuals choose to give or not give these rights has not been disclosed," EPIC says.
from Latest Topic for ZDNet in... http://ift.tt/2vbeJQq
NSA whistleblower Edward Snowden argues that Russia's decision to outlaw VPNs is a "tragedy of policy".
Image: CBS News
Edward Snowden has laid into the Russian government for banning the use of virtual private networks (VPNs) and other tools that people can use to circumvent censorship and surveillance.
Russian president Vladimir Putin signed the law on Sunday, prompting a Twitter tirade from Snowden, the US National Security Agency (NSA) whistleblower who has been sheltering in Moscow since 2013.
Snowden called the decision a "tragedy of policy" that would make Russia "both less safe and less free". He also linked the government's move to China's crackdown on VPN technology, which led Apple to pull dozens of VPN apps from its Chinese App Store over the weekend.
"Whether enacted by China, Russia, or anyone else, we must be clear this is not a reasonable 'regulation,' but a violation of human rights," Snowden wrote, arguing that, "If the next generation is to enjoy the online liberties ours did, innocuous traffic must become truly indistinguishable from the sensitive."
He also appeared to urge tech industry workers to push back against the anti-VPN trend.
Linking Russia's move to China's crackdown on VPN technology, Snowden urged tech workers to be vigilent.
Image: Edward Snowden/Twitter
Snowden is these days the president of the Freedom of the Press Foundation. In line with his 2013 decision to expose the NSA's mass-surveillance activities, he has long been an advocate of individuals being able to protect their communications and online activities.
However, he has previously warned against people relying too much on VPNs, because their operators may be vulnerable to hacks or subpoenas that could expose users.
The former NSA contractor originally fled from the US to Hong Kong, where he famously started working with newspapers to expose the agency's activities.
Then, while apparently trying to fly to Latin America, Snowden found himself stranded at a Moscow airport because the US had cancelled his passport. The Russians granted him asylum, which was extended for "a couple more years" in January this year.
During his stay there, Snowden has occasionally voiced strong criticism of Russia's surveillance policies.
In mid-2016, when the Russian government introduced a data-retention law and forced communications providers to help decrypt people's messages, the American said the legislation was "an unworkable, unjustifiable violation of rights that should never have been signed".
In 2014, he also denounced the so-called Blogger's Law, which imposed restrictions on what bloggers can write.
The latest law, banning VPNs, will come into effect in November this year. It is mainly intended to stop Russians viewing websites that are on the official state blacklist.
from Latest Topic for ZDNet in... http://ift.tt/2wdJhhm
Reportedly, at least one senior cyber security analyst working with Mandiant, a Virginia-based cybersecurity firm owned by the FireEye, appears to have had its system compromised by hackers, exposing his sensitive information on the Internet.
On Sunday, an anonymous group of hackers posted some sensitive details allegedly belonged to
Adi Peretz
, a Senior Threat Intelligence Analyst at Mandiant, claiming they have had complete access to the company's internal networks since 2016.
The recent hack into Mandiant has been dubbed Operation #
LeakTheAnalyst
.
Further Leaks from Mandiant Might Appear
The hackers have leaked nearly 32 megabytes of data—both personal and professional—belonging to Peretz on Pastebin as proof, which suggests they have more Mandiant data that could be leaked in upcoming days.
"It was fun to be inside a giant company named “Mandiant” we enjoyed watching how they try to protect their clients and how their dumb analysts are trying to reverse engineer malware and stuff," the Pastebin post reads.
"This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future."
Hackers dumped a treasure trove of sensitive information, which includes:
Peretz's Microsoft account login details
Peretz's Contacts
Screenshots of the Windows Find My Device Geolocator, linked to Peretz's Surface Pro laptop.
Client correspondence
Presentations
Contents of his email inbox
Several internal Mandiant and FireEye documents
Threat intelligence profiles for the Israeli Defence Force (IDF)
Besides leaks, the anonymous hackers also reportedly broke into Peretz's LinkedIn page and defaced it. His profile has since been
But, in countries like America, even hacking electronic voting machines is possible—that too, in a matter of minutes.
Several hackers reportedly managed to hack into multiple United States voting machines in a relatively short period—in some cases within minutes, and in other within a few hours—at Def Con cybersecurity conference held in Las Vegas this week.
Citing the concern of people with the integrity and
" event, where tech-savvy attendees tried to hack some systems and help catch vulnerabilities.
Voting Machine Village provided 30 different pieces of voting equipment used in American elections in a room, which included Sequoia AVC Edge, ES&S iVotronic, AccuVote TSX, WinVote, and Diebold Expresspoll 4000 voting machines.
And what's horrible? The group of attendees reportedly took less than 90 minutes to compromise these voting machines.
Image Credit: @tjhorner
Members of the Def Con hacking community managed to take complete control of an e-poll book, an election equipment which is currently in use in dozens of states where voters sign in and receive their ballots.
Other hackers in attendance claimed to have found significant security flaws in the AccuVote TSX, which is currently in use in 19 states, and the Sequoia AVC Edge, used in 13 states.
Another hacker broke into the hardware and firmware of the Diebold TSX voting machine.
Hackers were also able to hack into the WinVote voting machine, which is available on eBay, and have long been removed from use in elections due to its vulnerabilities.
Hackers discovered a remote access vulnerability in WinVote's operating system, which exposed real election data that was still stored in the machine.
Another hacker hacked into the Express-Pollbook system and exposed the internal data structure via a known OpenSSL vulnerability (CVE-2011-4109), allowing anyone to carry out remote attacks.
"Without question, our voting systems are weak and susceptible. Thanks to the contributors of the hacker community today, we’ve uncovered even more about exactly how," said Jake Braun, a cybersecurity expert at the University of Chicago, told Reg media.
"The scary thing is we also know that our foreign adversaries — including Russia, North Korea, Iran — possess the capabilities to hack them too, in the process undermining the principles of democracy and threatening our national security."
Election hacking became a major debate following the 2016 US presidential election, where it was
in at least 39 states in the run-up to the election.
However, there is no evidence yet to justify these claims.
Even, Hacking of voting machines is also a major concern in India these days, but the government and election commission has declined to host such event to test the integrity of EVMs (Electronic Voting Machines) used during the country's General and State Elections.
Australia's eSafety Commissioner Julie Inman Grant has assembled an Online Safety Consultative Working Group to determine the best approach to protecting those under the age of 18 from accessing adult or pornographic material online.
The newly appointed Inman Grant said addressing the challenge Australia is faced with as a result of graphic pornography, technology, and young Australians colliding requires the collaboration and expertise of government, industry, academics, educators, advocacy groups, and law enforcement agencies.
"While Australian children are some of the most fortunate in the world in terms of their access to technology, this comes with both benefit and risks. One of those risks is exposure to extreme pornography -- graphic, violent, and sometimes degrading video content -- whether deliberate or incidental," she wrote in a blog post.
The UK Parliament recently passed new legislation that will mean porn consumers in Britain will need to be age-verified to gain access from April next year.
"While there is no clear way forward on how this legislation will be implemented or the technical solutions needed to do so, we will watch the UK closely and will learn where we can," Inman Grant explained.
However, protecting those underage from accessing content they are perhaps not mentally developed enough to understand by way of some sort of internet filter might merely serve as a band-aid solution.
Following a roundtable Inman Grant held last week, she said it was clear there was a need for more local research into the effectiveness of interventions, not only to limit young people's access and exposure to pornography but also around how to minimise pornography's harmful effects.
"While it is apparent there is much work to be done, there was consensus that no single measure is likely to be a catch-all solution. Unfortunately, despite a range of interesting efforts being undertaken around the world, there is no silver bullet," the commissioner explained.
"We also believe that we can come up with novel approaches that are fit for the Australian populace. The eSafety Office will continue to work with our expert committee, and others, to critically analyse all possible solutions, and following deliberations will present policy recommendations to the government."
In a blog post from May, Inman Grant said that while education and engagement with children may serve as the initial frontline defence, parents need to be vigilant in employing a range of protective strategies to prevent and minimise the risks and effects.
"A multi-pronged approach may also include deploying parental controls to help limit the types of content and apps children can access, but technology tools, in isolation, will not serve as a total panacea," she said previously.
"The 'set and forget' mentality can lead to parental complacency and determined tech savvy kids can find ways to circumvent technological protections. In short, there is no substitution for adult engagement and oversight in children's online lives."
In November 2012, the then Labor government dropped its plans to introduce a mandatory internet filtering scheme for websites that the Classifications Board labelled as Refused Classification, meaning a rating beyond X-rated content.
According to Kate Carnell, Australian Small Business and Family Enterprise Ombudsman, half of small-to-medium enterprises (SMEs) operating in Australia believe their limited online presence protects them from cybercrime.
However, Carnell believes the opposite to be true -- that the presence they have does make them a prime target for cyber criminals.
Speaking at the ASIAL Security Conference in Sydney last week, Carnell said a lot of SMEs don't think they have anything warranting a cyber attack, believing criminals instead would target the "big guys".
"They know the big guys have really cool systems and they know the little guys haven't," she explained. "Cyber criminals now are attacking small businesses as a result, very, very regularly."
A former pharmacy owner, Carnell said she employed a range of physical security practices, including multiple safes, as a way of preventing the bad guys from accessing both her business' money and medication. But now, she said the threat to a pharmacist is the world -- not just a few known local nuisances.
"Everybody can attack the computer system in a pharmacy," she said.
"Small business are attacked for a whole range of reasons, one is their systems are pretty low, their knowledge in the area is pretty low, they don't have in-house IT people, most people don't really understand this stuff at all ... and they have a tendency to pay accounts and invoices quickly. When you get a false account, they have a nasty habit of being paid."
According to the ombudsman, the average cost to businesses as a result of an online scam is about AU$10,000, with most of the scams coming in via email or phone.
30 percent of small businesses reported experiencing a cybercrime incident in the year to mid-2015 -- a 109 percent increase over the year prior. Carnell, however, is certain that figure was a lot higher as a lot of small businesses don't want to admit they've fallen victim.
Australia is a nation of small business operators -- defined by the ombudsman as business employing less than 20 employees and by the Australian Taxation Office as businesses turning over below $10 million.
In Australia right now, 97 percent of business are small businesses employing less than 20 employees -- that is 2.1 million individuals employed by a small business.
"The vast percentage of businesses in this country fall into that category," she said.
Carnell added that many do not have a chief operating officer, in-house lawyers, or IT folk. They don't really get cybersecurity even though they know it's a problem, and the CEOs are often actively running the day-to-day business with an office structure around them. As a result, cyber protection is often forgotten.
"This is starting to be a bigger impact among our economy ... than some traditional forms of crime," she explained, but noted that the challenge for many SMEs is they don't know how to protect themselves.
"The reason they don't know how to deal with it is that there's so much stuff in the space across government ... there's a lot of different parts of the federal government dealing in the cybersecurity space.
"But from a small business perspective, where do you go? Do you go to ASIC, the AFP, Scamwatch, the ATO?"
"They need [help] in the way that's simple enough for them to incorporate it into their business and that they can afford," Shorten said, addressing Parliament in November. "This means having the resources to design cyber defences for products, processes, and people."
With grants of up to AU$2,100 becoming available next year to SMEs to support a cybersecurity IT system, Carnell said Australia is still a mile away from small businesses knowing where they have to go to report and what they have to do to be safe.
"60 percent of small businesses that have a major cyber attack go broke within 12 months," she said.
"This is a huge problem and it's a major opportunity for the cybersecurity industry."
from Latest Topic for ZDNet in... http://ift.tt/2uLQnf5
Russian President Vladimir Putin has signed a law prohibiting the use of technology that provides access to websites banned in the country.
The law signed on Sunday is already approved by the Duma, the lower house of parliament, and will come into effect on November 1, 2017.
It will ban the use of virtual private networks (VPNs) and other technologies, known as anonymisers, that allow people to surf the web anonymously.
Leonid Levin, the head of Duma's information policy committee, has said the law is not intended to impose restrictions on law-abiding citizens but is meant only to block access to "unlawful content", RIA news agency said.
The move follows a decision Apple made at the weekend to pull VPN apps from the App Store in China.
China has long operated the world's most sophisticated online censorship mechanism, known as the Great Firewall, and the use of VPNs by residents provides a loophole which can be used to circumvent the country's surveillance and blocking lists.
Popular social media websites such as Facebook, Twitter, and YouTube, for example, are blocked in the country, with a pilot free-trade zone active in Shanghai in the past that allowed some access to such content, although still heavily restricted.
At the beginning of last year, China upgraded its Great Firewall and began to crack down on the use of VPNs within the Middle Kingdom.
The revamped internet filter made it difficult to work around the Facebook ban, and called it a move aimed at fostering the "healthy development" of the internet in China.
The Chinese government earlier this month ordered state-owned internet service providers, including China Mobile, China Unicom, and China Telecom, to completely block access to VPNs by February 2018.
It followed a 14-month campaign the Chinese Ministry of Industry and Information Technology launched in January, aimed at cracking down on "unauthorised" web platforms and services the government does not approve of.
In what the Chinese government labelled a "clean up" which will "standardise the market order" and "promote healthy and orderly development", the program forces ISPs, VPN providers, datacentres, and content delivery networks to gain a licence and approval from Chinese officials to operate.
The campaign described VPNs as "illegal cross-border business issues" that need to be controlled, and deems it illegal for businesses to operate outside of their specific licence limitations.
With AAP
from Latest Topic for ZDNet in... http://ift.tt/2tV7fkt
In order to comply with Chinese censorship law, Apple has started removing all virtual private network (VPN) apps from the App Store in China, making it harder for internet users to bypass its Great Firewall.
VPN service providers that provide services in China has accused the United States tech giant of complying with Chinese stringent cyberspace regulations.
In a blog post, the developers of ExpressVPN reported that Apple informed them that their VPN app had been pulled from the company's Chinese App Store, and it seems all major VPN clients have received the same notice from Apple.
China has strict Internet censorship laws through the Great Firewall of China – the country's Golden Shield project that employs a variety of tricks to censor Internet and block access to major foreign websites in the country.
The Great Firewall is already blocking some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Dropbox, Tumblr, and The Pirate Bay in the country.
Therefore, to thwart these restrictions and access these websites, hundreds of millions of Chinese citizens use virtual private networks (VPNs) that encrypt their online traffic and route it through a distant connection.
However, earlier this year, China announced a crackdown on VPNs and proxy services in the country and made it mandatory for all VPN service providers and leased cable lines operators to have a license from the government to use such services.
This 14-month-long crackdown on the use of unsupervised internet connections, including VPNs was launched by the country's Ministry of Industry and Information Technology, who called it a "clean-up" of China's Internet connections.
Now, ExpressVPN received a notice from Apple that its app would be removed from the China-based App Store "because it includes content that is illegal in China."
"We're disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China's censorship efforts," ExpressVPN said in a statement.
Not just ExpressVPN alone, but another VPN service provider, Star VPN, also received same notice from Apple, the company confirmed via its official Twitter account on Saturday.
"We are writing to notify you that your application will be removed from the China App Store because it includes content that is illegal in China," Apple said in the notice. "We know this stuff is complicated, but it is your responsibility to understand and make sure your app conforms with all local laws."
Although Apple did not comment on this issue, it is no coincidence, as the company has severely been implementing various aspects of Chinese law in recent months for its regional operations in the most populated country.
Earlier this year, Apple removed the New York Times (NYT) app from its Chinese App Store because the app was in "violation of local regulations."
The tech giant has even partnered with a local firm in the southwestern province of Guizhou earlier this month to set up its first data centre in China, which will store all user information for Chinese customers.
IBM 10x vulnerability in IBM Control Center does not properly update the session id which could allow a user to obtain the ID in further attacks against the system.
IBM Control Center 6.1.0.0 through 6.1.0.1 iFix05
IBM Control Center 6.0.0.0 through 6.0.0.1 iFix09
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2vSLa3B
X-Force Database: http://ift.tt/2odAHyr
When using the MQIPT SecurityManager, IP addresses that are not configured in the MQIPT security policy file with the accept and resolve socket permissions, cause MQIPT to stop responding to connection attempts.
IBM WebSphere MQ Internet Pass-Thru v2.0 on all platforms
IBM WebSphere MQ Internet Pass-Thru v2.1 on all platforms
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2uIegEi
X-Force Database: http://ift.tt/2vSRpEk
I think we should stop going crazy over the smart things unless it's secure enough to be called SMART—from a toaster, security cameras, and routers to the computers and cars—everything is hackable.
But the worst part comes in when these techs just require some cheap and easily available kinds of stuff to get compromised.
Want example? It took just cheap magnets purchased from Amazon online store for a security researcher to unlock a "smart" gun that only its owner can fire.
The German manufacturer of the
Armatix IP1 "smart" gun
which claimed the weapon would 'usher in a new era of gun safety' as the gun would only fire by its owners who are wearing an accompanying smartwatch.
However, for the first time, a skilled hacker and security researcher who goes by the pseudonym "Plore" found multiple ways to defeat the security of Armatix GmbH Smart System and its $1,400 smart gun.
, the smart idea behind the Armatix IP1 is that the gun will only fire if it is close to the smartwatch, and won't beyond a few inches of distance from the watch.
However, Plore found three ways to hack into the Armatix IP1 smart gun, and even demonstrated (the video is given below) that he could make the smart gun fire without the security smartwatch anywhere near it.
Smart Gun Hacking Demonstrated:
Plore placed $15 magnets near the barrel of the gun, doing this made him bypass the security watch, thereby defeating the Armatix IP1’s the electromagnetic locking system altogether.
"I almost didn't believe it had actually worked. I had to fire it again," the researcher said. "And that's how I found out for $15 (£11.50) of materials you can defeat the security of this $1,500 (£1,150) smart gun."
Plore was also able to jam the radio frequency band (916.5Mhz) of the gun from ten feet away using a $20 (£15) transmitter device that emits radio waves, preventing the owner from firing the gun even when the watch is present.
The researcher was also able to hack the gun's radio-based safety mechanism by using a custom-built $20 RF amplifier to extend the range of the watch.
When the owner squeezes the trigger, the gun sends out a signal to check whether the watch is there or not.
But the researcher was able to intercept the signal using a radio device, which acts as a relay that could extend the range by up to 12 feet, meaning somebody else other than the owner could be wearing the watch, defeating its fundamental security feature.
Plore believes that if smart guns are going to become a reality soon, they will need to be smarter than this one.
Black Hat and Def Con, the two annual security conferences you shouldn't miss, are drawing to a close.
Each year, security researchers and hackers bring their exploits and discoveries to share with the common aim of making the world more secure. But if you weren't in Vegas for the heat and hacking, we've got you covered.
From ZDNet, sister-site CNET, and around the web, here's the best of Black Hat and Def Con.
ZDNet: A flaw in modern 3G and 4G LTE cell networks could be used to pave the way for a next-generation of stingray devices, otherwise known as cell site (or IMSI) simulators. These highly controversial surveillance devices are shrouded in secrecy, but are almost exclusively used by police and law enforcement, often without warrants, in order to carry out indiscriminate cellular surveillance.
ZDNet: A security researcher found a bug, later patched by Apple, which could've let an attacker or insider gain access to an entire account's iCloud Keychain. The vulnerability was found by targeting a weak point in the end-to-end encryption, which let the researcher steal passwords and other secret data, like the Wi-Fi network names and visited websites and their passwords.
Motherboard: Hackers have shown how to remotely hijack an internet-connected car wash, which they say could be used to hurt someone -- the first cyberattack turned physical attack of its kind. "An attacker can send an instantaneous command to close one or both doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times as a driver tries to flee," wrote Motherboard.
CBS News: Fruitfly is the name of a stealthy but highly-invasive malware for Macs that went undetected for years. An attacker can remotely take complete control of an infected computer, including accessing user files, and the computer's webcam, screen, keyboard and mouse.
Wired: A series of vulnerabilities in the software and hardware of radiation detection systems can be exploited to, in its worst case scenario, "confuse nuclear engineers, or prevent them from responding to an ongoing radioactive leak." A hacker could disable radiation monitors to allow dangerous nuclear materials to bypass checkpoints.
CNET: A security flaw in the embedded system of a Diebold Nixdorf cash dispenser let hackers raid the cash stored inside. A vulnerability near the ATM's speakers in the upper section provided an opening for potential hackers to loosen and expose a USB port. "We're pretty sure we can just ask it to give us the money," said one of the hackers.
CNET: A flaw in how phones switch from modern LTE cell networks to the older, fallback 2G network can let an attacker send text messages and make phone calls from a victim's phone number. The hack works because of the way your phone rushes to keep a connection running when it switches between network technologies, according to the security researchers who found the flaw.
Dark Reading: A senior FBI agent described how the agency took down one of the largest, most damaging international botnets in living memory. Avalanche, the command and control network behind several ransomware and trojans, was a "network of servers used to spread malware campaigns" that facilitated so-called money mule laundering schemes. More than 800,000 domains associated with the complex network.
USA Today, Reuters: US officials say that no votes were affected in the recent US presidential election. Hackers in Las Vegas have been challenged to "prove it." The hackers have been given rare access to try to break into dozens of pieces of election equipment, including voting machines that are currently in use. The security researchers will spend the weekend trying to hack the machines and trying to alter the voting machines' results.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
from Latest Topic for ZDNet in... http://ift.tt/2tKvWfC
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Summary
Several security issues were fixed in the Linux kernel.
Software description
linux-hwe - Linux hardware enablement (HWE) kernel
Details
It was discovered that the Linux kernel did not properly initialize a Wake-
on-Lan data structure. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2014-9900)
Alexander Potapenko discovered a race condition in the Advanced Linux Sound
Architecture (ALSA) subsystem in the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory).
(CVE-2017-1000380)
Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the
Linux kernel did not properly validate some ioctl arguments. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)
Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in
the Linux kernel did not properly initialize memory. A local attacker could
use this to expose sensitive information (kernel memory). (CVE-2017-9605)
Update instructions
The problem can be corrected by updating your system to the following package version:
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
In the doorway of a low-ceilinged room with harsh strip lighting, Klaid Magi is looking tired. Behind him, the mess suggests this has not been a standard day at the office. The bins are overflowing with empty Coke cans, the desks are covered in snack wrappers, and the room probably smelled a whole lot fresher a few hours earlier.
Magi's team, a small band of about two dozen now-weary security experts, wander between the rows of PCs and whiteboards scrawled with notes, gradually recovering from a day spent as the last defense of a tiny nation against a massive cyberattack.
Magi's usual job is running Estonia's Computer Emergency Response Team, but today he's been in charge of protecting the fictional country of Berylia from unknown aggressors.
The team of defenders, operating from a nondescript tower block in a suburb of the Estonian capital Tallinn, is just one of a number taking part in an international cyberdefence exercise aimed at preparing them to tackle the real thing.
The two-day exercise, organized by NATO-affiliated cyber defence think tank, aims to test the skills of these teams at defending a range of technology--from PCs and servers to air traffic control systems.
"All the infrastructure we have was somehow under attack," said Magi.
"In real life you never will see a couple of thousand cyberattacks per day, so obviously it was a rough day," he added.
It's the end of the first day of the game (unlike a real cyberwar the game is slightly more civilised and keeps to standard business hours) and the Estonian team, considered to be one of the strongest playing, feels it has weathered the storm so far, managing to protect the systems of the fictional air base they are defending.
"This is our everyday job and nothing impresses us," Magi said.
But there's plenty more to come on day two.
*****
Over on the other side of Tallinn are the bad guys causing all the problems for Magi's team.
It's nothing personal--they're also causing havoc for the other 18 defending teams in the war game known as Locked Shields.
For the two days the game was running, the ballroom of a downtown hotel served as the nerve centre of the exercise, with dinner jackets and party frocks giving way for a few days to cyber security experts in bright T-shirts and the occasional military uniform.
It was also the base of the attackers--known as the Red Team--and it looked the part: a cavernous hall dominated by a giant screen.
The room, full of red T-shirted, mostly male hackers, was quiet and businesslike, which is somewhat at odds with the merciless bombardment this team is dishing out.
Mehis Hakkaja was the stern-looking head of the Red Team. "I'm a nice guy," he insisted with a smile, but it was clear he relished the challenge of the exercise.
I mention the visit to the Estonian Blue Team. "They looked tired?" he asked. "They'd better be."
*****
The Locked Shields exercise has been running since 2010, and the scenario is usually based around protecting the country of Berylia, a fictional new member of NATO floating somewhere in the north Atlantic, which has a difficult relationship with the rival state of Crimsonia.
Quite where this meddling rival Crimsonia is located is never actually made entirely clear in the scenario. But nobody involved with the exercise has much doubt that it lies somewhere to the east of Europe.
Locked Shields is run by NATO's Cooperative Cyber Defence Centre of Excellence (CCD COE) and bills itself as the largest and most complex international technical network defence exercise and involves 900 participants from 25 nations. This year there were 18 national teams, plus one team from NATO itself playing the game.
Exercises like this have been growing in scale in recent years, as it has become clear that cyberwarfare has moved from the largely theoretical to the worryingly likely.
Many governments are now spending vast sums on building up their capability to wage war on digital systems, with the US, Russia, and China seen as the most advanced in their capabilities. Incidents such as the 2015 hacking attack on the power grid in western Ukraine, which caused a blackout leaving hundreds of thousands without power, have shown the effectiveness of using digital attacks against critical infrastructure.
This year the defending Blue Teams had to play the role of a rapid response computer security team that has been dropped in to protect Berylia's main military air base from cyberattacks.
The furious pace of the simulation mimics a real-life emergency.
Image: NATO
The teams have to defend everything you might find in a standard office, including Windows PCs, Macs, Linux, and email and file servers. They must also protect systems that control the power grid and plan military air operations, including military surveillance drones and programmable logic controllers linked to the air base's fuel supply. The aim is to reinforce the idea that every single system inside or outside the network could be a jumping-off point for attackers.
The technical game, fighting off wave after wave of cyberattacks, was the main point of the exercise, and was how the teams scored the majority of their points.
Rain Ottis, head of the game-organising White Team, explained, "It is technical, it is hands-on. Most of the gameplay we have is on real computers, facing realistic threats, dealing with realistic opponents. It is live fire. We actually have a live opponent. They will actually take control of a server, maybe deface it or do whatever the objective says they have to do."
Over the years Locked Shields has expanded to include a communications game, where the teams have to respond to requests for interviews and update the Berylian people on their response to the attack, and a legal game where the teams' lawyers have to work out whether the attacks break the law and what to do about it. On top of this, there's a table-top strategy game, which tries to mimic the role of senior military and civilian decision makers who have to figure out how to respond to the attacks--putting it into the "grander geopolitical context," according to one of the players.
"At the technical level you have to worry about things like malware, or somebody defacing your website, or 'why did my power system just go down?'...questions like this. In the strategic game there are questions about if this happened in real life would it be considered a use of force or an armed attack," said Ottis. "Is it something worth going to war about?"
To add to the complexity, the game's controllers are not managing just one fictional Berylia but as many as 20 separate versions stacked up, because while each team is facing the same set of threats they may encounter different problems and different elements of the scenario at different times. This means the game unfolds separately and at a different pace for each team, depending on the decisions they make. It's no surprise then that one of the teams running the game picked the time-travelling Tardis as their unofficial mascot.
All of this is run from the ballroom control room, to which TechRepublic was given wide-ranging access during the whole exercise.
The teams running the different elements of the game are assigned their own colour T-shirts and banks of PCs. Red is for the attacking team; green is for the infrastructure team that keeps the game running; and white is for the communications and legal teams and others running the scenarios.
There's another team that sits just outside the control room. Phishing attempts and ransomware can only succeed if someone in the organisation is unwise enough to open a document or click on a dodgy link. And who would be dumb enough to click on a random attachment from an odd email address in the middle of a cyberwarfare game?
Fortunately for the attackers, and unfortunately for the defenders, each Blue Team is assigned a set of virtual end users who are trusting (or stupid) enough to click all sorts of virus-ridden attachments and provide the bad guys with one of their ways in. To add to the chaos these clueless virtual users will then complain to the Blue Team that they can't access their email or other services (because they've just brought them down by clicking on ransomware), causing yet more work and hassles for the defending teams to clear up.
There aren't any blue T-shirts in view--the defending teams are mostly based in their home countries. These teams can range in size from 20 to 60 members; most, like Magi's Estonian team, are a mix of civilian and military security experts. Some teams are filled with veterans of previous Locked Shields, while some are complete newbies.
*****
The game starts in a way the teams might not expect--not with a never-seen-before computer virus tearing through their systems but with a document with fake claims that the Berylians are building banned weapons. While the teams try to figure out what is going on, the rest of the bombardment starts.
There's a constant buzz in the control room when the game is on, but it's also controlled; there are certainly no cheers when one of the teams loses a system.
It's easy to get caught up in the game, to feel for the teams as they lose a drone or struggle to keep their power grid from shutting down, all the while trying to decide who is attacking them and what the legal situation is, even if the teams themselves may be hundreds or thousands of miles away.
Over the top of all of the different groups looms a giant drone that rocks gently in the breeze of the occasionally heated conversations from the teams below, the mirrored undersides of its long wings reflecting the bright screens beneath.
This drone isn't the only reminder of the virtual battle that is raging. Around the edges of the room are some of the systems that help make the game more real for the teams, both the attackers and defenders.
In one corner is a whiteboard filled with a set of grey metal boxes about the size of a housebrick--plain save for some green and red flickering lights on the bottom. These are drone brains.
These drone control units think they are actually inside the body of a drone flying around in Berylian airspace. The drones are supposed to trace a route over the center of Berylia, but if Red Team hackers gain control, then the drone will spiral off course over Berylia (bad) or even enter international airspace (very bad). Even worse, the hackers may be able to hijack the surveillance video stream from the drone and replace it with something else, such as cartoons, (very bad and embarrassing, too).
Another board displays a set of 20 programmable logic controllers, which represent the system on the air base used for refueling aircraft. If the hackers can break into this, they can open the valve and spill fuel onto the ground, and after that it only takes a spark to create chaos.
Various models are used to react to staged incidents.
Image: NATO
Raimo Peterson, CCD COE's technology branch head, pointed out that these are not just for show. "They may look like mock-ups or toys, [but] they are real systems taken from the field.
"If you talk about the power grid system, then yes, it is the same power grid software and the same power grid system that is used in energy transmission," he said, and the same drone system used in military operations around the world. "It's real equipment that we are playing with."
Dominating the rest of the room is a set of screens that display the current status--that is, the current woes of the teams.
One big screen shows a live map of the digital attacks arcing across from Crimsonia and down onto the teams spread across the map of Berylia like an updated version of the old video game Missile Command. It's pretty, but doesn't really tell you much other than all the teams are under attack, all of the time.
What's shown on the other bank of screens changes every so often, the better to display just how the Red Team hackers are ruining the Blue Team's day.
The Red Team, run by Hakkaja, breaks down into three main groups. The biggest of these is known as an advanced persistent threat (APT) group--like sophisticated state-backed hackers. This means sneaking quietly into networks and attacking from within.
While they creep around, alongside them is a team that specializes in attacking things like websites--a much more noisy and obvious approach that this year includes using ransomware against the teams. This means that rather than just defacing or deleting websites this team will encrypt the data and send a ransom note to the Blue Team, which has to decide whether to pay up or not.
A third team takes on firewalls and the special industrial control systems and drone systems that the teams have to defend.
"If you look at the pattern of how most enterprises are compromised, it is this APT-style approach by compromising one computer--even a fairly random computer--within an organization that gives you so much leverage to move around. In many cases, these incidents are not even noticed until months after the compromise has happened, so if you have time to sneak around and lay low, you can exfiltrate a lot of data and create a lot of damage until you are caught," Hakkaja said.
"The difference with the exercise is the Blue Team(s) know we are after them, and everything is scrutinised a lot more than usual and we have a very short time window to achieve our objectives so we have to move very fast to do what we need to do before we are kicked out."
Sometimes the screens show a map of the Blue's air base and its systems: If the Red Team's hackers have managed to knock out the main power supply, the defenders only have minutes before their backup battery is exhausted.
The screen might also show the radar systems that the team has to protect--showing invading fleets of ghost aircraft if they lose control--or the path of the drone the teams have to keep under control.
Jean-Francois Agneessens was working for the White Team this year but was previously head of the NATO team, so he knows what it's like to be on the receiving end of the attacks.
"The two days of live fire is like a compressed year so there are a lot of events that are happening concurrently and your team is limited, so you will need a wide variety of skills," he said.
It's important for the teams to understand they can't protect everything all the time, he added, "which I think makes it so realistic because in real life, this is true--you just cannot protect everything perfectly."
Agneessens said, "It's completely exhausting I can tell you. At the exercise [end] you would really like to celebrate the fact that you are alive after these two days, but people just go to sleep and you need to wait for the next day so you can celebrate."
That the teams are in their own countries defending the virtual infrastructure of another fictional country doesn't make too much difference to the feel of the exercise he said, largely because that's how modern technology works--rarely is a computer system physically located in the same room, or even the same building as the team managing it.
"The attacks we are facing are realistic, they are well organised, so it's not just a simulation of a bunch of script kiddies who are trying to get into your network who you will detect easily," he said.
******
All of the additional layers beyond the technical game create more context for the technical game and make it more meaningful for the teams.
It's a reminder that they aren't just trying to protect a set of servers or PCs, but they are trying to protect a way of life for a country that relies on online services.
But the expansion of the game also reflects that cyberwarfare isn't just about fixing software code, it's something that can affect every facet of society.
That's something that Estonia already knows well. This year Locked Shields was particularly significant because it coincided exactly with the tenth anniversary of the major cyberattacks on Estonia in April 2007. It was the first time a state came under such a bombardment.
Back then, after the Estonian authorities announced plans to move a Soviet war memorial, the websites of the country's banks, government agencies, and telecoms companies were attacked, and many were forced offline. Estonia regained its independence in 1991 during the collapse of the Soviet Union; Tallinn is only 200 miles from St. Petersburg.
The 2007 incidents were the first serious demonstration of how electronic attacks were capable of causing real problems for an advanced economy. NATO's cyber think tank was established in Tallinn the year after; it had already been planned, but the "Bronze Soldier" attacks as they were known--which were accompanied by two days of riots--certainly accelerated the process.
The Locked Shields simulation plays out across multiple screens.
Image: NATO
Russian-backed hackers were widely seen as responsible for the disruption, although Russia denied any responsibility.
Not that the attacks scared Estonia away from using technology, quite the opposite; the country is one of the most connected in Europe and even has Estonian "e-residency," which allows foreigners to set up EU-based businesses online.
Two decades ago the small country--with few natural resources, big scary neighbours, and a population of just over one million--decided to prioritise the use of technology. It introduced online voting in 2005 and has invested in cybersecurity, the Estonian CERT and CCD COE, as well as its Cyber Defence League, which is made up of experts from the country's IT companies, banks, and ISPs.
And it's not just a historical threat for Estonia. Earlier this year 800 troops from the UK arrived in the country as part of a NATO "enhanced forward presence" campaign, which was aimed at deterring any Russian aggression. Tensions in Eastern Europe have been on the rise ever since Russia's illegal annexation of Crimea in 2014.
While staging Locked Shields on the anniversary of the attacks was coincidental according to the organisers (it happens the same week every year) it served for many as a reminder that while this was just a game, reality is not too far away.
One big difference is that the 2007 attacks were mostly denial of service attacks--flooding websites with so much traffic that they could not cope. This is one of the few attacks not allowed in Locked Shields, during which the Red Team uses vastly more sophisticated methods to bombard its targets.
"10 years ago in Estonia, mostly there was only the DDoS attacks--attacks that ground your systems down. But during this exercise, the DDoS is the only attack they are not allowed to do by the rules. They are trying to get inside your system, to compromise your systems, steal your data, change your data. That kind of incident wasn't around in 2007, mostly it was just DDoS attacks," said Magi of the Estonian Blue Team, who was a network system administrator at a telecoms company in the country at the time of the 2007 attacks.
During the second afternoon, the game reaches its climax: The Red Team moves from specific targets to attacking any systems it can reach. The Blue Teams are besieged, throwing everything into their defence, desperately trying to hold the line.
And then suddenly it's all over.
Some beers arrive from somewhere, and a bottle of brandy. The control room is released and suddenly the serious air is gone, and replaced with chatter and jokes and clinking glasses. People gather around the big displays to work out which teams lost what systems. Even members of the Red Team start appearing from their lair, although even now they remain a bit more serious and reserved.
Later, after all the adding up is done, bringing together all the scores from the different game elements, it becomes clear that the Czech Republic won, Magi's Estonian team has grabbed second place, and a team from NATO came in third.
NATO also won the legal game, Germany topped the forensic challenges, while the team from the UK scored highest in the communications game.
But are war games like Locked Shields missing the point?
Locked Shields participants check the status of industrial control systems.
Image: NATO
While leaders have worried about all-out cyberattacks on critical infrastructure like the ones in Locked Shields, it is less obvious attacks that have caused the damage recently, like the hacking attacks on the Democratic National Committee in the run up to the US presidential elections and the hacking and leaking of emails from the Macron campaign just before the French elections. At least right now, spying and leaking seems to be having just as big an impact on politics as an attack on a power grid.
So are these teams planning for an attack that may never come and ignoring the trickier to defend attacks that are actually doing more damage? I asked CCD COE's elegantly bearded director Sven Sakkov if they are training for the right threats.
"Any unit needs training and preferably in the most realistic challenging live fire environment," he said, and pointed to events like the power cuts in western Ukraine as one example of the threats countries face.
"The issues of cybersecurity are front page news, so I suspect that we will see more, not less, in the future and I hope that because of the collective training that has been provided here in Tallinn for the Blue Teams distributed across Europe that some of the calamities hopefully might be avoided," he said.
But despite organising an event to help teams defend against these attacks, he also cautions against seeing every incident as cyberwar.
"If you say there is a cyberwar, then in international law that means there is an armed conflict between two nations with all the legal consequences and what that entails in terms of self-defense or collective self-defence," he noted.
"And if we cry wolf all the time and then actually we are in a situation where cyberattacks would result in people getting killed and things blown up, what will you call it then? Basically we undermine the terminology."
After the game finished, it was all packed away quickly; the ballroom became a ballroom again, and Berylia was packed up for another year.
And the teams returned to their normal lives, perhaps wondering if the next time they are called on to defend a country it will be for real.
