The Rise of "Onion-Layered" Attacks , IBM Says

"Onion-layered" security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.

IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated stealthy attacker who might expand their grip of the victim’s network without being detected for weeks or even months.

"As the name suggests, an 'onion-layered' security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event," the report said.

Such attacks demand large amounts of resources and time to investigate and mitigate, IBM says, given that stealthy attackers use sophisticated tools, are careful to cover their tracks, and use anti-forensic techniques to remain undetected. IBM also notes that anti-virus software alerts about malware on Internet-facing servers, unexpected reboots of servers and other unusual behavior, suspicious log records, and frequent user lockouts are signs that stealthy attackers have infiltrated a network.

Undetected attacks could prove highly damaging to companies, especially if the cybercriminals behind them manage to get hold of valuable data.  

“While the recovery of systems compromised by script kiddie attacks might take only a few days of an operation team’s time and effort, the job of finding a root cause, then fully understanding and remediating the work of the stealthy attackers could take months,” IBM said. Meanwhile, an undetected attacker could roam the network undetected, ultimately trying to gain access to the client’s crown jewels.

Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.

"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."

Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.

IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.

Read More

Indian Hackers Leaks 1.7 Million Snapchat User Data

Snapchat is going through one of its worst weeks in a while. First the ratings of its app took a nose dive in the fallout of its CEO’s alleged comment calling Indians poor ( read more about it here ) and now, reports are coming in that a hacker group has released details of around a million accounts.

White Hat Hackers

According to reports coming in, the leak contains user details of approximately 1.7 million accounts. The group that has leaked the details seems to be a white hat hacker group. White hat hackers usually hack into software systems to find loopholes that can be exploited and then report them for a reward. From the reports so far, we gather this particular group is considered to be one of the top white hat hacking groups around.

The report alleges that this data was acquired a while ago and has only now been released as a retaliation to Evan Spiegel’s comments. However, Snapchat is yet to officially confirm that any breach has taken place nor has there been any external confirmation of a breach whatsoever. Therefore, take this news with a pinch of salt for now.

The Controversy over the comments

Meanwhile Snapchat is still reeling over the comments which people have take offence to. It should be noted however, that these comments are only attributed to Evan Spiegel. There is no evidence that he’s actually said it, with the company officially denying it as well. The app has still faced the brunt through #BoycottSnapchat and #Uninstall_Snapchat trending on twitter over the weekend and the app ratings hitting the lowest possible in India & 2 out of 5 in the US.

Source: Indiatimes

Read More

WikiLeaks Promises to Publish Leaks on US Election, Arms Trade and Google

WikiLeaks Promises to Publish Leaks on US Election, Arms Trade and Google


Wikileaks completed its 10 years today, and within this timespan, the whistleblower site has published over 10 million documents, and there’s more to come.

In the name of celebration of its 10th Anniversary, Wikileaks promises to leak documents pertaining to Google, United States presidential election and more over the next ten weeks.

Speaking by video link to an anniversary news conference at the Volksbuhne Theater in Berlin on Tuesday morning, WikiLeaks founder Julian Assange eagerly announced his plans to release a series of publications every week for the next 10 weeks.

The upcoming leaks will include "significant material" related to Google, the US presidential election, military operations, arms trading and, the hot topic of past few years, mass surveillance.

Assange also promised to publish all documents related to the US presidential race before the election day on November 8.

"There is an enormous expectation in the United States," Assange said for the forthcoming leaks. "Some of that expectation will be partly answered; but you should understand that if we're going to make a major publication in relation to the United States at a particular hour, we don't do it at 3AM."

Assange initially planned to announce today's release from the balcony of the Ecuadorian Embassy in London, where he has been living since 2012 in an asylum for avoiding extradition to Sweden where he is facing sexual assault allegations. But he canceled his appearance, citing "security concerns."

When asked whether the upcoming leaks are aimed at damaging the image of US presidential candidate Hillary Clinton, Assange denied the claims, saying some of his statements in this regard had previously been misquoted.

"I certainly feel sorry for Hillary Clinton and Donald Trump," Assange said. "These are two people who are tormented by their ambitions, in different ways."

You can watch the video of the conference, marking WikiLeaks 10th Anniversary.

WikiLeaks has released 10 Million classified documents over past 10 years, among which include documents detailing US military operations in Afghanistan and Iraq, documents relating to the detention of prisoners by the America in Guantanamo Bay, and NSA's mass surveillance of world leaders.

Read More

Source Code for CIA’s Tool to Track Whistleblowers Leaked by Wikileaks

Wikileaks has just published a new batch of the Vault 7 leak, exposing the documentation and source code for a CIA project known as "Scribbles."

Scribbles, a.k.a. the "Snowden Stopper," is a piece of software allegedly designed to embed 'web beacon' tags into confidential documents, allowing the spying agency to track whistleblowers and foreign spies.

Since March, as part of its "Vault 7" series, the Whistleblowing website has published thousands of documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).

The CIA itself described Scribbles as a "batch processing tool for pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (foreign intelligence officers) actors."

Here's How Scribbles Tool Works:

Scribbles is coded in C# programming language and generates a random watermark for each document, inserts it into the document, saves all processed documents in an output directory, and creates a log file that identifies the watermarks inserted into every document.

This technique works exactly in the same way as the "tracking pixel" works, where a tiny pixel-sized image is embedded inside an email, allowing marketers and companies to keep track of how many users have seen the advertisement.

Using this tool CIA inserts a tiny uniquely generated file, hosted on a CIA-controlled server, to the classified documents "likely to be stolen."

So, every time the watermarked document is accessed by anyone, including potential whistleblowers, it will secretly load an embedded file in the background, which creates an entry on the CIA's server, containing unique information about the one who accessed it, including the time stamp and his/her IP address.

"It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document," Scribbles' user guide manual reads.

Scribbles Only Works with Microsoft Office Products

The user manual also specifies that the tool is intended for off-line preprocessing of Microsoft Office documents. So, if the watermarked documents are opened in any other application like OpenOffice or LibreOffice, they may reveal watermarks and URLs to the user.

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]...documents that are not be locked forms, encrypted, or password-protected."

However, since the hidden watermarks are loaded from a remote server, this technique should work only when the user accessing the marked documents is connected to the Internet.

WikiLeaks notes that the latest released version of Scribbles (v1.0 RC1) dated March 1, 2016, which indicates it was in use up until at least last year and seemingly meant to remain classified until 2066.

More technical details of Scribble can be found in the User Guide.

So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on hacking exploits the agency designed to target iPhones and Macs, the "Marble" batch, and the "Grasshopper" batch that reveal a framework, allowing the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

Read More