Original release date: February 04, 2014 | Last revised: March 10, 2014
Overview

Whether traveling to Sochi, Russia for the XXII Olympic Winter Games, or viewing the games from locations abroad, there are several cyber-related risks to consider. As with many international-level media events, hacktivists may attempt to take advantage of the large audience to spread their own message. Additionally, cyber criminals may use the games as a lure in spam, phishing, or drive-by-download campaigns to gain personally identifiable information or harvest credentials for financial gain. Lastly, those physically attending the games should be cognizant that their communications will likely be monitored.

Hacktivists

A number of hacktivist campaigns may attach themselves to the upcoming Olympics simply to take advantage of the on-looking audience. For example, the hacktivist group Anonymous Caucasus has launched what appears to be a threat against any company that finances or supports the winter games. This group states the Sochi games infrastructure was built on the graves of 1 million innocent Caucasians who were murdered by the Russians in 1864. According to Trusted Third Party analysis, the group has been linked to distributed denial of service (DDoS) attacks on Russian banks in October 2013. Therefore, the group is likely capable of waging similar attacks on the websites of organizations they believe financed Olympic-related activities; however, no specific threat or target has been identified at the time of this report.

Olympic coverage

Whether viewing live coverage, event replays, or checking medal statistics online, it is important to visit only trusted websites. Events which gain significant public interest and media coverage are often used as lures for spam or spearphishing campaigns. Malicious actors may also create fake websites and domains that appear to be official Olympic news or coverage and that can be used to deliver malware to an end user upon visiting the site (also known as drive-by downloads or watering holes).

NBCUniversal offers exclusive coverage of the games for viewers via NBC, NBCSN, MSNBC, USA Network, NBCOlympics.com and corresponding Twitter, Facebook and Instagram accounts. Viewers should be wary of any other source claiming to provide live coverage. As always, it is best to visit trusted resources directly rather than clicking on emailed links or opening attachments.

Purchasing tickets or merchandise at the Games

According to the official Winter Olympics website, http://www.sochi2014.com, Visa will be the only card accepted for all purchases, including tickets and merchandise, at the Games. Tickets may only be purchased through Authorized Ticket Resellers (ATR). Individuals can validate the authenticity of an ATR offering tickets by using the “Website Checker” tool available on the official Sochi website. The designated ATR in the United States is CoSport, and at the time of this report, individuals purchasing tickets through CoSport may only pick up their tickets at CoSport’s Host City Collection Center in Sochi, Russia. Any ticket offer from a site not recognized as an ATR, or one accepting payment methods other than Visa, is likely fraudulent and should be met with skepticism.

Traveling to Sochi

When traveling abroad it is important to know your host country’s laws and policies, particularly when it comes to privacy. Russia has a national system of lawful interception of all electronic communications. The System of Operative-Investigative Measures, or SORM, legally allows the Russian FSB to monitor, intercept, and block any communication sent electronically (i.e., cell phone or landline calls, internet traffic, etc.).

SORM-1 captures telephone and mobile phone communications, SORM-2 intercepts internet traffic, and SORM-3 collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations. Reports of Rostelecom, Russia’s national telecom operator, installing deep packet inspection (DPI) mean authorities can easily use key words to search and filter communications. Therefore, it is important that attendees understand communications while at the Games should not be considered private.

Russia also retains broad inbound encryption license requirements. Taking laptops and other devices into the country is unrestricted; however, software may be inspected upon departure. This means any computer or software containing sensitive or encrypted data may be confiscated by Russian authorities when individuals depart from the country. Travelers may want to consider leaving personal electronic devices (e.g., laptops, smartphones, tablets) at home, or alternatively bring loaner devices that do not already store sensitive data and can be wiped upon return to your home country. If individuals decide to bring their personal devices, they should consider all communications and files on them to be vulnerable to interception or confiscation.
References

Message from Caucasus Anonymous on Operation Pay Back for Sochi 2014 to Russian government
NBC Sports Pressbox
As Sochi Olympic venues are built, so are Kremlin's surveillance networks
How deep packet inspection works
Use Caution When Traveling With Encryption Software
Author: NCCIC Watch & Warning
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: November 04, 2013
Overview

Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. This publication is focused on the threat of enterprise-scale distributed propagation methods for malware and provides recommended guidance and considerations for an organization to address as part of its network architecture, security baseline, continuous monitoring, and Incident Response practices.

While specific indicators and modules related to destructive malware may evolve over time, it is critical that an organization assess its capability to actively prepare for and respond to such an event.

Potential Distribution Vectors

Destructive malware has the capability to target a large scope of systems, and can potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess its environment for atypical channels for potential malware delivery and/or propagation throughout its systems. Systems to assess include:

- Enterprise Applications – particularly those which have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
  - Patch Management Systems,
  - Asset Management Systems,
  - Remote Assistance software (typically utilized by the corporate Help Desk),
  - Anti-Virus,
  - Systems assigned to system and network administrative personnel,
  - Centralized Backup Servers, and
  - Centralized File Shares.

While not applicable to malware specifically, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:

- Centralized storage devices
  - Potential Risk – direct access to partitions and data warehouses;
- Network devices
  - Potential Risk – capability to inject false routes within the routing table, delete specific routes from the routing table, or remove/modify configuration attributes, which could isolate or degrade availability of critical network resources.

Best Practices and Planning Strategies

Common strategies can be followed to strengthen an organization’s resilience against destructive malware. Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.

Communication Flow

- Ensure proper network segmentation.
- Ensure that network-based access-control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols, and that directional flows for connectivity are represented appropriately.
  - Communication flow paths should be fully defined, documented, and authorized.
- Increase awareness of systems which can be utilized as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
  - Ensure that these systems are contained within restrictive VLANs, with additional segmentation and network access controls.
- Ensure that centralized network and storage devices’ management interfaces are resident on restrictive VLANs.
  - Layered access control, and
  - Device-level access-control enforcement – restricting access to only pre-defined VLANs and trusted IP ranges.

Access Control

- For Enterprise systems which can directly interface with multiple endpoints:
  - Require two-factor authentication for interactive logons.
  - Ensure that authorized users are mapped to a specific subset of enterprise personnel. If possible, the “Everyone”, “Domain Users”, or “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
  - Ensure that unique domain accounts are utilized and documented for each Enterprise application service.
    - The context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
    - This provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
  - If possible, do not grant a service account local or interactive logon permissions.
    - Service accounts should be explicitly denied permissions to access network shares and critical data locations.
  - Accounts which are utilized to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
- Continuously review centralized file share access-control lists and assigned permissions.
  - Restrict Write/Modify/Full Control permissions when possible.

Monitoring

- Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts:
  - Failed logon attempts,
  - File share access, and
  - Interactive logons via a remote session.
- Review network flow data for signs of anomalous activity:
  - Connections utilizing ports which do not correlate to the standard communication flow associated with an application,
  - Activity correlating to port scanning or enumeration, and
  - Repeated connections utilizing ports which can be utilized for command and control purposes.
- Ensure that network devices log and audit all configuration changes.
  - Continually review network device configurations and rule sets to ensure that communication flows are restricted to the authorized subset of rules.

File Distribution

- When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined time period).
  - This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.
- Monitor and assess the integrity of patches and AV signatures which are distributed throughout the enterprise.
  - Ensure updates are received only from trusted sources,
  - Perform file and data integrity checks, and
  - Monitor and audit the data that is distributed from an enterprise application.

System and Application Hardening

- Ensure that the underlying Operating System (OS) and dependencies (e.g., IIS, Apache, SQL) supporting an application are configured and hardened based upon industry-standard best practice recommendations.
- Implement application-level security controls based upon best practice guidance provided by the vendor. Common recommendations include:
  - Utilize role-based access control,
  - Prevent end-user capabilities to bypass application-level security controls,
    - Example – disabling Antivirus on a local workstation
  - Disable unnecessary or unutilized features or packages, and
  - Implement robust application logging and auditing.
- Thoroughly test and implement vendor patches in a timely manner.

Recovery and Reconstitution Planning

A Business Impact Analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):

- Characterization and classification of system components, and
- Interdependencies.

Based upon the identification of an organization’s mission critical assets (and their associated interdependencies), in the event that an organization is impacted by a potentially destructive condition, recovery and reconstitution efforts should be considered.

To plan for this scenario, an organization should address the availability and accessibility of the following resources (and should include the scope of these items within Incident Response exercises and scenarios):

- Comprehensive inventory of all mission critical systems and applications:
  - Versioning information,
  - System / application dependencies,
  - System partitioning / storage configuration and connectivity, and
  - Asset Owners / Points of Contact.
- Contact information for all essential personnel within the organization,
- Secure communications channel for recovery teams,
- Contact information for external organizational-dependent resources:
  - Communication Providers,
  - Vendors (hardware / software), and
  - Outreach partners / External Stakeholders
- Service Contract Numbers – for engaging vendor support,
- Organizational Procurement Points of Contact,
- ISO / image files for baseline restoration of critical systems and applications:
  - Operating System installation media,
  - Service Packs / Patches,
  - Firmware, and
  - Application software installation packages.
- Licensing/activation keys for Operating Systems (OS) and dependent applications,
- Enterprise Network Topology and Architecture diagrams,
- System and application documentation,
- Hard copies of operational checklists and playbooks,
- System and application configuration backup files,
- Data backup files (full/differential),
- System and application security baseline and hardening checklists/guidelines, and
- System and application integrity test and acceptance checklists.

Containment

In the event that an organization observes a large-scale outbreak that may be reflective of a destructive malware attack, in accordance with Incident Response best practices, the immediate focus should be to contain the outbreak and reduce the scope of additional systems which could be further impacted.

Strategies for containment include:

- Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable) from which a malicious payload could have been delivered:
  - Centralized Enterprise Application,
  - Centralized File Share (for which the identified systems were mapped or had access),
  - Privileged User Account common to the identified systems,
  - Network Segment or Boundary, and
  - Common DNS Server for name resolution.
- Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
  - Implement network-based access-control lists to deny the identified application(s) the capability to directly communicate with additional systems,
    - This provides an immediate capability to isolate and sandbox specific systems or resources.
  - Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
    - An organization’s internal DNS can also be leveraged for this task, as a null pointer record could be added within a DNS zone for an identified server or application.
  - Readily disable access for suspected user or service account(s), and
  - For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems.

As related to incident response and incident handling, organizations are reminded to:

- Report the incident to US-CERT and/or ICS-CERT for tracking and correlation purposes, and
- Preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes.
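The Monitoring recommendations above (anomalous references to privileged and service accounts in security logs, and flow data showing non-standard ports, scanning, or repeated connections on ports associated with command and control) can be turned into a first-pass triage script. This is an added example, not US-CERT code; the log and flow records are constructed, and the account names, hostnames, authorized-port map and watch-list ports are assumptions a team would replace with its own inventory.

```python
# Added example (not US-CERT code): triage of constructed security-log and
# flow records against the Monitoring recommendations above. Account names,
# hostnames, the authorized-port map and the watch-list ports are assumptions.
from collections import Counter, defaultdict

SERVICE_ACCOUNTS = {"svc_patchmgmt", "svc_backup", "svc_av"}   # assumed inventory
PRIVILEGED_ACCOUNTS = {"corp\\da_admin"}                       # assumed inventory
AUTHORIZED_PORTS = {"patchsrv01": {8530, 8531}, "fileshare01": {445}}
WATCHLIST_PORTS = {4444, 8443}   # assumed list of ports the org watches for C2 use
FAILED_LOGON_THRESHOLD = 5

# Constructed sample records: "<event> user=<name> host=<host> type=<logon type>"
SAMPLE_LOGS = [
    "LOGON_OK user=svc_patchmgmt host=patchsrv01 type=service",
    "LOGON_OK user=svc_backup host=ws-finance-07 type=remote_interactive",
] + ["LOGON_FAILED user=corp\\da_admin host=fileshare01 type=network"] * 6

# Constructed flow tuples: (source host, destination host, destination port)
SAMPLE_FLOWS = [("patchsrv01", "ws-001", 8530), ("patchsrv01", "ws-002", 3389)]
SAMPLE_FLOWS += [("ws-017", "fileshare01", p) for p in range(20, 32)]
SAMPLE_FLOWS += [("ws-017", "203.0.113.9", 4444)] * 3

def review_logons(lines):
    # Flags service accounts logging on interactively (via a remote session)
    # and bursts of failed logons against privileged accounts.
    findings, failures = [], Counter()
    for line in lines:
        kind, *rest = line.split()
        a = dict(f.split("=", 1) for f in rest)
        user, host = a["user"], a["host"]
        if kind == "LOGON_FAILED" and user in PRIVILEGED_ACCOUNTS:
            failures[(user, host)] += 1
        elif (kind == "LOGON_OK" and user in SERVICE_ACCOUNTS
              and a["type"] in ("interactive", "remote_interactive")):
            findings.append(f"service account {user} interactive logon on {host}")
    for (user, host), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(f"{n} failed logons for {user} on {host}")
    return findings

def review_flows(flows, scan_threshold=10):
    # Flags traffic outside an application's authorized ports, one source
    # touching many ports on one host (scan/enumeration), and repeated
    # connections on watch-list ports.
    findings, ports_seen, watch_hits = [], defaultdict(set), Counter()
    for src, dst, port in flows:
        ports_seen[(src, dst)].add(port)
        if src in AUTHORIZED_PORTS and port not in AUTHORIZED_PORTS[src]:
            findings.append(f"{src} -> {dst}:{port} outside authorized ports")
        if port in WATCHLIST_PORTS:
            watch_hits[(src, dst, port)] += 1
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            findings.append(f"{src} touched {len(ports)} ports on {dst} (possible scan)")
    for (src, dst, port), n in watch_hits.items():
        if n > 1:
            findings.append(f"{n} repeated connections {src} -> {dst}:{port} (watch-list)")
    return findings
```

Running `review_logons(SAMPLE_LOGS)` and `review_flows(SAMPLE_FLOWS)` on the constructed data yields one finding for each condition the Monitoring list names; real deployments would feed exported security-event and NetFlow records through the same checks.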
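The first containment strategy above, determining a vector common to all affected systems, and the mitigations that follow it can be worked through over an asset inventory. This is an added example, not US-CERT code; the inventory, hostnames, application and share names, accounts and segments are constructed assumptions, and ranking each candidate by how many unaffected hosts also share it goes beyond the text (a candidate every host shares, such as the DNS server, explains the outbreak less well than one only the affected hosts share).

```python
# Added example (not US-CERT code): narrowing the likely distribution vector
# during containment, as described above. The inventory below is constructed;
# hostnames, application names, shares, accounts and segments are assumptions.
VECTOR_KEYS = ("enterprise_app", "file_share", "privileged_account", "segment", "dns")

def host(apps, shares, accounts, segment, dns):
    # One host's attributes, keyed by the candidate vector kinds listed above.
    return dict(zip(VECTOR_KEYS, (set(apps), set(shares), set(accounts), {segment}, {dns})))

# Constructed inventory: central apps that manage the host, mapped shares,
# privileged accounts that log on, network segment and DNS server.
INVENTORY = {
    "ws-001": host(["patchsrv01", "avmgr01"], [r"\\fileshare01\dept"], [r"corp\da_admin"], "vlan-10", "dns01"),
    "ws-002": host(["patchsrv01", "avmgr01"], [r"\\fileshare01\dept"], [r"corp\helpdesk"], "vlan-10", "dns01"),
    "ws-003": host(["patchsrv01"], [r"\\fileshare02\eng"], [r"corp\da_admin"], "vlan-20", "dns01"),
    "ws-004": host(["patchsrv02", "avmgr01"], [r"\\fileshare01\dept"], [r"corp\helpdesk"], "vlan-10", "dns01"),
    "ws-005": host(["patchsrv02"], [r"\\fileshare02\eng"], [], "vlan-20", "dns01"),
}
AFFECTED = ["ws-001", "ws-002", "ws-003"]   # hosts showing the destructive behaviour

def common_vectors(inventory, affected_hosts):
    # For each vector kind, keep the values shared by every affected host and
    # count how many unaffected hosts also share them ("exposure"). A value
    # with low exposure explains the outbreak better than one everyone has.
    affected = set(affected_hosts)
    results = []
    for key in VECTOR_KEYS:
        common = None
        for h in affected:
            vals = inventory[h][key]
            common = set(vals) if common is None else common & vals
        for value in sorted(common or ()):
            exposure = sum(1 for h, attrs in inventory.items()
                           if h not in affected and value in attrs[key])
            results.append((key, value, exposure))
    results.sort(key=lambda r: (r[2], VECTOR_KEYS.index(r[0]), r[1]))
    return results

# Mitigations the text lists for the vector kinds it pairs them with.
ACTIONS = {
    "enterprise_app": "ACL: deny {v} direct communication with additional systems; "
                      "null-route or add a DNS null record for its address",
    "file_share": "remove access to {v} or disable the share path",
    "privileged_account": "disable access for account {v}",
}

def containment_plan(inventory, affected_hosts, max_exposure=0):
    # Turn the strongest leads (exposure at or below max_exposure) into work items.
    plan = []
    for key, value, exposure in common_vectors(inventory, affected_hosts):
        if exposure <= max_exposure:
            plan.append(ACTIONS.get(key, "investigate {v} as a common " + key).format(v=value))
    return plan
```

On the constructed inventory, `common_vectors(INVENTORY, AFFECTED)` returns the patch server patchsrv01 with exposure 0 and the shared DNS server with exposure 2, so `containment_plan` proposes the ACL and null-route steps for patchsrv01 first.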
Author: ICS-CERT and US-CERT
Original release date: October 29, 2013 | Last revised: November 04, 2013
October 29, 2013 marks the 4th Annual Asia Pacific Economic Cooperation Cyber Security Awareness Day. To recognize this occasion and in observance of the 10th year of National Cyber Security Awareness Month in the United States, US-CERT, along with its international partners from Asia and Europe, is promoting a set of International Mobile Safety Tips that were developed by the National Cyber Security Alliance, InfollutionZero, the Cyber Security Awareness Alliance in Singapore, and the iZ HERO Project.

The goal of the campaign is to use harmonized messaging to reach out to children, families, and schools across the world, and to provide them with core principles and simple tips that can help people of all ages enjoy safer and more secure use of digital devices and the Internet.

US-CERT encourages users and administrators to view the International Mobile Safety Tips at the following link and share them with their respective communities.

http://stopthinkconnect.org/campaigns/details/?id=442

The guidelines below provide core principles and recommendations for more secure use of digital devices and the Internet.

- Keep software updated. Running the most recent versions of your mobile operating system, security software, apps and Web browsers is among the best defenses against malware, viruses and other online threats.
- Keep your device secure by using a strong password to lock your smartphone or tablet.
- Enable two-step authentication when offered, and change passwords to any accounts you accessed while connected to an unfamiliar network.
- Before downloading an application (app), make sure you understand what information (e.g., location, your contacts, social networking profiles, etc.) the app would access and share.
- Download apps from trusted sources.
- Back up your contacts, photos, videos and other mobile device data with another device or cloud service on a weekly basis.
- When using a public or unsecured wireless connection, avoid using sites and apps that require personal information like log-ins.
- Automatically connecting to networks can create vulnerabilities exploitable by hackers and others. Switch off your Wi-Fi and Bluetooth connections when not in use.
- Delete any online communications (e.g., texts, emails, social media posts) that look suspicious, even if you think you know the source.
- When banking or shopping online, use only trusted apps or websites that begin with https://.
- The Golden Rule. Be respectful on your device. Treat others as you would like to be treated when texting, calling or using social networks.
- Share with care. Be a true friend when taking and sharing photos and videos with your smartphone. Get permission from friends before you share them via text or social networks.
- Be Web wise. Stay informed of the latest updates to your device and apps. Know what to do if something goes wrong.

Related Topics:

- Safety and Security for the Business Professional Traveling Abroad: http://www.fbi.gov/about-us/investigate/counterintelligence/business-brochure
- (ST05-017) Cybersecurity for Electronic Devices: http://www.us-cert.gov/ncas/tips/ST05-017
- (ST04-017) Protecting Physical Devices: Physical Security: http://www.us-cert.gov/ncas/tips/ST04-017
International Mobile Safety Tips - Stop Think Connect