Regin Malware In EU Attack Linked To US and British Intelligence Agencies
Advocatus Diaboli writes The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.
On its website, the NSA states about its values: "We will protect national security interests by adhering to the highest standards of behavior".
So how would the NSA be able to explain to a child that computer viruses and malware represent the highest standard of behavior?
It is probably the same as stealing money on the street from a slightly overweight person and telling him/her that they needed to lose weight anyway and that the robber cares about them. If questioned, the street robber will counter by stating that the victim should be thankful, because in other streets (countries) you could be shot for even questioning.
Is encryption made vulnerable and weakened by the NSA also the "highest standard of behavior", dear beavers from the NSA?
That "land of free" sham was maintained for only as long as the USSR existed. Once it became Russia and a dozen other smaller countries, the "civilized" west just stopped pretending.
we're only "free" as long as we are explaining to a conquered people why we are bombing them.
Will this sophisticated malware work on anything other than Microsoft Windows:
"Symantec Security Response has not obtained the Regin dropper at the time of writing. Symantec believes that once the dropper is executed on the target’s computer, it will install and execute Stage 1. It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards". link
Kind of makes me wonder what happened to that "land of the free" part of the national character.
Well, at least we can still claim to be the "home of the brave." Of course, that just leaves us on a par with Freedonia.
This thought began as a joke, but this actually does sound how something like Skynet could be born. Malware is infamous for aggressively trying to preserve itself. We all joke about how stupid the idea of programming an AI with a strong sense of self-preservation is because of the obvious dangers, but that is exactly how malware is programmed. Programming it to control industrial systems as well (giving it a "body") seems like a really bad idea, particularly if the aim is not to sabotage the infected industrial system, but to cause as much damage to the target nation as possible (a reasonable wartime goal).
The code is of a quality set per user, depending on OS, installed AV and all other understood networking conditions.
A consumer OS with standard trusted consumer AV and trusted normal OS updates?
A well understood open source install, where a user looks over the deeper OS-level logs every day?
The presence of unique new code a user "installed" and "allowed" is not going to be reported on the huge anti-virus and anti-malware lists.
Will well understood behavior analysis on consumer-grade AV be looking in the correct place?
Gov and mil know all about what AV can do, and how unique code for one computer has to be installed so it is not really going to be found by consumer AV products.
Domestic spying is now "Benign Information Gathering"
Re "I wonder who was targeted?"
When different networks were still needed, experts did find a few interesting past projects:
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/...–05
The SISMI-Telecom scandal in Italy found in 2006 https://en.wikipedia.org/wiki/...
So many ppl come here and post that Windows is not only safe, but that it is targeted because of numbers. Yet, it is obvious that NSA and GCHQ targeted Windows. Why? I doubt that it was numbers, but ease of cracking.
So, in the meantime, how many companies will start switching to *nix?
I prefer the "u" in honour as it seems to be missing these days.
So many ppl come here and post that Windows is not only safe, but that it is targeted because of numbers. Yet, it is obvious that NSA and GCHQ targeted Windows. Why? I doubt that it was numbers, but ease of cracking.
If your targets use Windows it would be a real stroke of genius to distribute attacks against Linux, don't you think?
Duh.
So, in the meantime, how many companies will start switching to *nix?
What is the *nix equivalent to secure boot? Signed kernel modules? What is the *nix equivalent to Measured Boot and Network Access Protection? How does an organization automatically and immediately detect and isolate potentially infected hosts?
Every operating system out there will experience exploitable vulnerabilities. Applications running on top of the operating systems will experience exploitable vulnerabilities. The most recent severe vulnerabilities that have been mass exploited are *nix vulnerabilities like Heartbleed and Shellshock. No operating system is immune.
That's why defense in depth is important. Windows starts its defenses before boot, by using Secure Boot. This ensures that only approved bootloaders run. It prevents bootkits. Some Linux distros support a weak form of secure boot (it doesn't protect all types of resources; notably, scripts and config files are not digitally signed). Windows loads all kernel components from signed "cabinet" files, protecting all assets used during boot. If a rootkit tampers with any of the files, the system will refuse to boot.
During boot, before loading *any* kernel module, Windows will compute a hash of the module and record it in the TPM hardware module along with name, size, dates and other metadata. Upon successful boot (but before other hosts will accept traffic from the system) the OS asks the TPM for a signed "health" record. The TPM will issue a signed document with all the recorded info that the host can present to a health certificate server. The health cert server can investigate the list of loaded modules and compare against known whitelists and/or blacklists. If everything checks out, the health cert server issues a certificate the booting host must use when communicating with other hosts. Unless it can present such cert, the other hosts will refuse to communicate with the host.
Does 'Nix support such security in depth?
Such targeted attacks will target whatever operating system is being used by the target. Targets must consider the possibility that any host can be breached through an application or OS vulnerability. With that recognition, they must ensure expedient diagnosis and isolation. In that area, a Windows server infrastructure can be set up to become extremely strong.
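The measured-boot and health-certificate flow the comment above describes (hash each module before it loads, extend the measurement into the TPM, have the TPM sign a quote, let a verifier replay the log against a whitelist and only then issue a certificate) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from Windows, any TPM vendor or the commenter. It assumes a single PCR, a constructed set of "module" blobs, and a TPM attestation key modelled as an HMAC secret shared with the verifier; a real TPM signs quotes with an asymmetric attestation key whose public half the verifier holds. The module names and the "health CA" key are likewise constructed for the demo.

```python
"""Toy measured boot + remote attestation (added example, not from the page)."""
import hashlib
import hmac
import json

# Constructed demo keys. A real TPM would sign with an asymmetric attestation key.
ATTESTATION_KEY = b"tpm-attestation-key-demo"
HEALTH_CA_KEY = b"health-ca-key-demo"


class ToyTPM:
    """Holds one PCR and the event log that explains how the PCR got its value."""

    def __init__(self):
        self.pcr = b"\x00" * 32      # PCRs are zeroed at platform reset
        self.event_log = []

    def extend(self, module_name, module_bytes, metadata):
        """Record a module measurement before the module is loaded."""
        digest = hashlib.sha256(module_bytes).hexdigest()
        # PCR extend: new = H(old || measurement). Order matters and it cannot be undone,
        # so a rootkit loaded later cannot erase its own measurement.
        self.pcr = hashlib.sha256(self.pcr + bytes.fromhex(digest)).digest()
        self.event_log.append({"module": module_name, "sha256": digest, **metadata})
        return digest

    def quote(self, nonce):
        """Signed statement of the PCR value plus the log, bound to a verifier nonce."""
        payload = json.dumps(
            {"pcr": self.pcr.hex(), "nonce": nonce, "log": self.event_log}, sort_keys=True
        ).encode()
        sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class HealthCertServer:
    """The verifier: checks the quote and issues a health certificate or refuses."""

    def __init__(self, whitelist):
        self.whitelist = whitelist   # module name -> allowed sha256

    def verify(self, quote, expected_nonce):
        payload = quote["payload"]
        expected_sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, quote["signature"]):
            return None, "bad quote signature"
        data = json.loads(payload)
        if data["nonce"] != expected_nonce:
            return None, "stale quote (nonce mismatch)"
        # Replay the event log: it must reproduce the signed PCR value exactly,
        # otherwise the log was edited after the measurements were taken.
        pcr = b"\x00" * 32
        for event in data["log"]:
            pcr = hashlib.sha256(pcr + bytes.fromhex(event["sha256"])).digest()
        if pcr.hex() != data["pcr"]:
            return None, "event log does not reproduce PCR"
        # Every loaded module must be on the whitelist with the expected hash.
        for event in data["log"]:
            if self.whitelist.get(event["module"]) != event["sha256"]:
                return None, "unknown or modified module: " + event["module"]
        cert = hmac.new(HEALTH_CA_KEY, (data["pcr"] + data["nonce"]).encode(),
                        hashlib.sha256).hexdigest()
        return cert, "ok"


def boot_and_attest(modules, whitelist, nonce="nonce-1"):
    """Simulate one boot: measure each module, quote, and ask for a health cert."""
    tpm = ToyTPM()
    for name, blob in modules:
        tpm.extend(name, blob, {"size": len(blob)})
    return HealthCertServer(whitelist).verify(tpm.quote(nonce), nonce)


# Constructed sample "kernel modules" (names and contents are made up for the demo).
GOOD_MODULES = [("ntoskrnl.exe", b"kernel-v1"), ("tcpip.sys", b"tcpip-v1")]
WHITELIST = {name: hashlib.sha256(blob).hexdigest() for name, blob in GOOD_MODULES}
EXTRA_MODULES = GOOD_MODULES + [("unsigned_extra.sys", b"stage1")]
TAMPERED_MODULES = [("ntoskrnl.exe", b"kernel-v1"), ("tcpip.sys", b"tcpip-v1-patched")]

if __name__ == "__main__":
    for label, mods in [("clean", GOOD_MODULES), ("extra", EXTRA_MODULES),
                        ("tampered", TAMPERED_MODULES)]:
        cert, status = boot_and_attest(mods, WHITELIST)
        print(label, status, "cert issued" if cert else "no cert")
```

The two things the verifier must never skip are the replay of the log against the signed PCR (the log on its own is just an unsigned text file the host could rewrite) and the nonce (without it a host could replay a quote from a clean boot after it has been rooted). The whitelist check is where the "unique code installed on one computer" argument from the earlier comment bites: a module that is not on the list fails attestation even though no AV signature exists for it.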
Not loading modules at all. It's just one kernel compile away. That's been done for security reasons by some people since about when this site started or before. Some people even had their stuff boot from read-only optical media to avoid such threats back when the possibility of tainted kernel modules was first discussed.