Chapter 25

A Quick Perspective on the Current State in Cybersecurity

Diogo A.B. Fernandes, Liliana F.B. Soares, João V. Gomes, Mário M. Freire and Pedro R.M. Inácio, University of Beira Interior, Covilhã, Portugal

Nowadays, cybersecurity makes headlines across the media and in companies, blogs, and social networks, among other places. The Internet is a wild cyberspace, an arena for commercialization, consumerism, business, and leisure, to name a few activities. Networks, populations, and nations around the world, now interconnected through the Internet, rely on it for their daily lives. But some Internet users have learned to take advantage of vulnerable systems and of Internet technologies for their own benefit, sending out spam, running phishing campaigns, causing data breaches, building botnets, and creating other threats. An underground criminal network has emerged, creating complex malware kits for several purposes. “Hacktivism” has become a popular term with many supporters worldwide, but cyberwarfare is now on the rise, gaining more and more attention from nation-states. This chapter provides a quick overview of these topics, discussing them in a timely manner, referencing key events from the past while focusing on the present day.

Keywords

cybersecurity; cyber-crime; cyber-warfare; threats; trends

Information in this chapter

• Cybersecurity

• Cyber-criminality

• Cyber-warfare

• Malware

• Phishing

• Spam

• Vulnerabilities

Introduction

This section starts by defining cybersecurity and information security terms, focusing on the latter, and then shedding light on the contributions this chapter makes. The clipping method used for this chapter is then described, and the chapter’s organization is outlined in the end.

The scope of cybersecurity

The terms “cybersecurity” and “information security” are sometimes used interchangeably. They overlap in meaning, but they also differ in key aspects [1]. “Security” refers to protecting resources from threats that exploit vulnerabilities. The distinction between “information” and “cyber” is one of information versus technology. Non-technological elements, like people, fall within information security. Non-information assets, like a hard drive or an Ethernet link, fall within cybersecurity.

Cybersecurity involves the cyberspace itself and its users, along with their personal, ethical, societal, and national capacity and interests. The Internet-enabled cyberspace, however, is a place full of dispute—an open battleground. Copyright infringement, intellectual property theft, censorship, privacy breach, digital surveillance, and cyberwarfare all contribute to these disputes [2]. Drama aside, the reality is that computer security is generally not prioritized, leaving systems wide open to threats. Meanwhile, security vendors, often accused of spreading fear, uncertainty, and doubt (FUD) to drum up business, tend to skew their reports according to their companies’ best interests [3]. But the threats are real and the consequences can be severe, as history has proven. Therefore, it is worthwhile to periodically survey the current state of cybersecurity by analyzing incidents, cases, and trends.

Contributions

This chapter’s purpose is to provide a quick perspective on the current state of the international arena of cybersecurity. Its contribution is threefold: First, some concepts important in this field are introduced and practical examples are provided. Second, key incidents of the past as well as recent events are discussed in order to understand how cybersecurity has evolved over time. Third, the chapter discusses several current hot topics in the cyber-world. We have gathered an extensive set of security resources and used them for this chapter. The chapter does not consider solutions but rather points out unresolved issues.

Clipping method

The work presented in this chapter is the result of daily efforts performed throughout the first half of 2013. On a daily basis, we searched for relevant cybersecurity discussions in the following places: the blogs of major vendors like Symantec, Kaspersky, and F-Secure; news feeds from various sites, online magazines, and journals; security documents of research laboratories; scientific articles; blogs and tweets of security experts; vulnerability databases; and search engines. This resulted in a set of articles, news clips, reports, and other documents, from which we extracted the more interesting ones and analyzed their credibility, veracity, and theoretical grounding before including them in the chapter. Every day, the chosen items were recorded in a list that follows the structure of this chapter, so as to classify each source. The study presented in this chapter distinguishes itself by its methodical analysis and discussion of the state of the art in cybersecurity. Due to space constraints, we do not include every reference compiled, citing only the most important ones.

Organization

The remainder of this chapter is structured as follows: The next section introduces key concepts in the cybersecurity field. Then, focus is put on malware and phishing, describing what stems from them while also discussing botnets, spam, and spear-phishing. The discussion then shifts to a description of vulnerabilities and data breaches, providing remarkable examples of each. Toward the end, the chapter sheds light on the current state of cyberspace through the lens of three threat profiles. The final section reflects on the main lessons learned.

Understanding the scope of cybersecurity

The prefix “cyber” originated in the 1990s, but only recently has it been combined with “security” [4] and given proper attention as a field. As security awareness has improved, protocols and applications have started to include an “s” for “secure” in acronyms like “HTTPS.” This section focuses on security enforcement in enterprise environments, on who the stakeholders of cyberspace are, and on how they operate in it.

Network perimeter

Since the 1990s, the openness of networks has gradually increased, opening doors for applications like email and websites, while the perimeter trust has gradually narrowed down, creating an attack spectrum spanning several vectors [5]. To reduce the exposure gap, networks are enclosed within various layers of security controls, whose purpose is preventing, detecting, and mitigating intrusions and other activities of similar nature. Such perimeters are traditionally composed of firewalls, intrusion prevention/detection systems, sensors and traffic analyzers, proxies and reverse proxies, load balancers, and anti-* solutions.1

Security controls are set up to log events, following the syslog standard, to a centralized point that is part of the Security Information and Event Management (SIEM) process. Security logs can be extremely large data sets, on the order of millions or even billions of rows. When processed by SIEM devices, the resulting information gives a picture of the network’s health status—a holistic view of the egress and ingress traffic points and systems. Front-end platforms analyze those events, correlate them, track patterns, and trigger pre-set alarms for a monitoring team typically placed within a Security Operations Center (SOC)—a Computer Emergency Response Team (CERT).
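As an added illustration of the parse-and-correlate step described above (example code, not from the chapter or from any SIEM product): a small collector that normalizes constructed syslog lines from a firewall and a bastion host, applies a sliding-window rule for repeated authentication failures from one source, and enriches the resulting alarm with whether a second sensor (the firewall) saw the same source. Host names, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in BSD syslog (RFC 3164) format, as a central
# collector would receive them from two perimeter hosts. Not real log data.
SAMPLE_LOGS = """\
Jan 12 10:14:01 gw-fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
Jan 12 10:14:05 bastion sshd[1022]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 12 10:14:09 bastion sshd[1022]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 12 10:14:12 bastion sshd[1022]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Jan 12 10:14:40 bastion sshd[1040]: Failed password for alice from 192.0.2.55 port 40211 ssh2
Jan 12 10:15:03 bastion sshd[1041]: Accepted password for alice from 192.0.2.55 port 40212 ssh2
Jan 12 10:16:20 bastion sshd[1022]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jan 12 10:25:00 bastion sshd[1050]: Failed password for bob from 203.0.113.7 port 51200 ssh2
"""

# Header of a BSD syslog line: "timestamp host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
FW_DROP_RE = re.compile(r"\bDROP\b.*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dport>\d+)")


def parse_events(text, year=2013):
    """Normalize raw syslog lines into typed events (the SIEM 'parse' stage).
    BSD syslog timestamps carry no year, so the collector supplies one."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real SIEM would keep unparsable lines raw and count them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "app": m["app"], "kind": "other"}
        fail = AUTH_FAIL_RE.search(m["msg"])
        drop = FW_DROP_RE.search(m["msg"])
        if fail:
            ev.update(kind="auth_fail", user=fail["user"], src=fail["src"])
        elif drop:
            ev.update(kind="fw_drop", src=drop["src"], dport=int(drop["dport"]))
        events.append(ev)
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Correlation rule: at least `threshold` failed logins from one source
    inside a sliding time window raises an alarm. The alarm is enriched with
    whether the firewall also saw that source, i.e. a second sensor confirms it."""
    fails = defaultdict(list)
    dropped_sources = set()
    for ev in events:
        if ev["kind"] == "auth_fail":
            fails[ev["src"]].append(ev)
        elif ev["kind"] == "fw_drop":
            dropped_sources.add(ev["src"])
    alarms = []
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alarms.append({
                    "rule": "ssh-bruteforce",
                    "src": src,
                    "count": end - start + 1,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "confirmed_by_firewall": src in dropped_sources,
                })
                break  # one alarm per source; a real SIEM would suppress repeats
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_events(SAMPLE_LOGS)):
        print(alarm)
```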

The advent of “big data” has caused quite a commotion, and the industry has started to work out solutions. The SIEM process could surely benefit from such technology, which would optimize log processing and event correlation at large scale.

Responding to cybersecurity incidents

Responding to cybersecurity incidents involves internal procedures defined by the company’s policy. The de facto framework for incident response involves five steps: preparation, identification, mitigation, eradication, and recovery. The preparation phase consists of knowing the network, systems, applications, and the SOC infrastructure beforehand. The remaining four steps define the response flow for real-time incident response. The incident is first detected and identified. Then it is mitigated, that is, contained, to at least diminish its impact. Eradication involves eliminating possible compromised artifacts, for instance by patching vulnerabilities or purging malware, which supports the idea that a capacity for deep technical forensic investigation is required in the cybersecurity field. Finally, targeted systems are recovered and restored to their normal operation. In the simplest cases, the last two steps might not even be executed. Afterward, the lessons learned should be used to optimize the infrastructure and improve future incident response.

Sometimes Internet protocol (IP) addresses get included in known international blocking lists (e.g., the Spam and Open Relay Blocking System [SORBS]) for participating in spam or phishing campaigns. To delist IP addresses, CERTs have to cooperate with those cyber-authorities and provide evidence of eradication. CERTs also collaborate with other security teams around the world, thereby creating a white hat network of cyber-warriors that fight malefactors.

The most straightforward way to mitigate an incident is to block the source IP address or addresses. Blackhole Access Control Lists (ACLs) or drop rules are among the common techniques used. But these approaches can be problematic under Distributed Denial of Service (DDoS) conditions. It can be time-consuming to block many IP addresses, and both ACLs and rules put processing constraints on routers and firewalls. Moreover, many security controls are still stateful nowadays and rely on deep packet inspection and signature databases. However, both enterprise networks and the Internet are now lively, dynamic places, where many kinds of traffic originate from countless discrete devices, decreasing the effectiveness of such approaches. For example, the probability of anti-virus software correctly matching signatures with malware is roughly 30 to 50 percent [6].

Dynamic environments

Both the Internet and corporate networks are changing and becoming more dynamic environments, and security controls have to keep up with the changes. Cloud computing and Bring Your Own Device (BYOD) are gaining ground, but they also raise several security questions. How can company policy be enforced on outsourced infrastructures or on employee devices? Such devices can move seamlessly from one Wi-Fi hotspot to another and to telecommunications networks (e.g., 4G), and can carry malware while accessing the enterprise’s applications. Security controls lack the monitoring capability to address this situation, and end-point protection still needs development in this regard as well. Cisco [7] believes that people-to-machine, people-to-people, and machine-to-machine connections will play a key role in the future. Clearly, to maintain the traditional holistic perspective while overseeing evolving network components in the long term, it is necessary to recognize these key issues and adapt cybersecurity accordingly.

Threat profiles

In the context of cybersecurity, three threat profiles are considered: the hacktivist, the cyber-criminal, and the nation-state. Each of these profiles is enough to categorize cyber-threats in terms of personality, habits, motives, methods, and dedication. The hacktivist is the sort of threat that can be dangerous within a very short time-frame. It is also normally easy to guess when and where attacks are going to hit, because they are often publicized ahead of time to show off and gather supporters. The cyber-criminal, in contrast, is more wary, constantly looking over his or her shoulder, as it were. This profile is characterized by a meticulous and methodical approach that aims to make a profit at any cost on the underground. The nation-state profile is intrinsically linked to Advanced Persistent Threats (APTs) and state-sponsored threats. Hacktivists tend to engage in crises, whereas nation-states mean to disable target capabilities for cyber-warfare. Cyber-espionage lies somewhere in the gray area between these three, as it can be conducted by an entity with any profile, individual or group.

Malware, the infectious disease, and phishing, the fraud

Early computer viruses, dating from the late 1980s and early 1990s, were written for the pure challenge of it. Some would show simple animations over and over, while others showed just text. The Joshi virus, for example, would ask for user input only on its writer’s birthday. The early Linux and Windows viruses would only spread via disks. Today, viruses are dynamically carried on data files for various systems—Windows, Mac, and Linux—and purposes. The following sections provide an overview of what malware masterminds and phishers have been up to lately.

Malware trends

The continual search for profit is the reason for new surges of trojans mainly targeting the finance sector. Beta Bot evolved from an HTTP bot to a banking malware [8]. Shipped with an embedded rootkit, it offers a kill switch for other malware and is capable of stealing home banking credentials by capturing HTTP requests. VSkimmer steals credit card information from card readers plugged into machines running Windows [9]. With thousands of infected machines, the Kangoo botnet targets home banking theft [10]. In Brazil, a homemade browser tricks a home banking website into not needing a security plugin by disguising itself as a mobile browser [11] while, in fact, it is stealing user credentials.

It is more convenient to control a victim computer than to cause damage. However, McAfee [12] believes that destructive malware and ransomware on mobile devices will make a comeback. Indeed, in August 2012, the Shamoon malware took thousands of machines at the Saudi Arabian oil company Aramco down for a week [13]. These types of attacks can be troubling because they impact the real world. In this case, oil prices could increase. More recently, a time-bomb wiped out several computer hard drives of Korean financial institutions and TV broadcasters [14]. Other cases of Master Boot Record (MBR) wiping [15] have been reported, but with ransomware functionality too. Ransomware locks victim computers and encrypts data, asking for payment in order to undo the lock. Fees are demanded in the name of law enforcement authorities, like the Federal Bureau of Investigation (FBI) [16]. Moreover, Reveton, a well-known ransomware strain, has been updated with a password-stealing function [17].

Malware writers are focusing their efforts on new platforms. Smartphones, and consequently the BYOD paradigm, along with social networks and Mac machines, are making strides in the technology scene, but they also give rise to new arenas for malware development. On top of that, consumers are less aware of security risks in these environments, making them especially phishable. In 2012, a 2577 percent Android malware growth was recorded [7], with hundreds of new malicious samples per day and thousands already estimated for 2013 [18,19]. Most are profit-motivated and do not connect to Command-and-Control (CnC) servers, but the noteworthy ones do so, making mobile botnets little different from traditional ones.

Mobile malware focuses on toll fraud (premium-rate Short Message Service [SMS] messages), ad jacking, and bank fraud by capturing mobile Transaction Authentication Numbers (TANs) [19,20]. It spreads via drive-by downloads or malvertising, or even by disguising itself as a legitimate application on official stores like Google Play Store and Apple App Store. A noteworthy malware with multiple advanced functionalities has been uncovered [21]. Obad, as it was dubbed, is able to send premium-rate SMS messages, download and install other malware onto the device or send it further via Bluetooth, and remotely issue console commands on Android devices. Of more concern is the fact that, once it acquires administrative privileges by exploiting a flaw in the operating system, the user cannot delete it without root access.

Regarding social networks, the Dorkbot malware spreads through Facebook internal chat, hopping from one friend to another. It circulates in many countries and is capable of stealing personal information and spying on user activities [22]. Another malware [23] posts malicious links on Facebook, while another surge [24] tweets malicious links on Twitter. Furthermore, signs of malware are beginning to show up on Macs. The best example is the popular Flashback trojan, which exploited a vulnerability in Java. The recently found spyware Kumar dumps and uploads screenshots to CnC servers [25]. The most interesting aspect of this evildoer is that it was signed with a valid Apple Developer ID.

In general, cyber-criminals develop mainstream functionalities to reinforce malware but also to avoid detection and slip past anti-virus software. Recent anti-virtual-machine, anti-debugging, and anti-sandbox techniques have been used by malware to evade detection, because those isolated environments are used to analyze malware [26]. For example, malware can ascertain whether infected machines have mouse movements or not, the latter being evidence of dormant systems devoid of user interaction. These techniques are also of particular concern for cloud computing. Truly, it is a game of cat and mouse between the white hat and black hat communities. Malware, the infectious digital disease, will not fade away in the near future. When new technologies come along, malware can be expected to follow them into unexpected places [27]. This is the case of the Internet of Everything (IoE) [7], where IP-enabled devices connected to the Internet, like TVs and cars, can run existing operating systems similar to Android.

Botnets

A botnet is a network of computers (bots) infected with malware and controlled through a CnC infrastructure, or mothership. Botmasters issue commands from CnC servers to bots. Malware can be written for virtually anything. In some cases, Remote Administration Tools (RATs) (e.g., the Travnet botnet [28]) allow complete control over the machines, making them suitable for APTs. Botnets are mostly known and perceived (negatively) in this way.

Botnet defenses

There have been successful shutdowns of botnets (e.g., Waledac, Kelihos, and more recently Citadel [29] and ZeuS, although ZeuS variants are reemerging strongly [30]). But Peer-to-Peer (P2P) botnets (e.g., ZeroAccess and Sality) are more resilient to sinkholing, because the absence of a central server makes it harder to redirect bots and to estimate the population by crawling upward through peer lists (bots restrict who they add to their peering lists, including injected sensors) [31]. P2P botnets have been growing at a fast pace ever since the advent of their forefathers, like Storm and Waledac. For example, the MultiBanker botnet recently added Jabber P2P communication [32].

Although rare, some botnets borrow the fast-flux feature from the Domain Name System (DNS) to hide proxies, CnC servers, or even phishing and drive-by malware websites. This feature rapidly swaps DNS records in and out with small time-to-live values, so that in single fast-flux mode an array of IP addresses is hidden behind one Fully Qualified Domain Name (FQDN). The double fast-flux mode changes both the A and NS records of a domain. Furthermore, botnets can use a deterministic Random Domain Name Generator (RDNG) to hinder sinkholing. For this to work, botmasters must register the domains before the bots generate and look them up. An RDNG is a basic algorithm. If understood, it may be possible to sinkhole bot traffic by anticipating the domain’s registration, pointing DNS records to controlled sinkhole servers. However, some malware might include blacklists of known vendor subnets to prevent this. In such a case, it is more effective to set up a proxy or to use the same fast-flux technique. To make things worse, CnC servers can be spread throughout various nations, thus crossing jurisdictional bounds and creating legal issues. In addition, the emergence of cloud computing has made it easy to acquire on-demand servers. That, combined with bulletproof hosting and the botnet defenses described above, makes hunting CnC servers a tricky and challenging task.
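An added example of the anticipation step described above, not code from the chapter or from any real botnet: a constructed toy RDNG that derives each day’s candidate domains from a shared seed and the date, together with the defender-side functions that, once the algorithm and seed have been recovered from a sample, enumerate the upcoming domains, split them into ones still free to pre-register for sinkholing versus ones already held by the botmaster (which need a takedown), and flag resolver lookups of those names. The seed, dates and TLD list are assumptions.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "info")


def toy_rdng(seed, day, count=5):
    """Constructed deterministic RDNG for illustration (not any real family).
    Bots and botmaster share `seed` and derive the day's candidate domains
    from it, so no CnC address has to be hard-coded in the binary."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        # 12 lowercase letters from the first 24 hex digits; TLD from the last byte
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[int(digest[-2:], 16) % len(TLDS)]}")
    return domains


def anticipate(seed, start, days_ahead, count=5):
    """Defender's step: with the algorithm and seed recovered from a sample,
    enumerate every domain the bots will try on each of the next days."""
    return {start + timedelta(days=d): toy_rdng(seed, start + timedelta(days=d), count)
            for d in range(days_ahead)}


def sinkhole_plan(schedule, registered_by_botmaster):
    """Split the anticipated domains into those still free (register them and
    point their A records at the sinkhole) and those the botmaster already
    holds (those need a registrar takedown instead)."""
    plan = {"register_and_sinkhole": [], "request_takedown": []}
    for day in sorted(schedule):
        for dom in schedule[day]:
            key = "request_takedown" if dom in registered_by_botmaster else "register_and_sinkhole"
            plan[key].append(dom)
    return plan


def classify_query(qname, schedule):
    """Resolver-side check: if a looked-up name is one the RDNG yields inside the
    anticipated window, return the day it belongs to (an infected host calling
    home); otherwise return None."""
    qname = qname.lower().rstrip(".")
    for day, domains in schedule.items():
        if qname in domains:
            return day
    return None


if __name__ == "__main__":
    # Constructed seed; a real one would come from reverse-engineering a sample.
    schedule = anticipate("example-seed", date(2013, 4, 1), 3)
    taken = set(schedule[date(2013, 4, 1)][:1])  # assume the botmaster holds one already
    print(sinkhole_plan(schedule, taken))
```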

Carna botnet

A recent anonymous study [33] showed how to use a botnet for added scientific value. An Internet census of the entire Internet Protocol version 4 (IPv4) address space was presented, aiming at collecting network statistics. But to achieve that in practical time, the researcher used the so-called Carna botnet, composed of thousands of insecure embedded devices reachable from the Internet rather than sitting behind a firewall or Network Address Translation (NAT). Simple telnet login combinations (e.g., root:root or passwordless) on routers from vendors like Cisco and Juniper were sufficient to install a small binary—a worrying industry-wide phenomenon. On one hand, the study changes the widespread notion of botnets as evil. On the other, the way the data was collected is highly illegal in most countries and may fall under Articles 2 and 5 of the Cybercrime Convention [34]. The author professed good intentions and omitted the source of the study, and thus the legal consequences in this matter cannot be determined.

Wordpress botnet

Recently, cyber-criminals have exploited the popular blogging platform WordPress to build a large botnet with potentially over 90,000 nodes in a couple of days [35]. This achievement was possible because most WordPress-based websites have a default username “admin” with weak passwords like “123456,” so cracking them by brute force was easy.

Bitcoin botnets

Although quite new, bitcoin is already a popular digital currency. After its value increased to over $100, what followed was not surprising. Malware for mining bitcoins was spotted—a form of currency theft. First, a malicious campaign on Skype pointed towards malware going after bitcoin wallets [36]. Then, bitcoins were directly targeted [37]. A dropper would download the mining payload from a file hosting service. Mining bitcoins requires heavy mathematical computation. Because of this, the malware is easily detected by checking Central Processing Unit (CPU) usage. Another malware was discovered [38] that receives CnC commands but uses a legitimate mining application.

Good old DDoS

DDoS attacks are back, as active as they once were. Prolexic reported [39] a steep increase of 718 percent in bandwidth-related attacks, moving from 5.9 Gbps in Q4 2012 to 48.25 Gbps in Q1 2013. These findings, together with the 32.4 Mpps statistic, make blackholing mitigation techniques nonviable. In March 2013, Spamhaus was under the fiercest DDoS attack ever. The attack caused quite a commotion in the media and the industry. CloudFlare absorbed an impressive bombardment of 300 Gbps [40] against Spamhaus—a mark that became iconic. Such a high bit rate was attained through DNS reflection and amplification: open DNS resolvers around the world were queried with small ANY questions whose source address was spoofed to be the target’s, so the resolvers sent their large responses to the target.
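As an added example of the reflection-and-amplification pattern just described (constructed code, not from the chapter or from any resolver software): from constructed resolver query records, the following computes the amplification factor, flags an outside source that keeps drawing large ANY responses, which is how an open resolver abused as a reflector looks in its own logs when the source address is the spoofed victim, and counts how many responses a simple per-destination rate limit, the idea behind DNS Response Rate Limiting, would withhold. Address ranges, byte sizes and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver records: (time_s, client_ip, qtype, qname, req_bytes, resp_bytes).
# 40 ANY queries in two seconds "from" 203.0.113.10, the spoofed victim that will
# receive every response; plus normal traffic from a served client (10.0.0.5)
# and a handful of queries from a stray external address.
SAMPLE_RECORDS = (
    [(100 + i / 20, "203.0.113.10", "ANY", "example.net", 64, 3100) for i in range(40)]
    + [(100 + i, "10.0.0.5", "A", "www.example.org", 60, 120) for i in range(5)]
    + [(100.3, "198.51.100.4", "ANY", "example.net", 64, 3100)] * 3
)


def amplification_factor(req_bytes, resp_bytes):
    """Bytes the reflector emits per byte the attacker had to send."""
    return resp_bytes / req_bytes


def suspect_reflection(records, served_nets, min_queries=10, min_amp=10.0):
    """Flag source addresses outside the networks this resolver should serve
    whose queries repeatedly draw large responses. A resolver that answers
    recursively for anyone (an open resolver) is the reflector here; the
    flagged 'client' is really the victim whose address was spoofed."""
    nets = [ipaddress.ip_network(n) for n in served_nets]
    per_client = defaultdict(lambda: {"queries": 0, "any": 0, "req": 0, "resp": 0})
    for _, client, qtype, _, req, resp in records:
        if any(ipaddress.ip_address(client) in n for n in nets):
            continue  # legitimately served client: recursion is meant for it
        c = per_client[client]
        c["queries"] += 1
        c["any"] += int(qtype == "ANY")
        c["req"] += req
        c["resp"] += resp
    findings = []
    for client, c in per_client.items():
        amp = amplification_factor(c["req"], c["resp"])
        if c["queries"] >= min_queries and amp >= min_amp:
            findings.append({"client": client, "queries": c["queries"],
                             "any_share": c["any"] / c["queries"], "amp_factor": amp})
    return sorted(findings, key=lambda f: -f["queries"])


def response_rate_limit(records, per_client_per_second):
    """Count how many responses a per-destination limit of N per second would
    suppress. Legitimate clients rarely hit it; a reflection flood does."""
    sent = defaultdict(int)
    suppressed = 0
    for t, client, *_ in records:
        bucket = (client, int(t))
        if sent[bucket] >= per_client_per_second:
            suppressed += 1
        else:
            sent[bucket] += 1
    return suppressed


if __name__ == "__main__":
    print(suspect_reflection(SAMPLE_RECORDS, ["10.0.0.0/8"]))
    print("responses withheld by RRL:", response_rate_limit(SAMPLE_RECORDS, 5))
```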

Phishing and spam

Email spam is undoubtedly one of the greatest cyber-weapons. Good mass mail, such as newsletters, is characterized as non-spam (also known as ham). Mass mail carrying malicious attachments or images with Uniform Resource Locators (URLs) or text URLs pointing to malware or phishing servers is characterized as spam. Tricky social engineering methods fool email readers into opening such attachments or clicking on those URLs. Some 91 percent of targeted attacks involve spear-phishing emails, 94 percent of which have malicious email attachments [41]. Spam numbers have been decreasing for the past few years, but an increase was witnessed in early 2013: 97.4 billion spam emails and 973 million malware emails were sent worldwide each day, almost double the number tallied at the end of the previous year [42].

Email is a main tool for businesses but also a doorway for infiltrating corporate networks. Because software can remain unpatched for some time, some vulnerabilities can still be exploited by malware spammed years later. Malicious binaries are usually encapsulated within files of vulnerable programs or zip archives. They are not directly attached to messages because email gateways and spam filters usually block such attempts. For example, Gmail does not allow attachment of any executable file, compressed or not.

Year-round spam is about spoofed brands, mostly pharmaceuticals [7]. The Kelihos botnet was used for that purpose, sending enormous spam waves without regard for spam filters [43]. This is an old technique to maximize email throughput: if 99.99 percent gets blocked, the 0.01 percent that is not blocked still accounts for many emails. Spammers also take advantage of real-life events for improving their effectiveness, such as the tax season or a gadget launch, or unexpected events like the pope’s election. The recent Boston Marathon bombing [44] is a perfect example. Moreover, malware and phishing websites are usually set up on generic Top-Level Domains (TLDs) or on domains belonging to countries where cybersecurity laws are not stringent [45].

Beyond common email spam, SMS spam has become more frequent due to the increase in mobile devices. SMS messages are combined with phishing scams, such as promotional lures or advance fee frauds. A particular spam campaign in Europe [46] has been active for several months for profit. Social networks, namely Facebook, are also targeted for credential theft [47] or credit card information [48]. Twitter widely uses short URLs because of space constraints. Fake Twitter profiles spam tweets or direct messages with long URLs hidden behind URL-shortening services [49]. PayPal phishing scams were also on the rise during the initial months of 2013 [42].

Another spam profit-oriented technique consists of increasing the value of pre-bought penny stocks that are typically traded at low prices. Pump-and-dump spam advertises cheap targeted shares with a twist: also spamming that the company is on the verge of success. Unsuspecting individuals buy a portion of shares, and stock values rise momentarily. Then the spammers sell their stocks at higher prices. This technique has not been used for a while, but it is now making a massive comeback [42,50].

In general, phishing targets popular user platforms, and massive spam volumes are returning. Because spam mail with attachments tends to stand out among legitimate mail, spam filters are more likely to block it. While spam with attachments accounts for only 3 percent of all spam [7], spam with URLs is on the rise [51].

Vulnerabilities: The long exploitable holes

Vulnerabilities are a headache for system administrators. Upgrading a vulnerable operating system in a production environment is not straightforward because it may be supporting critical services or applications. Patching must nevertheless be considered carefully before committing to it. Vulnerabilities were the real story of 2012, reported Cluley of Sophos [3]. Indeed, mobile vulnerabilities are increasing [52]. Humans are not error-free, and software holes keep re-emerging. The following sections discuss vulnerability management, zero-days, and noteworthy vulnerable software.

Vulnerabilities management

In the security field, vulnerabilities are formally and officially described through a Common Vulnerabilities and Exposures (CVE) identifier [53], which has been a baseline index for evaluating tools and resources online since 1999. The National Vulnerability Database (NVD) contains a total of over 50,000 vulnerability records. The NVD is the responsibility of the National Institute of Standards and Technology (NIST), while MITRE is its main CVE Numbering Authority (CNA). CVE management is nevertheless a collaboration among several vendors, third-party coordinators, and researchers. Another initiative, the Open Source Vulnerability Database (OSVDB), created in 2002 for the security community, already contains over 90,000 entries. This initiative clearly shows that some want vulnerability management to be in the hands of the community rather than of a few people selected by the government.

Zero-day vulnerabilities

In the realm of vulnerabilities, zero-days are particularly important and can be alarming when exploited in the wild. A zero-day vulnerability is one unknown to the vendor, and it is most likely spotted when being exploited in the wild by malware. A watering hole campaign targeting older versions of Microsoft Internet Explorer [54] exploited the use-after-free zero-day identified as CVE-2012-4792. If fake objects could be allocated in the heap via heap spraying, the browser would call a function of a previously freed object, which would point to attacker-controlled shellcode. Since then, many other exploits of vulnerabilities in Internet Explorer were discovered; these were eventually patched in the cumulative update MS13-037 on a Patch Tuesday [55]. On the same day, Adobe also corrected many flaws in Flash. In total, 11 zero-days were identified in these programs, along with Adobe Reader and Oracle Java [56], when they were exploited. This is quite a high number.

Noteworthy vulnerable software

When discussing vulnerabilities, various exploits and subsequent attacks come to mind. Typically, the intent of a front-end hole exploit is to gain access to back-end system servers, notably databases. Popular attack vectors include Structured Query Language Injection (SQLi) and Cross-Site Scripting (XSS), along with others that exploit broken authentication and session management schemes [57]. Popular software is often the most scrutinized, and it is not surprising that flaws are found in it. The Web has become a streamlined attack vector, and thus holes in Web applications, browsers, plugins, and other sorts of software are critical for malware and hackers. Adobe Flash and Reader are among the top three most vulnerable, along with Java [52]. For the latter, a patch [58] addressing 50 vulnerabilities successively found in early 2013 was issued. Among browsers, Apple Safari, Google Chrome, and Mozilla Firefox rank as the top three most vulnerable.

Parallels Plesk Panel was recently found to be vulnerable to remote code execution. An exploit for spawning a shell was quickly disclosed. Not surprisingly, an Internet Relay Chat (IRC) botnet exploiting this vulnerability was found [59]. Although it was shut down, other botnets may appear. Also worrisome are long-standing vulnerabilities that are not patched. For example, Schneider Electric took 18 months to patch some product holes [60].

Data breach: A faulty containment

Cybersecurity is about protecting systems, but incident response is also about containment and eradication. In the case of data breaches, cybersecurity professionals should respond accordingly and make the necessary system modifications to prevent further breaches. This section discusses data breaches from three standpoints: cyber-attacks, unintentional data leakage, and whistleblowers. Current trends are discussed at the end.

Cyber-attacks

Data breaches caused by cyber-attacks come from external entities, and several occurred in the first half of 2013. Evernote issued a service-wide password reset for 50 million users after experiencing a network breach that potentially leaked usernames, emails, and encrypted passwords [61]. Twitter [62] did the same when 250,000 users’ data got compromised. Drupal also experienced this [63]. In particular, and quite different from the other attacks, a hacker was able to penetrate a military database containing sensitive information [64]. A cyber-attack originating from China and targeting The New York Times lasted four months [65]. The network was breached, and so was data used to access employees’ computers. This attack might be related to the Chinese APT recently uncovered by Mandiant [66]. The case of Mat Honan [67] is also worth mentioning. An attacker was able to extract, over the phone, small pieces of sensitive data from Amazon and Apple support, and then wipe all of Honan’s Apple devices, revealing a data breach at a smaller but no less dangerous scale.

Unintentional data leakage

Human error and system glitches together account for nearly two-thirds of data breaches, according to a recent survey [68]. In 2013, breaches of health information protected under the Health Insurance Portability and Accountability Act (HIPAA) were common. A hospital employee accidentally uploaded the personal information of over 1,000 patients to the hospital’s public website [69]; the leak was only detected some two months later. An incident at a health center affected almost 1,700 patients after a workstation infected with malware copied health records off premises. Finally, unattended or lost hardware can also lead to data leakage, as in the case of over 14,000 students’ social security numbers stored on a portable hard drive that sat unattended on a college computer for two days.
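Accidental uploads of the kind described above are usually caught by a content check at the publishing step rather than by any perimeter control. The following is an added illustration, not code from the chapter or from any of the organizations it mentions: a small pre-publication scanner that flags US social security numbers (using the Social Security Administration’s structural rules to discard impossible numbers) and payment card numbers (using the Luhn check digit). The sample document, including every number in it, is constructed for the example.

```python
"""
Pre-publication content scanner: flags US Social Security numbers and
payment card numbers in text before it is pushed to a public web site.
Added example, not code from the chapter. The sample document below is
constructed for illustration; none of the numbers belong to real people.
"""
import re
from dataclasses import dataclass

# 3-2-4 digit groups with '-', ' ' or nothing between them.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    kind: str   # "SSN" or "PAN"
    value: str  # matched text exactly as it appears in the document
    line: int   # 1-based line number in the document


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and no group or serial part may be all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return one Finding per plausible SSN or Luhn-valid card number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("SSN", m.group(0), lineno))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding("PAN", m.group(0), lineno))
    return findings


def safe_to_publish(text: str) -> bool:
    """Gate for the upload step: publish only when nothing was flagged."""
    return not scan_text(text)


# Constructed sample export; the SSN is a well-known dummy value and the
# card number is a standard test number, neither belongs to a real person.
SAMPLE = """\
Patient roster export (constructed sample data, not real people)
Name: Jane Doe, SSN 078-05-1120, MRN 44021
Name: John Roe, SSN 000-12-3456 (invalid area, should not fire)
Card on file: 4111 1111 1111 1111 (Luhn-valid test number)
Card on file: 4111 1111 1111 1112 (fails Luhn, should not fire)
Order #123456789012345 is a plain order id
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.value}")
    print("safe to publish:", safe_to_publish(SAMPLE))
```

The structural and checksum filters matter in practice: without them, every nine-digit identifier and every long order number is a false positive, and a noisy gate is the first thing an operator learns to bypass.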

Whistleblowers

The possibility of an insider turning rogue is always present. Malicious insiders, informants, and whistleblowers are all capable of leaking data to the outside. These breaches often involve more sensitive data, frequently under a national security umbrella; in fact, government ranks first among industries for data breaches [70]. The most controversial case in recent years is that of Julian Assange, founder of WikiLeaks, which publishes large sets of secret information provided by anonymous sources. More recently, Edward Snowden, a former NSA contractor, leaked documents describing the NSA’s PRISM surveillance program [71], causing a sensation. Snowden now finds himself in the same boat as Assange, seeking refuge and political asylum. Schneier [72], a field expert, argues that whistleblowers are needed to protect people from the abuse of power.

Trends

According to Verizon, 98 percent of the data breaches it analyzed in 2012 originated from external agents, mainly through some form of hacking, a share that has grown steadily [73]. Another relevant figure is the 61 percent of breaches caused by a combination of hacking and malware, both mainly going after credentials and payment card data. Symantec, on the other hand, reports that theft or loss accounted for 36 percent of all data breaches so far in 2013, surpassing hacking [74]. Breaches in the healthcare sector rose in 2012 [70,73], and so far the trend continues [74]. A good omen is the cost of a data breach, which has been falling for two years [68]; the study attributes the drop to organizations acknowledging breaches and improving their incident response and system protection.

Cyber-war, the latest war front

Cyberspace has become the fifth domain of war, alongside land, sea, air, and outer space [75]. In the vain hope of preventing protests organized over the Internet, some nations restrict access to it, with culture, censorship, religion, and politics all playing a role in that decision. The Great Firewall of China blocks social networks like Facebook and YouTube, and even Google services. In North Korea, the Internet is available only to a handful of people, mostly government and military personnel. Such control shapes and greatly restricts, if not eliminates, the surfing habits of users in those countries.

Cyber-war also complicates the scope of the laws of war, for instance in applying the notion of lawful combatancy to cyber-warriors [76]. Lately, several nations have been involved in disputes over cyberspace. From our analysis, the United States, China, Israel, Syria, South Korea, India, and Norway have all been victims or perpetrators of some form of cyber-war. Attacks have also shifted toward critical sectors like energy [77] and oil production [13,78]. This section first takes up underground cyber-criminality, then focuses on the current state of cyber-war and hacktivism, and ends with an overview of government developments with regard to cybersecurity and cyber-warfare.

The underground cyber-crime industry

Cyber-crime was once the activity of isolated individuals, but the underground is now crowded with organized criminal gangs. It is as if the classical gangsters and crime lords, who once counterfeited money and smuggled drugs, now write malware, sell it, and carry out targeted cyber-attacks for hire. A new criminal class has emerged, and nation-states must fight this threat as well.

In the underground, cyber-crime has been democratized. Malware, spam, and phishing campaigns aim at pocketing millions for their masterminds, and each gang member has a specific expertise: one writes the malware, another the spear-phishing e-mail, another runs the spam botnet, and so on. Like any other economy, the underground rewards competitive products. Crime packs, or exploit packs, bundle into a single piece of software numerous functions for commanding a botnet and for exploiting recently disclosed or zero-day vulnerabilities, and whoever is quickest to weaponize a new vulnerability wins the market. Well-known crime packs include Blackhole, ProPack and Sakura [79]. The death of Margaret Thatcher, for example, was hastily turned into a spam lure that led victims to Blackhole [80].

Cyber-criminals sell their products and services. Trend Micro provided [81] valuable insight into the Russian crimeware marketplace, one of the most dangerous in Eastern Europe. A pay-as-you-go business model is used, meaning that customers pay only for what they use. DDoS-as-a-Service (DDoSaaS) has also been gaining popularity [82]. Products and services are sold cheaply, yet together they form a multi-billion-dollar Cybercrime-as-a-Service (CaaS) economy [52]. When the ZeuS source code leaked in 2011, one of the most prolific malware families ever effectively became an open-source criminal project; variants have since shown up on mobile devices [83] and on social networks [84].

Notably, an underground forum devoted to trading stolen credit card data, run from Vietnam, was recently dismantled [85]. It had already facilitated over $200 million worth of fraud involving over one million credit cards. Agencies from several countries, including the FBI, jointly accomplished the takedown, a good sign for international cooperation against cyber-crime. Nevertheless, it is predicted [27] that fully and effectively addressing global cyber-crime will take time.

Advanced persistent threats

During the PC revolution of the 1980s, hackers were mostly teenagers playing around with code, computers, and networks. They thought trespassing in neighbors’ computers was something quite different from trespassing on neighbors’ property, but system administrators did not take such actions lightly and saw them as vandals and criminals [86,87]. A pioneering cyber-espionage incident related by Stoll [88] in the late 1980s confirms precisely this. After 10 months, he was able to trace an attacker through the maze of telephone circuitry to an overseas country, but only after struggling with three-letter agencies in the United States, none of which was willing to cooperate fully, either domestically or abroad. In the end, a German hacker who had persistently engaged in cyber-espionage for almost two years was discovered and sentenced for his crimes, which included selling stolen data to the KGB.

Today, the goal of cyber-espionage is no different, but its significance, technology, and methods have changed. A targeted attack consists of three phases [89]: intelligence gathering, threat modeling, and the attack itself. In the first half of 2013, four APT campaigns of note were uncovered by major security players.

Mandiant publicly attributed to a Chinese military unit an extensive cyber-espionage campaign dating back to at least 2006 [66]. This APT developed its own attack tools and malware, used hundreds of CnC servers and domains, and ran numerous spear-phishing campaigns, stealing hundreds of terabytes of data from at least 141 organizations spanning 20 major industries. The information security community took up the published indicators and started hunting for signs of this APT in its own networks. Tensions between China and other countries have followed, and China has itself since been the target of several attacks.

Operation Red October, as Kaspersky dubbed it [90], has been active since at least 2007, targeting government and military sites in several countries. Interestingly, its botnet infrastructure routes traffic through a layer of proxy servers before contacting the real CnC servers, hiding their location. Another APT campaign, dating back to 2005, has also been uncovered by Kaspersky [91]: a surveillance malware named NetTraveler, related to the Travnet botnet. Although its origin has not been disclosed, perhaps for lack of sufficient evidence, the group’s modus operandi resembles that of the Chinese group: both target a variety of industries with similar attack vectors. Greater NetTraveler activity against high-profile victims has been observed in the past few years.

Norman unveiled the Hangover group [92], an APT operating out of India. It attacked various countries and industries for several years, during which over 700 malware samples and hundreds of FQDNs were collected and analyzed. The Hangover group was also found to sell services in the underground, but preferred to install previously unknown backdoors on customers’ computers [93]. This APT has been linked to the Mac backdoor malware mentioned earlier.
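Each of the APT reports above (Mandiant’s, Kaspersky’s, and Norman’s) came with indicators of compromise: CnC domains, IP addresses, and file hashes that defenders then swept their own logs for. The following is an added example, not code released with any of those reports, of such a sweep over DNS resolver logs. Every domain, address, and log line in it is constructed (the `.test` and `.invalid` top-level domains and RFC 5737 documentation addresses are used so that nothing resolves to a real host), and the hypothetical indicator lists stand in for a vendor feed. The point it makes beyond the text is the matching rule: an indicator domain must match the query name or a subdomain of it, label by label from the right, and never a look-alike that merely contains the indicator string.

```python
"""
Indicator-of-compromise (IOC) sweep over DNS resolver logs.
Added example, not Mandiant's, Kaspersky's or Norman's code. All domains,
addresses and log lines are constructed (.test/.invalid TLDs, RFC 5737
documentation addresses) and stand in for a real indicator feed.
"""
from collections import defaultdict

# Hypothetical indicator feed, in the shape APT reports publish.
IOC_DOMAINS = {"update.example-c2.test", "news-portal.invalid"}
IOC_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed resolver log: timestamp, then key=value fields.
SAMPLE_LOG = """\
2013-02-20T10:01:02Z host=ws-017 query=update.example-c2.test type=A answer=203.0.113.7
2013-02-20T10:01:05Z host=ws-017 query=www.intranet.test type=A answer=10.0.0.12
2013-02-20T10:02:11Z host=fs-02 query=cdn.news-portal.invalid type=A answer=198.51.100.9
2013-02-20T10:03:00Z host=ws-044 query=mail.intranet.test type=A answer=198.51.100.42
2013-02-20T10:03:30Z host=ws-044 query=update.example-c2.test.attacker-lookalike.test type=A answer=192.0.2.5
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict of its key=value fields plus 'ts'."""
    tokens = line.split()
    rec = dict(kv.split("=", 1) for kv in tokens[1:])
    rec["ts"] = tokens[0]
    return rec


def domain_matches(qname: str, ioc_domains: set):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Labels are compared from the right, so 'cdn.news-portal.invalid' matches
    'news-portal.invalid' but 'update.example-c2.test.attacker-lookalike.test'
    does not match 'update.example-c2.test' (a substring check would)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def hunt(log_text: str, ioc_domains: set, ioc_ips: set) -> dict:
    """Map each internal host to the (timestamp, kind, indicator) hits it produced."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        domain = domain_matches(rec.get("query", ""), ioc_domains)
        if domain:
            hits[rec["host"]].append((rec["ts"], "domain", domain))
        if rec.get("answer") in ioc_ips:
            hits[rec["host"]].append((rec["ts"], "ip", rec["answer"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in hunt(SAMPLE_LOG, IOC_DOMAINS, IOC_IPS).items():
        for ts, kind, indicator in events:
            print(f"{host}: {kind} indicator {indicator} at {ts}")
```

In the constructed log, ws-017 resolves an indicator domain and receives an indicator address, fs-02 reaches a subdomain of an indicator, and ws-044 resolves a benign name whose answer is nonetheless an indicator address (a common pattern when a CnC address is reused behind new domains); the look-alike query in the last line correctly produces no hit.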

Hacktivism

Hacktivism is political, religious, or patriotic protest carried out by non-state groups driven by the desire to correct what they see as wrongful laws and corrupt governments. Notorious groups include LulzSec and Anonymous; key members of the former have been arrested and the group is now believed to be defunct, while the latter is spread worldwide. Hacktivists act against targeted computer infrastructures usually with popular, free tools, some of them considered “script kiddie” tools, to launch Denial of Service (DoS) attacks (e.g., the Low Orbit Ion Cannon [LOIC]), hack websites to put up defacement pages [94,95] or redirect URLs, or even leak sensitive data [95]. Some tools automate the whole attack. Marketing stunts are used to gather a cyber-militia united by a common vision. Hacktivism usually targets governments accused of oppression, such as those of Syria and Israel, in the name of the people said to be oppressed; in the hacktivists’ own view, this is ethical hacking in pursuit of a better world.

Although hacktivist attacks are announced beforehand, they may or may not succeed. For example, the operations dubbed #OpIsrael and #OpUSA (hashtags for “Operation Israel,” set up to protest Israeli policy toward the Palestinians, and “Operation USA,” mounted to protest American foreign policy) had an overall low impact [96,97]. Advance notice of this kind, and attack details that leak onto paste sites (e.g., Pastebin), can be used by CERTs to prepare for an attack. Still, the DDoS attacks against US banks in late 2012 and early 2013 were strong enough to consume much of the banks’ available bandwidth [98], corroborating the DDoS trend discussed earlier. Operations named #OpInnocence and #OpPedoHunt aim at stopping child abuse [99], while #OpGTMO opposes the Guantanamo Bay detention camp [100]. Interestingly enough, hackers gained access to the Associated Press Twitter account and posted false news of explosions at the White House [101], which briefly sent the US stock market tumbling.
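The bank DDoS attacks just mentioned illustrate why per-client rate limits are a poor defense against a distributed flood: each bot can stay under any plausible per-address limit while the aggregate saturates the link. As an added example, not code from the chapter or from any bank’s operations team, the detector below buckets web server access log entries into fixed windows and alerts on the aggregate request rate, reporting how many distinct sources contributed. The traffic is generated in-script and is constructed (RFC 5737 documentation addresses); the window size and baseline rate are illustrative parameters, not values from the page.

```python
"""
Volumetric HTTP flood detector over access logs in the Apache/Nginx
combined format. Added example, not code from the chapter. The log lines
are generated below and are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# client - - [timestamp] "request" status size ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the client address, timestamp, request line and status, or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "ts": datetime.strptime(m.group(2), TS_FMT),
            "req": m.group(3), "status": int(m.group(4))}


def detect_flood(lines, window_s=10, baseline_rps=2.0, factor=10.0, top_n=3):
    """Bucket requests into fixed windows and alert when a window's aggregate
    rate exceeds factor x baseline. The aggregate, not the per-address rate,
    is what a botnet pushes up: each source may send only a handful of requests."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["src"]] += 1
    alerts = []
    for start in sorted(buckets):
        per_source = buckets[start]
        rps = sum(per_source.values()) / window_s
        if rps > factor * baseline_rps:
            alerts.append({"window_start": start, "rps": rps,
                           "distinct_sources": len(per_source),
                           "top_sources": per_source.most_common(top_n)})
    return alerts


def make_sample_log():
    """Constructed traffic: 20 s of normal browsing (2 rps from 20 clients),
    a 10 s flood in which 200 distinct sources each send just two requests,
    then 10 s of normal browsing again."""
    t0 = datetime(2013, 3, 12, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(src, t):
        lines.append(f'{src} - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512')

    for s in list(range(0, 20)) + list(range(30, 40)):      # normal windows
        for k in range(2):
            emit(f"192.0.2.{(s * 2 + k) % 20 + 1}", t0 + timedelta(seconds=s))
    for i in range(200):                                     # flood window
        for k in range(2):
            emit(f"203.0.113.{i + 1}", t0 + timedelta(seconds=20 + (i + k) % 10))
    return lines


if __name__ == "__main__":
    for a in detect_flood(make_sample_log()):
        print(f"flood at {a['window_start']}: {a['rps']:.0f} rps from "
              f"{a['distinct_sources']} sources, top {a['top_sources']}")
```

With these parameters, the flood window is the only alert: 400 requests from 200 sources in 10 s, while no single source ever exceeds two requests. A per-address threshold would have stayed silent.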

Governments

The Stuxnet worm was a large government stone dropped into a lake. Malware built to sabotage a specific nation’s uranium enrichment equipment is a clear sign of government involvement, and its use was arguably an unlawful use of force [102]. It is unclear whether Iran, the target of Stuxnet, has the right to strike back under the laws of war; after all, cyber-war is a form of war if certain conditions are met [103]. This is, unfortunately, only the tip of the iceberg. Stuxnet belongs to a larger malware family that includes Duqu, Flame, and Gauss [104]. These mainly target Middle Eastern countries, pack numerous functions, and only run under specific conditions, but little is yet known about their true goals. The mystery surrounding this family raises suspicions that point toward nation-state actors. Other high-profile attacks have been quite common; for example, compromised government websites have been found hosting malware [105,106].

Given the current state of cybersecurity, nations and enterprises are building response infrastructures and teaming up to meet the challenge. In the United States, for example, General Electric is building a cybersecurity center [107], and Australia is opening a new national center that will be run by the government [108]; both are expected to open in late 2013. The Pentagon is assembling 13 teams capable of offensive cyber-operations, governed by a response framework that gives them clear authority to hack [109]. The Commission on the Theft of American Intellectual Property [110] goes further, saying that US companies should hack back at cyber-thieves. While the Tallinn Manual on the International Law Applicable to Cyber Warfare attempts to resolve the legal disputes of cyber-warfare, it controversially endorses physical retaliation if data is destroyed or death is proved [111]. It also suggests that engagements be one-on-one in order to reduce collateral damage. A new bill currently being worked out in the United States aims to curb foreign threats [112], and in Spain a draft bill would authorize the police to install malware on computers without the owners’ knowledge [113]. Perhaps more concerning is the controversial NSA PRISM surveillance program [71], which reportedly draws data from major Internet players like Google, Skype, and Facebook through legally compelled access.

The industry is also investing in tools for monitoring domestic and foreign threats, one way being to install backdoors on targets’ devices. FinFisher is commercial spyware capable of exactly that: marketed through law enforcement channels as a lawful interception tool, it is gaining traction among governments, particularly repressive regimes, where it has been used to spy on dissidents. Several of its samples have been analyzed in depth [114]. Hacking Team likewise sells its Remote Control System to governments and agencies only; essentially, it creates a surveillance botnet that can monitor targets on a variety of platforms, including mobile operating systems.

Lessons learned

Decades ago, cybersecurity was a minor topic. Espionage, once the province of real spies, can today be conducted from an ordinary computer at a great physical distance and with little communication latency. Cyberspace has turned into a battlefield, shifting perceptions of cybersecurity, maturing cyber-warfare, and drawing the concern of leading nation-states. The welfare of computers, networks, the Internet, its users, and their data is becoming a priority. Yet one thing Stoll noted years ago still holds: security is a human problem that cannot be solved by technical means alone. Security controls must therefore adapt, but so must the mentality, awareness, and wisdom of the stakeholders of cyberspace.

Our analysis shows that cyber-attacks and enterprise incidents routinely make headlines. The field changes constantly, and security professionals must respond at the same pace. It is widely expected that hacktivism and cyber-espionage will continue to increase. Hacktivists do break the law and are punishable for it, but are they the real concern for the future of cybersecurity, or more of a sensationalist sideshow? The spotlight often shines on them, yet the more severe threats and the greater financial and data losses come from organized crime groups headquartered in Russia, Ukraine, China, or Brazil, and from state-sponsored APTs. Cyber-war is partially hype at the moment; it has caused no loss of life so far, and other threats currently outweigh it. Still, nations are clearly taking action and shaping the conduct of cyber-war, with the United States among the pioneers. The rest of the world has an interest in acting too, and in creating interoperable guidelines for responding cooperatively and efficiently to incidents and cyber-engagements. The highest level of international cooperation, including agencies, teams, and legal support, is needed to fight back against cyber-crime.

The cyber-war hysteria will eventually fade, and time will tell who becomes essential in the field. Nothing suggests that cyber-war is limited to nation-state conflicts, so a many-to-many engagement is entirely plausible: virtually anybody can participate, from individual hacktivists to companies to governments, the latter possibly contracting cyber-criminals. It is also possible for cyber-threats to escalate into physical engagement.

Meanwhile, there is a need to monitor traffic at Internet scale while preserving user privacy, to monitor perimeter traffic at enterprise scale, and to keep analyzing malware, shutting down botnets, and pursuing underground cyber-criminals; in short, to exert oneself against cyber-threats. Digital surveillance nonetheless provokes chilling thoughts.

References

1. von Solms R, van Niekerk J. From information security to cyber security. Computers & Security. 2013;38:97–102.

2. Berson TA, Denning DE. Cyber Warfare. IEEE Secur Privacy. 2011;9(5):13–15.

3. Mansfield-Devine S. Security review: the past year. Computer Fraud & Security. 2013;1:5–11.

4. Kurbalija J. An introduction to internet governance 5th ed. Diplo Foundation 2012.

5. Amoroso E. From the enterprise perimeter to a mobility-enabled secure cloud. IEEE Secur Privacy. 2013;11(1):23–31.

6. Websense. 2013 Threat Report. [Internet]. Available from: <https://www.websense.com/content/websense-2013-threat-report.aspx>; 2013.

7. Cisco. 2013 Cisco Annual Security Report. [Internet]. Available from: <http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html>; 2013.

8. Kessem LS. New commercial Trojan. #INTH3WILD: Meet beta bot. RSA Blog. Available from: <https://blogs.rsa.com/new-commercial-trojan-inth3wild-meet-beta-bot/>; 2013 [accessed Jun. 2013].

9. Shah C. Skimmer botnet targets credit card payment terminals. McAfee Labs 2013; Available from: <http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals>; 2013 [accessed Apr. 2013].

10. Paganini P. Group-IB exclusive details on Kangoo botnet that hit Australian banks. Security Affairs Blog 2013; Available from: <http://securityaffairs.co/wordpress/14444/cyber-crime/from-group-ib-kangoo-botnet-against-australian-banks.html>; 2013 [accessed May 2013].

11. Romera R. Homemade browser targeting Banco do Brasil Users. TrendLabs Blog 2013; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users/>; 2013 [accessed May 2013].

12. McAfee. Threats Predictions. [Internet]. Available from: <http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf>; 2013.

13. Reuters. Aramco says cyberattack was aimed at production. The New York Times. Available from: <http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html?_r=0>; 2012 [accessed Jan. 2013].

14. Yang K. Digital attack on Korean networks: WIPERS, time-bombs and Roman soldiers. Fortinet Blog. Available from: <http://blog.fortinet.com/digital-attack-on-korean-networks-wipers-time-bombs-and-roman-soldiers/>; 2013 [accessed Mar. 2013].

15. Bermejo L. Backdoor wipes MBR, locks screen. TrendLabs Blog 2013; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/>; 2013 [accessed Jun. 2013].

16. Melick R. Recent spike in FBI ransomware striking worldwide. Webroot Blog 2013; Available from: <http://www.webroot.com/blog/2013/05/23/recent-spike-in-fbi-ransomware-striking-worldwide/>; 2013 [accessed May 2013].

17. Donohue B. Reveton ransomware adds password purloining function. Threatpost 2013; Available from: <https://threatpost.com/reveton-ransomeware-adds-password-purloining-function>; 2013 [accessed May 2013].

18. Apvrille A. 1,000 malicious Android samples per day. Fortinet Blog. Available from: <http://blog.fortinet.com/1-000-malicious-Android-samples-per-day/>; 2013 [accessed May 2013].

19. F-Secure. Mobile threat report Q1 2013. [Internet]. Available from: <http://www.f-secure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q1_2013.pdf>; 2013.

20. Lookout. State of Mobile Security. [Internet]. Available from: <https://www.lookout.com/resources/reports/state-of-mobile-security-2012>; 2012.

21. Unuchek R. The most sophisticated android trojan. Securelist Blog 2013; Available from: <https://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan>; 2013 [accessed Jun. 2013].

22. Stanescu B. Dorkbot malware infects facebook users: spies browser activities and grabs data. Bitdefender Labs 2013; Available from: <http://www.hotforsecurity.com/blog/dorkbot-malware-infects-facebook-users-spies-browser-activities-and-grabs-data-6165.html>; 2013 [accessed May 2013].

23. Wanve U. Turkish ‘delete virus’ targets facebook users. McAfee Labs. Available from: <http://blogs.mcafee.com/mcafee-labs/turkish-delete-virus-targets-facebook-users>; 2013 [accessed Apr. 2013].

24. Tamir D. Twitter malware: spreading more than just ideas. Trusteer Blog 2013; Available from: <https://www.trusteer.com/blog/twitter-malware-spreading-more-than-just-ideas>; 2013 [accessed Apr. 2013].

25. Boutin J-I. Operation hangover: more links to the oslo freedom forum incident. ESET Blog 2013; Available from: <http://www.welivesecurity.com/2013/06/05/operation-hangover-more-links-to-the-oslo-freedom-forum-incident/>; 2013 [accessed Jun. 2013].

26. Ortega A. Your malware shall not fool us with those anti analysis tricks. AlienVault Labs 2012; Available from: <http://www.alienvault.com/open-threat-exchange/blog/your-malware-shall-not-fool-us-with-those-anti-analysis-tricks>; 2012 [accessed Jan. 2013].

27. Genes R. Trend micro predictions for 2013 and beyond: threats to business, the digital lifestyle, and the cloud. TrendLabs Blog 2012; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/predictions-for-2013/>; 2012 [accessed Jan. 2013].

28. Wanve U. Travnet botnet controls victims with remote admin tool. McAfee Labs 2013; Available from: <http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool>; 2013 [accessed May 2013].

29. Smith B. Microsoft, financial services and others join forces to combat massive cybercrime ring. Microsoft News Center 2013; Available from: <https://www.microsoft.com/en-us/news/press/2013/jun13/06-05dcupr.aspx>; 2013 [accessed Jun. 2013].

30. Yaneza J. ZeuS/ZBOT malware shapes up in 2013. TrendLabs Blog 2013; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-malware-shapes-up-in-2013/>; 2013 [accessed May 2013].

31. Rossow C, Andriesse D, Werner T, StoneGross B, Plohmann D, Dietrich C J, et al. SoK: P2PWNED-Modeling and evaluating the resilience of peer-to-peer botnets. In: Proc of the 34th IEEE Symp on Security and Privacy; 2013; San Francisco, CA, USA. IEEE Computer Society, p. 1–15.

32. News on multibanker, features now a Jabber P2P functionality. Kleissner & Associates SRO. Blog; 2013.

33. Internet Census 2012: Port scanning /0 using insecure embedded devices. [Internet]. Available from: <http://internetcensus2012.bitbucket.org/paper.html>; 2012.

34. Valerie. Lawful botnet and Internet census: When law is not the case? [Internet]. Available from: <http://www.diplointernetgovernance.org/profiles/blogs/lawful-botnet-and-internet-census-when-law-is-not-the-case>; 2012.

35. Liska A. Wordpress botnet explodes over weekend. Symantec Blog 2013; Available from: <http://www.symantec.com/connect/blogs/wordpress-botnet-explodes-over-weekend>; 2013 [accessed Apr. 2013].

36. Bestuzhev D. An avalanche in skype. Securelist Blog 2013; Available from: <https://www.securelist.com/en/blog/208194206/An_avalanche_in_Skype>; 2013 [accessed Apr. 2013].

37. Bestuzhev D. Skypemageddon by bitcoining. Securelist Blog 2013; Available from: <https://www.securelist.com/en/blog/208194210/>; 2013 [accessed Apr. 2013].

38. Shah H. Delving deeply into a bitcoin botnet. McAfee Labs 2013; Available from: <http://blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet>; 2013 [accessed May 2013].

39. Prolexic. Prolexic quarterly global DDoS attack report Q1 2013. [Internet]. Available from: <https://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html>; 2013.

40. Prince M. The DDoS that almost broke the internet. CloudFlare 2013; Available from: <http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet>; 2013 [accessed Mar. 2013].

41. Trend Micro. Spear-phishing email: Most favored APT attack bait. [Internet]. Available from: <http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf>.

42. Commtouch. Internet threat trend report: April 2013. [Internet]. Available from: <http://www.commtouch.com/uploads/2013/04/Commtouch-Internet-Threats-Trend-Report-2013-April.pdf>; 2013.

43. Schultz J. Massive canadian pharmacy spam campaign. Cisco Blog 2013.

44. Williams C. Massive spam and malware campaign following the Boston tragedy. Cisco Blog. Available from: <http://blogs.cisco.com/security/massive-spam-and-malware-campaign-following-the-boston-tragedy/>; 2013 [accessed Apr. 2013].

45. Anti-Phishing Working Group. Global phishing survey: Trends and domains name use in 2 H 2012. [Internet]. Available from: <http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf>; 2013.

46. SMS phishing leads to an advance fee spam scam across Europe. Infosecurity Magazine. Available from: <http://www.infosecurity-magazine.com/view/32319/sms-phishing-leads-to-an-advance-fee-spam-scam-across-europe/>; 2013 [accessed May 2013].

47. White D, Christensen B. Facebook ‘fan page verification program’ phishing scam. Hoax-Slayer Blog 2013; Available from: <http://www.hoax-slayer.com/fan-page-verification-scam.shtml>; 2013 [accessed May 2013].

48. Melgarejo AJ. Malware phishes with fake facebook security check page. TrendLabs Blog 2013; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/malware-phishes-with-fake-facebook-security-check-page/>; 2013 [accessed Apr. 2013].

49. Diaz V. Is digital marketing the new spam? Securelist Blog 2013; Available from: <https://www.securelist.com/en/blog/208194237/Is_digital_marketing_the_new_spam>; 2013 [accessed Apr. 2013].

50. Muralidharan A. Increase in pump and dump stock spam. Symantec Blog 2013; Available from: <http://www.symantec.com/connect/blogs/increase-pump-and-dump-stock-spam>; 2013 [accessed May 2013].

51. Patil S. Rise in URL spam. Symantec Blog 2013; Available from: <http://www.symantec.com/connect/blogs/rise-url-spam>; 2013 [accessed May 2013].

52. Symantec. Internet security threat report 2013. [Internet]. Available from: <https://www.symantec.com/security_response/publications/threatreport.jsp>; 2013.

53. MITRE. CVE website. [Internet]. Available from: <https://cve.mitre.org/>; 2013.

54. Symantec Security Response. Internet Explorer zero-day used in watering hole attack: Q&A. Symantec Blog. Available from: <http://www.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa>; 2012 [accessed Jan. 2013].

55. Krebs B. Microsoft, adobe push critical security updates. KrebsOnSecurity Blog 2013; Available from: <https://krebsonsecurity.com/2013/05/microsoft-adobe-push-critical-security-updates-2/>; 2013 [accessed May 2013].

56. Symantec. First quarter zero-day vulnerabilities. Symantec Blog. Available from: <http://www.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities>; 2013 [accessed Apr. 2013].

57. OWASP. The ten most critical Web application security risks. [Internet]. Available from: <https://www.owasp.org/index.php/Top_10_>; 2013.

58. Oracle. Oracle Java SE critical patch update advisory. [Internet]. Available from: <http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html>; Apr. 2013.

59. RepoCERT. Botnet using Plesk vulnerability and takedown. Seclists Website. Available from: <http://seclists.org/fulldisclosure/2013/Jun/36>; 2013 [accessed Jun. 2013].

60. Fisher D. Schneider patches 18-month-old SCADA bugs. Threatpost. Available from: <https://threatpost.com/schneider-patches-18-month-old-scada-bugs>; 2013 [accessed Jun. 2013].

61. Engberg D. Service-wide Password Reset. Evernote Blog 2013; Available from: <https://evernote.com/corp/news/password_reset.php>; 2013 [accessed May 2013].

62. Lord B. Keeping our users secure. Twitter Blog 2013; Available from: <https://blog.twitter.com/2013/keeping-our-users-secure>; 2013 [accessed Feb. 2013].

63. Ross H. Reset your drupal.org password. Drupal Forum 2013; Available from: <https://drupal.org/news/130529SecurityUpdate>; 2013 [accessed Jun. 2013].

64. Zetter K. Hacker breached U.S. Army database containing sensitive information on dams. Wired 2013; Available from: <http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/>; 2013 [accessed Jan. 2013].

65. Perlroth N. Hackers in china attacked the Times for last 4 months. The New York Times 2013; Available from: <http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html>; 2013 [accessed Feb. 2013].

66. Mandiant. APT1: Exposing one of China’s cyber espionage units. [Internet]. Available from: <http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf>; 2013.

67. Honan M. How Apple and Amazon security flaws led to my epic hacking. Wired. Available from: <http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/>; 2012 [accessed Jan. 2013].

68. Ponemon Institute. 2013 cost of data breach study: Global analysis. Symantec Website. Available from: <http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-2013>; 2013 [accessed May 2013].

69. Sun News. Hospital discloses privacy breach. Sun News. Available from: <http://news.sonomaportal.com/2013/05/24/hospital-discloses-privacy-breach/>; 2013 [accessed May 2013].

70. Check Point. Check point 2013 security report. [Internet]. Available from: <https://www.checkpoint.com/campaigns/security-report/>; 2013.

71. Gellman B, Blake A, Miller G. Edward Snowden comes forward as source of NSA leaks. The Washington Post. Available from: <http://articles.washingtonpost.com/2013-06-09/politics/39856642_1_extradition-nsa-leaks-disclosures>; 2013 [accessed Jun. 2013].

72. Schneier B. Government secrets and the need for whistle-blowers. Schneier on Security Blog. Available from: <https://www.schneier.com/blog/archives/2013/06/government_secr.html>; 2013 [accessed Jun. 2013].

73. Verizon. 2012 data breach investigations report. [Internet]. Available from: <http://www.verizonenterprise.com/DBIR/2012/>; 2012.

74. Symantec. Symantec intelligence report: May 2013. [Internet]. Available from: <http://www.symantec.com/connect/blogs/symantec-intelligence-report-may-2013>; 2013.

75. Taddeo M. An analysis for a just cyber warfare. In CYCON: 4th International Conference on Cyber Conflict; 2012; Tallinn, Estonia. p. 1–10.

76. Watts S. The notion of combatancy in cyber warfare. In CYCON: 4th Int Conf on Cyber Conflict; 2012; Tallinn, Estonia. p. 1–15.

77. ICS-CERT. Monthly Monitor. [Internet]. Available from: <https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_Jan-Mar2013.pdf>; 2013.

78. Shauk Z. Rise in URL spam. Symantec Blogs 2013; Available from: <http://www.symantec.com/connect/blogs/rise-url-spam>; 2013 [accessed May 2013].

79. McAfee. McAfee threats report-fourth quarter 2012. [Internet]. 2013. Availabe from: <http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf.>.

80. Coronado C. Blackhole exploit kit leverages Margaret Thatcher’s death. Trend Micro. Available from: <http://about-threats.trendmicro.com/us/spam/460/Blackhole+Exploit+Kit+Leverages+Margaret+Thatchers+Death>; 2013 [accessed Apr. 2013].

81. Trend Micro. Russian underground 101. [Internet]. 2012. Available from: <http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf.>.

82. Musthaler L. DDoS-as-a-service? You betcha! It’s cheap, it’s easy, and it’s available to anyone. Security Bistro. Available from: <http://www.securitybistro.com/?p=4121>; 2012 [accessed Jan. 2013].

83. Trustwave. 2013 global security report. [Internet]. Available from: <https://www2.trustwave.com/2013GSR.html>; 2013.

84. Schwartz M.J. Zeus bank malware surges on Facebook. InformationWeek. Available from: <http://www.informationweek.com/security/attacks/zeus-bank-malware-surges-on-facebook/240156156>; 2013 [accessed Jun. 2013].

85. Eleven arrests as global investigation dismantles criminal web forum. SOCA Website. Available from: <http://www.soca.gov.uk/news/552-eleven-arrests-as-global-investigation-dismantles-criminal-web-forum>; 2013 [accessed Jun. 2013].

86. Stoll C. Stalking the wily hacker. Commun ACM. 1988;31(5):484–497.

87. Thompson K. Reflections on trusting trust. Commun ACM. 1984;27(8):761–763.

88. Stoll C. The cuckoo’s egg: Tracking a spy through the maze of computer espionage New York, NY: Doubleday; 1989.

89. Sood A, Enbody R. Targeted cyberattacks: A superset of advanced persistent threats. IEEE Secur Privacy. 2013;11(1):54–61.

90. GReAT. "Red October" diplomatic cyber attacks investigation. Securelist Blog. Available from: <http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation>; 2013 [accessed Jan. 2013].

91. Kaspersky Lab. The NetTraveler. [Internet]. 2013. Available from: <http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf.>.

92. Norman. Operation hangover: Norman unveiling an Indian cyberattack infrastructure. [Internet]. 2013. Available from: <http://enterprise.norman.com/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf.>.

93. Fagerland S. The hangover report. Norman Blog. Available from: <http://blogs.norman.com/2013/security-research/the-hangover-report>; 2013 [accessed May 2013].

94. Kovacs E. 20 Chinese government sites defaced by anonymous Algeria hacker Charaf Anons. Softpedia. Available from: <http://news.softpedia.com/news/28-Chinese-Government-Sites-Defaced-by-Anonymous-Algeria-Hacker-Charaf-Anons-339986.shtml>; 2013 [accessed Mar. 2013].

95. Kredo A. Anonymous-linked groups hack Israeli websites, release personal data Washington Free Beacon 2013; Available from: <http://freebeacon.com/the-cyber-front/>; 2013 [accessed Mar. 2013].

96. Lake E. Why #OpIsrael was an #OpFail. The Daily Beast 2013; Available from: <http://www.thedailybeast.com/articles/2013/04/08/why-opisrael-was-an-opfail.html>; 2013 [accessed Apr. 2013].

97. Schultz J. The effects of #OpUSA. Cisco Blog 2013; Available from: <http://blogs.cisco.com/security/the-effects-of-opusa/>; 2013 [accessed May 2013].

98. Rudger A. Understanding the impact of Web attacks-The user perspective. Keynote Blog 2013; Available from: <http://blogs.keynote.com/the_watch/2013/04/understanding-the-impact-of-web-attacks-the-user-perspective.html>; 2013 [accessed Apr. 2013].

99. Bigs. Anonymous leaked massive pedophile d0x in response to child s*x rings. Cyberwarzone. Available from: <http://cyberwarzone.com/anonymous-leaked-massive-pedophile-d0x-response-child-sx-rings>; 2013 [accessed Mar. 2013].

100. Heller J. Guantanamo Bay shuts off wi-fi after Anonymous threatens #OpGTMO attack on prison camp. International Business Times 2013; Available from: <http://www.ibtimes.com/guantanamo-bay-shuts-wi-fi-after-anonymous-threatens-opgtmo-attack-prison-camp-1273041>; 2013 [accessed May 2013].

101. Moore H, Roberts DAP. Twitter hack causes panic on Wall Street and sends Dow plunging. The Guardian 2013; Available from: <http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall>; 2013 [accessed Apr. 2013].

102. Zetter K. Legal experts: Stuxnet attack on Iran was illegal ‘act of force’. Wired 2013; Available from: <http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/>; 2013 [accessed Mar. 2013].

103. Gossels J. Cyber war, this is not. SCMagazine 2013; Available from: <http://www.scmagazine.com/cyber-war-this-is-not/article/284430/>; 2013 [accessed Apr. 2013].

104. Kaspersky Lab. Gauss: Nation-state cyber-surveillance meets banking Trojan. SecureList Blog. Available from: <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>; 2012 [accessed Jan. 2013].

105. Santos R. BANKER malware hosted in compromised Brazilian government sites. TrendLabs Blog 2013; Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites/>; 2013 [accessed May 2013].

106. To D. Compromised US government webpage used zero-day exploit. TrendLabs Blog. Available from: <http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit/>; 2013 [accessed May 2013].

107. General Electric. GE information security technology center. [Internet]. 2013. Available from: http://www.ge.com/careers/ge-information-security-technology-center.

108. Benitez J. Australia’s new cyber security center will be ’fully operational by late 2013.. NATOSource News Blog 2013; Available from: <http://www.atlanticcouncil.org/blogs/natosource/australias-new-cyber-security-center-will-be-fully-operational-by-late-2013>; 2013 [accessed Jan. 2013].

109. Brito H. Pentagon creating “rules of engagement” for responding to advanced attackers. Mandiant M-Unition 2013; Available from: <https://www.mandiant.com/blog/pentagon-creating-rules-engagement-responding-advanced-attackers/>; 2013 [accessed Apr. 2013].

110. Commission on the theft of American intellectual property. The Report of the Commission on the Theft of American Intellectual Property. [Internet]. Available from: <http://ipcommission.org/report/IP_Commission_Report_052213.pdf>; 2013.

111. Colon M. 2 minutes on: The rule of war. SCMagazine 2013; Available from: <http://www.scmagazine.com/2-minutes-on-the-rule-of-war/article/288854/>; 2013 [accessed May 2013].

112. Kerr D. US government to propose bill targeting foreign hackers. CNET 2013; Available from: <http://news.cnet.com/8301-1009_3-57587942-83/u.s-government-to-propose-bill-targeting-foreign-hackers/>; 2013 [accessed Jun. 2013].

113. Rial N. Spanish police might use Trojans to spy computers. New Europe 2013; Available from: <http://www.neurope.eu/article/spanish-police-might-use-trojans-spy-computers>; 2013 [accessed Jun. 2013].

114. Marquis-Boire M, Marczak B, Guarnieri C, Scott-Railton J. The Commercialization of Digital Spying. [Internet]. Available from: <https://citizenlab.org/storage/finfisher/final/fortheireyesonly.pdf>; 2013.


1 Anti-* is used in terms like “anti-spam,” “anti-virus,” and “anti-phishing.”
