cyber attack

If you are not familiar with the term virtual-state you are not alone – but it’s a term you’re going to hear more often.

Here is a working definition that has broad acceptance: A virtual-state is defined as a nebulous community of individuals that self-identify and share in common one or more social, political and/or ideological convictions, ideas or values. They act collectively to influence and bring about changes they deem appropriate.

With so much attention focused on the recent deadline for U.S. government agencies to deploy IPv6 on their public-facing websites, it’s important to raise the flag on a much less discussed, but critically important aspect of IPv6. Namely, that the rapid expansion of unplanned and unmonitored IPv6-enabled systems in ‘IPv4-only’ networks is greatly increasing the attack surface presented by those networks.

Limited awareness of IPv6 security issues and incomplete support for IPv6 vulnerability detection in commercial firewall and intrusion detection products are exposing both commercial and government enterprises to cyber attack.

The IPv4 protocol is the primary communications protocol of the Internet. As early as 1992, the IPv4 limit of 4 billion addresses for network-connected devices was recognized as insufficient to support the rapidly increasing growth of the Internet. The Internet Engineering Task Force embarked on a project to define a replacement protocol for IPv4, eventually labeled as IPv6, to resolve the IPv4 address exhaustion problem and support additional capabilities.


The quantity of addresses supported by the IPv6 protocol (128-bit addresses, roughly 3.4 x 10^38 of them) is so vast that an IPv6 address could be assigned to every atom on the surface of the earth and still have enough addresses left to cover another 100 earth-sized planets.

This vastly increased address space enables continued growth of the Internet and support for new services and applications. IPv6 also introduces a redesigned protocol that is streamlined and extensible, improving router efficiency and making it adaptable to future protocol requirements. Additional features include network auto-configuration, improved support for end-to-end security, quality of service capabilities and mobile support.

The first IPv6 protocol specification was published in December 1995 (RFC 1883, revised as RFC 2460 in 1998), and the decade and a half since has seen much experimentation, testing and refinement. Greatly spurred on by government initiatives to advance support for IPv6 in commercial products, most network equipment, computer operating systems and mobile devices now ship with operational IPv6 communications stacks in addition to the traditional IPv4 communication stack. Just as in the early days of IPv4 adoption, it will take time for these IPv6 software implementations to mature.

While we gain more experience with these IPv6 implementations, vulnerabilities, implementation errors and misconfigurations will continue to expose these systems to penetration and denial-of-service attacks.

The MITRE Common Vulnerabilities and Exposures (CVE) database details over 100 known IPv6 vulnerabilities, and that list continues to grow. Increasingly sophisticated attack tools are available to exploit these known vulnerabilities, and through fuzzing techniques, identify new ones.

When plugged into a network, these dual-stack systems automatically configure a link-local IPv6 address and send Router Solicitations, accepting whatever Router Advertisements come back for the prefix and default-router information they need to communicate beyond the local link and reach the IPv6 Internet. This built-in auto-configuration capability, Stateless Address Auto-Configuration (SLAAC, RFC 4862) running on top of Neighbor Discovery (RFC 4861), has no authentication or integrity checking by default: any host on the link can send a Router Advertisement, and every dual-stack neighbor will accept the prefix and default router it announces. Secure Neighbor Discovery (RFC 3971) exists but is rarely deployed, and RA Guard (RFC 6105) only helps where it has actually been configured on the access switches. In effect, an attacker who can reach these nodes can configure this unmonitored IPv6 network on demand, pulling traffic through a rogue router to support exfiltration of data and deeper penetration of the enterprise environment.
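The rogue-router problem above is detectable on the wire, because a forged Router Advertisement still has to be a well-formed ICMPv6 type 134 message sent to ff02::1 from a link-local source. The following detector is an added example, not code from the article or from Salient Federal Solutions: it parses raw IPv6/ICMPv6 packets, verifies the RFC 4443 checksum and the RFC 4861 validity rules (hop limit 255, link-local source), extracts the Prefix Information options, and flags any RA whose sender or advertised prefix is not on a defender-maintained allowlist. The packets, the allowlist (`KNOWN_ROUTERS`, `EXPECTED_PREFIXES`) and the rogue address `fe80::dead:beef` are all constructed for the example.

```python
"""Rogue Router Advertisement (RA) detector.

Added example, not code from the article or from Salient Federal Solutions.
All packets below are constructed in build_ra(); the allowlist is assumed.
"""
import ipaddress
import struct

ICMPV6 = 58
RA_TYPE = 134             # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6]) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src: str, prefix: str, router_lifetime: int = 1800) -> bytes:
    """Construct an IPv6 packet carrying an RA with one Prefix Information option."""
    src_b = ipaddress.IPv6Address(src).packed
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type, length (8-byte units), prefix length,
    # L|A flags, valid lifetime, preferred lifetime, reserved, prefix
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    # RA header: type, code, checksum (0 for now), cur hop limit, M|O flags,
    # router lifetime, reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0) + opt
    csum = icmpv6_checksum(src_b, ALL_NODES.packed, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    # IPv6 header: version 6, payload length, next header ICMPv6, hop limit 255
    hdr = struct.pack("!IHBB", 0x60000000, len(msg), ICMPV6, 255) + src_b + ALL_NODES.packed
    return hdr + msg


def parse_ra(pkt: bytes):
    """Return the RA's source, lifetime and prefixes, or None if pkt is not a valid RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    msg = pkt[40:40 + payload_len]
    if next_hdr != ICMPV6 or len(msg) < 16 or msg[0] != RA_TYPE or msg[1] != 0:
        return None
    # RFC 4861 validation: link-local source and hop limit 255 (never forwarded)
    if hop_limit != 255 or not src.is_link_local:
        return None
    claimed = struct.unpack("!H", msg[2:4])[0]
    if icmpv6_checksum(src.packed, dst.packed, msg[:2] + b"\x00\x00" + msg[4:]) != claimed:
        return None
    prefixes = []
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0 or off + olen * 8 > len(msg):
            return None       # RFC 4861: zero-length or truncated option, discard the packet
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = msg[off + 2]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            prefixes.append("%s/%d" % (prefix, plen))
        off += olen * 8
    return {"src": str(src), "router_lifetime": struct.unpack("!H", msg[6:8])[0],
            "prefixes": prefixes}


def classify_ra(pkt: bytes, known_routers, expected_prefixes) -> str:
    """'ignore' for non-RA traffic, 'ok' for an expected RA, otherwise an alert string."""
    ra = parse_ra(pkt)
    if ra is None:
        return "ignore"
    if ra["src"] not in known_routers:
        return "alert: RA from unknown router %s advertising %s" % (ra["src"], ra["prefixes"])
    bad = [p for p in ra["prefixes"] if p not in expected_prefixes]
    if bad:
        return "alert: known router %s advertising unexpected prefix %s" % (ra["src"], bad)
    return "ok"


# Assumed allowlist for the example network (not from the article)
KNOWN_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = {"2001:db8:1::/64"}

if __name__ == "__main__":
    legit = build_ra("fe80::1", "2001:db8:1::/64")
    rogue = build_ra("fe80::dead:beef", "2001:db8:bad::/64")   # constructed rogue RA
    for name, pkt in (("legit", legit), ("rogue", rogue)):
        print(name, classify_ra(pkt, KNOWN_ROUTERS, EXPECTED_PREFIXES))
```

In production the packets would come from a raw socket or a pcap feed on each access VLAN rather than from `build_ra()`; the detection is the same. Note that this is a detective control only: the rogue RA has already been accepted by every host on the link by the time it is logged, so RA Guard on the access ports remains the preventive control.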

IPv6 tunnels, which encapsulate IPv6 packets inside IPv4 packets, present another important security issue. IPv6 tunnels enable IPv6-capable systems to reach other IPv6 systems and the IPv6 Internet over an IPv4 network. They were intended to aid the transition from IPv4 to IPv6, but they can also be used to bypass firewalls and intrusion detection systems that inspect only the outer IPv4 header, supporting covert communications and aiding in exfiltration of data.

Many operating systems ship with support for automatically configured tunnels that can result in unintended and unmonitored connections from inside the enterprise to the IPv6 Internet. For example, all Windows operating system versions since Windows Vista ship with support for ISATAP, 6to4 and Teredo automatic tunnels. Under the right conditions, Windows will automatically attempt to configure each of these types of tunnels and create a persistent, routable IPv6 tunnel through the enterprise and out to the IPv6 Internet. 6to4 and ISATAP carry IPv6 directly inside IPv4 (IP protocol 41), which a perimeter firewall can at least block outright; Teredo wraps IPv6 in UDP (port 3544 to the Teredo server) precisely so that it works from behind NAT, so it succeeds on exactly the networks where protocol 41 would be dropped.

The unintended presence of native IPv6 traffic and IPv6 tunnels in ‘IPv4-only’ networks introduces a whole new class of network vulnerabilities. Unfortunately, most network security products, including firewalls and intrusion detection systems, still lack the comprehensive security capabilities necessary to fully inspect and filter native IPv6 and tunneled IPv6 traffic. The complexity of the IPv6 extensible protocol design and the difficulty in identifying and inspecting the contents of IPv6 tunnels are some of the reasons why these implementations have lagged behind.
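The two preceding paragraphs describe the automatic tunnels and the difficulty security products have in recognising them. As an added example (not code from the article or from any firewall or IDS vendor), the classifier below shows what the recognition actually involves: it takes raw IPv4 packets and reports 6to4 and ISATAP (IPv6 directly inside IPv4 protocol 41, distinguished by the 2002::/16 prefix and the ::5efe: ISATAP interface identifier) and Teredo (IPv6 inside UDP on port 3544 with a 2001::/32 address). The sample packets are constructed inline with IPv4 and UDP checksums left at zero, and all addresses other than the 6to4 relay anycast address 192.88.99.1 are assumed or taken from the documentation ranges.

```python
"""Classifier for IPv6-in-IPv4 transition tunnels (6to4, ISATAP, Teredo).

Added example, not code from the article or any vendor product. Sample
packets are constructed in build_ipv4()/build_ipv6(); checksums are left zero.
"""
import ipaddress
import struct
from collections import Counter

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41          # IPv6 encapsulated directly in IPv4 (6to4, ISATAP, manual tunnels)
TEREDO_PORT = 3544
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")      # RFC 4380


def ipv4_header(pkt: bytes):
    """Return (protocol, header length, src, dst) or None if not a plausible IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], ihl, ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def inner_ipv6(payload: bytes):
    """Return (src, dst) of an encapsulated IPv6 header, or None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """ISATAP interface IDs are 0000:5efe or 0200:5efe followed by the IPv4 address (RFC 5214)."""
    return addr.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def classify(pkt: bytes) -> str:
    """Label one IPv4 packet by the tunnel type it carries, if any."""
    hdr = ipv4_header(pkt)
    if hdr is None:
        return "not-ipv4"
    proto, ihl, _src, _dst = hdr
    if proto == IPPROTO_IPV6:
        inner = inner_ipv6(pkt[ihl:])
        if inner is None:
            return "proto41-malformed"
        if any(a in SIXTOFOUR for a in inner):
            return "6to4"
        if any(is_isatap(a) for a in inner):
            return "isatap"
        return "proto41-other"           # manually configured or unknown tunnel
    if proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            # Teredo may prepend authentication/origin-indication headers (first
            # byte 0x00); this example recognises only the plain encapsulation.
            inner = inner_ipv6(pkt[ihl + 8:])
            if inner is not None and any(a in TEREDO for a in inner):
                return "teredo"
            return "udp3544-unrecognised"
    return "plain-ipv4"


def tunnel_report(packets) -> dict:
    """Count tunnel types seen, ignoring ordinary IPv4 traffic."""
    counts = Counter(classify(p) for p in packets)
    counts.pop("plain-ipv4", None)
    return dict(counts)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header (checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def build_ipv6(src: str, dst: str) -> bytes:
    """Constructed sample: bare 40-byte IPv6 header, next header 59 (no payload)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


SAMPLES = {
    # host 203.0.113.5 talking to the 6to4 relay; 2002:cb00:7105:: encodes 203.0.113.5
    "6to4": build_ipv4(IPPROTO_IPV6, "203.0.113.5", "192.88.99.1",
                       build_ipv6("2002:cb00:7105::1", "2001:db8::1")),
    "isatap": build_ipv4(IPPROTO_IPV6, "10.0.0.7", "10.0.0.1",
                         build_ipv6("fe80::5efe:a00:7", "fe80::5efe:a00:1")),
    "teredo": build_ipv4(IPPROTO_UDP, "10.0.0.7", "198.51.100.1",
                         struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 48, 0)
                         + build_ipv6("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1")),
    "plain": build_ipv4(6, "10.0.0.7", "10.0.0.1", b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-7s -> %s" % (name, classify(pkt)))
    print(tunnel_report(SAMPLES.values()))
```

The point of the example is the asymmetry it makes visible: protocol 41 is trivial to spot in the outer header, whereas Teredo looks like ordinary UDP until the payload is decapsulated and the inner IPv6 addresses are examined. A product that stops at the IPv4 header will see the third sample as plain UDP, which is the gap the article is describing.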

It is imperative that CIOs and CSOs recognize that IPv6 is here, whether they like it or not. The threats resulting from the unplanned and unmonitored deployment of IPv6-enabled systems into enterprise networks can no longer be ignored and appropriate security controls must be put in place to address them.

Since many security incidents come down to plain human error, a shortage of trained professionals greatly increases the risk of more errors. IT and network security staffs need to be trained on the operational and security issues of IPv6, and network security product vendors must be made to step up to the challenge of implementing effective countermeasures to IPv6-based attacks.

David Helms is vice president, Cyber Security Center of Excellence at Salient Federal Solutions, which is developing comprehensive security controls and countermeasures, including those necessary to address the expanding IPv6 attack surface in enterprise networks.



On the heels of a well publicized distributed denial of service (DDoS) attack on U.S. financial institutions came a warning about another coordinated and planned cyber attack against this critical infrastructure sector.

Cyber intelligence sources have uncovered a fairly large, coordinated campaign whose payoff is fraudulent wire transfers, reportedly carried out by hijacking online banking sessions in a man-in-the-middle attack.

A man-in-the-middle attack is one in which the attacker inserts themselves between the target and the system or service the target is trying to reach. The attacker does this by impersonating that system or service, by rerouting the traffic between the target and the service, or by hijacking the target's session data.

This attack is known to be delivered through spam and phishing emails, keystroke loggers and remote-access Trojans. A high concentration of attacks has been seen in small and medium sized organizations, and the transfer amounts have ranged from $400,000 to $900,000.

Multiple cyber intelligence sources have warned that an estimated 30 U.S. based financial services institutions may be the targets of an organized cyber criminal gang that is said to be the entity behind this attack.

Just recently the FBI issued a warning about this threat. Their warning stated that the criminals behind this cyber attack were using multiple techniques to obtain customer log-in credentials. Once the criminals have these credentials, they initiate international wire transfers.

For additional information, monitor the alerts issued by the FBI in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3).

Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at Netscape. He is Senior Fellow with the Technolytics Institute and writes a weekly blog for Breaking Gov on the topic of cyber intelligence.

For several days, Bank of America’s systems had problems. The problems – primarily denial of service disruptions – hit their web site and reportedly their mobile banking services.

For BofA, the nation’s largest bank based on assets, this was not the first issue or attack it has experienced in the past year. Nor, in fact, was BofA the only U.S. financial institution to experience what appears to be a series of directed cyber attacks. JPMorgan Chase and Citigroup also are reported to have been struck by similar, related aggressive cyber activities, beginning last year.

For weeks now rumors have been circulating about the White House working to draft an executive order, which will put in place cybersecurity measures to protect the critical infrastructure of the United States.

A glimpse of the draft’s intent was released in news reports in recent days, including a Washington Post report, which among other points, noted that the plans called for voluntary standards.

Ever consider the massive amount of intelligence that the United States collects and uses in the defense of the country and our allies? It is surely massive given the scope of our collection effort.

Many people do not realize that the U.S. intelligence community is comprised of 16 separate agencies, not including the Office of the Director of National Intelligence which is responsible for leading intelligence integration. These agencies are tasked with foreign and domestic intelligence collection, analysis support of military planning, and in some cases performing acts of espionage:

  1. Central Intelligence Agency (CIA)
  2. Air Force Intelligence, Surveillance and Reconnaissance Agency (AFISRA)
  3. Army Intelligence and Security Command (INSCOM)
  4. Defense Intelligence Agency (DIA)
  5. Marine Corps Intelligence Activity (MCIA)
  6. National Geospatial-Intelligence Agency (NGA)
  7. National Reconnaissance Office (NRO)
  8. National Security Agency (NSA)
  9. Office of Naval Intelligence (ONI)
  10. Office of Intelligence and Counterintelligence (OICI), Dept of Energy
  11. Office of Intelligence and Analysis (I&A), Dept of Homeland Security
  12. Coast Guard Intelligence (CGI)
  13. Federal Bureau of Investigation (FBI)
  14. Office of National Security Intelligence (DEA/ONSI)
  15. Bureau of Intelligence and Research (INR)
  16. Dept of Treasury’s Office of Terrorism and Financial Intelligence (TFI)

Source: Wikipedia

Now we have to add U.S. Cyber Command to that list.

In addition, we have to add all the private sector organizations that have established their own security intelligence and cyber intelligence gathering and analysis capabilities, as well as those in industry protecting against cybersecurity threats.

Oh – we should not forget the state and local law enforcement intelligence units that exist around the country.

Now let’s add the black-ops (clandestine) intelligence community members.

Add them all up and that paints a reasonable picture of the intelligence coverage we have in place. It sounds like a lot, but given the number of kinetic and non-kinetic threats we face, it’s not!

One has to wonder how much more effective our intelligence efforts could be if the regulations requiring separation did not exist and a collaborative, information-sharing environment, along with the systems required to support it, were in place.

While those regulations were probably put in place for good reason when they were enacted, times have changed. Maybe it is time to revisit the restrictions.

Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at Netscape. He is Senior Fellow with the Technolytics Institute where he provides consulting services on strategic technology and security issues. He writes a weekly blog for Breaking Gov on the topic of cyber intelligence.


As we approach the 2012 presidential election, concerns are being raised about the likelihood of cyber attacks leading up to and during that event. There are many individuals, groups and rogue nation states that would like nothing better than to disrupt this year’s election.

Several months ago, a video was posted by those claiming to be from the well-known hacktivist group Anonymous that alluded to plans for launching cyber initiatives targeting the 2012 presidential election.


After years of the public and private sectors listening to the nearly constant cyber threat warnings issued by military and government officials, as well as industry experts, addressing the threats that cyber attacks pose to our systems is now appropriately considered a work in progress.

There are some signs that the private sector might be moving to address the new heightened level of cyber security threats, however.

The head of Iran’s Presidential Center for International Legal Affairs has announced that Iran plans to bring legal action against those who launched cyber attacks against its uranium enrichment equipment, a move that promises to raise the stakes for U.S. cybersecurity policy officials.

Majid Jafarzadeh made the announcement this week after consulting Iranian and foreign legal experts, saying Iran has decided to file a lawsuit against the “cyber terrorists” who have attacked the country’s nuclear enrichment infrastructure.

Underground movements are not uncommon, but the apparent groundswell that has taken place in the cyber underground has caught the attention of traditional and cyber intelligence organizations around the world.

Call them covert, clandestine, black-market, whatever title you choose to put on these activities, the fact remains that there is a growing community of underground groups and individuals with diverse missions and objectives. These groups develop and acquire sophisticated cyber weapons that are used in highly targeted attacks against their enemies.
