In Case You Missed It: German government and renewable power sector breaches, new regs due, and VoIP attacks rise

German Bundestag breach

German chancellor Angela Merkel inadvertently helped spread Trojan malware in the German Parliament (Bundestag), which is now facing a new wave of cyber-attacks, say local press reports.

After infection, the hackers supposedly used her computer to send phishing emails containing malware to other Bundestag members, claiming to be an invite to a conference.

However German blogger Alvar Freude points out that the email does not appear to come from Merkel's email account – but rather a Polish one.

Early estimates cited theft of data from up to 20,000 PCs but Bild claims that only 15 machines were targeted and five had data stolen from them. May's attack has been blamed on Russia, but Germany's domestic intelligence service head, Hans-Georg Maassen, only said that it may have been carried out by a “foreign intelligence service.” 

A second attack is described as less professional and as using a different Trojan. The malware involved, Swatbanker, is a successor to Cridex, which is of Russian origin, and Swatbanker too is believed to be the work of Russian hackers.

Hundreds of wind turbines and solar systems vulnerable to attack

German security researcher Maxim Rupp discovered numerous security flaws with solar lighting systems and wind turbines which, if maliciously exploited by an attacker, could result in disrupting energy supplies.

Rupp recently reported numerous flaws in the web controls for the following systems, the XZERES 442SR Wind Turbine, the Sinapsi eSolar Light and the RLE Nova-Wind Turbine, with the ICS-CERT subsequently issuing public warnings on all three of these.

One of these flaws, a cross-site request forgery (CSRF) vulnerability affecting the XZERES turbine, could potentially be used by an attacker to change the administrator password for the web management interface: a logged-in administrator who visits an attacker-controlled page has their browser submit the password-change request on the attacker's behalf, after which the attacker can gain complete control of the turbine.

Assuming the mind-set of a black hat hacker, the researcher said he could then “change the wind vane correction, or change the network settings to access the web interface that would make it inaccessible. This can certainly be critical for the implementation of a successful attack.” The ICS-CERT has ranked this security issue as 10 of 10 on the standard Common Vulnerability Scoring System (CVSS); the organisation considers the flaw dangerous because it can be exploited remotely with little effort.
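To make the CSRF mechanism concrete, the following added example (not the XZERES firmware, ICS-CERT's advisory or the researcher's proof of concept) models a hypothetical password-change handler in a turbine's web interface. The request format, the `turbine.local` and `attacker.example` host names and the `TurbineWebUI` class are assumptions for illustration. It shows the forged cross-site request succeeding against a handler that trusts the session cookie alone, and being rejected once a per-session token and an Origin check are required:

```python
"""Vulnerable vs hardened password-change handler (illustrative example).

Not code from the XZERES product or the ICS-CERT advisory; the request model,
host names and class names are assumptions made for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    """Minimal model of what a browser delivers to a POST handler."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


class TurbineWebUI:
    """Hypothetical management interface with a 'change password' endpoint."""

    EXPECTED_ORIGIN = "http://turbine.local"  # assumed host of the web UI

    def __init__(self, require_csrf_token: bool) -> None:
        self.require_csrf_token = require_csrf_token
        self.admin_password = "initial-pass"
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self) -> Tuple[str, str]:
        """Return the session cookie value and the per-session CSRF token that
        the legitimate password form embeds as a hidden field."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": "admin", "csrf_token": token}
        return sid, token

    def change_password(self, req: Request) -> int:
        """Return an HTTP-style status code: 200 changed, 401/403 refused."""
        sess = self.sessions.get(req.cookies.get("session", ""))
        if sess is None:
            return 401  # no valid session cookie at all
        if self.require_csrf_token:
            # Defence 1: the token is delivered in the page, not the cookie, so a
            # page on another origin can neither read it nor get the browser to
            # attach it automatically. Compare in constant time.
            submitted = req.form.get("csrf_token", "")
            if not hmac.compare_digest(submitted, sess["csrf_token"]):
                return 403
            # Defence 2: browsers send an Origin header on cross-site form POSTs;
            # reject any that is present and not our own. Absence is tolerated
            # here only because the token check above already applies.
            origin = req.headers.get("Origin")
            if origin is not None and origin != self.EXPECTED_ORIGIN:
                return 403
        self.admin_password = req.form["new_password"]
        return 200


def forged_request(session_cookie: str) -> Request:
    """What arrives when a logged-in administrator visits an attacker page that
    auto-submits a hidden form to the turbine: the browser attaches the victim's
    session cookie, but the attacker cannot supply the per-session token."""
    return Request(
        cookies={"session": session_cookie},
        form={"new_password": "pwned"},
        headers={"Origin": "http://attacker.example"},
    )


def legitimate_request(session_cookie: str, token: str) -> Request:
    """The same action submitted from the turbine's own password form."""
    return Request(
        cookies={"session": session_cookie},
        form={"new_password": "N3w-str0ng-pass", "csrf_token": token},
        headers={"Origin": TurbineWebUI.EXPECTED_ORIGIN},
    )


def demo() -> Dict[str, object]:
    """Run the forged request against both handlers and report what happened."""
    results: Dict[str, object] = {}

    weak = TurbineWebUI(require_csrf_token=False)
    sid, _ = weak.login()
    results["vulnerable_forged_status"] = weak.change_password(forged_request(sid))
    results["vulnerable_password_after"] = weak.admin_password

    hard = TurbineWebUI(require_csrf_token=True)
    sid, token = hard.login()
    results["hardened_forged_status"] = hard.change_password(forged_request(sid))
    results["hardened_password_after_forgery"] = hard.admin_password
    results["hardened_legit_status"] = hard.change_password(legitimate_request(sid, token))
    results["hardened_password_after_legit"] = hard.admin_password
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged request carries the victim's cookie and therefore passes the session check, which is exactly why a cookie alone is not evidence that the user intended the action; the token (and, as a second layer, the Origin check) ties the request to a form the user actually loaded from the interface.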

Swiss Authorities investigate cyber-attack during nuclear talks 

Swiss authorities searched a house in Geneva seizing computer equipment which may have been used in a possible cyber-attack on the nuclear negotiations between Iran and the major powers in the city, according to Switzerland's attorney general.

"On 12 May, 2015, a house search took place in Geneva and IT hardware as well as software was seized. The aim of the aforementioned house search was to seize respective information as well as the malware," said the Swiss attorney-general's office in Berne yesterday.

"It was of particular interest to investigate whether the malware infected the respective IT systems."

Austria is also investigating the case, which came to light after Kaspersky Lab said that a new variant of the Duqu malware had been used to hack into several companies, including Kaspersky Lab's own network. Furthermore, the malware, believed to be the work of the Israeli government (which has already denied such claims), was also said to have been used to hack into three luxury hotels that hosted negotiations between Iran and six world powers.

Criminal proceedings have been opened against unknown persons on “suspicions of political espionage”. Law enforcement agencies are believed to suspect the involvement of a foreign intelligence service.

New EU data protection law looms near, but are security teams ready?

The European Union's General Data Protection Regulation is on course to be introduced this year, but politicians and IT security teams are not completely supportive.

The General Data Protection Regulation (GDPR), the successor to the 1995 Data Protection Directive, now appears to be on the home straight to becoming law. 28 ministers in the Justice Council agreed to adopt a “general approach” on the Commission's proposal on the regulation.

“Trilogue negotiations with the Parliament and the Council will start in June; the shared ambition is to reach a final agreement by the end of 2015,” read a press statement.

Key features include the ‘One Stop Shop' rule – where companies will have to deal with a single set of rules on data protection rather than 28 covering each EU member state – the right to data portability and the ‘right to be forgotten', although the Council notes that the latter is “not an absolute right”.

Meanwhile, the Council's view is that data breach fines should be capped at two percent of global annual turnover (or a maximum of €1 million), rather than the up to five percent (or €100 million) previously called for by the European Parliament. GDPR also stipulates that data breaches will need to be reported within 72 hours, that large firms will need to appoint data protection officers, and that all the proposals will apply to non-EU companies that offer services to EU customers.

A study by security vendor Trend Micro indicated that only half of UK IT security teams were aware of the proposed changes, compared to 87 percent in Germany and 65 percent in France.

Researchers call time on poor VoIP server security

Voice over IP (VoIP) attacks are on the rise because of the proliferation of online tools and software which can target these services.

Security consultancy Nettitude has released a report based on its experience monitoring servers for its clients. Surprisingly, it said the attacks on VoIP services – carried out by targeting Session Initiation Protocol (SIP) servers – represented 67 percent of all attacks it recorded against UK-based servers.

By comparison, SQL servers – which represented the second-most attacked category – accounted for only four percent of attacks.

If an attacker gains access at the application layer, they can make calls to long-distance numbers and premium-rate services. In addition to racking up huge phone bills, which can cripple a company's finances, attackers can also interrogate the company phone directory, stealing customers' phone numbers, and even intercept and record calls.

Most surprisingly, 80 percent of attacks took place out of office hours, believed to be because the VoIP server was least likely to be monitored at these times.

Protecting a server involves the same basic computer hygiene principles that apply to other types of servers: put the server behind a firewall, make sure the operating system is patched and updated on a regular basis, and use strong passwords and authentication.
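Since most of the attacks in the report hit SIP servers outside office hours, the cheapest monitoring win is to alert on registration brute force regardless of the time of day. The following added example (not Nettitude's tooling or the report's own method) runs simple detection logic over constructed log lines modelled on Asterisk's `chan_sip` registration-failure notices; the office-hours window, the failure threshold and the sample addresses are assumptions for the example:

```python
"""SIP registration brute-force detector over constructed Asterisk-style logs.

Added example, not Nettitude's monitoring; the log lines below are constructed
and modelled on chan_sip NOTICE messages, and the office-hours window and
failure threshold are assumptions for illustration.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a burst of failures from one address at 02:14 on a
# Saturday (extension enumeration plus password guessing), one benign typo
# from a staff address on Monday morning, and one unrelated VERBOSE line.
SAMPLE_LOG = """
[2015-06-13 02:14:05] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2015-06-13 02:14:06] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2015-06-13 02:14:06] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '203.0.113.9:5060' - No matching peer found
[2015-06-13 02:14:07] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '203.0.113.9:5060' - No matching peer found
[2015-06-13 02:14:07] NOTICE[2211] chan_sip.c: Registration from '"104" <sip:104@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2015-06-13 02:14:08] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2015-06-15 10:03:41] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '192.0.2.20:5060' - Wrong password
[2015-06-15 10:03:50] VERBOSE[2211] chan_sip.c: Registered SIP '201' at 192.0.2.20:5060
""".strip().splitlines()

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)
ACCOUNT_RE = re.compile(r"<sip:([^@>]+)")

OFFICE_HOURS = range(8, 18)  # assumed 08:00-17:59, Monday to Friday
FAILURE_THRESHOLD = 5        # assumed: failures per source before alerting


def parse_line(line: str) -> Optional[dict]:
    """Extract timestamp, source IP, attempted account and reason, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    acct = ACCOUNT_RE.search(m.group("from"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group("ip"),
        "account": acct.group(1) if acct else m.group("from"),
        "reason": m.group("reason"),
    }


def out_of_hours(ts: datetime) -> bool:
    """True at weekends or outside the assumed office-hours window."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def analyse(lines: List[str]) -> Dict[str, dict]:
    """Aggregate registration failures per source address."""
    stats: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats.setdefault(ev["ip"], {
            "failures": 0, "out_of_hours": 0, "accounts": set(),
            "reasons": {}, "first": ev["ts"], "last": ev["ts"],
        })
        s["failures"] += 1
        s["out_of_hours"] += int(out_of_hours(ev["ts"]))
        s["accounts"].add(ev["account"])
        s["reasons"][ev["reason"]] = s["reasons"].get(ev["reason"], 0) + 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return stats


def suspicious_sources(lines: List[str], threshold: int = FAILURE_THRESHOLD) -> List[dict]:
    """Return one alert per source that crossed the failure threshold, noting
    whether it was enumerating many accounts and whether it ran out of hours."""
    alerts = []
    for ip, s in analyse(lines).items():
        if s["failures"] < threshold:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        alerts.append({
            "ip": ip,
            "failures": s["failures"],
            "accounts": len(s["accounts"]),
            "enumeration": len(s["accounts"]) > 1,
            "out_of_hours": s["out_of_hours"] > s["failures"] / 2,
            "rate_per_min": s["failures"] / (span / 60) if span else float("inf"),
        })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_sources(SAMPLE_LOG):
        print(alert)
```

The one legitimate mistyped password on a Monday morning stays below the threshold, while the weekend burst is flagged with the two signals worth acting on: many different extensions tried from one source (enumeration, typically preceding a targeted password attack) and activity when nobody is watching. In production the same logic belongs in fail2ban or the SIEM feeding a firewall block, which is the “put it behind a firewall” advice above made reactive.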