The Complex

Langevin to reintroduce cyber security legislation in 2013

Congressional Cyber Caucus chair, Rep. Jim Langevin (D-RI), plans to reintroduce cyber security legislation aimed at creating minimal IT security standards for utility, transportation, finance, and communications companies.

The Rhode Island lawmaker, who also sits on the House Permanent Select Committee on Intelligence, plans in the next year to reintroduce his cyberspace executive authority act, a bill from 2010 aimed at giving the executive branch more power to regulate IT security standards for so-called critical infrastructure providers.

"I will reintroduce my cyberspace executive authorities act," Langevin told Killer Apps during a Dec. 13 interview. "It will give regulatory authority to the Department of Homeland Security or other regulatory agencies to regulate critical infrastructure."

In addition, the bill would "create a Senate-confirmed position for the White House Cyber Coordinator." The bill would elevate the White House cyber security coordinator's position to director of what would be a new office, the National Cyberspace Office, with the power to veto federal agencies' IT security budgets as well as the power to establish minimal security standards for federal agencies.

In the meantime, Langevin said he will continue to push for whatever he can get when it comes to legislation aimed at protecting critical infrastructure from cyber attack, noting that he is most concerned about attacks against U.S. power companies.

"The electric grid is what I'm concerned about most, that's where the most damage can be done," said Langevin. "You can understand, if a whole nation or sector was without power for several weeks or months in the dead of winter how that could create great damage to our economy or create loss of life."

"There are attempts to hack into the electric grid all the time, and other areas of critical infrastructure. Every day it's happening; at some point someone's going to get lucky," he added.

The Senate recently failed to pass a cyber security law sponsored by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) that would have established minimal cyber security standards and encouraged information sharing between critical infrastructure providers and the Department of Homeland Security.

"I will continue to work with the majority here on our side, even if that's getting several smaller bills passed through the Congress, and I'll continue to push for broader cyber security legislation like what Lieberman and Collins were trying to do on the Senate side."

When asked about critics who say that even minimal cyber security standards will place unnecessary burdens on businesses, Langevin said, "They have their heads in the sand."


Threat of the week: Zeus

Remember Zeus? No, not the ancient god. We're talking about the nasty little bit of malware that can trick you into believing that you're logged onto your bank's website when you're really on a fake one designed to give criminals your online banking username and password. Earlier this year, the European Network and Information Security Agency told banks to "assume all PCs are infected." One of the worst things about Zeus is that it's an easily purchased piece of software that can be customized, yielding a variety of different sub-bugs that have proven very difficult to eradicate. Zeus may be old (around since at least 2007), but it ain't dead yet -- by a long shot. So here's an edited Q-and-A update on the threat we conducted yesterday with Meaghan Molloy, an analyst with the IT security firm Mandiant:

Killer Apps: How extensive is the problem today?

Molloy: Earlier this year, in response to a Zeus campaign "High Roller" that was targeted at high-balance accounts, the European Network and Information Security Agency (ENISA) advised that banks should assume that all PCs are infected. In 2011, a variant of Zeus [Zitmo, aimed at breaking into bank customers' mobile banking apps] was behind the theft of an estimated $47 million from 30,000 European individuals and corporate customers. This is by no means the total sum of money lost through Zeus. It has been spotted in nearly every country and caused untold hundreds of millions of dollars in damage.

  • There have been numerous other instances of widespread losses due to Zeus over the past several years. For example, in 2010, M86 Security reported that Zeus was responsible for the loss of $1 million from 3,000 compromised accounts in the UK. In the same year, Trusteer reported that a different Zeus botnet had infected over 100,000 systems.
  • Zeus is not a single botnet but rather it is a type of malicious software that encompasses hundreds or thousands of different command and control infrastructures. A criminal is much better able to remain nimble when he can simply set up multiple small infrastructures that are less likely to be exposed and suffer only small losses if they are.
  • While Zeus makes up only a fraction of the millions of compromised computers that Mandiant Cloud Alert tracks on a daily basis, it is massive and standard security measures such as antivirus aren't containing it.

Killer Apps: Is it still making inroads into the U.S.?

Molloy: Yes, absolutely. Here is just one example: Operation Trident Breach in 2010 exposed the theft of $70 million from hundreds of small and medium businesses in the U.S. In an attack lasting 18 months, a Ukrainian gang used Zeus to break into 390 bank accounts belonging to American companies.

Killer Apps: How advanced is the threat? How could it evolve?

Molloy: Zeus is an information-stealing trojan primarily designed to harvest banking credentials using keystroke logging and form grabbing. It can be purchased for the low price of just a few hundred dollars and is highly customizable beyond its basic functionality. Because Zeus is readily available for purchase on many black markets, there is no single Zeus botnet but rather thousands of smaller botnets run by individuals and criminal organizations.

  • In May 2011, the Zeus source code was leaked on underground forums. This has since resulted in several new versions of Zeus appearing in the wild such as ICE IX, Citadel, Zitmo, and GameOver which uses peer-to-peer command and control infrastructure. Some versions of Zeus use sophisticated techniques to avoid detection and takedown such as domain generation algorithms (DGA) and fast flux IP. Citadel offers the botmaster more comprehensive information [about victims] than is typically offered with Zeus, harvesting information on database servers and network configuration. Zitmo, which targets mobile users, is capable of defeating two-factor authentication, a common technique in bank account security.
  • Ongoing development of the Zeus kit that is available for sale and individual customization of the 'open source' versions mean that criminals can and will continue to use Zeus and improve its functionality. As long as it continues to be effective Zeus will remain in use.

Killer Apps: Is there a security solution to Zeus?

Molloy: Unfortunately, there is no single security solution to combat the threat of Zeus. Most Zeus variants communicate with their command and control infrastructure just like regular web traffic. In particular, small and medium-sized companies should ensure that they have strict security procedures in place for any unusual activity on their accounts. They are at the highest risk, since financial institutions do not provide companies with the same money-back guarantee in case of fraud as they do with individuals. Additionally, companies of that size are the least likely to maintain an in-house security team. Maintain up-to-date software, only bank within a virtual machine, and change your passwords frequently, though none of those techniques guarantee your security. Most importantly, individuals and companies should monitor their network traffic for communication with command and control servers.
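Molloy's two points above, that some Zeus variants hide their command and control behind domain generation algorithms and fast-flux IP, and that the most useful defence is watching network traffic for C2 contact, can be turned into a simple triage script. The following is an added example, not code from the article or from Mandiant: it scans constructed DNS resolver log lines (a made-up format of timestamp, client, queried name, answer IP, TTL) and flags names whose leading label looks machine-generated (high character entropy, few vowels) and names that cycle through many IPs with short TTLs. The thresholds are assumptions and will need tuning, since CDNs also legitimately use low TTLs and many addresses.

```python
import math
from collections import defaultdict

# Constructed sample log (not real data): "timestamp client qname answer_ip ttl".
SAMPLE_DNS_LOG = """\
1355400001 10.0.0.12 www.example-bank.com 93.184.216.34 3600
1355400002 10.0.0.12 xk3r9qvz7tplw.info 198.51.100.7 300
1355400030 10.0.0.12 xk3r9qvz7tplw.info 203.0.113.9 300
1355400061 10.0.0.12 kq8zvw2xhn4f.biz 198.51.100.8 300
1355400062 10.0.0.15 mail.example.org 192.0.2.5 86400
1355400063 10.0.0.15 flux-node.example.net 198.51.100.21 60
1355400120 10.0.0.15 flux-node.example.net 198.51.100.22 60
1355400180 10.0.0.15 flux-node.example.net 203.0.113.40 60
1355400240 10.0.0.15 flux-node.example.net 203.0.113.41 60
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_dga(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor first label."""
    label = qname.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowels <= max_vowel_ratio

def analyze_dns_log(log_text, min_ips=3, max_ttl=300):
    """Return DGA-looking names and fast-flux candidates (many IPs, short TTL)."""
    dga, ips, min_ttl = set(), defaultdict(set), {}
    for line in log_text.splitlines():
        _ts, _client, qname, ip, ttl = line.split()
        ips[qname].add(ip)
        min_ttl[qname] = min(min_ttl.get(qname, int(ttl)), int(ttl))
        if looks_like_dga(qname):
            dga.add(qname)
    fast_flux = [q for q, s in ips.items() if len(s) >= min_ips and min_ttl[q] <= max_ttl]
    return {"dga": sorted(dga), "fast_flux": sorted(fast_flux)}

if __name__ == "__main__":
    for kind, names in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(kind, names)
```

Flagged names are leads for analyst review, not verdicts; correlate them with the client that made the query and with outbound HTTP to the resolved IPs before acting.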

Killer Apps: Are there similar threats?

Molloy: SpyEye is another information-stealing trojan focused primarily on banking credentials. In 2011, there were reports of a potential merger between the creators behind both trojans. Regardless, development of both types and subsequent variants is ongoing.