December 07, 2007

FBI warns of three spam hoaxes

The FBI is warning citizens to be on the lookout for three separate email scams — including one that attempts to infect users with malware and two others that seek personal and financial information.

The biggest threat is posed by widespread emails claiming to include a greeting card attachment from friends, co-workers or family members, but unsuspecting clickers are instead diverted to a malicious webpage that attempts to exploit a vulnerability and upload malware, according to an FBI statement issued Tuesday.

Menashe Eliezer, who heads the detection center at anti-virus and anti-spam firm Commtouch, told SCMagazine.com today web-borne threats are getting more sophisticated.

Two other scams claim to be coming from the FBI or a U.S. military official. In the FBI example, the spammers offer lottery endorsements or inheritance money in exchange for a modest up-front payment, the warning said. Emails said to be coming from military leaders allegedly attempt to dupe recipients out of funds that will be used to benefit soldiers stationed overseas.

Spammers use legitimate-looking content, such as pictures and letterheads, to make the emails look like the real thing, the warning said.

"It’s an illegitimate form of marketing, but [spammers] have to deal with the same issues [as real marketers] in terms of getting people to answer their call to action," Rebecca Herson, Commtouch’s senior director of marketing, told SCMagazine.com today. "They’re trying to improve the look and feel of their campaigns the same way legitimate marketers are."

The FBI recommends users delete the "hoax" emails.

"Consumers need to be wary of unsolicited emails that request them to take any action, even if that means just clicking on an attachment," the warning said, adding that clicking could allow viruses or keyloggers to be installed on users’ machines.

Zulfikar Ramzan, senior principal researcher at Symantec, told SCMagazine.com that users should maintain an updated internet security solution, keep patches up to date and avoid following unknown links.

"These spam scams are particularly dangerous as many consumers consider communication from government agencies as credible," he said.

The FBI’s announcement was prompted by a high number of complaints lodged with the Internet Crime Complaint Center. [SC Magazine]

New storm worm run called largest virus attack in two years

The infamous ‘storm worm’ virus attack began another run last week, this one called the largest in two years by messaging security vendor Postini.

The San Carlos, Calif.-based company, which Google announced intentions to acquire earlier this month, said this week that the storm worm attack that began July 16 generated 120 million messages by Friday.

Postini said that the attack is spreading through blended methods, using emails that contain links to malicious websites that exploit vulnerabilities.

The attack was named for the deadly European wind storms that occurred simultaneously with the first attacks this past January. Early attacks arrived with video EXE files with storm-related headings, such as "230 dead as storm batters Europe."

Researchers spotted a storm worm run earlier this month that used messages falsely informing recipients that they received a greeting card from a family member, admirer, classmate or colleague.

That storm worm run was the first of the kind to redirect recipients to a malicious website instead of using a malicious attachment.

The social engineering attack exploited a number of patched vulnerabilities, including ANI, QuickTime and WinZip, to add compromised machines to a botnet.

Adam Swidler, senior manager of solutions marketing at Postini, told SCMagazine.com today that the most recent storm worm attack is five times larger than the previous largest attack.

"[The attack’s] URLs are all using IP addresses instead of domain-based URLs, and that’s a flag we look out for," he said. "I think the biggest thing [about this attack] is the volume, the sustained nature, and it went on for nine days using the blended attack of email and the web to deliver the payload to the PC."

Joe Stewart, senior security researcher at SecureWorks, told SCMagazine.com today that his firm has seen storm worm spam mostly using an ecard as a lure.

"It’s the ecard ploy and the social engineering ploy, and if you go ahead and click on the ecard, it takes you to a page that can get some exploit code through the browser, and if that doesn’t work they prompt you to download the malware," he said.

VeriSign suffers data breach after July laptop theft

VeriSign, the digital certificate vendor responsible for the internet's .com and .net domains, suffered a data breach last month when a laptop was stolen from an employee's vehicle.

An undisclosed number of current and former employees are at risk of identity theft after the burglary, which took place July 12 or 13 in a parking garage in northern California.

The laptop contained names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses of an undisclosed number of VeriSign employees, according to a notification letter sent to victims.

The Mountain View, Calif.-based company revealed that bank account numbers and password information were not stored on the device.

The breach was first reported on the wizbang blog on Friday.

VeriSign said today in a statement that the employee has left the company. The vendor said it is working to shore up its data-protection policies, which were not followed in this case.

VeriSign disclosed that it has "no reason to believe that the thief or thieves acted with the intent to extract and use this information. The local police have said the theft may be tied to a series of neighborhood burglaries."

"VeriSign is committed to making sure current and former employees whose personal information may have been on the stolen laptop have the support they need to monitor their credit and know how to respond if they identify any problems," VeriSign said today in a statement. "The company has a policy on how to manage laptops that contain sensitive information and company data — which in this case was not followed. That policy includes not leaving laptops in vehicles in plain view, keeping the amount of confidential and sensitive data stored on laptops to a minimum, and using data encryption tools to protect those sets of data that absolutely must be stored on a laptop. Going forward, we will continue to review our security procedures to prevent future human errors of this type."

Avivah Litan, Gartner vice president and distinguished analyst, told SCMagazine.com today that laptop thefts have "zero impact on the bottom line," but said she was disappointed to see a security vendor suffer a breach.

"Certainly a missing or stolen laptop is common, but you don’t want to see that event at a managed security services provider," she said. "It lowers confidence in their abilities when they’re subject to the same breaches they’re helping their customers with."

Last month, Kingston Technology, a data security vendor, reported a breach initiated when thieves infiltrated a company computer two years ago. That hacking put the credit card files of 27,000 customers at risk.

Kingston has said that none of the financial information was misused.

IBM was the victim of a data loss incident in May, when a third-party vendor lost an undisclosed number of tapes while transporting them from an IBM location in Westchester County, N.Y., to a permanent storage facility.

Symantec says spam attachments up, image spam down

Traditional image spam is again on the decrease, but attachment spam - containing images as part of Microsoft Office files - is on the upswing, according to Symantec's "State of Spam" report for August.

Image spam accounted for only eight percent of all spam during July, a drastic decrease from January, when it totaled 52 percent of junk email. However, the percentage of all spam at the SMTP layer, 66 percent of all email, was consistent with previous months.

Researchers said that PDF spam increased during July, accounting for between two and eight percent of all spam.

Doug Bowers, senior director of anti-abuse engineering at Symantec, told SCMagazine.com today that the stats contained "nothing that’s a huge surprise," but noted trends showing a drop in image spam and an increase in attachment spam.

"Of note, what we’re seeing is [an increase in] PDFs and the larger trend toward attachment spam," he said. "Last month, it wasn’t clear if spammers were going to stick with this. They seem to still be in the poking-and-prodding stage with other attacks."

Twenty-eight percent of all spam pitched products, ranking it as the most common spam category, followed by financial junk mail at 18 percent, internet pitches at 17 percent, health issues at 13 percent and scams at nine percent.

The Santa Clara, Calif.-based company also saw an increase in the use of spam containing Chinese top level domains.

Symantec reported that it captured 250 million copies of greeting card spam last month.

The content of the cards ranged from everyday greetings to holiday-specific messages, according to Symantec.

Researcher Kelly Conley said on the Symantec Security Response Weblog that some versions of greeting card spam lead to malware downloads.

"Greeting card spam containing links to viruses was seen at higher-than-usual numbers in July. More than 250 million Symantec customers were targeted with these message types. Around the Fourth of July, a particularly large outbreak was seen and blogged on," said Conley. "The content of the greeting cards consists of an exposed IP address in most cases, which is a very good indicator that the card is not genuinely good. These exposed IP address links were downloading trojans onto computers." [SC Magazine]

Microsoft delivers nine Patch Tuesday fixes

Microsoft today plugged 14 vulnerabilities by distributing eight client-side patches, as well as a ninth fix that experts say foreshadows threats posed by virtualization.

Six of the patches fix critical flaws that could permit exploitation by a malicious website. Among those was bulletin MS07-042, which corrects a vulnerability in the Microsoft XML Core Services program that could lead to remote code execution.

This bug is particularly harmful because XML Core Services is a "core part of the operating system…and an underlying piece to the way a lot of Windows software works," Tom Cross, an X-Force researcher with IBM ISS, told SCMagazine.com today.

The security update – one of the largest of the year – also fixes a similar flaw, this one related to an error in object linking and embedding (OLE) technology that permits, for example, a user to copy a chart in Excel and paste it into a PowerPoint presentation, Amol Sarwate, manager of the vulnerability labs at Qualys, told SCMagazine.com.

The other critical patches fix vulnerabilities in ActiveX controls and cascading style sheets (CSS) in Internet Explorer (IE); in the graphics device interface (GDI); in Excel and in the vector markup language (VML) implementation.

The GDI bug "does not require any other application like IE or Excel or Media Player" to run, Sarwate said. "It can be exploited easily if someone downloads or views an image file."

Another two "important" bulletins fixed vulnerabilities in Windows Media Player and Windows Gadgets, a new feature that allows Vista users to, for example, display sports scores in a separate bar. In total, six of the patches affected the new operating system version but only the gadget flaw resulted from code written specifically for Vista.

None of the flaws exist in server-side issues, preventing any "wormable" exploits from occurring, Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com.

"Now you just have to worry about the masses running their desktops and visiting malicious websites," he said.

Experts agreed the most interesting bulletin was MS07-049, an "important" fix that repaired a vulnerability in Virtual PC and Virtual Server, which could permit privilege escalation. If successful, attackers can assume control of the host operating system, giving them access to virtual platforms running beneath the host, Cross said.

Flaws affecting these types of machines are likely to increase as more companies sign on to the cost-savings attraction of virtualization, he said. About 35 percent of U.S. and European firms employ virtualization, he said, citing statistics from Forrester Research. [SC Magazine]

46,000 job hunters victimized by malicious recruitment ads

The personal information of approximately 46,000 job seekers has been stolen from major job hunting websites by hackers using the so-called Prg trojan.

"[The hackers] are injecting their ads with the trojan," said Don Jackson, the SecureWorks researcher who discovered the scheme as well as the original Prg trojan. "When a user views or clicks on one of the malicious ads, their PC is infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL protected sites, is being captured and sent off to the hacker's server in Asia Pacific."

He said that information stolen includes names, Social Security numbers, bank and credit card account numbers, online payment account user names and passwords.

SecureWorks discovered the names after developing countermeasures "to detect the network traffic" generated by the Prg trojan on infected systems, Jackson told SCMagazine.com.

"We deployed the [countermeasures] on clients’ systems, then watched where the network traffic was going and followed it to the server [in Asia]," he said. "This one server is still collecting stolen data, and at any one time, we’re seeing 9,000 to 10,000 victims sending information."

Jackson said that the aggregators who sold the hackers ads are apparently unaware that the ads contain links to malicious sites. The malware uses vulnerabilities in Windows, QuickTime, and ActiveX controls to infect users’ systems with executables that collect personal information, such as passwords.

"Anti-virus software has a hard time finding it because of the way it hides itself and also because it changes executables so frequently – the hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker," he said. "Once the anti-virus stops one version, another rolls in and gets through to vulnerabilities the user has not applied patches for."

Because anti-virus software solutions "are not good at catching this, the best way to protect yourself is to patch the operating system and everything else," Jackson said.

Computers infected with the Prg trojan will have a back door proxy server listening for connections on port 6081, according to Jackson.

"This port is in not assigned to legitimate services and is not hidden by the root kit functionality. If port 6081 is open on your computer, you are likely infected with the Prg trojan," said Jackson.

Victims whose anti-virus is not detecting the infection should boot the computer into Safe Mode and run an anti-virus scan. "If that fails, manual removal or reinstalling the operating system may be necessary," Jackson said.

AOL phisher pleads guilty in ID theft scheme

A 23-year-old man accused of sending spam and phishing emails that targeted AOL subscribers pleaded guilty Wednesday in federal court, the U.S. Department of Justice (DOJ) announced.

Michael Dolan, who lists West Haven, Conn. and North Miami Beach, Fla. as previous addresses, agreed to plead guilty to a pair of criminal counts brought against him by the U.S. attorney in Connecticut. One count charges him with conspiracy to commit fraud, the second with aggravated identity theft.

From 2002 to 2006, Dolan worked with several other unidentified individuals to steal names, credit card and bank account numbers, and Social Security numbers via spam and phishing emails sent to AOL subscribers.

Dolan's scheme employed malicious software to collect AOL account names from chat rooms, authorities said. He then sent electronic greeting cards purporting to be from Hallmark.com to the AOL users; opening the card downloaded a trojan that prevented AOL subscribers from logging into their account without entering personal information, such as credit card and Social Security numbers.

Dolan used the harvested information to order products online and produce counterfeit debit cards, which were then used at ATM machines and retail stores, authorities said. On Sept. 26, 2006, Dolan was caught with the private and financial information of 96 individuals, according to the DOJ.

The plea agreement calls for Dolan to spend 84 months in prison, then remain on supervised probation for two to three years, and pay a fine of $250,000, plus other fees. Dolan must also make restitution to victims, including covering loss of income.

He is scheduled to be sentenced Nov. 14. [SC Magazine]

Hackers spread worm via Skype IM

A worm posing as a link to glamour model images has been spread via the Skype IM chat system, it was reported today.

Hackers launched the Pykse-A worm via Skype instant messages. Any recipients who click on the link inadvertently infect their computer with a trojan that downloads and installs the worm.

"Once it's up and running, the Pykse-A worm attempts to connect to a number of remote websites, presumably in an attempt to generate advertising revenue for them by increasing their number of 'hits'," said Graham Cluley, senior technology consultant for Sophos. "It's another example of the methods that malware authors can use to make money."

Last year 63 per cent of system administrators said that blocking VoIP was essential in order to protect corporate networks, according to a poll conducted by Sophos. The survey also found that 86 per cent of respondents wanted the power to control the use of the internet telephony service in an attempt to protect their company systems.

Skype blames downtime on Patch Tuesday re-start, not hackers

A simultaneous reboot of computers automatically installing the latest Microsoft patches set off a widespread Skype outage last week, the VoIP company announced today.

"The high number of re-starts affected Skype’s network resources," the company said on its Heartbeat blog. "This caused a flood of login requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact."

The company said normally the service can withstand this type of event through an "inbuilt ability to self-heal." However, the incident, which began Thursday, unearthed a vulnerability in the service’s network resource allocation algorithm, which prevented the self-healing component from working.

Skype’s announcement today dispelled rumors that hackers were responsible for the DoS attack. A poster on a Russian forum claimed the crash was caused by exploiting a buffer overflow vulnerability by sending malformed requests to Skype’s authorization server. The exploit code was posted on a Romanian website.

"We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk," the company said, adding that it has instituted software improvements to prevent a similar incident from happening in the future.

Peter Thermos, chief technology officer of Palindrome Technologies and a VoIP expert, told SCMagazine.com that he finds it odd that a buffer overflow exploit was revealed, but the outage was blamed on Microsoft security updates.

"If [a crash due to patch updates] happened, I’d assume it would happen when Skype was taking off, when they were beginning to become well-known as a peer-to-peer communications company," he said.

Since its launch about four years ago, Skype has faced its fair share of criticism from security experts. Last year, the Burton Group recommended enterprises should evaluate whether the closed-source Skype fits into their information protection posture.

In March, variants of the Stration worm used Skype as a vector to spread.

Experts have warned internet telephony is at risk from such threats as toll fraud, eavesdropping and phishing.

"This disruption was unprecedented in terms of its impact and scope," Skype said. "We would like to point out that very few technologies or communications networks today are guaranteed to operate without disruptions."

Skype, owned by eBay, reportedly has more than 200 million registered users.

Attackers steal Monster.com user information

Was Monster.com hacked, or did someone take advantage of one of the popular website's fundamental business processes to harvest the personal data of hundreds of thousands of job hunters?

Security researchers at Symantec say the former. Kevin Mandia, a computer forensics expert, believes it might be the latter.

In any case, what is known is that a new trojan, called Infostealer.Monstres, was attempting to access the Monster.com online recruitment website.

"The trojan appears to be using the [probably stolen] credentials of a number of recruiters to login to the website and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec researcher Amado Hidalgo said in blog post.

"The trojan sends HTTP commands to the Monster.com website to navigate to the Managed Folders section," he added. "It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter's saved searches."

The trojan extracted personal information from the resumes and uploaded it to a remote server, Symantec said. The researchers found 1.6 million pieces of compromised data on a single server. Separately, SecureWorks’ researchers found about a dozen smaller collections of stolen data, which included names and home and email addresses.

The perpetrators then used the collected email addresses to send phishing messages to job hunters whose information was stolen, SecureWorks said.

Mandia, chief executive officer of Mandiant, said he questions whether Monster.com was in fact "hacked."

"I don't see any evidence that Monster.com was hacked at all — it looks like a business process was compromised," he told SCMagazine.com today.

"I'm not convinced data theft is the right definition" for what occurred, he added. "This is a site that collects people's resumes that are publicly available. Monster.com is a site that people pay to find perspective employees, and someone used an account for data mining so they could send spam. I would imagine something like this could have been happening for years."

Symantec said it has told Monster.com of the problem so it can shut down the recruiter accounts stolen by the trojan.

A Monster.com spokesperson did not return a telephone call seeking comment.

source: SC Magazine


Monster takes down ‘pirate’ server with stolen user information

Monster.com, the job recruitment website that suffered a data breach triggered by the Infostealer.Monstres trojan, said it has closed a "pirate" server housing the personal information of hundreds of thousands of job hunters.

The server contained the names, addresses, phone numbers and email addresses of Monster.com job seekers "primarily located in the United States," Monster.com said in a prepared statement. The company did not say where the server was located.

Reports early in the week from security vendor Symantec said researchers had located a server containing 1.6 million records of hundreds of thousands of Monster.com users. The company, however, said it was still working to pinpoint the exact number of people affected by the breach and that it "will be contacting them as appropriate."

According to Symantec, unknown individuals stole the login information for companies looking for employees, then used that information to access Monster.com's job-seeker database. The automated Infostealer.Monstres trojan transmitted the job-seeker information to the server.

In the final step of the multi-stage attack, the Monster.com users were sent emails with links to at least two forms of malware. One attempts to harvest login details for financial sites, while the second tries to encrypt data on the user's PC, then demands a ransom to decode the data.

The company warned visitors to its website to "contact us to verify its legitimacy" should they receive an email asking them "to download a tool or update your account or access agreement."

It also urged visitors to "run an anti-virus application to remove anything that may have been installed on your computer, and contact a Monster representative to have your Monster account password changed," if they believe they clicked on a link in one of the fraudulent email messages.

"Regrettably, opportunistic criminals are increasingly using the internet for illegitimate purposes," Monster.com said. "This problem spans the web, particularly websites that receive heavy traffic and serve a variety of users. All online companies are susceptible to occasional scams. While Monster makes every effort to prevent this abuse, it is not immune to such activity."

Monster.com waited days before informing users of breach

The employment website Monster.com, which suffered a huge malware attack this week, waited five days before informing its users that their personal data had been hacked, an executive at the company has revealed.

Patrick Manzo, vice president of compliance and fraud prevention at the New York-based firm, told the Reuters news agency yesterday that the company first learned of the hacking attack on 17 August, when security experts at Symantec told them of the data breach.

Monster.com subsequently posted an advisory notice on its website on 22 August to inform customers of the incident.

Researchers at the security vendor detected the Trojan, called Infostealer.Monstres, which accessed over 1.6 million entries of personal information belonging to several hundred thousand people, mainly based in the US, from the online recruitment site.

Monster.com has also revealed that it has shut down the server that was used to store the compromised information. The company traced the fraudulent servers used in the attack back to the Ukraine and they were closed down on Monday.

The hackers stole personal data, including names, email addresses, home addresses and telephone numbers, in the assault; the data was then uploaded to the server.

The online recruitment company also said that it has started to contact all of the users whose personal data was taken during the attack.

Calum Macleod, European director for Cyber-Ark, believes things could get worse for Monster.com, as the hackers could use the personal details to commit identity theft crimes, which could lead to lawsuits against the company.

“By encrypting the details, even if the attackers succeeded in downloading the files, the fact they were protected would render the data unreadable and therefore unusable,” he said.

Source: SC Magazine

Attack on Monster.com affects 146,000 USAJobs.gov subscribers

About 146,000 users of USAJobs.gov had their personal information compromised in recent attacks on Monster.com, the U.S. Office of Personnel Management (OPM) disclosed this week.

The breach affected approximately eight percent of the two million USAJobs.gov users, OPM announced in a news release on Wednesday.

Monster administrates the USAJobs.gov website for OPM, the agency in charge of the civil service.

Information breached in the attack includes names, email addresses and telephone numbers. No Social Security numbers were compromised, according to OPM.

The breach was part of a multi-layered attack on Monster, in which hackers used credentials to access the site, then spread a trojan to capture names, email addresses and telephone numbers of job seekers.

That stolen information was used to deliver spear phishing emails to job seekers, requesting financial details or recruiting individuals to join the scam.

Experts have told SCMagazine.com that such multi-layered attacks will become more common in the future.

OPM published a security notice on USAJobs.gov and reminded users that they will not be asked to provide personal information in unsolicited emails.

Users of the website who receive phishing emails should report them to mayday@fedjobs.gov, according to OPM.

OPM is sending letters to all affected subscribers.

OPM spokesman Peter Graves told SCMagazine.com that the agency should complete email notification of all 2 million users today. Monster officials said this week that they’re beefing up security measures in response to the recent data theft that exposed the personal information of 1.3 million subscribers.

Hijacked Bank of India website downloads malware

The website of one of the leading Indian financial services companies is back online after U.S. researchers discovered it was downloading a wide range of malware to customer PCs.

Sunbelt Software discovered Thursday afternoon that the Bank of India's website had been compromised and was distributing about 30 types of malware, Alex Eckelberry, Sunbelt CEO, told SCMagazine.com. Sunbelt learned that the site had become compromised while researching another malware issue. The company contacted the Bank of India, which shut the site down about 2 a.m. EST Friday to clean the server, he said. The site is up and running again.

"We tracked communication with [the other malware] to the Bank of India site," Eckelberry said. "We're fairly certain this was done by the Russian Business Network (RBN), an underground criminal gang in Russia responsible for a lot of bad things on the internet."

The exploit appeared to be a malicious IFRAME, which took advantage of a Microsoft Windows 2003 server running the Bank of India site, he added. The IFRAME downloaded a wide variety of malware to PCs that have not been patched since August 2006, Eckelberry said.

Among the distributed malware were variants of TSPY_AGENT.AAVG and Trojan.Netview, several rootkits and a Trojan.Pandex. The former steals information from active windows on vulnerable end-user PCs, as well as information collected by a keylogger, network configuration and user names and passwords from POP3 and SMTP email protocols.

The collected files were uploaded to an FTP server in Russia, according to Sunbelt.

"Bank of India had a hole in its systems, and the Russians took the opportunity to insert code into the page," Eckelberry said. "The same thing happened to the Super Bowl site earlier this year."

Pentagon servers attacked, but by whom?

Is the Chinese military responsible for recent attacks on Pentagon computers?

That's the question after numerous reports surfaced claiming that the People's Liberation Army of China hacked into a system in the office of U.S. Defense Secretary Robert Gates in June.

In a statement published Tuesday, Pentagon spokesman Bryan Whitman confirmed that a system in Gates' office was hacked in June.

He declined, however, to identify the origin of the attack.

China has denied any involvement in the attacks.

"Cyber- or non-kinetic type threats to military computer networks are viewed as just as real and just as significant as physical or kinetic threats," Whitman said in the statement. "The department aggressively responds to deter all intrusions to defend what is known as the GIG, the global information grid."

Herb Strauss, vice president and national security analyst at Gartner, told SCMagazineUS.com today that finding the origin of possible state-sponsored cyberattacks is no easy task.

"A number of attacks have emanated from China," he said. "This is just one in a series, and the question, the issue that makes it so hard, is answering when it's government-sponsored."

Many countries have developed what Strauss called "military capabilities in cyber-warfare." In addition, he believes that "every country with some form of IT is looking at how to protect itself and how to attack in the event of attack on itself. This was brought home by the Russian attacks on Estonia, which essentially took [Estonian financial institutions] offline."

Strauss emphasized that just because the attack “originated in China doesn't necessarily make it a Chinese government attack.”

"It could be an attack managed from Bermuda that originated in servers in China," he said.

Strauss said these types of attacks are launched in response to major geo-political events. One such event occurred in April 2001 when a U.S. Navy surveillance plane collided in midair with a Chinese jet fighter.

“[It created a] big flurry of activity, and American citizens not with the government [were] trying to hack into Chinese government sites," he said.