Tag Archives: press

Information Security Intelligence Report for 2010 and Predictions for 2011

Looking back at 2010 shows a widening gap between cybercrime and law enforcement capabilities, in conjunction to nations that have started the cyber-race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 depict organizations that fall behind in their defensive strategies as attackers take advantage of a hybrid approach that merges technical merits alongside human weaknesses to cash-out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical exploits such as Aurora, Mariposa, ZeuS, and SpyEye. Secondly, by attacks that bypassed traditional protection methods, and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves using security mechanisms such as anti- virus software and perimeter defenses, attackers jumped over these defenses, and proceeded to flood the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. However, law enforcement agencies have focused mainly on menial cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, we see nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations to shopping frenzy. As CyberWar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster-boy for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries feel their lack of a critical infrastructure defense and the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build up of capabilities in some countries, and a more hurried shopping spree (that usually led to amassment of CyberCrime provided tools) in others. This, and the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. In the expanding personal digital domain (smartphone, tablets, and suchlike), and the continued digitization of all organizational information (from scanned materials to VOIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.

The Botnet Wars – industry Q&A

I was approached recently by Bart P from Panda security in order to participate in an industry expert Q&A about the botnet wars (apparently he did his homework as he got quite the lineup to participate in this, guessed he can count me as a close miss :-)…).

He managed to compile a great Q&A where you can read some of the views and opinions on the current state of business at the Botnet (including exploit kits and crimeware kits) marketplace.

The full article is available at: http://bartblaze.blogspot.com/2010/10/botnet-wars-q.html

Enjoy!

Learning from stux, and connecting more dots in infosec

So everyone has been fully focused on Stuxnet – trying to figure out (again) what 0-days were involved, how were networks crossed, which command-and-control channels are utilized and how the systems were compromised.

Great.

I’m really hoping that the technical analysis would help us get a better grip on what kind of risk a persistent and well-funded attacker poses to a target. Nevertheless, it’s almost as we have not really learned a lot from past events – and yes, I’m talking about connecting the dots again. This time not in the sense of linking between crime and nation-state, but more in the sense of understanding that the technological attacks are usually coupled with kinetic ones – especially when talking about the more advanced activities.

For starters – stuxnet could not have gotten to where it did without the “human factor”. Someone needed to carry the infected USB thumbdribve and stick it into some system that was in the separate network. Call it a hostile agent, call it a paid off internal agent, or a 3rd party provider that was recruited to provide slightly modified equipment. It had to be done.

Now that we established that the “matrix” could not have just jumped across networks, let’s see what else can we learn from such an incident. As in learn whether this could affect us, and how. Which brings me to the second point:

We got nothing. Nothing in the sense of actual protection. And no, your claims that “our production control and monitoring network is physically disconnected from other networks” does not hold water anymore. It didn’t before either, but now it’s easier to point out how wrong you were.
Not only we got nothing, we keep listening to vendors that are too cheap/lazy to implement proper controls (from proper secure development, to taking into account that security measures would need to live on the systems), and completely lose focus when something proprietary comes along the way. When we should have been kicking vendors in the round ones and making sure that we make ourselves experts in the “proprietary” protocols thrown at us. Time to taste a bit of what we’ve been cooking.

Because stuxnet is not going to be hitting us soon. It’s going to be something much more appropriate for our culture and more targeted towards our soft spots. If delaying a nuclear development plan was on the top of the objective list when the operation that included stuxnet was planned, the counter-plans we would have to defend from would be different.
Think more in the lines of altering the way we perceive reality. Seriously. What if someone would be able to change what the newspapers printed tomorrow morning? What if they could change/affect what we see on TV? And no, this is not science fiction (check out what happened during Cast Led where Israel hacked the palestinian TV station, and how a retaliation effort was mounted and almost succeeded).
Such actions can be pulled out more easily than you’d think. The fact the everyone is focused on the pure technical aspects of defense left us pretty much open on any front that combined both human/social, physical and technical efforts.
Thinks furthermore on how the economy would hurt if the stock exchanges would be provided with false information (remember what happened when computers were involved in making decisions back in May 2010?).

And there’s more. Out travel, insurance and a lot of our financial systems are running on technology that was created back in the time when “strong authentication” means that you had to guess a really cryptic username. That’s right – not even a password is needed. And we are running billions of dollars on these things. They are protected of course – by separation. But network separation is not enough as we have just seen.

So back to connecting the dots. Remember my last rant? (you better!) – that’s exactly where the dots connect. Think critically of the business as a whole. Not in a system by system, or network by network scheme, but in the “how does this business work” scheme. How does the paper get printed at the end of the day? It may be easier to hack into the printing press facility control system than to the editor’s or the publisher’s network. Same goes for financial institutions, hospitals, airports, manufacturers, etc… Identify the weak spots in your industry, not in your office or your network.
And don’t blame me from giving the bad people ideas. They should be considered at least as smart as all of us are (smarter than me for sure 🙂 ). The anger that you are feeling right now reading this, is coming from the pain of sticking your neck out of the sand your head was buried in, and the uncomfortable feeling of getting a grip on reality…
Thanks for taking the red pill, and welcome to the matrix.

Now go and change things.

The Turkish hack and another case for IL-CERT

You have been living under a rock if you haven’t heard of the Turkish hack a couple of days ago. Basically – a Turkish hacker forum that bolsters a strong anti-Israeli attitude has been practicing hacking and mostly defacing Israeli sites for the past few months (years).

Now, this is nothing new, and as I stated before, has been going on for years. I’m not even going to go to the political discussion on whether this is sponsored by the government (or have been turned a blind eye by it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified who on what. A couple of funny things to consider in this incident:

  1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted that they knew of this issue months ago.
  2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with it’s corresponding password).
  3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific point? Let’s see, and now from a perspective of a normal CERT that if would have been here would have addressed these as follows:

  1. Companies that deal with security research can send their insights over local security incidents to a coordinating entity – IL-CERT that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTS and who they constituency is.
  2. Coordination and notification to government related bodies would  be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il account have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
  3. Incident handling support and assistance would have been provided by subject-matter experts to any site that have experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would have probably done a referral as initially it would not be a commercial body).

Simple huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of it’s own internet security…

Cyber[FUD]Fare – repost from fudsec.com

As promised – here is the “official” cross-post from my guest appearance on fudsec.com. Enjoy!

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know… sorry…) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.
I decided to start off with my prior knowledge of CyberCrime (again – definitions aside, some say eCrime, some CyberCrime, some tomato…) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were the Estonia and the Georgia ones.
Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian  – meaning that there didn’t seem to be a Kremlin general high on Vodka that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar that expected – a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that – behold – is attributed to CyberCrime. Almost like someone was trying to push me back to my “place”.
To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you probably are aware of the close ties it has with Russian authorities that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonia neighbors.
But from some greased hands that allow RBN to keep running aloof to “the first true cyberwar” is a long haul…

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it has been closely coordinated with kinetic actions taken on the ground by the Russian forces. Nevertheless, the same deniability factor plays well here – use of botnets operated mainly by CyberCriminal groups was the main attack surface.

Interestingly enough – true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s… These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure 🙂 ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution… Yeah – I’m such a sucker for the media 🙁
Too bad that the latest APT (and that’s the last time you’ll see this acronym here) is just another FUD-happy name for – wait for it – TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! run for your lives…
Seriously now. Whether state sponsored (possible…) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names…), we go back again to the FUD motivation.
According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by – you guessed it – AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up!  The sky is not falling. It’s just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes – even your government (or whatever shell company used to disguise it). Just like we are used to do with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime (BlackHat, DefCon, HackerHalted, Excaliburcon, etc.) and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU and the FIRST conference.