TechByter Worldwide

Speak softly and carry a large microphone


Sep 11, 2016

The Unexpected Attack is Coming

September 11th is an appropriate date for discussing the threat posed by having our own technology turned against us. In 2001, it was airplanes flown into buildings. The next gathering storm, 15 years later, involves the internet and a lack of preparation for how it could be used against us. But if I tell you an unexpected attack is coming, is it really still unexpected?

I've been reading several books by authors who have the experience to know what they're talking about and today I'll share some of the troubling information from those books. This is not a pleasant topic, but it's an essential one.

Glass Houses (Joel Brenner)

Joel Brenner is the former senior counsel at the National Security Agency. Before that, he served as the national counterintelligence executive in the office of the director of National Intelligence and as the NSA’s inspector general. He is a graduate of the University of Wisconsin at Madison, the London School of Economics, and Harvard Law School. His book describes espionage and warfare on the digital battleground. He says that all of us -- including businesses and governments -- inhabit glass houses that are transparent to a new generation of spies who operate remotely from such places as China, the Middle East, Russia, and even France.

No Place to Hide (Glenn Greenwald)

In May 2013, Glenn Greenwald set out for Hong Kong to meet an anonymous source who claimed to have astonishing evidence of pervasive government spying. That source turned out to be the NSA contractor Edward Snowden. Snowden's revelations began a debate over national security and information privacy. Privacy and security are always at odds with each other. We should have a reasonable expectation of privacy and a reasonable expectation of security. But what's "reasonable"?

Future Crimes (Mark Goodwin)

By far the most troubling of the three books, Future Crimes was written by Mark Goodwin, who was "futurist-in-residence" with the FBI, worked as a senior adviser to Interpol, and served as a street police officer. As the founder of the Future Crimes Institute and the Chair for Policy, Law, and Ethics at Silicon Valley’s Singularity University (a think tank), he continues to investigate the intriguing and often terrifying intersection of science and security, uncovering nascent threats and combating the darker sides of technology.

The Threat

Businesses, governments, and our infrastructure are constantly being attacked. In more cases than we'd like to admit, the bad guys are able to obtain proprietary data, user credentials, or other valuable information. Goodwin says "Our electrical grids, air traffic control networks, fire department dispatch systems, and even the elevators at work are all critically dependent on computers. Each day, we plug more and more of our daily lives into the global information grid without pausing to ask what it all means. [Thousands have] found out the hard way.... But what should happen if and when the technological trappings of our modern society—the foundational tools upon which we are utterly dependent—all go away? What is humanity’s backup plan? In fact, none exists."

Thieves and terrorists have learned about the importance of being quiet as they prepare their attacks. The threats change so quickly that protective software is all but useless. That doesn't mean you should stop using anti-malware and anti-virus applications, but it does mean that it's important not to assume that they will catch every threat that's thrown at you. They won't. If a crook or a terrorist wants your computer, your computer will be theirs. Fortunately, most attacks use antiquated methods that the protective applications know about. Your computer won't even notice some of the new, sophisticated threats.

In 2010, the AV-Test research firm in Germany said 49 million strains of computer malware existed in the wild. A year later, McAfee said it identified 2 million new types of malware every month. And in 2013, Russia's Kaspersky Lab said that it identified 200,000 new types of malware every day. These numbers need to be considered in terms of who is reporting them: cyber-security companies. These companies might tend to inflate the numbers by reporting nearly identical types of malware as something new. But if Kaspersky's number is inflated by a factor of 100 and the real number of new bits of malware is "only" 200 per day, that's still 73,000 new threats every year.

Marcus Jacobssen, a long-time cyber-security expert, wrote recently on his blog: "Online crime is going through an upheaval. Only a few years ago, the typical on-line crime involved scammers email blanket bombing anybody they could reach, offering recipients discounted Cialis and posing as Libyan widows (although normally not in the same email). While such abuse is still taking place, this type of crime has shifted sharply to targeted attacks, whether involving malware used for extortion or using social engineering to extract money or proprietary data. The move to targeting, fueled by breaches and a dearth of public information, increases yields by making the messaging more credible and by circumventing traditional security technologies. The poster child of targeted email attacks is business email compromise (BEC), which the FBI reports has increased 1300% since 2015. Email is an indispensable tool for enterprises and individuals … and for criminals."

Goodwin again: "According to Verizon’s 2013 Data Breach Investigations Report, most businesses have proven simply incapable of detecting when a hacker has breached their information systems." The survey was conducted by Verizon in conjunction with the US Secret Service, the Dutch National Police, and the UK Police Central E-crimes Unit. "[O]n average 62 percent of the intrusions against business took at least two months to detect. A similar study by Trustwave Holdings revealed that the average time from the initial breach of a company’s network until discovery of the intrusion was an alarming 210 days."

But that's just the business side of the equation. What happens when the thieves attack government agencies? In Glass Houses, Brenner notes "Pentagon information systems have been under attack since at least 1998. In August 2006, Major General William Lord of the air force let the public in on the secret when he mentioned that massive heist of up to twenty terabytes. To carry this volume of documents in paper form, you’d need a line of moving vans stretching from the Pentagon to the Chinese freighters docked in Baltimore harbor fifty miles away. If the Chinese tried to do that, we’d have the National Guard out in fifteen minutes. But when they did it electronically, hardly anyone noticed. As it happens, the data were stolen from the Pentagon’s unclassified networks, but those networks hold lots of sensitive information—including the names and private identifying information of every man and woman in the US armed forces."

According to Mark Goodwin, "In 2008, the top secret design specs for the president’s Marine One helicopter were found freely available on-line, hosted on a peer-to-peer (P2P) network in Iran. These P2P networks allow for easy decentralized file sharing and are most often associated with the distribution of pirated films and music on the digital underground. How did the top secret plans and capabilities of one of the most technologically advanced helicopters in the world end up in the hands of the Iranians? Simple. A military contractor in Bethesda, Maryland, working on the Marine One project decided he wanted to listen to free music on his work laptop. When he downloaded the popular P2P sharing software, he accidentally and unknowingly installed the program in the wrong directory on his computer. As a result, the plans and defensive security features of the military helicopter that shuttles the president from the White House to Air Force One leaked to P2P music-sharing networks around the world, including those in Iran. For the want of free music, a billion-dollar military project was compromised, and the blueprints for the president’s Sikorsky VH-3D helicopter ended up on a peer-to-peer network in Iran, hosted next to the pirated songs of both Michael Jackson and Shadmehr Aghili, the undisputed king of Persian pop. The former military contractor, interrogated by both the FBI and the Department of Defense, admitted his error, but by then the damage had been done. Our global interconnections and never-ending storage of more and more data mean leaks are inevitable."

And utilities. Brenner says that we can't ensure the safety of our infrastructure such as electric grids, financial systems, air-traffic control, and other networks. "All these systems run electronically; all run on the same public telecommunications backbone; and increasingly all run on commercial, off-the-shelf hardware and software that can be bought anywhere in the world. Many of these systems have already been penetrated by criminal gangs or foreign intelligence services—sometimes to steal, sometimes to reconnoiter for uncertain purposes—using offensive tools that are often more effective than our defenses. All of these systems could become targets for disruption in wartime or even during a lower-grade conflict like a diplomatic standoff."

Both Goodwin and Brenner note that most nation states today exist in a continual state of conflict. The US and China are not at war. In fact, the two nations are partners in commerce, but there's no question that Chinese hackers have been able to break in to numerous commercial enterprises to exfiltrate proprietary data and into government agencies such as the Department of Defense to obtain information about technology and plans. Russia and Iran are also implicated, but so are our allies -- Israel and France, for example.

An example: The US Office of Personnel Management learned something was wrong in March of 2014 when they received a warning from the Office of Homeland Security's Computer Emergency Readiness Team (US-CERT) that data was being exfiltrated from its network. The connection wasn't shut down right away. Instead, OPM and US-CERT worked together to monitor the attack.

One hacker was attempting to gain clearance for employee background information. In May of 2014, OPM shut that hacker out of the system, but another hacker gained access in June and continued to have access until near the end of August. In December 2014, 4.2 million personnel records were exfiltrated.

Now an analysis by the House Oversight and Government Reform Committee says the incident could have been avoided. The 241-page report concludes that the OPM failed to implement basic security controls prior to the intrusion and failed to respond quickly enough once they knew about it. A copy of the full report is available on the Oversight Committee's section of the House website as a 110MB PDF document.

On a Smaller Scale

We may expect privacy, but many of us make huge amounts of personal information public via social media. Google knows more about most of us than the NSA, FBI, CIA, the UK's MI5, Russia's GRU, and Israel's Mossad -- combined. Google profiles you, stores the information, and sells you to advertisers. Brenner says that Google processes about 24 petabytes of data every day. That's 1 million gigabytes. Every day! And in print form, a single gigabyte of information would fill about 10 yards on a bookshelf.

"If all the data Google processed on a daily basis were printed and those books were stacked on top of each other, the pile of books would reach halfway from earth to the moon."

In 2014, the most recent year for which Brenner had figures, every minute of every day we collectively:

  • Sent 204,166,667 e-mail messages
  • Queried Google’s search engine 2 million times
  • Shared 684,000 pieces of content on Facebook
  • Sent out 100,000 tweets on Twitter
  • Downloaded 47,000 apps from the Apple App Store
  • Uploaded 48 hours of new video on YouTube
  • Posted 36,000 new photographs on Instagram
  • Texted 34 million messages on WhatsApp

Changes in Protective Software

Developers of protective applications have started what will probably be a long-term trend of acquisitions and mergers. Smaller operators are acquired by larger ones and they, in turn, are acquired by still larger organizations. This week Intel announced that it has begun the process of returning McAfee to the wild.

Intel sold 51% of the company to investment firm TPG and will retain the other 49%. TPG will pay Intel $3.1 billion in cash, which makes the deal a slight money loser for Intel. The company bought McAfee in 2011 for $7.7 billion, so it's a loss of about $600 million on the portion of the company sold.

Apparently someone at Intel thought acquiring McAfee would help the company improve its hardware security, but the threat landscape is now more cloud-based than computer-based. According to the Intel announcement, the new McAfee will be one of the largest pure-play cyber-security companies and will be valued at $4.2 billion. If "pure-play" is a new term to you, as it was to me, it means probably what you expect it to mean: a company that focuses exclusively on a particular product or service in order to obtain a large market share.

In a letter to stakeholders, Intel Security general manager Chris Young said that Intel will continue partnering with the McAfee unit on security. Young will head the new company and the deal should close sometime in the 2nd quarter of 2017.

The Takeaway

Government should be doing more than it is to force utilities to harden their automated management systems. Companies should be doing more than they are doing to protect customers' data. Individual computer users should take time to understand the threats that are arrayed against all of us.

Pleasant dreams!

Short Circuits

Dangers of Bring Your Own Device (BYOD)

Bring your own device (BYOD) is today's incarnation of the original intrusion of the PC into the workplace. Managers bought early Apple computers, took them to the office, and used them to process corporate data faster than they could have it done on mainframes. Now it's phones and tablets.

IT didn't like it back then, but the intrusion of consumer electronics into the workplace wasn't much of a threat because nothing was connected to the network. Now the internet connects every device to every other device and BYOD presents significant dangers.

Among the hazards: data breaches caused by missing security protocols or encryption on devices or by skipped operating system updates, data leakage when device software isn't kept current, and malware on the device finding its way onto the corporate network. Every company has tech-savvy employees who try to bypass restrictions or misuse Wi-Fi, and careless ones who lose their personal devices.

Personal devices should pose no greater danger than company-issued hardware, with one important consideration: primary efforts should focus on securing the core of the system first and then work outwards through access control, authentication control, and device control.

Create a structured network segmentation strategy: A tiered networking structure might include a public network, a private intranet network, and a network for secure limited access. This allows public and unauthorized devices to reach the internet through the public network, while authorized devices get the secure networks -- and to use those, devices must meet your BYOD standards. The secure network should be super-tight, IP-restricted, user-limited, and behind a VPN.

Limit access to systems through a single point and apply fine-grained access controls: If access is always through a central point you can add role-based access to limit who has the right to use which systems and information. It's important to work on the principle of least privilege here to ensure employees only have access to the services they really need.

Control who has access to what, both inside the office network and outside it, and restrict certain file shares or applications to the office network only so that they can be audited and monitored for data leakage.

Increase authentication to corporate resources: This means introducing identity and access management (IAM) and single sign-on (SSO) technology to ensure that the network is being accessed securely through correct identity mapping, correct access assignments, and authentication flows.

Manage your devices: Once the network is under control through IAM, segmented networks, VPN access, and fine-grained access, it's time to think about managing BYOD with technology that manages what is installed on these devices, monitors their use, and can lock them or erase them if they're lost or stolen.
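The five steps above (segmented tiers, a single access point with role-based least privilege, office-only resources, IAM authentication, and device management that can lock a lost device) can be expressed as one policy decision. The following is an added example written for this page, not code from the article or from any product it mentions; the tier names, rule order, sample users, devices and resources are all assumptions made for illustration.

```python
"""Tiered-network access decisions for BYOD, as a small policy engine.

Added example, not from the original article. Tiers ("public", "private",
"secure"), locations ("office", "vpn", "internet") and the sample data below
are constructed assumptions used only to demonstrate the checks.
"""
from dataclasses import dataclass


@dataclass
class Device:
    owner: str
    encrypted: bool
    os_patched: bool
    mdm_enrolled: bool          # managed: can be locked or wiped if lost
    reported_lost: bool = False

    def meets_byod_standard(self) -> bool:
        """The BYOD standard a device must satisfy before it may leave the
        public tier (assumed standard: encryption, patches, MDM, not lost)."""
        return (self.encrypted and self.os_patched
                and self.mdm_enrolled and not self.reported_lost)


@dataclass
class Resource:
    name: str
    tier: str                   # "public", "private" or "secure"
    allowed_roles: frozenset    # least privilege: explicit grants only
    office_only: bool = False   # audited shares reachable only on-site


@dataclass
class Request:
    user: str
    roles: frozenset
    device: Device
    location: str               # "office", "vpn" or "internet"
    authenticated: bool         # passed the IAM / SSO flow


AUDIT = []                      # every decision is recorded for monitoring


def _evaluate(req: Request, res: Resource) -> str:
    """Apply the checks in the order the article lays them out."""
    if res.tier == "public":
        return "allow"          # guest network: internet only, no checks
    if not req.authenticated:
        return "deny: not authenticated through IAM/SSO"
    if req.device.owner != req.user:
        return "deny: device not registered to this user"
    if not req.device.meets_byod_standard():
        return "deny: device fails BYOD standard"
    if res.office_only and req.location != "office":
        return "deny: resource restricted to office network"
    if res.tier == "secure" and req.location not in ("office", "vpn"):
        return "deny: secure tier reachable only from office or VPN"
    if not (req.roles & res.allowed_roles):
        return "deny: role not granted (least privilege)"
    return "allow"


def decide(req: Request, res: Resource):
    """Return (allowed, reason) and append an audit record."""
    reason = _evaluate(req, res)
    AUDIT.append({"user": req.user, "resource": res.name,
                  "location": req.location, "result": reason})
    return reason == "allow", reason


def report_lost(device: Device) -> None:
    """Device-management action: mark the device lost so every further
    request is denied (a real MDM would also push a remote lock or wipe)."""
    device.reported_lost = True


# Constructed sample data (not from the article).
LAPTOP_OK = Device(owner="alice", encrypted=True, os_patched=True, mdm_enrolled=True)
PHONE_STALE = Device(owner="alice", encrypted=True, os_patched=False, mdm_enrolled=True)
HR_SHARE = Resource("hr-fileshare", "private", frozenset({"hr"}), office_only=True)
FINANCE_DB = Resource("finance-db", "secure", frozenset({"finance"}))
GUEST_NET = Resource("guest-internet", "public", frozenset())


def demo():
    """Walk through the typical cases and return the decision reasons."""
    alice = dict(user="alice", roles=frozenset({"hr"}), authenticated=True)
    guest = dict(user="guest", roles=frozenset(), authenticated=False)
    return [
        decide(Request(device=LAPTOP_OK, location="office", **alice), HR_SHARE)[1],
        decide(Request(device=LAPTOP_OK, location="vpn", **alice), HR_SHARE)[1],
        decide(Request(device=PHONE_STALE, location="office", **alice), HR_SHARE)[1],
        decide(Request(device=LAPTOP_OK, location="vpn", **alice), FINANCE_DB)[1],
        decide(Request(device=LAPTOP_OK, location="internet", **guest), GUEST_NET)[1],
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: authentication and device compliance are evaluated before any role is consulted, so an unmanaged phone never gets as far as the role table, and the audit list gives the monitoring hook the article asks for on office-only shares.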

The next challenge: WYOD (wear your own device). Wearable computing devices will probably make BYOD look a lot like those original Apple II computers on a manager's desk.

Check a Site's Security

Wouldn't it be great if you could ask someone about a site before you visited it, particularly when someone has sent you a shortened link that gives no clue about what the site is? Well, you can do just that, but with the understanding that it's not perfect.

OnlineLinkScan can help you to avoid potentially dangerous sites, but it's important to understand that it's an automated tool and a site that's deemed to be safe may not really be.

Scammers often use misspellings of common names (microsfot, for example, instead of microsoft). In this case, Microsoft has registered that misspelling and redirects requests to the company's home page. The same is true for gooogle.com (with an extra o) -- Google has licensed it. You can't count on any organization to think of every possible misspelling of their domain name, though, and it's even more challenging when somebody sends you a link like this: http://safeshare.tv/w/FEDEwZHZXU.
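A lookalike check of this kind can be automated before anyone clicks. The script below is an added example for this page, not code from OnlineLinkScan or any other tool the article names: it extracts the registrable domain from a link, measures how many single-character edits (including the transposition in "microsfot" and the extra letter in "gooogle") separate it from a short list of known names, and reports "known", "lookalike" or "unknown". The brand list is a constructed assumption; a shortened link such as the safeshare.tv one simply comes back "unknown", which is the cue to look it up rather than trust it.

```python
"""Flag link domains that are misspellings of well-known names.

Added example, not part of the original article. KNOWN_DOMAINS is a
constructed list standing in for whatever names an organisation wants to
protect its users against lookalikes of.
"""
from urllib.parse import urlsplit

KNOWN_DOMAINS = ["microsoft.com", "google.com", "paypal.com"]   # constructed


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host in a URL or bare domain.
    Simplification: multi-part public suffixes such as co.uk are ignored."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance, so
    a swapped pair of letters counts as one edit, not two."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1,            # delete ca
                       cur[j - 1] + 1,          # insert cb
                       prev1[j - 1] + cost)     # substitute
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transpose
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify(url: str, known=KNOWN_DOMAINS, max_edits: int = 2) -> dict:
    """Compare the second-level label of the link's domain with each known
    name. 'known' = exact domain match; 'lookalike' = within max_edits of a
    known name but not identical (this also catches microsoft.<other-tld>,
    reported with 0 edits); 'unknown' = nothing close, e.g. a link shortener."""
    domain = registrable_domain(url)
    if domain in known:
        return {"domain": domain, "match": domain, "verdict": "known"}
    name = domain.split(".")[0]
    closest = min(known, key=lambda k: edit_distance(name, k.split(".")[0]))
    dist = edit_distance(name, closest.split(".")[0])
    if dist <= max_edits:
        return {"domain": domain, "match": closest,
                "verdict": "lookalike", "edits": dist}
    return {"domain": domain, "match": None, "verdict": "unknown"}


if __name__ == "__main__":
    # Constructed sample links, including the two misspellings from the text.
    for link in ["http://microsfot.com/login", "gooogle.com",
                 "https://www.microsoft.com/", "http://safeshare.tv/w/FEDEwZHZXU"]:
        print(link, "->", classify(link))
```

The distance threshold is deliberately small: two edits is enough to catch the typo-style domains the article describes while leaving genuinely unrelated names, such as the shortener, in the "unknown" bucket where a reputation lookup belongs.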

The site is safe. It's a video about the 1950s and you may enjoy it. I had never visited the site, so I opened OnlineLinkScan (http://onlinelinkscan.com) to see what I could learn:

Overall result : This site is safe.
PhishTank : This site is safe.
Google Safe Browsing : This site is safe.
WebsecurityGuard: This site is safe.
Google Page Rank: 0
Alexa Rank: 55666

I also got the WhoIs information:

Created : 2009-08-17T17:53:25Z
Data Validation : N/A
Expiration Date :
Registrar : REALTIME REGISTER BV

And there was this information about the IP address:

City : San Francisco
Region : California
Country : US
Location : 37.7697,-122.3933
Org : CloudFlare, Inc.
ISP : AS13335 CloudFlare, Inc.
Postal : 94107