AV is dead … again …

Antivirus software only catches 45% of malware attacks and is “dead”, according to a senior manager at Symantec.”

85.4% of statistic can be interpreted in the opposite way, and AV has been declared dead regularly since 1987.

Symantec “invented commercial antivirus software in the 1980s”?  That must come as news to the many companies, like Sophos, that I was reviewing long before Symantec bought out their first AV company.

“Dye told the Wall Street Journal that hackers increasingly use novel methods and bugs in the software of computers to perform attacks.”

There were “novel attacks” in 1986, and they got caught.  There have been novel attacks every year or so since, and they’ve been caught.  At the same time, lots of people get attacked and fail to detect it.  There’s never a horse that couldn’t be rode, and there’s never a rider that couldn’t be throwed.

“Malware has become increasingly complex in a post-Stuxnet world.”

So have computers.  Even before Stuxnet.  I think it was Grace Hopper who said that the reason it is difficult to secure complex systems is because they are complex systems.  (And she died a while back.)

Share

Big Government vs Big Corp – which is worse?

A programmer has been banned from Google for life.

This appears to be kind of like those Kafka-esque errors that big government sometimes make [1] (and which reinforce the arguments against the “if you’re not doing anything wrong you don’t need privacy” position), with the added factor that there is absolutely nothing that can be done about it.

I suppose an individual programmer could bring civil suit against Google (and its undoubtedly huge population of lawyers) citing material damages for being forbidden from participating in the Google/Play/app store, but I wouldn’t be too sanguine about his chances of succeeding …

 

[1] – since the foreign workers program seems to be being used primarily to bring in workers for the oil and gas sector right now, do you think it would help if she offered to mount a production of “Grease”?

Share

Disasters in BC

The auditor general has weighed in, and, surprise, surprise, we are not ready for an earthquake.

On the one hand, I’m not entirely sure that the auditor general completely understands disaster planning, and she hasn’t read Kenneth Myers and so doesn’t know that it can be counter-productive to produce plans for every single possibility.

On the other hand, I’m definitely with Vaugh Palmer in that we definitely need more public education.  We are seeing money diverted from disaster planning to other areas, regardless of a supposed five-fold increase in emergency budget.  In the past five years, the professional association has been defunded, training is very limited in local municipalities, and even recruitment and “thank you” events for volunteers have almost disappeared.  Emergency planning funds shouldn’t be used to pay for capital projects.

(And the province should have been prepared for an audit in this area, since they got a warning shot last year.)

So, once again, and even more importantly, I’d recommend you all get emergency training.  I’ve said it beforeI keep saying itI will keep on saying it.

(Stephen Hume agrees with me, although he doesn’t know the half of it. )

Share

Enhanced Nigerian scam – linkedin style

Linkedin is a much better platform for Nigerian scammers: They now have my first and last name, information about me, etc. So they can craft the following letter (sent by this guy):

Hello Aviram Jenik,

I am Dr Sherif Akande, a citizen of Ghana, i work with Barclay’s Bank Ltd, Ghana. I have in my bank Existence of the Amount of money valued at $8.400,000.00, the big hurt Belongs to the customer, Peter B.Jenik, who Happen To Have The Same name as yours. The fund is now without any Claim Because, Peter B.Jenik, in a deadly earthquake in China in 2008. I want your cooperation so that bank will send you the fund as the beneficiary and located next of kin to the fund.

This transaction will be of a great mutual assistance to us. Send me your reply of interest so that i will give you the details. Strictly send it to my private email account {sherifakande48@gmail.com} or send me your email address to send you details of this transaction.

At the receipt of your reply, I will give you details of the transaction.I look forward to hear from you. I will send you a scan copy of the deposit certificate.

Send me an email to my private email account {sherifakande48@gmail.com}for more details of the transaction.

Sincerely,
Best Regard’s
Dr Sherif Akande.
Here is my number +233548598269

Share

CyberSec Tips: Follow the rules – and advice

A recent story (actually based on one from several years ago) has pointed out that, for years, the launch codes for nuclear missiles were all set to 00000000.  (Not quite true: a safety lock was set that way.)

Besides the thrill value of the headline, there is an important point buried in the story.  Security policies, rules, and procedures are usually developed for a reason.  In this case, given the importance of nuclear weapons, there is a very real risk from a disgruntled insider, or even simple error.  The safety lock was added to the system in order to reduce that risk.  And immediately circumvented by people who didn’t think it necessary.

I used to get asked, a lot, for help with malware infestations, by friends and family.  I don’t get asked much anymore.  I’ve given them simple advice on how to reduce the risk.  Some have taken that advice, and don;t get hit.  A large number of others don’t ask because they know I will ask if they’ve followed the advice, and they haven’t.

Security rules are usually developed for a reason, after a fair amount of thought.  This means you don’t have to know about security, you just have to follow the rules.  You may not know the reason, but the rules are actually there to keep you safe.  It’s a good idea to follow them.

 

(There is a second point to make here, addressed not to the general public but to the professional security crowd.  Put the thought in when you make the rules.  Don’t make stupid rules just for the sake of rules.  That encourages people to break the stupid rules.  And the necessity of breaking the stupid rules encourages people to break all the rules …)

Share

BadBIOS

In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.

 

Share

Risk management and security theatre

Bruce Schneier is often outrageous, these days, but generally worth reading.  In a piece for Forbes in late August, he made the point that, due to fear and the extra trouble casued by TSA regulations, more people were driving rather than flying, and, thus, more people were dying.

“The inconvenience of extra passenger screening and added costs at airports after 9/11 cause many short-haul passengers to drive to their destination instead, and, since airline travel is far safer than car travel, this has led to an increase of 500 U.S. traffic fatalities per year.”

So, by six years after the event, the TSA had killed more US citizens than had the terrorists.  And continues to kill them.

Given the recent NSA revelations, I suppose this will sound like more US-bashing, but I don’t see it that way.  It’s another example of the importance of *real* risk management, taking all factors into account.

Share

Google’s “Shared Endorsements”

A lot of people are concerned about Google’s new “Shared Endorsements” scheme.

However, one should give credit where credit is due.  This is not one of Facebook’s functions, where, regardless of what you’ve set or unset in the past, every time they add a new feature it defaults to “wide open.”  If you have been careful with your Google account in the past, you will probably find yourself still protected.  I’m pretty paranoid, but when I checked the Shared Endorsements setting page on my accounts, and the “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads” box is unchecked on all of them.  I can only assume that it is because I’ve been circumspect in my settings in the past.

Share

Click on everything?

You clicked on that link, didn’t you?  I’m writing a posting about malicious links in postings and email, and you click on a link in my posting.  How silly is that?

(No, it wouldn’t have been dangerous, in this case.  I disabled the URL by “x”ing out the “tt” in http;” (which is pretty standard practice in malware circles), and further “x”ed out a couple of the letters in the URL.)

Share

The Biggest Gap in Information Security is…?

As a person who’s committed to helping raise awareness in the security community as a whole, I’ve often found myself asking this question. While there are several issues that I think contribute to the state of information security today, I’m going to outline a few of the major ones.

One major problem that spans every industry group from government to finance, all the way over to retail, is the massive amounts of data stored, the large number of devices to manage and frankly, not enough people to do it all. Or not enough people with the appropriate level of security skills to do it. I recently had a student in an Ethical Hacking class who asked me if I would be open to discussing some things in private with him concerning some issues he had at work. During dinner he confided in me that he sees his job as becoming more and more impossible with all the security requirements. He let me know that he had recently completed a penetration test within his company and felt he didn’t really get anything out of it. My first question was how many nodes were in the scope of the test. His response was 20,000. So naturally my next question was how big was his pen test team. To that he looked at me blankly and said “It was just me”. My next question was how long did he have to complete the test. And to that his reply was 3 days. This shocked me greatly and I candidly let this individual know that with a scope that big it will usually take one person more than three days to do proper discovery and recon and wouldn’t even give you time to even start vulnerability discovery, mapping, and exploitation testing/development.  I also informed him that for a job like that I usually deploy 3 people and usually contract a time of 2 to 4 weeks. Keep in mind this young man was a very intelligent and skilled person, but he lacked the skills to pull this off. After more conversation I realized that he himself was responsible for scoping the 3 day time to complete the test.

This brings me to the first main point; I see a trend of corporations and entities placing more security responsibility on individuals without giving them enough resources or training. This person admitted he really didn’t even have the skills to know how long it would take him and he based his time estimate off something he found on the web using google, which was why he was in the class. After the class he emailed me and thanked me for finally giving him the understanding to realize what it would take to successfully complete his internal testing. He drafted a plan for a 4 week test and put in a request to have temporary help for the 4 week duration. 2 months later he sent me another email and a redacted copy of the penetration test (after I signed a NDA of course). I was impressed with his work and let him know that. This demonstrated that even the most intelligent people can become overwhelmed if put into an impossible situation with no tools.

Second is the increasingly swift changing threat models. What would be considered a very secure computer 10 years ago (basic firewall, and up to date anti-virus) would be considered a joke today. I can remember when OS patches were mostly just non-security related bug fixes. If the bug didn’t affect you, you didn’t worry about the patch since it often broke other things. This way of thinking became the norm, and still exists in some places today. Add to that the web based attack vectors and client side attacks, it gets even more detrimental. I watched as Dan Kaminsky wrote himself into the infosec history books with his DNS attack. At the same time I saw one pen test customer after the other totally ignore it. Once we were able to exploit this in their environment we usually got responses like “i thought this mostly affected public/root dns servers”. The bottom line is DNS is DNS, internal or external. While Dans’ demonstration was impressive, thorough and concise, it left the average IT admin lost in the weeds. As humans when we don’t truly understand things we typically either do nothing, or do the wrong things. A lot of the media coverage of this vulnerability mostly focused on the public side threat. So from a surface look, it appeared to be something for “others” to worry about. Within weeks of that presentation there were new mobile device threats identified, new adobe reader threats, and many other common application vulnerabilities were identified. With all these “critical” things identified and disclosed within weeks of each other, it is apparent why some security professionals feel overwhelmed and behind the curve! Throw in the fact that I’m learning from clients and students alike that they’re now expected to be able to perform forensics investigations, and the weeds get deeper.

The last thing I want to point out is a trend I’ve noticed in recent years. The gap between what I like to call the “elite” of the information security world and the average IT admin or average whitehat/security professional is bigger than it’s ever been. Comments I’ve heard is “I went to blackhat and I was impressed with all of what I witnessed, but I don’t truly understand how it works and what to really do about it”. I think part of this is due to the fact that some in the information security community assume their audience should have a certain level of knowledge and refuse to back off that stance.

Overall I think the true gap is in knowledge. Often times individuals are not even sure what knowledge is required to perform their job.  Check back soon as I’ll be sharing some ideas as to how to address this problem.

Keatron Evans, one of the two lead authors of “Chained Exploits: Advanced Hacking Attacks From Start to Finish”, is a Senior Instructor and Training Services Director at the InfoSec Institute.

Share

Thoughts at the library drop slot

A couple of days ago, I happened to walk over to the library in order to return some items.  When I got there, as all too often is the case, a parent was allowing two of his children to put their returns back into the (single) drop slot.  He noticed me, and offered to take my stuff and return it when they were done.  (Parenthetically [as it were], I should note that, in the five years since the new system was put in place, this is only the second time that a parent, in such a situation, has taken any notice of the fact that they were delaying matters.  The previous one, about a year ago, asked her children to stand aside and let me through.  I digress, but not completely.)

I immediately handed over my pile (which included a recent bestseller, and a recent movie).  (We are all creatures of social convention, and social engineering is a powerful force.)  But, being a professional paranoid, as soon as I walked away I started berating myself for being so trusting.

I was also thinking that his actions were pedagogically unsound.  While he was, at least, assisting me in avoiding delay, he was, just as much as the majority of the parents at that slot, teaching his children that they need have no regard for anyone else.

(And, yes, before I left the library, I checked my account, and determined that he had, in fact, returned my items.  Auditing, you know.)

Share

A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it’s entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost it’s entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.

 

Lest you think I exaggerate any of this, you can read the actual report.

Share

REVIEW: “Consent of the Networked”, Rebecca MacKinnon

BKCNSNTW.RVW   20121205

“Consent of the Networked”, Rebecca MacKinnon, 2012, 978-0-465-02442-1, U$26.99/C$30.00
%A   Rebecca MacKinnon
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02442-1 0-465-02442-1
%I   Basic Books
%O   U$26.99/C$30.00 special.markets@perseusbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465024421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465024421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465024421/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   294 p.
%T   “Consent of the Networked: The Worldwide Struggle for Internet Freedom”

In neither the preface nor the introduction is there a clear statement of the intent of this work.  The closest comes buried towards the end of the introduction, in a sentence which states “This book is about the new realities of power, freedom, and control in the Internet Age.”  Alongside other assertions in the opening segments, one can surmise that MacKinnon is trying to point out the complexities of the use, by countries or corporations, of technologies which enhance either democracy or control, and the desirability of a vague concept which she refers to as “Internet Freedom.”

Readers may think I am opposed to the author’s ideas.  That is not the case.  However, it is very difficult to critique a text, and suggest whether it is good or bad, when there is no clear statement of intent, thesis, or terminology.

Part one is entitled “Disruptions.”  Chapter one outlines a number of stories dealing with nations or companies promising freedom, but actually censoring or taking data without informing citizens or users.  The “digital commons,” conceptually akin to open source but somewhat more nebulous (the author does, in fact, confuse open source and open systems), is promoted in chapter two.

Part two turns more directly to issues of control.  Chapter three concentrates on factors the Republic of China uses to strengthen state censorship.  Variations on this theme are mentioned in chapter four.

Part three examines challenges to democracy.  Chapter five lists recent US laws and decisions related to surveillance and repression of speech.  The tricky issue of making a distinction between repression of offensive speech on the one hand, and censorship on the other, is discussed in chapter six.  The argument made about strengthening censorship by taking actions against intellectual property infringement, in chapter seven, is weak, and particularly in light of more recent events.

Part four emphasizes the role that corporations play in aiding national censorship and surveillance activities.  Chapter eight starts with some instances of corporations aiding censorship, but devolves into a review of companies opposed to “network neutrality.”  Similarly, chapter nine notes corporations aiding surveillance.  Facebook and Google are big, states chapter ten, but the evil done in stories given does not inherently relate to size.

Part five asks what is to be done.  Trust but verify, says (ironically) chapter eleven: hold companies accountable.  MacKinnon mentions that this may be difficult.   Chapter twelve asks for an Internet Freedom Policy, but, since the author admits the term can have multiple meanings, the discussion is fuzzy.  Global Information Governance is a topic that makes chapter thirteen apposite in terms of the current ITU (International Telecommunications Union) summit, but the focus in the book is on the ICANN (Internet Committee on Assigned Names and Numbers) top level domain sale scandals.  The concluding chapter fourteen, on building a netizen-centric Internet is not just fuzzy, but full of warm fuzzies.

There are a great many interesting news reports, stories, and anecdotes in the book.  There is a great deal of passion, but not much structure.  This can make it difficult to follow topical threads.  This book really adds very little to the debates on these topics.

copyright, Robert M. Slade   2013   BKCNSNTW.RVW   20121205

Share

Nopcon 2013 is here

Douglas Adams is still right: No language has the phrase “As pretty as an airport”. But in my humble opinion, airports have come a long way in the last 10 years. Or maybe my expectations have become so low, I can’t be disappointed. Either way, it seems to me going through an airport isn’t as bad or boring or inconvenient as it used to be.
I’m not just talking about the East-Asian airports (Hong Kong, Seoul, Singapore) which have always been stellar. Even the infamous American airports are newer, and more convenient.

I’m giving you this airport cheer-leading chant because if you live in Europe, you should go and check out how much your airport has improved since you’ve last seen it. Then, take a flight to Istanbul. Not just because Istanbul is one of the nicest cities in Europe but also because Nopcon is taking place June 6, and has some very interesting and incredibly original speaker lineup: Moti Joseph, Nikita Tarakanov, Gökhan Alkan, Svetlana Gaivoronski, Canberk Bolat and Ahmet Cihan (aka Hurby). Nice!

More info here: http://www.nopcon.org/

Share

Password reset questions

Recently therewas some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

Share

“New” ideas about distributed computing?

The CEO of BitTorrent thinks we should think about using distributed computing to deal with upgrade issues over the Internet.

It sounds like a good idea.  So good, that you wonder why someone hasn’t thought of it before.  Well, surprise, surprise (unless you know Slade’s Law of Computer History), someone has.  How about Shoch and Hupp, who worked on the idea at Xerox PARC in the late 70s, and reported on it in 1980 and 1982?  Or Fred Cohen, who was quite vocal about using “good” viruses in the late 80s, and mentioned it in one of his earlier popular books?  Or Vesselin Bontchev, who, in the 90s, gave a detailed outline of what you have to do to make it work

Share