Small Business Attack – Mobile Attack
- At November 11, 2009
- By Josh More
- In Business Security
- 0
Despite all the humorous commercials to which I am now receiving links, you may have in your possession an iPhone. You may have even gone through the lengthy process of installing unofficial software on it. So there you are, all happy with your fancy toy and feeling smart about yourself. Then, one day, you turn it on and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley… which isn’t quite the same thing, really.
It sounds far-fetched, but that’s exactly what happened to a large number of iPhone users over the weekend. A worm was launched that specifically targeted iPhones and spread over the web in just a few hours. Now, in this case, the author was just trying to make a point, and the media is generally taking a light view of things… after all, Rick Astley is funny, right?
Let’s take a different view of the situation.
Suppose that, one day, you turn on your iPhone and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley. You shrug, go on with life and check your email. While you check your email, you notice that things are a bit slow, but hey, it all works. You put your iPhone back in your pocket and head over to work. When you get to work, you see an upset security officer standing in your office, who informs you that someone hacked into your iPhone, copied all your email when you checked it, accessed your VPN password, used the VPN password to get into your network, downloaded all your files (including the one containing access to your company’s bank account) and transferred all of the money overseas.
That’s a bit more than an amusing little attack, isn’t it? However, to be fair, it is a little bit unrealistic. Let’s take a more realistic view:
The exact same things happened, but the security officer wasn’t waiting in your office for you. In fact, the security group didn’t even know what was going on until the accounting group called and let them know… which happened after they found the problem and were able to determine that it wasn’t an accounting error… which was in excess of the normal 48-hour window, and now the money is gone, the business is going under and it’s your fault because your iPhone got hacked.
The risk here is that iPhones, Blackberries, Palms, Droids and the like aren’t phones. They’re little portable computers that work just like phones. More than that, they’re little portable computers that are always attached to the Internet, have no firewall, don’t run antimalware and are often connected directly to your network.
The fact that the first big worm just changed the background proves that we’re really lucky and should view this as a wakeup call.
Are you awake yet?
Security Lessons from Nature – Minimizing Shadows
- At November 10, 2009
- By Josh More
- In Natural History
- 0
Imagine for a minute that you’re a bug. You wander around looking for food and avoiding predators. Now, most critters that predate on bugs aren’t exactly the brightest. They just sort of fly around and look for anything that looks buggy and then try to eat it. There are generally only two clues for bugginess: movement and contrast.
Basically, if something moves like a bug, it’s probably a bug. Of course, this is only good against the bugs that haven’t learned to just keep still. If you want to keep your little bug self safe and secure, all you have to do is not move when a predator comes at you… which is a lot harder than it sounds… and not 100% successful now that predators have learned the contrast trick.
Most days, there tends to be light around, and even though bugs have gotten pretty good at matching their surroundings, if the light comes from the wrong angle, it doesn’t matter how well you match your environment, you’ll cast a nice long shadow. If a bird is looking for an area of sharp contrast, it can find you even if you manage to stay frozen.
Bad news for bugs.
Unless, of course, you manage to reduce your shadow. If you are careful to shift your position or only land in pre-existing shadows, you can really reduce these shadows. Similarly, if you only come out during midday and stay hidden during morning and evening, you’ll avoid the long shadows. Basically, you want to reduce the amount of your body that catches the light, which reduces the amount of shadow, which reduces the likelihood of attack.
We do the same thing in the security world. A system can be attacked in many (many (many)) ways. Looking just at a fairly standard Web system, a system can be attacked at: ssh, apache, mysql/postgresql, openssl, php/perl/ruby, ftp, or any modules contained within… and this assumes that the system has been hardened and isn’t running any of the common applications such as X, Gnome/KDE, OpenOffice.org, Firefox, portmap, r* commands, etc. The simple fact is that we load our systems with all sorts of fancy widgets, adding new functionality here and there, making them run faster (or at least, more interestingly) and… if an attacker looks at them… casting a very interesting shadow.
Simply put, everything you can install can be exploited. It may be reviewed. It may be well designed. It may be hardened. However, this is not a perfect world, and there are no guarantees. You can’t make sure that everything is running exactly as it should be, but what you can know with absolute certainty is that something that’s not there cannot be exploited. People have a really hard time robbing a house that’s not been built, and they’d have similar difficulties attacking a service that’s not running.
In I.T. Security, we call this reducing our attack surface. The term can apply to an entire business, a network, a server or just an application. The idea is pretty much exactly what a bug does. We want to make our shadow as small as possible, by reducing the number of protrusions and things that make the shadow interesting. In practice, this means reducing your business (you’re not a bug anymore, by the way) to just what you need. If you don’t need modems, don’t leave them plugged in. If you don’t need to be running telnet, don’t run it. If you don’t need to employ untrusted people at incredibly low wages, don’t do it.
The point here isn’t to say that you can be completely safe by minimizing what’s running… there is no completely safe. Any bug can get eaten, despite how good it gets at what it does. The point is that by minimizing the attack surface, you can get it to a manageable size. If bugs were the size of baseballs, cast huge shadows and were slow to maneuver, they’d be eaten awfully quickly. By staying small and relatively flat, they’ve been able to focus on better defenses (such as scent bombing, protective colouration, and just plain old tasting bad). The same applies to your business. If you limit what you’re doing and running to something manageable, it can then be managed.
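As an added example (not from the original post), here is a small POSIX shell check that lists every listening TCP service not on an explicit allowlist, so the “shadow” a server casts can be reviewed and trimmed. It assumes input in the layout of `ss -tlnpH` (one listener per line, process in the last column); the sample output below is constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnpH` output for a web host that looks hardened
# but still has ftp, portmap and a telnet-style inetd listener hanging around.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=712,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=901,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=901,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=845,fd=21))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1203,fd=3))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=430,fd=4))
LISTEN 0 10 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=455,fd=5))'

# audit_listeners ALLOWLIST < ss-output
# ALLOWLIST is a space-separated list of "process:port" pairs you expect to see.
# Prints one "process port bind-address" line per listener that is NOT expected.
audit_listeners() {
  allow=" $1 "
  while read -r state rq sq laddr peer proc; do
    [ "$state" = "LISTEN" ] || continue       # skip blank or non-listening lines
    port=${laddr##*:}                          # text after the last colon
    addr=${laddr%:*}                           # everything before it (works for [::] too)
    name=$(printf '%s' "$proc" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
    case "$allow" in
      *" $name:$port "*) ;;                    # on the allowlist: silent
      *) printf '%s %s %s\n' "$name" "$port" "$addr" ;;
    esac
  done
}

# Number of unexpected listeners in the sample, for a pass/fail hardening check.
count_unexpected() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners "$1" | wc -l | tr -d ' '
}

# On a real host replace the sample with: ss -tlnpH | audit_listeners "..."
printf '%s\n' "$SAMPLE_SS" | audit_listeners "sshd:22 apache2:80 apache2:443 mysqld:3306"
```

Anything the script prints is a service to either justify and add to the allowlist or, better, stop and uninstall.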
It also helps not to move suddenly when someone flips over a leaf… but I’ve not yet figured out exactly how that applies to business.
Mythic Monday – Rolling Along
- At November 09, 2009
- By Josh More
- In Mythology
- 0
There’s often something lacking when I read Native American mythology. Perhaps it’s that this form of mythology uses a different form of logic, perhaps the myths are fragmentary, or perhaps it’s because the original tellings were oral and participatory and it just doesn’t carry over to the written word. However, once in a while, you get a myth like this:
Why the sun rolls along
Sun was warned by a messenger, “Someone is coming to kill you.”
Soon a person came along and seized the Sun. He threw him toward the East, but Sun came back. He threw him toward the South, but Sun came back. The evil one came toward Sun again, but Sun began to roll along. Sun rolled and rolled and rolled along. He rolls along to this very day.
(From Shasta Indian Tales by Rosemary Holsinger.)
Clearly, there is something missing here. Such myths raise more questions than they answer… but lucky for us, this isn’t a mythology blog, so we can leave the questions alone. The point here is that the sun just keeps on rolling, no matter how the evil person tries to kill him. As with many things, it’s all about persistence.
I’ve had numerous projects in the works for years, and at some point, they just stopped moving forward. Due to a lack of energy on my part and other pressing concerns, progress just ceased. There’s only so much time in a day (mostly because Sun keeps on moving), and it’s sometimes not possible to keep everything progressing; something has to stop in order for other things to continue. Last week, my blog stopped. I had taken a week of vacation to make some progress on another project. I had worked up a buffer of blog posts to cover the time I wouldn’t be paying attention to the blog… but I forgot about the post-push resting period.
Oops.
The nice thing about being a mythic character such as Sun, is that you only have one thing on which to focus. (Well, two if you count “rolling along” and “being glowy”.) Here in the real world, we often have too many things going on to “keep on rolling” on more than one. For me, the one thing that is always 100% consistent is monitoring security posture. Things change every day. In fact, just over the weekend, we got reports of an iPhone attack, a discussion on legacy systems, and a revival of an old attack. Last month, there was a huge amount of malware to keep on top of as well as numerous patches from major vendors. The threats never stop, so those of us in security have to keep on rolling.
Unfortunately, this means that other things have to be dropped sometimes. But hey, even Sun sometimes takes a day off, so I don’t feel that bad. I’ll just try to pick things back up and get to posting again. Hopefully I won’t miss too many days as I get things running again.
Security Lessons From Nature – Pangolin
- At October 27, 2009
- By Josh More
- In Natural History
- 0
Normally in this section I pick one aspect of the natural world and focus on the security ramifications of that animal or adaptation. However, this doesn’t really do justice to the complexities that surround security posture. So today, we’re going to look at the pangolin.
Now, you can either hit the link and read all about it, or we can play the build-an-animal game. (The game is more fun.)
- Start with an anteater.
- Give it huge sharp claws.
- Now grant it the ability to spray a stinky acid like a skunk.
- Take the scales off a fish and glue them to the anteater.
- Thicken the scales so it’s armored like an armadillo.
- Sharpen each scale so it’s razor sharp.
- Oh yeah, they’re also good at tunneling and swimming.
- Now just for fun, let’s expand their brains and make them little Houdinis.
Now let’s think for a minute about the threats that could have provoked such defenses. Before we had an anteater, we must have started with ants. That’s all well and good. After all, who doesn’t love a yummy meal of ants? Well, other than the ants, I guess. In the US, ants tend to build nests underground and just pile up the dirt outside. However, in anteater territory, ant and termite mounds are heavily armored, so our pangolins need big sharp claws to get to their food. Now, not only are ants yummy, but in areas where hyenas roam, so are pangolins.
Of course, the easiest way to make the annoying creatures go away is to spray them with a noxious fluid… though one has to wonder exactly how that particular defense mechanism came about.
Then there are the roaming large felines. Where those abound, it helps to grow large, thick, scales to protect yourself. Now, generally speaking, if you grew up in a world where your biggest threats are jaguarundi and sabertooth tigers (with respective Bite Force Quotients (BFQ) of 75 and 78), regular armor is probably fine. However, if your predators are clouded leopards and tigers (BFQs of 137 and 127 respectively), regular armor is apparently insufficient, and you need razor sharp scales instead.
So here you are, safe against the abundant predators of Southeast Asia… except for those pesky humans. People of the area like to eat them and use parts of them for medicine. Since humans tend to use tools that render claws, razor scales and explosive scent ineffective, it’s important to be able to run away. Thus, it helps to learn how to dig intricate tunnels and learn to swim out of range of these tools. Of course, some humans still manage to capture some pangolins, so it’s quite helpful to be able to escape with ease.
Thus, through simple defenses against ordinary threats, we get an animal that seems almost mythological in its complexity. The same applies to business. We tend to build very complex systems with numerous layers of defenses, but each of them is targeted at attacks that manage to get through the outer layer of defenses.
We hardened systems, but attackers got through. We created firewalls, but attackers got through. We added application awareness to the firewalls, but attackers worked within the applications. We added kernel-level hooks to restrict what the application can do, and attackers still managed to get personal data. More recently, we’ve added Network Access Control, Data Loss Prevention, Buffer Overflow Protection and others. Of course, it’s just a matter of time until the attackers start working against those too.
Like the pangolin, we have to pay attention to new threats and adapt to new threats. If we don’t, well, the pangolin has an answer for that too.
Thanks to dotpolka for the use of the photo.
Mythic Monday – Aesop: The Dog, The Rooster and the Fox
- At October 26, 2009
- By Josh More
- In Mythology, Natural History
- 1
This isn’t one of Aesop’s more commonly known fables. Like most of them, it’s quite simple. Essentially, a dog and a rooster are friends (we ignore the improbability of that bit) and are taking a bit of a holiday. As they come to the end of the day, they decide to go to sleep. As is their nature, the rooster perches atop a hollow tree and the dog curls up to sleep inside the tree.
When morning comes, the rooster crows and attracts the attention of a fox. The fox invites the rooster home for breakfast. The rooster, being wise (demonstrating again that this is a fable and not reality), tells the fox that he is regrettably unable to accept such a generous offer, but instead invites the fox to join him inside the tree. The fox (seemingly unable to smell the dog within) enters the tree and is promptly devoured.
Clearly, the lesson that Aesop wished us to learn was to beware the rooster. However, it is also quite possible that Aesop was covering for the known illegal leanings of roosters and dogs. This dastardly duo was singlehandedly responsible for the massive reduction of the fox population in ancient Greece. This is much as how modern phishers work.
Security attacks have gotten sufficiently complex that different people are better at different aspects. Some attackers are best at writing malware and others are best at sending the emails that distribute the malware. So, just like the dog and rooster, they have gotten good at working together. By each relying upon their best skills, they can take over (attract and eat) various targeted computers (foxes).
Of course, this only works on foxes that aren’t paying attention. If the fox in the story had simply stopped to realize that:
- Roosters tend not to live in hollow trees.
- Dogs have a noticeable odor… especially for foxes.
The same applies to phishing emails.
- Organizations such as the FBI and IRS are generally not in the habit of emailing people.
- Phishing spam also has a noticeable odor (spear phishing is a bit different).
At the core, email is not 100% deliverable. If anything is extremely important (as something from the FBI or IRS would be), it would come in a manner that is more reliable. Registered letters and phone calls tend to be popular. Similarly, if someone has your email address, wouldn’t it make sense that they already have your name, phone number and other personal information? If an email asks you to “verify” your information, it’s good to be suspicious.
Above all, unlike the fox in the story (and just like foxes in real life) it pays to be wary.