Flame On!
- At May 30, 2012
- By Josh More
- In Business Security
The security world exploded today with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded industry panic on this scale. Phrases like “most advanced malware”, “super-weapon” and “new era in cyberwar” are being thrown around like confetti. So, let’s take a bit of a reality check.
Calm Down
1) Are you in the Middle East?
If not, relax. The evidence suggests that the malware is focused on the Middle East… likely either Iran or Israel. While malware does spread quickly, highly targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would be too much of it.
2) Have you updated your systems in the last two years?
If so, relax. While the news is new, it looks like this malware was released in 2010. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.
3) Are you profoundly unlucky?
If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for two years… it has infected 382 known systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are on the order of 0.0000076% (382 divided by five billion). You are 22 times more likely to be struck by lightning than you are to get infected by Flame.
4) Are you a nation state?
If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.
Big Deal
So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.
First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes it all the way to the mainstream news. This is too bad, as both of these firms tend to do excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.
Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take a look at the responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.
Then you have a slew of mainstream media articles that reference “cybersecurity experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy… which seems to be a response to a reporter needing a quick quote to get into the news cycle.
Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin’?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.
What To Do
The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.
Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.
Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also if your users are running as local administrators, there’s not much you can do.
Modern malware does a lot of really neat things too, like infecting smart phones, hiding its tracks and punitively wiping systems if you tamper with it. Heck, for all I know, it’s also responsible for using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions, you’re not patching your systems and you don’t understand your data, none of this is going to matter.
Basically, you have to walk before you run… and before you walk, you have to understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.
1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.
If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m here to help. (Guess why I take the time to write posts.)
The Importance of Exercise (and rhinos)
- At May 23, 2012
- By Josh More
- In Business Security, Natural History
Exercise. With a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.
In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in preference for those that we are fairly certain would benefit us right now… even when future gains would likely be much larger. So, even when we know that exercise would help us, we avoid it because there are other things that need doing.
Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us… so there is resistance to trying new things.
Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done… right?
Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is that of an animal escaping. Your job is to figure out how to deal with the event and get the animal back. How would you do it? Take a couple of minutes and think what you’d do. I’ll wait.
Now, watch this video.
Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your people were injured during the escape? What about visitors at the zoo? Did you think of children, of adults, of any disabled people and how they might escape? Did you think about the potential damage that an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility that the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?
Even a simple exercise can show you things that you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones would require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.
This will allow you to engage in a more accurate risk assessment, allocate resources and move to a more proactive stance. So, you could be prepared for any eventuality, from mountain lion to penguin.
Policies, Procedures and Politics
- At April 11, 2012
- By Josh More
- In Business Security
In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction of the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims upon claims, and discussion and action start to spiral out of control. Luckily, we have a document that we’ve created over the years to help keep things on track.
The Constitution of the United States, the Bill of Rights and the associated Amendments serve as a reference and a guideline for how to run the country. They break down as follows:
- Constitution of the United States, accepted in 1787 – 4,601 words
- Bill of Rights, adjustments to the constitution in 1791 – 731 words
- Amendments since 1791 – 2,615 words
This means that in the two hundred and twenty five years that the United States has existed as a country, over four hundred million people, their rights, responsibilities and very lives have been guided by under 8,000 words. In general, it’s worked pretty well.
I make this post with two reasons in mind.
1) If you are going to engage in political discourse within the US, please take the time to read the 8,000 words (and 7% of that is filler like headers and names). It’s only about 12 pages of text (24 double-spaced), and it will help you to uncover lies and arm you to educate the uninformed.
2) If we can run a country for over two centuries with a policy document that is 12 pages long… that most people don’t bother to read, how many do you think read your information security policy manual?
For those that don’t want to bother clicking the links above, below is the text of the US Constitution and all amendments. Please, read it over lunch. You, and the country, will be better off.
Horsing around at ShmooCon
- At February 08, 2012
- By Josh More
- In Business Security
Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.
1) Operations
For many years, the community has been saying that security is facing an operations challenge, not simply one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.
In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable. Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.
Sadly, we live in a world full of dead and starving horses.
2) Separation of Targets
Fortunately, not every business is as far behind as most of those we see. There are many businesses doing security right. They are investing money to protect assets, training employees and running operations seamlessly. These companies are succeeding, and as a result, the gap between “good” and “average” is widening dramatically.
To get back to the horse metaphor, we no longer have a single race. Instead, we have two. In the first, people are riding their horses much as you’d expect. In the second, businesses have invested in security but not operations, dragging their dead and dying horses around the track. These races work very differently and therefore are attacked differently.
If your operations are failing (as in #1 above), your horse may not be worth much. However, if an attacker can get a nice pile of dead horses, they can sell them for glue. In other words, these are the low-level attacks we see every day zeroing in on credit cards, ACH transfers and customer data. Attackers focus on bulk theft and you are just a convenient target.
However, if you have good security AND good internal operations, you’re in a different race. A horse thief focusing on live horses is going to have more options than one who raids the graveyard. The attacker who selects a company with good operations will see greater value from a successful attack. If your company is investing in day-to-day operations, odds are you have some juicy intellectual property to protect. This is where these attackers focus.
In either case, if you’re behind more than half the horses in the race (i.e., below average), you’re going to lose. Remember, the attacker just has to win once… you have to deflect the attacks constantly. The attackers are targeting the easiest in each category first, so as horses vanish from the race, you have to keep improving to stay above average.
3) Defensive Intel Sharing
Finally, there is the true value of an event like Shmoo. The value isn’t in the sessions (though they are great), but in the discussions in hallways and over meals. This is where security people get together and share ideas as to what techniques work to defend against these attacks. We brainstorm and share intelligence. This helps us protect our own little corners of the world better.
To beat the horse metaphor to death, it is as though international teams of horse rustlers (hackers) specialize in stealing horses (your business). Some are great at stealing wagons and have no idea what horse they’ll be getting. Others team up and have one person good at riding horses, one at distracting jockeys and maybe a large animal vet to determine how best to use the newly-stolen horse. They share ideas with other teams as to what has worked and what hasn’t, and thus they constantly improve.
At Shmoo, we share ideas that keep our horses from being stolen. It could be as easy as putting better locks on the stables, or as ridiculous as using velcro saddles to keep the jockeys firmly seated. In many cases, it is about small improvements … ways to feed the horses more cost-effectively, or the ability to keep an extra set of eyes on people approaching your stable.
In other words, going to Shmoo isn’t likely to help you, but it will certainly help me help you. Now, let’s talk about your horse.
(Originally posted on RJS Informer)
Password Security and Schools
- At January 16, 2012
- By Josh More
- In Business Security
For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this affords them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, it provides the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.
Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.
You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!
Here they are:
(Table of the 34 distinct passwords, with the truly unique ones in the right hand column, not reproduced in this copy.)
Note the right hand column. Those are the passwords that are truly unique. This means that of 246 passwords, only 13 of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”
In all the analyses I’ve done, this is by far the worst. There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.” The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.
So, what’s wrong here?
First, selecting passwords in this way means if someone knew their password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, if you decided to attack this system with a default word list, it would take about a day to get hits on most of these. If you had a list of usernames, you could easily gain access to every account on this list in a day. In some systems, it would take as little as a minute to crack each account.
Now, no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.
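The reuse analysis described above is easy to automate. The following is an added example (my own code, not something from the original post) run over a constructed, made-up list of usernames and passwords whose shape mirrors what the post reports: a handful of shared defaults plus a few “add two digits” variants. It counts distinct passwords, collapses the two-digit variants back onto their stem, finds the biggest cluster, and works out how many other accounts one insider could log into with no guessing at all by combining their own password with the word pairs (summer/winter, apples/oranges, soccer/football) noted above.

```python
import re
from collections import Counter

# Constructed sample of a leaked (username, password) list. These names and
# passwords are made up for this example; they are NOT the Ridgewood data.
LEAKED = [
    ("astudent01", "winter"),   ("bstudent02", "summer"),   ("cstudent03", "winter"),
    ("dstudent04", "apples"),   ("estudent05", "oranges"),  ("fstudent06", "soccer"),
    ("gstudent07", "football"), ("hstudent08", "winter"),   ("istudent09", "summer"),
    ("jstudent10", "winter12"), ("kstudent11", "apples"),   ("lstudent12", "soccer"),
    ("mstudent13", "summer"),   ("nstudent14", "soccer07"), ("ostudent15", "Password"),
]

# Word pairs the post calls out: knowing one half is a strong hint that the
# other half is also in use as somebody's password.
PAIRS = {"summer": "winter", "winter": "summer",
         "apples": "oranges", "oranges": "apples",
         "soccer": "football", "football": "soccer"}

# "word" followed by exactly two digits, i.e. the "add two numbers to the end"
# instruction the post infers from the right hand column.
VARIANT = re.compile(r"^(?P<stem>[A-Za-z]+)(?P<digits>\d{2})$")


def stem(password):
    """Strip a trailing two-digit suffix: 'winter12' -> 'winter'."""
    m = VARIANT.match(password)
    return m.group("stem") if m else password


def summarize(records):
    """Headline numbers for a dump: account count, distinct passwords,
    distinct stems after folding the two-digit variants, the biggest cluster
    of identical passwords, and how many people 'followed directions'."""
    pw_counts = Counter(pw for _, pw in records)
    stem_counts = Counter(stem(pw) for _, pw in records)
    return {
        "accounts": len(records),
        "unique_passwords": len(pw_counts),
        "unique_stems": len(stem_counts),
        "largest_cluster": pw_counts.most_common(1)[0],
        "followed_directions": sum(1 for _, pw in records if VARIANT.match(pw)),
    }


def accounts_opened_by(records, insider):
    """Other accounts an insider can open using only their own password:
    same stem (identical password or a two-digit variant of it) plus the
    word-pair twin. No cracking involved."""
    own = dict(records)[insider]
    s = stem(own)
    targets = {s, PAIRS.get(s)}
    return sorted(user for user, pw in records
                  if user != insider and stem(pw) in targets)


if __name__ == "__main__":
    for k, v in summarize(LEAKED).items():
        print(f"{k}: {v}")
    print("jstudent10 can also open:", accounts_opened_by(LEAKED, "jstudent10"))
```

On the constructed list this reports 15 accounts, 9 distinct passwords, 7 distinct stems, a largest cluster of three accounts all using “winter”, and two students who followed the “add two digits” instruction; the student holding “winter12” can open six other accounts without guessing. On a real dump the same functions give you the numbers the post quotes (unique count, distribution, fraction who changed their default).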
Now take a minute and think what this would have looked like if the following changes were made to the system:
- Users are assigned completely random passwords
- The system required passwords to be at least 12 characters long.
- The system required passwords to have a mix of upper case, lower case, numbers and punctuation
What would happen? First, the student would probably write his or her password down somewhere. Now that password is as safe as a locker and/or the student’s resistance to bullying. Maybe there’s a better way.
What if the system were set up to allow users to register themselves and had a password scoring rule instead of a fixed complexity rule? Suppose a password had to hit a specific score of something like 100, where the scoring worked this way:
- base starts at 0
- Contains an upper case character = base+10
- Contains a lower case character = base+10
- Contains a number = base+10
- Contains punctuation = base+10
- Contains a space character = base+10
- Score = base × length of the password
(Each character class counts once, no matter how many characters of that class the password contains.)
If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password (a base of 10 × 6 characters = 60). “Zoologists,” on the other hand, would be accepted (20 × 10 = 200). If you wanted something shorter, you could go with “like2” to obtain your required score of 100 (a base of 20 × 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are nudged toward longer passwords of their own choosing rather than short ones they can’t remember.
Using the rules above, suppose you wanted a score of 1000. “Jooxiepa8da X1Zaode!” would work (50 × 20 = 1000), but so would “Ask not what you can do for your country.” (40 × 41 = 1640). Which is easier to remember?
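The scoring rule above is small enough to write out in full. This is an added example (my code, not from the original post) implementing exactly the base-times-length rule with 10 points per character class, plus two things a practitioner would want alongside it: feedback on how many more characters a rejected password needs, and a small denylist check, because a length-times-variety score alone still accepts well-known passwords once they are long enough. The denylist contents and the `DENYLIST` name are my assumptions; a real deployment would use a breached-password list.

```python
import math
import string

# One entry per character class; a class scores once no matter how many
# of its characters appear. Non-ASCII letters earn nothing in this toy;
# widen the sets if you need them.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
    "space": {" "},
}
POINTS_PER_CLASS = 10

# Assumed for this example: a tiny denylist so that scoring cannot be
# satisfied by a famous password padded out to length.
DENYLIST = {"password", "password1", "123456", "qwerty", "letmein"}


def base(password):
    """10 points for each character class present in the password."""
    present = sum(1 for chars in CLASSES.values()
                  if any(c in chars for c in password))
    return POINTS_PER_CLASS * present


def score(password):
    """Score = base * length, as in the post."""
    return base(password) * len(password)


def chars_needed(password, threshold):
    """How many more characters of the same mix would reach the threshold.
    Returns None if no class scored (nothing to extrapolate from)."""
    b = base(password)
    if b == 0:
        return None
    return max(0, math.ceil(threshold / b) - len(password))


def check(password, threshold):
    """Return (accepted, reason) for a candidate password."""
    if password.lower() in DENYLIST:
        return False, "on the denylist"
    s = score(password)
    if s < threshold:
        extra = chars_needed(password, threshold)
        return False, f"score {s} is below {threshold}; add about {extra} more characters"
    return True, f"score {s}"


if __name__ == "__main__":
    for pw, threshold in [("winter", 100), ("Zoologists", 100), ("like2", 100),
                          ("Jooxiepa8da X1Zaode!", 1000),
                          ("Ask not what you can do for your country.", 1000),
                          ("Password1", 100)]:
        print(f"{pw!r:45} -> {check(pw, threshold)}")
```

Run as-is it reproduces the post’s numbers: “winter” scores 60 and is told it needs four more characters, “Zoologists” 200, “like2” 100, the random string exactly 1000, the Kennedy line 1640. “Password1” scores 270 and would sail past a threshold of 100, which is why the denylist sits in front of the score.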
This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.
In fact, maybe we should do this in business too.
(This article was originally posted at the RJS Insider)