Tag Archives: Stuxnet

Manuela Arcuri

Monica Bellucci and Security

Trends – security and movie stars, Manuela Arcuri and Monica Bellucci, Verisign and McAfee.

Information security and risk analysis is complex stuff, with multiple dimensions of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships. This is why it’s hard to sell security to organizations. But information security is also a lot like fashion, with cyclical hype and theater: today – HIPAA, iOS and Android security; yesterday – Sarbanes-Oxley, federated identity management, data loss protection and application security firewalls.

Back in 2007, I thought we might see a return to the Age of Reason, where rational risk management replaces blind compliance checklists – I thought this could happen for 2 reasons:

  1. Compliance projects can have good business value, if you focus on improving the product and its delivery.
  2. Security is like fashion – both are cyclical industries, and the wheel can also turn around in the right direction.

HIPAA compliance is a minimum but not sufficient requirement for product and process improvement.

Healthcare companies and medical device vendors that do HIPAA compliance projects may be paying a steep price for HIPAA compliance without necessarily getting a return on their investment by improving the core features and functionality of their products and service offerings.

Compliance driving improvements in products and services is good for business, not just a mantra from McAfee.

It could happen, but then again, maybe not. Look at the trends. Taking a sample of articles published in 2011 on the eSecurityPlanet Web site, we see that mobile devices and cloud services lead the list, followed by IT security, with healthcare closing the top 15. I guess cost-effective compliance is a lot less interesting than Android security.

  1. iOS vs. Android Security: And the Winner Is?
  2. 5 iOS 5 Enterprise Security Considerations – You can’t keep Apple out of the enterprise anymore, so it’s best to figure out the most secure way to embrace it, writes Dan Croft of Mission Critical Wireless.
  3. PlayBook Tops in Tablet Security – Recent price reductions may mean more Blackberry Playbook tablets entering your organization, but that may not be such a bad thing for IT security teams.
  4. Android Security Becoming an Issue – As the Android mobile platform gains market share, it also garners a lot of interest from cyber crooks as well as IT security vendors.
  5. Which Browser is the Most Secure? – The ‘most hostile’ one, say researchers at Accuvant Labs.
  6. How to Prevent Employees from Stealing Your Intellectual Property – It’s the employee with the sticky hands that is the easiest and cheapest to thwart.
  7. Security Spend Outpacing the Rest of IT – High profile breaches and mobile devices are driving IT security spending.
  8. Public Cloud Keys Too Easy to Find – If you put the keys to your cloud infrastructure in plain sight, don’t be surprised if you get hacked.
  9. Zeus (Still) Wants Your Wallet – The antivirus community has failed to figure out this able and persistent piece of malware. It’s as simple as that.
  10. Spear Phishing Quickly Coming of Age – Even the security giants are not immune from this sophisticated and growing form of attack, writes Jovi Bepinosa Umawing of GFI Software.
  11. Penetration Testing Shows Unlikely Vulnerabilities – Enterprises need to dig deeper than just automated scanning to find the really interesting and dangerous cyber security flaws.
  12. Bank Fraud Still Costing Plenty – Bank fraud is and will continue to be an expensive problem.
  13. Do IT Security Tools Really Make You Safer? – Yet another suite of tools for IT security folks to administer and manage can actually have the opposite effect.
  14. Siege Warfare in the Cyber Age – In one of the unlikeliest turns of events brought about by technology, it looks like Middle Ages’ siege warfare may be making a comeback, writes Gunter Ollmann of Damballa.
  15. Healthcare Breaches Getting Costlier – And it’s not just dollars and cents that are on the line – reputations are on the line, writes Geoff Webb of Credant Technologies.
Tell your friends and colleagues about us. Thanks!
Share this

Offensive security

I have written several times in the past (here, here and here) about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction: a) retaliation, and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means using counter terror techniques to discover hacker cells, infiltrate them and disrupt them in the physical world. The problem, of course, is the price tag. It’s cheap to mount a cyber attack, but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too little, too late. Instead, I call on the US and other governments to actively combat cyber terror with the same resolve with which they attack physical world terrorists.


Cyber crime costs over $1 trillion

A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report “UK Cyber crime costs UKP 27BN/year”. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First – they don’t have any empirical data on actual cybercrime events:

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying:

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet, which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program, although it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO or CFO that cannot quantify their potential damage due to cyber crime, given a practical threat model and coached by an expert rather than a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR, which can always be leveraged into marketing activities. This is rarely reported in the balance sheet as an extraordinary expense, so one may assume that it is part of the cost of doing business.

Tech companies that suffer an IP breach are a different story, and I’ve spoken about that at length on the blog. I believe that small to mid-size companies are the hardest hit, contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the $1 trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon, where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind, leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting (here) and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life, or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering the rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere – not on the street and not on FB.

Regarding cyber terror – I have written at length on how the Obama administration is clueless on cyber terror.

One would hope that, in defense of liberty, the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host based intrusion detection on DoD PCs.


What if al-Qaeda Got Stuxnet?

Speaking at this year’s RSA Security conference in San Francisco, Deputy Defense Secretary William Lynn was worried about al-Qaeda getting Stuxnet:

al-Qaeda operates as a network comprising both a multinational, stateless army and a radical Sunni Muslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a Christian-Jewish alliance is conspiring to destroy Islam, embodied in the U.S.-Israel alliance, and that the killing of bystanders and civilians is religiously justified in jihad. (From Wikipedia)

William Lynn is the same official at the US Department of Defense who doesn’t believe in offensive measures to combat cyber terror. In his article several months ago in Foreign Affairs Lynn claims:

Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

Let’s see if we can connect the dots.

1. Who is the attacker?

Lynn has just reiterated that the Obama administration officially considers al-Qaeda a threat to the US, markedly ignoring the Muslim Brotherhood – since the US considers the Muslim Brotherhood a secular, democratic political organization. Neither is Mr. Lynn concerned with other Islamic terror groups like Hamas or the PLO.

2. What are the best security countermeasures against the attack?

Despite believing in good cyber security defenses, Mr Lynn does not offer any security countermeasures against al-Qaeda deploying Stuxnet, and falls back on the American shoe bomber security philosophy: considering yesterday’s attack, not tomorrow’s attack. This is the same security management strategy that resulted in millions of airline passengers taking off their shoes in a fruitless, ineffective security countermeasure against a one-time, one in a million attack.

3. Is Stuxnet a cost-effective attack against the great Satan?
Of course – al-Qaeda might deploy Stuxnet against US critical national infrastructures but then again it might be cheaper and more effective for a Muslim terror organization to do something different – like use Facebook to make friends with a DC college student, make a date with her in Manhattan and have her ride the Red Line to Reagan Airport in DC, go through the non-security measures there, not get profiled and use a text message to a bomb in her bag to blow up in the line of people taking off their shoes, killing 20-30 civilians and taking down the US transportation infrastructure for the day.

4. Is the Obama administration more concerned with media exposure than with combating Islamic cyber terror?

Director of National Intelligence James Clapper told a House panel that al-Qaeda appears more focused on making inroads with unsuspecting Muslim youth through social media. Is Mr Clapper speaking with Mr Lynn, or is the Obama administration making the same mistake that the Bush and Clinton administrations made, where the CIA collects intelligence, the DOD defends, the FBI investigates civilian crimes, but no one connects the dots?

As I wrote in April 2009 about the Obama cyber security policy review, I was reminded of Melissa Hathaway’s 2009 speech to the RSA Security conference which featured a few cute gems like this one:

“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.”

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing”.

As I wrote back in April 2009 – I thought we should wait 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced.

Less than 6 months later, Ms. Hathaway resigned. People familiar with the matter said Ms. Hathaway had been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her politically. (See Siobhan Gorman’s Wall Street Journal piece from August 2009. Gorman covers national intelligence issues at the WSJ and has written stories exposing the NSA’s computer problems, including those in its multibillion-dollar Trailblazer program aimed at identifying electronic data crucial to the nation’s safety.)


The security of open source software

A conversation with a client this morning revolved around software development tool alternatives in a WebSocket environment.
“Why not use Flash on the client and AMF on the server side?”, the client asked. I hesitated for a moment and answered: because Adobe’s stack is proprietary and closed source, and the only developers looking at the code are Adobe employees. If you’ve ever gotten a white screen of death and a cryptic “#1707 upload failed” message, you know what I mean. Everything else – the security vulnerabilities of Flash, the cost of development, the support costs – all derives from the closed-source proprietary software.

In 2011, there seems to be more awareness that open source software is more secure and more reliable. In reality, the most secure systems available today are based on the open source model and peer review. There is absolutely no question that the secret to creating great software that is also secure software is marshaling as many smart people as possible to the task.

Natalie Walker-Whitlock wrote an excellent article, “The security implications of open source software”, almost 10 years ago, and it’s still an excellent read.

Traditionally, software security was equated with secrecy. You lock up your house, your car and your valuables. In the software community, you “lock up” the programming source code as a means of securing it against hackers and competitors.

To the closed source camp, a system can’t be truly secure when its source is open for all to read. This is patently wrong: with good guys and bad guys all looking at a supposedly secure system, disclosing the source discloses software defects, and by remedying defects the software becomes more reliable. More reliable software slows down intruders, reduces the attack surface and, in the event of a data breach, keeps damages due to data loss to a minimum.


Counter cyber terrorism with social networks

The topic of offensive strategies against hackers comes up frequently, and I am surprised and dismayed by the US strategies on combating cyber terror. The Americans are still thinking in a conventional warfare paradigm – in “Defending a New Domain”, William Lynn writes:

It must also recognize that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack’s perpetrator.

Dismantling terrorist infrastructures and social fabrics is neither retaliation nor vigilantism, and I am dismayed by the DoD strategy of combating terror with defenses instead of using anti-terror techniques:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

At a network level, you would and should blacklist the source of the malware – it might be an IP address that gets blocked at the firewall level or at a blacklist level, or a modified signature in a content filtering/IPS system.

However – this is a defensive strategy that we know is not a very effective strategy in the long term, since it doesn’t address the root cause of the threat. A more interesting approach, used several years ago against Code Red, redirects requests back to source IP addresses – if large numbers of attacked web servers did that, it could create a DDoS attack, punishing the attackers in a turnabout-is-fair-play strategy.
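The network-level blacklisting described above, as an added example that is not part of the original post: it parses constructed web-server log lines, counts requests per source that match a simplified probe signature modelled on the Code Red request pattern, and turns sources at or above a threshold into firewall DROP rules while refusing to block RFC 1918 ranges and an operator allowlist. The log lines, addresses, threshold and the iptables form of the output are assumptions made for the example.

```python
"""Turn web-server log evidence into a firewall blocklist (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample traffic: documentation address ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2010:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2010:12:00:02 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
198.51.100.7 - - [10/Aug/2010:12:00:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
198.51.100.7 - - [10/Aug/2010:12:00:04 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
192.0.2.55 - - [10/Aug/2010:12:00:05 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
10.0.0.5 - - [10/Aug/2010:12:00:06 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
10.0.0.5 - - [10/Aug/2010:12:00:07 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0
203.0.113.10 - - [10/Aug/2010:12:00:08 +0000] "GET /about.html HTTP/1.1" 200 900
"""

# Simplified signature modelled on the Code Red probe of the IIS .ida handler.
CODE_RED_PROBE = re.compile(r"^GET /default\.ida\?")

# Source address, ident, user, [timestamp], "request" of a combined-format line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

# Ranges that are never blocked automatically: they are usually NAT gateways,
# internal scanners or the site's own hosts, and dropping them causes outages.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return (source_ip, request) for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("request")


def find_attack_sources(log_text, signature, threshold=1):
    """Count signature hits per source and keep sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, request = parsed
        if signature.search(request):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def blocklist_rules(sources, allowlist=()):
    """Emit iptables DROP rules, skipping protected ranges and the allowlist."""
    protected = NEVER_BLOCK + [ipaddress.ip_network(n) for n in allowlist]
    rules = []
    for ip in sorted(sources, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            continue
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_attack_sources(SAMPLE_LOG, CODE_RED_PROBE, threshold=2)
    for rule in blocklist_rules(hits, allowlist=["203.0.113.0/24"]):
        print(rule)
```

The threshold and the protected ranges are what keep this from turning into a self-inflicted outage: a single hit from a shared NAT address or a partner network is not worth a rule, and every rule added this way should carry an expiry, since the post’s own point is that the source address is not the root cause and will move.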

Attacking social networks of hackers

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Let’s learn from the counter terror success of the Italians in the late 60s in dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since malware is a form of terrorism, I believe that this strategy could be effective, since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.

While an interesting idea, the key barrier to this strategy is deploying it where hackers operate and obtaining the cooperation of local law enforcement.

As Mr. Lynn writes in his article in Foreign Policy – the Americans are keen on cooperation:

Cyber Command’s third mission is to work with a variety of partners inside and outside the U.S. government. Representatives from the FBI, the Department of Homeland Security, the Justice Department, and the Defense Information Systems Agency work on-site at Cyber Command’s Fort Meade headquarters, as do liaison officers from the intelligence community and from allied governments. In partnership with the Department of Homeland Security, Cyber Command also works closely with private industry to share information about threats and to address shared vulnerabilities. Information networks connect a variety of institutions, so the effort to defend the United States will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector.

While it’s not clear that the Chinese or Estonian governments would play ball – if the Americans are really intent on combating cyber terror through international cooperation, perhaps they should trade in their defense-oriented strategy for an anti-terror and demand-side strategy.


Stuxnet targeting specific SCADA configurations

The debate on whether or not the Israelis wrote the Stuxnet malware rages on – but it seems pretty clear from the research from ESET and Siemens’ own findings (here) that the virus is apparently only activated in plants with a specific configuration. To be exact – the target is not the SCADA system itself but rather the Siemens WinCC visualization and process monitoring software. WinCC runs on standard Windows platforms, as I pointed out in a previous post, and not on a hardened version of Windows as Shai Blitzblau seems to think.

Note also that standard anti-virus programs with updated signatures as of August 2010 remove Stuxnet, so the continued propagation of the malware is either via a mutation or on Windows systems not running an anti-virus – which would not be too surprising, since apparently most Siemens WinCC installations are still using default admin passwords.

Analysis of virus and status of investigations

  1. The virus has been isolated on a test system in order to carry out more extensive investigations. Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge.
  2. As far as we know at the moment, industrial controls from Siemens are affected. The Trojan is activated whenever WinCC or PCS7 software from Siemens is installed.
  3. Further investigations have shown that the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
  4. The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
  5. This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.
  • This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now.
  • This kind of specific plant was not among the cases that we know about.

Are we glorifying the attackers and prosecuting the victims?

With all the media noise about Stuxnet, cyber war and cyber terror, I propose taking a closer look at how we relate to the players. Whether uber hackers or PLO terrorists, are we glorifying the attackers at the expense of prosecuting the victims?

In data security I don’t subscribe to utilitarian ethics, which attempts to balance the benefit versus the damage of an act and can lead to the ends justifying the means.

For data security and compliance, I recommend the “Ten Commandments” approach – if it’s not ethical to steal data, then it’s never acceptable to steal data, neither as an employee, contractor, consultant or hacker.

I read a short article by the Chazon Ish (who passed away in 1953 and is well known for both his saintliness and extreme breadth of knowledge). He speaks about the importance of distinguishing between the attacker and the victim. He explains how we must carefully tread the line of understanding who is the attacker and who is the victim. Basic morality dictates showing compassion to the victim and harshness to the attacker. Therefore – how terrible it is when we mistakenly reverse the roles and show compassion to the attackers and penalize the victims!

Translated to the world of security and compliance, we can understand that a basic component of data security in the workplace is an ethical approach where we maintain a clear identification of who is the malicious attacker and deal with him in an uncompromising and harsh way. The vast majority of employees are not malicious attackers, and there is no reason to penalize them as long as they comply with the company’s acceptable usage policy. On the other hand, there is no ethical basis to treat an attacker with compassion.

As Sun Tzu wrote in “The Art of War” – “When you lay down a law, make sure it is not disobeyed”.


Open Source Security Testing

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.

I’m not sure exactly if this project really qualifies as Open Source, since the license is not specified. As a methodology and not a piece of software, I would have expected to see a Creative Commons License.

Tag lines aside – the OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web applications.

Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland – whose firm has been using the OSSTMM methodology since its inception – recently commented on the value proposition the methodology standard offers, stating that, “the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regular basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.”

“Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.”


Security theater and security politics

I had some input from colleagues on my Stuxnet posts, suggesting that I was downgrading the need to be vigilant against cyber-threats. Of course we must be vigilant, but let’s not forget a couple of things:

1) We have to get the basics right –

Note the Siemens guideline for implementing WinCC: “system administrator password can be assigned by the user and supports adherence to company password conventions”

Which Siemens themselves do not follow in their field implementations. If they had, then Stuxnet would not have been able to exploit the default password vulnerability in WinCC.
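An added example, not Siemens code and not from the original posts, that checks a constructed WinCC/PCS7 host inventory for the two basics called out here and in the earlier Stuxnet SCADA post: an administrator password still at the vendor default, and anti-virus missing or with signatures older than the August 2010 point at which, per that post, updated signatures removed Stuxnet. Hosts whose role includes WinCC or PCS7 (the software on which the Siemens analysis says the Trojan activates) are ranked higher. The inventory field names, hostnames, roles and dates are assumptions; the cutoff is taken from the post.

```python
"""Rank WinCC/PCS7 hosts by basic hygiene findings (added example)."""
from datetime import date

# Constructed inventory: hostnames, roles and dates are made up for the example.
# Passwords themselves are never stored; only whether the default was changed.
INVENTORY = [
    {"host": "wincc-hmi-01", "role": "WinCC HMI", "admin_password_is_default": True,
     "av_installed": True, "av_signature_date": "2010-06-30"},
    {"host": "wincc-hmi-02", "role": "WinCC HMI", "admin_password_is_default": False,
     "av_installed": True, "av_signature_date": "2010-09-15"},
    {"host": "pcs7-eng-01", "role": "PCS7 engineering", "admin_password_is_default": True,
     "av_installed": False, "av_signature_date": None},
    {"host": "hist-01", "role": "historian", "admin_password_is_default": False,
     "av_installed": True, "av_signature_date": "2010-04-01"},
]

# The post says signatures current as of August 2010 remove Stuxnet; anything
# older is treated as not covering it.
SIGNATURE_CUTOFF = date(2010, 8, 1)


def audit_host(host, cutoff=SIGNATURE_CUTOFF):
    """Return the list of hygiene findings for one inventory record."""
    findings = []
    if host["admin_password_is_default"]:
        findings.append("default administrator password still in place")
    if not host["av_installed"]:
        findings.append("no anti-virus installed")
    else:
        sig = host["av_signature_date"]
        if sig is None or date.fromisoformat(sig) < cutoff:
            findings.append(f"anti-virus signatures older than {cutoff.isoformat()}")
    return findings


def in_stuxnet_scope(host):
    """Siemens' analysis: the Trojan activates where WinCC or PCS7 is installed."""
    role = host["role"].lower()
    return "wincc" in role or "pcs7" in role


def prioritize(inventory, cutoff=SIGNATURE_CUTOFF):
    """Return (host, score, findings) for hosts with findings, highest score first.

    Score is the finding count, doubled for hosts in scope for Stuxnet. The sort
    is stable, so equal scores keep inventory order.
    """
    report = []
    for host in inventory:
        findings = audit_host(host, cutoff)
        if not findings:
            continue
        score = len(findings) * (2 if in_stuxnet_scope(host) else 1)
        report.append((host["host"], score, findings))
    report.sort(key=lambda item: -item[1])
    return report


if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY):
        print(f"{name} (score {score}):")
        for finding in findings:
            print(f"  - {finding}")
```

The inventory is self-reported, so this ranks where to look first rather than proving anything; confirming that the default was actually changed, and that signatures are actually current, is a credentialed check on the host itself.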

2) Security theater is one thing. Security lobbies hyping cyber-war and cyber-terror in order to garner Federal funding, paid for by your tax dollars, is another. Unfortunately – the Obama administration agenda on fighting terror is more oriented towards security theater and politics than addressing the root causes, starting with shutting down funding of Hamas and al-Qaeda by the Saudis and the Iranians, which seems to me to be infinitely more effective than bullying the Israelis to stop building schools and homes.
