Today the Avast anti-virus company is warning about a vulnerability in a WordPress image-resizer.
In early October, researchers from AVAST were contacted by several users via the CommunityIQ system that http://www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected… The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. “TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security,” said Mr. Sirmer. We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 – 31 – the first three days that this infection surfaced – that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.
Thing is, this vulnerability was found way back on 1 August by Mark Maunder:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty…
Eventually I found it. The hacker had done an eval(base64_decode('…long base64 encoded string')) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.
Zero Day Vulnerability in many WordPress Themes
And it was further discussed by Matt Mullenweg on 8 August:
Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes. Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications.
The TimThumb Saga
I don’t know how we do it, but somehow we need to convert researchers’ research into users’ use.
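As an added example (not code from Maunder's, Mullenweg's or Avast's posts), here is a Python scan over a WordPress install that checks for the two things the quotes above describe: PHP files carrying an eval(base64_decode()) loader, and a timthumb.php whose $allowedSites array is not empty. It also flags files the web server could write to, which is how the loader got there. The sample sources, the gzinflate variant of the loader and the web_uid parameter are my assumptions.

```python
import os
import re
import stat
from pathlib import Path

# The obfuscated loader described above (eval of a decoded string);
# gzinflate is added as a common variant of the same trick (assumption).
EVAL_DECODE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I)
# The $allowedSites setting in timthumb.php, captured up to the closing paren.
ALLOWED_SITES = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)

# Constructed sample sources (not real theme or attacker code).
SAMPLE_INJECTED = "<?php eval(base64_decode('QUFBQQ==')); ?>\n"
SAMPLE_TIMTHUMB_DEFAULT = (
    "<?php\n"
    "$allowedSites = array(\n"
    "    'flickr.com',\n"
    "    'picasa.com',\n"
    ");\n"
)
SAMPLE_TIMTHUMB_HARDENED = "<?php\n$allowedSites = array();\n"


def scan_php_source(src):
    """Return a list of findings for one PHP file's source text."""
    findings = []
    if EVAL_DECODE.search(src):
        findings.append("eval(base64_decode()) loader")
    m = ALLOWED_SITES.search(src)
    if m:
        # Quoted entries inside array(...) are the remote hosts still allowed.
        hosts = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1))
        if hosts:
            findings.append("timthumb $allowedSites not empty: " + ", ".join(hosts))
    return findings


def writable_by_web_server(path, web_uid=None):
    """True if the web server could write the file: group- or world-writable,
    or owned by the web server's uid (web_uid is an assumed parameter; pass
    the uid of the account that runs PHP if you know it)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return web_uid is not None and st.st_uid == web_uid


def scan_tree(root, web_uid=None):
    """Walk a WordPress install and map each suspicious .php file to its findings."""
    report = {}
    root = Path(root)
    for path in root.rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if writable_by_web_server(path, web_uid):
            findings.append("writable by web server")
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


if __name__ == "__main__":
    import sys
    for name, items in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "->", "; ".join(items))
```

Run it against the document root; a clean install reports nothing, a bundled timthumb.php with its default list shows up until $allowedSites is emptied.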
Tomorrow the Foreign Office will host an international conference on cyber security – and I would just love to be a fly on the wall of the closed sessions seeking to teach the world how to behave on the internet.
Britain will be there trying to explain the difference between British criminal rioters and other nations’ freedom fighters, and that we need international co-operation to allow Cameron to block social networks in the UK while protecting the free speech and free intercourse of freedom fighters in other countries.
France will be trying to sell its spyware to China.
The USA will be late to the table.
Germany will be trying to sell its spyware to China.
Australia and New Zealand will be hoping to learn how to control access to the internet from China.
The CIA will be offering its spyware free to China – but it includes a secret back door.
Russia won’t say much; it’s too busy looking for opportunities.
The EU won’t say much; it’s too afraid that the Euro’s begging bowl to China will be spurned.
France will still be trying to sell its spyware to China.
The USA will make a great public stand on the immutability of free speech, while quietly trying to explain to China that you don’t actually have to protect civil liberties, you just have to pretend to.
China will be inscrutable. It doesn’t give a hoot. Its way has clearly proved to be the best way – why change what ain’t broken? If other countries leave their intellectual property lying around on the internet, picking them up isn’t criminal, it’s just good business. And anyway, what would happen if China foreclosed on the rest of the world?
So what will we get from this conference? My suspicion is that everyone will agree, and nothing will change. Except, perhaps, I can see the IWF’s Cleanfeed becoming even more international, growing from child pornography and copyright infringement to include other categories, and becoming mandatory for many ISPs around the world. Except for China which has got its own.
Don’t you just love statistics? The security industry uses them extensively, but here’s a non-security example of why I love ‘em.
There’s a campaign here in the West Country to persuade all pensioners to retake their driving test, or at least take a refresher course. The argument is simple and an absolute clincher: one in five accidents are caused by pensioners.
But consider. Let’s say that pensioners are aged 65 to 80 (actually, here in the West Country they’re more likely to be 65 to 95 driving souped up Golfs). Anyway, 65 to 80 is fifteen years. The full driving span is 17 to 80; that is, 63 years; meaning that 48 years are occupied by pre-pensioners.
Now, according to the argument, one-fifth of accidents (20%) are caused by pensioners. So, in those 15 years, pensioners are responsible for a ratio of accidents to years (20/15); ie, 1.33. But pre-pensioners are responsible for a ratio of accidents to years (80/48); ie, 1.66. So, just on these figures, pre-pensioners are more likely to cause accidents than actual pensioners; and clearly it is we rather than they that need refresher courses.
The statisticians among us will say, whoa! you can’t prove that from those. You have an agenda, and you’re using statistics to prove it. But that’s my point. Statistics are never used for anything other than to justify a pre-determined course of action. Rightsholders twist piracy statistics to justify draconian copyright laws. Leftist governments twist economics to prove that we are better off under socialism. Rightist governments twist economics to prove that we need to do what is best for Big Business because it will benefit all of us (but them even more). All governments twist threat statistics to justify draconian anti-terrorist control laws. And of course some security companies twist cyberthreat statistics to persuade us to buy their product.
When offered statistical justification for something, bin the statistics. Base your course of action on your experience, your gut feeling, a pinch of logic and a dash of independent advice, and you’re more likely to choose the right course of action.
Here’s a thought for the youth of today. The first computer I ever bought that had any real storage was an IBM PC with a 10Mb hard disk. It cost me around £5000, and was revolutionary.
Today you can get a tablet with more than 30Gb of memory for around £500.
I would have needed 3000 IBM PCs to match the storage of one tablet. It would have cost me £16,000,000; or conservatively, £32,000,000 in today’s money.
I should have waited.
Security and compliance go together like love and marriage – you can’t have one without the other. That is the common perception (we’re talking of course solely about the infosec aspects of compliance). But is it true? Are security and compliance synonymous? If you are secure, will you be compliant? If you are compliant, will you be secure? What, in short, is the relationship between the two?
Here’s my problem. The purpose of the infosec aspects of the Data Protection Act is to keep personal data secure. But how can you be compliant with this requirement? If you have the strongest security in the world, you still cannot guarantee that the data won’t be lost. If you have virtually no security, you might never lose the data. The only empirical test for conformance, or at least the lack of it, is whether you keep personal data safe. If you lose the data you are not compliant, regardless of your security. If you do not lose the data, you are compliant, regardless of your security.
This leads to an important question: if compliance is purely a legal requirement effectively disconnected from security, will it lead companies to concentrate on legal compliance to the detriment of true security? To help me understand, I spoke to a number of security experts.
Lars Davies, CEO at Kalypton and a one-time visiting fellow at the Centre for Commercial Law Studies, Queen Mary, University of London, is clear on the relationship. “The problem comes from the fact that compliance and security are not commutative,” he told me. “One does not necessarily infer the other. Compliance infers security. Security does not infer compliance… Compliance tells you what you need to achieve. Good security is simply one of a set of components that you need to achieve the goal.”
Infosec in this sense is a tool for compliance, not a required effect of compliance; although confusion comes from the need to use security (and therefore gain security) in order to achieve compliance.
“If you are compliant then you must be secure; your security must be fit for purpose,” continued Lars. “You simply cannot not end up with the lowest common denominator at all and still remain vulnerable. If you are vulnerable then you cannot, by definition, be compliant.” So, “If you are compliant you must, by definition also be secure… Compliance and security are like pregnancy, you either are or you are not.”
This gives me a problem, since I believe it is impossible to be secure.
“You define security as the ability to avoid compromise,” replies Lars. “That is one definition. However, it does not say avoid compromise absolutely. It is impossible to avoid compromise if you are the subject of a targeted attack. However, you can make such attacks extremely difficult, and you can put in monitoring processes and procedures to try to detect and thus counter those attacks. That is also part of achieving security. You must continually refresh and update your security tools based on your on-going assessment of their suitability to meet your requirements. That is what you need to do as part of your efforts to achieve compliance.”
This is the view of Edy Almer, VP Marketing and Business Development at Safend. “The reality is that to be ‘secure’ is a continuum not a discrete state. Compliance mandates acceptable risk points along that continuum. If you are compliant there is a very reasonable possibility that your risk is lower than it would otherwise be.”
David Emm, senior security researcher at Kaspersky Lab, comes to a slightly different conclusion from the same argument. “Security is a bit like housework, by which I mean it’s a process, rather than a fixed set of actions or tools implemented in an organisation. Regulations are invariably static and may not keep pace with technological developments – either positive ones or those that attackers make use of. I think there’s a parallel here with health and safety legislation. A company may be compliant for the annual inspection; but if it plays fast-and-loose with safety for the rest of the year, how ‘compliant’ is it in reality?”
Howard Sklar, senior corporate counsel at Recommind and advisor to the InfoRiskAwareness Project, takes a slightly different view. “Being ‘compliant’ doesn’t necessarily mean secure. ‘Compliance’ means ensuring that your people, process, and technology all work together to meet standards or policies. To turn compliance into security, you need to make sure that the standards you set are sufficient to keep you secure. If your policies allow for open access for everyone, including the public, then having totally insecure computers would still be compliant: you’re meeting the requirements that you set out. They’re just the wrong requirements.”
Paul Davis, Director-Europe at FireEye, has a more traditional security-centric view. “Simply put,” he says, “compliance is a necessary step towards better security; but inadequate by itself to protect against advanced malware and sophisticated cyber criminals. Compliance regulations set the minimum requirements for organisations to meet by only accounting for generally well-known cyber attack tactics and threats. We’ve all heard of the successful attacks on ‘compliant’ organisations like Epsilon marketing and even computer security companies, like RSA. Today’s advanced malware can bypass traditional and next-generation firewalls, AV, IPS, and Web gateways easily. Being ‘compliant’ does not mean the network has been ‘secured’, but rather that it has taken the first step towards protecting customer data, intellectual property, and sensitive information. Compliance is only one of the first steps towards a secure IT infrastructure.”
Mehlam Shakir, CTO at NitroSecurity, sees the danger in treating compliance as the winning line rather than just ‘one of the first steps’. “For many businesses it is a vital necessity that they are compliant with regulations such as PCI DSS, GPG13 or CoCo; but there is a rapidly emerging trend of organisations just thinking about what needs to be achieved to reach compliance – which is undermining and negating the security measures that should be in place as a first point of call. This means that more and more businesses are finding themselves at risk because basic security measures are either not in place or up-to-date.”
“Being compliant to a standard is important to having better security; however it doesn’t always guarantee that the network is secure,” agrees Alex Teh, Commercial Director, Vigil Software. “What I mean is that quite often being compliant to a particular standard like PCI DSS relates only to the part of the network that is holding credit card information and not security in general. Quite often the role of a QSA is to limit the extent of the network that needs to be PCI compliant. This often means ruling out major parts of the network to reduce cost.”
And there’s another potential by-product. Compliance requirements could persuade companies to become ‘early adopters’ of apparently relevant new technologies. “But if the organization is one of the ‘late majority’ in the technology adoption lifecycle,” explains independent governance and risk consultant Roger Southgate, “they may be significantly less vulnerable than organizations that are early adopters of new technologies, and in effect the trail blazers in identifying what security requirements are most appropriate for their risk appetite.” ‘Don’t be the guinea-pig’ has always been good business advice.
Am I any more clear about the relationship between security and compliance? No, I am not. The main issue is well described by Frank Coggrave, General Manager EMEA, Guidance Software. “Compliance is backward facing and security should be forward facing,” he explains. “Compliance is about adherence to rules that have been set in the past (by definition) that reflect the thoughts, worries and concerns that created the desire to have the rule. Although they can try to take account of future expectations they will always fail to do so, to some greater or lesser extent. If compliance was perfect why would we have a set of financial rules called Basel III – Basel I should have been enough. Security is about responding to today’s and tomorrow’s threats and concerns. It needs to be more reactive than a compliance cycle. Compliance is important to ensure you don’t leave yourself exposed to the old stuff, but it’s no security blanket – there are too many moths active out there.”
So after all of this I can come to only one conclusion. If security and compliance are like love and marriage – we need a divorce. Ensure compliance for the sake of compliance regardless of security, and seek security for the sake of security regardless of compliance. Don’t let one influence the other and you will be more successful in both.
I hear that the West Yorkshire Trading Standards office is taking payment from a company that has outstanding complaints against it (SGE Loans). It’s not a backhander, apparently – it’s a consultancy fee (although I doubt that SGE Loans considers it that simplistically).
But where will it end? Will we have politicians accepting gifts from the businesses they regulate? Will we have councils approving contentious planning applications in exchange for ‘free car parks’ or ‘free swimming pools’ or ‘free sports centres’? Will we have Members of Parliament defying the public in exchange for career preferment?
Will we have LEAs taking consultancy from criminal hackers; or turn it round and will we find the British Army providing ‘consultancy’ to the foreigners who will be the terrorists in countries we need to invade in the future?
I am so glad that the innate British moral compass steers us away from such dubious and immoral conflicts of interest.
Understanding the threat
If we look at security today there is one conclusion we simply cannot avoid: it is not working. Despite the $20bn invested in IT security in 2010 (FireEye Advanced Threat Report – 1H 2011), the cost of cyber crime to the UK economy alone is estimated to be £27bn per annum (The Cost of Cyber Crime: a Detica report in partnership with the Office of Cyber Security and Information Security in the Cabinet Office). We need to understand what is going wrong in order to reverse this. And to understand that, we need to examine the evolving threat landscape.
It is tempting to blame the emergence of the advanced persistent threat (APT), a highly targeted, sophisticated attack aimed at large corporates. Hardly a week passes without news of a new APT attack on a household name: Google, Sony, Nintendo, RSA, Mitsubishi. And it is easy to support this idea with current statistics. FireEye divides current threats into two primary categories: ‘wide and shallow’, and ‘narrow but deep’. The first is the traditional approach: a wide net is thrown to catch as many targets as possible; but the actual loss is relatively small. The second is the specifically aimed attack on an individual organization that goes deeper and steals more – the APT.
It’s a description that is recognised by Detica’s Henry Harrison. “Of the £27bn annual loss to the UK economy,” he comments, “£17bn comes from theft of intellectual property and espionage – the typical narrow but deep targets of APT attacks.”
But while we must be aware of the threat of APT, we should not be diverted by it. The exploits and methodologies used are not new. Only the manner in which they are combined; the targets at which they are aimed; and, it has to be said, the almost military intelligence and precision with which they are controlled, is new. (It’s worth noting that ‘APT’ is a military term first coined by the US Air Force.)
Successful security should stop APT just as much as it should stop common-or-garden malware. Consider the banking trojan Zeus. Worldwide, RSA’s security and fraud expert Uri Rivner told me, “there are some five million PCs infected with Zeus”. Clearly our security defences stop neither wide and shallow nor narrow but deep attacks; and we need to understand the reason.
One clue can be found in PricewaterhouseCoopers’ 2012 Global State of Information Security Survey. “A clear majority of [9,600 CEOs, CFOs, CIOs, CISOs, CSOs worldwide],” it states, “are confident that their organization’s information security activities are effective.” This is despite the unambiguous empirical evidence to the contrary.
The problem is that we are stuck in an old security paradigm when the paradigm itself is changing. We grew up with our servers in the computer room and our users in the same building. The concept of security was simple: we put a barrier around our IT infrastructure to keep the bad things on the outside and the good things on the inside. Since the good things were all in one building it was conceptually simple. And since the technology to achieve this barrier is mature and effective – firewalls, anti-malware, intrusion prevention, content filters – and since we have all installed this technology, we believe we are secure.
It is a false sense of security that leaves us terribly exposed. Computing is no longer that simple. Cloud computing means that our data could be anywhere. Mobile computing means that our users could be anywhere. Consumerization means that our access devices could be anything that has internet connectivity. Where now can we effectively place a barrier? It’s not impossible, it’s just different; and we’re not keeping pace. But all of this pales into comparative insignificance in the face of a major new weakness: us. The rise of social networking combined with the consumerization of devices and mobile computing means that we are as likely to socialise at work as we are to work at home. There is no longer even a virtual boundary between work and home.
“There has been a seismic shift in the threat landscape,” explains Rivner. “The criminals are no longer attacking the IT infrastructure. They are attacking the users.” It is social networking that provides the information that allows the criminal to bypass our security defences and get into our networks via our users. We have become nonchalant over the amount of personal information we effectively broadcast to all and sundry: our likes, our dislikes, what we do, what we want, where we are, where we’re going…
Armed with this information and basic social engineering skills it is easy for the criminal to trick us into doing something we shouldn’t, like going to a compromised website or opening a poisoned attachment. The malware itself stays ahead of us by rapid and automatic changes designed to defeat, and is successful at defeating, signature-based defences. FireEye points out that 90% of malicious executables and malicious domains change in just a few hours, and that today’s criminals are almost 100% successful at breaking into our networks.
The criminal no longer seeks to find a way through our security defences; social engineering has shown him a way round them. The difference with APT is that the criminal will now try to hide his presence and will take his time to find and steal what he wants. Unless we change our approach, and adapt our security to the changing threat landscape, the cost of crime will continue to escalate.
Tackling the threat
As things stand today, any company targeted by APT or simple spear phishing will almost certainly succumb. But it doesn’t have to be that way. There are things we can do. Absolutely central to this is continuous staff security awareness training to defeat that initial social engineering. It would be best not to do this yourself – use an expert to test both your defences and your staff. “First,” says David Hobson, the sales director of Global Secure Systems, “we test/audit your security systems and bring them up to speed. Then we’ll test your staff – and bring them up to speed.”
But that’s not enough; security awareness will not prevent all people-hacking. This summer RSA and TechAmerica hosted an Advanced Persistent Threats Summit in Washington, D.C. One of the takeaways is this: Organizations should plan and act as though they have already been breached (APT Summit Findings, RSA). Statistically, you probably have. So if existing defences aren’t working, go back to basics and start again. Security is not an end in itself: it is the risk mitigation aspect of risk management. Use risk management techniques to understand what is of most value. David Hobson uses an analogy with medieval castles. “You take your crown jewels and keep them separate in the best defended part of your castle, in the Keep.”
One method of segregating your networks is to colocate, wholly or partially, with a specialist data centre provider. It’s a way of providing greater physical security for your servers than you could probably do alone. “We use 24-hour manned security and biometric authentication (palm readers) for access to our data centres and to individual client suites, cages or racks,” explains Brian Packer of provider BIS.
There’s a second implication from the APT Summit: if you are already breached, it would be good to know about it as soon as possible. You need to shine a light inside your network, to see what is happening, to look out for anomalies and recognise any intrusion before any data loss. There are several new and very advanced security products that can help you here from companies like Detica and FireEye.
Rivner believes that virtualization can also help. “A virtual desktop infrastructure (VDI) could prevent malware getting onto the desktop and from there to the server; and it certainly makes patching and upgrading the entire infrastructure an easy task.” Bear in mind that the Google Aurora hack would not have succeeded if the target were not still using an old and outdated version of Internet Explorer. ‘Patch your software’ should be a way of life.
But virtualization is only as good as its implementation and your understanding of its components. “An APT or any other security threat,” explains Mike Atkins of Orange IS Security Solutions, “is likely to focus on the weaknesses that can be found in the target systems and processes, and then seek to leverage 0-hour exploits. The key to protecting a virtualised environment is to similarly focus on the weaknesses of the system and then mitigate as fully as possible any attacker’s ability to leverage those weaknesses.”
There is, however, one weakness in all of these approaches. Necessary and good though they be, they effectively use the same old security paradigm: wait for, recognise and respond to an attack. And that might be too late. In this new security paradigm we need to accept that our attackers are more sophisticated, better resourced and organized, and more patient and persistent than are we. “We need,” says RSA’s Uri Rivner, “global information sharing. It will be difficult, coping with the different privacy requirements in multiple jurisdictions, but it can be done. The banks are already doing it. When we all do it, we will have the necessary intelligence to cope with today’s evolving threat landscape.”