Joe User is the weakest link – a presentation at the Infosecurity Virtual Conference
Eighteen months ago we had news of a sophisticated attack against Google. It became known as the Aurora attack and it spawned a new term: advanced persistent threat, or APT. It may or may not have had the direction, connivance or knowledge of the Chinese government. But it made us rethink the threat landscape.
A year ago we heard about Stuxnet, a new intricate attack originally targeting the Iranian nuclear programme. This too may or may not have had government direction, connivance or knowledge. But again, we had to rethink the landscape: the unhackable, computers not even attached to the internet, had become hackable.
A few months ago, one of the world’s leading security companies, RSA, was breached and SecurID tokens were compromised. A while later, Lockheed Martin and Northrop Grumman, two leading US defence companies, were both attacked with the stolen RSA data. Another new development – the implication is that the RSA attack was a planned precursor of the defence attacks – and once again the finger has been pointed at China.
What can we conclude from all this? That cybercrime has been taken over by government cyber warfare agencies? Well, yes and no. Cybercrime today is a PPP, a public/private partnership, with freelance cybercriminals employed by and selling to government agencies. And these same criminals also work for highly organized criminal gangs.
Do we deduce, then, that our security industry has failed us? Again, yes and no. The security industry failed in these and many more instances. But without that industry, without the anti-malware companies, without our firewalls and filters and intrusion prevention, it would be chaos. The security industry stops far more than it lets through.
But what does get through is now so sophisticated that many security experts privately admit that there is no defence against a determined, targeted attack. And if the big companies, and even security companies, cannot defend themselves, what hope is there for the rest of us? Dr Kevin Curran, a lecturer in computer science and senior member of the IEEE, told me in a conversation about the recent Sony hacks, “There’s nothing we can do to stop a targeted attack. We’re all vulnerable.”
So, do we load ourselves up with layers of cyber defences, and then just hope? Do we have to accept that if our name is on the bullet, that’s it? That if a foreign government wants our inventions for its own industry we have to accept it? That if a criminal gang wants our card details for themselves they will take them?
No, we don’t have to, and shouldn’t, just give up. There is a common factor, a common weak link exploited by all hackers; and if we strengthen that link, we will do much to prevent the attacks. What is this weak link? It’s you. It’s me. It’s all of us. It’s Joe User.
Joe User is both the cause and the solution. We have to change our behaviour. Consider these figures from the Spanish anti-malware company Panda Labs [graph not reproduced on this page].
The graph shows the types of successful malware attack currently out there. Similar graphs could be drawn for the different types of email scam or spam. Others could be drawn for categories of phish attacks. Endless graphs could be drawn to help us understand the threats we face from the e-criminals. But there is one statistic always left off. 100% of all these attacks depend upon just one element. Joe User.
If we were to include Joe User’s involvement in these attack graphs, he would always stand at 100%. Think about this. Not one single successful hack from the nerd in his bedroom to the Russian Mafia to the secretive government cyberwarfare agency has ever succeeded without the conscious or unconscious connivance of Joe. Joe, of course, is the single user at his desk in the corner, or working on the train going home – but he is equally the body corporate. It may be that he doesn’t do what he should, or does do something he shouldn’t; he might do it willingly or unwillingly or in ignorance – but if that act of collusion doesn’t happen, then the hacker can’t get in.
The hacker is like a vampire at the door. If Joe doesn’t invite him in, he can’t get in. But if Joe does let him in, he’ll own you, and he’ll bleed you dry. And the good hacker won’t even leave a shadow while he’s doing it.
We can illustrate this with a reconstruction of the way in which the Aurora attack was probably perpetrated. The attackers first chose their target. How? Possibly by using a business network like LinkedIn. Try it yourself. Choose any company and check it on LinkedIn. You’ll get a list of many of the internet-active employees, and probably which department they work in or what they do. Choose the person most likely to have good access to the corporate network or have direct knowledge of the company information you want to steal. Then switch to Facebook. See if he is there – probably he, or she, is. You already know what Joe does; now you can find out what he likes. Who his friends are. What interests him outside of work.
Now you have to hack one of those friends. It’s not as hard as you would hope. For example, there are long lists of stolen passwords available to the criminal. Maybe an innocuous gaming site was hacked, and user details stolen. From Sony, perhaps. Sony seems to have stored Joe’s password in plaintext. If you can find your friend-target on one of these lists, the chances are, because we all do it, don’t we, he’s using the same password throughout the internet.
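The plaintext-storage and password-reuse problem above can be made concrete with a short, added example (not code from the original talk or from any of the companies it names). It models two constructed sites that hold the same user's password: one stores it in plaintext, the other as a salted PBKDF2-SHA256 hash. A record leaked from the plaintext site can be replayed as-is against any other site where the user reused the password; a record leaked from the hashed site cannot, and because each site salts independently, identical passwords do not even produce identical hashes across sites. The iteration count and the sample credential are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: cost parameter for this demo; tune to your own hardware and policy.
PBKDF2_ITERATIONS = 310_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing storage string: pbkdf2_sha256$iters$salt_hex$hash_hex.

    A fresh random salt per user means the same password never yields the same
    stored value twice, on one site or across sites.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample: one user, one reused password, registered on two sites.
JOE_PASSWORD = "letmein2011"  # constructed, deliberately weak


def leaked_records() -> Tuple[dict, dict]:
    """Two constructed 'breach dumps' for the same user.

    Site A kept the password in plaintext (the failure the talk attributes to
    Sony); site B kept only a salted hash.
    """
    site_a = {"user": "joe@example.com", "password": JOE_PASSWORD}
    site_b = {"user": "joe@example.com", "password": hash_password(JOE_PASSWORD)}
    return site_a, site_b


def credential_reusable_from_leak(leaked: dict, other_site_stored: str) -> bool:
    """Would the value found in a leaked record log in, unchanged, elsewhere?

    This is exactly the 'same password throughout the internet' risk: a
    plaintext leak replays directly; a hash leak does not verify as a password.
    """
    return verify_password(leaked["password"], other_site_stored)


if __name__ == "__main__":
    site_a, site_b = leaked_records()
    third_site = hash_password(JOE_PASSWORD)  # a third site Joe reused the password on
    print("plaintext leak reusable elsewhere:", credential_reusable_from_leak(site_a, third_site))
    print("hashed leak reusable elsewhere:   ", credential_reusable_from_leak(site_b, third_site))
    print("same password, different stored values:", site_b["password"] != third_site)
```

Salting stops an attacker from spotting reused passwords by matching hash values between dumps, but it does not rescue a weak password: the leaked hash can still be cracked offline, which is why the stored form and the user's choice of password both matter.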
So now we can own Joe User’s friend’s Facebook account. We already know what Joe does, and we now know what interests him – and we’re his friend.
The next step is to forge a personal message from the friend, based around something of mutual interest to both parties. The intent is to get Joe to visit a particular site that we have already compromised. Again, that’s not too difficult – drive-by downloading from compromised sites is one of the cybercriminals’ current weapons of choice. But this is where the hacker might play his trump card – the use of a zero-day vulnerability in Joe’s browser.
The problem with zero-day vulnerabilities is that the security industry doesn’t know anything about them. We don’t even know how many there are. In this instance it was an unknown vulnerability in the old browser (IE6) that Joe was still using; and it was just one of a string of doors left open. This open door allowed the hacker to install a Trojan on Joe’s network – a Trojan designed to find and quietly steal information.
Joe left the doors open – an open invitation to the hacker – and the hacker quietly slipped in. And we all do it, all of the time. We do the wrong things. We click on bad links in emails we receive, we open attachments and we respond to spam. On the internet we get carried away and visit dubious sites using old and unpatched browsers, and we allow scripts to run willy-nilly rather than blocking them with something like a combination of the latest version of Firefox and NoScript. In short, we trust the internet to do us no harm, when we really shouldn’t.
And then there’s social networking, a Pandora’s Box of goodies for the hacker. Where there are privacy options, we ignore them, and upload vast amounts of personal and sensitive and often embarrassing information. We indulge in ‘my Friend List is bigger than your Friend List’, becoming a friend or contact or follower of any stranger that asks – and then, because it’s a social network, we trust those strangers as if they really are long-lost buddies from school.
But it’s not just a case of actively doing the wrong thing.
We also fail to do the right thing. Too many of us are still not using adequate and up-to-date anti-malware and firewall defences. We forget to patch or update our software when the supplier issues an update to solve a vulnerability, leaving that software vulnerable to the hacker. In short, we behave with insufficient paranoia about the internet. Paranoia is the best security defence.
Joe Corporate is no better. He often fails to develop and enforce a strict security policy. He forgets the importance of adequate provisioning and deprovisioning procedures – sometimes giving Joe User greater privileges than necessary, and not taking them away again fast enough; allowing disaffected Joe User to become Joe Hacker. He almost invariably fails to encrypt sensitive data, and once again fails the paranoia test.
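The provisioning and deprovisioning failures described above are the kind of thing a small periodic audit catches. The following is an added example, not code from the original presentation: it takes a constructed list of accounts, compares each account's granted privileges against a baseline for its role (least privilege), and flags dormant accounts and leavers whose access was never removed. The role baselines, field names and idle threshold are assumptions chosen for the demonstration.

```python
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumption: the privileges each role legitimately needs (the least-privilege baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "analyst": {"read_reports"},
    "developer": {"read_reports", "deploy_staging"},
    "admin": {"read_reports", "deploy_staging", "deploy_prod", "manage_users"},
}

Finding = Tuple[str, str, object]  # (user, finding type, detail)


def audit_accounts(accounts: List[dict], today: date, max_idle_days: int = 30) -> List[Finding]:
    """Flag over-privileged, dormant, and un-deprovisioned accounts.

    - excess_privilege: granted privileges beyond the role baseline
    - not_deprovisioned: HR status is not 'active' but the account still exists
    - dormant: active account unused for longer than max_idle_days
    """
    findings: List[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct["role"], set())
        excess = set(acct["privileges"]) - baseline
        if excess:
            findings.append((acct["user"], "excess_privilege", sorted(excess)))
        if acct["status"] != "active":
            # A leaver or suspended employee who can still log in is the
            # 'disaffected Joe User becomes Joe Hacker' case.
            findings.append((acct["user"], "not_deprovisioned", acct["status"]))
            continue
        idle_days = (today - acct["last_login"]).days
        if idle_days > max_idle_days:
            findings.append((acct["user"], "dormant", idle_days))
    return findings


# Constructed sample directory export; dates are relative to a fixed 'today'.
TODAY = date(2011, 9, 1)
SAMPLE_ACCOUNTS: List[dict] = [
    {"user": "joe", "role": "analyst", "status": "active",
     "privileges": ["read_reports"], "last_login": TODAY - timedelta(days=2)},
    {"user": "temp_admin_joe", "role": "developer", "status": "active",
     "privileges": ["read_reports", "deploy_staging", "deploy_prod"],  # never taken away
     "last_login": TODAY - timedelta(days=1)},
    {"user": "contractor_x", "role": "developer", "status": "active",
     "privileges": ["read_reports", "deploy_staging"], "last_login": TODAY - timedelta(days=95)},
    {"user": "leaver_y", "role": "admin", "status": "terminated",
     "privileges": ["read_reports", "manage_users"], "last_login": TODAY - timedelta(days=10)},
]


def run_sample_audit() -> List[Finding]:
    """Run the audit over the constructed directory export."""
    return audit_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, kind, detail in run_sample_audit():
        print(f"{user:16} {kind:18} {detail}")
```

Each finding maps to one of the failures in the paragraph: the excess-privilege case is a privilege granted for a task and never revoked, the dormant case is an account nobody reviewed, and the not-deprovisioned case is a leaver whose access outlived their employment.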
So are we saying that all cybercrime could be stopped if every Joe only did the right thing? Yes, we are. Are we saying it will ever happen? No. It won’t. But the fact remains that e-crime would be dramatically reduced if more of us users were less inviting to the criminals. We need to take a leaf out of physical policing and architecture: crime prevention through environmental design, known as CPTED. We make our systems so difficult to penetrate that the criminals go elsewhere. And if there’s nowhere else to go, they give up. That’s the theory. But if Joe continually opens or leaves open the doors, then no amount of other defences will help.
Security is a partnership – a partnership between the company defences supplied by the security industry, and Joe’s personal practices. We need anti-virus products, and firewalls and intrusion detection and content filters; but more than anything we need Joe User to behave in a responsible manner. Cybercrime, whether it emanates from the lone computer nerd in his bedroom or a nation state’s cyberwarfare agency, can only be defeated if Joe User closes the door in the face of hackers.
That means we need to take security awareness more seriously. The message is simple: to defeat cybercrime, companies need to spend as much time, effort and money on educating Joe User as they do on buying security products. It’s not an either/or situation. We need both. But at the moment, Joe User is the weakest link.