Archive for February, 2013

The problem with belief systems

February 24, 2013

The problem with a belief system is that it is built on interlocking argument and is always right.

But it defies logic that anything can be always right. Therefore a belief system is sometimes wrong – but to maintain a belief system, believers have to act in denial of any of it being wrong (because it’s all interlocking); which makes the entire belief system lack credibility.

Better by far to have a disbelief system in belief systems. Since it cannot possibly be always right, that disbelief will sometimes be wrong – and it is the disbelief system that becomes questioned, not the belief.

The logical conclusion is that to believe in anything, start with blanket denial. That’s what I strongly don’t believe.

Categories: All

Government cannot and must not be trusted with personal information

February 23, 2013

One thing that RSA week always brings is dozens of new surveys and research reports. I looked at three for Infosecurity Magazine on Friday:

They are all looking at different issues, but there is a common finding in all of them – a disconnect between recognising a threat and taking the right or adequate action to mitigate that threat. More specifically, they all say that the public sector is the worst offender.

From the Check Point security report

From Check Point we learn that government is the leading offender in the use of high risk applications (remote admin, file storage and sharing, P2P file sharing, and anonymizers). In particular government is more likely than any other sector to suffer an incident that could lead to data loss at least once every week; and government is the leading offender in sending credit card information to external resources.

From Clearswift we learn that “Despite 93% of [UK public sector] organisations sharing sensitive information with external partners, 30% don’t view information security as a high priority when selecting a partner.”

Trend Micro, commenting on its own report, says, “Public sector respondents were guilty of a worrying level of complacency, with over a third claiming targeted attacks are not a concern, despite 74 per cent of such organisations having been a victim of these attacks in the past.”

Put quite simply, government cannot and must not be trusted with our personal information. In the UK, this is the government that plans to build a national DNA database within the NHS; and that wishes to be able to intercept our private communications at will. For the sake of our security, it must be stopped.

Categories: All, Politics, Security Issues

Do you believe in full Metasploit or responsible Metasploit?

February 22, 2013

I did a blog posting for Lumension yesterday: Metasploit – Is it a Good Thing, or a Bad Thing?

I tried to give an idea of what the industry thinks, and it includes some interesting observations from luminaries such as HD Moore (the founder of Metasploit and CSO at Rapid7) and Rik Ferguson (VP of security research at Trend Micro).

One thing it doesn’t do is give my opinion. Assuming that we can relate Metasploit to ‘full disclosure’…

Do you believe in full disclosure or responsible disclosure?

Unequivocally, categorically, yes.

It’s a neat marketing trick by some of the vendors: full disclosure is responsible disclosure. Delayed disclosure is irresponsible disclosure. I believe that full, immediate and responsible disclosure is the only way to improve security. Any other suggestion is a sleight of hand from the vendors.

Categories: All, Security Issues

Cameron wants Indian students to save the UK universities

February 20, 2013

Have you noticed our dearly beloved prime minister trying to recruit Indian students for our UK universities?

That’s because he denuded the universities with excessive tuition charges. Even with the incredibly poor education system we now have, kids coming out of school are intelligent enough to know that racking up debts of £30,000 to get a degree that no employer wants in a market that has no jobs just doesn’t make any sense. So it’s better to go straight on to job seekers’ allowance now, debt free, than in 3 years’ time with a millstone around the neck.

But the danger in attracting Indian and Chinese and Brazilian students is that Cameron will reduce our higher education system to just another commercial enterprise. Those foreign students will come in, pay their fees, get their degrees and then go back to their native countries – not out of any anti-British sentiment, but simply because their own economies are growing much faster and creating more jobs.

The tragedy is that British companies haven’t seen the opportunity. They should be creaming off our top Sixth Formers with offers to pay off student debts if they join the company at the end of tuition with a first or second class degree.

Categories: All, Politics

Mandiant says it was the Chinese military what did it

February 19, 2013

Thing is, I don’t trust Mandiant. (I did a news story on the new ‘China did it’ report on Infosecurity here – but now this is my opinion, not news). Mandiant suffers from being trusted by governments. I do not trust governments – and so, by association, I do not trust Mandiant.

Every time that governments want to pass some new legislation further restricting, or decimating, personal privacy and internet freedom, there is a sudden flurry of Chinese and Iranian hacks – but mostly Chinese. I think many people get it the wrong way round. The proposed legislation is not necessary because of the hacks, the hacks are necessary because of the proposed legislation.

So, in the last few weeks we have had the New York Times, Washington Post, Wall Street Journal, Twitter and Facebook. And today Mandiant says quite categorically that it was the Chinese military what did it. Which just goes to prove that Obama was right to issue his Cybersecurity Executive Order and demand the return of the Cybersecurity Act; that Ruppersberger is right to reintroduce CISPA; that Cameron is correct in his insistence on the Communications Bill; and that the unelected European Commission has only proposed the Cybersecurity Directive for our own good – all because of China.

None of these new laws will do anything much for security; but they will all allow government to maintain closer control over innocent people.

Aerial photograph clearly showing the new roof that proves this is the source of Chinese military hacking

But let’s look at the Mandiant report. It makes a strong argument that proof of Chinese involvement is the use of Chinese IP addresses by the hackers. Given the hacking skill that Mandiant bestows upon the Chinese military, I can’t help wondering why China would leave this obvious proof so open when it could easily use some other country’s IP addresses. Must be a double bluff, I guess.

But what about Mandiant’s motives? In the section headed “Why We Are Exposing APT1” (APT1 is the name it gives to the hacking crew it says is really the Chinese military), it says, “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”

The latter part of that statement is pure philanthropy. Good on ’em. But I’m not quite sure of the relevance of the first part to that second part. If I have a mad axeman at my front door, all I’m really concerned about is keeping him out. It isn’t actually relevant to me whether the axeman is British, American, Chinese or Aztec – I just want to keep him out. The fact is, he could indeed be Chinese. But he could equally be Israeli or British or Iranian or French or Russian or American in Halloween dress. The threat is the issue, not its source; and I don’t see why I need to give up my freedom to go out because my own government says I will be safer if I stay in and give the local policeman the keys to my door.

So for me there is a slight suggestion that perhaps there is another motive behind this report. And that’s where the closeness of Mandiant with the UKUSA government worries me.

See also:
Somebody is lying. Is it Ruppersberger and CISPA, or Aramco?
The problem with GCHQ’s Cyber Incident Response scheme
The evolution of a hack – South Carolina hack analysed by Mandiant

Categories: All, Politics, Security Issues

Suddenly, I feel very old and out of touch

February 17, 2013

Whether I like it or not, and I like it not, the times they are a-changin’

changing times

and like the elves, perhaps it is time that I and my generation departed this Middle-earth…

Categories: All

Targeted attacks: what they are, why they succeed, and how to stop them

February 17, 2013

Cyber attacks on the internet fall into two basic categories: random and targeted. Random attacks are by far the most prevalent, mainly because they are easy to do and can be largely automated. They don’t seek high value targets, they just seek a high volume of targets. Spam, scam and phishing campaigns are typical examples.

Targeted attacks are aimed at a specific person, or company, or organization. The targets are high value targets. “There are numerous motives,” explains David Emm, a senior security researcher at Kaspersky Lab. “These include theft of confidential data, cyber-espionage, political or social protest, and sabotage.” Cyberwarfare, an emotive term that is nevertheless accurate, is a clear example of targeted attacks: destructive malware like Stuxnet and Wiper should not cause collateral damage, but should affect only the prime target.

(Denial of service attacks against specific companies or services are an example of automated targeted attacks that are not part of this discussion.)

A targeted attack will usually involve one or more highly skilled cybercriminals. It will frequently, although not necessarily, be an advanced persistent threat attack, or APT. There are many definitions of ‘APT’, but it is essentially a targeted attack by a competent and determined adversary willing to take as long as necessary to achieve his purpose. It is very difficult to defend against an APT attack.

The initial breach
Key to any attack is the initial breach. A study by Trend Micro in November 2012 demonstrated that 91% of all APT attacks unfold from an initial successful email-based spear-phishing attack; and that 94% of those spear-phishing emails carried a malicious attachment. Clearly, the best way to combat a targeted APT attack is to understand and mitigate spear-phishing before the hackers get into the network.

Email spear-phishing is the use of personalised emails sent to an individual or small group of related individuals, engineered to persuade the recipient to open an attachment or click a link. It is part of what Trend Micro terms the ‘pre-infiltration’ phase of a targeted attack.

First the attacker researches, or profiles, the target. This is relatively simple: Facebook, LinkedIn, Twitter and a simple Google search – reinforced by the personal data scattered on the target’s website – will combine to provide a detailed personal picture. From this the spear-phishing email is constructed. The content might be fashioned around an individual’s personal interests or a subject that will appeal to all of the target group (an internal salary review, perhaps); the sender will be forged; and the malware will be disguised and attached. The hackers will have tested the malware against as many anti-virus products as possible, and selected something with the greatest chance of remaining undetected.

High profile APT breaches
The result is surprisingly successful, with Google and RSA among the highest profile victims. “In the attack against RSA,” explains Scott Gréaux, a vice president at the PhishMe company, “the spear-phishers sent two different phishing emails to a group of employees over the course of several days. The subject line read ‘2011 Recruitment Plan’. One person’s curiosity duped him into opening the message and…” the rest is history.

In May the Élysée Palace was breached, and in October it emerged that the South Carolina Department of Revenue had been breached with millions of social security details and hundreds of thousands of bank card details stolen. All of these victims were initially breached by targeted spear-phishing.

Evolution of the attack
Once a malicious attachment is clicked, malware will enter the system and the post-infiltration phase begins. It is likely to start with the installation of a remote administration trojan (commonly called a RAT) that will open a covert channel to the attacker. This allows the attacker to roam at will around the network – which he will do, but slowly and stealthily, gaining intelligence on the network infrastructure. He will learn what is stored where, and perhaps more importantly, how he can steal and exfiltrate information without being discovered.

During this process, the hacker will likely find the keys to the front door – legitimate log-on credentials. “As detailed by a report on the South Carolina hack,” explained Amichai Shulman, co-founder and CTO at Imperva, “the attackers grabbed remote access credentials to obtain a simple, standard channel of access into the organization. Using standard tools they explored the inside of the network looking for sensitive data and sent it out using standard file sharing services.” The longer the attackers can remain undetected, the more data they can steal.

Defending against targeted attacks
But all of this raises one major question: how can companies defend themselves against targeted attacks? It might appear as if traditional security is failing, but remember that we only hear about the few that get through, not the unknown number that are stopped. It’s not that companies need different security; they need additional security tailored to these new threats. One emerging technology is anomaly detection from big data analysis. The theory is that all of the organization’s data is monitored on a continuous basis. From this, a baseline of ‘normal’ activity is developed and anything subsequently anomalous to that normal activity is highlighted – it could be the activity of an intruder.
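The baseline-then-flag idea described above, and the post-infiltration behaviour described earlier (stolen credentials used at odd hours, data sent out through file-sharing services), can be shown on a small scale. The following is an added example, not code from the original post or from any vendor quoted in it. It builds a per-user profile of normal outbound transfer size, working hours and destinations from constructed sample log lines, then flags new events that deviate from that profile. The log format, the user names, the hostnames and the z-score threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data). Format is assumed for the example:
# <ISO timestamp> <user> bytes_out=<n> dest=<host>
BASELINE_LOG = """\
2013-02-04T09:12:00 alice bytes_out=120000 dest=mail.example.internal
2013-02-04T10:40:00 alice bytes_out=95000 dest=wiki.example.internal
2013-02-05T09:05:00 alice bytes_out=110000 dest=mail.example.internal
2013-02-05T14:30:00 alice bytes_out=130000 dest=crm.example.internal
2013-02-06T09:20:00 alice bytes_out=100000 dest=mail.example.internal
2013-02-06T16:10:00 alice bytes_out=125000 dest=wiki.example.internal
2013-02-07T08:55:00 alice bytes_out=115000 dest=mail.example.internal
2013-02-08T09:30:00 alice bytes_out=105000 dest=crm.example.internal
2013-02-04T08:30:00 bob bytes_out=40000 dest=mail.example.internal
2013-02-05T08:45:00 bob bytes_out=42000 dest=mail.example.internal
2013-02-06T09:00:00 bob bytes_out=38000 dest=wiki.example.internal
2013-02-07T08:50:00 bob bytes_out=45000 dest=mail.example.internal
2013-02-08T09:10:00 bob bytes_out=41000 dest=mail.example.internal
"""

# Constructed events from the following week: one normal, one off-hours login,
# one large off-hours transfer to a host nobody in the baseline ever used.
NEW_LOG = """\
2013-02-11T09:15:00 alice bytes_out=118000 dest=mail.example.internal
2013-02-11T02:40:00 bob bytes_out=39000 dest=mail.example.internal
2013-02-12T03:10:00 bob bytes_out=900000000 dest=fileshare.example-cloud.test
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2} (\S+) bytes_out=(\d+) dest=(\S+)$"
)


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, hour, user, nbytes, dest = m.groups()
        events.append({"date": date, "hour": int(hour), "user": user,
                       "bytes": int(nbytes), "dest": dest})
    return events


def build_baseline(events):
    """Per-user profile of 'normal': transfer size statistics, active hours, destinations."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),          # population stdev; 0 for a single sample
            "hours": {e["hour"] for e in evs},
            "dests": {e["dest"] for e in evs},
        }
    return baseline


def detect(baseline, events, z=3.0):
    """Flag events that deviate from the user's baseline; each alert lists its reasons."""
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no_baseline")     # an account never seen before is itself worth a look
        else:
            threshold = profile["mean"] + z * profile["stdev"]
            if e["bytes"] > threshold:
                reasons.append("volume")
            if e["hour"] not in profile["hours"]:
                reasons.append("unusual_hour")
            if e["dest"] not in profile["dests"]:
                reasons.append("new_destination")
        if reasons:
            alerts.append({"user": e["user"], "date": e["date"],
                           "hour": e["hour"], "reasons": reasons})
    return alerts


def run_demo():
    """Build the baseline from the first week and score the second week's events."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two points the code makes that the paragraph does not: a single feature is a weak signal (bob's 02:40 login is only odd by its hour), and the combination of signals on one event is what makes the last line stand out, which is why alerts carry a list of reasons rather than a single boolean. In a real deployment the baseline would be recomputed on a rolling window so that the profile follows legitimate changes in behaviour, and the threshold would be tuned per data source rather than fixed at three standard deviations.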

The fact remains, however, that prevention is always better than cure. With 91% of such attacks starting from a spear-phishing email, defence against spear-phishing has to be a priority. While there are security products that will help, the bottom line here is user education. “Organizations must pay attention to the human factor in security,” says Kaspersky’s Emm. “Users need to learn how to recognize phishing, and to stop over-sharing personal information online.” Above all, he says, “It’s important to remember that security is not unlike housework – it’s only meaningful if you repeat the process at regular intervals.”

See also:
Security awareness is taught, not bought
Spear-phishing is the single biggest threat to cyber security today
A new security paradigm for the zero-day advanced persistent threat

Categories: All, Security Issues