The precarious balance between law enforcement and personal privacy is highlighted by a new proposal from the Department of Justice — it wants greater leeway in its ability to place malware on multiple computers.
It can do this already, but not easily — it requires a judicial warrant that is only valid in the judge’s home district. Those warrants are not always automatic. In April 2013 magistrate judge Stephen Smith rejected such an application in Houston:
The Government has applied for a Rule 41 search and seizure warrant targeting a computer allegedly used to violate federal bank fraud, identity theft, and computer security laws. Unknown persons are said to have committed these crimes using a particular email account via an unknown computer at an unknown location. The search would be accomplished by surreptitiously installing software designed not only to extract certain stored electronic records but also to generate user photographs and location information over a 30 day period. In other words, the Government seeks a warrant to hack a computer suspected of criminal use. For various reasons explained below, the application is denied.
But even if it had been allowed, the warrant would only have been valid for the named computer within the judge’s district — the Southern District of Texas, Houston Division.
The FBI is now seeking a change in judicial rules to allow multiple searches on a single warrant, and for a single warrant to be valid for all 94 judicial districts. Its arguments are reasonable. Firstly, it may know the IP of a suspect computer, but not the precise geographic location. Secondly, modern organized crime can use hundreds if not thousands of computers in a crime — a botnet delivering a DDoS attack to disguise financial fraud for example. Obtaining individual warrants in all possible districts is difficult, time-consuming and expensive.
But there are huge privacy and security issues here. Firstly, law-enforcement use of 0-day exploits depends on the underlying vulnerabilities staying unpatched, so it weakens the security of the internet itself. Secondly, placing spyware on the computer of an innocent person who ‘might’ be unknowingly harbouring a bot (and thereby gaining access to every intimate and confidential piece of data on that computer) is a dangerous attack on liberty and privacy.
But even more worrying, it is an attempt by the DoJ to make its surveillance desires easier to accomplish. The FBI could and would cherry pick its districts. Ninety-three of the districts might reject an application for a warrant as over broad and in conflict with the Fourth Amendment — but if there was just one sympathetic judge, the warrant would apply to the whole United States.
The FBI already cherry picks where it thinks it might get away with it. In the prosecution of Andrew Auernheimer it chose to prosecute in a district entirely unrelated to the case, but in which it could levy further charges and gain a longer sentence.
Now consider if the FBI had access to the NSA’s TAO catalogue of hacking tools (which it probably already has): no computer would ultimately be safe from the FBI, and the FBI would be acting entirely legally. We have seen over the last year that law enforcement and intelligence agencies have the attitude, if we can do it, we must do it. If the DoJ gets its way on this, the process will escalate until it is able to hack any computer, any time, on any whim.
I got an email yesterday (29 April 2014). It said:
Today the Websense Security Labs found a new vulnerability in Microsoft Internet Explorer which affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting Explorer 9 through 11. The Labs have issued a blog post which outlines solutions for those who have been affected by the attack.
Not another IE 0-day surely? Because FireEye found one just a couple of days ago. On Saturday (26 April 2014) FireEye blogged:
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.
New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
This is strange, because the 0-day ‘found’ by Websense two days later carries exactly the same identifier, CVE-2014-1776:
A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.
This vulnerability has been assigned reference CVE-2014-1776…
Microsoft Internet Explorer Zero-day – CVE-2014-1776
In fairness to Websense, its blog does not claim to have found the vulnerability itself – that is left to the email sent to journalists such as myself. But nor does it give any credit to FireEye – which would have been good. Just in case there is any doubt about who really did first discover this particular vulnerability (apart from the hackers of course), Microsoft’s advisory is quite explicit:
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11…
Microsoft thanks the following for working with us to help protect customers:
- FireEye, Inc. for working with us on the Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)
OK. So having established that FireEye really does have the bigger willy, and implying that Websense is a wee bit envious in trying to pass off the discovery as its own… what is this vulnerability? Well, it’s a bad one: a memory corruption flaw that gives remote code execution from a single visit to a malicious web page, and one whose in-the-wild exploit already bypasses ASLR and DEP. Bad enough, in fact, for the European security agency, ENISA, to issue its own advisory (something I am not aware of it having done before).
- This is a significant threat for IE users as there is no quick fix to repair, and “patch” this
- Users who want to avoid the abovementioned risk should temporarily use another browser until this security gap has been fixed
- Users should keep their systems patched and up-to-date
- Many users have two different browsers installed, so they should easily be able to switch. If not, this is a good reason why they should have one, for when it is needed.
This is the best advice I’ve seen. While many experts are advising users not to surf in admin mode, to install EMET (Microsoft’s Enhanced Mitigation Experience Toolkit) and to activate EPM (Internet Explorer’s Enhanced Protected Mode), the majority of IE users will not even know what any of this means. Far simpler, and much more effective, would be to install multiple browsers (I’ve got five: Firefox, Chrome, IE, Safari and Opera); to keep them all fully patched, since switching to an unpatched browser gains nothing; and to switch between them whenever a new 0-day is discovered for any one of them.
The granddaddy of security software is the venerable anti-virus. But the mother of all attacks is the zero-day targeted exploit. Vendors of new products specifically designed to protect against the latter continuously insinuate that anti-virus no longer works — ergo you need to buy their shiny new product to stay safe.
These vendors point out that the attacker merely needs to modify the malware to change its signature to instantly create a pseudo-0-day that defeats AV signature engines. And to prove their point, they will submit the pseudo or actual 0-day to VirusTotal to demonstrate that few if any AV products actually detect it.
This gives a false impression. VirusTotal runs each vendor’s static file scanner over the submitted sample, and a signature engine cannot match a sample it has never seen. But the AV industry long ago accepted that signatures alone are not enough, and built additional behavioural defences (runtime monitoring of what a file actually does once it is opened or executed) into their products. Those components are not exercised by VT.
So when a VirusTotal report says a particular sample was not detected by your own AV software, that doesn’t necessarily mean that it would not be detected by the AV product’s behavioural methods in situ on your PC. It’s a difficult thing to prove, and it has left the anti-virus industry disadvantaged against the arguments of the newer products.
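The point of the last three paragraphs can be made concrete. The script below is an added illustration, not code from the original post or from any AV vendor: it models the two layers of an endpoint product and shows that an attacker who appends junk to a known sample defeats the hash-based layer (the only layer a VirusTotal submission exercises) while the behavioural layer, which looks at what the file does when opened, still fires. The sample bytes, the hash database, the rules and the sandbox traces are all constructed for the example; the process names and the startup-folder path are the ordinary Windows ones, but no real malware family is represented.

```python
"""Signature miss versus behavioural hit: why a VirusTotal report is not a verdict.

Added illustration; this is not code from the original post or from any AV vendor.
Every sample, hash and sandbox trace here is constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- Static detection: what a VirusTotal submission actually exercises -------

# Constructed stand-in for a malicious document as first captured in the wild.
KNOWN_SAMPLE = b"{\\rtf1\\ansi {\\*\\constructed-exploit-payload}}"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A signature database keyed on the hash of the sample as first seen.
SIGNATURE_DB = {sha256(KNOWN_SAMPLE)}


def signature_scan(sample: bytes) -> bool:
    """Static scan: true only for byte-identical known samples."""
    return sha256(sample) in SIGNATURE_DB


def repack(sample: bytes, salt: bytes) -> bytes:
    """The attacker's 'pseudo-0-day': append junk the parser ignores.

    The exploit logic is untouched, so the file still does exactly the same
    thing when opened, but the hash (and any hash-based signature) no longer
    matches.
    """
    return sample + b"\r\n" + salt


# --- Behavioural detection: what the file does, not what it looks like -------

@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    parent: str    # image name of its parent process
    action: str    # "spawn", "write" or "connect"
    target: str    # child image, file path or remote endpoint


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP = "\\start menu\\programs\\startup\\"


def behaviour_scan(trace: list[Event]) -> list[str]:
    """Rules for things a document should never do, whatever its bytes."""
    hits: list[str] = []
    for ev in trace:
        proc, target = ev.process.lower(), ev.target.lower()
        if proc in OFFICE and ev.action == "spawn" and target in SHELLS:
            hits.append(f"{ev.process} spawned {ev.target}")
        if proc in OFFICE and ev.action == "write" and target.endswith(".exe"):
            hits.append(f"{ev.process} dropped executable {ev.target}")
        if ev.action == "write" and STARTUP in target:
            hits.append(f"{ev.process} persisted via {ev.target}")
    return hits


# Constructed sandbox trace of the exploit document being opened. Repacking
# the file does not change this trace: the payload still runs the same way.
EXPLOIT_TRACE = [
    Event("winword.exe", "explorer.exe", "write",
          r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Event("winword.exe", "explorer.exe", "spawn", "cmd.exe"),
    Event("cmd.exe", "winword.exe", "write",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
          r"\Programs\Startup\update.lnk"),
    Event("svchost.exe", "cmd.exe", "connect", "198.51.100.7:443"),
]

# Constructed trace of ordinary use: save a document, print it. No rule fires.
BENIGN_TRACE = [
    Event("winword.exe", "explorer.exe", "write",
          r"C:\Users\alice\Documents\report.docx"),
    Event("winword.exe", "explorer.exe", "spawn", "splwow64.exe"),
]


def verdict(sample: bytes, trace: list[Event]) -> dict:
    """Combine both layers as an endpoint product does; VT shows only the first."""
    sig = signature_scan(sample)
    beh = behaviour_scan(trace)
    return {"signature": sig, "behaviour": beh, "malicious": sig or bool(beh)}


if __name__ == "__main__":
    variant = repack(KNOWN_SAMPLE, b"build 2")
    print("original  :", verdict(KNOWN_SAMPLE, EXPLOIT_TRACE))
    print("repacked  :", verdict(variant, EXPLOIT_TRACE))
    print("benign use:", verdict(b"a normal document", BENIGN_TRACE))
```

The benign trace matters as much as the malicious one: a behavioural rule that also fires on saving a report or printing it would be switched off by users within a week, which is the other reason vendors cannot simply replace signatures with behaviour.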
Now F-Secure has tested it. There is a new 0-day MS Word/RTF vulnerability that is expected to be fixed by Microsoft in this week’s Patch Tuesday patches. For the moment, it remains a 0-day.
“Now that we got our hands on a sample of the latest Word zero-day exploit (CVE-2014-1761),” reported Timo Hirvonen, senior researcher at F-Secure, yesterday, “we can finally address a frequently asked question: does F-Secure protect against this threat? To find out the answer, I opened the exploit on a system protected with F-Secure Internet Security 2014, and here is the result:
I would suggest that F-Secure is not the only AV software able to detect the worrying behaviour, if not the signature, of the 0-day without ever seeing the malware.
The reality is that no software can guarantee to stop all malware; but anti-virus software remains the bedrock of good security. Adding to it is prudent; replacing it is foolhardy.
“Know your enemy,” says Sun Tzu in the Art of War, simplistically speaking. And, simplistically speaking, in the current cyberwar the enemy is the bots, the trojans, the worms and viruses and all the other malware that seek to breach our cyber defences. The clear implication is a need to monitor and understand these threats. But the threats are continuously evolving, changing and increasing; so the solution would appear to be ‘continuous threat monitoring’.
There are many ways this can be done: by signing up to the ‘alerts’ RSS feeds almost always provided by the major systems and software providers; by monitoring the national CERT pages and in particular the CERT Coordination Center hosted by Carnegie Mellon University in the USA; or by subscribing to one or more of the alert providers such as Secunia. An alternative or additional approach is to monitor the blogs of leading security researchers, such as David Harley (ESET), Luis Corrons (PandaLabs), Rik Ferguson (Trend Micro) and Graham Cluley (Sophos); all of whom provide insight and commentary on the current threat environment.
But we said at the beginning: ‘simplistically speaking’. The enemy isn’t just the threats: it includes time, your time to do all of this. Amanda Finch, general manager at the Institute of Information Security Professionals, suggests a risk management approach to ease the burden. Continuous threat management should depend on the business and the risks it faces. “For example,” she says, “in manufacturing this is probably not necessary or cost-effective; but for utilities or banks, or high security situations, it may be. With the sophistication of the cyber threat and the techniques, methods and tools available to attackers, the days of retrospectively checking configuration, incident and event logs are wholly inadequate for most business, certainly where monetary value, IP, or sensitive personal information is involved.”
But still this is too simplistic. The enemy isn’t merely the malware, or the time to monitor all the threats – the real enemies are the vulnerabilities that allow the malware into the system; and the user. Microsoft research shows that the vast majority of breaches depend upon the user doing something he or she should not; and that a statistically insignificant number of breaches are caused by the infamous 0-day threat. Further research shows that the bulk of detected exploit threats appear after the vulnerability is patched by the vendor.
Stuart Aston, chief security advisor at Microsoft, takes up the story. “You have to start from a thorough understanding of the risk. If you understand your risk, it will help you understand how to monitor the threats. For example, a large percentage of breaches come from end users actively doing something they shouldn’t. Similarly, 99% of breaches occur via patched vulnerabilities. It follows that improving your users’ security awareness together with religious patching will defend against the majority of security attacks. This, coupled with a good defence in depth, is the best way to not merely monitor threats, but to defeat them.” In other words, it is an effective use of time to let the vendors and security researchers monitor and alleviate the threats, provided the company then acts on the findings, and patches its software.
Continuous threat monitoring, then, should be a combination of watching the industry, using risk management techniques to concentrate on the most pertinent areas and, perhaps most importantly, keeping all systems and software fully upgraded and patched.
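Putting the three ingredients together (watch the feeds, filter by risk, patch what matters) is a small amount of code. The script below is an added example, not code from the original article nor from any CERT or vendor: it parses an RSS 2.0 alert feed of the kind the vendors and CERTs publish, keeps only the advisories that mention a product on the organisation’s own inventory, scores each by severity, asset criticality and whether attacks are already reported, and turns the score into an action. The feed, the product names, the inventory and the scoring thresholds are all constructed for the illustration.

```python
"""Triage advisory feeds against what you actually run.

Added example; not code from the original article, nor from any CERT or vendor.
The RSS feed, the product names and the inventory below are all constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed RSS 2.0 feed standing in for a vendor or CERT alert feed.
FEED_XML = """<rss version="2.0"><channel>
<title>Constructed advisory feed</title>
<item>
  <title>Critical: remote code execution in Internet Explorer 6-11</title>
  <link>https://feed.example/adv/1</link>
  <description>Limited targeted attacks observed. Mitigations: EMET, EPM.</description>
</item>
<item>
  <title>Moderate: denial of service in Example Router OS 4.x</title>
  <link>https://feed.example/adv/2</link>
  <description>Crafted packets crash the management daemon.</description>
</item>
<item>
  <title>Critical: memory corruption in Word 2007-2013 via crafted RTF</title>
  <link>https://feed.example/adv/3</link>
  <description>No attacks reported at publication.</description>
</item>
<item>
  <title>Low: information disclosure in Example PhotoViewer 2.1</title>
  <link>https://feed.example/adv/4</link>
  <description>Leaks file paths in error messages.</description>
</item>
</channel></rss>"""

# Constructed inventory: product keyword -> asset criticality (1 low .. 3 high).
# Risk management starts here: anything not in this map is not our problem.
INVENTORY = {"internet explorer": 3, "word": 3, "example photoviewer": 1}

SEVERITY = {"critical": 4, "important": 3, "high": 3, "moderate": 2, "low": 1}
EXPLOITED_MARKERS = ("attacks observed", "exploited in the wild", "zero-day")


@dataclass
class Advisory:
    title: str
    link: str
    description: str


def parse_rss(xml_text: str) -> list[Advisory]:
    root = ET.fromstring(xml_text)
    return [
        Advisory(
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            description=(item.findtext("description") or "").strip(),
        )
        for item in root.iter("item")
    ]


def severity_of(adv: Advisory) -> int:
    """Severity comes from the 'Label:' title prefix; unknown labels count as moderate."""
    head = adv.title.split(":", 1)[0].strip().lower()
    return SEVERITY.get(head, 2)


def triage(xml_text: str, inventory: dict[str, int]) -> list[dict]:
    results = []
    for adv in parse_rss(xml_text):
        text = f"{adv.title} {adv.description}".lower()
        # Whole-word match so 'word' does not match 'password' or 'keyword'.
        matched = [p for p in inventory if re.search(rf"\b{re.escape(p)}\b", text)]
        if not matched:
            continue  # not something we run: not worth anyone's time
        criticality = max(inventory[p] for p in matched)
        exploited = any(m in text for m in EXPLOITED_MARKERS)
        score = severity_of(adv) * criticality + (5 if exploited else 0)
        action = "patch now" if score >= 12 else "schedule" if score >= 6 else "note"
        results.append({"title": adv.title, "link": adv.link, "products": matched,
                        "exploited": exploited, "score": score, "action": action})
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in triage(FEED_XML, INVENTORY):
        print(f"[{r['action']:9}] {r['score']:2}  {r['title']}")
```

The constructed router advisory is dropped entirely because nothing on the inventory matches it; that is the risk-management step doing its job. In practice the inventory should be generated from asset management rather than typed by hand, and the feed fetched over HTTPS on a schedule; the scoring is deliberately simple so that it can be argued about and changed.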
Understanding the threat
If we look at security today there is one conclusion we simply cannot avoid: it is not working. Despite the $20bn invested in IT security in 2010 (FireEye Advanced Threat Report – 1H 2011), the cost of cyber crime to the UK economy alone is estimated to be £27bn per annum (The Cost of Cyber Crime: a Detica report in partnership with the Office of Cyber Security and Information Security in the Cabinet Office). We need to understand what is going wrong in order to reverse this. And to understand that, we need to examine the evolving threat landscape.
It is tempting to blame the emergence of the advanced persistent threat (APT), a highly targeted, sophisticated attack aimed at large corporates. Hardly a week passes without news of a new APT attack on a household name: Google, Sony, Nintendo, RSA, Mitsubishi. And it is easy to support this idea with current statistics. FireEye divides current threats into two primary categories: ‘wide and shallow’, and ‘narrow but deep’. The first is the traditional approach: a wide net is thrown to catch as many targets as possible; but the actual loss is relatively small. The second is the specifically aimed attack on an individual organization that goes deeper and steals more – the APT.
It’s a description that is recognised by Detica’s Henry Harrison. “Of the £27bn annual loss to the UK economy,” he comments, “£17bn comes from theft of intellectual property and espionage – the typical narrow but deep targets of APT attacks.”
But while we must be aware of the threat of APT, we should not be diverted by it. The exploits and methodologies used are not new. What is new is the manner in which they are combined; the targets at which they are aimed; and, it has to be said, the almost military intelligence and precision with which they are controlled. (It’s worth noting that ‘APT’ is a military term first coined by the US Air Force.)
Successful security should stop APT just as much as it should stop common-or-garden malware. Consider the banking trojan Zeus. Worldwide, RSA’s security and fraud expert Uri Rivner told me, “there are some five million PCs infected with Zeus”. Clearly our security defences stop neither wide and shallow nor narrow but deep attacks; and we need to understand the reason.
One clue can be found in PricewaterhouseCoopers’ 2012 Global State of Information Security Survey. “A clear majority of [9,600 CEOs, CFOs, CIOs, CISOs, CSOs worldwide],” it states, “are confident that their organization’s information security activities are effective.” This is despite the unambiguous empirical evidence to the contrary.
The problem is that we are stuck in an old security paradigm when the paradigm itself is changing. We grew up with our servers in the computer room and our users in the same building. The concept of security was simple: we put a barrier around our IT infrastructure to keep the bad things on the outside and the good things on the inside. Since the good things were all in one building it was conceptually simple. And since the technology to achieve this barrier is mature and effective – firewalls, anti-malware, intrusion prevention, content filters – and since we have all installed this technology, we believe we are secure.
It is a false sense of security that leaves us terribly exposed. Computing is no longer that simple. Cloud computing means that our data could be anywhere. Mobile computing means that our users could be anywhere. Consumerization means that our access devices could be anything that has internet connectivity. Where now can we effectively place a barrier? It’s not impossible, it’s just different; and we’re not keeping pace. But all of this pales into comparative insignificance in the face of a major new weakness: us. The rise of social networking combined with the consumerization of devices and mobile computing means that we are as likely to socialise at work as we are to work at home. There is no longer even a virtual boundary between work and home.
“There has been a seismic shift in the threat landscape,” explains Rivner. “The criminals are no longer attacking the IT infrastructure. They are attacking the users.” It is social networking that provides the information that allows the criminal to bypass our security defences and get into our networks via our users. We have become nonchalant over the amount of personal information we effectively broadcast to all and sundry: our likes, our dislikes, what we do, what we want, where we are, where we’re going…
Armed with this information and basic social engineering skills it is easy for the criminal to trick us into doing something we shouldn’t, like going to a compromised website or opening a poisoned attachment. The malware itself stays ahead of us through rapid, automatic changes designed to defeat signature-based defences, and it succeeds in defeating them. FireEye points out that 90% of malicious executables and malicious domains change in just a few hours, and that today’s criminals are almost 100% successful at breaking into our networks.
The criminal no longer seeks to find a way through our security defences; social engineering has shown him a way round them. The difference with APT is that the criminal will now try to hide his presence and will take his time to find and steal what he wants. Unless we change our approach, and adapt our security to the changing threat landscape, the cost of crime will continue to escalate.
Tackling the threat
As things stand today, any company targeted by APT or simple spear phishing will almost certainly succumb. But it doesn’t have to be that way. There are things we can do. Absolutely central to this is continuous staff security awareness training to defeat that initial social engineering. It would be best not to do this yourself – use an expert to test both your defences and your staff. “First,” says David Hobson, the sales director of Global Secure Systems, “we test/audit your security systems and bring them up to speed. Then we’ll test your staff – and bring them up to speed.”
But that’s not enough; security awareness will not prevent all people-hacking. This summer RSA and TechAmerica hosted an Advanced Persistent Threats Summit in Washington, D.C. One of the takeaways is this: Organizations should plan and act as though they have already been breached (APT Summit Findings, RSA). Statistically, you probably have. So if existing defences aren’t working, go back to basics and start again. Security is not an end in itself: it is the risk mitigation aspect of risk management. Use risk management techniques to understand what is of most value. David Hobson uses an analogy with medieval castles. “You take your crown jewels and keep them separate in the best defended part of your castle, in the Keep.”
One method of segregating your networks is to colocate, wholly or partially, with a specialist data centre provider. It’s a way of providing greater physical security for your servers than you could probably do alone. “We use 24-hour manned security and biometric authentication (palm readers) for access to our data centres and to individual client suites, cages or racks,” explains Brian Packer of provider BIS.
There’s a second implication from the APT Summit: if you are already breached, it would be good to know about it as soon as possible. You need to shine a light inside your network, to see what is happening, to look out for anomalies and recognise any intrusion before any data loss. There are several new and very advanced security products that can help you here from companies like Detica and FireEye.
Rivner believes that virtualization can also help. “A virtual desktop infrastructure (VDI) could prevent malware getting onto the desktop and from there to the server; and it certainly makes patching and upgrading the entire infrastructure an easy task.” Bear in mind that the Google Aurora hack would not have succeeded if the target were not still using an old and outdated version of Internet Explorer. ‘Patch your software’ should be a way of life.
But virtualization is only as good as its implementation and your understanding of its components. “An APT or any other security threat,” explains Mike Atkins of Orange IS Security Solutions, “is likely to focus on the weaknesses that can be found in the target systems and processes, and then seek to leverage 0-hour exploits. The key to protecting a virtualised environment is to similarly focus on the weaknesses of the system and then mitigate as fully as possible any attacker’s ability to leverage those weaknesses.”
There is, however, one weakness in all of these approaches. Necessary and good though they be, they effectively use the same old security paradigm: wait for, recognise and respond to an attack. And that might be too late. In this new security paradigm we need to accept that our attackers are more sophisticated, better resourced and organized, and more patient and persistent than are we. “We need,” says RSA’s Uri Rivner, “global information sharing. It will be difficult, coping with the different privacy requirements in multiple jurisdictions, but it can be done. The banks are already doing it. When we all do it, we will have the necessary intelligence to cope with today’s evolving threat landscape.”
A few days ago I wrote about the LNK 0-day Windows vulnerability:
So forget about workarounds and concentrate on keeping your AV defences up to date – and hope that your AV supplier gets and stays on top of the problem at least until Microsoft patches the problem.
Some of the issues around the LNK zero-day vulnerability
Sophos has done just that by releasing a free tool to protect users.
So far we have seen the Stuxnet and Dulkis worms, as well as the Chymin Trojan horse, exploiting the shortcut vulnerability to help them spread and infect computer systems. Stuxnet made the headlines because it targeted the Siemens SCADA systems that look after critical infrastructure like power plants – but there’s a warning for all computer users here. Details of how to exploit the security hole are now published on the web, meaning it is child’s play for other hackers to take advantage and create attacks.
No-one knows when Microsoft will roll-out a proper patch for this critical security hole, and its current workaround leaves systems almost unworkable with broken-looking icons. The free tool from Sophos can be run alongside any existing anti-virus software, providing generic protection against the exploit. Unlike Microsoft’s workaround, it doesn’t blank out all the shortcuts on your Windows Start Menu – meaning your life – and that of your users – will be less stressful.
Graham Cluley, senior technology consultant at Sophos