Category: Security

According to Silicon Republic, the Irish government is to run some cyber war games to test their responses and resilience to digital attacks. 

That’ll be interesting; a few years ago the Irish government decided to implement a very unpopular and ineffective DNS-based copyright (and potentially censoring) system that drew the attention of a certain Guy-Fawkes-mask wearing hacktivist group.  In no time at all the hackers posted admin passwords from the Department of Foreign Affairs (DFA), a group you’d expect to have superior security.  I saw the list, and it was not much better than “Monkey” or “Password1” … actually “Password1” might have been one of them!

Hopefully the results of the tests will result in real changes to practices and design.  I’m sceptical; I reckon tests/results will be moulded to minimise “bad results” and a knock on image.  Plus an admin who uses “Password1” in a so-called-secure environment is the sort who won’t want to change. 

Folks from efficient countries will think I’m being a cynic – people who live in Ireland know exactly what I mean (e-voting machines where the admin password was in the publicly available help button, a 10 year SAP project that exceeds departmental budgets, digital ticketing for public transport that makes us want to use paper stripe cards like most Euro cities, and so on).

This afternoon I got a phone call from a -blocked- phone number.  I answered.  The person who called said he was calling me from Bank of Ireland.  I got the usual “the call is being recording for training purposes” speech.  And then the shocker:

“I need to ask you some security questions”.

Huh?

1. This person called me.  I assume he got my number from a database.  OK, my phone could have been stolen.  But let’s remember that he called me.
2. He was going to ask me the security questions?

Who the hell was he?  This could be any geezer with caller ID disabled on his phone and reading off an official sounding script.  Let’s imagine he asks me to confirm my date-of-birth, my credit card number, and my mother’s maiden name, etc.  What’s to stop that dude from calling the bank and claiming to be me?

I refused to proceed.  To be honest, I knew it was BoI and I knew why he was calling.  But I wanted to highlight how stupid this “phishing” practice was.  The guy in question understood and told me how I could contact the bank to proceed.  He was quite professional about it, and not to blame for the process he was force to follow by his employer/manager.

But the call from block number practice followed by asking security questions process is ridiculous.  I took to Twitter to let BoI know what I thought:

This is the response that I got:

So let’s imagine the scenario out:

1. The Prince of Abuja picks up his phone, blocks caller ID, and calls me.  He reads out the “call is being recorded” script and starts out with the security question process.
2. I stop him because I don’t want my security question answers to be phished.
3. The Prince of Abuja now says “Sure, my name is Prince of Abuja and you can call me on 01 4567890 and I’ll be happy to help you”
4. I call 01 4567890
5. The Prince of Abuja now asks me the questions and I give him the answers
6. Now the Prince of Abuja has the necessary information to call Bank of Ireland and pretend to be me.

Bank of Ireland, this is the most ridiculous “security” practice.  It’s clear that you don’t have the first clue about data or identity security.  I am not a real security expert but I know enough not to be sharing information in this manner.

Jeez!

Volume 13 (Jan-June 2012) of the Microsoft SIR has been released.  Last year I read the same one, and Conficker was still the number 1 malware on domain-joined computers.  What nuggets are there this year?

Before we get there …

I heard of another report (Symantec I think) that a new kind of attack is being employed by hackers called a “water-hole attack”. Much like Lions on the plains, the hackers lie in wait at locations where their prey comes to get something. So they deliberately place targeted malware on a site that they know their intended victim will visit, and wait.  And eventually *bang* they hit and take over a machine in the networks of their victim.  It’s more efficient than the normal un-targeted drive-by attack.

Hackers are also now attacking the supply chains of their prey.  This is a good approach if you wanted to cripple a manufacturer, e.g. hit their suppliers so the manufacturer cannot produce.  This is very effective now because of Just-in-Time manufacturing and exclusive supply contracts. The real victim (the manufacturer) can do nothing with their own IT security to defend against this.  The only solutions are business ones: demand high levels of security/compliance in suppliers, and have varied supply chains so one down supplier does not shut down the business.

And back to the main event …

Unsecure Supply Chains

There is a rise in malware being spread by BitTorrent, warez, legit website downloads, etc. The rise in BYOD and consumerisation of IT makes this a threat in the business. Users are downloading software outside of the traditional locked down administrator-driven controls, and they are bringing in malware.

Win32/Keygen is a common threat in this space, and the name gives away what it sells itself as – a quick way to activate software that you haven’t bought or can’t find a product key for: Photoshop, Nero, AutoCAD, Call of Duty, etc.  Some “Adobe Flash” installers were also found with malware.  These were non legit installers hosted on 3rd party sites; the user comes to a site that won’t play and they’re told to install an up to date version of Flash.  They do, and their PC is owned, because that was not the official installer from the Adobe site.

Contrary to many misconceptions, no malware can offer 100% protection anymore.  There are just too many attacks, many of which go unreported for very long times thanks to the new zero-day black markets and their “royalty for staying quiet” payment schemes.  The days of the teenager in the basement are over, and this stuff is very professional now, looking to steal confidential data and financial access.

What can help is a well designed BYOD scheme with isolation.  I like the App Catalog in ConfigMgr 2012.  It gives the user the flexibility of BYOD but on a corporate machine.  As for true, BYPD personally owned devices, you have to treat those as untrusted and not let them all the way in, in my opinion.  Windows To Go is a nice touch, allowing the user to use their own device but they must use a Windows 8 image on a USB 3.0 storage device that is provided and managed by the business.

This kind of malware is a real threat in BYOD deployments.  Isolate those machines and only give them limited access to web apps via firewalls is my thinking.  But I can see how that’s not enough, e.g. key loggers.

Microsoft has a few suggestions:

• Acceptable usage policies: sorry, but users are stupid (rule #1) and rules are made to be broken.  We all know that IT only creates these policies to make life more intolerable anyway – that was sarcasm, by the way.  Blocking and limited rights are the only way forward.
• Block P2P: That goes without saying for LAN/Internet access but is a challenge for mobile computing, without expensive 3rd party software
• Procurement: Buy all hardware and image for the users … hmm
• Use AppLocker: Software Assurance required for this white listing solution on Windows 7/8 Enterprise
• Use a 64-bit OS: Not a solution but it appears to limit success of attacks.

Windows To Go or RDS/Citrix seems like the solution for BYOD to me.  Let them use the device of their choice, but not the OS/data on that machine.

Disclosed Vulnerabilities

This refers to the number of industry revealed weaknesses in software.  There had been a trend where this number was dropping from 2009 to 2011, but we see a rise in 2012, across low, medium, and high risk threats.  50% of threats in H1 2012 where medium and 31.5% were high risk.

OS vulnerabilities have been dropping since 2010 and continue to do so.  Browser vulnerabilities (industry wide) have been rising since 2009.  Application (e.g. Flash and Java) have risen drastically in H1 2012.  Note that the rise affects non-Microsoft products, while Microsoft vulnerabilities have been reducing in number since H2 2010 (down 56.1%).

Exploits

HTML/Javascript (dropping in this period) and Java (rising since Q3 2011) lead the way, by a long shot.

Java has made a lot of bad security headlines in recent months and you can see why this is a concern.  This is compounded by Oracle’s infrequent releases and their intransigence on this matter until the media as a whole said that Java needed to be turned off or removed.

Documents were the number 3 type to be hit.  Guess who cam in at number 1 with no one in the rear mirror?  You guessed it: Adobe Reader and Acrobat.

As for OS being attacked, Windows was the clear number 1, as it should be because it is on 95% of all PCs after all.  Android is number 2.  Apple are barely a spec on the market and were just bundled into the flat Others category.

The number 1 most attacked vulnerability was the 2 year old (August 2010) MS10-46 (made famous by Stuxnet but Ramnit is the #1 threat [and rising]). 

Turns out that some of the jailbreak solutions for Android contain malware.  Not too surprising, really.

Security Update Maintenance

No surprises here unfortunately:

Windows is still not being updated.  I still encounter reasonably large organisations that “manually” approve patches.  If you attend any presentation that I do that includes the topic of patching, then you know that manual approval is an oxymoron.  These are usually the same people that have been hit by Conficker, etc, years after the patch to block it is released.  That’s professional negligence in my opinion, pure and simple.

The lack of compliance for Adobe and Java is far some surprising.  28% percent of Adobe Reader users had not updated in 2 years.  Adobe needs to do more to work with the OS vendors to get their products updated.  And we all know that Java apps are usually written to run on a specific 5 year old version of the runtime, and that’s usually government (taxation) or banking software … you know … the stuff that needs the best security?!?!?!

Geography

Infection rates (FakePav fake malware – detections up 45 times) went up by 32.6% in the USA during Q1 and Q2 of 2012.  Similar with Korea (Pluzoks trojan).  Chine has a slight increase and everyone else was down. 

Successful infection rates are rocketing in Korea.  I mean rocketing.

Operating System

Windows XP SP3 leads the way.  Windows 7 SP1 x86 is half of that rate, and the x64 is one third of it.  Adware is dropping since Q1 2011 but Trojans are on the rise since Q2 2011.

Business Versus Home PCs

A Javascript threat called IframeRef number one threat on domain-joined (business) PCs.  Here is the bit that is the most sickening and annoying of all.  Conficker is still the number 2 threat on business machines.  Seriously!?!?!!?  The patch (MS08-067) to prevent this was released in October 2008 … 4 frakking years ago!  Why the hell are businesses not patching?  The tools have been freely available since … jeez 2003 or something when SUS was released!?!?!  There is absolutely no legitimate excuse for this … don’t bother posting any lame excuses you might have to excuse your lack of professionalism if this applies to you; you’ll only highlight you own deficiencies for the world to see.

On the home side, Conficker is not in the top 10.  KeyGen is the #1 and Autorun is #2.

Phishing Sites

Remember I said these guys want to steal money?  All categories (including social media) are down, except for financial phishing (fake emails from your bank saying you need to log in to a dodgy site) are on the increase in Q2 2012.  USA, Ireland, China, east Africa, south Gulf, and southeast Asia are all hotspots for this activity.

Go have a read of the document for yourself, especially if you are involved in the decision making of IT security or engineering in your site or those of your customers.  It’s useful to see what’s going on right now so you can plan accordingly.

I hate Java.  There, I said it.  Any IT pro who has had to support multiple versions of this malware breeding ground knows that Java is a complete nightmare.  I detested dealing with Java when I was an administrator/engineer.  Well, the chickens have come home to roost for Oracle.

A commercially available attack hacker toolkit called Blackhole includes the ability to attack the latest version of Oracle Java on all platforms, including Windows, Mac OS, and Linux.  Attacks are already in the wild.  These drive-by attacks silently attack the Java VM when a user browses the web site, leaving the machine vulnerable to being taken over.

If you want to find out if your version of Java is vulnerable to any security flaws then you can check it on this website.  I can save you a mouse click: your Java is vulnerable because … all versions of Java are vulnerable:

“Oracle knew about zero-day Java vulnerabilities for months, researcher says” according to Computerworld.  I read on The Register that claims Oracle has known about the vulnerabilities since April.  Oracle are sticking silently to their patching schedule, and won’t patch the vulnerabilities until mid October.  That’s responsible of Oracle, eh? Not!

So with no patch to secure Java (there’s an impossibility!), security experts are recommending that you disable Java in your browser.  I’d go one step further: uninstall the sh1te and find alternative applications/banks that understand the need for security.  Anyone who continues to recommend or sell Java based apps should be ignored, fired, thrown off of a cliff (joking about the last action … I think).

Edit#1

For your Java fans, why don’t you read this and this:

“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters” – A report in 2011.

As for Microsoft software having vulnerabilities; yes – any large software does, including Linux, Andoid and Mac OS.  You’re a naive moron if you think otherwise.  Where Microsoft rises above the competition is that they deal with the issues as they arise, release patches, and scream from the mountain tops to get you to patch.  They even give you simple free, and enterprise tools to automate this.  But naive morons don’t want to listen because they have their heads up their asses:

• 23/09/2008: Microsoft released a security patch that would have prevented Conficker
• 24/11/2008: Conficker is first discovered 1 month after Microsoft released the patch
• Mid-2011: Conficker is still the #1 malware present on domain-joined (business) PCs, thanks to the naive, professionally negligent, morons who think they know better

Check yourself and your facts before you fire out stupid comments about Microsoft just cos you’ve gotten into bed with a malware breeding ground like Java.

EDIT#2

Oracle has since released an update.  I don’t have Java on my machines so I can’t tell you anything more about it.  I believe the Java updater only looks for updates once per month.

I just glimpsed at a post on NetworkWorld called Email in security hot seat with rise of cloud, BYOD.  In it I saw this piece of text:

IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor’s cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple’s personal assistant, Siri.

I’ve talked about BYOD now and then for quite a while.  I’ve not made up my mind on it yet.  BYOD has a lot of complexities in terms of technical support, security, compliance, and so on.  Once you put the user in control of choosing a device (a €300 laptop not build for heavy usage versus a proper business machine with support) and managing that device, you lose control.

But here’s my thought’s on the above IBM rule. You’ve put the user in charge.  Users have no interest in rules.  Put all you want in the acceptable usage rights document.  The first people to contravene those rules will be the executives who wanted them put in place.  With BOYD you have ceded control and accepted the premise that the user knows best how they should work.  If that user thinks that DropBox is the best way to get data off of their iPad and onto their PC then that’s what they’ll use (what other choice have they?).  If they want to back up their work then Carbonite is nice an cheap.  If they want to use an iPhone 4s then they’re not going to not use Siri (“This is your reminder to call the vet”), the most marketed feature of the phone.

Rules like this are the lawyers’ answer but don’t deal with the realities of human nature.  The reason IT did lock down PCs was to protect the business’s information property.  With BYOD, you hope that they don’t send stuff all over, that they do install the app that allows remove lockdown and secure wipe, and that they act responsibly.  But hey, these are the same people that will handover their corporate passwords for a free pen in the street outside their office.