Flame on!

The security world exploded this week with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded panic of this magnitude in our industry. Phrases like “most advanced malware,” “super-weapon” and “new era in cyberwar” are being thrown around like confetti. Let’s take a bit of a reality check.

Calm Down

1) Are you in the Middle East?

If not, relax. Evidence suggests the malware is focused on the Middle East … likely either Iran or Israel. While malware does spread quickly, highly-targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would simply be too much of it.

2) Have you updated your systems in the last two years?

If so, relax. While the news is new, it appears this malware was released in 2007. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.

3) Are you profoundly unlucky?

If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for five years… it has infected 382 systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are likely less than 0.0000076%. You are 22 times more likely to be struck by lightning than you are to get infected by Flame.

4) Are you a nation state?

If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.

Big Deal

So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.

First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes its way to the mainstream news. This is too bad, as both of these firms tend to perform excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.

Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take a look at these responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.

Then you have a slew of mainstream media articles that reference “cyber security experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy … which seems to be nothing more than a reporter needing a quick quote to get into the news cycle.

Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.

What To Do

The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.

Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.

Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also, if your users are running as local administrators, there’s not much you can do.

Modern malware does a lot of really neat things too, like infect smart phones, hide its tracks, punitively wipe systems if you tamper with it. Heck, for all I know, it’s also responsible for using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions AND you’re not patching your systems AND you don’t understand your data, this isn’t going to matter.

Basically, you have to walk before you run … and before you walk, you have to understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.

1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.

If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m always here to help.

The Importance of Exercise (and Rhinos)

Exercise … with a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.

In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in preference for those we are fairly certain would benefit us right now… even when future gains would likely be much larger. So even when we know exercise would help us, we avoid it because there are other things that need doing.

Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us … so there is resistance to trying new things.

Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done, right?

Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is of an animal escaping. Your job is to figure out how to deal with this event and to ultimately get the animal back. How would you do it? Take a couple of minutes and think what you’d do. I’ll wait.

Now, watch this video.

Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your employees were injured during the escape? What about people at the zoo? Did you think of children, of adults, of disabled persons and how they might escape? Did you think about the potential damage an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?

Even a thought exercise like this can show you things you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find a resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.

This will allow you to engage in a more accurate risk assessment, allocate resources and move to a more proactive stance. So, you could be prepared for any eventuality, from mountain lion to penguin.

May Updates and Patch Report: Part 2

It’s interesting how you can go through an entire week of work and think that nothing significant happened in the security world. Now that I am trying to write these updates on a weekly basis, I’m paying a bit closer attention. While we won’t have huge patch-focused updates unless it’s the same week as a patch release, it doesn’t mean nothing has been going on. So, without further ado, here are this week’s updates and patch report. If you missed last week’s, read it here.



EMET 3.0 has been released. What is EMET you ask?

EMET stands for “Enhanced Mitigation Experience Toolkit” and is basically a tool that allows you to protect Windows applications from attack. We’re used to applying patches for things like this, but sometimes a problem is more complex than people think and patches are a long time coming. EMET allows you to shift from a reactive to a proactive stance. This is a different way of protecting your systems and will take some work to get started. However, if your operational guidelines have matured to the point you have identified allowed applications and are either using application control or imaging, this can provide a nice additional layer of protection. With this new version, you can also identify attempts to exploit vulnerabilities, which can give you preliminary warnings of attack.



Google has released a new version of Chrome. This new version adds a few features and patches several security bugs. If you are running Chrome, it should have automatically updated. If you want to verify the update has gone through, go to Tools->About and make sure you’re running version 19 or higher.



Apple has released a new version of QuickTime. This version patches seventeen problems and affects the application on both Windows and OSX. If you use it, patch it.  Details are here.



Trail of Bits published an interesting article on the relative security merits of Android versus iOS. The heart of their argument is that Android phones aren’t updated as often as the iPhone, and that the Android marketplace is more flexible, which brings additional malware risk.

While this is true, it is also true the reduction of controls allows for faster development. Additionally, the deployment of Android updates is the job of the carrier, not of Google. Blaming Google for the carriers’ unwillingness to deploy updates to older phones is, I think, unfair. The real problem is carriers make more money when people buy new phones, so the longer they support the old phones, the less money they make. Apple has embraced this economic reality by convincing people to throw away their devices and buy new ones every year or so.

So here’s the truth.  If you are concerned about malware you have three options:

1) Use iOS and trust Apple to protect you. Do not jailbreak anything and live with what you get.

2) Use Android and run an anti-malware agent. I like Sophos Mobile Security (beta) and Lookout. On my phone, at least, they even seem to play well together. Don’t install apps willy-nilly.

3) Use Android, run an anti-malware agent (as above), root it and install firewall and adblockers. This makes you more vulnerable to malware, but gives you additional protection to (somewhat) make up for it. Optionally install your own ROM.

You do have to be more vigilant, but if that’s not a problem for you, you can actually get a more secure device than you can with iOS, as you are in charge of your updates and you don’t have to wait for it to fit within a company’s lifecycle.



A very interesting bug in sudo was discovered. There’s no point in my describing it here, as they did such a good job on Sophos Naked Security. Definitely go there and read about it.



RealPlayer has a brand new update. It patches three vulnerabilities in different levels of the product. However, the fourth vulnerability “why are people still using RealPlayer?” remains unpatched. :)

Apply the fix or remove the software.  The latter is generally a better choice.



A new denial of service tool is out. Known as the HTTP Unbearable Load King or “HULK,” it is different in that it takes greater care to make sure requests are unique. With a traditional DDoS tool, you can often find a traffic pattern to filter out and mitigate the attack. However, the more different each request is from one another, the harder this is to do. This tool raises the bar for DDoS protection.

If you are running a DDoS protection tool, take a look at the tool and check it against your protection system.  If it bypasses it, complain to your vendor so they fix the problem.
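The distinction above, a filter that keys on a repeated request pattern versus one that keys on how each source behaves, as an added Python example that is not from the original post or from the HULK tool itself. It runs both checks over constructed log lines (the IPs, paths and user agents are made up): a classic flood of identical requests is caught by the signature count, while a flood where every request is unique only shows up when you count requests per source and measure how few of them repeat.

```python
"""Signature-based vs behaviour-based flood detection over constructed web-server logs."""
import re
from collections import defaultdict


def make_line(ip, path, ua, sec):
    """Build one line in Apache combined log format (constructed sample, not real traffic)."""
    return (f'{ip} - - [28/May/2012:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# All constructed: one minute of traffic from three sources.
LOG_LINES = (
    # Normal browsing: a handful of requests, varied paths, one browser.
    [make_line("10.0.0.5", p, "Mozilla/5.0 (X11; Linux)", s)
     for s, p in enumerate(["/", "/about", "/news"])]
    # Classic flood: the same request repeated verbatim.
    + [make_line("10.0.0.9", "/index.php?id=1", "FloodBot/1.0", s % 60)
       for s in range(40)]
    # Randomised flood: unique query string and rotating user agent on every request.
    + [make_line("10.0.0.7", f"/index.php?q={s:05x}", f"Agent/{s % 5}", s % 60)
       for s in range(40)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def signature_filter(records, threshold=20):
    """Traditional approach: flag any (path, user-agent) pair that repeats verbatim.

    This is the kind of pattern a filter rule is written against; it finds nothing
    when every request differs from the others.
    """
    counts = defaultdict(int)
    for r in records:
        counts[(r["path"], r["ua"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def behavioural_filter(records, rate_threshold=20):
    """Per-source approach: flag an IP by request volume in the window, and report
    what fraction of its requests were unique so you can tell whether a
    signature rule could ever have matched it.

    The constructed sample is a single minute; in production you would bucket
    records by timestamp before counting.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((r["path"], r["ua"]))
    flagged = {}
    for ip, reqs in by_ip.items():
        if len(reqs) >= rate_threshold:
            flagged[ip] = {"requests": len(reqs),
                           "unique_ratio": len(set(reqs)) / len(reqs)}
    return flagged


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    print("signature hits:", signature_filter(recs))   # only the verbatim flood
    print("per-source hits:", behavioural_filter(recs))  # both floods, not the browser
```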

If you are not running a DDoS protection tool and are comfortable accepting the DDoS risk, just sit back and chuckle over the fact the most stealthy DDoS tool is known as The HULK.


That’s it for this week.  If you have any questions, please drop us a note.

Is this the end of carrier bloat as we know it?

Carrier bloat … if you have a Smartphone, you probably know exactly what I’m talking about. Carrier bloat usually takes the form of targeted mobile marketing applications that encompass everything from sports and shopping, to games and movies. The apps are baked into the phone’s software,  often run by default, can’t be removed and worst of all, gobble up precious storage space, CPU cycles and battery life. Simply put, carrier bloat holds your phone hostage.

I’m a big fan of rooting Smartphones by loading a custom ROM that strips away all the non-essential garbage the carriers preload onto each device. It’s amazing how much longer your battery will run, as well as how much more talk and text time you will have, when the added overhead of carrier bloat is removed. Why does it suck up so many resources? The bloatware is constantly dialing home to check on updates and frequently reports back to the carrier regarding what you’re up to (*cough* CIQ  *cough*). I guess I’m just one of those old school guys that believes when you purchase a device, you own the hardware and have total control over what is running on the device. What a novel concept!

If I don’t like the underwater basket weaving app included with the phone, I shouldn’t have to put up with Sprint, T-Mobile, or AT&T’s version of that app for the life of the product. I paid several hundred dollars for the hardware and I have a say in what the phone is or isn’t running. I didn’t pay the carrier to spy on my activities or offer me products and services that I don’t care for or use. I’m paying these clowns to provide me with voice and data service … that’s it. And when I root a device and strip it bare, I’m getting exactly what I want and technically what everyone thinks they’re paying for.

Not surprisingly, I’m not alone in this line of reasoning. XDA Developers has at this time a little over 4.4 million members. The site specifically caters to custom ROM development for pretty much every Smartphone you can buy today. Developers on this site figure out how to root the devices and then customize the software loaded onto each device. The real kicker here is the carriers and mobile device manufacturers watch this site very closely as it is often XDA who manages to load new versions of Android on older phones and extend the usefulness and security of said phone before the carrier gives up on it entirely.

Take the HTC Evo 4G for example. HTC had stated they weren’t sure if the device was capable of running Gingerbread. It wasn’t until someone on XDA had successfully ported it over from a ROM on a newer HTC phone that HTC announced a few months later that it was releasing an official update that would upgrade the Evo 4G to Gingerbread.

Luckily, the times be changing!

Google started a little pilot project last month involving Google Wallet and a completely unlocked carrier-independent Samsung Galaxy Nexus smartphone. The phone has no carrier bloat and no carrier contract. It’s simply a pay as you go GSM device that works on any GSM network (AT&T and T-Mobile here in the US). You pay for your minutes through Google Wallet and Google reimburses the carrier for your used bandwidth. It’s being described as “Android in pure unadulterated goodness.”

For light phone users this is a perfect phone. You essentially pay for only the time you spend on data and voice usage with no carrier bloat eating away at your data minutes … it only uses what you tell it to use.  For guys like me that are heavy data users and who rely on unlimited data access plans (I spend a lot of time on customer sites using my phone for network access), this will be a very expensive device. It’s not quite there yet for us, but it’s a good step in the right direction for many other users.

The goal of this project is to take control of the device out of the hands of the carrier who ideally should only be involved in providing voice and data services and not dictating to the customer what they can or cannot run on said device. And it’s not like this is the first time a communications provider has taken advantage of its power.

This was a particularly sore point I had with Comcast cable service. They would outright block Netflix at times or downgrade the network traffic to the popular streaming website to the point their product was unusable. Comcast isn’t happy that Netflix is giving Comcast customers options. They want to maintain a closed market environment and don’t like competition for their OnDemand product offering. Like many other consumers, as soon as DSL was available in my area I kicked Comcast to the curb. I voted with my wallet and went with a more open carrier.

Sadly, there are those out there who live in locations where Comcast is the only option and are therefore stuck with a monopolizing provider. Up until Google started their exciting new Smartphone project, a large percentage of smartphone owners were likewise at the mercy of their carriers for what exactly is installed and running on their phones.

If you’re a Smartphone user who is tired of a carrier who manipulates your phone, it’s time for you to vote with your wallet as well and switch to a phone that doesn’t hold you hostage.

May Updates and Patch Report

It’s been a little while since I’ve written one of these posts. I had, in recent months, gotten overwhelmed by the amount of updates out there and the fact the advice really hadn’t changed. If you’re not going to read the entire post, just follow these two rules of thumb:

1) Apply patches to all applications on all systems as soon as you possibly can.

2) If you skip rule 1, be prepared to reinstall the OS and all apps on any system at any time.

That’s it.  Now, let’s get into some recent happenings:



Last week, Microsoft released several updates with many of them being critical. Workstations, once again, are affected by Office updates. If abused, a special file could cause these applications to take over your system.

But wait, there’s more!

Two sets of patches focus on the .NET framework and patch against code execution as well … so you don’t actually have to download a file to be placed at risk. However, unlike the Office problem, this flaw affects both workstations and servers. Getting even better, if you install the server in “server core” mode, this flaw also allows for elevation of privilege. This means that a successful attack can not only remotely take over a system, but it can break out of the permissions you set to lock things down.

Of course, given how nice these flaws are for attackers, it is not surprising that they are being exploited.

For more details, please see the reports from Sophos and SANS.



Apple has also released updates for many aspects of their operating system. The first set of patches focuses on Java. Over the last few weeks, an OSX+Java-focused attack called Flashback has run amok. This attack leveraged a flaw in Java that was fixed on February 14th… but not patched by Apple until April 3rd. Lucky for us, this malware was good at spreading, but not so good at being evil.

In the set of patches that came out, there were also several that focus on Safari and the disk encryption subsystem. The disk encryption problem basically exposed the encryption password (in certain cases) to people that look for it. Of course, a disk encryption solution that leaks the password is like keeping your house locked by leaving the key on the window sill. It’s just my opinion, but that’s perhaps not the best security solution.

More details on the Apple patches can be seen at ComputerWorld and Sophos.



Several Adobe updates came out to address specific issues. The patched products include Flash Player, Illustrator, Photoshop, Shockwave Player and Flash Pro. Sounds good, right?  Well…

As it turns out, the Flash Player and Shockwave Player updates are free and fix the problems.  The patches for Illustrator, Photoshop and Flash Pro are free… but fix the problems by informing you that CS6 is available and that CS5 is no longer supported. Now, while it is within the rights of any company to stop supporting their products, one might argue that releasing a “security patch” that asks you to pay money and upgrade to fix the problem (assuming your hardware will run CS6) crosses the line.

There is a rumor in the industry that Adobe is backpedaling and will release updates to CS5, but they’re not out yet.

You can get the Flash player update here. Odds are that you don’t need Shockwave, so just uninstall it. Then, cross your fingers and hope that the patches for CS5 come out before your system is completely taken over and your bank account emptied to Eastern Europe. :)

This might also be a good time to check that your anti-malware software is updating and provides decent application hardening. Here’s a tip… if your anti-malware software came with your workstation, it’s probably not sufficient protection for modern attacks.



PHP has been updated to fix a problem in php-CGI. The php-CGI mode is available to provide better isolation for sites that run multiple virtual hosts. In this case, however, it did introduce a potential flaw. If you host multiple PHP sites on a server, please read this vulnerability report and test your system. If you’re vulnerable, apply the patches available here.



If you were playing with the “new online currency” bitcoin and storing them in Bitcoinica, you probably lost money this week. A compromise of their production servers resulted in a loss of $90,000. Two months ago, a similar theft resulted in a loss of $225,000. Some details are here.

Here’s the thing. If you are using a traditional currency, there is significant oversight on the part of the government that backs it and the banks that use it to make sure that bad things don’t happen. In a peer-to-peer currency like Bitcoin (even ignoring the lack of cryptographic analysis), there is no central governing body. Without this sort of body, the currency has no externalities and is 100% market driven. Thus, the currency will be protected by the least-accessible effort and breaches like these will continue to occur. Basically, the cost of acceptable losses is built into the currency itself and not dictated by a government. There’s nothing wrong with this, but it is a different model. Think on this before you hop on the Bitcoin train.


That’s it for now. I am going to do these more often for you, so they should be a bit shorter from here on out.  If I don’t cover something that you think is important, please leave us a comment and I’ll get to it on the next cycle.