You’ve been Thunderstruck!

If you haven’t heard, the United States and Israel are behind the cyber warfare attacks on Iran’s nuclear program, which included the malicious software Stuxnet, Flame and Skywiper. Since the cat is officially out of the bag, I suppose we may as well have some fun with it!

Mikko Hypponen of F-Secure reports that he received several emails over the weekend from one of the scientists who claims to be working on Iran’s nuclear program. The scientist claims a new cyber attack has halted their enrichment activities and is supposedly playing AC/DC’s “Thunderstruck” over the speakers of the infected PCs at max volume.

Apparently this particular attack is another SCADA-based controller exploit that has forced the Iranians to shut down their centrifuges yet again while rocking some music to openly mock them.

The United States has a long history of using music in psychological operations. Some of my happiest memories of serving Uncle Sam were playing music on restricted radio frequencies and taking requests from the enemy combatants for their song choices. “You know we’re looking for you and when we find you, well, you know. But before that happens, I’d love to hear some more Ozzy.”

Employee security awareness: it’s not about “should” or “shouldn’t.”

If there’s one myth in the footwear industry that just won’t die, it’s that everyone should have a pair of shoes. You can see the reasoning behind it, of course. We’ve all heard about the kid that ran around barefoot, stepped on a nail and had to get incredibly painful tetanus shots.

But do accidents like this prove that shoes are a must or is just the opposite? If people everywhere can get foot injuries with or without shoes, doesn’t that suggest that shoes really aren’t all that important?

One of the best examples ever of the limitations of shoes is Abebe Bikila, who won the 1960 Summer Olympics marathon without any shoes at all.

Fundamentally, what society is saying when demanding that people wear shoes is “it’s not our fault” if people take risks – like not wearing shoes – and get injured. But this is false. An individual has no control over where they put their feet and they don’t have the ability to recognize hazards like broken glass, nails or poisonous vipers. After all, is the average person really a match for a vicious snake? Blaming poisonings on a lack of shoes is misguided – particularly given the stabby nature of snake fangs.

I’ll admit, it’s hard to find statistical evidence that supports this point of view. Not surprisingly, shoe manufacturers don’t share data on how protective their products truly are …

That’s probably enough of that nonsense.

In case you didn’t know, this post is in response to Dave Aitel’s recent article at CSO. While I am hardly one to defend the status quo, there are two logical fallacies at play here. The first is binary thinking … effectively saying “if a defense isn’t 100% effective, it’s not worth doing.” The second is the flaw of hand-picking anecdotes to support your premise.

This is regrettable because the bulleted advice on page two of Aitel’s article is good, if somewhat standard. It’s just that, rather than following this advice instead of “wasting time on employee training,” it should be done in addition to employee training.

To drastically over-simplify, security involves identifying what you need to protect and then protecting it. In a global security market (which we’ve matured into), you have a second rule … identify what you want and attack until you get it. These two rules play against one another, with both the attackers and defenders constantly increasing their capabilities until a defender somewhere gets compromised or an attacker gets sloppy, caught and removed from the game.

Then, you repeat the cycle ad infinitum.

In a world that operates this way, the weakest entity is going to be the first out, on either side. And, since security is multidimensional, it will be the first entity with weak enough security along any dimension … technology, process or people. By removing your focus entirely from awareness training to focus on technology and process, you defend only part of your organization. By focusing strictly on network-based defenses, you open a massive hole for non-network attacks.

As soon as it becomes easiest for an attacker to bribe an internal employee to sell them data, they will. As soon as it becomes easiest for them to bluff their way through a job interview to steal data, they will. As soon as it becomes easiest to put on a uniform to steal equipment, they will.

The attacker’s game is “whatever works,” and if we only focus on what is easiest for us to do, we open up doors for attacks.

So … stop spending money on awareness if you want … but only do so if you have taken a good view of your entire organization and have identified areas where those resources are better spent. Be aware, though, that just as we lack solid statistics on how bad awareness is as a defensive layer, we also lack solid statistics on how good it is. For every story I can tell on how I’ve found a person not doing what they should in an organization, I have one that talks about how good they are.

If you need contrarian advice, avoid those that are expressed as binaries. Consider the following:

  • Does password rotation cause more trouble than it’s worth? If users are selecting bad passwords because they have to change them often, maybe it’s time to stop doing that.
  • If you have security alerts that are being ignored by your people, your systems probably aren’t being maintained properly. As soon as you stop maintaining your systems, they shift from being assets to liabilities. Think about fixing them … or getting rid of them.
  • Are your people overly constrained? If you have customer service employees following scripts, you’ve basically turned them into technology. Turns out that we have technology in the first place because people are bad at that sort of thing. Ponder that.
  • Is a data breach all that bad? In some industries, sure … but if it were universal, it seems as though there’d be a lot more companies going out of business. Think about what a breach would really mean and how you’d handle it. Odds are, you’re far weaker in response capabilities than you are on defense. Instead of shifting defense dollars from people to technology, maybe you need to invest somewhere else entirely.

Basically, the core lesson here is “think before you spend.” Don’t blindly follow the advice of anyone (including me). Assess your environment, consider your goals and the events that could prevent you from achieving them. Then, and only then, look at how you choose to use your resources.

A Simple Lesson in Protecting Yourself Against Malware

We see the stories in the news each and every day.

Malware hit Android. Malware took advantage of known flaws in Windows. Source code was released for a new family of malware. The thing is … none of this is really news.

I’ll make it simple for you. You can ignore all the rest of the malware stories that come out this year if you remember the following points:

  • Attackers get better day-by-day. After all, if they didn’t, they’d lose.
  • As defenders, you must also get better day by day. If you don’t, you’ll lose.
  • Since we can’t control what the attackers do, the best you can do is play to not lose. This means:

1) Harden your systems (patch them, check users/passwords, remove unneeded software).
2) If you can’t harden your systems, get rid of them.
3) If you can’t harden your systems or get rid of them, implement compensating controls and understand where the gaps leave you exposed.
4) If you can’t do any of these three, get help. Sorry to toot my own horn here, but this is what we specialize in. You don’t need to be perfect, you just have to be getting better a bit faster than the attackers do.
5) If you can’t get help, give up. Just post your banking credentials, customer list and passwords on your website. The attackers are going to get them anyway. If you’re not going to protect yourself, just give up and enjoy the ride down as best you can.

July Updates and Patch Report

After a lovely week off, I am now back in the country and reviewing what happened in the security world while I was gone. To my shock, the answer is… not much. This is probably the first vacation I’ve had in years when the bad guys took a break too.

Did interesting things happen last week? Of course they did. For example, I got to pet two otter cubs, take photos of venomous reptiles without protective glass and hold a grey fox in my lap. However on the security front, we’ve got a few updates here and there, and that’s about it. Sure, there’s news that various attackers have gotten incrementally better at this or that, but that’s not really news. That’s just what they do. Of course, since that’s what they do, it really should be what you do as well. However, that’s well off topic for this post.


We finally have an update to the MSXML problem. That is unless you run version 5.0, but who’d do a silly thing like that? The problem affecting Visual Basic DLLs is also addressed. Both of these issues are being actively exploited, so you should apply those patches immediately.

The patches also include critical issues on servers and workstations that involve Internet Explorer, TLS encryption flaws and file and directory name handling. Luckily, it doesn’t look like any of these patches are likely to cause problems, so you should probably just apply them.

Unless, of course, you’re running MSXML 5.0 … then you should probably replace it with version 6.0.

More on these issues can be found at the SANS ISC Blog.

Bonus Time

We gained an extra second last week. How did you spend yours?

If you were like some of our software/service vendors out there, you spent it crashing. This shows, yet again, that time is hard to deal with. There’s not much you can do about that, other than be aware that time isn’t as linear as we’d like, and things like leap seconds, leap years, time zone changes and such can wreak havoc on our systems.

Your best protection is to understand your extended business network better. Use a time management system internally and set it to alert you if systems start to drift. Map out how your service vendors affect your business so you can easily identify when being down is on their side as opposed to yours (I test off my cell phone, so all traffic follows an isolated path).
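Two defensive time checks, added here as an example and not part of the original post: a timestamp parser that accepts the 23:59:60 leap-second form that strict parsers reject, and a drift check that flags peers whose clock offset exceeds a threshold. The `ntpq -p`-style table, host names and offsets are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def parse_timestamp(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime.

    datetime() rejects second=60, so a leap second is built as :59 and
    then advanced by one second, landing on the following minute
    (2012-06-30T23:59:60Z -> 2012-07-01T00:00:00+00:00).
    """
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    leap = s == 60
    ts = datetime(y, mo, d, h, mi, 59 if leap else s, tzinfo=timezone.utc)
    return ts + timedelta(seconds=1) if leap else ts


# Constructed sample in the layout of `ntpq -p`; offset/jitter are in ms.
# The first character of each peer line is ntpq's tally code ('*' = current peer).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.   .GPS.            1 u   37   64  377    1.234    0.412   0.088
+time2.example.   10.0.0.1         2 u   12   64  377    2.100   -0.950   0.120
 db-host.example  192.0.2.10       3 u   50   64  377    0.900  812.300   4.500
"""


def drift_alerts(ntpq_output, max_offset_ms=100.0):
    """Return [(peer, offset_ms)] for peers drifting beyond max_offset_ms."""
    alerts = []
    for line in ntpq_output.splitlines()[2:]:  # skip header and separator
        cols = line[1:].split()                 # drop the tally-code column
        if len(cols) < 10:
            continue
        offset = float(cols[8])
        if abs(offset) > max_offset_ms:
            alerts.append((cols[0], offset))
    return alerts
```

Feeding the live output of `ntpq -p` into `drift_alerts()` from a cron job gives the drift alert described above; the parser is the piece to put in front of any log or feed that might carry a :60 second.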

Basically, the more you understand how information flows through your business, the better you can identify what causes that flow to fail.


Turns out Android has malware. This is probably news if your last phone was a Motorola DynaTAC. So, for those of you just now catching up, here’s the deal: phones are computers now. If you don’t treat your phone like a computer, bad things are going to happen. Use encryption, strong passwords, anti-malware and don’t go installing stupid stuff on it.

In fact, phones are bad computers! Much of the malware that runs on phones comes from applications that are, shall we say, somewhat adult in nature. Perhaps it would be better if, instead of viewing such material on a screen smaller than a mouse, people used that mouse and viewed it on a real computer running real protections.

If you do that, you can ignore all the “OMG! Android has Malwares!!!!11!!” articles that come out over the next year.


There is a new WordPress update out. If you’re running WordPress, install it ASAP. You can get it here, or just update it from within your dashboard. However, a caveat first. WordPress, as a platform, is great. You can post things quickly and easily. I use it all the time, myself.

But … and it’s a big but … the risk to using WordPress grows with each plugin that you install. It grows with the number of people who have the ability to post. Many site compromises occur because people host multiple sites with a large hosting company and if any one of them gets compromised, the attackers can bounce to other sites and take those over as well. Thus, if you’re running WordPress, keep all sites up-to-date, make sure all users have decent passwords and use a plugin like Exploit Scanner to check that things are set up right.

If you need help reading the results of Exploit Scanner, we’d be glad to lend a hand. Really, it’s pretty easy to secure WordPress, so it’s not that expensive to get a bit of professional help.

DNS Changer shenanigans: How not to lose your internet connection

Are you worried about losing your internet connection on Monday, July 9th? Hundreds of thousands of computers are potentially facing an “internet blackout” because of the DNS Changer virus. Watch this great video by Sophos to find out exactly what is going on and how to avoid any internet connectivity issues.

For more information visit Naked Security.