Hoaxicane Sandy

It’s that time again.

Whenever a major media event happens (like Hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:

  1. Event hits the news as media outlets try to one-up each other to get the word out.
  2. People spread the warnings, making them just a little bit worse each time they are copied.
  3. Other people create hoaxes to ride the wave of popularity.
  4. Still other people create custom hoaxes to exploit the disaster financially.

A few minutes ago, at least in my little corner of the internet, we hit stage 3 when this image was posted:

(From here.)

Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.

The first tool I want to discuss is FotoForensics. Check out their analysis.

See how the Statue of Liberty and the land on which she stands are much brighter than the background? In an error-level analysis like this, a region that lights up more than its surroundings has a different compression history from the rest of the picture. That indicates the statue was pasted on top of the other image, so we know it’s fake.

Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.

Look what happens when I do a reverse image search on the suspicious file here. (TinEye results expire after 72 hours, so if you’re slow to read this, just paste the URL of the photo into their search box.)

TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size, and there we have what is likely the original:

ETA: Original can be found in this set by Mike Hollingshead.

Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the Statue of Liberty, the water and the boat. They also shrunk the image and made it darker… because darker is scarier, apparently.

The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. But it does matter when you start getting fraudulent emails convincing you to “click here” to help victims of the hurricane.

Uncertainty and doubt can work against you, but they can also work for you. When the attacks come … likely in a few hours, approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.

Cyber “Pearl Harbor”

It’s no secret that cyberspace has quickly become the world’s next battleground. The United States and Israel were widely speculated to have delivered a mighty blow to the Iranian Nuclear Program with the Stuxnet Virus, and now Iran has fought back by attacking the web sites of American financial institutions, Bank of America and J. P. Morgan Chase.

Despite the magnitude of these web-based attacks, I don’t think the public necessarily understands how devastating cyber warfare could become. With nearly all businesses featuring some sort of online component and so much of our day-to-day activity relying on web-based technology, a cyber terrorist could effectively cripple everything from bank accounts, telecommunications, medical facilities, utilities, transportation … you name it. Perhaps this is why U.S. Secretary of Defense Leon Panetta offered a rather dire warning last week:

“The collective result of these kind of attacks could be a cyber Pearl Harbor,” warned Panetta. “An attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nations and create a new profound sense of vulnerability.”

I bet that quote got your attention! The reality of such an immense attack can certainly be debated, but the question of whether the United States is ready and able to protect its interests is certainly a topic that should be at the forefront of any discussion regarding terrorism and world war.

Heather Roff, a Research Fellow with the Eisenhower Center for Space and Defense Studies at the United States Air Force Academy, penned a great post this week for the Huffington Post that discusses the conclusions we can draw from Panetta’s speech and how prepared the United States is to defend its cyber borders.

Sprinting through Security

We’re all familiar with old school consultants. These are people hired at $20/hr and rented out for $150/hr. It’s good business, if you can get it. All too often, however, the work is neither enjoyable for the consultant nor useful to the client. After years of trying and failing to make the old model work, I decided it was time to throw it out and start over. Thankfully, RJS agreed. As of today, we are one year into the process of reinventing security consulting.

The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.

Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.

With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is that, to clearly pre-identify “risk reduced” or “money saved,” time is required. Since time is billed, it can cost a significant amount of money just to identify how much money you’re saving!

Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.

This process affords another advantage we did not anticipate. In many cases, security fails because the people who put it in place are often not those responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved with the initial configuration, they tend to lose a lot of time tracking false alerts or, worse, miss legitimate issues.

Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.

In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.

Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.