If I were Evil Series: Creating a malware pandemic through USB charging stations

I would infect the USB power stations at airports & first class w/ malware to take-over all the Laptops & Smart-devices, iPads, iPhones, and latest Samsung device. I would do this either one on one device – much like spreading a virus as demonstrated through pace makers (Jonathan Brossard did a proof of concept of infecting pace makers simply by proximity with each other), much like any other virus. The goal would be simply to infiltrate systems and these devices for exfiltration and espionage.

Of course one could do this too at the hardware level by poisoning the chipsets coming out of China, as was done with the missile guidance chips…

If I were Evil that is …

Too many compromises …

There is a large volume of public disclosures over the past several months involving sophisticated (and some not) with mature defenses being breached.  The most visible ones are not from small startup companies that were lean on their defense, but instead these are being perpetrated against those organization’s with the resources and skills to muster a good defense.

The lessons of these public disclosures (note being public – as more are likely not being publicly released) is the need to reflect and adjust.  A comment i made in February regarding the need to continue building and evolving security through risk assessments.  Information protection is about conditioning and not about the latest fad.  Certainly the latest fad requires attention, but so does historic attack methods.  So, what is interesting of the recent compromises.

First off, sharing and depth of defense.  Barracuda Labs had a breach, and they published very specifically what happened.  What is positive about this breakdown is that they articulate precisely what was taken, and how they are CERTAIN that was it.  Their technology and analysis do not have words of legal or marketing anywhere, and therefore are actionable.

Amazon AWS…  this affected many more people and for many days the impact was unknown.  This was more an operational breakdown for businesses than perhaps an information protection process.  There is a decent timeline of the web services’ updates here, and from it one can tell that great effort was taken by Amazon to address the challenges.  Unfortunately, for businesses trying to take action there was no clear point where clients using Amazon should activate their disaster recovery plans.  Given processes were coming online incrementally I understand that decision is challenging.  In addition, the plethora of terminology probably made all system administrators and CIOs review their deployment maps more than once.  The take away here is – understand precisely what services are being provided and where (as much as you are able), and secondly have your own plan that depends on your own customer’s expectations.  This is leading practice, but can get lost in these serious moments.

Admittedly the Amazon example is not a breach – though think of the potential if it was an attack on the infrastructure of Amazon’s cloud environment and how extremely valuable that landfall would be to criminals and nation-states.

Then there is Sony’s network that was attacked and required a complete shutdown of the service to extricate and stabilize the environment.  Three separate posts by Sony on their blog here, here, and here.  This attack highlighted that, despite the business model, sensitive data is sensitive data (PCI).  In addition, an idea I have been discussing with colleagues is the potential for bot armies.  Consider that playstation consoles have very strong computing platforms built-in and are used by graphic companies and military for high end computing (1,716 linked make 1 super computer!).  Also consider that at least 77 million devices connect at some point to the Playstation network, receive updates, transmit data at high speeds, and are all likely not disconnected after a gaming session.  The point being, a single hardware platform running basically identical firmware, connected on high speed broadband .. sounds like a perfect bot army to me.

There has been much written on these events above and I encourage all to deeply understand the executions.  My intention above, as always, is to provide a different context to these events, their meaning, and perhaps some actions to be appropriate by you.

Best,

James DeLuccia

Security and Privacy on mobile devices are not always equal

I spend a great deal of time on global security programs where the focus is beyond the bit and bytes (finally) and includes the people process side of the equation surrounding information security.  One may argue this has always existed when just looking at the regulations and standards we have built our compliance programs around.  I would politely highlight this is not always the case and not to a sufficient level.

A common challenge in the security world is that a lot of bad can and does happen online.  The only difference between what scares people one day to the next, lies in what is being focused on.  Exposed emails are nothing new; financials leaked on torrents; or simply the acronym APT are not as new as they appear.  What is substantially new is the emerging device universe and the consumerization of tools beyond and into the enterprise.

These devices not only introduce entire new platforms with application risks, but also the manner of handling the traffic and the data itself is also different.  A bit of an example to clarify:

In the late 1990s web browsers and websites allowed fields that went unchecked by the server – why?  Well, there was no reason anyone would send a bazzillion letter ‘A’s, or would type in SQL statements that might interfere with the database backend, right?

Switch to 2011, and with smartphone devices we have new platforms and a model where assumptions are being built into the applications and interfaces on what the users will do.  It is a given that we are wiser today on these points, but with the release of new code and applications the level of complexity increases rapidly on each device and technology ecosystem.  The consequences of these individual applications interacting on the same device have yet to be realized.

Another point of view is what happens with the data being handled by the service provider?  As organizations switched to mobile sites 3rd party systems were used, but those are being pushed aside by custom built and iOS type applications.  As was highlighted in a nice little post by Dan Wallach – not all communication settings are adhered to for every device and every channel (his example Android and Facebook).

There is an immense opportunity to reduce current and future difficulties by reflecting on the past and applying the correct safeguards in place today – completely.  Coverage is key – without it, we are just plugging holes and hoping others don’t look at the others.

A bit broad, but look forward to challenge and alternate perspectives,

James DeLuccia IV

RSA SFO 2011 is done

This week has been a blitz of sessions, one-on-one deep discussions, and random swarms of passionate people descending on any table to discuss all things information security.  The sessions were good, the products somewhat interesting, and the networking was fantastic.  I did my best to tweet as much as I could from sessions throughout the conference, but there is a theme I saw and wanted to share for debate and consumption.

The risks are severe and quite frankly the offensive capability of attackers (individuals, attack teams like Anonymous, and nation state sponsored groups) is excellent.  Organizations are suffering from exfiltrated data at an alarming scale, and lack of maturity in managing these threats is ad-hoc.

A single vendor this would come across as F.U.D., but this was expressed by the Director of the NSA, and at nearly every session and keynote.

So what does this mean?  Well, much like at RSA there is a need to translate and form an opinion, or lovingly called the ‘Apply Slide’.  Below are the points that resonated for me – in no particular priority order:

• There is a need for a more meaningful appreciation of what is valuable to every organization.  This discussion needs to happen with the management, legal, risk management, internal audit, and technology leadership.  A primary effort of bringing these individuals together is to ascertain what is valuable and what forms may it exist throughout the business.
• A sophisticated incident handling process is needed.  This is a topic highlighted by the likes of Google and Signal Intelligence experts.  The point though was lost I feel to the majority of attendees.  The need is not simply to have trained team members with tools to be activated in the case of a breach.  That is needed, but there is a much deeper need:
  • The maturing and sustaining of a firmwide global effort to respond to every infection / malware-instance / behavioral anomaly.  Here is the thesis:  Today most of these are addressed through a help desk function that follows a decade old process of risk identification and remediation.  The common response is to update patches and have the behavior cease (removal of the error is considered a “fix”).  It is widely accepted that the attackers and infection tools are highly sophisticated, and removal is not a linear path nor a guarantee of a “clean” system.  In addition the statistics reinforce this fact when we look at the effectiveness of the anti-virus tools, the amount of malware that is unique and unknown, and the percentage of exfiltration events that occur resulting from this code.  Finally, there is a stigma to ‘activating an incident response’ team in many organizations.  Together these create an atmosphere where keyloggers / botnets / stuxnet / and similar malware toolsets can infect, avoid destruction, increase infiltration, and have intelligent exfiltration of desired data.
• Cloud was a very popular topic all week, and despite professional annoyance of the media focusing on a single aspect of information technology one simple fact remains true.  These sessions were packed.  The information provided was not clear and visibility remains beyond immediate grasp.  So – my response here is … these sessions were packed and the term is everywhere, because we do not have this at a state of understanding.  I foresee this will be a long and great area to continue developing.

Thank to everyone and hope to see you again  – soon!

James DeLuccia

End to End Resilience .. ENISA.. Cloud..

The beautiful opportunity with distributed computing, globalization, and cloud services is the ability to scale and run complex environments around the globe.  This is balanced of course by assurance that the operations are occurring as you expect, are managed properly, and protected to secure the competitive intelligence of the business.  Especially interesting has been the movement of centralizing data centers of a company into super data centers.

Together these points raise and are possibly met by the ENISA (The European Network for Information Security Agency) report that highlights the decisive factors of an end-to-end resilient network.  The report can be found directly at this link location.

An interesting challenge highlighted by, what appears Egypt’s government shutting down the internet, is how are these distributed cloud systems managed if they are cut-off from their administrative consoles?  Considerations for all businesses, and perhaps an appropriate addition to business continuity and such planning risk documents – is the following:

Can the business’ systems function autonomously when the primary controls and administrative connections are lost?

Perhaps a lesson could be gained by the masterful administration of the bot-net armies that leverage dark and shifting network clouds.

I would be interested of the implications that arise as a result of this disconnect of a country, and potential of other countries (whether due to more direct action, or the indirect result to further contain internet traffic).

Come join me and others in San Francisco where I will be speaking at RSA.  Stop by.. lets catchup.. and looking forward to great debates (as always).

James DeLuccia