A Borg's Blog

Assimilation over Evolution, you will be Assimilated! This is my journey from human to Borg and you are invited along for the ride.


Sunday, May 06, 2018

Spectre is back and Twitter hacked

Spectre, the CPU security bug, is back, only now there are 8 of them (Intel says only 4 are really bad, the rest are just bad).
So look for OS patches to mitigate the bug in the next week or so and BIOS patches to fix the problem (do they really?) in August.
In the meantime patch everything and be careful.
Talking of being careful, Twitter apparently through a slip-up, more like falling down a set of stairs compared to slipping, had all of their users' usernames and passwords stored in a single (large) unencrypted text file. See The Hacker News story here: https://thehackernews.com/2018/05/twitter-account-password.html
Be careful out there.

Saturday, January 06, 2018

Wintereenmas is coming, the world is not going to end, despite Spectre and Meltdown

Despite the dire predictions and hype about the two massive CPU bugs (OK, 3) and how stuff on your computers is open to anyone, the attacker still has to get something running on your computer in user mode to exploit the bug. So unless you are worried about Microsoft taking all of your data (hint: they can already) all you have to do is not do anything unsafe. (Good luck with that.)
So best advice, Patch Everything! And then only do the stuff that really matters on Linux because of all of the other Windows bugs they will never patch.
Oh and Jan 25 to Jan 31, Wintereenmas is coming :-)

Wednesday, January 03, 2018

New year new Leaf?

I'm still here, still watching the cyber scene and playing video games.
2018, who knew we would get here? Well it was inevitable really and well with all the stuff that happened in 2017 it looks like it will be fun to watch.
Cyber is already heating up with the Intel (and other chip makers) security flaws, Meltdown and Spectre. As we learn more, keep in tune and hopefully I can post something here.

Saturday, January 30, 2016

Hi,
I keep dropping off the edge of the world it seems, I post here a while and then I don't. It's partly that I don't feel I know what people want to know and partly because I'm withdrawing again.
Computers are cool, they help you do a lot of things, but they also can be used as a crutch to ignore the world. The last few years it's been gaming as a way to ignore the pain. The doctors see an improvement in my health because I game. And I use a lot less pain pills. But it means I also withdraw because the types of games that work for me are solitary things, Skyrim being the foremost, and Fallout filling in where Skyrim leaves off.
But I want to post more and I want to post stuff people want to read, so post suggestions and I will make the effort to start posting more stuff. Also wondering if a better fit might be to start posting game play videos? I want to see if doing that will change how the gaming helps me with pain and as a way to stay connected to people. Some people thought Twitch would be a way to do this but I'm hoping to stay with Google if I can, or maybe another provider, but I don't want to leave Google behind if I don't have to.
Thanks

Saturday, January 24, 2015

Feeding the trolls (part 2, Microsoft)

Ok it's officially a series, there are two of them.
In this series I am doing a little poking fun at the computer companies we love, for fun and as an exercise in free speech. I guess I survived the expected attacks from Apple fanbois, so is there anyone who expected me to let Microsoft off the hook?
Don't expect any fast breaking news, I'm just having fun here.
Bill Gates' brainchild Microsoft, the publisher of operating systems and productivity tools. DOS and Windows, the most un-Unix of the Unix family.
Also known for a time as "the evil empire" and

Microsoft was initially known for another thing, BASIC. Not that their stuff is basic but that they made BASIC for Unix, DOS, and other platforms. VB.net now, but BASIC is not just a basic programming language; most people forget what it stands for, Beginner's All-purpose Symbolic Instruction Code. Yes, Beginner's and Instruction, so, for people who don't yet know how to really program to learn with and eventually move on to a "real" programming language like say Forth or Lisp (or C, Java, VC#...) but somehow people forgot that they weren't using a real language and now half the world runs on VB, thanks Bill.
The founder of Microsoft is the ultimate geek's geek. He made the tools that a lot of us geeks use to make tools for real people. I follow his example and make tools using his tools for other geeks to make tools. I think that makes us all tools.
Bill Gates, the ultimate ladies' man, skinny, pasty white skin, but lots of money.
Microsoft, known to some as "The Evil Empire" because of their long running battle with those people who would have all information and software free (as in speech not necessarily as in beer.)
They got this name for a lot of things, destroying Netscape, Novell Networks, Borland Compilers and trying to kill Linux. They lost a battle about abusing their monopoly in desktop computers, and one in Europe about what web browser people use, but they still hold the top spot in desktop computer OSs although they lost the battle for mobile platforms to Android and iOS. I still think that Windows Mobile 6.5 is the best mobile OS but I am just 1 person and apparently it is "too computery".
So what did Microsoft do? They changed their mobile OS to be much more dumbed down (but apparently not as dumbed down as iOS and Android since it still doesn't sell) and then tried to put that mobile OS on the computers on our desktops. Apparently you shouldn't make computers less computery, as it didn't catch on, and they got so befuddled by that they forgot how to count. Yup, Windows 7, Windows 8, Windows 10. Either they switched to base 9 counting or, as some have suggested, "7 ate 9".
It's OK, they forgot how to count on previous occasions as well, notably with Excel 2007. (850*77.1 = 65535, not 100,000.)
One of the more innovative things to come from Microsoft in recent years is Patch Tuesday. One day a month everything that needs a fix is delivered to your desktop all at once, to every desktop system world wide. One day a month for all IT folks to panic and hope the latest rushed out fixes don't break every system in their networks. Thanks Microsoft.
There you go, Microsoft, what would we do without you.

Cyber Security stats from Surveys (I found them shocking)

Survey from EiQ Networks: (sample size not as big as I would hope.)
Some startling statistics, just 15% of IT people think they are prepared for a security breach. Just 21% think that what they have in place can mitigate the risk.
Only about 80% use a firewall (another survey put this at 87%). Only 28% are using host based firewalls. (You have to use both, or one system being compromised suddenly becomes every system is compromised.) Only two thirds use anti-virus. Only 60% use some type of intrusion detection, mostly just watching logs.
Only 60% have even a partial process to respond to an attack and only 30% think that process is solid.


Another survey from ISACA (bigger sized survey) shows that 67% of IT professionals have heard of APTs but half of those think they can protect against them. And the people who think they are ready to protect their networks from an APT are relying on the things that don't work against APTs, firewalls and anti-virus. Like the keys to your house these things only work against the regular run of the mill threats and are practically useless against an APT threat. We still need them but they are nowhere near enough. (They don't get it, even seasoned professionals in the cyber security industry don't seem to get it.)


Couple this with Cisco's survey: 75% of CIOs think that their security tools are effective but less than half of them patch their systems regularly. They also don't really get it. What else are they not doing if they don't patch their systems?


There is also some noise in cyber circles about companies that think that since they were already attacked once (Sony for instance) they won’t be attacked again.

So sum that up to this: most companies are not even doing the basics right. Not patching, poor firewall use, hoping that outdated technology like anti-virus will help, but they don't even get that the threat they face has changed, and even when presented with examples they think it won't happen to them or that since they have already been attacked they are somehow immune. And they don't have a proper plan to deal with it and I bet they also don't have a plan for how to recover from it afterward either.

So what to do?
Cyber security must do all of the motherhood stuff: firewalls (both perimeter and host), patching, anti-virus (even on Linux), etc. Segment your network so that the important stuff (point of sale, production, software development, whatever your company does) is not on your main network, so that outside access is also on its own network (like HVAC and Pepsi machines), and so that access from the main network is controlled if allowed at all. If the only thing required is access out, don't let access in.
And then if your line of business is at all a target for an APT, assume you are already compromised. If you could be a target you are a target, and if you think you can't be a target prove it, don't just think it.
You have to teach your employees how to recognize spam and phishing emails and not to open them. If you have employees that are not learning, switch them to Linux with only user privileges. Better yet, switch as many users as you can, without affecting their job function, to Linux. It's just safer and more secure. (Based on the fact that there is so little malware for Linux and so much for Windows, and that user access rights on Linux are not administrator level where on Windows so often they are.) Having a mixed network is more work and your IT people may complain, but if they are good they will be fine. And put more money into IT. The biggest issue with cyber security is not that people can't do it but that companies are failing to fund it properly. Use open source tools, use free Linux firewalls and security tools like IPFire. Take the money you save and hire IT people. Free tools with more people is better than paid tools (which are mostly based on the free tools and packaged to make them pretty) and not enough IT staff.
Also listen to your staff, regular and IT, when they say there is something wrong. Most security breaches are not caught by IT but by sufficiently empowered users.
You need to do intrusion detection, something like Snort, but also honeypots: fake systems that are not used for anything real on your network, so if they get any activity it means someone is checking out your systems from the inside. Your systems are compromised and the attacker is looking for stuff to steal. Make them obvious and tempting and fill them with fake data. More on this another time perhaps. For now just do the motherhood issues and get enough IT staff to do their jobs.
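The honeypot idea above in working form, as an added example that is not from the post: a decoy TCP listener on a port that nothing legitimate should ever touch, so every connection is an alert with the source address and the first bytes the visitor sent. The `Honeypot` class, the `fake-ftp` service label and the localhost self-test are all assumptions of this example.

```python
import datetime
import socket
import threading
import time


class Honeypot:
    """Decoy TCP service (hypothetical example). Nothing real uses it, so any
    connection attempt is logged as an alert rather than served."""

    def __init__(self, host="127.0.0.1", port=0, service="fake-ftp"):
        self.host, self.port, self.service = host, port, service
        self.events = []                 # one dict per connection attempt
        self._lock = threading.Lock()
        self._sock = self._thread = None
        self._running = False

    def start(self):
        """Bind (port 0 picks a free port) and run the accept loop in a thread."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)       # lets the loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while self._running:
            try:
                conn, (ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:              # socket closed by stop()
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    first = conn.recv(256)   # record what the visitor sent
                except (socket.timeout, OSError):
                    first = b""
            with self._lock:
                self.events.append({
                    "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                    "src": ip, "src_port": src_port,
                    "service": self.service, "first_bytes": first[:64]})

    def wait_for(self, n, timeout=3.0):
        """Block until n events are recorded or timeout elapses."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.05)
        return False

    def stop(self):
        self._running = False
        if self._thread:
            self._thread.join(timeout=2)
        if self._sock:
            self._sock.close()

    def alerts(self):
        """Human-readable alert lines, one per recorded connection."""
        with self._lock:
            return [f"HONEYPOT {e['service']}:{self.port} touched by "
                    f"{e['src']}:{e['src_port']} at {e['time']} "
                    f"data={e['first_bytes']!r}" for e in self.events]


def self_test_connect(port, payload=b"USER admin\r\n", host="127.0.0.1"):
    """Constructed localhost traffic so the decoy can be exercised offline."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)


if __name__ == "__main__":
    hp = Honeypot()
    self_test_connect(hp.start())
    hp.wait_for(1)
    hp.stop()
    print("\n".join(hp.alerts()))
```

In a real deployment the alert lines would go to syslog or the IDS console, and the decoy would sit on the segment the attacker is expected to explore.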

Friday, January 16, 2015

Feeding the Trolls (Part 1 Apple Fanboys)

Hi,
I have been thinking about the attack on Charlie Hebdo and attacks on people saying their piece. I stand in solidarity with the writers and cartoonists but I don't share their talent in graphics. I also think that the Islamic bear is being poked enough right now, but there are other "holy cows" out there that need poking and I think that there is plenty of room to poke things in the technology industry.
Of course there will be some easy targets and the fanbois of those targets will get upset and that is OK, preferred even, and hopefully they will respond with words and argument rather than threats and bullets. I also hope to make this into a series, if I remember and no-one guns me down in the street.

Let's start this off with everyone's favorite half eaten fruit, the Red Delicious of computers, Apple.
The maker of the PC that runs the prettiest version of Unix, the Macintosh.
This is a company that so reveres its founder that when he bit an apple, it tasted bad, he threw away the apple and they made the logo from it. Lucky for us, not the piece he bit out of it. Just think, if he liked the apple their logo would be just the core.
Apple has always been the company that makes the simplest, easiest to use computers and overcharges for them. They even had mice before Microsoft did, but like everything else they made, simplified for easy use by, say, bloggers, so it only has one button. Maybe Apple users can only handle one button, I'm not sure.
Apple also makes the iPod, a really good easy to use, overpriced, MP3 player, and the iPhone, a really good easy to use, overpriced, MP3 player with an add-on cell phone, and the iPad, a really good easy to use, overpriced, MP3 player with a big screen.
Steve Jobs made a huge impact in the PC world in so many ways, pioneering many different things both at Apple and for the period he was away from Apple that I for one am very happy he did create computers and software and the devices he made. But it's still fun to poke fun at the company he made.

Saturday, January 10, 2015

Another rambling about malware, some history and impact

In the history of the personal computer there have been instances of malware that have been notorious firsts for effects and compromises we thought would never happen. Starting with the first viruses that spread from system to system by attaching themselves to other programs. The early viruses were clunky and easy to spot and remove. Most of the early viruses just did things like take over your screen and make noises.
It didn't take long for them to start causing damage, deleting files or wiping hard drives. AV programs were new and quickly became popular. And then viruses were not only terminate-and-stay-resident and copying themselves from system to system, they became stealthy. They started to hide in places like the MBR of a hard drive and start themselves before the OS did, and became rootkits, but also self modifying, changing their signature to stay one step ahead of the AV and OS companies.
Some of the first rootkits were for Windows NT, the aptly named NTRootKit for instance.
Then malware started to spread by attaching to documents and worms were born. These were macros and not "real" programs but the damage was just as severe. The Love Bug was an early example of this. These macro viruses spread faster and further than anything before them; Love Bug was thought to have caused $10 billion in damage before it was finally defeated.
For a while malware got boring. Not a lot of new stuff happened until we got word of a virus that put itself into the BIOS. We thought that the BIOS was safe; flashing a BIOS was an arduous process that you had to be very careful to do, and if you messed it up you bricked your computer. But an unnamed virus in China was found where, when the virus was detected, the owners cleaned the hard drive and it came back, then replaced the hard drive and it came back. Finally they checked the BIOS and there it was. Apparently it was a company competitor that knew what brand and model of computer was being used in one company and made a virus to cause them damage and be a competitive advantage.
Next, Stuxnet. They did a few things we thought no-one could do. They were the first notorious air gap jumping virus. With new information we can now say they did this by infecting the updates being delivered to the computers from the manufacturer, as Stuxnet attacked those manufacturers first. They found a hole, a supplier that had privileged access, and used that supplier to gain access to the air gapped network. New techniques for communicating with air gapped systems developed in the last year mean that if an air gap is breached then updating the malware is no longer impossible.
Malware then morphed into distributed computing to birth the botnet. Hundreds or thousands of infected computers all taking orders from a central set of command and control computers to send spam, do denial of service attacks (DDoS) and spread themselves even further. The bane of Windows XP and Windows Server.
The same family of malware as Stuxnet also produced some other firsts: the first time an industrial system was attacked on that large a scale, and they also used flaws in Microsoft's Windows Update to put viruses on computers, using certificates to make the malware look like a legitimate patch through the OS update system. Flame/Duqu were also used to not just get information from computers but also information about the surroundings and people around those computers. They listened with microphones, used the cameras and wireless/Bluetooth to find people, figure out their schedules, and may have been used to target Iranian politicians and scientists for assassinations.
New malware happens all the time, but for years a "real" virus, one that is binary, not a script, passes itself from machine to machine by infecting programs and is self replicating into different programs, has been rare. It is also rare to have a virus attack more than one operating system, but last year one was detected that, while it was small in infection size and looked to me like a trial, infected Windows, Linux and reportedly Mac, as they all use the same CPU family.
And then there are the hardware/malware attacks. When you plug a USB device into a computer the device and the computer talk so that the computer knows how to work with the device. But any USB device can be any type of device, or even more than one at the same time. The first instance of this did not even look like a USB device but an iPod dock. It was not only a dock and a set of speakers but also carried malware, infected the iPod/iPhone and then installed malware. But any USB device can do this. You could have a keyboard with a USB memory component that carries malware, or a USB stick that is a regular stick, and if there was malware in the memory it could be cleaned, but in the USB firmware there could also be a virus that cannot be cleaned. Or the firmware could also connect as a keyboard and issue commands, or include a wireless wifi hub with no password required, or just pull data from the computer and broadcast it indiscriminately.
There are also reports of many devices with backdoors, extra hardware added by countries after things are shipped from companies either from within the country or as it passes through.
Malware can be firmware now.
A story we have been following is a German steel works where someone took control of the computers away from the staff and it caused the smelter to be completely damaged. They lost control of the computer and they were unable to shut down the smelter in a safe way. I just imagine that it just kept getting hotter and hotter until something broke and a flood of molten metal swept through the building. I still want to see pictures.
Then there are some notorious hacks. Sony has been hacked a number of times (you would think they would learn) and we can learn a few things from them. (Sorry Sony, but I have to.)
From the LulzSec hacks we learned that a widely distributed company has so many different divisions that they can't keep track of them all, so when LulzSec found a Sony network with no firewall they just couldn't resist. Yes, one of the ways they got into PS Network was through credentials they got from a completely unprotected network. When the doors are thrown open and everything shared (they had Windows shares with no security and rights set to everyone read) is that really a hack, or is it authorized access when the access rights are everyone read? Yes, honest people would not have gone in, but all firewalls are for now is keeping honest people honest. We all know that most "honest" people will still pick up the money dropped on the sidewalk. But I digress...
What we have learned from the latest Sony Pictures hack is that even if you are doing most or all of the things you should do you can and probably will get compromised, so you had better have a recovery plan in place. Sony Pictures scrambled to recover and even operate after their network was "burnt to the ground" and this is a new level. What is built into your network and procedures and culture to allow you to rebuild after everything is wiped clean? And if you have manufacturing or other processes, what if your equipment is damaged or out of control?
Target showed us that you must segregate your networks. Don't put your must protect stuff on the same network as your general business network and certainly not on a network that external contractors/suppliers can get to.

All of these things have happened, the ways we protect things cannot possibly take all of them into account. Motherhood processes like patching have been turned against us. Air gaps don't even work so just keeping the system off of the network is not enough and may even be setting you up for a bigger crash.
Anti-virus hasn't worked for years; the new malware changes by the hour sometimes and signature files can't keep up. It does however allow us to stop all of the older versions of things, so we still need to use it, but don't rely on it.
Firewalls help keep out the LulzSec types and Anonymous, mostly. But they are useless in the face of social engineering and drive-by downloads.
A lot of people would say that most/all of the attacks above involved Windows (and they did), but switching to Linux or Mac would also switch the malware there once everyone switches. Still, having a fair number of Linux systems on a network will make it more resilient.
Intrusion detection should work, but none of the big attacks were ever caught by it until after the fact. IDS can't stop the Windows Update attacks or any other new and evolving attack as they are again rule and/or signature based.
There is no magic bullet for Cyber Security. There is only doing the things we all must do, perimeter protection, segregation, AV, patching, IDS (including honeypots and other diversionary tactics), running a firewall on every system, educating your users, vigilance and being prepared for when you will eventually be compromised.
Defense in depth and vigilance and be safe out there.