I do cyber security research, lately more than ever. Like most companies, we have seen an uptick in attacks lately, some because of recently published bugs, others because cyber is both big business and, sadly, seems to be what governments all over are doing.
It's an open secret that everyone is hacking everyone in terms of spying and trying to get or keep the upper hand in trade. While I am not involved in that I see it all the time. Typically when someone gets attacked it is some user or contractor or supplier that opens the door to the wrong email or link or attachment. We say we have to teach the users and we do.
But then a user clicks the wrong thing and people start pointing fingers. "Why did you do that?", implying the user is an idiot or something. Anyone who knows me knows I do not advocate blaming users. They just want to do their jobs and get work done. Sometimes they have to sit down and read email or whatever, and most of the time, 99.9999% of the time (completely made up, but you know what I mean), they don't click the link and they trash the phishing emails. But the one time in thousands of emails that they slip up, they get pointed to as 'the guy'.
It's not fair or even helpful to blame them, so we have to stop it. The blame rests only on the people doing the attack: not the user who clicked the link, not the researcher who found the flaw in your program or product, not the people who wrote the software or the OS (sorry, no Microsoft jokes today), but the guy who made the attack and the people who back him.
Yes, all of those people, the users, programmers, cyber techs and systems admins, do have a role to play in making the attacker's life harder, but it's the attackers who hold 100% of the blame.
I write software. I want the software to just work for users and not be a pain to use, pleasant even, but I also have to consider the security issues, and I wish I didn't have to, but I do. It makes programming slower and it makes software slower. I can't see us getting out of this. I do see that we need to make our defenses stronger, always practice defense in depth, segregate our networks, and use decoys, honeypots and tarpits a lot more.
With world events and history as our guide I don't see any of the governments (all of the governments) ever being brave enough to admit they have been doing this, or forward-thinking enough to use that admission to pressure others to do the same and get started breaking the cycle. The current thinking seems to be that we have to do it because everyone else is.
With the current trend of breaking into industrial control systems, SCADA or otherwise, at some point someone will get into the wrong thing. Something big and dangerous that should never have been connected anyway, but it was easier to do it this way, you know how it is. And once connected they will experiment with it, and something goes horribly wrong and people get killed or worse. At that point it becomes a physical attack, and then what happens?
None of us want this to happen but it will.
In the meantime we all hear the talking heads. The head of some US agency telling people that there are two types of big businesses in the US (and I suspect in every country): "the ones who have been hacked by China, and the ones who don't know they have been hacked by China". In Canada the bogeyman, rightly or wrongly, is Russia at the moment, with people all talking of "Sandworm." And yet there is evidence that the malware being used is attacking everyone, Russia included, and maybe as the top target. Whoever it is seems to be attacking Ukraine as well, so I really don't see who would attack both sides in that conflict, except maybe newspapers or TV news.
If we believed everything in the news you would think the West was perfect, but as we saw in the leaks by Ed Snowden, the West, especially the Five Eyes group my own country is in, is just as bad if not worse. Probably not worse, but maybe.
I stand with the users, ordinary people and ordinary companies that just have a job to do and want to feed their kids, make the world a bit better, etc. We just want to be able to do our jobs, play a few games and be sociable. Maybe the governments of the world should all just go and make their own network (not the one we took from you) and leave the rest of us alone. Is it too much to ask?
Until then, invest in open source; it seems to be more secure and we can at least find the back doors. Turn on your firewall and change the default passwords (to keep the media out), put your must-be-secure stuff on its own network segment behind another (open source) firewall, not on the same segment that external entities can log into, and use a decoy/honeypot to confuse attackers.
Use VPNs internally between secure segments. Your switched network is just too easy to spoof, but a secure tunnel makes it that much harder for the attackers. Use two, and only use encrypted protocols on all of your servers all the time, mixing it up and using real certificates and passwords.
Crack your own user password database, and teach your users when to use secure passwords and when not to; otherwise you end up with password sticky notes everywhere.
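Here is what "crack your own password database" looks like in practice, as an added example that is not code from the original post. It assumes a hypothetical store of per-user salted PBKDF2-HMAC-SHA256 hashes, a made-up wordlist and five invented accounts. Against /etc/shadow or a domain dump you would hand the same job to John the Ripper or hashcat, but the logic is identical: mangle a wordlist, hash each guess with the user's salt, compare, and report reuse between accounts as its own finding.

```python
"""Offline audit of a password store against a wordlist with simple mangling rules.

Added example, not from the original post. The store format (per-user salt,
PBKDF2-HMAC-SHA256), the iteration count, the wordlist and the accounts are all
assumptions made up for the demonstration.
"""
import hashlib
import hmac
import os
from itertools import product

ITERATIONS = 1_000           # deliberately low so the example runs in well under a second
WORDLIST = ["password", "welcome", "summer", "letmein", "ottawa"]   # constructed


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The same derivation the (hypothetical) directory uses to store a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(user: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample store; none of these are real accounts.
STORE = [
    make_record("alice", "Summer2014!"),
    make_record("bob", "password1"),
    make_record("carol", "ottawa"),
    make_record("dave", "correct horse battery staple"),
    make_record("erin", "Summer2014!"),      # same password as alice: reuse finding
]


def candidates(word: str):
    """Yield mangled variants of a base word: case changes plus digit, year and symbol suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "2013", "2014", "!", "2014!"]
    for base, suffix in product(bases, suffixes):
        yield base + suffix


def audit(store, wordlist, iterations: int = ITERATIONS) -> dict:
    """Return {user: plaintext} for every account whose stored hash matches a candidate.

    Each guess is hashed with the account's own salt, which is why a per-user salt
    slows an auditor (and an attacker) down: no precomputed table applies.
    """
    cracked = {}
    guesses = [c for w in wordlist for c in candidates(w)]
    for rec in store:
        for guess in guesses:
            digest = hash_password(guess, rec["salt"], iterations)
            if hmac.compare_digest(digest, rec["hash"]):
                cracked[rec["user"]] = guess
                break
    return cracked


def shared_passwords(cracked: dict) -> dict:
    """Group cracked accounts by plaintext; one password on two accounts is a separate finding."""
    by_pw = {}
    for user, pw in cracked.items():
        by_pw.setdefault(pw, []).append(user)
    return {pw: sorted(users) for pw, users in by_pw.items() if len(users) > 1}


if __name__ == "__main__":
    result = audit(STORE, WORDLIST)
    # Report only who fell, not the plaintexts: the plaintexts go to the user, not a log.
    print("weak passwords:", sorted(result))
    print("reused passwords:", {k: v for k, v in shared_passwords(result).items()})
```

Note that the audit hands back plaintexts only so the test can check them; a real run should record who failed and force a reset, not keep the recovered passwords anywhere.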
Educate your users but quit blaming them, let them work.
All of that stuff you put in place to better control your users' use of your company computers is making it easier for you to be attacked. Diversity is strength, both in people and in computers. You can still use Windows if you want (as long as you turn on the firewall), but embrace Mac and Linux and everything else. A diverse network confuses hackers to no end.
Learn what your attackers know. Personally learn it. It's way too easy to learn about your company online without alerting you to the fact that you are being stalked. (That also goes for the attackers; they are not as smart as they think they are, and neither am I, apparently. It's amazing how most of the views on my various accounts have swung to mostly Russia lately; they topped the Chinese this month. What I get for baiting them online, I guess. Hi guys.)
Use the tools they use. Set up a test network in your office (even the CIO should try this once) and hack the hell out of it. Populate it with computers running your chosen company OS and software, then search for exploits. (I use a virtual network populated with virtual machines behind a virtual firewall/router VM, and I update it all the time. On there I have a virtual machine running Kali Linux, I have added some newer tools for PLCs and SNMP, and one of my virtual machines is a virtual PLC with virtual sensors.)
If you have time, try fuzzing your network and then start reverse engineering the malware that has worked against your company. I am sure you have something somewhere that was compromised. Hack the software the hackers used to hack you. It will teach you. There are many good tools for reverse engineering code. Be careful: hacker code is obfuscated and poorly written for the most part. It can make your brain hurt to see some of the coding used. Also, don't believe everything you read. If it includes a language, for instance, that language is used in a lot more than one place in the world. Russian does not mean Russia any more than English means England. IP addresses do lie, just like the cake.
Do all of this and you give yourself a better chance, but don't stop; security is a journey, not a destination.
You, dear reader, have most likely already been hacked or compromised in some way or another. If you don't think you have, look harder. If you have, look for more. Stopping the attackers from getting in is one thing; stopping them from getting out is the other.
I love fake data: something that looks real but, if used, will not work. Fake systems (honeypots), false leads, and watching for that false information to show up somewhere have to be part of the deal. Finding the error in your false lead out there in the wild allows you to connect the dots. There was a company that released its own fake version of a game for people to pirate. When people started asking questions about the error message that only showed up in the pirated version, it was funny. Do the same to malware users. It's satisfying.
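Fake data that you can later prove is yours, as an added example that is not code from the original post. The trick the post describes (a false lead whose "error" identifies it when it surfaces) is done here with a keyed tag: each planted fake credential carries a random nonce and a truncated HMAC of that nonce under a key only you hold, so a string found in a dump is provably one of your canaries and the nonce tells you where it was planted. The `sk_live_` token shape, the key, the planting location and the "paste" are all made up for the demonstration.

```python
"""Canary credentials: look real, work nowhere, and can be recognised in the wild.

Added example, not from the original post. The token format, the HMAC key and the
sample dump are assumptions made up for the demonstration.
"""
import hashlib
import hmac
import re
import secrets

# Shape of the fake secret: 12 hex chars of nonce followed by 8 hex chars of tag.
TOKEN_RE = re.compile(r"\bsk_live_([0-9a-f]{12})([0-9a-f]{8})\b")


class CanaryRegistry:
    """Mint fake secrets, remember where each was left, and identify them later."""

    def __init__(self, key: bytes):
        self._key = key
        self._planted = {}          # nonce -> human description of the planting spot

    def _tag(self, nonce: str) -> str:
        # Truncated HMAC: cheap to check, infeasible to forge without the key.
        return hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()[:8]

    def plant(self, location: str) -> str:
        """Create a new canary and record where it is being left."""
        nonce = secrets.token_hex(6)                 # 12 hex characters
        self._planted[nonce] = location
        return f"sk_live_{nonce}{self._tag(nonce)}"

    def identify(self, token: str):
        """Return the planting location if `token` is one of ours, else None.

        A lookalike with the right shape but a wrong tag is rejected, so random
        strings in a dump do not raise alerts.
        """
        m = TOKEN_RE.fullmatch(token)
        if not m:
            return None
        nonce, tag = m.groups()
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return None
        return self._planted.get(nonce)

    def scan(self, text: str):
        """Find every candidate token in `text` and report the ones that are ours."""
        hits = []
        for m in TOKEN_RE.finditer(text):
            location = self.identify(m.group(0))
            if location is not None:
                hits.append((m.group(0), location))
        return hits


def demo():
    """Plant one canary, then scan a constructed dump containing it, a lookalike and noise."""
    reg = CanaryRegistry(key=b"assumed-secret-key-keep-this-offline")
    real = reg.plant("HR file share, passwords.xlsx")
    lookalike = "sk_live_" + "1234567890ab" + "deadbeef"     # right shape, wrong tag
    paste = "\n".join([
        "dumped from victim, enjoy",        # constructed sample text
        f"API_KEY={real}",
        f"OLD_KEY={lookalike}",
        "db_pass=hunter2",
    ])
    return reg.scan(paste)


if __name__ == "__main__":
    for token, where in demo():
        print(f"canary {token} surfaced; it was planted in: {where}")
```

Because the tag is keyed, anyone who sees a few canaries cannot mint plausible new ones or tell them apart from real keys, and because nothing on the back end accepts the token, using it does nothing except tell you which file share or mailbox was read.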
Look at me go on, sorry. But there you have it, my advice today on what to do to be secure: basically, open source, diversity, and go hack yourself. Have fun.
Assimilation over Evolution, you will be Assimilated!
This is my journey from human to Borg and you are invited along for the ride.
Sunday, November 09, 2014
Sunday, October 05, 2014
The Cyber Security Mess, a primer
Headlines across the planet are decrying the state of cyber security: major companies being compromised, from the largest banks to retail chains to government departments to ordinary people. Even police and security companies have been made targets, infiltrated and had data taken. There have even been estimates that, of companies with over 3000 computers, 80% are currently being actively attacked and are compromised, and that of that 80% only 20% are aware of it.
The average time between a company being compromised and discovering it is three months. Most find out from a third party telling them they found data that had been extracted and put up for sale on the dark side of the Internet.
If your company thinks it has never been compromised, then you probably are right now and don't realize it.
The attackers are varied and have many different motives and targets. There are the cyber criminals, only in it for the money; the state actors, the US, China and every other country, including the ones who deny it; the hacktivists, politically or freedom motivated, who hack to bring their cause and the freedom of the web to everyone; and then the "script kiddies", who hack because they can and for the "lulz".
The current situation is bad, very bad. The criminals have so much information they can't use it all. The governments of the world are hoarding data in huge data warehouses with millions of square feet of server space and can't process it all. Law enforcement cannot keep up with the number of hacks happening. So they go after the low-hanging fruit, the easy-to-catch script kiddies, with the hope of deterring the other actors by giving the ones they catch sentences so long they don't fit the crime committed.
How did we get to this point? How does this happen and happen and happen, and yet no-one seems to be able to stop it?
The leading way to break into a network is to get someone else to do it for you. This can be by getting an insider to download malware through social engineering, or a watering hole attack, or by finding an outside company that has access to the target company but is less secure. Once inside, attackers have it easy, since most companies don't properly segregate their networks into zones with access controls between them. Yes, segregation makes getting at data harder, especially for the attackers.
It's not expensive. Most of the tools out there to make a network secure are either open source or based on open source tools in some way. Open source means free, and as a bonus you get the source code, so you can, if you know how and want to, verify that the software does what it says and has no back doors. The extra bonus is that you can make it better and give back to the open source project. If you come to rely on them, a donation to keep them going is appreciated.
So what do you need to have? I thought everyone knew you needed a good firewall at the perimeter of your network: a single entry point that only lets through the traffic you have explicitly allowed. It stops random entry into your network. Add to that a VPN (Virtual Private Network) so your staff who are not inside your firewall can get in securely. Then filter all outgoing traffic, to stop people from going to places where they can bring malware back in and to make it harder for anything already inside to call home.
If you have any external entity accessing your network, they must be segregated from the rest of your network. Your HVAC contractor doesn't need to be on the same network segment as your employee records, your client records or your point of sale network. These sensitive data networks should also be segregated from your run-of-the-mill data network and, if possible, from each other. If one part of your network is compromised, make sure it isn't the important part.
Next, anti-virus, just to stop the threats we already know about. Anti-virus/anti-malware software works by knowing what known malware looks like and, if it finds that signature, blocking and removing it. But what about the stuff we don't know about? Intrusion detection works by analysing traffic patterns. If something abnormal is happening, someone gets alerted and checks it out. Other forms of intrusion detection include honeypots and tarpits. These are computers on your network that sit there doing no real work but being tempting targets for malware. Nothing legitimate should ever talk to them, so any activity they see is likely someone trying to break in. You get an alert and go see what the attacker is trying to do. There are public honeypots at honeynet.org and they have a lot of info.
If your company is industrial, with computers running machines, there are honeypots for that too. Put one up where you think attackers might be looking and see if they are. Try Conpot, from the Honeynet Project (honeynet.org).
You also need to educate your users and continuously refresh their skills. Against social engineering your users are either your weakest link or your line of defense. If you don't teach them they won't be very defensive.
Another problem we seem to have in almost every computer network is that, to make things simple for IT, we make every computer on the network exactly the same, with the exact same software and access controls. It sure makes things easy for IT, and for the hackers. Your IT staff are a smart but lazy bunch who like to script everything. So are hackers, and your 'make it easy for IT' policy is also making it easy for them. Networks with lots of different computers, heterogeneity, break most hackers' tools. Malware that expects everything to be exactly the same breaks down when presented with many different systems, all set up with different software and the software not always in the same places. A network full of carbon copy systems is a hacker's playground.
So there you go: make sure you have the minimum defenses in place at least, firewalls, antivirus and intrusion detection, with someone monitoring them 24/7. Use segmentation, a VPN, honeypots, heterogeneity and education to keep your network safe.
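The outbound side of all this, "stopping them from getting out" from the earlier post and the anomaly-based intrusion detection and outgoing-traffic filtering described above, as an added example that is not code from the original post. It runs over a few constructed connection log lines (the `ts src= dst= dport= bytes=` format, the 10.1.2.x hosts and the TEST-NET destinations are all assumptions) and shows two checks a firewall or flow collector can feed: an egress allowlist, and a beacon detector that flags a host calling the same outside address on a suspiciously regular schedule, which is how most implants check in for orders.

```python
"""Spotting malware that is already inside by watching what leaves the network.

Added example, not from the original post. The log format, hosts and
destinations are constructed for the demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")

# Constructed sample: 10.1.2.3 beacons every ~5 minutes, 10.1.2.4 browses in
# bursts like a person, 10.1.2.5 makes one odd connection, and one line is garbled.
SAMPLE_LOG = [
    "2014-10-05T10:00:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=512",
    "2014-10-05T10:00:10 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=9031",
    "2014-10-05T10:00:45 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=120",
    "2014-10-05T10:03:12 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=40211",
    "2014-10-05T10:05:02 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=514",
    "2014-10-05T10:09:58 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=510",
    "2014-10-05T10:11:40 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=77",
    "2014-10-05T10:12:03 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=6502",
    "2014-10-05T10:15:01 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=512",
    "this line was truncated by the syslog relay",
    "2014-10-05T10:20:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=513",
    "2014-10-05T10:22:30 src=10.1.2.5 dst=192.0.2.9 dport=8080 bytes=2048",
    "2014-10-05T10:24:59 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=511",
    "2014-10-05T10:30:00 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=15000",
    "2014-10-05T10:30:03 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=512",
    "2014-10-05T10:31:15 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=301",
]


def parse(lines):
    """Return (timestamp, src, dst, dport, bytes) tuples; lines that don't parse are
    skipped rather than fatal, since a detector that dies on one bad line is worse than none."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return events


def unapproved_egress(events, allowed_dsts):
    """Egress allowlist: every (src, dst, dport) talking to a destination that is not approved."""
    return {(src, dst, dport) for _, src, dst, dport, _ in events if dst not in allowed_dsts}


def find_beacons(events, min_hits=6, max_jitter=0.1):
    """Flag (src, dst, dport) pairs seen at least min_hits times whose inter-arrival gaps
    are nearly constant (std dev / mean <= max_jitter). People browse in bursts;
    implants poll on a timer."""
    stamps = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        stamps[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport, "hits": len(times),
                             "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in find_beacons(evs):
        print("possible beacon:", f)
    for flow in sorted(unapproved_egress(evs, allowed_dsts={"198.51.100.20"})):
        print("egress not on allowlist:", flow)
```

On the sample, the 10.1.2.3 to 203.0.113.7 flow comes out with a period of about 300 seconds and under 1% jitter, which is the signature worth an alert; the browsing host has the same number of connections but gaps all over the place. The allowlist check is the cheap complement: if the list of approved outside destinations is short, anything not on it is worth a look regardless of timing.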
Monday, January 20, 2014
Linux is the most secure, so why are you not using it?
Last week the UK government released a study in which they tested all of the OSes used within their networks and found that Ubuntu 12.04 LTS was the most secure.
See the article in TechRepublic or the summary at Ubuntu (PDF).
They did 12 tests, rather comprehensive, fair, impartial and independent of the OS makers. Ubuntu passed 9 of the tests, with no significant risks from the 3 it failed. Those 3 were mostly failed because the item had yet to be independently reviewed. Expect Ubuntu 14 to pass at least 2 of those by April.
Windows only passed 8, the same as Mac OS, and both had significant risks in at least 1 of the tests they failed.
Now, on Friday I had this system I am working on; we did a backup and had to restore. The backup was from before we made an account for me, so after the restore I had to create an account for myself on a system where there is no root login (Ubuntu doesn't let you log in as root in the default configuration; to compromise it you have to compromise a user account and then the root account), but through the magic of being at the terminal I created my own account.
This made some of the people watching comment that if it was so easy, then why do they say Linux is secure? Because if you have physical access to the system it is easy to get into all of them; most have the access built in (Windows recovery mode, for instance).
You can make Linux not let you in via recovery/single-user mode, but then just boot a live CD and edit the password and shadow files, or on Windows boot a live CD and hack the registry with a Linux-based Windows registry editor (unless the disk is encrypted, which is the real defence against someone sitting at your machine).
Mac is probably the same as Linux, as it is BSD-based.
Nothing is ever 100% secure but for what we can do Linux is the most secure OS out there. Period, full stop.
OK, so there is a lot of inertia in using Windows. People are used to it; they have programs they are used to using in Windows. Office apparently is a stumbling block, although when people tell me LibreOffice won't do something I can usually find a way to do it easily.
Other people say games: PC games need Windows, don't they? Well, not since Steam went Linux.
So I wonder what excuse people will come up with next, it's too different from Windows? Well so is Windows 8.
There's no excuse now, just switch and be more secure.
Thursday, January 09, 2014
Hand Sanitizers
Hand sanitizer gel seems like a good idea: use it every time you might have gotten your hands onto a surface where viruses and bacteria might be. Unless you actually read the directions and the literature.
Hand sanitizer is supposed to be used if soap and water is not available. It's not a substitute for soap and water but a fallback only if soap and water is not available.
If you work in the food industry you aren't even supposed to use it, only soap and water, both Canadian and American guidelines state this.
It has also been shown in various studies that too much use of things like sanitizers leave children not exposed to enough bacteria and viruses to form proper immunity. Yeah kids need to get a bit dirty to grow up healthy. (link)
For me it is also a trigger for my lung condition and hurts almost as much as hot tar fumes and perfumes.
If you insist on using it, please don't use it near me or anyone with lung conditions like asthma.
Monday, January 06, 2014
Watch out for the Polar Vortex (or not)
This blog is turning into the "debunk what people are mis-calling things" blog (or something like that...)
The current cold snap coming to most of North America (except Manitoba, which is always this cold...) has been described by not just a few as the polar vortex. Which is partly true but mostly just wrong.
Some people, even in the weather community, have been saying that this is caused by the polar vortex, and while it is involved, it's not a vortex of cold air screaming southward like a tornado as some people seem to think.
Our world spins and has two poles. The south one has mountains and glaciers, so the winds don't form as much at the pole itself but as a ring of storms and wind off the edge of Antarctica, as well as a tight polar vortex.
The north pole has just ocean, aptly named the Arctic Ocean, where the winds form a tighter circle around the pole. This is the northern polar vortex; it keeps the coldest arctic air bottled up at the pole. While it is stable it just whips around the pole because of the spin of the earth, sort of, plus some other stuff like heat transfer from the south. Every once in a while every spinning thing breaks down. An interference wave caused by the land masses around the pole, Greenland for instance, and the weather there, causes the breakdown, and this is what happened here: the vortex broke, letting the cold air contained within spill out.
When this happens the resulting southward moving air blasts through the warmer air and disrupts all kinds of things and can form into little low pressure vortex storms like what has hit the US east coast. These are not the polar vortex but the air that was once contained by the polar vortex. While they go south warm air has to replace it at the pole (warmer, not really all that warm) and then the next polar vortex forms and that air gets cold and eventually it all happens again.
Sunday, January 05, 2014
Ice Quakes (Badly named)
Lots of news about ice quakes lately but what are they you ask?
When it gets cold, the water in the top layers of ground freezes. Typically in Ontario this is the top 2 or 3 feet of soil. This is why you have to put posts, concrete footings and the like down 3 feet or so (depending on your local municipality's rules and codes).
When it gets really cold after a wet spell this water freezes fast, and water expands when it freezes. The resulting expansion of the soil causes it to buckle and heave, causing the "quakes."
They are generally very localized, and multiple reports from an area will be for multiple ice quakes, which are too small and, being only in the top 3 feet of soil, won't affect much of an area. On a lake the cracks can be miles long, but in soil the variability of the soil tends to make them shorter, and while they can be noisy if right beside your house, they are generally harmless.
The scientific name for the phenomenon is cryoseism; they are also called frost quakes.
This has nothing to do with earthquakes, as those are in the rock and not the soil. Earthquakes are caused by the bedrock or lower rock layers moving or buckling due to plate tectonics (generally, but that's another post for later).
Freezing the surface layer of soil does not affect earthquakes, nor do earthquakes generally affect ice quakes, as they do not have a common factor in their cause.
What would be cool would be any one who has pictures of the results of an ice quake near them to post the images to Google plus and link them in the comments.