Assimilation over Evolution, you will be Assimilated! This is my journey from human to Borg and you are invited along for the ride.


Saturday, January 10, 2015

Another rambling about malware, some history and impact

In the history of the personal computer there have been instances of malware that were notorious firsts, with effects and compromises we thought would never happen. It started with the first viruses that spread from system to system by attaching themselves to other programs. The early viruses were clunky and easy to spot and remove; most of them just did things like take over your screen and make noises.
It didn't take long for them to start causing damage, deleting files or wiping hard drives. AV programs were new and quickly became popular. And then viruses were no longer just terminate-and-stay-resident programs copying themselves from system to system, they became stealthy. They started to hide in places like the MBR of a hard drive, starting themselves before the OS did (the boot-sector ancestors of the rootkit), and they became polymorphic, modifying their own code to change their signature and stay one step ahead of the AV and OS companies.
Rootkits started out on Unix, but some of the first for Windows were for Windows NT, the aptly named NTRootkit for instance.
Then malware started to spread by attaching itself to documents, and macro viruses were born. These were macros, not "real" programs, but the damage was just as severe, and with email they spread faster and further than anything before them. Melissa (1999) was a Word macro virus; the Love Bug (ILOVEYOU, 2000) that followed it was a VBScript attachment that mailed itself to everyone in the victim's address book, and it is thought to have caused around $10 billion in damage before it was finally contained.
For a while malware got boring. Not a lot of new stuff happened until we got word of a virus that put itself into the BIOS. We thought the BIOS was safe; flashing a BIOS was an arduous process you had to be very careful with, and if you messed it up you bricked your computer. But a virus was found in China where, after the owners detected it and cleaned the hard drive, it came back; they replaced the hard drive and it came back again. Finally they checked the BIOS and there it was. Apparently it was a competitor that knew what brand and model of computer the victim company used and built a virus to damage them for competitive advantage.
Next, Stuxnet. It did a few things we thought no one could do. It was the first notorious air-gap-jumping virus. With the information published since, we can say it did this by first infecting the contractors who serviced the target plant: it spread on USB drives (through a flaw in how Windows handled shortcut files) and inside Siemens Step7 project files, so a supplier's laptop or thumb drive carried it across the gap. The attackers found a hole, a supplier that had privileged access, and used that supplier to get onto the air-gapped network. And the covert channels demonstrated by researchers in the last year (acoustic and radio signalling from an infected machine) mean that once an air gap is breached, updating the malware or getting data back out is no longer impossible.
Malware then morphed into distributed computing to birth the botnet: thousands to millions of infected computers all taking orders from a central set of command and control servers to send spam, run distributed denial of service (DDoS) attacks and spread themselves even further. The bane of Windows XP and Windows Server.
The same family of malware as Stuxnet produced some other firsts: the first time an industrial control system was attacked on that scale, and, in Flame, a spoofed Windows Update. Flame carried code signed with a forged Microsoft certificate (obtained through an MD5 collision against a Microsoft Terminal Services licensing certificate) and impersonated the Windows Update server on the local network, so the malware looked like a legitimate patch arriving through the OS update system. Flame and Duqu were used not just to take information from computers but to gather information about the surroundings and the people around those computers: they recorded audio through the microphone, took screenshots and keystrokes, and used Bluetooth to find nearby devices. There has been speculation that the data was used to target Iranian politicians and scientists for assassination.
New malware appears all the time, but for years a "real" virus, a binary rather than a script that passes itself from machine to machine by infecting programs and replicates itself into other programs, has been rare. It is also rare for a virus to attack more than one operating system, but last year one was detected that, while small in infection size and looking to me like a trial run, infected Windows and Linux and reportedly Mac, all of which run on the same CPU family (though each has its own executable format the virus had to handle).
And then there are the hardware/malware attacks. When you plug a USB device into a computer, the device and the computer talk (enumeration) so the computer knows how to work with the device; the device simply declares what class of device it is, and the host takes its word for it. So any USB device can claim to be any type of device, or even more than one at the same time. One early instance did not even look like a USB device but like an iPod dock: it was a dock and a set of speakers, but it also carried malware and installed it on the iPod/iPhone. Any USB device can do this. You could have a keyboard with a USB memory component that carries malware, or a USB stick that looks like a regular stick: malware in its storage can be cleaned, but a virus in the controller firmware cannot be cleaned by reformatting (this is what the 2014 "BadUSB" research demonstrated on controllers with reprogrammable firmware). That firmware could also enumerate as a keyboard and type commands, present a wireless network interface with no password required, or just pull data from the computer and broadcast it indiscriminately.
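The check a practitioner wants after reading that is an inventory of what each plugged-in device actually declares. The script below is an added example, not code from this blog or from the BadUSB researchers: it parses `lsusb -v` style output (the `Bus ... Device ...: ID vvvv:pppp` header and the `bInterfaceClass` / `bInterfaceProtocol` fields) and flags any device that presents Mass Storage together with a HID (keyboard) interface or with a network/wireless interface, the two role mixes the paragraph describes. The vendor/product IDs and the descriptor text are constructed for the example, not a real capture.

```python
"""Audit `lsusb -v` output for USB devices whose declared interfaces mix roles
(a "flash drive" that also enumerates as a keyboard or a network adapter).
Added example; the sample descriptor text below is constructed, not a capture."""
import re
import sys

# USB interface class codes (USB-IF class code list); lsusb prints them in decimal.
CLASS_CDC = 2            # Communications (e.g. Ethernet control model)
CLASS_HID = 3            # Human Interface Device: keyboards, mice
CLASS_MASS_STORAGE = 8
CLASS_CDC_DATA = 10
CLASS_WIRELESS = 224     # 0xE0, wireless controllers such as Bluetooth radios
NETWORK_CLASSES = {CLASS_CDC, CLASS_CDC_DATA, CLASS_WIRELESS}
HID_PROTOCOL_KEYBOARD = 1

# Line shapes in `lsusb -v`: one header per device, then descriptor fields.
DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")
IFACE_CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")
IFACE_PROTO_RE = re.compile(r"^\s*bInterfaceProtocol\s+(\d+)")

# Constructed sample: a plain stick, a stick that is also a keyboard, a real
# keyboard, and a stick that is also a Bluetooth radio. IDs are made up.
SAMPLE_LSUSB = """\
Bus 001 Device 003: ID 1234:0001 Example Corp Plain Flash Drive
Device Descriptor:
  bDeviceClass            0
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 004: ID 1234:0002 Example Corp Flash Drive
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 002 Device 002: ID 1234:0003 Example Corp Keyboard
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
Bus 002 Device 005: ID 1234:0004 Example Corp Flash Drive
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass       224 Wireless
      bInterfaceProtocol      1 Bluetooth
"""


def parse_lsusb(text):
    """Return a list of devices, each with the interface classes it declares."""
    devices, current = [], None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = {"id": f"{m.group(3)}:{m.group(4)}".lower(),
                       "name": m.group(5).strip(), "interfaces": []}
            devices.append(current)
            continue
        if current is None:
            continue
        m = IFACE_CLASS_RE.match(line)
        if m:
            current["interfaces"].append({"class": int(m.group(1)), "protocol": None})
            continue
        m = IFACE_PROTO_RE.match(line)
        if m and current["interfaces"]:
            current["interfaces"][-1]["protocol"] = int(m.group(1))
    return devices


def suspicious_reasons(device):
    """Heuristic: flag role mixes that a plain storage stick never needs."""
    ifaces = device["interfaces"]
    classes = {i["class"] for i in ifaces}
    reasons = []
    if CLASS_MASS_STORAGE in classes and CLASS_HID in classes:
        types_keys = any(i["class"] == CLASS_HID and i["protocol"] == HID_PROTOCOL_KEYBOARD
                         for i in ifaces)
        reasons.append("storage device also presents a HID interface"
                       + (" that can type as a keyboard" if types_keys else ""))
    if CLASS_MASS_STORAGE in classes and classes & NETWORK_CLASSES:
        reasons.append("storage device also presents a network or wireless interface")
    return reasons


def audit_lsusb(text):
    """Map 'vvvv:pppp' -> reasons, for devices worth pulling and inspecting."""
    return {d["id"]: r for d in parse_lsusb(text) if (r := suspicious_reasons(d))}


if __name__ == "__main__":
    # Real use on Linux:  lsusb -v 2>/dev/null | python3 usb_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSUSB
    for dev_id, reasons in audit_lsusb(text).items():
        print(f"{dev_id}: " + "; ".join(reasons))
```

Two caveats. The audit only sees what the device declares right now; reprogrammed firmware can enumerate as plain storage and only add the keyboard interface later, or on the next plug-in, so a one-time inventory is not a control. The control is a whitelist enforced at attach time (USBGuard on Linux does this by device ID and declared interfaces) and a rule that unknown devices never get plugged into sensitive hosts. Also expect legitimate composite devices (a keyboard with a built-in card reader) to trip the heuristic; that is fine, the point is that such a device gets pulled and inspected rather than trusted on sight.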
There are also reports of devices being backdoored in transit, with extra hardware added after they ship from the manufacturer, either inside the destination country or as the package passes through another one.
Malware can be firmware now.
A story we have been following is a German steel mill where attackers took control of the plant computers away from the staff and a blast furnace was massively damaged. According to the German BSI's report, the attackers got into the office network through spear-phishing and worked their way from there into the production network; the staff lost control of the systems and were unable to shut the furnace down in a controlled way. I just imagine it kept getting hotter and hotter until something broke and a flood of molten metal swept through the building. I still want to see pictures.
Then there are some notorious hacks. Sony has been hacked a number of times (you would think they would learn) and we can learn a few things from them. (Sorry Sony, but I have to.)
From the LulzSec hacks we learned that a widely distributed company has so many divisions that it can't keep track of them all, so when LulzSec found a Sony network with no firewall they just couldn't resist. One of the ways into the PlayStation Network was reportedly through credentials harvested from a completely unprotected network. When the doors are thrown open and everything is shared (they had Windows shares with no security and rights set to Everyone: Read), is that really a hack, or is it authorized access when the access rights are Everyone: Read? Honest people would not have gone in, but all a firewall does these days is keep honest people honest, and we all know that most "honest" people will still pick up the money dropped on the sidewalk. But I digress...
What we learned from the latest Sony Pictures hack is that even if you are doing most or all of the things you should do, you can and probably will get compromised, so you had better have a recovery plan in place. Sony Pictures scrambled to recover, and even to operate, after their network was "burnt to the ground", and that is a new level. What is built into your network, your procedures and your culture to let you rebuild after everything is wiped clean? And if you have manufacturing or other physical processes, what if your equipment is damaged or out of control?
Target showed us that you must segregate your networks. Don't put your must-protect systems on the same network as your general business network, and certainly not on a network that external contractors/suppliers can reach: Target's attackers got in with credentials stolen from an HVAC vendor and walked from there to the point-of-sale systems.

All of these things have happened, and the ways we protect things cannot possibly take all of them into account. Motherhood-and-apple-pie processes like patching have been turned against us. Air gaps can be bridged, so just keeping a system off the network is not enough, and may even be setting you up for a bigger crash, because an isolated system is the one nobody patches or watches.
Anti-virus hasn't worked on its own for years; new malware sometimes changes by the hour and signature files can't keep up. It does still stop all the older versions of things, so we still need to use it, but don't rely on it.
Firewalls help keep out the LulzSec and Anonymous types, mostly. But they are useless in the face of social engineering and drive-by downloads, which come in over connections the firewall already allows.
A lot of people would say that most or all of the attacks above involved Windows (and they did), but if everyone switched to Linux or Mac the malware would switch with them. Having a fair number of Linux systems on a network does make it more resilient, because a single piece of malware rarely runs on both.
Intrusion detection should work, but none of the big attacks were caught by it until after the fact. IDS can't stop the Windows Update attack or any other new and evolving attack, because it is again rule- and/or signature-based.
There is no magic bullet for cyber security. There is only doing the things we all must do: perimeter protection, segregation, AV, patching, IDS (including honeypots and other diversionary tactics), running a firewall on every system, educating your users, vigilance, and being prepared for when you will eventually be compromised.
Defense in depth and vigilance, and be safe out there.
