Wednesday, January 28, 2009

Bring in the troops

In recent weeks, the Conficker virus has been causing a lot of havoc everywhere – account lockouts, network congestion and a lot of headaches. People running Symantec anti-virus software know the same virus as “Downadup”, and that’s not the first time a virus gets labeled differently by different companies. After all, there’s no single authority that investigates viruses, but that got me thinking – maybe it’s time we had one.

With things as they are now, it takes the anti-virus market some time to react to new viruses. Each AV vendor gets samples from its customers, analyzes them and issues signature updates to its product. Each vendor uses its own methodology to assign a priority, and as a result, some vendors take longer to react. In the Conficker case, for example, Symantec’s product is still unable to remove the infection today, almost 3 months since the virus’s first appearance. Even when an update is issued, it’s usually available only to customers of AV vendors, while users without AV software are stranded (we’ll discuss the stupidity of not having AV software on your computer another time).

When a new type of virus or disease appears in the real world, no one waits for Pfizer or Bayer to classify it and inform the public. In the USA, we have the Department of Health and Human Services and the CDC (Center for Disease Control), as well as other federal agencies like FEMA to help manage outbreaks. Since computer worms and viruses do have an economic impact, which could easily reach disastrous proportions (as in the case of worms such as MS Blaster, Code-Red and Sasser), I feel that this sort of thing should definitely be at least shared by the governments of the world. A Federal Malware Research Center could bring some order to this wild field, and have the necessary resources to inform the public of new threats and how to manage them.

And another thing, while we're at it... we should stop giving worms "cool" and distinctive names. Maybe if the latest virus were called "The Dumbass 1", virus writers would be a little less proud of themselves. Now seriously, a malware's name is not a big deal, but it's sad to say that the press today is still glorifying viruses, thereby encouraging low-self-esteemed jerks to write them. Writing a virus is stupid and detestable, and this message should be delivered clearly whenever the issue is discussed in the media - no discounts or exceptions.

Monday, January 19, 2009

Never take candy from strangers

Yesterday, my darling wife told me that she got a weird SMS about 9.99$ and she's not sure what it is. Turned out it was from some IQ-Test she took online on FaceBook. When she completed the test, she was asked for her phone, to which her score was sent, along with the message that she just subscribed to a 9.99$ a month service. Clearly, this is a scam, but my sweetheart never thought that something from such a reputable source like FaceBook could be harmful.

"This is exactly how the first nasty viruses/worms started to spread", I told her. A worm would harvest its victim's address book and send itself to everyone in it. The victim's poor friends and family members would think that this, coming from a friend or family member, must be legit, but of course, it wasn't. Later on, some worms got even cleverer, and spoofed the source address to be someone else from the list, so that the victims could not know which of their close ones was really the source of the infection.

Luckily, some people have learned to beware of wolves in sheep's clothing, and others are protected by more secure software that wouldn't let them open attachments, but the success of that "service" and others like it shows that apparently, many people still fall for that old trick. Well, if you or your close ones think that since FaceBook is a legitimate site, everything on it is too, think again. Pretty much anybody can upload data to FaceBook or write an app for it, and although the site has a lot of security features, it's far from secure. This specific application gives you an IQ test comprised of 10 questions (I won't waste your time explaining why such a test is closer to guessing your IQ than actually measuring it) and asks for your phone number. To that phone, it sends a confirmation code that you need to punch into the website, which then sends you an SMS with your so-called IQ. By entering the code, you are actually agreeing to be subscribed to a service that charges 10$ a month. Although this is written both on the website and in the SMS message, some people might miss that, or misunderstand it. Many wouldn't notice another 10$ charge on their cell service bill, and some people are making millions on those people's backs.

This type of story shows why information security is more about security than information. Although this is propagated by computers, it could just as easily be done via just the phone, through an interactive TV channel, and many other ways. Even if you don't like computers, or maybe ESPECIALLY if you don't like computers, this poses a real risk. Not only can you be billed, you can never know for sure where your info will end up. Maybe tomorrow you'll be flooded with 20 SMSs a day advertising the current Viagra or Rolex, or maybe become part of an identity theft operation. The most important lesson here is this: FaceBook is NOT your friend, and neither are MySpace or any other web service. Always assume the worst about an information source, even if you've used it for years and it was great otherwise. The bad guys, or "evil doers" as W likes to call them, are all around, and they will keep on finding new ways to separate us and our money. Just make sure it's not you, and I might also suggest educating your friends and loved ones too.

Monday, January 12, 2009

The human factor

Many companies base a significant part of their manpower on outsourced workers, and this is an effective way to conveniently manage human resources that has enabled financial efficiency in most cases. An aspect that many managers tend to forget is the issue of security. Are outsourced workers a source of danger to the company?

This post will anger many readers, I’m sure. After all, millions of people make an honest living as outsourced workers and many companies depend on them. However, the truth must be told, even if unpleasant. Outsourced workers could be a major security threat to the organization in many cases, and history records quite a few cases of serious damage suffered by companies that didn’t take the appropriate measures. No, I’m not saying outsourced workers are treacherous, bad or dangerous. In many cases it is exactly the opposite, because employees whose position is not as secure as a full-time employee’s will often outperform others to demonstrate their worthiness. However, the outsourcing model causes workers, especially in the maintenance field, to be exposed to certain risks.

One problem stems from the fact that outsourced workers usually make a lot less money than FTEs. The economic pressure makes these employees an easy target for industrial espionage. For example, a known case involved a cleaner who was offered a significant amount in return for a daily visit to the floor printers of his organization, collecting the printed matter that was left there by other employees. These print-outs are of random content, but frequently include sensitive material, such as email correspondence, financial reports, future-product info etc. Such a random collection could be extremely valuable to hostile parties, both for industrial espionage and infrastructure penetration. The sum that was offered to that employee was larger than his monthly salary, and you’d be hard-pressed to find people who make 2000$ a month and can resist such a temptation. For some of them, this is a unique opportunity to finally get out of debt.

Another problem is that managers often ignore outsourced workers when thinking about their employees, and these workers are often excluded from routine activities. Often they don’t receive email that is sent to other employees (if they even have an account), nor are they invited to events and lectures with the rest of the company. These employees might miss the company’s procedures about information security, simply because these were never given to them in an orderly fashion. This is less obvious for technical staff, but in the case of the cleaning crew, administration etc. – these people are usually with the company for short periods and often do not receive thorough guidance about the procedures and guidelines. An FTE, for example, is often assigned a mentor or “buddy” for a while, who helps him get acquainted and learn what is permissible and what is not. A cleaner or security guard, on the other hand, often finds himself alone, trying to distinguish right from wrong by randomly asking co-workers or guessing. Such an employee might think that using another’s computer for surfing the web is a reasonable thing to do, just as making a phone call from someone’s phone is legitimate and common. In most companies, a phone call costs money, but is not dangerous. Web surfing, on the other hand, could introduce spyware or a virus to the computer, and that is less pleasant.

It’s important to stress once again that the purpose of this is not to cast suspicion on all outsourced workers, but to stress their great importance to the “system”. This requires that they be treated as equals. Even a temporary and low-ranking worker must receive a detailed guide, including the nuances of working at the company, and stressing the aspects of information security and security policies. Besides clarifying the importance of protecting the company’s assets, such sharing of information could strengthen the bond between the employee and the employer, and reduce the temptation to cross the lines. Let’s not forget, by the way, that full-timers could cross the same lines, and there are many recorded incidents where even high-ranking officials succumbed to external pressure, or simply prepared a nest egg for a rainy day. This leads to one conclusion – there is no alternative to professional risk management procedures, which include identifying risk sources and plugging holes on a personal and systematic level.

Friday, January 2, 2009

Is it safe? Not if you're Jewish!

The fighting in Israel in the past days is having an impact on the cyber world as well. This time, two major Israeli sites - Ynet and Discount Bank - have been defaced.

When the fighting between Israel and this-or-that Arab faction breaks out, as happens once every few months, nationalist hackers from around the globe have an excuse to wage some cyber war. This time, a group of Moroccan hackers called "Team Evil" has mounted a successful attack against two major Israeli sites. The two sites are those of Discount Bank, one of Israel's largest banks, and the English version of YNet, Israel's 2nd largest web portal, operated by Yedioth Aharonot, Israel's largest daily newspaper.

The defacement shows some graphic images of dead terrorists, accompanied by anti-Israeli text. At first, this was thought to be a simple defacement, but it turns out the hackers actually brute-forced the passwords to the sites' accounts at the Israeli hosting provider and domain registrar DomainTheNet. This allowed the hackers to impersonate the account holders and modify the DNS records to point to another website, without ever actually penetrating the original website.

This sort of attack is much easier than cracking the original websites, which are very secure, but ironically, harder to resolve. DNS modifications take time to propagate throughout the world - as long as 48 hours - so it took quite a while until the hack got noticed. Once it was fixed, it again took a while to propagate, so currently quite a lot of users will still get the defaced page and might continue to be affected for over a day.
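Because the hijack described above changes the domain's delegation (NS) and address (A) records at the registrar rather than touching the site itself, the practical defence is to watch what the world's resolvers actually return for your domain and compare it against a known-good baseline. The script below is an added example by the editor, not code from the original post: it parses answer lines in the format dig prints (name, TTL, class, type, rdata), flags resolvers whose records differ from the baseline, and reports the largest TTL among the bad answers, which bounds how long caches can keep serving the hijacked records after the registrar account is cleaned up. All domain names, addresses and resolver answers in it are constructed.

```python
"""Detect registrar-level DNS hijacking (changed NS/A records) by comparing
answers from several resolvers against a known-good baseline.

Editor-added example; all domain names, addresses and resolver answers below
are constructed and do not refer to any real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


def parse_answers(text):
    """Parse answer lines in dig's format: '<name> <ttl> IN <type> <rdata>'."""
    records = set()
    for raw in text.strip().splitlines():
        line = raw.split(";")[0].strip()          # drop dig-style comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            raise ValueError(f"unparseable answer line: {raw!r}")
        name, ttl, _cls, rtype, *rdata = parts
        records.add(Record(name.lower(), rtype.upper(), " ".join(rdata), int(ttl)))
    return records


def _key(record):
    # TTL is excluded on purpose: caches legitimately count it down,
    # so a differing TTL alone is not evidence of tampering.
    return (record.name, record.rtype, record.value)


def audit(baseline_text, observations):
    """Compare each resolver's answers with the baseline.

    Returns a dict with the clean resolvers, per-resolver unexpected/missing
    records, and the largest TTL seen on an unexpected record (the longest a
    cache may keep serving it after the registrar entries are restored)."""
    baseline_keys = {_key(r) for r in parse_answers(baseline_text)}
    report = {"clean": set(), "affected": {}, "worst_case_ttl": 0}
    for resolver, text in observations.items():
        observed = parse_answers(text)
        observed_keys = {_key(r) for r in observed}
        unexpected = [r for r in observed if _key(r) not in baseline_keys]
        missing = [k for k in baseline_keys if k not in observed_keys]
        if not unexpected and not missing:
            report["clean"].add(resolver)
            continue
        report["affected"][resolver] = {
            "unexpected": sorted(f"{r.rtype} {r.value}" for r in unexpected),
            "missing": sorted(f"{rtype} {value}" for _, rtype, value in missing),
        }
        worst = max((r.ttl for r in unexpected), default=0)
        report["worst_case_ttl"] = max(report["worst_case_ttl"], worst)
    return report


# Constructed sample data: the baseline a site owner keeps on file, and what
# three resolvers answered. resolver-b has picked up the hijacked delegation.
BASELINE = """
example-bank.test.      86400 IN NS ns1.example-bank.test.
example-bank.test.      86400 IN NS ns2.example-bank.test.
www.example-bank.test.   3600 IN A  192.0.2.10
"""

OBSERVED = {
    "resolver-a": BASELINE,
    "resolver-b": """
example-bank.test.     172800 IN NS ns1.attacker-dns.test.
example-bank.test.     172800 IN NS ns2.attacker-dns.test.
www.example-bank.test. 172800 IN A  198.51.100.7
""",
    "resolver-c": BASELINE,
}

if __name__ == "__main__":
    result = audit(BASELINE, OBSERVED)
    for resolver in sorted(result["clean"]):
        print(f"{resolver}: matches baseline")
    for resolver, diff in result["affected"].items():
        print(f"{resolver}: UNEXPECTED {diff['unexpected']} MISSING {diff['missing']}")
    print(f"worst-case time for bad records to expire: {result['worst_case_ttl']} s "
          f"(~{result['worst_case_ttl'] / 3600:.0f} h)")
```

In the constructed data the hijacked records carry a 172800-second TTL, which is the 48-hour propagation window mentioned in the post: even once the registrar account is recovered, a resolver that cached the bad delegation may keep handing it out for that long. Running the comparison against several public resolvers on a schedule, with the baseline kept outside the DNS itself, turns a change made with a stolen registrar password into an alert rather than a discovery made by users.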

This breach illustrates the importance of creating a complete security policy. A company can invest millions in securing its web farm, but a minor overlooked password could lead to an effective attack. The lesson is simple - when securing a resource, we must take into consideration every aspect of its security. In this case, the person who created the domain account with DomainTheNet simply chose an insecure password (which is a secondary lesson in this case), but there are other, simpler ways to bypass security. For example, making changes to a domain directly with ISOC, Israel's Internet Society and main registrar, involves submitting a request via a web form, and then completing the request by sending a fax. The web form has virtually no security, and forging a fax of this nature is also pretty easy. Another example: many companies rely on email as the primary, or even the only, way to communicate with customers. Hacking a user's mail account is usually pretty easy, either by using brute force or by calling the ISP and resetting the password, and once you have someone's email, you can use that to reset the passwords of most other accounts that the user has. In short, there's an old expression to keep in mind: the chain is only as strong as its weakest link!