Did You Visit The Huffington Post Web Site Last Week?

CNN is reporting that visitors to HuffPo and several other major sites last week might have caught a virus from malware-infected advertisements.

The malware only infected Windows PCs and only those running Internet Explorer 8 (does anyone really use IE any more?).  Even though IE11 is the current version of IE, according to CNN, IE8 is the most used version.

The ads were served by AOL’s ad network at least between December 31 and January 5, but may go back as far as October.

AOL refused to say how many times they served up the poison ads. Perhaps they are worried about lawsuits?

BTW, you did not need to click on the ad to be infected.

The good news is that this malware does not actually encrypt your files, it just blocks your access to them, so there are ways to get your data back without paying the ransom.

This does point out some of the nasty side of online advertising.  The ad networks are moving so many ads and the ads are so dynamic that nobody is actually looking at the ads.  This particular piece of “malvertising” redirected the content 8 times until it arrived at a server in Poland that served up the malware.

Apparently, every single visitor to HuffPo during this time window was served up the ad.

Malvertising is becoming a bigger problem all the time and as people close down other attack vectors, this one may become more popular.

One reason it is such a problem is that most of the ads are active meaning code is executed when the ad is displayed without the user clicking on anything.  If the device is susceptible to the malware, it auto-magically becomes infected.  No muss, no fuss, no bother.
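One way a defender can look for this pattern in web proxy logs is sketched below as an added example (not code from CNN, AOL or this blog): it rebuilds redirect chains per client and flags a single request that bounces through many hosts. The record layout, the `.example` hostnames and the thresholds are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

def sample_records():
    """Constructed proxy records (not incident data):
    (client_ip, http_status, requested_url, Location header or None)."""
    hops = ["http://ads.adnet.example/slot?id=1"]
    hops += [f"http://r{i}.example/go" for i in range(1, 8)]
    hops.append("http://landing.example/kit")
    # Client 10.0.0.5: one ad request bounced through 8 redirects, no click.
    recs = [("10.0.0.5", 302, hops[i], hops[i + 1]) for i in range(8)]
    recs.append(("10.0.0.5", 200, hops[8], None))
    # Client 10.0.0.9: ordinary same-site redirect, interleaved in the log.
    recs.insert(3, ("10.0.0.9", 301, "http://news.example/a", "/a/"))
    recs.insert(5, ("10.0.0.9", 200, "http://news.example/a/", None))
    return recs

def redirect_chains(records):
    """Stitch 3xx responses into chains by matching each Location header
    to the same client's next request for that URL."""
    pending, finished = {}, []
    for client, status, url, location in records:
        chain = pending.pop((client, url), []) + [url]
        if 300 <= status < 400 and location:
            # Location may be relative; resolve it against the request URL.
            pending[(client, urljoin(url, location))] = chain
        else:
            finished.append((client, chain))
    return finished

def flag_chains(records, max_redirects=3, max_hosts=2):
    """Report chains longer than max_redirects that cross more than
    max_hosts distinct hosts (both thresholds are assumed, tune locally)."""
    alerts = []
    for client, chain in redirect_chains(records):
        redirects = len(chain) - 1
        hosts = {urlsplit(u).hostname for u in chain}
        if redirects > max_redirects and len(hosts) > max_hosts:
            alerts.append({"client": client, "redirects": redirects,
                           "hosts": len(hosts), "entry": chain[0],
                           "final": chain[-1]})
    return alerts

if __name__ == "__main__":
    for alert in flag_chains(sample_records()):
        print(alert)
```
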

If the malvertising is covert, it could just lie in wait on your computer, only doing something when told or when the computer is idle or at 2:00 in the morning or whatever. You likely wouldn’t know unless your anti-malware software catches it.

Nice, huh?

NOTE: while HuffPo got caught up in this last week, this is not really a HuffPo problem but rather a general issue with online advertising.  The malware isn’t even resident on HuffPo’s site. Over the years, many sites have been the victim of this and it is only getting worse.  The sites are just trying to make a few bucks while giving away content.  There is nothing that HuffPo or anyone else is doing wrong;  it is something that the online advertising industry is going to have to figure out and other than going back to static, text based ads (can you say FAT CHANCE!), there is not an easy answer.

Mitch

The Cloud Conspiracy

Former Microsoft Security Advisor Caspar Bowden gave a presentation at 31C3, the hacker conference in Hamburg last month, that gave the conspiracy theorists some more ammunition.   An article on his presentation appears here, his slides are here, and a video of the talk is on YouTube here.

A quote from the article gives you a taste for where he is going:

Bowden served as Chief Privacy Officer at Microsoft for nine years, responsible for advising 40 National Technology Officers from different countries. During an internal strategy conference in 2011, with Microsoft deputy general counsel, cloud management personnel and the NTOs in attendance, Bowden warned, “If you sell Microsoft cloud computing to your own governments then this [FISA] law means that the NSA can conduct unlimited mass surveillance on that data.”
After that, Bowden said the deputy general counsel “turned green” and the room was dead silent. During the coffee break, Bowden was threatened with being fired. Two months later, Microsoft decided Bowden was redundant and fired him.

His basic premise is that the FISA act and its amendments give the government the right to surveil foreigners outside the U.S. and then minimize (but not eliminate) access on U.S. persons after collection. A clause was added to the 2008 FISA reauthorization that added coverage for remote computing services, i.e. cloud computing. Since the FISA court operates in complete secrecy and a provider would be in contempt if they even talk about things that they have done in support of FISA warrants, we don’t really know the extent of this.

Just to be clear, I am less concerned about what the NSA is doing. There are likely abuses and hopefully the political processes will deal with that – eventually. What I am more concerned about is that we should not think that what the NSA can do is unique. If we think that China, Russia and a handful of other countries don’t have hackers just as good as the ones we hire, then we are fooling ourselves.

But even if you are not ready to join the tin foil hat crowd, you might want to consider this.  If companies like Microsoft, Amazon and Google have added back doors to their cloud computing capabilities to support FISA warrants, do you really think that other state sponsored actors or even hackers will never discover these back doors?  That seems unlikely.

And, as I have said for years, the good hackers – state sponsored or otherwise – are never discovered.  Until they want to be.  The hackers inside Sony were likely there for many months before they went nuclear.  If they just wanted to steal information and use it for their own purposes, they likely would have never been discovered.

So the question becomes this:  does having this ability to spy on the people we want to spy on ultimately work for or against us?  Is it really possible to control this “spy genie” and keep it in the bottle?  My opinion – we cannot keep it in the bottle and it will likely come back to bite us.  Just my two cents.

Mitch

Guilty Until Proven Innocent – Software Licensing

Lewitt, Hackman, Shapiro, Marshall and Harlan, a law firm based outside Los Angeles, has an interesting take on software licensing.  They don’t say whether they have been representing plaintiffs or defendants in software piracy lawsuits, so I don’t know if there is a bias in their blogging, but it is an interesting point of view.

They talk about the Business Software Alliance or BSA, an industry trade group made up of heavyweights like Microsoft, Adobe and Intel, that offers rewards to current or former employees to turn in their company if they suspect they are using pirated software.  Note they say “suspect” and not “have evidence of”.

The BSA investigates about 15,000 companies a year, starting by asking them to do a self audit and then “negotiating” for damages.  Having been on the wrong end of that deal once, we had to write a check with way too many zeros before the period.  Not fun.

That is old news. The BSA has been kicking this dog for a long time and they try to get the occasional large penalty in order to try and cut down piracy, which from their point of view is understandable.

Here is what is interesting.  According to Lewitt, Hackman, under the law, all the BSA or Microsoft or whoever has to do to prove infringement is the following:

  • That it owns the copyright for the software
  • That the (soon to be) defendant used the software

They don’t have to prove that you pirated it or that you are using more copies than you bought.  At this point, you are assumed to be guilty and have to prove your innocence, something that very few companies can do.

Your claim that you are using the software legally is a legal defense.

The law says, according to Lewitt, Hackman, that it is your burden to prove you have a license from the copyright owner.

I doubt there is any company on the planet that has zero disgruntled ex-employees and if reporting you, anonymously, to the BSA is a way to get both revenge and cash, I could see that some people might do that.  The BSA even runs ads in magazines suggesting pretty much this.

How many companies can show an invoice or check copy for every copy of Windows, Office, Photoshop or any other piece of software they have installed on any computer in the office? By the way, whether you are using the software or not is irrelevant to your defense. If it is installed and unlicensed, you are guilty. Been there, have the scars.

So, one part of your business risk management program should be to keep copies of all software receipts, licenses and other records so that if the issue comes up you don’t have to recreate history.

Food for thought.

Mitch

Enterprises Are Still Failing At The Security Basics

VentureBeat wrote an interesting item pointing out some of the obvious things that Target messed up.  Fixing these items won’t stop every attack, but it certainly would slow the attackers down.

According to a lawsuit filed in federal court recently, Target dropped the ball on a few things. Of course, at this point, these are just claims, but they have been widely reported in the media and not disputed by Target corporate.

  • Target did not take written warnings from Visa seriously.
  • The attackers got in by compromising the credentials of a vendor.  The thieves gained too much information from Google searches.
  • The security problem grew due to weak security at that vendor. Target should have required better security procedures of their vendors.
  • Target IT staff gave security warnings to their superiors, which were ignored.
  • Target’s network was not properly segmented.  As a result, access with the vendor’s credentials to the vendor billing application gave the hackers way too much access.
  • Target did not use two factor authentication, which did slow down the attackers at JP Morgan Chase.  Except they found ONE server that did not have it installed.
  • Target used the FireEye security software which alerted Target’s security team to the presence of malware, but the team took no action.
  • Target failed to remove unused default accounts, which the attackers took advantage of.
  • Target used Symantec Endpoint protection, which also generated alerts that were not acted upon.
  • Target did not block traffic to cyber thief havens like Russia, which allowed the hackers to use a command and control attack server in eastern Europe.  My guess is that Target has no stores in Russia and probably does not ship clothing there either.  This one is hard with multinationals, but it can be done.

The article goes on to talk about Chase, Sony and basic human nature.  It provides some interesting food for thought.

So, as I have said for years, you have to take care of the basics before you worry about rocket science.

Mitch

Mitigating Over-Enthusiastic Airport Security

Katie Moussouris, formerly an executive at Microsoft and Symantec and now an executive at HackerOne, which as best as I can tell manages bug coordination with third parties for very large, well respected companies, tells a story about an over-enthusiastic security person at Charles de Gaulle airport in Paris. She was tapped for secondary screening as her flight was boarding and the security agent asked her to turn on her laptop. While this request is unusual, it is a standard security procedure to reduce the odds that your laptop case is just a container for a bunch of high explosives. This is a result of the actual bombs that were sent from Yemen in 2010, one found in the UK, the other in Dubai, both safely defused, thankfully.

What came next was the unusual part. The security agent asked Katie to log in to her laptop. According to Katie, customers’ very sensitive bug information was now exposed. How exposed is unclear, but there are many things that you can do to mitigate this, depending on your level of paranoia.

The first and easiest thing to do is to create a guest login on your laptop with no privileges and no access to other data on the laptop.  Likely, this very simple solution would have protected Katie’s customer information since the laptop remained in her control and possession.

Next, especially when traveling internationally, consider how much information you really need to travel with and remove (and overwrite) unneeded information.  You can put it back when you return.

Another option is to use a program like TrueCrypt, VeraCrypt or CipherShed or some similar program that allows you to create additional encrypted volumes after you log in. These require an additional step of mounting an extra drive letter after you log in, but they keep your stuff isolated. Depending on your needs, you could create more than one volume for different purposes and only mount what you need when you need it. A couple of notes here. The three programs above are in different states of maturity and there are other programs that allow you to create secure containers, so these are just examples. Also, make sure that you SHUT DOWN your computer before you head for the airport and not just sleep or hibernate it; otherwise, when you turn the computer back on, those secret volumes will still be mounted.

Depending on your requirements, you may opt to make some trips without your laptop at all and just take your phone and/or tablet.  What you don’t have can’t be compromised.

Finally, for the especially sensitive and paranoid among us, some large companies have travel laptops that their IT staffs load with just the minimum amount of software and data and give to people who are traveling to certain countries. These laptops are wiped on return and if they have been out of the executive’s control in certain countries, they are crushed after being wiped. Like I said – depends on your level of paranoia.

Obviously, the same issues go for phones and tablets these days.

The important point is that this should be part of your risk management program and you should consciously review your policies and practices for employees’ use of electronic toys and mobile data.

 

Mitch

The Problem Of Attribution Of Cyber Attacks

In some sense, cyber attacks are no different than physical world attacks; in other ways, they are completely different.

Let’s assume that you did not physically catch some bad guys that broke into a building. Do you know who broke in? On rare occasions they leave something behind – there have been instances, so rare that they make the news, where a perpetrator drops a wallet or ID card. Even then, how do you know the wallet that was dropped wasn’t stolen and then dropped? Sometimes the police get a lead, find that person and they still have the stolen stuff – that’s pretty conclusive. What if what was stolen was money? You can’t say “that $20 bill over there looks like mine”. Most of the time, you can rule out people who don’t live nearby. It is reasonable to assume – and it is an assumption – that someone is not going to travel from India to break into your house and steal your TV – the economics don’t work.

Cyber attacks are different.  It could be anyone with access to an Internet connection.  That narrows it down to say 2-3 billion people.  Easy job.  Since it is no harder to launch an attack on your company from 5,000 miles away than it is to launch it from 5 feet away, you can’t rule out anyone.

There are stupid cyber attacks just like there are stupid burglars, but in both cases they are likely to get caught, so I will dismiss those attacks.

The reason attribution is so important is that we want to catch the attackers.  If we cannot attribute the attack, it is hard to go after them.

The case in point is the Sony attack. The FBI, based on forensic evidence, says it came from North Korea and it was sponsored by the North Korean government. North Korea denies it. Other people say it was Russia. Still others say it was some former disgruntled Sony employees. Others say it was a combination. The U.S. decided to retaliate against North Korea because we don’t like them anyway, but in reality, the evidence is circumstantial.

Could some Russian hackers have reused Korean code and servers? Could the Russian government have paid North Korean hackers? Were they even in North Korea? Some people say the attackers were in Japan.

Since we don’t like North Korea anyway, it really is no big deal to us if we mis-attribute the attack to them, but what if the attack originated someplace else?  The FBI gets to claim credit, sort of (no one gets charged with a crime, gets convicted or spends time in jail). From what has been released to the media, we really don’t know who the actual attackers are.  If the attackers were in a country that we have a better relationship with, we are unlikely to issue sanctions against, say, Germany.  And, issuing sanctions doesn’t hurt the hackers – they go on their merry way.

The bottom line is that just like some murders are not solved, some cyber crimes are not solved either.  The difference is the percentage.  Especially for smaller cyber attacks, the police don’t have the resources to follow up on the attacks (they are not likely to fly to Ukraine to check up on a lead and the Ukrainian police have other things to do that are more important to them).  The reality is that many, if not most, cyber attacks are not solved.

If you have the right kind of cyber insurance it will help lessen the financial impact, but don’t count on the attackers being caught.  It just doesn’t happen very often.  Even for high profile attacks.  Have the Target attackers been caught?  What about the Home Depot attackers?  What about the J.P. Morgan Chase hackers?  Given that, how likely is it that the hacker that broke into some small or medium size business will be caught?  And, even if they are, then what?  Likely, they don’t have the money to pay for your damages.  And, that won’t repair your reputation.

In this sense, cyber attacks are quite different from physical attacks.  If someone steals your car and you have the right kind of insurance, you get a replacement car.  Yes, there is some hassle and time, but overall, it is pretty clean.  And, other than the few people you tell about it, no one knows about it.  And unless you left your key in the car, your reputation isn’t tarnished.

If someone takes down your website or defaces it or steals your customer data, it is much harder to hide the fact.  In most states, you are required by law to tell your customers, who tell the media, who tell the world.  And much harder to be made whole again.  Damage to your reputation is very difficult to repair.

You can hope that the hackers pass over you or you can spend some time and effort making it harder for them. That time and effort could improve the odds that the hackers will look for an easier target.

Remember, while the attack on Target was annoying, an attack on your home or business gets personal really quickly.

 

Mitch