The Year of the Breach

As the year comes to a close, news headlines have been dominated by reports of high-profile security attacks, some launched by “hacktivists” such as Anonymous and LulzSec.

But something larger was brewing. Amidst the hacktivists’ attacks on Sony, HBGary and NATO, highly sophisticated, clandestine attackers—the kind with the rarefied expertise, deep pockets and specialized resources typically seen only in nation-state adversaries—were actively infiltrating a broad range of targets.

These attacks were different: they were patient, stealthy and leveraged a potent combination of technical skill and social savvy.  Some used clever social engineering to get a foothold into their target organizations, while others used zero-day vulnerabilities—previously unknown holes in software—to penetrate defenses. 

While advanced attacks have happened for years, IT security experts observed that recent attacks had grown bolder and more frequent. Recent attacks were also highly targeted, customized, well-researched and, in many cases, employed both technical and social

The term used to describe such complex, sophisticated attacks was “advanced persistent threats” (APTs), but as IT security experts quickly pointed out, APTs are only as advanced as they need to be to get the job done. A concrete definition is elusive and, as one of them cautioned, “Defining it could limit us and lead us to be blindsided. We need to constantly revisit the characteristics because they’re always changing.”

Much of the day’s focus was on the techniques of highly organized attackers. Such advanced threats, which include APTs, span from corporate espionage to hacktivism.

This article distills key insights from those discussions and aspires to advance the industry’s dialog on advanced threats, spur disruptive innovation and pass on some of what we learned from some of the most seasoned professionals in information security.

From a Cookie-Cutter Approach to Adaptive

In 2000, the ILOVEYOU worm crippled more than 50 million PCs. The delivery mechanism was simple but effective: an e-mail showed up in your in-box with the subject line “ILOVEYOU.” When people clicked on the e-mail’s attachment, titled “LOVE-LETTER-FOR-YOU,” they were infected with a computer worm. While the damage was significant, a partial solution to this problem came in the form of antivirus software: a signature could be deployed to antivirus agents that would identify the file as malicious and arrest its actions.
Today, generic malware is still profuse, but signature-based defenses, at either the network or host layer, can greatly decrease the odds of infection. What makes recent advanced threats different is that they defy signatures. In the world of advanced threats, malware evolves quickly, and security experts have described several cases of special-purpose malware custom-developed specifically for their targets. Some were compiled within hours of launching the attack.

It became clear that enterprises targeted by highly organized attackers cannot depend on signature-based “bread and butter” security tools as their sole means of defense. While the payloads of some advanced threats were fairly standard, entry strategies were often custom-tailored.

Attackers typically used social networking sites to gather intelligence and identify specific users within an organization. Some of the main infection vectors cited were e-mail, Skype and instant messages, with malware payloads in the form of PDFs, compressed HTML, script files, executables and attachments. Customization of attack techniques extends all the way through to data exfiltration.

Advanced threats often use sophisticated methods for compressing, encrypting and transmitting data to other compromised organizations, leaving little evidence of the origin of the attack or the destination for stolen information. This move from generic to tailored, from cookie-cutter to adaptive, means that security organizations need to think beyond signatures and re-evaluate how effective their current defenses are.

Remember that people, not technology, were the Achilles’ heel in most defensive strategies.

People are the Weakest Link

“People are the weakest link” is perhaps the biggest cliché in information security. Security experts have long understood that users make bad choices, click on links they shouldn’t and install malware through simple ruses.

Corporate IT departments deploy multiple controls to help deal with this threat: e-mail filtering solutions catch many attacks before they make it to users, malicious links are blocked by the network, network scanners look for malicious content, and host-based antivirus (the last line of defense) tries to stop what slips through the cracks.

This process works well for generic, shotgun attacks in that signatures can be updated quickly to immunize users. Advanced attackers, however, are now creating highly credible scenarios in which they convince users to click on dialog boxes warning of fake software updates, retrieve content from quarantined areas and act (unknowingly) on behalf of the attacker.

Attackers have become dangerously adroit at using our weaknesses and behaviors against us. Attackers are creatively leveraging people inside the company to help accomplish their goals. “Internet scams are supposed to be sloppy, but they work.”

Advanced threats defy that stereotype. Experts put a fine point on it: “The perimeter is not a firewall; it’s our users. They don’t treat their computer as an adversary; they treat it as a tool—an extension of themselves—so they don’t question what it tells them.”

Addressing the people problem will take more than technology. Organizations need to drive a sense of personal responsibility for security among employees.

Attackers Aim for Advantage, Not Infamy

Advanced attacks are typically not the product of hobbyists. These attacks often require months of planning, mapping out internal networks by looking at the fringes.

The reconnaissance can go much further: targeting key employees, deconstructing their life by scouring social media, custom-crafting an attack so that it is stealthy, patient, and very effective.

Cybercriminals, the ones who look to steal credit card numbers and other commoditized and sellable data, have become increasingly sophisticated, but advanced attacks are different. Increasingly, they focus on espionage: stealing specialized data that may be of high value and strategic importance to the commissioning entity, which can be a foreign government, rival corporation or organized crime group. The entities behind advanced attacks literally mean business.

Also, the entities perpetrating many advanced attacks are substantively different from the hacktivist groups that have attracted attention in recent times. Hacktivists want to embarrass and expose their targets’ activities, taking pride in publishing their conquests.

Many advanced attackers, in contrast, have stealth as their goal. They do not want to be discovered and do not seek publicity.

Some advanced threats are now masquerading as hacktivist attacks, with the goal of confusing forensics and placing blame on groups that are often eager to accept it. This pattern makes it difficult to size the scale of advanced threats: a willing scapegoat makes post-incident attribution particularly problematic.

The New Normal: Act as Though You Are Already Hacked  

The events of the year have shown that determined adversaries can always find exploits through people and in complex IT environments. It’s not realistic to keep adversaries out. Organizations should plan and act as though they have already been breached.

Three foundational principles of security are compartmentalization, defense in depth and least privilege. In combination, these three tenets dictate that if one system (or person) is compromised, it should not result in a compromise of the entire system.

While simple in concept, these tenets have proven complicated to implement in practice. Organizations have long relied on the notion of a “perimeter,” where a big thick wall—in the form of firewalls and gateway defenses—guards the organization, with good guys (insiders) on one side of the wall and attackers on the other.

Security perimeters are now considered a construct of the past. Boundaries are nearly impossible to define in modern organizations. The inclusion of partially trusted users such as customers, suppliers, contractors, service providers, cloud vendors and others has made organizational boundaries very porous. Beyond the eradication of traditional organizational boundaries, the consumerization of IT has brought a rash of unmanaged devices into the enterprise and exposed the organization to services (and suppliers) that are opaque.

IT consumerization has also blurred the line between the business lives and the personal lives of employees. We have moved from the illusion of a perimeter-driven defense to living in a state of compromise.

Accepting that some systems, some people and some services may already be under the control of attackers changes information security strategy. It forces a return to the core principles of compartmentalization, defense in depth and least privilege.

Organizations need to focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and contain malfeasance. This new model also demands that we rethink old habits of sharing sensitive corporate information—such as source code, product plans and strategic roadmaps—using collaborative processes that presume perimeter defenses can keep attackers out.

Security improves through greater situational awareness: gaining the ability to understand what’s happening beyond our network boundaries in order to detect threats on the horizon. Organizations get smarter by looking beyond their own infrastructure and observing the ecosystem. The ecosystem approach to security relies on organizations actively sharing threat information with other organizations. It also demands greater visibility into the security of suppliers and service providers within one’s supply chain.

The key is to know what digital assets are important to protect, where they reside, who has access to them and how to lock them down in the event of a breach. This ability to tighten the net before and during an attack is key, and it requires a mature process for incident handling. Incident response should not be considered exclusively a security function. Instead, it is an organizational competency that must be developed and continually honed well before an attack occurs. If organizations are planning responses as an attack unfolds, they are too late. A competency approach allows remediation activities to kick in automatically—like a reflex.

The Road Ahead

The reality of advanced threats demands a disruptive approach to defense—one where enterprises can be agile and thrive in a contested environment. This approach must be applied holistically: approaching advanced threat defense not as a discrete function but as a natural consequence of robust but agile security.

Many of the holes that exist today come from an unmanageably complex IT infrastructure. Given that information security is a “weakest link” problem, only by understanding our assets, processes and endpoints do we have a chance at effective defense. Unraveling complexity and fielding a successful defense also means thinking creatively about the range of attacker motivations, which can extend far beyond data theft.

With every new technology, we have the ability to weave security into its fabric, to begin anew. We are at the start of an industry-wide move to cloud-based services and systems. We stand on the precipice of a sea change in technology. There is a new mantra going around the industry: “If we can’t get it right with cloud, shame on us.”

Today more than ever, security is an ecosystem problem in which every constituent has a responsibility. Attackers are collaborating, sharing information, going after the supply chain, co-opting careless insiders and evading our long-relied-upon defenses. We need disruptive collaboration and innovation in defense. Through collaboration, information sharing and increasing our agility, we can successfully fend off APTs and other advanced threats.

Happy Holidays! And a blessed new year to all!


Social Engineering Techniques

Social engineering, as defined in Wikipedia, is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. Simply put, social engineering is one of the simplest forms of hacking, wherein a social engineer does not need special technical skills or tools to get confidential information.

Few people know that social engineering is one of the biggest forms of hacking the IT industry now faces. Why? People trust people they know, and it’s easy for them to give out confidential information to people they trust and know.

But it doesn’t matter how many locks you put on the door that is your security plan, because criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? There is an old adage that says “most crimes are done by people who you know and let into your house,” and the same adage applies to social engineering. There is often a debate about what is more prevalent and more dangerous: the outsider threat or the insider threat? Once you accept the success of social engineering, you will recognize there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider.

Based on studies done on social engineering, there are four (4) main techniques, namely:

Alternative communication channels:

Scam artists make use of alternative channels of communication because they catch people off guard. Attackers find their victims are more susceptible to influence when the attacker engages them using a different medium than the one the victim is used to. One example of this scam used windshield flyers. The flyers alerted drivers that their car was “in violation of standard parking regulations” and asked them to log onto a site where they could get more information. If you got a spam message that said this, you probably would have disregarded it. But when people got this notice in the physical world, outside of the channel they are used to being on guard in, they went to the site and saw pictures of improperly parked cars in their own town. Of course, if they wanted to see their own vehicle parked improperly, they had to download a media player. If they downloaded it, they infected themselves with a fake antivirus tool.

Vishing scams are another variation of this kind of attack: victims receive voice mails asking them to contact their bank about fraudulent account activity. People call the number and are prompted by a series of voice commands to enter sensitive information, or they are connected with someone claiming to be a bank representative.

USB keys are another example of an alternative-channel exploit. A recent attack used USB keys to spread the Conficker worm, and it was noted that victims are often not suspicious of USB keys and put them right into the machine without a second thought. While it used to be standard for computer users to scan floppy disks for problems, the same protocol does not exist for USB keys.

Personality relevant messaging:

People don’t want to just get e-mail, they want me-mail. A me-mail, an e-mail message that is personally interesting, is going to get more attention, and criminals know that. A variation on this kind of scam involves spoofing messages to look like they come from a trusted source. One common attack lately uses the delivery company UPS (United Parcel Service) as the scapegoat. The message from “UPS” claims there was a failed attempt to deliver a package, and asks the victim to print out an invoice to take to the UPS center to pick it up. The “invoice” is probably a malicious executable or a malicious PDF file, and that is how they are going to get you. How do we tell our users not to open attachments from people they don’t know? It’s not very useful advice anymore, because the messages that come to them are from people they are likely to know.

Social Compliance:

It is human nature that people want to do what others are doing, and our tendency to follow the crowd can also make us social engineering victims. Criminals know you will be more inclined to trust something that is popular, or recommended by trusted sources. It’s this kind of psychology that led to the success of the recent ‘likejacking’ or ‘clickjacking’ attacks on Facebook. Facebook users were fooled into ‘liking’ websites that claimed to have information about celebrity secrets or photos. Instead, victims found themselves clicking on a maliciously crafted website whose creators had hidden an invisible button under the mouse. Clicking on the website hijacked the mouse click and secretly caused users to ‘like’ the webpage. This activity was then published to the victim’s Facebook page, which gave the malicious page legitimacy and caused others to ‘like’ it too.

Criminals have also exploited social compliance by uploading malicious software onto a file-sharing site where software junkies go to find the latest and greatest products. The worm then kept hitting the download link to artificially inflate the counter, so the file floated to the top and appeared as the most popular download. The thinking goes: “If other people like it and download it, I want to see what others download, and I download it.”
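The invisible-button trick described above only works if the target site lets itself be loaded inside another site’s page. The checker below is an added example, not code from the original post: it reads the response headers a site sends and reports whether the site forbids framing through the Content-Security-Policy frame-ancestors directive or the X-Frame-Options header. The header names are standard; the sample responses at the bottom are constructed for illustration and do not describe real sites.

```python
"""
Added example, not from the original post: classify whether an HTTP response
forbids being framed by other sites, the server-side defense against the
invisible-button (clickjacking/likejacking) trick. Header names are standard;
the sample responses at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if the
    Content-Security-Policy value has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are case-insensitive; host sources are kept as-is.
            return [p.lower() if p.startswith("'") else p for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify framing protection as 'denied', 'same-origin', 'allow-list' or 'unprotected'.

    Header lookup is case-insensitive. A frame-ancestors directive wins over
    X-Frame-Options, because browsers that understand the directive ignore the
    older header when both are present.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        # An empty source list matches nothing, exactly like 'none'.
        if not sources or sources == ["'none'"]:
            return "denied"
        if sources == ["'self'"]:
            return "same-origin"
        if "*" in sources:
            return "unprotected"
        return "allow-list"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run framing_policy over a set of named responses."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}


# Constructed sample responses (not real sites).
SAMPLE_RESPONSES = {
    "legacy-site": {"Content-Type": "text/html"},
    "xfo-only": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp-deny": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-partner": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
        "X-Frame-Options": "DENY",  # ignored by browsers that honour frame-ancestors
    },
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12s} {verdict}")
```

A site that comes out as “unprotected” is the kind that can be placed under an invisible ‘like’ button; the fix is to send one of the two headers on every page that should never be framed, with frame-ancestors preferred where both are supported.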

Reliance on Security Mechanisms:

Because we are so used to certain security mechanisms, and often take them for granted, they are no longer protecting us. One story featured a social engineer dressed as a police officer who came into a store. He told the clerk there had been counterfeit bills passed in the area, and gave the clerk a special pen, which he said could be used to tell real money from fake and would turn red on bills that weren’t legitimate. Later, someone else came in and passed a fake bill. The clerk flagged the bill as possibly fake and used the pen, but the ink turned green, indicating the bill was OK. In reality, the pen itself was fake too, and would never have uncovered a fake bill in the first place. The clerk’s trust in the police is what made the con work.

The same holds true for the many security updates computer users have become accustomed to getting. Flash updates, for example, have been used in this type of exploit. You go to a site, and you get an error message that says you need to download the latest version of Flash. The victim has no way of knowing if they are downloading a legitimate tool, and in many cases they are not.

So how do we keep them out?

What do these four strategies mean for security? That the outsider can very easily become an insider. And so far, training people and employees to be aware of social engineering has failed. When we look at our security architecture, we need to think and focus less on external barriers and more on what goes on inside the organization. We need to put more focus on internal segmentation of resources and internal monitoring of the traffic that flows within and out of your environment. And focus on giving your users only the privilege they need. Not because you don’t trust them, but because you know they can easily be scammed and you are trying to protect them.

Remember, it can be as simple as someone you know who works with you calling you, getting your login and password, and gaining access to your financial and customer files.


How to Protect Against Firesheep

Firesheep is gaining users every minute, with millions of Firefox users out there trying to get their hands on this utility, so we have decided to put together some simple steps on how you can protect yourself from this concerning threat.

Since Firesheep works against plain HTTP traffic on Wi-Fi, as we mentioned in our last blog article, the following are some simple steps that a user can take to avoid being victimized by an unscrupulous Firesheep user:

1. Avoid public Wi-Fi networks that are unencrypted and use only basic password protection.

2. For Mozilla Firefox users, use the HTTPS Everywhere add-on for Firefox. You can google it and install it as an add-on to your Firefox browser. You may need to configure it manually, since it only works with a defined list of sites, including Twitter, Facebook, PayPal and Google.

Unfortunately, IE, Google Chrome, Opera and Safari users do not have this feature, so they are left out in the cold and are better off following suggestion 1.

3. If you cannot avoid using the Internet in a public place, bring your own Internet connectivity modem kit with you, such as Smart Bro, Globe Tattoo or Sun Cellular’s modem (I forgot the brand name). It is more secure than using a public Wi-Fi network, since you will have a different IP address than the people on that unsecured public Wi-Fi. It may be a tad slower, but it is better to be slow than to be insecure.

These are the suggestions that I can think of as of now. For sure, Firesheep can trigger other simple hacking tools in the future. Going forward, the metric of Firesheep’s success will quickly change from the amount of attention it gains to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all. But for now, all IT security experts are worried about this.
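The “proper security” that would make Firesheep stop working is on the site side: a login cookie marked Secure is never sent over plain HTTP, HttpOnly keeps it out of reach of page scripts, and a Strict-Transport-Security header keeps the browser on HTTPS, which is what the HTTPS Everywhere add-on in step 2 approximates for its fixed list of sites. The auditor below is an added example, not code from the original post or from the Firesheep project: it inspects constructed Set-Cookie and response headers and lists the gaps a Firesheep-style sniffer relies on. The header names and cookie flags are standard; the session-cookie name heuristic and the sample responses are assumptions of this example.

```python
"""
Added example, not from the original post or the Firesheep project: audit the
headers a site sends for the weakness a Firesheep-style sniffer relies on,
namely a login cookie that the browser will also send in the clear over HTTP.
Header names and cookie flags are standard; the sample responses are
constructed, and the session-cookie name heuristic is an assumption.
"""
from typing import Dict, List

# Assumed heuristic: substrings that usually mark a cookie as carrying a login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split one Set-Cookie header into the cookie name plus lower-cased attributes.
    Flag attributes such as Secure and HttpOnly appear with an empty string value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    cookie = {"name": name}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic match on the cookie name (an assumption, not a standard)."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(set_cookie_headers: List[str], other_headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means no Firesheep-style exposure was found."""
    findings: List[str] = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if not looks_like_session_cookie(cookie["name"]):
            continue  # e.g. a language preference cookie carries no session
        if "secure" not in cookie:
            findings.append(f"{cookie['name']}: missing Secure; sent over plain HTTP")
        if "httponly" not in cookie:
            findings.append(f"{cookie['name']}: missing HttpOnly; readable by page scripts")
    lowered = {k.lower(): v for k, v in other_headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header; browser may fall back to HTTP")
    return findings


# Constructed sample: the same site before and after adopting the fix.
WEAK_SITE = (
    ["sessionid=abc123; Path=/", "lang=en; Path=/"],
    {"Content-Type": "text/html"},
)
HARDENED_SITE = (
    ["sessionid=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"],
    {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"},
)

if __name__ == "__main__":
    for label, (cookies, headers) in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_response(cookies, headers) or ["no findings"])
```

Run against a real site, the cookie and header lists would come from the response to a logged-in request; the point of the check is that a site with an empty findings list gives a Firesheep user on the same Wi-Fi nothing to capture, no matter which browser or add-on the visitor uses.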