
2008-05-09

Counterfeit Cisco Routers

Posted by Peter Hesse

This is really bad and scary news. The F.B.I. Says the Military Had Bogus Computer Gear.

[T]he… sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.
The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components.

Cisco routers are everywhere. According to Cisco’s web site, “Cisco is the leading supplier of networking equipment and network management for the Internet.” The likelihood that you received this web page over one or more Cisco routers is extremely high.

Also, what if this wasn’t just counterfeiting?

The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort.

It’s one thing if widely used networking components get compromised through a flaw that allows a “back door”, privilege escalation, or other illicit access to the data flowing across them. It’s an entirely different thing if these devices were (re-)engineered with villainous intentions. Such additions could be nearly impossible to detect. One more quote from the NY Times story:

The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment…
“It’s very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”

If this doesn’t give you nightmares, it should.

2008-05-09

Exploit Causes Migraines

Posted by Mike Markiewicz

Hackers pulled off an attack that had a physical effect when they found a way to post flashing images on an epilepsy forum. Some users of the site experienced migraines and “near-seizure reactions.”

The attack happened when hackers exploited a security hole in the foundation’s publishing software that allowed them to quickly make numerous posts and overwhelm the site’s support forums.

I remember learning in my computer ethics class about bad programming practices that led to physical injuries and even death. Lax security can have all sorts of effects, and when you see someone intentionally trying to bring physical harm to a group of people, you get an idea of the type of person we’re working against.

2008-05-08

Extreme Data Recovery

Posted by Laura Bowser

I’m sure many people have already seen that data was recovered from a Columbia (shuttle) hard drive. Yes, this was the shuttle that blew up on reentry back in 2003. Needless to say, the drive would be expected to be quite physically destroyed. There was some quite important research data on the drive, and the drive was sent to OnTrack Data Recovery Services for an attempt at recovery. Well, they were able to recover 99% of the data off of the drive.

Now, admittedly, the details on the actual data recovery were slim. How well was it protected inside the shuttle’s hull? What kind of temperatures was it exposed to? What kind of impact did it have? How much did it cost (both in time and money)? But, that’s just impressive. (And it just confirmed that I will continue to buy Seagate drives!)

What does that mean for us mere mortals? Bashing a Seagate drive with a hammer is not enough for “data destruction”. Incineration may not even be enough for complete and total data destruction. Some of the things we’ve taken for granted about destroying hard drives have been turned on their head. I used to recommend that people open up their hard drives and leave fingerprints all over the platters as a method of making them unreadable. Maybe this isn’t the case anymore.

This type of article makes the case for disk encryption, whether full disk or at least the data. Then even if the drive does survive re-entry, the only data that’s recovered is garbage to anyone without the key. On the flip side, remember that full disk encryption will probably render your data unrecoverable should you actually need it recovered. (That’s what backups are for, people!)

2008-05-07

A Window that Can't Be Closed

Posted by Walt Turnes

In a recent case in Arkansas, a registered nurse has pleaded guilty to violating HIPAA rules by disclosing confidential patient information for personal gain. No one should be surprised that things like this happen.

Every industry has laws, regulations and penalties set up for the purpose of consumer (and business) protection. In the health care industry, there is and has been an enormous amount of money spent to bring processes and systems into compliance with regulations like HIPAA to try to protect patient confidentiality. You can lock down electronic systems as much as you want, but nothing can ever be truly secured, because of one simple fact – these systems are owned and operated by people.

A “weakest link” analogy that’s popular in the security industry is the concept of putting deadbolts, latches, chains, and bars on a door while leaving the window next to it open. This is usually used to make a case to bring an insecure area up to par, or to discourage spending a lot of money on one aspect of a system when there’s another module in dire need of attention. Social engineering attacks, like the one in the article, are the “unclosable window” in the proverbial computer security house.

Now, this isn’t an argument against trying to secure electronic systems as much as reasonable or possible, or that laws and regulations are a waste of time. Keeping out as many attackers as possible from as many angles as possible is a “good thing”. Social engineering is just one of those things that makes a security professional occasionally throw their hands up in the air and wonder why they’re trying at all. It’s an insidious type of attack that no one can ever plan for, and, despite all efforts to the contrary, will never, ever go away. Unfortunately, despite the lofty goals that legislation like HIPAA aspires to accomplish, nobody’s data will ever be truly safe.

2008-05-06

A Good Samaritan Botnet

Posted by Nick Staples

I’ve recently heard talk of security researchers using the distributed nature of a botnet to remove existing malware. More specifically, the issue was raised after researchers over at TippingPoint Technologies managed to isolate and reverse engineer a client of the Kraken trojan botnet.

According to Pedram Amini (one of the researchers):

“By reverse-engineering the list of names and successfully registering some of the subdomains Kraken is looking for, we can emulate a server and begin to infiltrate the network zombie by zombie. Stated simply, Kraken-infected systems worldwide start to connect to a server we control.
...
We have the ability to successfully redirect infected systems. We have the ability to provide an ‘update’ through the existing Kraken protocol that can simply remove the Kraken zombie.”

This presents an interesting ethical issue: is it or is it not a good idea? From a professional standpoint, I can certainly see how it would be wrong; executing unrequested code on someone else’s computer, no matter what the reason, is a violation of their privacy. It’s technically no different from the malware itself, so there is definitely a liability issue to take into consideration.

On the other hand, for people who are unaware that they have an infected computer (or who don’t know how to fix the problem themselves), using the botnet to clean infected computers might be appreciated. It could be good in a vigilante sort of way.

But then there’s the argument that a good number of those computers that would be “cleaned” by the modified botnet would just get reinfected by the next wave of malware anyway. Maybe it’s really not even worth the risk…

2008-05-05

Identity Theft - A Business's View

Posted by Tim Donaworth

Identity theft can originate from a couple of sources: from you, the individual (your credit card information is stolen, phished via a fake online retailer, or taken from junk mail), or from the businesses that handle your information (online transactions, or the credit card companies themselves via data breaches, lost or stolen laptops holding account data, etc.).

This is costing businesses and tax payers billions of dollars each year.

Businesses in general are being hit hard because of these issues, especially with the federal identity protection laws enacted back in January. Any business that handles customer records (social security numbers, billing addresses, or credit card and bank account information) has until Nov. 1 to implement an identity theft prevention program. This mostly applies only to breaches that originate from within the workplace.

I would hope that most major banks and credit card companies are already well into meeting the demands of the new law, though. I think the main burden at this point is the repercussions of incidents originating from the individual. Banks and credit card companies have to pay back the individuals when something does happen, then try to track down the thief; mind you, most of this is outsourced, but it’s not cheap.

Attacks on individuals happen so commonly that one would almost think the individual doesn’t even care. They figure that if something does happen, all they need to do is call and dispute the charges, wait a few weeks, and everything is peachy again. Meanwhile it’s costing the credit card company thousands per incident.

So what is a business to do? On top of having to deal with federal mandates and laws, ramp up internal security, and train employees, they also have to figure out how to do their clients’ part for them. Some companies have started adding technology to the mix, in the form of RFID chips in the credit card; this is a start, but sadly it’s already being breached and is even opening up other holes. Stepping up the monitoring of users’ spending is also becoming a major part of the credit card business: large, unusual purchases are flagged, usually resulting in the customer being contacted directly. Some users find this an annoyance, but it’s pretty much a MUST DO these days. I think the process for creating a new account should also be stepped up, since a large majority of theft is done on accounts that people don’t even know they have, as a result of junk mail applications being stolen. Simply spamming out credit card applications to anyone probably isn’t the safest concept for the users either, as it’s actually helping fuel the problem.

In the end, something needs to change; otherwise the burden on companies is only going to increase, and as a user, I’m sure I’ll see that burden passed down to myself in some way or another.

2008-05-02

3 Ways To Pick A Bad Compliant Password

Posted by Anil Polat

Most corporate users are bombarded with guidelines and regulations on how to set good passwords. Users are forced to remember rules they don’t want to, leading to password fatigue. Administrators are given the sense that passwords are secure and users feel the same way if they’re following the rules.

People know that a password has to be 8 characters, but they really don’t know why. Here are some surefire ways to be certain you (and your users) are picking weak passwords, despite length and complexity requirements.

1. Make It Up Yourself – Most users are going to come up with a ‘familiar base’, then add simple numbers and symbols (1 and !) to make their passwords compliant. Make good use of, and recommend, some decent random password generators to your users.
2. Use Your Personal Account Passwords – Password change requirements are good at keeping this problem under control (which is why your company should enforce them). Users using the same network password that they use for their personal email, social networking, or other less secure websites can place hidden vulnerabilities in your security architecture.
3. Change Your Password with Predictable Increments – Sure, you have to change your password every 45 days, but do you just change all of the numbers from 111 to 222? Does Bob123! change to Bob234!?

Refer to #1: use randomly generated passwords.

It’s a good thing that machines can force password complexity and length requirements, but don’t let your users hack around them.
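As an added example (not from the original post), here is a password-change check in Python that flags the three patterns above at the point where the machine would otherwise accept the new password. The 8-character rule and the Bob123!/111 examples come from the post; the regexes, the 1..12 numeric-bump window (a generalization of the post's all-digits-shifted case) and the `personal` reuse list are my assumptions.

```python
import re

MIN_LEN = 8  # the 8-character rule the post refers to


def meets_letter_of_policy(pw: str) -> bool:
    """What the machine enforces: length plus a digit plus a symbol, nothing more."""
    return (len(pw) >= MIN_LEN
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_familiar_base(pw: str) -> bool:
    """Way 1: a word-like base followed by a short run of digits/symbols (Bob123!)."""
    return re.fullmatch(r"[A-Za-z]{3,}[0-9!@#$%^&*]{1,5}", pw) is not None


def is_predictable_increment(old: str, new: str) -> bool:
    """Way 3: the previous password with only its digits nudged. Catches a constant
    per-digit shift (111->222, Bob123!->Bob234!) and, as an assumed generalization,
    a numeric bump of each digit run by 1..12 (Summer2008!->Summer2009!)."""
    # Letters, symbols and digit positions must match; only digit values may differ.
    if re.sub(r"\d", "#", old) != re.sub(r"\d", "#", new):
        return False
    old_runs, new_runs = re.findall(r"\d+", old), re.findall(r"\d+", new)
    if not old_runs:
        return False
    shifts = {(int(b) - int(a)) % 10 for a, b in zip(old, new) if a.isdigit()}
    if len(shifts) == 1 and shifts != {0}:
        return True                       # every digit moved by the same constant
    steps = {int(b) - int(a) for a, b in zip(old_runs, new_runs)}
    return len(steps) == 1 and 1 <= steps.pop() <= 12


def weak_reasons(new: str, old: str = "", personal: frozenset = frozenset()) -> list:
    """Why a compliant-looking password should still be rejected; empty list means none.
    `personal` stands in for a reuse/breach list of the user's other-site passwords (way 2)."""
    reasons = []
    if not meets_letter_of_policy(new):
        reasons.append("fails length/complexity rule")
    if is_familiar_base(new):
        reasons.append("familiar base plus simple suffix (way 1)")
    if new in personal:
        reasons.append("reused personal-account password (way 2)")
    if old and is_predictable_increment(old, new):
        reasons.append("predictable increment of previous password (way 3)")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a policy-compliant password that fails all three ways.
    print(weak_reasons("Summer2009!", old="Summer2008!", personal=frozenset({"Summer2009!"})))
```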
