Social Engineering Even Exists in the Animal World

OK, so we have all read about birds that social engineer other birds into raising their young, and maybe you’ve even seen the TV special about it. But, this picture brings to mind a lesson in social engineering, thanks to our friends in the animal world. It all comes down to confidence, doesn’t it? :)

I am pretty sure that one of these things is not like the other. Would your security team spot the difference? How about your users?

Credit: The first time I saw the pic, it was here, just in case you want to use it for awareness training. — Thanks to @robertjbennett for the pic!

NewImage

ATM Attacks are WEIRD

So this week, while doing some TigerTrax research for a client, I ran into something that was “new to me”, but apparently is old hat for the folks focused on ATM security. The attacks against ATMs run from the comical, like when would-be thieves leave behind cell phones, license plates or get knocked out by their own sledge hammers during their capers to the extremely violent – attacks with explosives, firearms and dangerous chemicals. But, this week, my attention caught on an attack called “Plofkraak”. 

In this attack, which is apparently spreading around the world from its birth in Eastern Europe, an ATM is injected with high levels of flammable gas. The attackers basically tape up all of the areas where the gas could easily leak out, and then fill the empty spaces inside the ATM with a common flammable gas. Once the injection is completed, the gas is fired by the attacker, causing an explosion that emanates from INSIDE the ATM.

The force of the explosion tears the ATM apart, and if the attackers are lucky, cracks open the safe that holds the money, allowing them to make off with the cash and deposits. Not all attackers are lucky though, and some get injured in the blast, fail to open the safe and even torch the money they were seeking. However, the attack is cheap, fast, and if the ATM doesn’t have adequate safeguards, effective.

The collateral damage from an attack of this type can be pretty dangerous. Fires, other explosions and structural damages have been linked to the attack. Here is an example of what one instance looked like upon discovery. 

Some ATM vendors have developed counter measures for the attack, including gas sensors/neutralizing chemical systems, additional controls to prevent injection into the core of the machine, hardening techniques for the safe against explosions and other tricks of the trade. However, given the age of ATM machines in the field and their widespread international deployment, it is obvious that a number of vulnerable systems are likely to be available for the criminals to exploit.

While this is a weird and interesting technique, it did give me some reminders about just how creative and ambitious criminals can be. Even extending that into Information Security, it never ceases to amaze me how creative people will get to steal. Spend some time today thinking about that. What areas of your organization might be vulnerable to novel attacks? Where are the areas that a single failure of a security control could cause immense harm? Make a note of those, and include them in your next risk assessment, pen-test or threat modeling exercise.

Don’t forget, that just like the inventors of Plofkraa”, attackers around the world are working on the odd, novel and unexpected attack vector. Vigilance is a necessary skill, and one we need more of, in infosec. As always, thanks for reading, and stay safe out there! 

Spend Your First Hour Back the Right Way – Go Malware Hunting!

So, you’ve been out of the office for a quick holiday break or vacation. Now you face a mountain of emails and whole ton of back-logged tasks. Trust me, put them aside for one hour.

Instead of smashing through emails and working trouble tickets, spend an hour and take a look around your environment – go hunting – target malware, bots and backdoors. At a macro level, not a micro level. Were there an abnormal number of trouble tickets, outbound connections, AV alerts, IDS and log entries while you were gone? What does egress look like during that period? Were there any abnormal net flows, DNS anomalies or network issues that would indicate scans, probes or tampering on a larger scale?

Spend an hour and look for high level issues before you dig into the micro. Read some logs. See what might be getting lost in your return to work overwhelm. It is not all that uncommon for attackers to use holidays and vacations as windows of opportunity to do their nasty business.

Don’t fall victim to the expected overwhelm. Instead, use it as a lens to look for items or areas that correlate to deeper concerns. You might just find that hour invested to be the one that makes (or breaks) your career in infosec.

Good luck and happy hunting!

PS – Thanks to Lee C. for the quick edits on 7/4/14.

CMHSecLunch is July 14th @ Tuttle Mall

Just a quick reminder to save the date for CMHSecLunch this month. It is July 14th at 11:30am at the Tuttle Mall Food Court. We are usually pretty close to the giant germ ball fountain, and the Tuttle event is usually pretty well attended. 

Come out and beat the summer heat, hang out, meet old and new friends and have some food.

We hope to see you there! 

As always, you can RSVP if desired (not needed) or learn more by clicking here. 

Bring a friend, attendance is FREE and open to everyone!

Touchdown Task for June: Document Cleanup

With the beginning of a new fiscal year on the immediate horizon for many, it reminds us that it’s time to clean up our books and our filing. And by that we mean both our digital and physical files! If you don’t already have a written document retention policy, one needs to be drafted. It should be tailored to your business needs and meet the requirements identified in local, state or federal laws and regulations that apply to your particular industry. 

As a part of your document retention plan, you will establish a document retention schedule of what to keep and for how long. Once you have this identified, it’s time to dive into the files, both paper and electronic, to see what should be properly destructed. 

It is critical that paper documents are either incinerated or shredded. Electronic files must be properly sanitized and purged. Purging can be accomplished a variety of secure erasing tools. A quick Google will turn up several free or low cost solutions. Clearing electronic data is often accomplished by overwriting existing data using software that incorporates a fixed sequence of characters. 
Whatever the processes are that you elect to perform, it is imperative that you stick to the schedule and destroy your documents per your written guidelines in your document retention policy.

Thanks to Teresa West for this post.

The Big Three Part 2: Incident Detection

Did you know that less than one out of five security incidents are detected by the organization being affected? Most organizations only find out they’ve experienced an information security incident when law enforcement comes knocking on their door, if they find out about it at all, that is. And what is more, security compromises often go undetected for months and months before they are finally discovered. This gives attackers plenty of time to get the most profit possible out of your stolen information, not to mention increasing their opportunities for further compromising your systems and the third party systems they are connected to.

Of the Big Three strategies for fighting modern cyber-crime, (incident detection, incident response and user education and awareness), incident detection is by far the hardest one to do well. This is because information security incident detection is not a simple process. No one software package or technique, no matter how expensive and sophisticated, is going to detect all security events (or even most of them to be completely honest). To be just adequate to the task, incident detection requires a lot of input from a lot of systems, it requires knowledge of what’s supposed to be on your network and how it works, it requires different types of security incident detection software packages working together harmoniously and, most importantly, it requires human attention and analysis.

First of all, you need complete sources of information. Even though it can seem to be overwhelming, it behooves us to turn on logging for everything on the network that is capable of it. Many organizations don’t log at the workstation level for example. And you can see their point; most of the action happens at the server and database level. But the unfortunate reality is that serious security compromises very often begin with simple hacks of user machines and applications.

Next, you need to be aware of all the software, firmware and hardware that are on your network at any given time. It is very difficult to monitor and detect security incidents against network resources that you aren’t even aware exist. In fact, I’ll go a step further and state that you can improve your chances of detection significantly by removing as much network clutter as possible. Only allow the devices, applications and services that are absolutely necessary for business purposes to exist on your network. The less “stuff” you have, the fewer the attack surfaces cyber-criminals have to work with and the easier it is to detect security anomalies.

The third thing that helps make information security incident detection more manageable is tuning and synchronizing the security software applications and hardware in your environment. We often see organizations that have a number of security tools in place on their networks, but we seldom see one in which all of the output and capabilities of these tools have been explored and made to work together. It is an unfortunate fact that organizations generally buy tools or subscribe to services to address particular problems that have been brought to their attention by auditors or regulators. But then the situation changes and those tools languish on the network without anyone paying much attention to them or exploring their full capabilities. Which brings to the most important factor in security incident detection: human attention and analysis.

No tool or set of tools can equal the organizational skills and anomaly detection capabilities of the human brain. That is why it is so important to have humans involved with and truly interested in information security matters. It takes human involvement to ensure that the security tools that are available are adequate to the task and are configured correctly. It takes human involvement to monitor and interpret the various outputs of those tools. And it takes human involvement to coordinate information security efforts among the other personnel employed by the organization. So if it comes down to spending money on the latest security package or on a trained infosec professional, I suggest hiring the human every time! 

—Thanks to John Davis for this post!

3 Tips for BYOD

I wanted to take a few moments to talk about 3 quick wins you can do to help better deal with the threats of BYOD. While much has been said about products and services that are emerging around this space, I wanted to tack back to 3 quick basics that can really help, especially in small and mid-size organizations.

1. Get them off the production networks - an easy and often cheap quick win is to stand up a wireless network or networks that are completely (logically and physically) separated from your production networks. Just giving folks an easy and secure way to use their devices at the office may be enough to get keep them off of your production networks. Back this up with a policy and re-issue reminders periodically about the “guest network”. Use best practices for security around the wifi and egress, and you get a quick and dirty win. In our experience, this has reduced the BYOD traffic on production segments by around 90% within 30 days. The networks have been built using consumer grade equipment in a few hours and with less than $500.00 in hardware.

2. Teach people about mobile device security – I know, awareness is hard and often doesn’t produce. But, it is worth it in this case. Explain to them the risks, threats and issues with business data on non-company owned devices. Teach them what you expect of them, and have a policy that backs it up. Create a poster-child punishment if needed, and you will see the risks drop for some time. Keep at it and it just might make a difference. Switch your media periodically – don’t be afraid to leverage video, audio, posters, articles and emails. Keep it in their face and you will be amazed at what happens in short term bursts.

3. Use what you already have to your advantage – There are hundreds of vendor white papers and configuration guides out there and it is quite likely that some of the technologies that you already have in place (network gear, AD Group Policy Objects, your DHCP & DNS architectures, etc.) can be configured to increase their value to you when considering BYOD policies and processes. Quick Google searches turned up 100’s of Cisco, Microsoft, Aruba Networks, Ayaya, etc.) white papers and slide decks. Talk to your vendors about leveraging the stuff you already have in the server room to better help manage and secure BYOD implementations. You might save money, and more importantly, you might just save your sanity. :)

BYOD is a challenge for many organizations, but it is not the paradigm shift that the media and the hype cycle make it out to be. Go back to the basics, get them right, and make rational choices around prevention, detection and response. Focus on the quick wins if you lack a long term strategy or large budget. With the right approach through rapid victories, you can do your team proud!

The Big Three

Information security techniques certainly are improving. The SANS Top Twenty Critical Controls, for example, are constantly improving and are being adopted by more and more organizations. Also, security hardware devices and software applications are getting better at a steady rate. But the question we have to ask ourselves is: are these improvements outpacing or even keeping up with the competition? I think a strong argument can be made that the answer to that question is NO! Last year there were plenty of high profile data loss incidents such as the Target debacle. Over 800 million records were compromised that we know of, and who knows how many other unreported security breaches of various types occurred?

So how are we going to get on top of this situation? I think the starkly realistic answer to that question is that we arent going to get on top it. The problem is the age old dilemma of defense versus attack; attackers will always have the advantage over entrenched defenders. The attackers know where you are, what you have and how you defend it. All they have to do is figure out one way to get over, under or around your defenses and they are successful. We, on the other hand, dont know who the attackers are, where theyre at or exactly how they will come at us. We have to figure out a way to stop them each and every time a daunting task to say the least! Sure, we as defenders can turn the tables on the information thieves and go on the attack; that is one way we can actually win the fight. But I dont think the current ethical and legal environment will allow that strategy to be broadly implemented.

Despite this gloomy prognosis, I dont think we should just sit on our hands and keep going along as we have been. I think we should start looking at the situation more realistically and shift the focus of our efforts into strategies that have a real chance of improving the situation. And to me those security capabilities that are most likely to bear fruit are incident detection, incident response and user education and awareness; the Big Three. Over the next several months I intend to expand upon these ideas in a series of blog posts that will delve tactics and means, so stay tuned if this piques your interest! 

Thanks to John Davis for writing this entry.

SoS Video Post Number 1: TigerTrax M&A & Threat Intel

Today, we started trying to record our first attempt at a video blog post. Check it out and let us know what you think.

You can download it from here.

As always, thanks for reading, listening or watching… Stay safe out there! 

You can give us feedback, jeers or encouragement on Twitter (@lbhuston or @microsolved).

How I learned to quit worrying and love the NSA

 

And I have….

The film “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb” is a 60′s era satire on the cold war. A fantastic Peter Sellers / Stanley Kubrick film that I heartily recommend.

Armageddon is unleashed and the world is about to be fried by automatic nuclear retaliation doomsday devices.

But for some there is a positive spin. Quoting from the Wikipedia article:

 

“..within ten months of the activation of the doomsday device, the surface of the earth will be uninhabitable. Dr. Strangelove recommends that the President gather several hundred thousand people, with a female-to-male ratio of 10 to 1, to live in deep mineshafts in order to escape the radiation, and to then institute a breeding program to allow the United States to repopulate the surface after a hundred years have passed.”

So – an alternate definition of the 1% (male, of course) who may have reason to “love” the bomb.

I was at a recent ISSA conference here in Columbus, Ohio and of course the topic of NSA spying activities came up in one of the presentations. And of course they are frightening – particular to me as an American with a fundamental belief in personal privacy and individual rights. The notion of an American agency with a pervasive presence in network infrastructure around the planet was unsettling.

But then I thought of Dr. Stangelove… and Rhode Island and Alabama.

Imagine if every coastal state of the United States was independently responsible for coastal defense.

Texas’s navy would be brimming with every conceivable missile, rocket, ship and plane… Rhode Island and Alabama… maybe not so much. As a naval commander planning an invasion I would avoid Texas. After we invaded Alabama we’d work our way over to Texas.

And that’s pretty much where we are as a nation when it comes to cyber-defense.

Like it or not, it may be time to stop worrying and accept that the NSA – or whatever it mutates into – is required in this new world we have hurriedly constructed to coordinate the defense of America’s Internet boundary. By that I mean pervasive monitoring for cyberattack, and federal building and zoning codes for all new construction.

The concept of “nation” is being redefined – it extends beyond the physical frontier. If we do not rely on a central agency to coordinate the defense of our new frontier…. well, they’ll always be an Alabama or Rhode Island. Or maybe an HVAC vendor with unintended access to your point of sale systems.

So quit worrying and accept the fact that the “pornography delivery system” of the Internet that has now evolved into something we have made integral to our lives requires a national defense organization.

Put on your cowboy hat, America, and embrace your fear. Learn to love the NSA.

To quote Slim Pickens in Dr. Stangelove as he makes that grand nuclear descent….. Yee Haw!

Dr._Strangelove_-_Riding_the_Bomb

 Note: Looks like the title I chose is something of a pre-existing meme.

Google: “How I learned to quit worrying and love the NSA”

The hive mind resonates.