December 22, 2024

Linux Foundation to Host Open Encryption Project

Posted on April 9, 2015 by in Security

Linux Foundation to Host Let’s Encrypt, Project to Bring Free SSL Certs to Websites

An Internet where most websites use security certificates and encrypt data by default is no longer just a dream. A consortium of Internet and technology companies and organizations are banding together to make it easier for website owners to obtain and setup security certificates.

The Let’s Encrypt project is a free and automated security certificate authority which will simplify the process of obtaining a security certificate for websites, the Linux Foundation and the Internet Security Research Group said Thursday. It’s increasingly clear the only way to have reliable security online is to have every website be encrypted, served over Transport Layer Security (TLS), so that people’s information is protected from snoops, the Linux Foundation said. The goal is to make it easier for website owners to apply for and install a security certificate on their domains.

Let's Encrypt Logo“Encryption should be the default for the web,” Josh Aas, executive director of ISRG, told SecurityWeek. Let’s Encrypt will help “increase TLS usage on the Web,” he said.

Data such as login credentials, financial information, browser cookies, and other types of sensitive or personal information travel from user computers to websites, or across multiple websites. All this information can easily be intercepted by eavesdroppers, but not if the Web application encrypts the information before sending it through the network. “A secure Internet benefits everyone,” Jim Zemlin, executive director at The Linux Foundation, told SecurityWeek.

Let’s Encrypt takes the world a step closer to a time when more websites would use a certificate and TLS would be the default across the Web, rather than the present where most sites do not even have a valid certificate, Aas said. The free and simple process should take no longer than a few minutes to complete.

Currently, it is difficult for website owners to obtain the certificate because the process may be too complicated or too expensive. Owners may also be overwhelmed with different types and not know which one to pick, Aas said. Let’s Encrypt automates the process so that certificates are issued automatically. Let’s Encrypt will also manage the certificate, so that if the certificate is nearing its expiration date, the system will handle renewals. There was no reason renewing a certificate had to remain a manual process. Let’s Encrypt will also handle installation and configuration on supported servers, which will likely handle most major server software, so that there will be no misconfigured certificates deployed on servers, Aas said.

Let’s Encrypt will be issuing Domain Validation certificates since this type of certificate can be automatically issued and managed, Aas said. Other types of certificates cannot be issued or managed automatically. Let’s Encrypt will also be focusing on elliptic curve cryptography—ECC—because it is the most effective at protecting online users today, he said.

Let’s Encrypt will be working closely with major hosting providers to offer TLS to all customers, following a model similar to what CloudFlare currently does for its customers, Aas said. Any CloudFlare customer has access to SSL certificates for their domains, for free. Let’s Encrypt will not be working directly with website owners, but act as the back-end for hosting providers interested in offering free DV certificates to their customers, Aas said. While individual will be able to get a certificate directly from Let’s Encrypt, the bulk of certificates will likely be issued through a major hosting provider.

“While the web has been a part of our lives for decades now, the data shared across networks is still at risk,” Zemlin said in a statement.

The Linux Foundation will host the Internet Security Research Group and Let’s Encrypt as a Linux Foundation Collaborative Project, which are independently funded software projects working on innovative programs which will have wide-ranging benefits and impact across industries, Zemlin said. The sponsor companies include Akamai, Cisco, Electronic Frontier Foundation, and Mozilla as founding Platinum members, IndenTrust as a Gold member, and Automattic (maker of WordPress) as the Silver member.

“By hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world,” Zemlin said in a statement.

Hosting in this context means the Linux Foundation will take on much of the business aspects of running Let’s Encrypt. The Linux Foundation provides the essential collaborative and organizational framework for projects, such as making sure there is money in the bank, hiring and providing benefits to employees, and even setting up a secure data center, so that members of the project can focus on actually building, Zemlin said.

“The Linux Foundation is in the business of supporting brilliant people working on innovative projects,” Zemlin said, noting hundreds of millions of dollars have been invested across various Collaborative Projects.

In this case, ISRG already has made its own arrangements for Let’s Encrypt infrastructure, Aas said, but was careful to note that ISRG is not dismissing the possibility of someday moving to Linux Foundation’s infrastructure.

“We want to build. We don’t want to have to worry about accounting, who is getting paid. I am not good at any of that, but Linux Foundation is,” Aas said, explaining why the relationship works for ISRG.

Let’s Encrypt is not trying to replace traditional certificate authorities. While the project will focus its efforts on getting free certificates out to website owners in a secure and open way, Aas sees the project as something working alongside CAs to get to a world where everyone is using encryption by default.

“The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything, Aas in a statement.

Related: Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy

Subscribe to the SecurityWeek Email Briefing

view counter

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:


SecurityWeek RSS Feed

Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative

Posted on February 14, 2015 by in Security

Obama Signs Executive Order After an Address at Stanford University

During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.

The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.

“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.

Feedback On White House Information Sharing Initiatve

And the feedback begins…

Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:

“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.

An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.

When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”

 Ken Xie, CEO of Fortinet:

“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fulfillne in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”

Nate Fick, CEO of Endgame:

“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”

Tomer Weingarten, CEO of SentinelOne:

“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”

Mike Brown, VP and GM Public Sector for RSA:

“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”

Tal Klein, CMO for Adallom:

“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as its complete, then the value of that research diminishes.

 

I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic  dynamics of the information security market.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.

 

Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”

Marc Gaffan, CEO & Co-Founder of Incapsula:

“President Obama is taking a bold stance be visiting with tech companies in silicon valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”

Ron Gula, CEO, Tenable Network Security:

“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.

Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”

Ryan Shaw, Director of Research and Development at Foreground Security:

“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years.  These challenges include:

· Lack of trust between the parties involved

· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators

· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators

· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”

John Dickson, principal at software security firm Denim Group:

 “There is no mention of increased liability protection for companies in the today’s briefing sheet.  Absent of increased protection, or at least clarity, for the corporate liability question will likely result in a lukewarm reception from industry.  Couple that with remaining post-Snowden doubts that remain over working with government and law enforcement, then you have a potential non-starter here.

The focus on strong privacy and civil liberty protections misses the point here – that’s not hurdle in more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”

Jeff Williams, CTO, Contrast Security:

 “I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves.  I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.

 

However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks.  I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.

The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

 “The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.

 

The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”

Dan Waddell, Director of Government Affairs, (ISC)2:

“It’s important that the American public put this issue into perspective.  As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.

Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia.  CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc.  Everyone shares a common interest: We need to secure information of the people, for the people.”

Chris Wysopal, CTO & co-founder at Veracode:

 “The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses which require more and more intimate data be stored and processed by them.  That is why after many years of security professionals complaining of the lack of SSL usage by majo7r tech companies it wasn’t until the Snowden revelations that it was finally enforced by the big players.  

 

“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.” 

Ken Westin, Security Analyst Tripwire:

“This Order and the informatPion sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. In order to make these initiatives effective, secure and manageable, will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.

The devil is truly in the details, although I believe the spirit and intentions of the Order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.” 

*Additional reporting by Eduard Kovacs

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Complexity is the Enemy of Security

Posted on February 11, 2015 by in Security

We’ve likely all heard the phrase “complexity is the enemy of security” many times. It’s an oft-used sound bite, but what can we learn from this concept to improve our respective security postures? Although there are many angles one could approach this concept from, I’d like to examine it from a security operations and incident response perspective.

Simplicity in Collection and Analysis

Most enterprises instrument their network to collect many different, highly specialized forms of data. For example, an organization may collect netflow data, firewall logs, DNS logs, and a variety of other specialized forms of data. This creates a stream of various different data types and formats that complicates and clouds the operational workflow. Unfortunately, the first question when performing analysis or incident response is often “Where do I go to get the data I need?” rather than “What questions do I need to ask of the data?”

In addition to the variety and complexity of these specialized forms of data, the volume of data they create often overwhelms enterprises. These huge quantities of data result in shorter retention periods and longer query times. This perfect storm of circumstances creates a very real operational challenge.

Security Data Collection

Fortunately, organizations can address this challenge by seeking out fewer, more generalized collection technologies that provides the required level of visibility with greatly reduced complexity and volume. Continuing with the above example, in lieu of many different highly specialized network data sources, an organization could consider one layer 7 enriched meta-data source.

Simplicity in Detection

Wikipedia defines an Indicator of Compromise (IOC) as “an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” Associated contextual information is also usually included along with the artifact and helps an organization to properly leverage the IOC. Context most often includes, among other things, information regarding to which attack stage an indicator is relevant. Attack stages can be broken up into three main families, each of which contains one or more attack stages:

• Pre-infection: reconnaissance, exploit, re-direct

• Infection: payload delivery

• Post-infection: command and control, update, drop, staging, exfiltration

It is well known that many organizations struggle with excessive amounts of false positives and low signal-to-noise ratios in their alert queues. There are several different angles from which an organization can approach this problem, and in fact, I have previously written about some of them. Another such approach, which can be used in combination with the others, is to go for the “money shot”.

At some point, when an organization wants to watch for and alert on a given attack, intrusion, or activity of concern, that organization will need to select one or more IOCs for this purpose. Going for the “money shot” involves selecting the highest fidelity, most reliable, least false-positive prone IOC or IOCs for a given attack, intrusion, or activity of concern. For example, if we look at a typical web-based re-direct attack, it may involve the following stages:

• Compromise of a legitimate third party site to re-direct to a malicious exploit site

• Exploitation of the system from the malicious exploit site

• Delivery of the malicious code

• Command and control, along with other post-infection activity

Although it is possible to use IOCs from all four of the above attack stages, using IOCs from the first three stages presents some challenges:

• Compromised legitimate third party sites likely number in the millions, meaning we would need millions of IOCs to identify just this one attack at this stage. Further, there is no guarantee that the attempted re-direct would succeed (e.g., if it were blocked by the proxy). An unsuccessful re-direct means that there was no attempt to exploit. In other words, for our purposes, a false positive.

• Exploits don’t always succeed, and as such, alerting on attempted exploits can often generate thousands upon thousands of false positives.

• If we see a malicious payload being delivered, that is certainly of concern. But what if the malicious payload does not successfully transfer, install, execute, and/or persist? We have little insight into whether a system is infected, unless of course, we see command and control or other post-infection activity.

Command and control (C2) and other post-infection activity, on the other hand, is always post-infection. That means that if we can distill a high fidelity, reliable IOC for this attack stage, we can identify malicious code infections immediately after they happen with a very low false positive rate. Obviously, preventing an attack is always preferable, but as we all know, this is not always possible. The next best option is timely and reliable detection.

Simplicity in O&M

When people began moving from the cities to the suburbs in the post-war United States in the 1950s, new infrastructure was built to serve the shifting population. The infrastructure served its population well for 50 years or so, until the 2000s, when the physical lifetime of water mains, electric power lines, and other infrastructure was reached. What people quickly realized is that although money and resources had been allocated to build and deploy infrastructure, money and resources had not been allocated to operate and maintain the infrastructure for the long term. In other words, O&M would be required to repair or replace the aging infrastructure, but the resources for that O&M would have to be found elsewhere.

Similarly, in the information security realm, as new business needs arise, new security technologies are often deployed to address them. Enterprises often forget to include O&M when calculating total cost. Another way to think of this is that each new security technology requires people to properly deploy, operate, and maintain it. If head count were increased each time a new security technology was deployed, the model would work quite well. However, as those of us in the security world know, head count seldom grows in parallel with new business needs. This presents a big challenge to the enterprise.

O&M cost (including the human resources required to properly deploy, maintain, and operate technology) is an important cost to keep in mind during the technology lifecycle. O&M cost is a large part of the overall cost of technology, but it is one that is often overlooked or underestimated. In an effort to lower total overall O&M costs, and building on the collection and analysis discussion above, it pays to take a moment to think about the purpose of each technology. Is this specific technology a highly specialized technology for a highly specialized purpose? Could I potentially retain the functionality and visibility provided by several specialized technologies through the use of a single, more generalized technology?

If the answer to these two questions is yes, it pays to think about consolidating security technologies through an exercise I like to call “shrinking the rack”. Shrinking the rack can be a great option, provided it doesn’t negatively affect security operations. Fewer specialized security technologies mean fewer resources to properly deploy, maintain, and operate them. That, in turn, means lower overall O&M costs. Lower O&M costs are always a powerful, motivating factor to consider.

The concept of simplicity is one that we can apply directly to security operations and incident response. This piece touches on just some of the variety of lessons we can learn from this topic. Although the phrase “complexity is the enemy of security” is a popular sound bite, if we dig a level deeper, we see that there is a great deal we can learn from the concept.

Subscribe to the SecurityWeek Email Briefing

view counter

Joshua Goldfarb (Twitter: @ananalytical) is Chief Security Strategist of the Enterprise Forensics Group at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and a M.Eng. in Operations Research and Information Engineering from Cornell University.

Previous Columns by Joshua Goldfarb:


SecurityWeek RSS Feed

What CISOs, InfoSec Pros Have on Their 2015 Wish Lists

Posted on January 7, 2015 by in Security

CISO Wish List for 2015

Security experts weigh in on what they would like to see in 2015 to make their jobs wrangling users, infrastructure, and data easier.

The new year ahead is a good time to reflect on what infosec professionals need to keep users and data safe—before the inevitable race to stay ahead of the crises and firefighting begins in earnest. In previous years, SecurityWeek asked experts to talk about their security resolutions. This year, security experts weigh in on their 2015 wish list—things they would like to see happen in their organization and the security industry as a whole.

Information security is a tough job. There is an element of fortune telling to figure out where the next threats will come from, as well as continuous gate keeping to monitor everything that comes in and out of the organization.

Intent and motives matter, since the same action can be malicious, negligent, or benign based on the circumstances. Locking things down annoys users, so there has to be controls in place to let users do what they want while still maintaining a certain level of protection. When something goes wrong, such as the case of a failed compliance audit, regulatory investigation, data breach, cyber-attack, or data theft, there is always finger pointing and recriminations.

Faced with these challenges, what do CSOs/CISOs, information security practitioners, and other experts wish for? The gamut of responses ranged from the serious (implementing new controls) to humorous (a time machine). At the heart of all the responses was the recognition that security is visible and their jobs are on the line when things go wrong.

“If I was a practicing CISO right now, the very first thing on my wish list would be a ‘keep me from getting fired’ gift card,” said Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security and the former CISO of Provident Health and Services. The card would be something CISOs can hand to the CEO after the inevitable attack, breach and theft of critical assets and say, “can’t fire me this time,” he said.

CISOs should demand access to the CEO and support of the senior executives in the company to define and protect the crown jewels, said Renee Guttmann, vice president of information risk management and member of the Accuvant Office of the CISO. Most CISOs want more attention and funding from the executive team—and a seat at the executive table to provide updates periodicall, said Guttmann, who formerly served as CISO at Coca-Cola. CISOs also want to be recognized as playing as critical a role within the organization as the CFO or COO.

CISO Board Access

“In 2015, CISOs will be asking for a corner office, with a view,” said Michael Daly, the CTO of Cybersecurity & Special Missions at Raytheon.

Talking to a Board Which ‘Gets’ Security

Most CISOs would love to switch the conversation with the board of directors from the whys of security to the hows. Even after the past year of almost non-stop breaches, it’s clear that the need to proactively implement good security is poorly understood—or simply ignored—at the highest levels of business, said Geoff Webb, senior director of solution strategy at NetIQ.

“If I could give every CISO on the planet a New Year’s wish, it would be to have that conversation changed from ‘Why should I invest in security’ to ‘How do we get the job done,’” said Webb.

CISOs want the support of their executive management to put in place the level of security consistent with the amount of risk the organization is willing to accept, said Marc Maiffret, CTO of BeyondTrust.

> Request an Invitation to the 2015 CISO Forum

Having the Industry Step Up

Several of the experts expressed their frustration on the state of the information security industry. “It’s clear that after Target, JPMC, Sony and many other highly publicized, massive attacks perpetuated in 2014, the industry needs new tools to find these attackers before they are able to successfully complete their damage,” said Mike Mumcuoglu, CTO and co-founder of LightCyber.

For years, CISO have been promised more effective security technology was on the way, and that they just needed to spend “just a little bit more” to significantly improve their security. “It hasn’t quite worked out the way it’s been promised,” said Ken Levine, CEO of Digital Guardian. CISOs should be asking for technology that works better than what’s been delivered to date for a price that reflects its actual value, he said. And that doesn’t mean yet another piece of technology blasting millions of alerts since it’s not possible to process them all.

“Memo to the security industry, giving me hundreds of thousands, if not millions of alerts is about as effective as giving me none,” Levine said. “Will you please tell me which alerts I need to worry most about!”

There is a lot of conversation about security analytics, but it’s still just a lot of promises and not enough reality. “This is all vendor hype as none of the technologies integrate enough of the products in my environment to make the data useful without me having to put asterisks next to the data in my presentations,” said Mike Davis, CTO of CounterTack.

It would be nice to have security reports that show the state of the organization that “don’t put people to sleep,” said Gil Zimmermann, CEO and co-founder of CloudLock.

It’s not just technology that needs to change—the way the industry treats standards also need to change as well, so that standards are actually treated as something that works across platforms and organizations. “Too many standards that aren’t interoperable between products prevents me from deploying different tools,” Davis said.

Along with standards, the industry needs to define security and risk metrics for making informed decisions and managing a security program. Other c-level executives have a set of metrics they can use to explain what they are doing and what the effects to the business are. At the moment, there is no consensus on key performance indicators or a widely adopted set of quantifiable metrics, so cyber-security decisions are “perceived as mere guess work by boards of directors and other corporate executives,” said Jonathan Trull, CISO of Qualys and former CISO of Colorado. The lack of trust in CSOs and security community as a whole is a major barrier to obtaining additional funding and resources.

“CISOs must be able to answer the question: For x amount of money spent on cyber security, what will be the return?” Trull said.

Cool Tools That Need to Exist

Along with asking for better security technology to make the day-to-day operations as well as overall risk management possible, security professionals have their own list of products that would make their jobs easier—and more fun.

Zimmerman said a “one-year paid membership to tech gadgets of the month club” would be a good thing for a CISO to have.

“A time machine so I can go back in time and make a bunch of different investment choices,” said Core Security’s Cowperthwaite.

“’X-Ray Data Goggles’ to give me a deep look into the network to determine where my critical or sensitive data is, what assets support the data, and what controls keep the data safe,” said Arlie Hartman, a consultant at Rook Security.

“’Information Security Pocket Translator’ to refine my message to the board, to speak their language, and enable the business to work within acceptable risks,” said Randy Wray, a consultant with Rook Security.

Having Necessary Tools on Hand

CISOs want to be able to proactively track specific adversaries as they “walk” their way through the network, said Rick Howard, CSO of Palo Alto Networks. By identifying indicators of compromise as part of an attack, CISOs will be able to determine their response. “In my perfect fantasy world, I would like to be able to track adversaries — criminals, spies, hacktivists, and ankle biters — by watching for sets of Indicators of Compromise at every link in the Kill Chain,” he said.

CISOs need the attacker profile, not the actual identity. If the attacker is a spy out to steal mergers and acquisitions documents, and those documents are on the organization’s network, then the internal security team should be on high alert. Otherwise, the team can deal with the threat without turning this into an emergency firefighting situation, he said.

Failing that perfect scenario, CSOs and CISOs should have technology configured correctly—oftentimes organizations discover too late the settings they thought they were getting weren’t turned on when the technology was initially turned on. “We spend gazillions of dollars to buy the latest and greatest, and yet fail to squeeze as much efficiency out of it as possible,” said Howard. While it may be more interesting to talk about nation-state attacks, CSOs need to focus on device configuration. “We should at least get that right before we move on to the sexy stuff.”

Target has set a very public precedent for financial liability in the case of a targeted attack on personal financial information. As a result, every major financial, retail, and online entity will be looking into cyber-insurance, said Mike Mumcuoglu, CTO and co-founder of LightCyber. Cost-effective data breach insurance will be on many CISO wish lists this year, he said.

Effective Collaboration With Others

Security is much more visible in that people are more aware and pay attention when something goes wrong, but it’s not yet viewed as a joint effort. There is still the sense that users do their own thing while the security folks in the backroom keep things humming. There needs to be formal agreements between business, IT, and security teams to integrate information security into the process instead of treating it as an add-on commodity, said Chris Blow, a consultant with Rook Security.

“It would be nice to have an IT team and user base that cares about security as much as the security team,” Zimmermann said. “Or being included in conversations about new technology developments, purchases, or deployments before final decisions are made.”

It would also help the CSO to have “better clarity from legal on what a breach is, what an incident is, and what we can safely ignore,” Davis said.

IT should “actually follow the security guidelines we built instead of always getting a risk waiver,” added Davis. The waiver means IT essentially says it understands the risks and doesn’t have to implement the proper controls or take specific tasks to resolve an issue. This doesn’t help the organization’s overall security. Vendors also need to think about security—whether it’s in their software development cycle, the patching system, or even maintaining their cloud infrastructure. “Tired of getting vendor software that isn’t secure and I can’t make secure,” he said.

Speaking of software development, proper tools are critical. All developers should have security training so that they think about security right from the design phase, said Steven Lipner, chairman of SAFECode and partner director of program management at Microsoft’s Trustworthy Computing group. Each developer in the organization should receive a full toolbox for static analysis, current compilers, and fuzzing tools to build code that contains even fewer vulnerabilities, and make it even harder to exploit any that remain, he said.

Legions of Experienced Folks

The biggest challenge for CISOs is not fighting for the ideal infosec budget, but finding and hiring employees with necessary skills and experience. CISOs want a “proper staff” of experienced and knowledgeable security professionals and are looking for the right people to handle the security fundamentals, Maiffret said.

CISOs want to hire staff who are focused on analytics and risk, not just running firewalls, Cowperthwaite said. This echoed CounterTack’s Davis, who noted that universities tend to focus on network security, not realizing that network security is not the same as IT security.

“It is only one slice of the problem,” Davis said.

Turning Wishes into Reality

As the old saying goes, “If wishes were horses…” CISOs may have a long list for what they would like to see, but they can’t just sit back and wait for their wishes to be granted. CISOs should make a New Year’s resolution to become a corporate business leader, said Trull. CISOs need to become more integrated into c-suite conversations, focus on the integration between DevOps and security teams, learn the business and understand the financials, and learn to speak the language of other executives including the ability to calculate and demonstrate a return on investment for cybersecurity spending.

Security leaders must align themselves more closely to business strategy and “operationalize on the fundamentals of good IT,” said Rafal Los, director of solutions research and member of the Accuvant Office of the CISO. The goal is to get business leaders to see security as a strategic asset and not a drag on the budget.

CISOs must “resolve to be more than a technical security professional and to take responsibility for making difficult risk-benefit decisions that drive the business forward,” Trull said.

All of these wish list items sounded reasonable, but there was a sense of frustration among security experts about the obstacles in their way. The technology was not available, other C-suite executives and the board remained uninterested, or the integration with IT was too tense. Would 2015 be the year when information security professionals would get a seat at the table and be able to work with the organization to improve security?

If the wish list items were too much to ask for, “would you consider coming up with some sort of solution that would allow CISOs to take Sundays off?” Levine said.

Related Event: Request an Invitation to the 2015 CISO Forum

Subscribe to the SecurityWeek Email Briefing

view counter

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:


SecurityWeek RSS Feed

Industry Reactions to Devastating Sony Hack

Posted on December 5, 2014 by in Security

The systems of entertainment giant Sony have been hacked once again, and although the full extent of the breach is not yet known, the incident will likely be added to the list of most damaging cyberattacks.

Feedback Friday for December 5, 2014

A group of hackers called GOP (Guardians of Peace) has taken credit for the attack and they claim to have stolen terabytes of files. Sony admitted that a large amount of information has been stolen, including business and personnel files, and even unreleased movies.

On Friday, security firm Identity Finder revealed that the attackers leaked what appears to be sensitive personal data on roughly 47,000 individuals, including celebrities.

North Korea is considered a suspect, but the country’s officials have denied any involvement, and Sony representatives have not confirmed that the attack was traced back to the DPRK.

Researchers from various security firms have analyzed a piece of malware that appears to have been used in the Sony hack. The threat is designed to wipe data from infected systems.

The FBI launched an investigation and sent out a memo to a limited number of organizations, warning them about a destructive piece of malware that appears to be the same as the one used in the attack against Sony.

Some experts believe the FBI sent out the alert only to a few organizations that were likely to be affected. Others have pointed out that the FBI doesn’t appear to have a good incident response plan in place.

And the Feedback Begins…

Cody Pierce, Director of Vulnerability Research at Endgame:

“The latest FBI ‘flash’ report warning U.S. businesses about potentially destructive attacks references malware that is not highly advanced. Initial reports associate the alert with malware that overwrites user data and critical boot information on the hard drive, rendering the computer effectively useless. Based on analysis of the assumed malware sample, no technology exists within the sample that would warrant a larger alert to corporations. Additional information, either present in the malware–like IP address or host information–or during the investigation, also likely made it clear who required advance notification. Because of the malware’s low level of sophistication as well as the reportedly targeted nature of the attacks, it is entirely reasonable that the FBI would only inform a small number of companies.

The goal of these coordinated alerts is to raise awareness to the most likely targets so that they can ensure their security readiness, without unnecessary burden to those unlikely to be affected. In this case, because the malware is targeted and not sufficiently advanced, the FBI’s approach is justified. Conversely, in the event that more sophisticated malware or a new attack vector had been discovered, greater communication would have been necessary. Based on the information available, the FBI made the right decision in issuing this particular alert.” 

Mark Parker, Senior Product Manager, iSheriff:

 “For many organizations in the midst of breach investigation, decisions are often made very quickly. Without the luxury of planning meetings and impact analysis, some of the things are done in a ‘from the cuff’ manner based upon the evidence in hand, which may in fact be incomplete. In the case of the FBI memo that was sent out, it was done in a manner that was clearly done hastily. The threat posed by the malware was significant and a quick decision was made to send out an alert.

 

While I wasn’t in the room, I am fairly certain from having been in similar rooms, and in similar situations, that a list of who should receive the alert was not a very long conversation, and the point was to get the information out as soon as possible. What this demonstrates is that both Sony and the FBI do not have a good incident response plan in place for this type of incident. All organizations should have an incident response plan in place that lays out this sort of information in advance so that time is not spent on such issues. A clear process for key decisions is a very important part of any incident response plan, as is a list of who should be contacted in different situations.”

Steve Lowing, Director of Product Management, Promisec:

“Given that Sony Pictures is releasing a movie next month that satirizes assassinating North Korea’s supreme leader Kim Jong-Un, and after learning about this release last June declared war on the company, it’s widely held that the North Korean government is behind the attack. It’s likely that this is true at least at a sponsorship level given the number of attacks on South Korean banks and various businesses over the course of the last year, with the likely attackers being the country’s cyber warfare army known as unit 121.

Unit 121 is believed to be operating out of a Shenyang China luxury hotel giving them easy access to the world with being an arm’s reach from North Korea. The main reason for this is China’s close proximity to North Korea, North Korea’s almost non-existent internet access and China’s far superior network and cyber hacking resources. This is yet another example of State sponsored hacktivism targeting companies directly.”

Jonathan Carter, Technical Director, Arxan Technologies:

“So far, the evidence seems to suggest that the Sony hack was accomplished via execution of malicious malware. Hackers typically conduct these attacks by somehow tricking the user into executing something that is malicious in nature from within a system that is sensitive in nature. The recent iOS Masque and WireLurker vulnerabilities clearly illustrate that the delivery and execution of malicious code can take some very clever approaches. In light of these recent revelations, it is reasonable to expect to see a rise in distribution of malware (disguised as legitimate B2E apps that have been modified) via mobile devices owned by employees that have access to sensitive backend systems.”

Vijay Basani, CEO of EiQ Networks:

“It is possible that the hackers accessed not only unreleased movies, but also gained access to user accounts, celebrity passport details, sensitive trade secrets and know how. This demonstrates that in spite significant investments in traditional and next-gen security technologies, any network can be compromised. What is truly required is a total commitment from the senior management to building a comprehensive security program that delivers pro-active and reactive security and continuous security posture.”

Craig Williams, Senior Technical Leader and Security Outreach Manager for Cisco’s Talos team: 

“The recent FBI ‘flash alert’ was published covering the dangers of a new wiper Trojan that has received quite a bit of media attention. There are a few key facts that seem to be overlooked by many of the early news accounts of this threat:

Cisco’s Talos team has historic examples of this type of malware going back to 1998.  Data *is* the new target, this should not surprise anyone – yet it is also not the end of the world.  Recent examples of malware effectively “destroying” data – putting it out of victims’ reach – also include Cryptowall, and Cryptolocker, common ransomware variants delivered by exploit kits and other means.

Wiping systems is also an effective way to cover up malicious activity and make incident response more difficult, such as in the case of the DarkSeoul malware in 2013.

Any company that introduced proper back-up plans in response to recent ransomware like Cryptolocker or Cryptowall should already be protected to a degree against these threats detailed by the FBI.  Defense-in-depth can also detect and defeat this type of threat.”

Carl Wright, general manager at TrapX Security:

“The FBI and other national government organizations have an alerting process that we are sure they followed to the letter. It is important for them to provide an early warning system for these types of attacks, especially in the case of the Sony breach, because of the severe damage that could ultimately be used against our nation’s critical infrastructure.

Timely information sharing must be completely reciprocal in nature, meaning, corporations also have to be willing to share their cyber intelligence with the government.

 

When we look at the significant incidents of 2014 and in particular Sony, we see that most enterprises are focusing efforts and investments on breach prevention. 2014 has clearly highlighted the need for corporations and government to include additional technological capabilities that better detect and interdict breaches before they can spread within an organization.”

Ian Amit, Vice President, ZeroFOX:

“The Sony breach is a tricky situation. How it occurred is still up for debate – possibly nation state? Possibly an insider? Possibly a disgruntled employee? Regardless, it’s clear the breach goes very deep. It has gotten to the point that Sony is outright shutting down its network. This means even the backups are either nonexistent or compromised, and the hackers likely got just about everything, making this one of the worst breaches ever at an organization of this size. The attack touches anyone involved with Sony – auditors, consultants, screenwriters, contractors, actors and producers. The malware might be contained on Sony’s servers, but the data loss is much further reaching. Make no mistake, this breach is a big one.

I am skeptical this attack is nation state-level attack. The idea that North Korea is retaliating against Sony for an upcoming film is a wildly sensationalist explanation. Hackers regularly cover their trails by leaving red herrings for the cleanup crew – indications that the Russians, Chinese, Israelis, North Koreans and your grandmother were all involved. A small script of Korean language is hardly damning evidence. Code can be pulled from a variety of sources and there is no smoking gun (yet) in the case of the Sony breach.”

Oliver Tavakoli, CTO, Vectra Networks:

“Any malware that destroys its host will have limited impact unless it is part of a larger coordinated attack. One or two laptops being wiped at Sony would be a nuisance, but large numbers of devices being wiped all at once is devastating. The latter style of attack requires an attacker to achieve a persistent network-level compromise of the organization before the wiper malware even becomes relevant.

The information released as part of the FBI alert bears this out. The malware sample detailed in the alert was compiled only days before it was used. This is a strong sign that Sony was compromised well before the time the malware was built, and the wiper malware was the coup de grâce at the end of the breach.

This is particularly significant when evaluating the FBI alert. Sharing indicators of compromise (IoC) is a good thing, and the industry needs more of this sharing. But we need to keep in mind that these particular indicators represent the absolute tail end of a much longer and widespread attack. In fact, some of the IoCs detailed in the alert are only observable once the wiper malware has begun destroying data. Obviously, this sort of indicator is much too late in the game, but too often is the only indicator that is available. What the industry needs badly are indicators of attack that reveal the compromise of the organization’s network at a point when security teams can still prevent damage.”

Kenneth Bechtel, Tenable Network Security’s Malware Research Analyst:

 “This type attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheet. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future.”

Jon Oberheide, CTO, Duo Security:

“I don’t believe that the limited distribution of the FBI warning was improper. But, I think the scope and focus on data-destroying malware was a bit misguided.

 

Certainly data loss can have a big impact on the operations of a business. We saw that big time back in 2012 with the Saudi Aramco attack by data-wiping malware. But, regardless of whether the data loss is intentional or inadvertent, it’s vital to have proper disaster recovery and business continuity processes in place to be able to recover and continue operation. However, when considering a sophisticated cyber-attack, disaster recovery processes must assume that an attacker has more capabilities and reach than standard inadvertent data loss events. For example, an attacker may have access to your data backup infrastructure and be able to destroy backups as well. So, modern organizations may have to revisit their DR/BC models and take into account these new threat models.

The real impact of the Sony breach is not the destruction of data, but the longer term effects of confidentiality and integrity of their data and infrastructure. Rebuilding all their infrastructure post-breach in a trusted environment is an incredibly challenging and arduous task. The disclosure of credentials, infrastructure, critical assets, employee PII, and even things like RSA SecurID token seeds will have a much longer-term, but more under-the-radar, impact on Sony’s business.

Most importantly, in the modern day, breaches don’t only impact the directly-affected organization, but they tend to sprawl out and negatively impact the security of all organizations and the Internet ecosystem as a whole. A breach doesn’t happen in a vacuum: stolen credentials are re-used to gain footholds in other organizations, stolen source code is used to find vulnerabilities to assist future attacks, and information and experience is gleaned by attackers to hone their tactics, techniques, and procedures.”

Idan Tendler, CEO of Fortscale:

“The traditional concept for security was to keep the most important resources, i.e. the vaults with the cash (or in Sony’s case, films) safe. What we’re seeing with breaches of this magnitude is that the harm now goes far beyond any immediate and limited capital damage. Leaked sensitive information regarding employee salary and healthcare has the potential to cause enormous reputational harm and internal turmoil within a workforce. Revealing that kind of data can lead to jealousy, resentment and distrust among workers and create a very toxic work environment.

With news of passwords to sensitive documents also being leaked, Sony will need to be more vigilant in securing user access to resources by constantly monitoring and analyzing user activity for possible credential abuse.”

Clinton Karr, Senior security specialist at Bromium:

“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shutdown after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the “cat burglary” of Trojan attacks, but much more brute force like a smash-and-grab or straight vandalism.”

Ariel Dan, Co-Founder and Executive VP, Porticor:

“Reporting the technical details of a specific attack is a sensitive topic. Attack details can and will be used by new hackers against new targets. On the other hand, companies can’t do much to defend against a type of attack they know very little about. One relevant example of such a potential attack was around a severe security bug in the Xen virtualization system that exposed cloud users of Amazon Web Services, Rackspace and other cloud providers. The cloud vendors had stealthily patched affected systems, issued a vague notification to their users of an immediate restart action, and only after it was all done was the attack realized and publicized. Reporting the bug prior to fixing the problem would have a devastating effect on cloud users.

 

Back to the Sony attack: I personally believe that reporting the entire details of a security breach can do more harm than good, but there should be a way to communicate enough meaningful information without empowering the bad guys. Blogs like KrebsonSecurity provided additional details, including a snort signature to detect this specific attack. Such data is meaningful for the defender and does not help an attacker. From this information we learned that organizations should embrace an “encrypt everything” approach as we step into 2015. We should be able to guarantee that data is not exposed even if an organization has been infiltrated.”

Tim Keanini, CTO at Lancope:

“I think the question being asked here is a great opportunity to describe the threats of yesterday versus the threats we face today.  In the past, broad advisories on technical flaws were effective mainly because the problem was universal.  Attackers would automate tools to go after technical flaws and there was no distinction between exploitation of a large corporation or your grandmother. If the vulnerability existed, the exploitation was successful.  In the case of Sony, we are talking about a specific adversary (Guardians of Peace) targeting Sony Pictures and with specific extortion criteria.  With this type of advanced threat, warnings sent out by the FBI on the investigation itself will be less prescriptive and more general making its timeliness less of a priority. 

From everything we have seen disclosed so far, it is difficult to assess and advise on the information security practice when some of the flaws exploited seem to suggest very little security was in place.  The analogy would be: it would be hard to assess how the locks where compromised when the doors to host the locks were not even present.   For example, some of the disclosure on reddit earlier in the week suggests that some files named ‘passwords’ were simply in the clear and stored unencrypted in txt and xls files.  The investigation will determine the true nature of all of this speculation but I use this as an example because the FBI could issue a warning every day of the week that said “Don’t do stupid things” and be just as effective.

The lesson learned here is that if you are connected to the Internet in any shape or form, this type of security breach happening to you and your company is a very real risk.  Step up your game before you become the subject of another story just like this.  It would be weird but Sony Pictures should write a movie on how a cybercrime group completely comprised and held an entertainment company for cyber extortion – categorized under non-fiction horror.”

Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi:

“As the FBI, DHS and others investigating the Sony hack work furiously to uncover the details and the threat actors behind this breach, it’s important that we recognize the attack patterns that are right in front of our face: cybercriminals are and will continue to use the same attack blueprint over and over again. Why? Because they use what works.

In April 2011, Sony’s PlayStation Network was breached where asymmetric keys were stolen, compromising the security of 77 million users’ accounts. Now, nearly four years later, Sony is still facing the same threat — only this time it’s directed on Sony Pictures Entertainment. In this latest breach, cybercriminals successfully gained access to dozens of SSH private keys – the same way they stole private keys in the Mask, Crouching Yeti and APT18 attacks. Once these keys are stolen, the attackers can get access to other systems — and then it just goes from bad to worse. It’s critical that incident response and security teams realize that the only way that the attackers can *truly* be stopped from accessing these systems is by replacing the keys and certificates. Until then, they will continue to wreak havoc and cause more damage with elevated privileges, the ability to decrypt sensitive data in transit, and spoof systems and administrators. All it takes is one compromised key or vulnerable certificate to cause millions in damages. Hopefully, Sony will learn its lesson this go round.”

Until Next Friday… Have a Great Weekend!

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Feedback Friday: WireLurker Malware Targets Mac OS X, iOS – Industry Reactions

Posted on November 8, 2014 by in Security

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users. The threat, called WireLurker, has potentially affected hundreds of thousands of users, almost all of them located in China. 

Cybercriminals are distributing the threat by trojanizing OS X apps hosted on third party app stores. The 467 malicious apps uploaded to the Maiyadi App Store have been downloaded more than 350,000 times.

Feedback Friday: WireLurker Malware

Once it infects a Mac, the malware downloads other malicious iOS application to the infected machine. When victims connect their iPads, iPhones or iPods via USB to the infected device, WireLurker installs the downloaded iOS applications onto them. The mobile component of WireLurker is capable of stealing information from infected devices.

The latest version of WireLurker is interesting because it can infect not only jailbroken devices, but also ones that haven’t been jailbroken. The threat can install the malicious iOS apps on non-jailbroken devices by signing them with a stolen code signing certificate.

Shortly after Palo Alto Networks disclosed details on WireLurker, researchers identified an older variant of the threat apparently designed to target computers running Microsoft Windows. 

The command and control servers used by the malware are currently offline and Apple has revoked the certificate used by the malware authors. However, experts believe WireLurker once again shows that Apple devices are not immune to malware.

And the Feedback Begins…

Ian Amit, Vice President of ZeroFOX:

“It’s interesting to see how malware is getting more holistic from an attack vector approach, utilizing technical vulnerabilities and elements, as well as human ones. This isn’t the first malicious code that is designed to “hop” between connected platforms, examples date back to variants such as Stuxnet that infected Windows based computers, which in turn affected Siemens PLCs. This is an interesting turn of events, as Apple’s iPhone is commonly considered a safe platform as long as it isn’t jailbroken.

Beyond the already familiar abuse of social interactions that allow the malware to run in the first place – essentially, having the victim ‘knowingly’ install it, WireLurker also abuses the trust between the victim’s PC and the iPhone connected to it, which grants it full access to the phone and it’s applications – apps can be backed up over USB, then restored to the phone, after the malware has modified them and inserted a backdoor.”

Greg Martin, CTO of ThreatStream:

“Wirelurker is being distributed via a 3rd party app-store called Maiyadi that is out of control of Apple.

The danger with third-party app stores such as Maiyadi is that Apple and Google have no vetting control of what gets added to 3rd party app stores, severely limiting their ability to protect end-users from running malicious apps. In-fact nearly all cases of known malware for the iPhones have originated from 3rd party app stores such as Cydia (App store for jailbroken iPhones) and now new ones like Maiyadi.

Monitoring these 3rd party app stores for malicious apps will become an opportunity for cyber security companies to help provide intelligence back to Apple and Google on what’s happening outside of their control.”

Steve Bell, security consultant, BullGuard:

“The really interesting thing about the WireLurker malware is the scale of the infection and how it is promulgated.  Because of the proprietary nature of Apple devices and the fact that apps are checked for malware before they go into the Apple store users have generally been protected in the past.

However, with an estimated 350,000 downloads of infected apps and the fact that the malware can also transfer via a USB port signals a serious notching up of hacker’s endeavours to hit Apple devices. In the US Apple users tend to stick to the Apple store which is wise. WireLurker shows precisely the danger of downloading apps from unregulated third party stores.

However, the use of a USB port to also transfer malware, while obvious and simple, could be potentially devastating. Without wishing to be alarmist, USB ports are an obvious vulnerability, and it’s not beyond the realms of possibility that hackers might use this to insert Trojans designed to lie dormant for a period. With Apple now putting its considerable weight behind Apple Pay, hackers have serious motivation.”

Carl Wright, General Manager for TrapX Security:

“What has enabled the success of the creators of WireLurker is the concept of transitive trust. This two-way approved relationship automatically created between parties has long been an Achilles heel to security professionals trying to ensure the validity of transactions on a more or less case by case bases.

This recent hack continues to illustrate the trade-off the end users must consider between that of maintaining security of the end point device and innovative new applications that may not be developed or certified by Apple.

In the end, the price may indeed be too extreme for corporations who desire to take advantage of end user BYOD.”

Jared DeMott, Security Researcher with Bromium Labs:

 “People still seem to think malware on the Mac is less likely than on Windows.  If this is true, it’s simply because attackers are less interested in Mac.  The relative attack surface is just as big (similar chance to find and exploit bugs) as on Windows or any other modern operating system.

In fact, my suspicion is that Macs really are exploited more than people realize.  But it’s either typically by better funded attackers, who know how to stay hidden, or because Apple in general does a better job at managing bad security press when compared to Windows.

This particular malware is distributed not in the form of an exploit, but in the form of pirated software.  China in particular, is known to run a lot of illegal software.  Thus, it’s not surprising the Chinese took the brunt of this round, considering the deployment mechanism.”

Mark Parker, Senior Product Manager, iSheriff:

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store.

By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats. The introduction of the mobile phone as a method of payment will increase the potential for attacks. Wherever there is money, there is always going to be Malware built to try to get access to that money.

This approach of using the workstation USB connection to another device could also be used in other “closed system” environments. Examples of this could be physical security system maintenance, or point-of-sale terminals that can only be maintained via a workstation USB connection, or similar method. It is always important to ensure that all workstations, even those of workers off-site, are protected from endpoint, web, and email based attacks at all times. The need for security doesn’t stop when the device leaves the network, especially in cases of workers that will be connecting to these types of devices.”

Kenneth Bechtel, Malware Research Analyst, Tenable Network Security:

 “With a resurgent BlackEnergy now targeting network routers and WireLurker spreading like wildfire across China’s iOS devices, this has been an interesting week to be in the malware business. But the thing to keep in mind is that despite the hype, neither of these threats herald an impending Internet apocalypse, though both deserve to be taken seriously.

WireLurker infects iOS through compromised OS X machines. Following successful malware trends, it is modular and updateable, having 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jail broken iOS devices simply by connecting an iPhone/ iPad/ iPod to a computer to sync the calendar or contacts list. This concept is very frightening to many users, and means it won’t be long before it spreads to countries outside of China.”

Michael Sutton, VP of Security Research for Zscaler:

 “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we’re waiting for the wrong thing. We’ll never see the drive by downloads and fast spreading device to device malware that we’ve become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn’t however mean that malware on mobile devices isn’t a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.

This is especially true for iOS devices and WireLurker represents a new advance on that front. Whether or not Apple designed their Walled Garden for security purposes or not, the fact that iOS apps must primarily be installed only from the iOS App Store, where they can first be vetted by Apple, has made malicious apps on non-jailbroken devices a rare commodity. WireLurker took advantage of an exception to this rule.

WireLurker abuses the fact that there is another way to get apps onto non-jailbroken devices. Apple allows enterprise development teams to leverage Enterprise Provisioning as a means to push homegrown apps to employees without the hassle of hosting them in the App Store. The process is still restricted and requires the use of an Apple supplied code signing certificate and provisioning profiles pushed to devices, but it does provide an alternative. The authors of WireLurker appear to have stolen a legitimate code signing certificate from Hunan Langxiong Advertising Decoration Engineering Co. Ltd., in order to pushed apps to non-jailbroken devices via provisioning profiles.”

Steve Hultquist, chief evangelist at RedSeal:

“Trust. It’s the first requirement for security, but seldom considered by consumers. In the case of WireLurker, existing trust between an iOS device and a Mac becomes the surrogate for malware to infect the devices. When the Mac user mistakenly places trust in a third-party app site to only offer uninfected applications for download, it opens the door to infection of the Mac and then the iOS devices.

This is another example of the sophistication and automation of attacks that are growing inexorably into the future. Attackers are both more subtle and more capable than ever before. This attack resulted in over a quarter of a million infected downloads, in all likelihood impacting thousands of people and devices, all because of misplaced trust.

This attack and others that will follow underscore the need for proactive security efforts, from application design-for-security to trust architectures and automated analysis of potential access paths. Without automated proactive prevention, attacks will continue to grow in volume and impact. Enterprises need to take notice, since these consumer attacks are merely the ice above the water. The enterprise and governmental attacks are the bulk under the sea.”

Until Next Friday…Have a Great Weekend!

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Feedback Friday: Hackers Infiltrate White House Network – Industry Reactions

Posted on November 3, 2014 by in Security

Welcome back to Feedback Friday! An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

Feedback Friday: White House Network Breached

The incident came to light earlier this week when an official said they had identified “activity of concern” on the unclassified network of the Executive Office of the President (EOP) while assessing recent threats. The official said the attackers didn’t cause any damage, but some White House users were temporarily disconnected from the network while the breach was dealt with.

Experts have pointed out that while the attackers breached an unclassified network, it doesn’t necessarily mean that they haven’t gained access to some useful data, even if it’s not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.

And the Feedback Begins…

Amit Yoran, President at RSA:

“The breach underscores the constant siege of attacks on our government and businesses. Fortunately — by definition — information with grave or serious impact to national security is classified and would not be found on an unclassified network. That said, there is most likely information on unclassified networks that the White House would not like public or for 3rd party consumption.

As for the profile of the adversary, the White House uses the latest security technologies making them a very challenging target to breach. Top secret clearances are required for access to networks and personnel are continuously and rigorously vetted. As such — and acknowledging that until a thorough investigation is completed, speculation can be dangerous — a standard botnet or phishing malware is a less likely scenario than a focused adversary with time and expertise in developing customized exploits, malware and campaigns.”

Mark Orlando, director of cyber operations at Foreground Security. Orlando previously worked at the EOP where he led a contract team responsible for building and managing the EOP Security Operations Center under the Office of Administration:

“Sophisticated attackers constantly alter their approach so as to evade detection and they will eventually succeed. The best a defender can do in this case is to identify and respond to the attack as quickly and effectively as possible. It isn’t at all unusual for an attack like this one to be discovered only after a malicious email has been identified, analyzed, and distilled into indicators of compromise (subject lines, source addresses, file names, and related data elements) used to hunt for related messages or attacks that were initially missed. White House defenders routinely exchange this kind of data with analysts across the Federal Government to facilitate those retrospective investigations. That may have been how this compromise was discovered and that doesn’t amount to a ‘miss’.

While the media points to outages or delays in major services like email at the White House, this is also not an unusual side effect of proper containment and eradication of a threat like this one- especially if there are remote users involved. Incidents exactly like this one occur all over the Federal government and increasingly in the private sector as well; the only thing different about this attack that makes it more newsworthy than those other incidents is that it occurred at EOP.”

Tom Kellermann, Trend Micro chief cybersecurity officer and former commissioner on The Commission on Cyber Security for the 44th Presidency:

“Geopolitical tensions are now manifested through cyberattacks. The enemies of the state conduct tremendous reconnaissance on their targets granting them situational awareness as to our defenses in real time. This reality allows for elite patriotic hackers to bypass our defenses.”

Irene Abezgauz, VP Product Management, Quotium:

“Security, cyber or physical, relies heavily on risk management. With a large operation, it is difficult to secure everything on the same level, priority is often given to the more sensitive networks. In the case of the White House hack, the breached network was unclassified, meaning it probably has slightly different security measures than classified networks.

Government systems are prime targets for hackers. Even if the breached network is unclassified and no sensitive information was exposed, all government network breaches draw attention. In public opinion, attackers gaining access to government computer systems, no matter whether classified or not, reflects badly on the ability of the US to defend itself, especially when foreign nationals are suspected. In addition, availability and integrity must be maintained in systems that involve any kind of government decision making, more than in most other systems.

The bottom line is that high profile targets must maintain a high level of security on all networks. Hackers, private and state-funded, are continuously attempting attacks on these systems. Such attacks must be blocked in order to protect data within as well as assure the public of the ability of the government to protect its cyber systems.”

John Dickson, Principal at the Denim Group:

“Although initial reports emphasize the unclassified nature of the system and networks, security experts know that successful attacks against certain unclassified systems can, in fact, still be gravely serious. Given the fact this concerns perhaps the most high-visibility target in the world – the White House – and you potentially have a genuinely difficult situation.

On one hand, you have the issue of public confidence in our institutions of government. ‘If the attackers can compromise the White House, what else can the possibly get into?’ is a perfectly valid question from citizens who may not recognize the distinction between unclassified and classified systems. Also, sensitive information that is unclassified may traverse these systems and give attackers more context to allow them to put together a larger picture of what’s happening at the White House. Military folks call refer to this term as Operational Security, or OPSEC, and this is always a worry for those protecting the President, the White House, and the operations of the Executive Branch of government.

From a defensive standpoint, when you face a sophisticated attacker with substantial resources you have be constantly vigilant and assume certain systems will fail. It’s far too early to editorialize on theories of ‘what might have happened’ at the White House, but we always recommend a defense in depth approach to application and system design that ‘fails open,’ so that if an attacker compromises one type of defense, it doesn’t compromise the entire ecosystem.”

Ian Amit, Vice President at ZeroFOX:

“Much of the conversation surrounding the recent White House hack centers on the nature of the compromised network. The network is ‘unclassified,’ leading many people to believe the affected information is non-critical or innocuous. It’s important to note however that enough unclassified information, when aggregated and correlated, quickly becomes classified. Isolated data points might not mean much by themselves, but enough time spent passively listening to unclassified chatter can reveal some very sensitive intelligence.

So how much time was the hacker on the network? It’s difficult to tell. Security officials alerted on ‘suspicious activity.’ This phrase doesn’t give us much insight into how long the network was compromised. The hacker could have been active on the network for months without doing anything to sound the alarms. It’s one thing if a hacker is caught in the act of breaking in or stealing data. That kind of event information generally gives a clear indication of the attack timeline. Triggering on passive behavior makes this much more difficult.

With that said, it’s commendable that White House security officials are looking for behavioral cues rather than overt events to detect malicious activity. Soft indicators are much more difficult to detect and means the security officials are using some advanced tools to understand traffic on the network.”

Anup Ghosh, CEO of Invincea:

“The disclosure of breach from the White House this week was remarkable for its differences from a similar disclosure in 2012. It’s clear from recent press releases from security companies, that Russia is the New Black now. In fact, if you get hacked by the Chinese now, it’s almost embarrassing because they are considered less sophisticated than the Russians. So now, every breach seems to be attributed to Russians, though largely without any evidence.

A little more than two years ago in October 2012, the White House acknowledged a breach of its unclassified networks in the White House Military Office (which also manages the President’s nuclear ‘football’). The talking points at the time were: 1. Chinese threat, 2. Non-sophisticated attack method (spear-phish), 3. Unclassified network, so no harm. This week, the talking points are: 1. Russian government threat, 2. Sophisticated attack method (spear-phish), and 3. Deep concern over breach of unclassified network. The similarities between the two breaches are remarkable, but the reaction couldn’t be more different.

Before we indict the Russians for every breach now, it would be great to see some bar set for attribution to a particular group. It would also be great to not use “sophisticated” threat or Russians as a scape goat for not properly addressing spear-phishing threats with technology readily available off the shelf (and shipped with every Dell commercial device).”

Michael Sutton, VP of Security Reasearch for Zscaler:

“The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to ‘unnamed sources’, it’s safe to assume that the general public only has visibility into the tip of the iceberg. White House officials admitted that this latest breach was discovered ‘in the course of assessing recent threats’, suggesting that following the trail of breadcrumbs for one attack led to another.

In September, there were reports of yet another successful attack, this one leveraging spear phishing and compromising a machine on an unclassified network and earlier this month, details of the Sandworm attacks emerged, which leveraged a then 0day Microsoft vulnerability to target NATO and EU government agencies. All of these recent attacks have been attributed to groups in Russia and it’s likely that they’re tied together. All Internet facing systems face constant attack, but the White House understandably presents a particularly attractive target.

While all G20 nations have advanced cyber warfare capabilities and conduct offensive operations, Russia and China have been particularly aggressive in recent years, often conducting bold campaigns that are sure to be uncovered at some point.”

Zach Lanier, Senior Security Researcher at Duo Security:

“U.S. government and defense networks are often the target of attackers — and the White House is without a doubt very high on that list, regardless of the breached network reportedly being ‘unclassified’. Everyone from hacktivists to foreign intelligence agencies have sought after access to these networks and systems, so this intrusion isn’t a huge surprise.” 

Carl Wright, General Manager of North America for TrapX Security:

“When it comes to our military, government and its supporting national defense industrial complex, the American public’s expectation is and should be significantly higher. The Senate Armed Services Committee (SASC) findings in September highlighted how nation-state actors were targeting contractors with relation to the federal government so it is to be expected that actual government bodies are also being targeted.

95 percent of the security market is signature based and thus will not detect a targeted zero-day. We must operate under the notion that networks are already compromised and focus defenses on monitoring lateral movements within data centers and private networks as that is how hackers escalate their attack and access. Unfortunately, existing security technologies focus from the outside in, trying to understand the entire world of cyber terrorists’ behaviors which inundate security teams with alerts and false-positives.

These breaches demonstrate how traditional security tools alone don’t do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture to thwart today’s nation-states or crime syndicates whether foreign or domestic. With the United States President’s intranet being compromised, it truly shows the poor state of our national cyber defense capabilities.”

Nat Kausik, CEO at Bitglass:

“Organizations whose security models involve ‘trusted devices’ are naturally prone to breaches. Employees take their laptops on the go, get hacked at public WIFI networks, and come back to the office where the device is treated as trusted and allowed to connect to the network.

The compromised device enables the hacker to gain a broader and more permanent foothold inside the network. Government entities have long favored the ‘trusted devices’ model and are actually more prone to breaches than organizations that treat all user devices as suspect.”

Greg Martin, CTO at ThreatStream:

“It’s public knowledge that Russia has been very active in sponsored cyber espionage and attacks but have recently turned up the volume since both the Ukranian conflict and given the Snowden leaks which in my opinion have given Russian and China the open door to be even more bold in their offensive cyber programs.

Recent cyberattacks on retailers and financial institutions have been riddled with anti-US propaganda. This makes it increasingly difficult to pinpoint the backers as the activity is heavily blended threats between criminal actors, hack-tivist and state sponsored activity. As seen in the recent reports, Russia APT attacks have been prevalent in targeting U.S. interests including the financial sector.

ThreatStream believes organizations should accelerate their policy of sharing cyber threat information and look at how they currently leverage threat and adversary intelligence in their existing cyber defense strategies.”

Until Next Friday…Happy Happy Halloween and have a Great Weekend!

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Hackers Target Ukraine’s Election Website

Posted on October 26, 2014 by in Security

KIEV – Hackers attacked Ukraine’s election commission website Saturday on the eve of parliamentary polls, officials said, but they denied Russian reports that the vote counting system itself had been put out of action.

The www.cvk.gov.ua site, run by the commission in charge of organising Sunday’s election, briefly shut down. Ukrainian security officials blamed a denial-of-service (DDoS) attack, a method that can slow down or disable a network by flooding it with communications requests.

“There is a DDoS attack on the commission’s site,” the government information security service said on its Facebook page.

The security service said the attack was “predictable” and that measures had been prepared in advance to ensure that the election site could not be completely taken down.

“If a site runs slowly, that doesn’t mean it has been destroyed by hackers,” the statement said.

A report on Russia’s state news agency RIA Novosti quoted a statement on the personal website of the Ukrainian prosecutor general saying that the electronic vote counting system was out of order and that Sunday’s ballots would have to be counted by hand.

The commission spokesman, Kostyantyn Khivrenko, called the RIA Novosti report a “fake”.

“The Central Election Commission will issue preliminary results of the voting with the help of the Vybory information-analytical system. This system is working normally,” he said.

The Ukrainian Security Service (SBU), the country’s lead internal security agency, said that “the physical protection of the central server and its regional components has been ensured”.

“Any statements regarding the alleged successful unauthorised intrusions into the cyber space of the Central Election Commission or the elements of the elections systems do not correspond to the facts. Hackers are controlling nothing,” Markiyan Lubkivskyy, an adviser to the SBU chief, said.

An SBU spokeswoman told AFP that attacks on the election commission’s site began a week ago, “but so far we have dealt with them”.

Outdoor video screens hacked?

The cyber troubles came as Ukraine prepared for an election overshadowed by a bloody pro-Russian insurgency in the country’s east and the annexation by Russia of the Crimean province in the south.

Pro-Western and nationalist parties are expected to dominate the new parliament. In another possible sign of cyber tensions, the Ukrainska Pravda news website on Friday reported that outdoor video screens across Kiev were briefly hacked.

The screens, which are used for advertising, including pre-election political ads, reportedly started to display “scary and horrible images,” the report said.

Engineers went out “to physically unplug” the screens, according to the report.

The report could not be confirmed, but footage on YouTube purporting to capture the incident showed a street screen abruptly switching to footage of destroyed buildings and dead bodies, as well as the images of two nationalist politicians running for parliament, with the words “war criminals”.

© AFP 2013


SecurityWeek RSS Feed

Feedback Friday: ‘Shellshock’ Vulnerability – Industry Reactions

Posted on September 28, 2014 by in Security

The existence of a highly critical vulnerability affecting the GNU Bourne Again Shell (Bash) has been brought to light this week. The security flaw is considered by some members of the industry as being worse than the notorious Heartbleed bug.

Feedback Friday

GNU Bash is a command-line shell used in many Linux, Unix and Mac OS X operating systems. The vulnerability (CVE-2014-6271) has been dubbed “Bash Bug” or “Shellshock” and it affects not only Web servers, but also Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems.

By exploiting the security hole, an attacker can execute arbitrary commands and take over targeted machine. Symantec believes that the most likely route of attack is through Web servers that use CGI (Common Gateway Interface). There have already been reports of limited, targeted attacks exploiting the vulnerability.

A patch has been made available, but it’s incomplete. Until a permanent fix is rolled out, several organizations have launched Shellshock detection tools. Errata Security has started scanning the Web to find out how many systems are affected, and Symantec has published a video to demonstrate how the flaw can be exploited.

The security community warns that the vulnerability can have serious effects, and points out that it could take a long time until all systems are patched.

And the Feedback Begins…

Ian Pratt, Co-founder and EVP at Bromium:

 “The ‘shellshock’ bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing Linux/Unix/OS X systems as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface — this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required.”

 

Mark Parker, Senior Product Manager at iSheriff:

 “This bash vulnerability is going to prove to be a much bigger headache than Heartbleed was. In addition to the general Mac OS X, Linux and Unix systems that need to be patched, there are also thousands upon thousands of Internet connected Linux and Unix based embedded devices, such as DVRs, home automation systems, automotive entertainment systems, mobile phones, home routers, manufacturing systems and printers.

Most of these devices will be susceptible because most Linux based devices run bash, it is such an integral part of the Linux OS. I anticipate that we will be continue to see the fallout from this vulnerability for a long time to come.”

Carl Wright, General Manager of TrapX Security:

“We feel that industry will take this very seriously and come out with patches for this vulnerability ASAP. It could take us years to understand how many systems were compromised and how many were used to escalate privileges into systems without this vulnerability. The transitive trust nature of directory architectures and authentications systems could mean we are living with this far beyond patching the current systems if this exploit has been taken advantage of even at a small 1% level.”

Coby Sella, CEO of Discretix:

“This is the second time over the last six months when a key infrastructure component used by billions of connected things across a variety of industries has been compromised. We see this problem only getting worse as more and more unsecured or not adequately secured things are rolled out without any comprehensive security solution that reaches all the way down to the chipset. Real solutions to this problem must cover every layer from the chipset to the cloud enabling companies to remotely insert secrets into the chipset layer via secured connections within their private or cloud infrastructure.”

Nat Kausik, CEO, Bitglass:

“Enterprises with ‘trusted endpoint’ security models for laptops and mobile devices are particularly vulnerable to this flaw.  Malware can exploit this vulnerability on unix-based laptops such as Mac and Chromebook when the user is away from the office, and then spread inside the corporate network once the user returns to the office.”

Steve Durbin, Managing Director of the Information Security Forum:

“The Bash vulnerability simply stresses the point that there is no such thing as 100% security and that we all need to take a very circumspect and practical approach to how we make use of the devices that we use to share data both within and outside the home and our businesses. I have my doubts on whether or not this will lead to a wave of cyber-attacks, but that is not to say that the vulnerability shouldn’t be taken seriously. It is incumbent upon all of us as users to guard our data and take all reasonable precautions to ensure that we are protecting our information as best as we are realistically able.”

Steve Lowing, Director of Product Management, Promisec:

 “Generally, the Bash vulnerability could be really bad for systems, such as smart devices including IP cameras, appliances, embedded web servers on routers, etc… which are not updated frequently. The exposure for most endpoints is rapidly being addressed in the form of patches to all flavors of UNIX including Redhat and OS X. Fortunately for Microsoft, they avoid much of this pain since most Windows systems do not have Bash installed on them.

For vulnerable systems, depending on how they are leveraging the Bash shell the results could be grave. For example, a webserver that uses CGI for example would likely be configured to use Bash as the shell for executing commands and compromising this system via this vulnerability is fairly straightforward. The consequences could be to delete all web content which could mean Service level agreements (SLA)s are not met because of complete outage or deface the site which tarnishes your brand or even to be a point of infiltration for a targeted attack which could mean IP and/or sensitive customer information loss.

The IoT is the likely under the biggest risk since many of these devices and appliances are not under subject to frequent software updates like a desktop or laptop or server would be. This could result in many places for an attacker to break into and lay wait for sensitive information to come their way.”

Jason Lewis, Chief Collection and Intelligence Officer, Lookingglass Cyber Solutions:

 “The original vulnerability was patched by CVE-2014-6271. Unfortunately this patch did not completely fix the problem. This means even patched systems are vulnerable.

 

Several proof of concepts have been released.  The exploit has the ability to turn into a worm, so someone could unleash an exploit to potentially infect a huge number of hosts.”

Ron Gula, Chief Executive Officer and Chief Technical Officer, Tenable Network Security: 

 “Auditing systems for ShellShock will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy. With ShellShock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that don’t have mature relationships with their IT administrators may not be able to audit for this.

 

Detecting the exploit of this is tricky. There are network IDS rules to detect the attack on unencrypted (non-SSL) web servers, but IDS rules to look for this attack over SSL or SSH won’t work. Instead, solutions which can monitor the commands run by servers and desktops can be used to identify commands which are new, anomalistic and suspect.”

Mike Spanbauer, Managing Director of Research, NSS Labs:

“Bash is an interpretive shell that makes a series of commands easy to implement on a Unix derivative. Linux is quite prevalent today throughout the Web, both as commerce platform and as commercial website platform. It happens to be the default script shell for Unix, Linux, well… you get the picture.

The core issue is that while initially the vulnerability highlights the ease with which an attacker might take over a Web server running CGI scripting, and ultimately, ‘get shell’ which offers the attacker the means to reconfigure the access environment, get to sensitive data or compromise the victim machine in many ways.

As we get to the bottom of this issue, it will certainly be revealed just how bad this particular discovery is – but there is a chance it’s bigger than Heartbleed, and that resulted in thousands of admin hours globally applying patches and fixes earlier this year.”

Contrast Security CTO and co-founder Jeff Williams:

 “This is a pretty bad bug. The problem happens because bash supports a little used syntax for ‘exported functions’ – basically a way to define a function and make it available in a child shell.   There’s a bug that continues to execute commands that are defined after the exported function.

So if you send an HTTP request with a referrer header that looks like this: Referer:() { :; }; ping -c 1 11.22.33.44. The exported function is defined by this crazy syntax () { :; };  And the bash interpreter will just keep executing commands after that function.  In this case, it will attempt to send a ping request home, thus revealing that the server is susceptible to the attack.

Fortunately there are some mitigating factors.  First, this only applies to systems that do the following things in order: 1) Accept some data from an untrusted source, like an HTTP request header, 2) Assign that data to an environment variable, 3) Execute a bash shell (either directly or through a system call).

If they send in the right data, the attacker will have achieved the holy grail of application security: ‘Remote Command Execution.’  An RCE basically means they have completely taken over the host.

Passing around data this way is a pretty bad idea, but it was the pattern back in the CGI days.  Unfortunately, there are still a lot of servers that work that way.  Even worse, custom applications may have been programmed this way, and they won’t be easy to scan for.  So we’re going to see instances of this problem for a long long time.”

Tal Klein, Vice President of Strategy at Adallom:

 “What I don’t like to see is people comparing Shellshock to Heartbleed. Shellshock is exponentially more dangerous because it allows remote code execution, meaning a successful attack could lead to the zombification of hosts. We’ve already seen one self-replicating Shellshock worm in the wild, and we’ve already seen one patch circumvention technique that requires patched Bash to be augmented in order to be ‘truly patched’. What I’m saying is that generally I hate people who wave the red flag about vulnerabilities, but this is a 10 out of 10 on the awful scale and poses a real threat to core infrastructure. Take it seriously.”

Michael Sutton, Vice President of Security Research at Zscaler:

 “Robert Graham has called the ‘Shellshock’ vulnerability affecting bash ‘bigger than Heartbleed.’ That’s a position we could defend or refute, it all depends upon how you define bigger. Will more systems be affected? Definitely. While both bash and OpenSSL, which was impacted by Heartbleed, are extremely common, bash can be found on virtually all *nix system, while the same can’t be said for OpenSSL as many systems simply would require SSL communication. That said, we must also consider exploitability and here is where I don’t feel that the risk posed by Shellshock will eclipse Heartbleed.

Exploiting Heartbleed was (is) trivially easy. The same simple malformed ‘heartbeat’ request would trigger data leakage on virtually any vulnerable system. This isn’t true for Shellshock as exploitation is dependent upon influencing bash environment variables. Doing so remotely will depend upon the exposed applications that interact with bash. Therefore, this won’t quite be a ‘one size fits all’ attack. Rather, the attacker will first need to probe servers to determine not only those that are vulnerable, but also how they can inject code into bash environment variables.

The difference here is that we have to take application logic into account with Shellshock and that was not required with Heartbleed. That said, we’re in very much in the same boat having potentially millions of vulnerable machines, many of which will simply never be patched. Shellshock, like Heartbleed, will live on indefinitely.”

Mamoon Yunus, CEO of Forum Systems: 

“The Bash vulnerability has the potential to be much worse than Heartbleed. Leaking sensitive data is obviously bad but the Bash vulnerability could lead to losing control of your entire system.

The Bash vulnerability is a prime example of why it’s critical to take a lockdown approach to open, free-for-all shell access, a practice that is all too common for on-premise and cloud-based servers. Mobile applications have caused an explosion in the number of services being built and deployed. Such services are hosted on vanilla Linux OS variants with little consideration given to security and are typically close to the corporate edge. Furthermore, a large number of vendors use open Linux OSes, install their proprietary functionality, and package commercial network devices that live close to the network edge at Tier 0. They do so with full shell access instead of building a locked-down CLI for configuration.

The Bash vulnerability is a wake-up call for corporations that continue to deploy business functionality at the edge without protecting their services and API with hardened devices that do not provide a shell-prompt for unfettered access to OS internals for anyone to exploit.”

Jody Brazil, CEO of FireMon:

“This is the kind of vulnerability that can be exploited by an external attacker with malicious intent. So, how do those from the Internet, partner networks or other outside connection gain access to this type of exposure?

An attack vector analysis that considers network access through firewalls and addresses translation can help identify which systems are truly exposed. Then, determine if it’s possible to mitigate the risk by blocking access, even temporarily. In those cases where this is not an option, prioritizing patching is essential. In other cases where, for example, where there is remote access to a vulnerable system that is not business-critical, access can be denied using existing firewalls.

This helps security organizations focus their immediate patching efforts and maximize staffing resources. It’s critical to identify the greatest risk and then prioritize remediation activities accordingly. Those are key best practices to address Bash or any vulnerability of this nature.”

Mark Stanislav, Security Researcher at Duo Security:

“While Heartbleed eventually became an easy vulnerability to exploit, it was ultimately time consuming, unreliable and rarely resulted in ‘useful’ data output. Shell Shock, however, effectively gives an attacker remote code execution on any impacted host with a much easier means to exploit than Heartbleed and greater potential results for criminals.

Once a web application or similarly afflicted application is found to be vulnerable, an attacker can do anything from download software, to read/write system files, to escalating privilege on the host or across internal networks. More damning, of course, is that the original patch to this issue seems to be flawed and now it’s a race to get a better patch released and deployed before attackers leverage this critical bug.”

Rob Sadowski, Director of Technology Solutions at RSA:

“This is a very challenging vulnerability to manage because the scope of potentially affected systems is very large, and can be exploited in a wide variety of forms across multiple attack surfaces. Further, there is no single obvious signature to help comprehensively detect attempts to exploit the vulnerability, as there are so many apps that access BASH in many different ways.

Because many organizations had to recently manage a vulnerability with similar broad scope in Heartbleed, they may have improved their processes to rapidly identify and remediate affected systems which they can leverage in their efforts here.” 

Joe Barrett, Senior Security Consultant, Foreground Security:

 “Right now, Shellshock is making people drop everything and scramble to fix patches. Security experts are still expanding the scope of vulnerability, finding more devices and more methods in which this vulnerability can be exploited. But no one has gotten hacked and been able to turn around and point and say ‘It was because of shellshock’ that I’ve seen.

 

If you have a Linux box, patch it. Now. Do you have a Windows box using Cygwin? Update Cygwin to patch it. And then start trying to categorize all of the ‘other’ devices on the network and determining if they might be vulnerable. Because chances are a lot of them are.

Unfortunately, vendors probably will never release patches to solve this for most appliances, because most [Internet-connected] appliances don’t even provide a way to apply such an update. But for the most part all you can do is try to identify affected boxes and move them behind firewalls and out of the way of anyone’s ability to reach them. Realistically, we’ll probably still be exploiting this bug in penetration tests in 8 years. Not to mention all of the actual bad guys who will be exploiting this.”

Until Next Friday…Have a Great Weekend!

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

FireEye Unveils On Demand Security Service, Threat Intelligence Suite

Posted on September 20, 2014 by in Security

Threat protection firm FireEye has announced new offerings designed to provide customers with on-demand access to its cyber defense technology, intelligence, and analysts expertise on a subscription basis.

Designed to help enterprises scale their defense strategies, the new offerings provide customers with a single point of contact to meet their needs before, during or after a security incident.

The new FireEye as a Service offering is an on-demand security management offering that allows organizations to leverage FireEye’s technology, intelligence and expertise to discover and thwart cyber attacks.

The second new offering, FireEye Advanced Threat Intelligence, provides access to threat data and analytical tools that help identify attacks and provide context about the tactics and motives of specific threat actors, FireEye said.

Combined, the solutions are designed to equip enterprise security teams so they can implement an Adaptive Defense security model, an approach for defending against advanced threat actors that scales up or down based on the unique needs of each security organization.

“The new FireEye Advanced Threat Intelligence offering adds two new capabilities to complement FireEye’s existing Dynamic Threat Intelligence subscription,” the company explained in its announcement. “First, when the FireEye Threat Prevention Platform identifies an attack, users will now be able to view intelligence about the attackers and the malware. Security teams will be able to see who the associated threat actor is, what their likely motives are, and get information about the malware and other indicators they can use to search for the attackers.”

Additionally, a new threat intelligence research service allows customers to subscribe to ongoing research including dossiers, trends, news and analysis on advanced threat groups as well as profiles of targeted industries, including information about the types of data that threat groups target.

Other highlights of FireEye as a Service include:

Detection of Adversaries and their Actions – FireEye analysts staff an around the clock global network of security operations centers to hunt for attackers in an environment using FireEye technology and advanced analytics that identifies outliers and correlates them with behaviors of known attackers. By finding high-risk threats at the earliest stages of an attack, FireEye minimizes the risk of a breach.

Ability to Pivot to Incident Response – With FireEye as a Service, organizations can quickly engage a Mandiant incident response team when needed.

Access to Personalized Intelligence Reports — FireEye as a Service customers get access to key intelligence findings and judgments specific to their organization from the FireEye intelligence team. This includes identification of attackers specifically targeting their industry, typical attack methodologies used by relevant adversaries, and key business or financial data that motivates attackers to target your organization.

“We need to analyze the environment to address the attacks that penetrate an organization’s perimeter and bypass preventive measures,” FireEye COO, Kevin Mandia, wrote in a blog post. “And then ultimately, when we understand an attack well enough, contain it to get back to normal business operations. To succeed in today’s cyber-threat environment this cycle must shrink – from alert to fix in months, to alert to fix in minutes – in order to eliminate the consequences of a security breach.”

With FireEye as a Service, customers have the option to manage their own security operations, offload security operations to FireEye, or co-manage operations with FireEye or a FireEye partner.

Both new offerings are available as a subscription to customers that have purchased FireEye products. Pricing for ongoing monitoring starts at $ 10,000 per month for smaller clients needing full support and. For larger organizations the price is much higher.

Organizations pay a subscription fee and account for the service as an operational expense or pay up front and account for it as a capital expense, FireEye said.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed