December 22, 2024

Feedback Friday: Lenovo Preinstalled Superfish Adware on Laptops – Reactions

Posted on February 22, 2015 by in Security

For a period of several months, Lenovo shipped numerous laptop models with a piece of adware that broke HTTPS browsing and put users at risk. Now, the company has apologized to customers and provided them with instructions on how to remove the application.

Lenovo preloaded the WindowShopper browser add-on from Superfish thinking that customers would enjoy its features. However, many users were annoyed by it and started complaining on the Chinese manufacturer’s forums. After security researchers analyzed the software, they realized that it poses serious risks.

The adware injects ads into web pages by using a local proxy and a self-signed root certificate. Superfish actually replaces legitimate certificates with its own, making connections that should be secure untrusted.

Industry reactions to Superfish incident

Even more worrying is the fact that researchers have managed to extract the certificate’s private key. The private key can be used to sign potentially malicious websites and software that would be trusted on affected Lenovo notebooks.

Industry professionals pointed out that Lenovo should have known better not to install such software on its computers. Experts also noted that while this is a common practice, they hope that manufacturers will learn from the Superfish incident.

And the feedback begins…

Martijn Grooten, Editor at Virus Bulletin:

“Like most people working in security, I’m not very keen on the idea of ads in general and running third-party code on your computer or inside your browser in particular. But then, I accept that ads are part of the ecosystem and that pre-installing software that, as it is euphemistically called, “enhances user experience” makes laptops significantly cheaper.

Now injecting ads into a browser is bad enough, doing so by running an HTTPS proxy on the machine is a lot worse. HTTPS shouldn’t be touched unless it is for a very good reason – inserting ads is never a good reason.

But what makes it still orders of magnitude worse than that, is that their proxy uses the same certificate on all affected (or, perhaps more accurate, infected) PCs. Hence anyone can obtain the private key of the certificate – which, as people have already showed, isn’t rocket science – and use this to man-in-the-middle HTTPS traffic without the Lenovo user being aware.

The industry of bundled apps and programs is a complicated one and finding out what all the programs installed on the PCs you sell are up to might not be as easy as security researchers may suggest. But Lenovo should have been able to detect Superfish adding a SSL root certificate to the computer, as well as it running an HTTPS proxy on the local machine.”

George Baker, Director of Professional Services at Foreground Security:

“This was clearly a questionable design decision by Lenovo. Trusted manufacturers should know that building in a ‘man-in-the-middle’ feature is just that… highly questionable, regardless of the claimed benefit. And weak protection on the Superfish software’s own private key further undermines the system’s root of trust. If the software is present and trusted by the operating system, a knowledgeable attacker can exploit it at will.

That said, it’s good that it was caught early, after four months of production, and that Lenovo is taking some action. That should at least limit the number of users – and the amount of their private data – who are exposed.”

ThreatStream CTO Greg Martin:

“The latest Superfish debacle highlights the current strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market that has made Google and others so successful. Unfortunately, like the case with Lenovo and many others, users’ privacy and security are compromised – often in secret – leaving them extremely vulnerable to malicious hackers who leverage the this type of tracking technology against them.

Unfortunately this won’t be the last we see of this type of story, but hopefully the publicity from Superfish will be enough to warn other like-minded manufacturers to take a more transparent approach and offer their users opt-out capabilities on future products that include embedded ad-tracking tech. Because Superfish was developed and licensed to Lenovo, it will be interesting to find out which other manufacturers are leveraging the Superfish technology in their products.”

Patrick Belcher, Director of Security Analytics, Invincea:

“The Lenovo and Superfish unwanted software debacle should serve as notice that there are dozens of ad companies that push spyware and toolbars, many of which exhibit rootkit-like properties and siphon off local user information to sell to advertising companies.

These programs are delivered like Trojan horses, bundled into innocuous applications with the sole intent of spying on and generating revenue at the expense of the user’s privacy. The ad companies purchase this siphoned data to deliver targeted advertising, and sometimes, malvertising to specific groups of users of the Internet.”

Ian Amit, Vice President at ZeroFOX:

“The Lenovo laptops that shipped with “Superfish” adware capable of snooping through the user’s encrypted web traffic are a very tangible threat to consumers and companies. People posting about their new Lenovo laptop on social media makes it easy for attackers to find them. Consequently, mapping those users’ home, work, and local coffee shops enables attackers to confidently launch man-in-the-middle attacks by abusing how Superfish allows snooping of encrypted web traffic (i.e. online banking, shopping, email, VPNs, etc).

We recommend that companies ensure their threat intelligence provide contextual data on their exposure as related to this vulnerability (employees, partners, locations, etc).”

Simon Crosby, CTO and co-founder of Bromium:

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behavior of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

Grayson Milbourne, Webroot Security Intelligence Director:

“Sadly this is common practice in the industry. Customers aren’t informed this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up. Consequently, this breeds a level of mistrust between the offending company and its customer base. In this case, users have aired their frustrations over social media channels – and it’s completely distracting from the quality products Lenovo manufactures.

In the past couple weeks, Lenovo has been forced to expend valuable time and resources managing backlash from the security community and customers. Undoubtedly, this is hurting the company’s bottom line and opening the door for competitors to claim privacy superiority.

If there’s a silver lining, it’s that this story will be a wake-up call for consumers. Whether its unwanted adware from the manufacture or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Steve Lowing, Director of Product Development at Promisec:

“Preinstalled software, such as adware like Superfish, must go through the same scrutiny as the shipping company (in this case Lenovo) would do for their own software in order to prevent these kinds of brand impacting missteps from happening. While it’s not exactly uncommon to see adware or promotional-ware software on new laptops these days, the times have changed where these once opt-in based services are not forced on us by default.

Coupling this tactic with poorly designed software that can carry out a “man-in-the-middle” attack on what is expected to be secured data is a potential lawsuit waiting to happen. Companies like Lenovo should know better than to pre-install this kind of software in the first place.”

Mark Parker, Senior Product Manager, iSheriff:

“The practice of pre-installing 3rd party software on PCs delivered to retail establishments, and direct shipped to business customers, presents a considerable risk. Given the choice, most consumers and businesses would choose not to have the 3rd party software installed. In the case of Lenovo and Superfish, we see an indication of exactly how dangerous that can be.

The man-in-the-middle certificate used made it such that every secure session was no longer private. In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not pre-installing software that can create an attack vector.”

Chris Schweigert, Security Operations Director at EiQ Networks:

“The recent discovery of the Superfish application on Lenovo PC’s brings up the old best practices of installing a known, respectable copy of an operating system on your computer when you take it out of the box. Commercial off-the-shelf (COTS) applications have long been scrutinized by major enterprise environments and you simply cannot trust what you get from a manufacturer.

As a best practice, organizations should have a gold build install of all the authorized software for each new computer that comes in. You have to nuke the manufacturer installed applications and then re-install what you know to be trusted. Another advantage here is the ability to more easily identify changes to that baseline configuration on all your systems.”

Randy Abrams, Research Director at NSS Labs:

“It is disconcerting that virtually no anti-malware products were detecting Superfish, however the difference between malicious adware and acceptable adware is not ‘black and white.’ Not all behaviors are expected to be detected without a level of inspection that is not possible with the amount of malware being released daily. Vendors like Superfish employ teams of researchers to evade anti-malware products.

There are very likely many other adware products performing the exact same activities as Superfish. The primary motivation Superfish has is advertising revenue. This could have gone much worse for Lenovo if theft was the motivation for backdoors in third party software.

It is incumbent upon C-Level IT professionals to make sure there are well-defined processes and procedures for releasing third-party software on any medium. This must include tracking and auditing of third party vendors, monitoring their reputations and malware scanning with multiple products.

Coincidentally, the newly-formed Clean Software Alliance (CSA) will help in preventing this type of adware to go undetected. The CSA is a coalition of antimalware vendors, download bundlers and other members of the ‘adware’ ecosystem that are cooperating to set meaningful standards for ‘adware.’ Superfish’s conduct would preclude CSA approval.”

Muddu Sudhakar, Caspida CEO:

“U.S. computer manufacturers are getting a lot of push back from other countries for their hardware sales after scrutiny from incidents like those tied to the NSA and Snowden. Hardware vendors need to show beyond reasonable doubt that they are shipping high quality, highly secure products, eliminating backdoors in hardware and operating systems.

We need new third party certifications for hardware vendors who ship desktops/laptops or servers such as Lenovo, IBM, HP, and Apple. The third party certification should be robust and should be done independently of vendor companies and independently of government agencies.”

John Hultquist, Senior Manager, Cyber Espionage Threat Intelligence at iSIGHT Partners:

“We have noticed a trend affecting the software supply chain. The places people go to download applications or updates have been compromised on several occasions recently by cyber espionage actors who trojanize the software with their own malware. Chinese and Russian operators have swapped out everything from SCADA software to computer games, targeting very specific users as well as some opportunistic victims.”

John Pirc, Chief Strategy Office and Co-founder of Bricata:

“Based on the information surfacing about Superfish, administrators should inspect for where this application is installed and remove it. If you are using cloud based applications such as Microsoft Office 365 for Business or Google Apps for Work, enabling 2-step authentication offers additional protection in case your log-in credentials have been exposed. In the event someone is able to get your username and password they might try and log-in from another system; 2-step authentication would protect you from becoming further compromised.

This could also complicate matters for the Lenovo install base if they have a significant footprint within the U.S. government or federal contractors. My same recommendations for businesses apply in these sectors. However, I would strongly recommend that anyone in the USG and contractor community who uses a Lenovo PC and is involved with any sensitive projects should have their system checked for Superfish. Having the app installed may not mean they are compromised, but again, the main objective is reducing your risk.

Lenovo is a great company and it is unlikely they would knowingly place ‘malware’ on a system. Lenovo should have caught the Superfish issues earlier, via discussions in their user forums and I’m sure they are addressing the matter. Still, this does not discount the risk facing those who are at risk of a man-in-the-middle attack.”

Greg Hoffer, senior director of engineering, Globalscape:

“We put a lot of trust in technology, but this event is a reminder for everyone: take nothing for granted, and remain ever vigilant with the products you develop, integrate and purchase. There are ample industry standards available for security development and testing, independent security experts available to validate performance, and well-established protocols for production and operations. Assume nothing and put into action the old axiom, ‘Trust, but verify.’”

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative

Posted on February 14, 2015 by in Security

Obama Signs Executive Order After an Address at Stanford University

During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.

The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.

“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.

Feedback On White House Information Sharing Initiatve

And the feedback begins…

Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:

“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.

An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.

When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”

 Ken Xie, CEO of Fortinet:

“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fulfillne in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”

Nate Fick, CEO of Endgame:

“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”

Tomer Weingarten, CEO of SentinelOne:

“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”

Mike Brown, VP and GM Public Sector for RSA:

“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”

Tal Klein, CMO for Adallom:

“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as its complete, then the value of that research diminishes.

 

I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic  dynamics of the information security market.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.

 

Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”

Marc Gaffan, CEO & Co-Founder of Incapsula:

“President Obama is taking a bold stance be visiting with tech companies in silicon valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”

Ron Gula, CEO, Tenable Network Security:

“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.

Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”

Ryan Shaw, Director of Research and Development at Foreground Security:

“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years.  These challenges include:

· Lack of trust between the parties involved

· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators

· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators

· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”

John Dickson, principal at software security firm Denim Group:

 “There is no mention of increased liability protection for companies in the today’s briefing sheet.  Absent of increased protection, or at least clarity, for the corporate liability question will likely result in a lukewarm reception from industry.  Couple that with remaining post-Snowden doubts that remain over working with government and law enforcement, then you have a potential non-starter here.

The focus on strong privacy and civil liberty protections misses the point here – that’s not hurdle in more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”

Jeff Williams, CTO, Contrast Security:

 “I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves.  I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.

 

However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks.  I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.

The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

 “The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.

 

The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”

Dan Waddell, Director of Government Affairs, (ISC)2:

“It’s important that the American public put this issue into perspective.  As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.

Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia.  CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc.  Everyone shares a common interest: We need to secure information of the people, for the people.”

Chris Wysopal, CTO & co-founder at Veracode:

 “The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses which require more and more intimate data be stored and processed by them.  That is why after many years of security professionals complaining of the lack of SSL usage by majo7r tech companies it wasn’t until the Snowden revelations that it was finally enforced by the big players.  

 

“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.” 

Ken Westin, Security Analyst Tripwire:

“This Order and the informatPion sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. In order to make these initiatives effective, secure and manageable, will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.

The devil is truly in the details, although I believe the spirit and intentions of the Order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.” 

*Additional reporting by Eduard Kovacs

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Anti-Fraud Firm InfoArmor Acquires IntelCrawler

Posted on January 28, 2015 by in Security

InfoArmor, a provider of fraud and identify theft protection services, has acquired cybercrime research firm IntelCrawler for an undisclosed sum.

With IntelCrawler under its belt, Scottsdale, Arizona-based InfoArmor plans to form a new Enterprise Threat Intelligence unit that will help customers discover and block attacks targeting intellectual property.

Founded in 2013 by Dan Clements and Andrew Komarov, IntelCrawler offers threat intelligence, data and security research services to large corporate and government clients.

 

Komarov previously worked for Russian cybercrime research firm Group-IB.

IntelCrawler has uncovered a number of cybercrime operators and malware, including a claim back in Jan. 2014 when the company said it had discovered someone they believe was tied to the malware known as Kaptoxa or BlackPOS, which was used in the high-profile attacks against Target.

“InfoArmor is thrilled about joining forces with Dan, Andrew and the IntelCrawler team,” said John Schreiber, InfoArmor’s president, adding that IntelCrawler’s data, intelligence and research capabilities are beneficial for its clients, who are pushing for threat identification, assessment, and attribution. 

“Using IntelCrawler’s context-aware intelligence and operative human intelligence, we will now be able to connect even more dots between cyber intelligence and emerging enterprise threats,” said Drew Smith, CEO of InfoArmor.

The cash and stock transaction was completed on Jan. 23, 2015.

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Industry Reactions to Devastating Sony Hack

Posted on December 5, 2014 by in Security

The systems of entertainment giant Sony have been hacked once again, and although the full extent of the breach is not yet known, the incident will likely be added to the list of most damaging cyberattacks.

Feedback Friday for December 5, 2014

A group of hackers called GOP (Guardians of Peace) has taken credit for the attack and they claim to have stolen terabytes of files. Sony admitted that a large amount of information has been stolen, including business and personnel files, and even unreleased movies.

On Friday, security firm Identity Finder revealed that the attackers leaked what appears to be sensitive personal data on roughly 47,000 individuals, including celebrities.

North Korea is considered a suspect, but the country’s officials have denied any involvement, and Sony representatives have not confirmed that the attack was traced back to the DPRK.

Researchers from various security firms have analyzed a piece of malware that appears to have been used in the Sony hack. The threat is designed to wipe data from infected systems.

The FBI launched an investigation and sent out a memo to a limited number of organizations, warning them about a destructive piece of malware that appears to be the same as the one used in the attack against Sony.

Some experts believe the FBI sent out the alert only to a few organizations that were likely to be affected. Others have pointed out that the FBI doesn’t appear to have a good incident response plan in place.

And the Feedback Begins…

Cody Pierce, Director of Vulnerability Research at Endgame:

“The latest FBI ‘flash’ report warning U.S. businesses about potentially destructive attacks references malware that is not highly advanced. Initial reports associate the alert with malware that overwrites user data and critical boot information on the hard drive, rendering the computer effectively useless. Based on analysis of the assumed malware sample, no technology exists within the sample that would warrant a larger alert to corporations. Additional information, either present in the malware–like IP address or host information–or during the investigation, also likely made it clear who required advance notification. Because of the malware’s low level of sophistication as well as the reportedly targeted nature of the attacks, it is entirely reasonable that the FBI would only inform a small number of companies.

The goal of these coordinated alerts is to raise awareness to the most likely targets so that they can ensure their security readiness, without unnecessary burden to those unlikely to be affected. In this case, because the malware is targeted and not sufficiently advanced, the FBI’s approach is justified. Conversely, in the event that more sophisticated malware or a new attack vector had been discovered, greater communication would have been necessary. Based on the information available, the FBI made the right decision in issuing this particular alert.” 

Mark Parker, Senior Product Manager, iSheriff:

 “For many organizations in the midst of breach investigation, decisions are often made very quickly. Without the luxury of planning meetings and impact analysis, some of the things are done in a ‘from the cuff’ manner based upon the evidence in hand, which may in fact be incomplete. In the case of the FBI memo that was sent out, it was done in a manner that was clearly done hastily. The threat posed by the malware was significant and a quick decision was made to send out an alert.

 

While I wasn’t in the room, I am fairly certain from having been in similar rooms, and in similar situations, that a list of who should receive the alert was not a very long conversation, and the point was to get the information out as soon as possible. What this demonstrates is that both Sony and the FBI do not have a good incident response plan in place for this type of incident. All organizations should have an incident response plan in place that lays out this sort of information in advance so that time is not spent on such issues. A clear process for key decisions is a very important part of any incident response plan, as is a list of who should be contacted in different situations.”

Steve Lowing, Director of Product Management, Promisec:

“Given that Sony Pictures is releasing a movie next month that satirizes assassinating North Korea’s supreme leader Kim Jong-Un, and after learning about this release last June declared war on the company, it’s widely held that the North Korean government is behind the attack. It’s likely that this is true at least at a sponsorship level given the number of attacks on South Korean banks and various businesses over the course of the last year, with the likely attackers being the country’s cyber warfare army known as unit 121.

Unit 121 is believed to be operating out of a Shenyang China luxury hotel giving them easy access to the world with being an arm’s reach from North Korea. The main reason for this is China’s close proximity to North Korea, North Korea’s almost non-existent internet access and China’s far superior network and cyber hacking resources. This is yet another example of State sponsored hacktivism targeting companies directly.”

Jonathan Carter, Technical Director, Arxan Technologies:

“So far, the evidence seems to suggest that the Sony hack was accomplished via execution of malicious malware. Hackers typically conduct these attacks by somehow tricking the user into executing something that is malicious in nature from within a system that is sensitive in nature. The recent iOS Masque and WireLurker vulnerabilities clearly illustrate that the delivery and execution of malicious code can take some very clever approaches. In light of these recent revelations, it is reasonable to expect to see a rise in distribution of malware (disguised as legitimate B2E apps that have been modified) via mobile devices owned by employees that have access to sensitive backend systems.”

Vijay Basani, CEO of EiQ Networks:

“It is possible that the hackers accessed not only unreleased movies, but also gained access to user accounts, celebrity passport details, sensitive trade secrets and know how. This demonstrates that in spite significant investments in traditional and next-gen security technologies, any network can be compromised. What is truly required is a total commitment from the senior management to building a comprehensive security program that delivers pro-active and reactive security and continuous security posture.”

Craig Williams, Senior Technical Leader and Security Outreach Manager for Cisco’s Talos team: 

“The recent FBI ‘flash alert’ was published covering the dangers of a new wiper Trojan that has received quite a bit of media attention. There are a few key facts that seem to be overlooked by many of the early news accounts of this threat:

Cisco’s Talos team has historic examples of this type of malware going back to 1998.  Data *is* the new target, this should not surprise anyone – yet it is also not the end of the world.  Recent examples of malware effectively “destroying” data – putting it out of victims’ reach – also include Cryptowall, and Cryptolocker, common ransomware variants delivered by exploit kits and other means.

Wiping systems is also an effective way to cover up malicious activity and make incident response more difficult, such as in the case of the DarkSeoul malware in 2013.

Any company that introduced proper back-up plans in response to recent ransomware like Cryptolocker or Cryptowall should already be protected to a degree against these threats detailed by the FBI.  Defense-in-depth can also detect and defeat this type of threat.”

Carl Wright, general manager at TrapX Security:

“The FBI and other national government organizations have an alerting process that we are sure they followed to the letter. It is important for them to provide an early warning system for these types of attacks, especially in the case of the Sony breach, because of the severe damage that could ultimately be used against our nation’s critical infrastructure.

Timely information sharing must be completely reciprocal in nature, meaning, corporations also have to be willing to share their cyber intelligence with the government.

 

When we look at the significant incidents of 2014 and in particular Sony, we see that most enterprises are focusing efforts and investments on breach prevention. 2014 has clearly highlighted the need for corporations and government to include additional technological capabilities that better detect and interdict breaches before they can spread within an organization.”

Ian Amit, Vice President, ZeroFOX:

“The Sony breach is a tricky situation. How it occurred is still up for debate – possibly nation state? Possibly an insider? Possibly a disgruntled employee? Regardless, it’s clear the breach goes very deep. It has gotten to the point that Sony is outright shutting down its network. This means even the backups are either nonexistent or compromised, and the hackers likely got just about everything, making this one of the worst breaches ever at an organization of this size. The attack touches anyone involved with Sony – auditors, consultants, screenwriters, contractors, actors and producers. The malware might be contained on Sony’s servers, but the data loss is much further reaching. Make no mistake, this breach is a big one.

I am skeptical this attack is nation state-level attack. The idea that North Korea is retaliating against Sony for an upcoming film is a wildly sensationalist explanation. Hackers regularly cover their trails by leaving red herrings for the cleanup crew – indications that the Russians, Chinese, Israelis, North Koreans and your grandmother were all involved. A small script of Korean language is hardly damning evidence. Code can be pulled from a variety of sources and there is no smoking gun (yet) in the case of the Sony breach.”

Oliver Tavakoli, CTO, Vectra Networks:

“Any malware that destroys its host will have limited impact unless it is part of a larger coordinated attack. One or two laptops being wiped at Sony would be a nuisance, but large numbers of devices being wiped all at once is devastating. The latter style of attack requires an attacker to achieve a persistent network-level compromise of the organization before the wiper malware even becomes relevant.

The information released as part of the FBI alert bears this out. The malware sample detailed in the alert was compiled only days before it was used. This is a strong sign that Sony was compromised well before the time the malware was built, and the wiper malware was the coup de grâce at the end of the breach.

This is particularly significant when evaluating the FBI alert. Sharing indicators of compromise (IoC) is a good thing, and the industry needs more of this sharing. But we need to keep in mind that these particular indicators represent the absolute tail end of a much longer and widespread attack. In fact, some of the IoCs detailed in the alert are only observable once the wiper malware has begun destroying data. Obviously, this sort of indicator is much too late in the game, but too often is the only indicator that is available. What the industry needs badly are indicators of attack that reveal the compromise of the organization’s network at a point when security teams can still prevent damage.”

Kenneth Bechtel, Tenable Network Security’s Malware Research Analyst:

 “This type attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheet. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future.”

Jon Oberheide, CTO, Duo Security:

“I don’t believe that the limited distribution of the FBI warning was improper. But, I think the scope and focus on data-destroying malware was a bit misguided.

 

Certainly data loss can have a big impact on the operations of a business. We saw that big time back in 2012 with the Saudi Aramco attack by data-wiping malware. But, regardless of whether the data loss is intentional or inadvertent, it’s vital to have proper disaster recovery and business continuity processes in place to be able to recover and continue operation. However, when considering a sophisticated cyber-attack, disaster recovery processes must assume that an attacker has more capabilities and reach than standard inadvertent data loss events. For example, an attacker may have access to your data backup infrastructure and be able to destroy backups as well. So, modern organizations may have to revisit their DR/BC models and take into account these new threat models.

The real impact of the Sony breach is not the destruction of data, but the longer term effects of confidentiality and integrity of their data and infrastructure. Rebuilding all their infrastructure post-breach in a trusted environment is an incredibly challenging and arduous task. The disclosure of credentials, infrastructure, critical assets, employee PII, and even things like RSA SecurID token seeds will have a much longer-term, but more under-the-radar, impact on Sony’s business.

Most importantly, in the modern day, breaches don’t only impact the directly-affected organization, but they tend to sprawl out and negatively impact the security of all organizations and the Internet ecosystem as a whole. A breach doesn’t happen in a vacuum: stolen credentials are re-used to gain footholds in other organizations, stolen source code is used to find vulnerabilities to assist future attacks, and information and experience is gleaned by attackers to hone their tactics, techniques, and procedures.”

Idan Tendler, CEO of Fortscale:

“The traditional concept for security was to keep the most important resources, i.e. the vaults with the cash (or in Sony’s case, films) safe. What we’re seeing with breaches of this magnitude is that the harm now goes far beyond any immediate and limited capital damage. Leaked sensitive information regarding employee salary and healthcare has the potential to cause enormous reputational harm and internal turmoil within a workforce. Revealing that kind of data can lead to jealousy, resentment and distrust among workers and create a very toxic work environment.

With news of passwords to sensitive documents also being leaked, Sony will need to be more vigilant in securing user access to resources by constantly monitoring and analyzing user activity for possible credential abuse.”

Clinton Karr, Senior security specialist at Bromium:

“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shutdown after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the “cat burglary” of Trojan attacks, but much more brute force like a smash-and-grab or straight vandalism.”

Ariel Dan, Co-Founder and Executive VP, Porticor:

“Reporting the technical details of a specific attack is a sensitive topic. Attack details can and will be used by new hackers against new targets. On the other hand, companies can’t do much to defend against a type of attack they know very little about. One relevant example of such a potential attack was around a severe security bug in the Xen virtualization system that exposed cloud users of Amazon Web Services, Rackspace and other cloud providers. The cloud vendors had stealthily patched affected systems, issued a vague notification to their users of an immediate restart action, and only after it was all done was the attack realized and publicized. Reporting the bug prior to fixing the problem would have a devastating effect on cloud users.

 

Back to the Sony attack: I personally believe that reporting the entire details of a security breach can do more harm than good, but there should be a way to communicate enough meaningful information without empowering the bad guys. Blogs like KrebsonSecurity provided additional details, including a snort signature to detect this specific attack. Such data is meaningful for the defender and does not help an attacker. From this information we learned that organizations should embrace an “encrypt everything” approach as we step into 2015. We should be able to guarantee that data is not exposed even if an organization has been infiltrated.”

Tim Keanini, CTO at Lancope:

“I think the question being asked here is a great opportunity to describe the threats of yesterday versus the threats we face today.  In the past, broad advisories on technical flaws were effective mainly because the problem was universal.  Attackers would automate tools to go after technical flaws and there was no distinction between exploitation of a large corporation or your grandmother. If the vulnerability existed, the exploitation was successful.  In the case of Sony, we are talking about a specific adversary (Guardians of Peace) targeting Sony Pictures and with specific extortion criteria.  With this type of advanced threat, warnings sent out by the FBI on the investigation itself will be less prescriptive and more general making its timeliness less of a priority. 

From everything we have seen disclosed so far, it is difficult to assess and advise on the information security practice when some of the flaws exploited seem to suggest very little security was in place.  The analogy would be: it would be hard to assess how the locks where compromised when the doors to host the locks were not even present.   For example, some of the disclosure on reddit earlier in the week suggests that some files named ‘passwords’ were simply in the clear and stored unencrypted in txt and xls files.  The investigation will determine the true nature of all of this speculation but I use this as an example because the FBI could issue a warning every day of the week that said “Don’t do stupid things” and be just as effective.

The lesson learned here is that if you are connected to the Internet in any shape or form, this type of security breach happening to you and your company is a very real risk.  Step up your game before you become the subject of another story just like this.  It would be weird but Sony Pictures should write a movie on how a cybercrime group completely comprised and held an entertainment company for cyber extortion – categorized under non-fiction horror.”

Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi:

“As the FBI, DHS and others investigating the Sony hack work furiously to uncover the details and the threat actors behind this breach, it’s important that we recognize the attack patterns that are right in front of our face: cybercriminals are and will continue to use the same attack blueprint over and over again. Why? Because they use what works.

In April 2011, Sony’s PlayStation Network was breached where asymmetric keys were stolen, compromising the security of 77 million users’ accounts. Now, nearly four years later, Sony is still facing the same threat — only this time it’s directed on Sony Pictures Entertainment. In this latest breach, cybercriminals successfully gained access to dozens of SSH private keys – the same way they stole private keys in the Mask, Crouching Yeti and APT18 attacks. Once these keys are stolen, the attackers can get access to other systems — and then it just goes from bad to worse. It’s critical that incident response and security teams realize that the only way that the attackers can *truly* be stopped from accessing these systems is by replacing the keys and certificates. Until then, they will continue to wreak havoc and cause more damage with elevated privileges, the ability to decrypt sensitive data in transit, and spoof systems and administrators. All it takes is one compromised key or vulnerable certificate to cause millions in damages. Hopefully, Sony will learn its lesson this go round.”

Until Next Friday… Have a Great Weekend!

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

FireEye Unveils On Demand Security Service, Threat Intelligence Suite

Posted on September 20, 2014 by in Security

Threat protection firm FireEye has announced new offerings designed to provide customers with on-demand access to its cyber defense technology, intelligence, and analysts expertise on a subscription basis.

Designed to help enterprises scale their defense strategies, the new offerings provide customers with a single point of contact to meet their needs before, during or after a security incident.

The new FireEye as a Service offering is an on-demand security management offering that allows organizations to leverage FireEye’s technology, intelligence and expertise to discover and thwart cyber attacks.

The second new offering, FireEye Advanced Threat Intelligence, provides access to threat data and analytical tools that help identify attacks and provide context about the tactics and motives of specific threat actors, FireEye said.

Combined, the solutions are designed to equip enterprise security teams so they can implement an Adaptive Defense security model, an approach for defending against advanced threat actors that scales up or down based on the unique needs of each security organization.

“The new FireEye Advanced Threat Intelligence offering adds two new capabilities to complement FireEye’s existing Dynamic Threat Intelligence subscription,” the company explained in its announcement. “First, when the FireEye Threat Prevention Platform identifies an attack, users will now be able to view intelligence about the attackers and the malware. Security teams will be able to see who the associated threat actor is, what their likely motives are, and get information about the malware and other indicators they can use to search for the attackers.”

Additionally, a new threat intelligence research service allows customers to subscribe to ongoing research including dossiers, trends, news and analysis on advanced threat groups as well as profiles of targeted industries, including information about the types of data that threat groups target.

Other highlights of FireEye as a Service include:

Detection of Adversaries and their Actions – FireEye analysts staff an around the clock global network of security operations centers to hunt for attackers in an environment using FireEye technology and advanced analytics that identifies outliers and correlates them with behaviors of known attackers. By finding high-risk threats at the earliest stages of an attack, FireEye minimizes the risk of a breach.

Ability to Pivot to Incident Response – With FireEye as a Service, organizations can quickly engage a Mandiant incident response team when needed.

Access to Personalized Intelligence Reports — FireEye as a Service customers get access to key intelligence findings and judgments specific to their organization from the FireEye intelligence team. This includes identification of attackers specifically targeting their industry, typical attack methodologies used by relevant adversaries, and key business or financial data that motivates attackers to target your organization.

“We need to analyze the environment to address the attacks that penetrate an organization’s perimeter and bypass preventive measures,” FireEye COO, Kevin Mandia, wrote in a blog post. “And then ultimately, when we understand an attack well enough, contain it to get back to normal business operations. To succeed in today’s cyber-threat environment this cycle must shrink – from alert to fix in months, to alert to fix in minutes – in order to eliminate the consequences of a security breach.”

With FireEye as a Service, customers have the option to manage their own security operations, offload security operations to FireEye, or co-manage operations with FireEye or a FireEye partner.

Both new offerings are available as a subscription to customers that have purchased FireEye products. Pricing for ongoing monitoring starts at $ 10,000 per month for smaller clients needing full support and. For larger organizations the price is much higher.

Organizations pay a subscription fee and account for the service as an operational expense or pay up front and account for it as a capital expense, FireEye said.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed