What’s the worst that could happen?

By now most of the security industry has heard the rumors and threats that Anonymous intends to flood the 13 DNS root servers throughout the world in an attempt to black out the internet for an unknown period of time. This attack is the result of the politically fueled opinions of some of today’s most influential hacktivists. According to a post on pastebin.com, the attack will essentially involve the use of a Reflective Amplification or ‘ramp’ toolkit to DDoS the root DNS servers, which would stop them from responding to DNS resolution requests and thus stop users from accessing websites via DNS names, i.e. ‘www.google.com’, ‘www.facebook.com’, etc.

This attack is under great scrutiny by professionals and hackers across the web. Some say it may be possible, others say that at best it will be very limited and do minimal damage, while the rest say that Anonymous has its information all wrong. Does this threat have any substance or is it only another empty threat? Only time will tell as the attack date of March 31, 2012 grows nearer.

Historically, years before this attack and hacking group even rose to popularity, Kim Davies, in a post on the ICANN Blog, attempted to dispel any and all rumors that there are only 13 lone DNS servers around the world. In a more recent blog post by Errata Security, blogger Robert Graham presents even more reasons why the attack will not be possible. One blogger even goes as far as calling Anonymous’ actions some kind of April Fools’ joke.

Among the non-believers lies a handful of fearful individuals who see this brazen threat as an indicator of worse things to come. Boy Genius Report recently published a story outlining the underlying fears of U.S. officials in light of Anonymous’ growth and increased threat potential to U.S. national security. It is no mystery that the U.S.’s cyber infrastructure is much weaker than most people think it is. We lack a structured cyber army and choose to hinder those with the potential to protect us in the event of a cyber war. I agree with Misha Glenny’s ideas in his TED talk last year, where he discussed an alternative to punishing hackers: setting up reform programs to bring these individuals back from the criminal world and get them on the good guys’ team again.

The bottom line is that progress remains slow when dealing with cyber attacks. The government’s approach of allowing less and less freedom and availability to these cyber miscreants only seems to frustrate them further. Top agents in charge of cyber security are beginning to get beaten down by the constant threats and attacks, in addition to the constant failure of higher-ups in government to consider better funding. The only hope in the fight against cyber crime and an impending cyber war will be not only an increase in IT security budgets but also a change in the mindset that all hackers are our enemies. These rogue hackers possess important skills and knowledge that the government cannot afford to lose to the dark side.

Those interested in a first-hand look at the health status of DNS servers during this weekend’s ‘attack’ can check it out on Team Cymru’s website dedicated to tracking the health of DNS servers around the world.

We Won’t…er…Will Get Fooled Again

As if Android security controls weren’t bad enough, it seems even more malicious software applications have made their way onto users’ devices. This new breed of malware is unlike any other. With the increasing power and capabilities of smartphones, soon to include quad-core processing power, attackers have begun to broaden their focus from exploiting desktop and laptop computers and are now targeting mobile devices for their botnets.

Smartphones are the perfect target. They are small, powerful, mobile, and best of all thriving with connectivity. Their size and mobility make them great for spreading malware throughout multiple corporate and public areas, anywhere someone might travel to and connect to an open, unencrypted Wi-Fi network. Their increasing processing power has made them just as suitable as higher-powered machines for running various attacks and malicious campaigns. Best of all, the connectivity and collaborative information we process through our devices allows malicious attackers to have a field day with our contacts and information.

Unlike most fully functional operating systems, mobile device operating systems are much more lightweight, and are also designed very differently from our traditional operating systems. Yes, we still run various applications, but many more exist on our mobile devices for specific purposes. On a standard PC, when you want to check your bank account balance or social networking, you generally log in through a browser. Smartphone application developers have simplified this process by giving you access to specialized applications that retain your login credentials for easy, efficient, instant access to these accounts.

What’s worse than writing down your passwords? I say it’s saving them for automatic logins in our applications, especially if these applications are infected with malware.

Picture this: You download an innocent looking banking or social networking application, one recommended by friends or one you have seen advertised on the web, through email, etc. You install the application and log in with your banking and/or social networking credentials. Expecting to see your account balance or messages from friends, you are surprised to find yourself now bombarded with spam advertisements, false banking information, and not a friend to be seen. To make matters worse your credit card has now run up a few hundred dollars worth of charges within a few minutes. Welcome to the new world of mobile malware.

The applications infected by the Trojan in these two news stories, by Computerworld and ZDNet, may not be for banking or social networking, but in an application-rich environment we must always consider the impact of fraudulent applications making their way into our most trusted environments. If they can trick us with fraudulent websites then there is no doubt they can trick us with fraudulent applications.

Fool me once shame on you fool me twice shame on you

It looks as though 2012 is not only gearing up to be the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many other banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

  1. In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?
  2. I am addressed as Stake Winner – You would think that my winning $800,000.00 would at least warrant a name look up by the Texas Lottery Commission.
  3. Google Translate is getting pretty good but not good enough to correct the grammar in this awkward message.
  4. Wait a minute this isn’t Texas – I’m not even a resident of Texas, nor have I entered the Texas lottery lately.
  5. Oh of course, that makes perfect sense, a Texas lotto claims agent, located in the United Kingdom, with only a Gmail email account.
  6. Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes, absolutely, I sure wouldn’t trust my lotto commissioners to hold anything less than a doctorate (hmm, odd, she seems to enjoy signing her name “Morgan Lewis”).

Although this is a weak example of an online scam, the excitement of a lotto winning can sometimes cause all logic to go out the window. Check back as I’ll be updating you periodically on this year’s newest phishing attacks and how to avoid being duped.
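The indicators in the list above are exactly the kind of thing a mail filter can check automatically. The Go program below is an added example, not code from the original post: it parses two constructed messages (the names, addresses and dollar figure are made up to mirror the scam described, and the benign second message is a control) and reports which heuristics each one trips: an organisation name fronting a free webmail address, a Reply-To on a different domain, a generic salutation, unsolicited prize language, a large sum of money, and a signature whose titled name does not match the sign-off name.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strconv"
	"strings"
)

// ScamMessage is a constructed sample modelled on the lottery scam discussed in the post
// (not the original e-mail; sender, addresses, names and amount are invented).
const ScamMessage = `From: Texas Lottery Commission <tx.claims.agent@gmail.com>
Reply-To: claims-desk-uk@hotmail.com
To: undisclosed-recipients:;
Subject: WINNING NOTIFICATION

Dear Stake Winner,

Your email address was selected in our online draw and you have won
$800,000.00 in the Texas Lottery. Contact our claims agent in the
United Kingdom to process your payment.

Dr. Roseline Morgan
Director, Texas Lottery Commission
Morgan Lewis
`

// LegitMessage is a constructed benign message used as a control.
const LegitMessage = `From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Friday

Hi Bob,

Are you free for lunch on Friday at noon?

Jane
`

var (
	freeMailDomains = map[string]bool{"gmail.com": true, "hotmail.com": true, "yahoo.com": true, "outlook.com": true}
	orgWords        = regexp.MustCompile(`(?i)\b(lottery|commission|bank|agency|ministry)\b`)
	genericGreeting = regexp.MustCompile(`(?im)^dear (stake )?(winner|customer|user|friend|beneficiary|sir/madam)\b`)
	prizeClaim      = regexp.MustCompile(`(?i)\b(you have won|winning notification|lucky winner|prize money)\b`)
	moneyAmount     = regexp.MustCompile(`\$\s?(\d{1,3}(?:,\d{3})+|\d{4,})(?:\.\d{2})?`)
	titledName      = regexp.MustCompile(`(?m)^(?:Dr|Mr|Mrs|Ms)\.\s+([A-Z][a-z]+ [A-Z][a-z]+)\s*$`)
	bareName        = regexp.MustCompile(`(?m)^([A-Z][a-z]+ [A-Z][a-z]+)\s*$`)
)

// domainOf returns the lowercased domain of an address header value, or "" if it is absent or unparseable.
func domainOf(header string) string {
	if header == "" {
		return ""
	}
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return ""
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr.Address[at+1:])
}

// Indicators parses a raw RFC 5322 message and returns the names of the heuristics it trips.
func Indicators(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	bodyBytes, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	body := string(bodyBytes)
	from := msg.Header.Get("From")
	var hits []string

	// 1. An organisation name in the display name, but a free webmail address behind it.
	if orgWords.MatchString(from) && freeMailDomains[domainOf(from)] {
		hits = append(hits, "org-name-on-freemail")
	}
	// 2. Replies are steered to a domain other than the one the mail claims to come from.
	if rt := domainOf(msg.Header.Get("Reply-To")); rt != "" && rt != domainOf(from) {
		hits = append(hits, "reply-to-mismatch")
	}
	// 3. Generic salutation: the sender does not actually know who you are.
	if genericGreeting.MatchString(body) {
		hits = append(hits, "generic-salutation")
	}
	// 4. Unsolicited prize language in the subject or body.
	if prizeClaim.MatchString(msg.Header.Get("Subject") + "\n" + body) {
		hits = append(hits, "prize-claim")
	}
	// 5. A large dollar figure (threshold is an arbitrary constructed value).
	if m := moneyAmount.FindStringSubmatch(body); m != nil {
		if v, err := strconv.ParseFloat(strings.ReplaceAll(m[1], ",", ""), 64); err == nil && v >= 10000 {
			hits = append(hits, "large-sum")
		}
	}
	// 6. The titled name in the signature block differs from the final sign-off name.
	if t := titledName.FindStringSubmatch(body); t != nil {
		names := bareName.FindAllStringSubmatch(body, -1)
		if len(names) > 0 && names[len(names)-1][1] != t[1] {
			hits = append(hits, "signature-name-mismatch")
		}
	}
	return hits, nil
}

func main() {
	for _, m := range []string{ScamMessage, LegitMessage} {
		hits, err := Indicators(m)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d indicator(s): %v\n", len(hits), hits)
	}
}
```

None of these checks is conclusive on its own (plenty of honest people mail from Gmail), which is why the function returns the full list rather than a verdict: a filter would score the count, and a training slide would show the reader which lines set each one off.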

Biography uncovers secrets of iGeneration mastermind

“Oh wow. Oh wow. Oh wow.”

These were the last words of the legendary Steve Jobs, according to his sister, Mona Simpson.

They were Jobs’ last words but my first words after reading his biography by Walter Isaacson titled, “Steve Jobs.”

This book gives incredible insight into the inner workings of the genius that I believe is behind much of today’s technology.

It is the story of a college dropout who built an empire and set the pace for future technological development.

Isaacson makes an incredible attempt to describe Steve Jobs’ every success and every failure.

Isaacson interviewed Jobs more than 40 times over the course of two years, enabling him to uncover the life of a man “whose passion for perfection and ferocious drive revolutionized six industries: personal computers, animated movies, music, phones, tablet computing, and digital publishing,” Isaacson said.

The book shares extensive details about the phases of Jobs’ life. It outlines family relationships, his business demeanor and some of his most personal secrets. It displays hidden characteristics about Jobs’ personality that explain why Apple devices have become the de facto standard in the industry.

There are stories that show how persuasive Jobs was to those around him. Some stories are humorous, such as the way Jobs got the president of PepsiCo, John Sculley, to work for Apple by asking him, “Do you want to spend the rest of your life selling sugared water, or do you want a chance to change the world?”

The biography begins with the story of Jobs’ parents’ difficult decision to put him up for adoption and segues into his childhood with his adoptive parents. From there, Isaacson uncovers Jobs’ mischief as a teenager, which carried through his short-lived college career, during which he met Steve Wozniak, a fellow prankster who co-founded Apple.

Jobs’ brilliance comes to light when the story switches, talking about his entrepreneur attitude and the beginning of Apple, founded by two pranksters on April 1, 1976: Wozniak, the nerdy computer engineer, and Jobs, the innovative, future-thinking game-changer.

Their venture began in Jobs’ parents’ garage but soon evolved to a corporation eager for the big league.

On Dec. 12, 1980, Apple Computers went public with an initial public offering (IPO) in the stock market worth $1.8 billion. Jobs, at the age of 25, was worth $217 million after the IPO.

“I went from not worrying about money because I was pretty poor to not worrying about money because I had a lot of money, (and) was rich,” Jobs said.

Jobs was infamous for his outlook on money. The biography talks of Jobs’ modest lifestyle. He was a man who didn’t get caught up in material things. He understood what money could do after he witnessed the way it changed his co-workers’ attitudes and values.

“Being the richest man in the cemetery doesn’t matter to me,” Jobs said. “Going to bed at night saying we’ve done something wonderful, that’s what matters to me.”

The biography displays Jobs’ demanding expectations, his striving for perfection and his low tolerance for those who did not bend to his “reality distortion field.”

The concept of Jobs’ “reality distortion field” is infamous throughout the book. It was the term used to describe his God complex and apparent ability to set impossible goals and actually get his team to accomplish them. He would bend reality to fit his best interests. If Jobs said something, no matter how ridiculous, it somehow became a reality.

The book moves on to Jobs’ obsessive attention to detail and harsh treatment of his co-workers, which eventually led to him being removed from his position as CEO.

After being kicked out of Apple, Jobs began his own ventures with NeXT Computers and Pixar Digital Animation Studios, but soon Apple came knocking at his door begging him to come back and save the company from its impending doom.

After returning to Apple, Jobs laid the groundwork for the future of Apple by developing the “Think Different” advertising slogan. This slogan became the status quo for Apple product design.

From the time of his return, Jobs’ products were at the forefront of the technology industry offering devices to the public they didn’t even know they wanted yet.

“People don’t know what they want until you show it to them,” Jobs said.

This mindset led to the triumph of revolutionary Apple products including the iPod, iPhone and iPad. Although the concepts for these products had been discussed, Jobs brought them all to fruition.

Taking these ideas and producing them was not enough for Jobs. Another of Jobs’ demanding characteristics was his drive for perfection.

Isaacson recalled Jobs’ story of building cabinets with his adoptive father, where he learned the value of perfection and precision. No one would ever see the back of the cabinets, but his father insisted they be as flawless as the front. This explains why Apple products look like pieces of art. Not only the devices, but also the packaging was carefully designed and run through a guillotine of critiques by Jobs.

I believe Jobs’ values and ideas will continue to affect the future of technology, and this biography will keep his legacy alive for decades.

I recommend this book to anyone who has an entrepreneurial spirit with dreams of being a successful industry leader, and also to anyone with an interest in technology. I’d even suggest it to anyone who has ever owned or used an iPod, iPad, iPhone or Mac computer and wants to understand the rich history of how those devices were created and uncover the secrets of the man responsible for all of it.

Losing Steve Jobs, losing our minds

I heard a joke a few days ago that although clever and humorous, holds a truth that strikes deep into the heart of America’s economic issues. It goes something like this:

“Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash. Now, we’ve got no jobs, no hope and no cash.”

The tech industry as well as the business industry lost a visionary and creative genius this past week.

On Wednesday, Oct. 5, Steve Jobs, co-founder of Apple, passed away and left behind a legacy of technological innovations.

Jobs was a pioneer of the tech industry and one of the first to develop and shape our ideals of modern personal computing. His imagination and creative thinking paved the way for not only the tech industry, but also for the innovative business culture that drives America.

His death has come at a time when we cannot afford to lose a true innovator. Entrepreneurs such as Jobs are the backbone of this country. They are the ones responsible for generating new business, new jobs and more importantly, boosting the economy. It is important that new eager minds take over Jobs’ legacy and begin their own entrepreneurial ventures.

In the past, one innovative mind could take a chance, become a leader and, in the wake of their success, offer many followers a steady job. In today’s economy we can no longer rely on other business leaders and entrepreneurs to generate jobs for everyone else.

The Steve Jobs of our time is gone, literally and metaphorically. A paradigm shift must be made to transform the average American from an aimless job seeker to a powerful and innovative job creator.

I’ve been reading a book titled “Think” by Michael R. LeGault. In it, he says that the power of critical thinking and logical reasoning is praised over intuition and impulse decision-making. One of the most influential realizations I’ve made from this book has been the noticeable decline in the intellectual thought process of a majority of people today. That’s not to say we are all becoming less intelligent, but many of us have a tendency to choose the easy way out or make decisions based on insufficient research and insight.

My reasoning for this decline in human intellectual effort is the downturn of the economy and its burden on self-esteem. Everything seems to be in a downward spiral toward the next Great Depression. Many of us are working jobs we don’t like and are being forced to go back to school on someone else’s terms just to make enough money to get by. Why would we ever want to work harder to think about something we don’t even like?

Ironically, the only solution to overcoming our lack of creative thought is thinking itself. That thinking doesn’t have to be about your everyday job and your tough college classes. Instead, dig deep and think about something that really matters to you. Go for it, whatever it is.

The possibilities are endless if we all think outside of the box every once in a while. Many of Steve Jobs’ accomplishments were made by doing just that: taking the risk and thinking harder and longer about things that no one else was thinking about at the time.

So much for the chain of trust

We all know digital certificates are meant to keep us safe while browsing the web. They are installed on our systems from birth, require digital signatures to be altered, and establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is in fact compromised? What happens when a digital certificate falls into the wrong hands?

Hackers have recently obtained a Google SSL certificate issued by DigiNotar, a Dutch certificate authority. Proof of this valuable takeover has already been flaunted on pastebin.com. It is still unclear how the certificate was obtained: there may have been a breach of DigiNotar’s website allowing access to the certificate, or there may have been a lack of oversight by DigiNotar. Either way, this event presents a significant security risk to users.

This certificate gives the hackers a trusted identity for each of Google’s many services, including Gmail, Google search, and Google Apps. It would easily allow them to poison DNS and launch a massive spam campaign that relays users to false sites, then use those sites to compromise users’ accounts through a man-in-the-middle attack.

According to security professionals, based on the information posted on Pastebin, the certificate is in fact valid. This leaves endless possibilities for the hackers to exploit the certificate. Also, since the certificate is valid, users will not be shown a warning message, even if they are on a malicious site posing as Google.

Google is expected to quickly patch Google Chrome’s certificate handling and will most likely urge Microsoft, Mozilla, Apple, and others to follow in its footsteps for the safety of the internet.

Earthquakes, Hurricanes, and a Crumbling Infrastructure

The recent 5.9 magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damages were minimal, this still reminds us of the importance of disaster recovery and business continuity planning. So far reports show only minimal injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor compared to other major disasters. The most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along a hurricane path, but these natural events do stray from their usual patterns from time to time. In a way there is no 100% safe place to be. It is always a good practice to plan for every disaster possible and not just those that are common for your area.

This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location has been chosen due to its low risk factor and generally safe environment. But as I just stated, there is no end-all, be-all safe haven for data and IT centers to set up shop. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

On another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode, but it did shed light on the aging infrastructure throughout cities along the East coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event; however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be much less likely to be activated if the infrastructures they are set up for were solid and secure from the start.

With Hurricane Irene bearing down on the East coast within the next week, we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.

Amazon takes aim at cloud compliance issues with GovCloud

Compliance is never easy and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now U.S. government agencies have found it difficult if not impossible to get their sensitive information onto the cloud despite federal programs aimed at doing just that. The issue has always been with compliance and security. The management of sensitive data has strict regulatory requirements that must be followed in order to protect information.

A few of those important regulatory requirements concern location and access control. Sensitive data from U.S. agencies is required to be stored within U.S. boundaries and to be accessible only by users residing within the U.S. With most cloud services spanning a few continents, the challenge of keeping that data contained is nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about GovCloud:

AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Trade and Arms Regulation (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

The new service is also compliant with FISMA, SAS-70, ISO 27001, FIPS 140-2 compliant end points, PCI DSS Level 1, and HIPAA. This will most definitely make compliance auditing far less daunting and increase the security of data in the cloud. Hopefully this new service will lead more federal agencies to begin joining the cloud movement and finally begin to fulfill the goals outlined in Vivek Kundra’s Federal Cloud Computing Strategy.

Cloud Risk: Placing all of your eggs in one basket

It’s 2 a.m. on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon’s EC2 cloud services and Microsoft’s BPOS cloud services were taken out by a lightning strike in Dublin early this week.

Despite proper disaster recovery and business continuity plans developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss; however, the lightning strike was so substantial that it knocked out the phase control system which synchronizes the power loads. Thus the backup generators had to be powered up and load-managed manually, resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability; the implementation of those procedures under pressure is the only test of true recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning: having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as “hot sites”). Most cloud service providers will offer you extensive features that include many of these protection services. Although bundling them all with the same provider may be more convenient, it can also lead to further disaster in times of peril.

As we have seen by the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This brings an increased importance to third party services to keep you running while your main cloud service provider gets back on their feet again. Just as it isn’t smart to “put all of your eggs in one basket,” it probably isn’t a good idea to place all of your computing power and resources in the hands of one provider.

Break out the RAT traps, there is shady business afoot

Forget about LulzSec and Anonymous. Those political hacktivist groups are only amateur script kiddies compared to the hackers recently revealed by McAfee. The newly discovered group’s five-year-long attack, which struck at least 72 identified organizations, seems to have originated out of China, although no official location has been determined.

Dubbed Operation Shady RAT (RAT standing for remote administration tool), the campaign employs spear phishing techniques which mimic legitimate email messages (just as many other phishing attacks do); once users open the attachments, their systems become infected with malware that allows them to be controlled by a command-and-control server hosted by the hackers. Unlike other attacks we have seen, this hacking group doesn’t seem to be out for laughs or a quick payout. It’s data mining they are after, and lots of it.

The longevity of their attacks has led to the compromise of petabytes worth of data thus far. The damage and loss of proprietary information is far more valuable than anyone would have predicted, and until the attackers are shut down, it is only expected to get worse.

This attack brings to light a concept that has been thrown at IT security professionals for quite some time now. Anyone who has been in IT security long enough has most definitely heard about Advanced Persistent Threats (APTs). This was the same attack approach used in the SCADA attacks on Iraq’s nuclear facilities and in Operation Aurora against Google and a dozen or more organizations. For those who need a brush-up on APT attacks, think of them as interactive, polymorphic attacks whose controllers have the ability to evolve and adapt to any security system. You build a wall, they knock it down; you dig a moat, they swim across it. APT attacks represent a new revolution of unstoppable cyber attacks.

The only way to stop an APT attack is to cut it off at its driving source, the C&C server. McAfee is working with a variety of U.S. government agencies to shut down the C&C server; however, the attackers’ five-year head start along with jurisdictional issues is sure to make this quite the challenging task.

Another issue is many organizations’ failure to report or admit a compromise, which makes these attacks even more difficult to follow. Security professionals must keep in mind that despite your organization’s reputation or pride, you have a duty to disclose attacks to the proper authority. These attacks cannot be ignored and cannot be fought alone.

Microsoft has even started a program offering a $250,000 incentive to anyone who contributes outstanding solutions to these attacks in defense of the future of computing technology.

If you’re wondering whether your organization could be a target, then just ask yourself one question: does my information hold any value whatsoever? I’m guessing that for 95% of organizations the answer is yes.