Security Blog

Your source for information security news and views.

Throwing Stones in a Glass Infrastructure

Posted by: Patrick Snyder

Tagged in: stuxnet , News , Egypt , cyber warfare

 

We must all understand that the net is fragile and it can be taken down. We have seen this 'kill switch' in action recently in Egypt. Libya is also taking its cue from Egypt and in spite of social unrest its government has also began shutting down network access. Things are slipping out of hand very quickly but Americans can breath a sigh of relief, or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of 'Internet Kill Switch' from being initiated by the president. A right to bear arms and a right to assemble lead into our right to the net.

One issue still remains, now that this type of mass Internet blackout technique has surfaced we must not only be concerned with the authorities doing it but everyone else who can now see that this capability does indeed exist.

Taking down the Internet is easier then you may think. The net has two fundamental services. First being a name and address service, this is handled through the Domain Name Service infrastructure and without it we don't have email, VoIP, web traffic or any web 2.0 technologies, including the growing Cloud infrastructure. The second service is routing. IP routers run software and can be attacked through a wide range of exploits. Last week, researchers at the University of Minnesota described a targeted DDoS attack that could knock out these services.

Another aspect the Egyptian outage showed us is that nation-states either already have or are aggressively building the tools to disrupt the internet. Think back to the Stuxnet attacks, Iran acknowledges that a joint effort between the United States and the Israelis caused serious damage to the Iranian power infrastructure by damaging centrifuges in their nuclear power plant. If we can attack their infrastructure and get away with it, why would we think they won't attack ours. Mass terrorism could very well go cyber sooner than we know it. Last week, the head of the National Security Agency said that the United States should expect to be attacked. Thats right, EXPECT it.

I think the message is clear, for Cloud computing and for general business continuity, resiliency and back up systems are not luxuries, they're mandatory!

 

~KWK

 


 

Mobile devices continue to become our main source of productivity throughout our lives. Making phone calls and checking email are one thing but now we can browse full web pages and even edit documents. Mobile apps make our lives easier and…well…more mobile.

In todays world it is hard to find a task that cannot be completed in the palm of your hand. We can now conduct entire business meetings from an iPad, monitor our servers remotely through our smartphones, and take care of our banking and finances all while on the run. This could be a fatal mistake if we are not careful. We need to slow down for a minute and consider some serious security implications of our mobile actions.

Physical security of these devices is key when talking about mobile security. As smartphones get smaller and smaller and our technology keeps up with Moore's Law, we must keep in mind that these devices now become more susceptible to theft. Just think of how easy it is to slip your phone into your pocket, this task is just as easy for criminals.

You may think that your smartphone doesn't carry very important information. This is a huge mistake in the mindset of security. Soon our smartphones will carry more than just our contacts, photos and web access. They will be our main form of identification, our car key, our credit card, and our login token. Google and Apple have already began work on this theory of eliminating passwords and using our mobile phones for complete authentication.

Failing to protect your mobile devices could also soon be hazardous to your health. As medial records continue to transition from paper to digital form we will soon be seeing all of our medical information flashing across our smartphone screens. This is not something you can afford to lose or have maliciously altered. 

Mobile apps still don't stop there. We all know that the banking industry has already taken a huge turn towards mobility. But have you heard you can even file your taxes on your smartphone? Intuit reports that as of February 2011 350,000 downloads of its SnapTax application are already in use by iPhone and Android customers. Thats right, you can even file your taxes on your smartphone. No more trips to the library or even to your computer. 

So what if you lose your phone or it gets stolen? There are options to secure yourself. These options include a growing list of mobile encryption programs. You may also want to check out Apple's Find My iPhone app as well as the beta third party Android version Mobile Defense. These apps, and many like them, are like LoJack for your mobile devices. Lost devices can be located, wiped and protected all from remote locations using these innovative security apps.

These topics barely break the surface of mobile security. Physical security is one small aspect of securing your smartphone. Stay tuned for more information on mobile app security including Cloud computing and how it will affect your smartphone security.

 


We are living in a world of cyber war. There isn't a single event now of days that doesn't involve the internet. From the malicious stuxnet attack on Iranian nuclear facilities, to Operation Payback's mass execution of the Low Orbit Ion Cannon botnet by thousands of pro-WikiLeaks supporters, even the Egyptian internet blackout, all related to some form of hacktivism or cyber warfare.

Computers and the internet have become a powerful weapon in todays world. Whether it be for financial gain, political activism, or malicious attacks. In properly trained hands a computer can be a more destructive weapon than any knife, gun, or bomb. Mind you not just anyone can walk into a gun shop and purchase a gun, but even young kids can walk into the nearest Best Buy and pick up a computer. With a click of a mouse and tap of a keyboard our worlds most valuable infrastructures can be shattered to bits. With the introduction of stuxnet we were introduced to the real life threat of SCADA system attacks which are able to strike far beyond our bank accounts and damage our much relied on power, nuclear, and utility facilities causing life threatening dangers.

On the banking end of things, for those who have not heard the rumors, the malicious and powerful offspring of the Zeus and SpyEye malware is now being released and is already in use by a few cybercriminals. Banks still fight off Zeus related attacks in attempts to protect customer credentials and prevent malicious transactions. The mutant malware boasts new skills regarding information harvesting and botnet capabilities.  It even offers a graphical user interface, similar to Windows interface, during remote control operations (talk about using our own technology against us).

As mentioned in an earlier entry, the enemy is cloning us bit by bit, byte by byte. With each advancement we make they mimic our actions following in our footsteps. For every piece of technology we release in the fight against cybercrime, malicious attackers have been able to reverse engineer it, thus the battle continues.

Within McAfee's release of the 2011 Threat Predictions we caught a glimpse of what criminals could very well have in mind for the unfolding year. Many of these threats we have already had a taste of in previous years. These threats include Exploiting Social Media, Mobile, Apple, Applications, Sophistication Mimics Legitimacy, Botnet Survival, Hacktivism, and Advanced Persistent Threats. Sounds like the enemy is targeting us for the war of a lifetime. In a nutshell the worst case scenario is that our enemies, for potentially political reasons, will be able to find us no matter where we are, hit us with crippling malware, which they will hide in applications we use and trust everyday, relentlessly strike over and over without fail, and closely monitor their chaos to ensure the most effective damage. Imagine a Stuxnet/Operation Payback attack, with a Zeus/SpyEye malware tool, capable of attacking our increasing array of mobile technologies, stealing our money, stealing our identities, maybe even stealing our lives, and never even giving us a chance to see it coming.

Well here is our chance. To look out beyond the enemy at our gates. We can see their plans and their weapons being built. It's time for us to adjust our game plan and defenses as well. We must use what we know about our enemies to build better strategies and stay on top of security. 

Cyberwar requires the same ideology as chess. A good chess player (our enemy) thinks one move ahead. But we can be that great chess player that thinks five moves ahead.

What are some of your opinions on this years upcoming cyber threats? How do you plan on staying five moves ahead?


 

Egypt has pulled the plug. This topic has been overtaking our news feeds this past week. It's time we take a look at the good, the bad, and the ugly of this situation.

 

In fear that social networking will allow protestors the opportunity to further organize their anti-government demonstration, the Egyptian government has ordered all internet services to shut down.

 

ISP services have disabled all wired communications. As of yesterday morning the final ISP service went down. What is surprisingly scary is how quickly these services can be shut down by an ISP. In a matter of minutes these companies can alter national router hub configurations and blackout the entire country. 

 

Will there be any light at the end of this dark tunnel? I guess you could assume no internet service, no internet security breaches, but then again, you can't. 

 

Without internet connectivity tech workers in Egypt are left with nearly nothing to do (except for a game or two of solitaire). Imagine if General Motors halted their automobile manufacturing, no cars, no work. Many companies that outsource to Egypt are also feeling the tension from the outage. Microsoft is threatening to pull out many of its services that they rely on Egypt's tech community to maintain. Egypt is slowly loosing its grip on the technology forefront. Not to mention the political unrest it is causing with many foreign policy leaders.

 

In making the best out of a bad situation, we may see some good come out of this in the world of technology innovation.

 

With the mobile phone towers kicking back on, Google has had the opportunity to push its voice services towards a new purpose. Tweet by voice, possible thanks to Google's recent purchase of the SayNow service. In a service which Google has "hacked" together, users are able to leave voicemails on designated international "speek-to-tweet" hotlines. These voicemails will then be posted to twitter with an #egypt tag. Quite the innovation considering it took Google only a few days to implement.

 

Users are also going to the sky for wireless connectivity. Ad-hoc networks are cropping up all over the country as users attempt any means of staying connected to each other. 

 

Though the events of the past week have had many devastating effects they are also striking up a surprising amount of innovation and adaptation in the technology world. This abrupt change has made voice communication and mobile networking a top priority. This could potentially push these two concepts to a whole new level never before seen by our generation.

 

Even an internet outage cannot stop the advancement of technology. Desperate times call for desperate measures.

 


Topics