Showing posts with label Malware. Show all posts

February 21, 2018

From Malware To Malevolent People

In virus protection on the computer, there are two common ways antivirus software works:

1) Signature Detection - There are known patterns of viruses and the antivirus software looks for a match against one of these. 

2) Behavior Detection - There are known patterns of normal behavior on the computer, and the antivirus software looks for deviations from this. 

Each has certain weaknesses:

- With signature detection, if there is a zero-day exploit (i.e., a virus that is new and therefore has no known signature), then it will not be caught by a blacklist of known viruses.

- With behavior detection, some viruses that are designed to look like normal network or application behavior will not be caught by heuristic/algorithm-based detection methods.

For defense-in-depth, then, we can see why employing a combination of both methods would work best to protect against malware.
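To make the two methods and their blind spots concrete, here is an added toy scanner (example code written for this page, not from the original post) that runs a signature match and a behavior-baseline check over constructed samples; the signatures, baseline counts and samples are all made up for the illustration.

```python
"""Toy illustration of signature vs. behaviour detection and why they are
layered. Signature matching catches known samples but misses a new (zero-day)
one; behaviour baselining catches the zero-day but misses a sample whose
activity looks normal. Signatures, baseline counts and samples are all
constructed for this example (none is real malware)."""
import re
import statistics
from dataclasses import dataclass

# Constructed "signature database": byte patterns from previously analysed samples.
SIGNATURES = {
    "Demo.Dropper.A": rb"DEMO-DROPPER-MARKER",
    "Demo.Worm.B": rb"worm\.spread\(\)",
}

# Constructed baseline of normal behaviour: per-minute counts of a few
# observable events, as if gathered from clean machines.
BASELINE = {
    "outbound_connections": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
    "files_modified": [10, 12, 8, 11, 9, 13, 10, 12, 9, 11],
    "registry_writes": [1, 0, 2, 1, 1, 0, 1, 2, 1, 1],
}


@dataclass
class Sample:
    name: str
    content: bytes      # file bytes scanned by the signature engine
    behaviour: dict     # event counts observed while the sample runs


def signature_scan(sample: Sample) -> list:
    """Return the names of every known signature found in the sample's bytes."""
    return [name for name, pattern in SIGNATURES.items()
            if re.search(pattern, sample.content)]


def behaviour_scan(sample: Sample, threshold: float = 3.0) -> list:
    """Flag each event type whose observed count deviates from the baseline
    mean by more than `threshold` population standard deviations."""
    alerts = []
    for event, counts in BASELINE.items():
        mean = statistics.mean(counts)
        stdev = statistics.pstdev(counts) or 1.0   # guard a constant baseline
        observed = sample.behaviour.get(event, 0)
        if abs(observed - mean) / stdev > threshold:
            alerts.append(f"{event}={observed} (baseline {mean:.1f} +/- {stdev:.1f})")
    return alerts


def scan(sample: Sample) -> dict:
    """Defence in depth: run both engines and report which one(s) fired."""
    sig = signature_scan(sample)
    beh = behaviour_scan(sample)
    return {"signature": sig, "behaviour": beh, "malicious": bool(sig or beh)}


# Constructed samples, one per case discussed in the text.
NORMAL = {"outbound_connections": 3, "files_modified": 10, "registry_writes": 1}
KNOWN = Sample("known_dropper", b"...DEMO-DROPPER-MARKER...", NORMAL)
ZERO_DAY = Sample("zero_day", b"new code with no signature yet",
                  {"outbound_connections": 250, "files_modified": 900,
                   "registry_writes": 40})
MIMIC = Sample("mimic", b"worm.spread()", NORMAL)   # behaves normally, known bytes
CLEAN = Sample("clean", b"ordinary document bytes", NORMAL)

if __name__ == "__main__":
    for s in (KNOWN, ZERO_DAY, MIMIC, CLEAN):
        print(s.name, scan(s))
```

The zero-day sample is caught only by the behaviour engine and the mimic only by the signature engine, which is the defense-in-depth point of the post.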

It's interesting that these same techniques for recognizing bad computer actors can be used for identifying bad or dangerous people. 

We can look for known signatures/patterns of evil, abusive, and violent behaviors and identify those people according to their bad actions.

Similarly, we generally know what "normal" looks like (within a range of standard deviations, of course) and people who behave outside those bounds could be considered as potentially dangerous to themselves or others. 

Yes, we can't jump to conclusions with people -- we don't want to misjudge anyone or be overly harsh with them, but at the same time, we are human beings and we have a survival instinct. 

So whether we're dealing with malware or malevolent individuals, looking at patterns of bad actors and significant deviations from the normal is helpful in protecting your data and your person. ;-)

(Source Photo: Andy Blumenthal)

October 23, 2017

Cybersecurity Vulnerabilities Database

There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 

And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!

Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20-days!

Additionally, China's database has thousands of vulnerabilities identified that don't appear in the U.S. version. 

Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 

Why the lag and disparity in reporting between their systems and ours?

China uses a "wider variety of sources and methods" for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources--hence, it's a "trade-off between speed and accuracy."

For reference: 

The Department of Commerce's National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).

And the NVD is built off of a "catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp."

Unfortunately, when it comes to cybersecurity, speed is critical.

If we don't do vastly better, we can be cyber "dead right" before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  ;-)

(Source Photo: Andy Blumenthal)

October 19, 2017

Never Ever More Vulnerable

So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.

As we all know, our cybersecurity has not kept anywhere near pace with our ever-growing reliance on everything technology.

There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 

Energy
Transportation
Agriculture
Banking
Commerce
Health
Defense
Manufacturing
Telecommunications

If ANYTHING serious happens to cripple our technology base, we are toast!

From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to an EMP blast that simply fries all our electronic circuitry--we are at the mercy of our technology underpinnings.

Don't think it cannot happen!

Whether it's WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP--these are just a few of the recent cyber events of 2017!

Technology is both a blessing and a curse--we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!

This is not just a risk that life could become more difficult or inconvenient--it is literally an existential threat, but who wants to think of it that way?

People, property, and our very society are at risk when our cybersecurity is not what it must be.

It's a race of defensive against offensive capability. 

And we can't just play defense, we had better actually win at this! ;-)

(Source Photo: Andy Blumenthal)

November 15, 2016

Why Can't We Keep Our Secrets

Well after the now notorious email scandal and other information security mishaps galore, this advertisement in Washington, DC is really quite the rage. 
"Keeps classified data classified."

As parents tell their children about keeping private things private:
"If you can't keep it a secret, then how do you expect the other kids to keep it to themselves?"

There are lots of secrets in DC, but there are also a lot of big mouths, security negligence, and even corruption. 

This gives our adversaries the opportunities they need to get our country's vital information.

We work too hard to develop the best intellectual property for national security and our economy, as well as the critical policies for advancing human rights and democracy around the world, to let it just be easy fodder for others to help themselves to.

Technology won't solve the gap in certain big mouths and sloppy Joes around town. 

Only vigilant, smart people can protect the nation's vital information that is the fuel for our success and survival. ;-)

(Source Photo: Andy Blumenthal)

May 9, 2015

From Vintage to Modern Threats

Just wanted to share this short video captured of vintage fighter planes flying over the Washington Monument in D.C. on Friday, May 8.

This was in commemoration of the 70th anniversary of Victory in Europe Day.

My father (A'H) used to tell me about when he was in England during the war and the Nazi bombers would fly over and carpet bomb them in a blitzkrieg.

This happened night after night, and so adaptive as people are, they sort of got used to the bombardment, if that is possible to say. 

After a while, instead of taking safety behind closed doors at home, people returned to go to the movies and dancing at night, even while the buildings next door were still being blown up--to the right and the left of them. 

In the morning, those who survived would get up and see what was knocked down and what was still standing.

Hard to imagine living that way!

Now with new more destructive weapons (WMD, ICBMs, EMPs, etc.), we can only imagine that the destructive aftermath of WW II would be nothing in comparison to what a round III would be like.

It is crucial that we maintain our innovativeness and military superiority, not only offensively to defeat the enemy, but defensively so that we can stop whatever is coming at us, whether a dirty bomb in a suitcase, an Ebola-type virus in an infected person or food, a drone carrying anthrax, or malware over the network.

We have come a long way in the last 70 years technologically, but the risk and stakes have also never been higher. ;-)

(Source Video: Minna Blumenthal)

November 23, 2014

Data 4 Ransom

The future of cybercrime will soon become the almost routine taking of your personal and corporate data as hostage. 

Once the hacker has control of it, with or without exfiltration, they will attach malware to it--like a ticking time bomb.

A simple threat will follow:

"I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history."

So how valuable is your data to you?

- Your personal information--financial, medical, legal, sentimental things, etc.

- Your corporate information--proprietary trade secrets, customer lists, employee data, more.

How long would it take you to reconstitute it if it's destroyed? How about if instead it's sold and used for identity theft or to copy your "secret sauce" (i.e., competitive advantage) or maybe even to surpass you in the marketplace?

Data is not just inert...it is alive!

Data is not just valuable...often it's invaluable!

Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction.

When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)


October 20, 2014

Shining A Light On Your Privacy


Check out this special report...

~Half a billion~ downloads of the top 10 flashlight apps--the ones we all have on our smartphones--and guess what?

All/most are malware/spyware from China, India, and Russia that are spying on you!

Your contacts, banking information, even your location are being intercepted by hackers abroad.

The cybersecurity experts at Snoopwall (who conducted this study and are offering a free open-source "privacy flashlight") recommend that you don't just uninstall these flashlight apps, because they leave behind trojans that are still functioning behind the scenes and capturing your information.

So instead, doing a backup of key information and then a factory reset of the smartphone is advised.

Pain in the you know what, but these flashlight apps are shining a light and compromising your personal information.

Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download and that perhaps the screening process of the app stores helps to protect us somewhat.

When the cyber hackers decide to exploit those apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly and that flashlight or other app you use may prove much more costly than the download to get them. ;-)
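One defensive check a practitioner can apply to any app before trusting it, added here as example code rather than from the original post or from Snoopwall: compare the permissions an app's AndroidManifest.xml requests against what its stated purpose needs. The manifests and the expected-permission set for a flashlight are constructed assumptions.

```python
"""Audit the permissions an Android app requests against what its purpose
needs: a torch needs the camera/flash, not contacts or location. Both
manifests below are constructed for this example and are not from any real
app; the 'expected' set is an assumption about what a flashlight needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a plain flashlight app can justify (assumption for this example).
FLASHLIGHT_EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Permissions that let an app read or send the data the post warns about.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.INTERNET": "network access (exfiltration path)",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def audit(manifest_xml: str, expected: set) -> dict:
    """Compare requested permissions with the expected set and explain each
    unexpected one that touches sensitive data."""
    requested = requested_permissions(manifest_xml)
    unexpected = sorted(requested - expected)
    return {
        "requested": sorted(requested),
        "unexpected": unexpected,
        "sensitive": {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE},
        "suspicious": any(p in SENSITIVE for p in unexpected),
    }


# Constructed manifest of an over-privileged "flashlight" app.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed manifest of a flashlight that asks only for what it needs.
MINIMAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("minimal", MINIMAL_MANIFEST)):
        print(label, audit(manifest, FLASHLIGHT_EXPECTED))
```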

(Thank you Betty Monoker for sharing this.)

March 21, 2014

Safely Detonate That Malware


I like the potential of the FireEye Malware Protection System (MPS).

Unlike traditional signature-based malware protections like antivirus, firewalls, and intrusion prevention systems (IPS), FireEye is an additional security layer that uses a dynamic Multi-Vector Virtual Execution (MVX) engine to detonate even zero-day attacks from suspicious files, web pages, and email attachments. 

According to Bloomberg Businessweek, Target's implementation of FireEye detected the malware attack on Nov 30, 2013 and alerted security officials, but allegedly "Target stood by as 40 million credit card numbers--and 70 million addresses, phone numbers, and other pieces of personal information--gushed out of its mainframes" over two weeks!

In fact, FireEye could've been set to "automatically delete [the] malware as it's detected" without human intervention, but Target's team apparently "turned that function off."

FireEye works by "creating a parallel computer network on virtual machines," and before data reaches its endpoint, it passes through FireEye's technology. There the files are "fooled into thinking they're in real computers," so they can be scanned and attacks spotted in safe "detonation chambers."

Target may have been way off target in the way they bungled their security breach, but using FireEye properly, it is good to know that attacks like this potentially can be thwarted in the future. ;-)

[Note: this is not an endorsement of any product or vendor]

March 6, 2014

Beware of Botnets



Interesting video demonstration of how botnets work and can literally take over your computer.

In essence, your computer becomes a zombie under the command and control of the botnet sender.

Computers get infected through a trojan or worm, and then the sender has you--they control your computer and information.

Generally, they do this to send spam, steal information, or send out other malware, all under anonymity. 

Once infected, the sender has complete control over your computer and can exfiltrate, delete, or change your data, turn on the keyboard lights, add a tail to your mouse, and even format your hard drive. 

The malware often can even disable your firewall.

The sender can turn on a keylogger and log your keystrokes, and capture your user ids and passwords to banking and financial institutions, and draw out your money. 

The video demos an example of botnets with a variant of the Zeus trojan. 

Worth a watch.

Makes me wonder whether our adversaries are infecting more and more computers, until they have almost everyone--eventually a virtual army.

Then at the time of their choosing, they can conduct one big massive attack, or incremental ones, logging into people's accounts, stealing their identities and savings, sending out misinformation, destroying data and computers en masse.

We need to be aware of what's possible, maybe even probable. 

Is your computer infected and you don't even know it yet?

September 28, 2013

Insuring Against Cyber Attacks

More and more, our technology is at risk of a cyber attack. 

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy's unclassified network. 

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system. 

But the security breaches still often impose lasting damage, since you can't get the lost data or privacy information back or as they say "put the genie back in the bottle."

Also, you aren't always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as a zero-day attack. 

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like "breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach."

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as "cyber espionage and attacks against SCADA industrial control systems" are usually not covered.

DHS has a section on their website that promotes cybersecurity insurance where they state that the Department of Commerce views cybersecurity insurance as an "effective, market-driven way of increasing cybersecurity," because it promotes preventive measures and best practices in order to lower insurance premiums and limits company losses from an attack. 

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012) cybersecurity insurance or risk transfer is the fourth leg of a comprehensive risk management framework that starts with risk acceptance, risk mitigation, and risk avoidance. 

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.  

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery. 

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. ;-)

(Source Photo: Andy Blumenthal)

June 19, 2013

Malware Through A Charger

Who would've thought you can get cyber attacked this way...

Forbes is reporting that Georgia Tech researchers have discovered an exploit where malware could be introduced to your computer through the plug-in AC power charger.

Based on their proof of concept, when you connect your computer and electrical plug, you could get more than an electrical charge to your Apple iOS computer--you could get hacked! 

The malicious charger has been named Mactans and in the future could be put together by inserting a miniature computer board (e.g. a BeagleBoard) right into the base of a charger plug (larger than the one shown above).

The attack is enabled by the USB port, which is used for charging but doubles as a data port, so that malicious code can be surreptitiously inserted into your computer.

So be careful what you plug into, because when you think you're just powering up your battery, you may end up powering down your whole computer device.

This sort of reminds me of the shoe bomber that forever changed how we view seemingly innocuous shoes at the airport.

A shoe may not just be for walking, and an AC charger may not be just a power source anymore. ;-)

(Source Photo: here with attribution to Lee Bennett)

August 25, 2012

IT Security, The Frankenstein Way

Here's a riddle: When is a computer virus not a dangerous piece of malware? Answer: when it is hidden as Frankenstein code. 

The Economist (25 August 2012) describes how computer viruses are now being secretly passed into computers by simply sending a blueprint for the virus, rather than the harmful code itself, into your computer--then the code is harvested from innocuous programs and assembled to form the virus itself.

Like the fictional character Frankenstein, stitched together out of scavenged body parts, the semantic blueprint pulls together code from host programs to form the viruses.

This results in polymorphic viruses: because the actual code is drawn from other programs, each virus ends up appearing a little different and can potentially mask itself--bypassing antivirus, firewall, and other security barriers.

Flipping this strategy around, in a sense, Bloomberg Businessweek (20 June 2012) reports on a new IT security product by Bromium that prevents software downloads from entering the entire computer, and instead sets aside a virtual compartment to contain the code and ensure it is not malicious--and if the code is deemed dangerous, the cordoned-off compartment will dissolve preventing damage to the overall system.

So while on the offensive side, Frankenstein viruses stitch together parts of code to make a dangerous whole--here on the defensive side, we separate out potentially dangerous code so it cannot infect the whole computer.

Computer attacks are getting more sinister as they attempt to do an end-run around standardized security mechanisms, leading to continually evolving computer defenses to keep the Frankensteins out there harmlessly at bay.

(Source Photo: here with attribution to Dougal McGuire)


June 25, 2012

Security Advisory For Architecture Drawings

Dark Reading (21 June 2012) came out with security news of an AutoCAD worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC Magazine (24 June 2012).

This malware was discovered by the computer security firm ESET.

This is a serious exploitation of the industry leader in computer-aided design and drafting, which is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China.

With information on our architectural structure and designs for skyscrapers, government buildings, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents. 

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to "air gap" sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)


May 29, 2012

A Cyber Security House Of Cards

Yesterday there were reports of a new "massive cyber attack" called the Flame.

A U.N. Spokesperson called it "the most powerful [cyber] espionage tool ever."

The Flame ups the cyber warfare ante and is "one of the most complex threats ever discovered"--20 times larger than Stuxnet--and essentially an "industrial vacuum cleaner for sensitive information."

Unlike prior cyber attacks that targeted computers to delete data ("Wiper"), steal data ("Duqu"), or to disrupt infrastructure ("Stuxnet"), this malware collects sensitive information. 

The malware can record audio, take screenshots of items of interest, log keyboard strokes, sniff the network, and even add-on additional malware modules as needed. 

Kaspersky Labs discovered the Flame virus, and there have been more than 600 targets infected in more than 7 countries over the last 2 years, with the greatest concentration in Iran.

This is reminiscent of Operation Shady RAT, a 5-year cyber espionage attack discovered by McAfee in 2011--involving malware that affected more than 72 institutions in 14 countries.

Separately, an attack on the U.S. Federal government's retirement investments--the Thrift Savings Plan--impacted the privacy and account information of 123,000 participants through "unauthorized access"--and was reported just last week after being discovered as far back as July 2011.

Regardless of where the particular cyber attacks are initiating from, given the scale and potential impact of these, it is time to take cyber security seriously and adopt a more proactive rather than a reactive mode to it.

One can only wonder how many other cyber attacks are occurring that we don't yet know about, and perhaps never will.

We can't afford to fumble the countermeasures to the extraordinary risk we face in the playing fields of cyber warfare. 


We have to significantly strengthen our cyber defenses (and offenses)--or else risk this "cyber house of cards" coming crashing down.

It's time for a massive infusion of funds, talent, tools, and leadership to turn this around and secure our nation's cyber infrastructure.   

(Source Photo: here with attribution to Dave Rogers)


April 28, 2012

Governing the Internet Commons

Recently, I've been watching a terrific series called America: The Story of Us (12 episodes)--from the History Channel. 

It is a beautiful portrayal of the founding and history of America.

One theme though that repeats again and again is that as a nation, we use the common resources and deplete them until near exhaustion. 

The show portrays an America of lush forests with billions of trees that are chopped down for timber, herds of 30 million buffalo slaughtered for their hides, rolling plains of cotton for a thriving clothing industry that is over-planted, and a huge whaling industry used for oil that is over-fished.

Unfortunately, as we know, the story is not just historical, but goes on to modern-day times, with fisheries depleted, whole species of animals hunted to extinction, energy resources furiously pumped and mined to a foreseen depletion, city streets turned into slushy slums, and national forests carelessly burned down, and more. 

The point is what is called the "Tragedy of the Commons"--where items held in trust for everyone are misused, overused, and ultimately destroyed. With private property, people are caretakers with the incentive to maintain or raise the value to profit later. However, with common property, people grab whatever they can now, in order to profit from it before someone else gets it first.

This phenomenon was first laid out in the Torah (Bible) with a law for a "Sabbath Year" called Shmita, mandating that people let fields (i.e., agriculture) lie fallow for a full year every 7 years, and similarly the law of Jubilee (i.e., Yovel), that slaves be freed and loans forgiven every 50 years. I think that the idea is to regulate our personal consumption habits and return the historical "commons" to its normal state of freedom from exploitation.

This notion was echoed by ecologist Garrett Hardin in the journal Science in 1968, where he described European herders overgrazing common land with their cows to maximize their short-term individual profits at the expense of longer-term societal benefits. Hardin suggested that regulation or privatization can help to solve the "Tragedy of the Commons."

In the 21st century, we see the modern equivalent of the commons with the Internet, which is an open, shared networking resource for our computing and telecommunications. Without protection, we have the Wild West equivalent, with things like spam, malware, and attacks proliferating--clogging up the network and causing disruptions and destruction, and where some people use more than their fair share.

Here are some examples of the Tragedy of the Internet:

- Symantec reports that even with spam decreasing with the shutdown of spam-hosting sites, in 2011, it is still 70% of all emails.

- McAfee reports that malware peaked as of the first half of 2010, with 10 million new pieces.

- Kaspersky reports that web-based attacks were up to 580 million in 2010--8 times the amount of the previous year.

- Verizon Wireless reports 3% of their users use 40% of their bandwidth.

If we value the Internet and want to continue using and enjoying it, then like with our other vital resources, we need to take care of it through effective governance and prudent resource management.  

This means that we do the following:

1) Regulation--manage the appropriate use of the Internet through incentives and disincentives for people to behave civilly online. For example, if someone is abusing the system sending out millions or billions of spam messages, charge them for it!

2) Privatization--create ownership over the Internet. For example, do an Internet IPO and sell shares in it--so everyone can proverbially own a piece of it and share financially in its success (or failures).

3) Security Administration--enhance security of the Internet through public and private partnership with new tools, methods, and advanced skills sets. This is the equivalent of sending out the constable or sheriff to patrol the commons and ensure people are doing the right thing, and if not then depending on who the violating actor(s) are take appropriate law enforcement or military action.

Only by managing the Internet Commons, can we protect this vital resource for all to use, enjoy, and even profit by. 

(Source Photo: here)


February 19, 2012

Big Phish, Small Phish

Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.

Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data.

Additionally, phishing emails can contain attachments that infect recipient's computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.
The word phishing alludes to the technique of baiting people and like in real fishing, fooling at least some into biting and getting caught in the trap. 

In this fraudulent type, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security numbers, mother's maiden names, account numbers, passwords and more.
Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information.

Spear-phishing is a derivative of this scam targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high-profile targets, which can be especially compromising and harmful to themselves or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services, with 47% of the attacks.

There are a number of ways to protect yourself against phishing attacks:
  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links, instead go directly to a website by using a search engine to locate it or copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with "https"
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information
Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet--hook, line, and sinker.
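Added example (not from the original post) that automates items 2 and 6 of the list above on an HTML email: it compares the domain shown in each link's text with the domain the href really points to, and flags links that are not HTTPS. The sample message and its domains are constructed placeholders, not real phishing infrastructure.

```python
"""Check the links in an HTML email the way a cautious reader would:
does the visible link text name one domain while the href goes to another,
and is the link HTTPS at all? The message below is constructed for this
example; its domains are placeholders under the reserved .test TLD."""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_in_text(text: str) -> Optional[str]:
    """If the visible link text looks like a URL or host, return its domain."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return registrable_domain(host) if host and "." in host else None


def check_links(html: str) -> list:
    """Return one finding per link with the reasons it looks like phishing."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        url = urlparse(href)
        reasons = []
        if url.scheme != "https":
            reasons.append(f"not https (scheme={url.scheme or 'none'})")
        shown = domain_in_text(text)
        actual = registrable_domain(url.hostname) if url.hostname else None
        if shown and actual and shown != actual:
            reasons.append(f"text shows {shown} but link goes to {actual}")
        findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed phishing-style message imitating a bank notice.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify now:</p>
<a href="http://login.example-bank.evil-placeholder.test/verify">
  https://www.example-bank.test/login</a>
<p>Or update your details at <a href="https://www.example-bank.test/help">
our help page</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```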


October 20, 2011

Be Careful What You Point That At

By now many of you may or may not have pointed your smartphones at a QR ("Quick Response") code to get more information on products, places, events, and so forth.

A QR code is a barcode that that generally contains alphanumeric information and takes you to a website when you read the QR code with your smartphone (i.e. by taking a picture of it with a QR reader app).

QR codes remind me of the barcodes in the store at the checkout line, but QR codes look more like a squared-off roschach test compared to the barcodes on items you purchase which are rectangular straight lines from top to bottom.

By reading the QR code, you don't have to remember or type any information into your smartphone--your just zipped right off to wherever the QR points you (usually after you confirm on the screen that you are okay with going to the URL).

But QR codes like with any information technology, can be used for good or evil -- for some reason though people seemed to have been unsuspecting of the sort of innocuous looking QRs.

Kaspersky Lab has issued a warning on QR codes after finding consumers in Russia scammed when they thought they were downloading an Android app and were instead infected with malware that caused them to send SMS messages to a premium number that charged for each message sent.

So while QR codes can take a reader to a harmless website for information, like other computer code, they can contain instructions that cause you to send email, SMS messages, download applications, etc.

So unless you know what you are QR reading (i.e. you have a high degree of confidence in whoever placed the advertisement with the QR code), think twice before scanning that barcode, because you may get a surprise package in your smartphone that you weren't expecting, causing infection of your device, loss of privacy of the information stored on it, or costing you money for things you never wanted or intended to spend on.

Scanning a QR code, while as simple as taking a picture of a sunset, may not have as beautiful consequences.
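The point above is that the decoded contents of a QR code are an instruction, not just a website address. The following is an added example (not code from the original post) of how a QR reader could classify the decoded text and tell the user what acting on it would do; the scheme table and sample payloads are constructed for the example, and decoding the image itself is out of scope.

```python
from urllib.parse import urlsplit

# Schemes a QR reader app may act on once it has decoded the barcode. The action is
# what the user should be shown before confirming; anything not listed is shown as
# plain text and never executed. (Table constructed for this example.)
ACTION_SCHEMES = {
    "http": "open website",
    "https": "open website",
    "mailto": "compose e-mail",
    "sms": "send SMS",
    "smsto": "send SMS",
    "tel": "place phone call",
    "market": "open app store listing",
}


def describe_qr_payload(payload: str) -> dict:
    """Classify the decoded text of a QR code and return the action it would
    trigger plus any risk flags worth surfacing before the user confirms.

    Decoding the image itself is out of scope; the input is the decoded string.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    action = ACTION_SCHEMES.get(scheme, "display as text")
    flags = []
    if action == "send SMS":
        # The case in the post: code that makes the phone text a premium number.
        number = text.split(":", 1)[1].split("?", 1)[0]
        flags.append(f"sends SMS to {number}; check whether it is a premium-rate number")
    elif action == "open website":
        parts = urlsplit(text)
        if scheme == "http":
            flags.append("unencrypted http link")
        if parts.path.lower().endswith(".apk"):
            flags.append("link downloads an Android package directly")
    return {"scheme": scheme, "action": action, "flags": flags}


# Constructed payloads standing in for decoded QR contents (not real codes).
SAMPLE_PAYLOADS = [
    "https://example.com/product/42",
    "sms:+12345678901?body=GO",
    "http://example.net/app.apk",
    "Just some printed text",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(p, "->", describe_qr_payload(p))
```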

(Source Photo: here)


June 19, 2011

Crashing The Internet--Are We Prepared?


Almost week after week, I read and hear about the dangers of cyber attacks and whether "the big one" is coming.

The big one is what some experts have called a pending "digital Pearl Harbor."

Just last week, the Federal Times (13 June 2011) wrote that the "U.S. government computer networks are attacked about 1.8 billion times per month."


The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require "stronger and more proactive leadership."

Charles Dodd, a cyber security consultant in D.C., warns that "You've bought a stick to a gunfight, and you're arrogant about your capabilities."

So the question is--are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure--from government, military, and private industry--dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on "Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime" as follows:

--"There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives."

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has "demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet."

And it took only 20 minutes to trigger the chain reaction in which "manipulated routers overloaded all other Internet routers worldwide...mak[ing] it impossible for Internet address[es] to be found."

Granted, it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts...that does not seem like an inordinate amount to press forward with for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day...would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks this brings to the individual, the organization, and the nation, and how we can respond and recover should something happen to the Internet.

In the Federal government, there are many agencies, commands, task forces, and groups working to secure the Internet; at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures. What we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.

This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won't be sorry later.

(All opinions are my own)

(Source Photo: Heritage and History.com)


September 26, 2010

Now The Computer War Games Are Real

The Associated Press is reporting that the Iranian Bushehr Nuclear Plant has been hit with a sophisticated computer worm called Stuxnet.

The Iranian nuclear program that was hit is claimed to be for civil nuclear power, but has long been suspected of being a cover for making weapons, and Iran has been unabashedly vocal about its hostile intent toward many nations, even going so far as to openly threaten some, especially Israel, with complete “annihilation.”

The technical aspects of Stuxnet as a weapon are fascinating, for this is the first computer program “specifically created to take over industrial control systems.” Another article in U.K.’s The Guardian quotes another source as saying it is “one of the most refined pieces of malware ever discovered.”

This worm works by exploiting Windows operating system security holes and taking over critical infrastructure SCADA systems (AKA Supervisory Control and Data Acquisition systems, or industrial control systems).

What is maybe even more amazing than the technical feat of Stuxnet is that for months or years, everyone has been focused on and hypothesizing about when a traditional military strike was going to occur against the ever-menacing Iranian nuclear threat. However, instead of conventional planes and bombs making a big bang (remember “shock and awe”), we get a silent but “very sophisticated” cyber worm that no one seems to have expected.

So times have certainly changed, and with them warfare. Prior military engagements occurred on land, sea, and air with kinetic “bang/boom” weapons. Today they have a new domain in cyberspace, with bits and bytes that are just as impactful. But I think what hasn’t really hit home with most people is that cyber war is not just virtual, like playing a video game (like The Sims) or acting out in virtual reality (like Second Life); cyberwarfare starts online but has real physical ramifications, as we see with the Stuxnet worm. Industrial systems like nuclear plants or hosts of other critical infrastructure (in manufacturing, energy, telecommunications, etc.) can be taken out with cyber bombs just like with real bombs, maybe even better, faster, cheaper, and cleaner (less collateral damage).

We had all better be prepared for the fight in this new realm as the potential damage is as real as any we have ever seen before.


May 15, 2010

What’s Lurking In The Update?

In defense, it is a well-known principle that you determine your critical infrastructure, and then harden those defenses—to protect it.

This is also called risk-based management, because you determine your high-impact assets and the probability that they will be “hit,” and deem those the high-risk ones that need to be most protected.

In buttressing the defenses of our critical infrastructure, we make sure to only let in trusted agents. That’s what firewalls, anti-virus, anti-spyware, and intrusion prevention systems are all about.

In so-called “social engineering” scams, we have become familiar with phony e-mails that contain links to devastating computer viruses. And we are on the lookout for whether these e-mails are coming from trusted agents or people we don’t know and are just trying to scam us.

What happens, though, when, like the Trojan Horse of Greek times, the malware comes in from one of the very trusted agents that you know and rely on, for example from a software vendor sending you updates for your regular operating system or antivirus software?

ComputerWorld, 10 May 2010, reports that a “faulty update, released on April 21, [by McAfee] had corporate IT administrators scrambling when the new signatures [from a faulty antivirus update] quarantined a critical Windows systems file, causing some computers running Windows XP Service Pack 3 to crash and reboot repeatedly.”

While this particular flawed security file wasn’t the result of an action by a cyber-criminal, terrorist or hostile nation state, but rather a “failure of their quality control process,” it raises the question: what if it were malicious rather than accidental?

The ultimate Trojan Horse for our corporate and personal computer systems is the regular updates we get from the vendors to “patch” or upgrade our systems. The doors of our systems are flung open to these updates. And the strategic placement of a virus into these updates, which have free rein over our core systems, could cause unbelievable havoc.

Statistics show that the greatest vulnerability to systems is the “insider threat”—a disgruntled employee, a disturbed worker, or perhaps someone unscrupulous who has somehow circumvented or deceived their way past the security clearance process (or not) for employees and contractors and now has access from the inside.

Any well-placed “insider” in any of our major software providers could potentially place that Trojan Horse in the very updates that we embrace to keep our organizations secure.

Amrit Williams, the CTO of BigFix Inc., stated with regard to the faulty McAfee update last month, “You’re not talking about some obscure file from a random third party; you’re talking about a critical Windows file. The fact that it wasn’t found is extremely troubling.”

I too find this scenario unnerving and believe that our trusted software vendors must increase their quality assurance and security controls to ensure that we are not laid bare like the ancient city of Troy.

Additionally, we assume that the profit motive of our software vendors themselves will keep them as organizations “honest” and collaborative, but what if the “payoff” from crippling our systems is somehow greater than our annual license fees to them (e.g., terrorism)?

For those familiar with the science fiction television series Battlestar Galactica, what if there is a “Baltar” out there ready and willing to bring down our defenses to some lurking computer virus—whether for some distorted ideological reason, a fanatical drive for revenge, or a belief in some magnanimous payoff?

“Trust but verify” seems the operative principle for us all when it comes to the safety and security of our people, country and way of life—and this applies even to our software vendors who send us the updates we rely on.

Ideally, we need to get to the point where we have the time and resources to test the updates that we get prior to deploying them throughout our organizations.
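One concrete form of “trust but verify” for vendor updates is to check the file against the digest the vendor publishes and then deploy in rings, letting each wider ring proceed only if the previous one stayed healthy; a faulty signature update that makes a small canary group crash and reboot repeatedly never reaches the rest of the fleet. This is an added example and not the post’s own or any vendor’s code; the update bytes, the digest and the ring telemetry are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-ins: a fake update file and the digest its vendor would publish
# in a signed manifest. In practice the digest comes from the vendor, not the file.
UPDATE_FILE = b"constructed antivirus signature update, not a real file"
EXPECTED_SHA256 = hashlib.sha256(UPDATE_FILE).hexdigest()


@dataclass
class Ring:
    """A deployment ring plus the telemetry it reported after receiving the update."""
    name: str
    hosts: int
    crash_reboots: int = 0  # hosts observed crashing/rebooting after the update


def digest_matches(update: bytes, expected_sha256: str) -> bool:
    """Integrity gate: refuse an update that does not match the vendor's digest."""
    return hashlib.sha256(update).hexdigest() == expected_sha256.lower()


def plan_rollout(update: bytes, expected_sha256: str, rings: List[Ring],
                 max_crash_rate: float = 0.01) -> List[Tuple[str, str]]:
    """Staged rollout: each ring deploys only if the previous ring stayed healthy.

    Returns (ring name, decision) pairs. Telemetry for a ring is read from the
    Ring object, standing in for what monitoring would report after deployment.
    """
    if not digest_matches(update, expected_sha256):
        return [(r.name, "blocked: digest mismatch with vendor manifest") for r in rings]
    decisions = []
    for i, ring in enumerate(rings):
        decisions.append((ring.name, "deployed"))
        rate = ring.crash_reboots / ring.hosts
        if rate > max_crash_rate:
            reason = (f"blocked: {ring.name} crash/reboot rate {rate:.1%} "
                      f"exceeds {max_crash_rate:.0%} threshold")
            decisions.extend((r.name, reason) for r in rings[i + 1:])
            break
    return decisions


if __name__ == "__main__":
    # Constructed telemetry: the canary ring reproduces the "crash and reboot
    # repeatedly" symptom, so the wider rings never receive the update.
    rings = [Ring("canary", 20, crash_reboots=6), Ring("pilot", 200), Ring("all", 5000)]
    for name, decision in plan_rollout(UPDATE_FILE, EXPECTED_SHA256, rings):
        print(f"{name:7s} {decision}")
```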

