Plenty of stuffs this week, as usual, we cannot start without talking about the
Royal Wedding
Today is the day, the royal wedding is coming and everyone is so excited that can’t stop himself from opening any email, link, search result or whatever related to the biggest event in human history . Ok may be a little too much but for sure the royal wedding event is moving tons of gadget, interest and cybercriminal activities online but how could not expect something like this, where media are so deeply involved? as a matter of fact several security vendors issued a warning about the spam and malware related activities around William and Kate’s day. Not sure this will be the biggest event in human history (but believe me I heard on TV that this will be the biggest event in the century…so I’m not the only one exaggerating a little bit ) but this week showed also other interesting events that captured my attention.
Did your mom tell you that playing video-games is dangerous?
“Don’t play too much, turn off that console …” used to tell me my savvy mom. I never understood the reason but now I know that she was right (as moms always use to be). And now I know also the bad symptoms’ associated in gaming: lost of identity, credit card number sharing, password stealing…. what? o yes you’re right I’m talking about Sony PlayStation network hack and the relative consequences. Is not just the 77 million identities stolen that were interesting, but for the 3 or 4 of you that follow this blog, is the progression and growing of this kind of activities in the last period of time. have you seen how many hacks I’ve reported from news lately? Cyber security is becoming a serious issue, and is incredibly odd that lot of people just do not realize how a layered and different approach is needed to address the new internet\cloud threat landscape. Do we need security? yes a new and better one, a connected world require a new approach to security that has to shift the usual techniques into something new (bad guys already did!).
FBI – Federal Botnet Intruders?
At least FBI realized how botnets are a serious issue and started to pursue an holy war against them. Is still early to say we will have results, but the aggressive method used by FBI to take control coreflood is something new and opens also some concerns, is anything allowed in order to fight back cybercrime? This is not a secondary question because the same techniques could be used not only by criminals but also by states to attack an enemy. At least those are claims that have been raised lately.
Iran under cyberattack (again)
or at least this is what they claim related to a new malware spread that, according to their statements, has been build to address specifically their nuclear projects. Although I have no evidences this sound familiar…remember stuxnet? So the cyber landscape is growing and the need to protect from malware and other cyber threats is quite evident. but security is not only malware protection but also management, uptime, performance, data protection and so on.
The falling clouds of Amazon
The recent outage of Amazon cloud services showed how difficult is to build up a secure and resilient infrastructure. At least two factor were interesting: the timeframe of the outage was incredibly big, and the fact Amazon declared some of the data were lost and they were not able to recover them. So even Amazon need a better network infrastructure, and new (and better) procedures. The key is, we still have to work on our networks, just good enough is not enough .
All for today Issue, but just to remind us that the cyber world is not everything let’s send our wishes to the Tornado victims the south of United States of America.
the changing face of the security landscape those days can be perceived mostly from security vendors reports and news article than from a real understanding of what has changed and what is going to change in the security landscape from security people. In the enterprise environment there are still the old fashioned procedures and the overall approach upon security needs is quite dated. But to be able to understand what we need to change and why we need to change our approach would be useful to understand what are all those changes about.
Once upon a time there was a cable
When the cyber security started to enter our world? basically when we started to deal with distributed computing, the introduction of PC shifted the data and it’s process from a single point (the mainframe) to several distributed entity (the PC’s). the first networks were barely security aware, at the end the need of security was not perceived as something important, the economic impact of the network was not so clear and so the network itself was not perceived as an asset, but mostly as a expense to live with. But while the OS and application were evolving also the economic impact of network started to change, the need of exchange data and the value of the exchanged data were rising and so the need of security. The security principles has been build ten on that kind of world. But how were made those networks? Well before the introduction of mobile computing (laptop and so on) most of the security were dealing with a sort of identity: user, computer and network address used to live on the same domain and they were quite exchangeable. A PC was given to a specific users, in a specific physical location (office and desk) and usually used a specific IP or a an IP coming from a specific range through DHCP. Since network security was dealing in an easier way with network addresses than with computers or users, the approach was to develop a security culture based on protocols. With the wide adoption of TcpIp and the internet this culture grown up and specialized. While security was working on network protocols another aspect was rising, virus comes to face IT world. The two aspects were quite distinct, and so dealing with viruses or dealing with networks were a completely different job. But this approach started to show it’s limit as internet and mobile computing were growing as importance. Laptops and internet have been a pain n the ass for lot of security administrators because they were breaking old habits and mostly the equation they always considered truthful security:=network protocols = pc =users. The introduction of internet and mobile computing forced the administrators to add to the equation at least another component: the Operating Systems and it’s potential flaws. So became quite common to talk about OS security outbreaks, most of them were TCPIP stack related. What this approach was missing was mainly applications and user behaviors, but since security was perceived as a network element while application and users were related to other process those words were not exchanging information.
What were those new user habits bringing in our networks?
While network administrators were trying to preserve their views of the world, user started to browse the internet, going around with laptops, application started to change and become more complex and pervasive, the amount of sensitive and valuable data were growing exponentially as their exchange. the old assumption that the computer, user, applications and it’s network address were the same started to vanish. But firewalls rules were still built on addresses, ports and protocols. With the growing importance of internet the applications started to change and web services and http becomes the man media to exchange data. Well this is understandable, the internet were the land of marketing, where you would be able to met more people at lesser costs. And the developers were not interested in security, it would make have made coding more complex, and besides the security and network guys were not giving any guidance on it. Users with laptop started to browse outside company network perimeter, adding personal applications and using the laptop for work and leisure. But mostly they started to work outside the IT perimeter, and to do so used to break the IT security rules that were created for a complete different world. As an example we can think about the email access, that originally was given only inside the perimeter. that the first webmail were coming out (who has not used Microsoft OWA?). But mail rules were so restrictive that people started to use personal account also for work needs. so if you were in need to exchange a big presentation or a file, or send or receive an exe file you were forced to use external webmail services to workaround limitation made by IT department. The misconception about security issues were leading to underestimate the impact of email, social engineering, social networking and so on. While the users and marketing were embracing the new the IT department were fighting the change, but changes are inevitable.
And there was the hacker
As the networks were expanding and opening a new player started to become familiar, the hacker. at the beginning a sort of romantic figure, a sort of lone hero that would prove his ability against the world breaking into systems. This naïve and quite untruthful misconception of hacking figure was used for a long time in order to underestimate the impact of network security in the IT environment. But with the growing economy related to personal computing the criminality started to understand that there were space to make money. So hacking form a naïve and heroic figure turned into the nowadays cyber criminals activities. While IT security people were still dealing with ports and protocols the cyber criminals were targeting something different: applications, data and users. SMTP, HTTP and HTTPS started to be the keyhole that were allowing to force security measures. Browsers and http mails become a security concerns just a little bit too late to address the growing cyber criminal economy. What was not understood (and still many do not have clearly understood) is that cyber criminal activities are driven by money, retaliation or political issue but the target were users. the network was just one part of the equation, not the final target. While criminality was exploiting new ways to hack data and make money IT infrastructure were quite static.
here comes the smartphone
The last hack to the usual security habits was the recent introduction of the smartphones with browsing capability. now the IT department started to face another issue, not only the number of OS were increasing, not only the point of access were unknown as it’s surrounding, but also the device used were not part of the IT infrastructure, but often privately purchased by the owner and used also for work tasks. If once there was at last a company laptop used to access company information’s, resources and data, now there is a plenty of device with heterogeneous OS, different security settings, different network entry points and geo location to make everything more complicated.
Security people still have to embrace the change, while cyber criminal already did
To realize that a firewall rule based on source IPport destination IPport and some other detail is not more enough is not an easy process. Bad habit are hard to leave. There is a series of misunderstanding that are related to old way of thinking that still affect security, if should be clear now that our network model has shifted form a border model to a borderless one the change in criminal behaviors on the internet should drive other significant changes. First of all we should rethink the idea that IP means host. Is a common mistake to consider an IP as a monolithic identity, the truth is that an IP could be vehicle of thousands of services, some compromised, some not. an IP is not bad per se, but some of the services is providing could be affected. Then we should realize that cyber attack tends to target the most easy way: http, https are, for example, good media to spread infection as smtp. a vulnerability, per se, does not means that we have an high risk, the majority of successful attack comes in forms of spear phishing, drive to download and so on. also dos attack usually try to leverage higher protocols and application behaviors more than the network per se. Mobile and home computing dramatically widen our attack surface and so our exposure to risks. the lower protection we gave to home and mobile computer facilitate cyber criminals work, allowing to find a big amount of easy target that can be used to generate more complex activities. this has been understood by the security environment after words as botnets and zombie become common terms in security literature and news articles. Just in those last two years press started to realize how big is the issue and started to write on this. we saw just the tip of the iceberg, but last years was officially the year of the botnet and finally security people realized that this is not a problem related to just home computers. The target is mostly the user and it’s way to use the devices. Quite all the recent attacks that raised the news attention, from RSA Hack to Epsilon one, just to name two, used humans as Trojan horse. the human component in the security process cannot be underestimated anymore. Concepts like user aware security rules, and context aware security rules should become common to anyone. This does not means that the old approach is useless, but simply that it was not enough.
What we should expect now?
Consumerisation of browsing devices, the enterprise use of personal device, the growing mobility needs of the workforce is a trend that would not be stopped. But there are two other breaking points that are coming and will give headache to security people: cloud adoption and IPv6. We can easily understand why cloud is a concern, it force us to rethink our monitoring process and rethink our procedures. who will manage my data, how my data will be secured, how I can avoid lock in, how easily I can change provider, how will cost the personalization… are all great question. what will bring IPv6 adoption is possibly even bigger, and will impact heavily networks. IPv6 require to rethink our IP networks, is not just a matter of the extension of the address space, that is a problem per se. Concepts like NAT and PAT will disappear, the coexistence of a dual stack (IPv4 and IPv6) have to be managed, migration of applications have to be considered. There is a wide impact also in performances, the management of the new headers is more difficult since it is not structured as it is in ipv4. And beside the fact IPv6 suggest the use of IPsec for node to node transaction is quite difficult to imagine that all internet transaction will use it. Not to mention how relevant will become DNS resolution inside and outside our networks. DNS I widely used for cyber attacks and it’s structure and lack of security has been underestimated for a long time. Even now most of the internet generation does not understand how relevant is DNS resolution in browsing experience (and timing). So we will have to rethink again our dogma on security and we will probably discover some other epidemic we were not considering.
Recent articles in the news remind me that anyone can be fooled by a good scam. the problem is always the trust we gave to the communication we received. is not just a financial problem (you remember the Madoff scam?) but a problem that can hit anyone, even expert guys can fall. The most recent was the hack occurs at Oak Ridge National Laboratory, but it is just the last of an infinite series. Also the RSA securID breach was prepared with spear phishing. What is spear phishing? Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. It is, in other words, a targeted phishing build to capture trust of a specific organization or group of people. Believe it or not it is highly effective but require some preparation. The mail has to be correctly formatted, and also the language used have to be the correct one. In other words it require a good knowledge of the target to be effective. As for financial scams that usually are perpetrated by apparently honest and trustworthy gentlemen spear phishing (but also phishing in general) need to present as an official communication coming form a trustworthy source. If this can also mention private fact or internal knowledge it is more effective. The way to collect those information is not so complicated: Facebook, as an example, is usually a great source of info, as well as LinkedIn and other social networks. But we can remember also blogs and forums. The first step is gathering information, the more the better. this could partially explain why there have been recently so many theft of personal data, as in the Epsilon case. more data I have the easier and more effective will be to create my scam. So even the most secure organization can be fooled. Can we protect ourselves? Well education, DLP and a great email-security engine would be of use as well as some web protection since the liaison between mail and web is always strong. but the best defense would be a little more awareness of the risk, and consider that anyone (yes me too) can be fooled. cheers Antonio
those days I’ve read on the news a lot of noise about an NSS test that were reporting a TCP handshake security hole (TCP Split Handshake Issue) in several commercial firewalls.
The question is interesting from several points of view: are IPS and firewall really secure?
is a vulnerability really a security issue?
how does this vulnerability affect me? http://portadiferro.blogspot.com/2011/04/tcp-split-handshake-issue.html
In this post, we’ll talk about some of the things to consider when securing IPv6 compared to IPv4. Before digging into this topic, however, it is important to remember that while IPv6 may have different security concerns than IPv4, it is not necessarily any more secure than IPv4. Furthermore, the post will focus on those aspects that are different or unique to IPv6, since many of the common best practices for IPv4 networks also apply to IPv6 networks.
“Don’t play too much, turn off that console …” used to tell me my savvy mom. I never understood the reason but now I know that she was right (as moms always use to be). And now I know also the bad symptoms’ associated in gaming: lost of identity, credit card number sharing, password stealing…. what? o yes you’re right I’m talking about Sony PlayStation network hack and the relative consequences.
The recent outage of Amazon cloud services showed how difficult is to build up a secure and resilient infrastructure. At least two factor were interesting: the timeframe of the outage was incredibly big, and the fact Amazon declared some of the data were lost and they were not able to recover them.
