Cyber Monday is dead.
At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.
According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices, has closed the gap between Cyber Monday and the days on either side of it.
This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.
Now this doesn’t mean that Cyber Monday is going away. In fact, sales for Cyber Monday are growing rapidly year over year, and 2012 is expected to trump years past by 16.8%.
The opportunities are boundless, for retailers and fraudsters.
But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.
On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.
When one dies, so does the other.
But the reality is that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.
So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:
- Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out.
- Only Use Reputable Sites – Just because #1 is true doesn’t make it safe, don’t give your money to a stranger just because they handle it properly.
- Only Use a Credit Card – Don’t use a debit card, it does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
- Check Out as a Guest – Don’t create an account with online retailers unless you have to, this may help you avoid storing your payment card information online.
- Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.
We all shop online. It’s convenient, easy and usually saves you some coin.
And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.
Earlier this month, security media were ablaze with news of the freshly discovered Flame malware toolkit, which according to reliable sources began infecting Iranian computers as early as 2008.
Since the first reports, we’ve learned more about Flame, its capabilities and intent. The results of this analysis have been impressive and sobering.
Like its alleged sibling, Stuxnet, Flame is highly sophisticated, purpose-built and effective. As someone who spent many years in software development, I appreciate what it takes to write code for many platforms and devices while minimizing flaws. The authors of Stuxnet and Flame deserve credit for this, if nothing else.
Unlike Stuxnet, Flame is a toolkit – a veritable Swiss Army knife – of attacks that can be activated remotely by its command and control operator. The Flame payload is delivered such that all of the modules are available and integrated into the initial assembly, with no additional download or communication required.
Bluetooth sniffing, keylogging, an Autorun infector, the ability to hijack the Windows AutoUpdate function and more – up to twenty unique modules – all nicely packaged in one nefarious kit.
With all of this, Flame may have supplanted Stuxnet as the most complex and sophisticated piece of weaponized software ever developed in the [known] history of mankind.
But as powerful as Flame seems, the economic ecosystem on which it’s built may be even more interesting.
For decades, Microsoft, Adobe, Google and Oracle have been recruiting, paying for and getting the absolute best and brightest software designers, architects and developers on the planet. Until now.
In this post-neo-infosec-challenged world that we live in, the uber-software Gods work for the bad guys.
You may not put it on your CV or LinkedIn profile, but if you want a fun, exciting, incredibly well-paying job writing the newest, coolest and most coveted code on the planet, move to Romania and hook up with a Russian cybergang.
And it gets worse. As these malicious international software factories become more successful, they get richer, they buy better people and the cycle repeats.
Over the past several weeks the FBI, Interpol and other international law enforcement agencies arrested twenty-four individuals suspected of various card fraud schemes and activities. Suspects were spread out across thirteen countries around the world. One of them was arrested less than 45 minutes from GreyCastle Security headquarters.
None of them were software developers.
The people most typically being arrested for online crime are the individuals using the tools, not the ones building them. No, these digital mercenaries are tucked safely away in their posh Baroque villas on the outskirts of some small town in Estonia, busy writing their next module and withdrawing laundered cash from untraceable bank accounts.
And the hits keep coming. And the fire burns brighter.
Flame may just be the spark that starts the inferno.
In May of 2011, the Desmond Hotel and Conference Center in Albany, NY was compromised by an as-yet-unnamed foreign entity. Very little has been made public about the incident, and it’s possible that we will never know the true extent of the damage.
What we do know is that the credit and debit card numbers of every hotel guest from May 2011 to March 2012 were potentially compromised. At least one patron had their bank account drained.
Otherwise, it was just like the countless other breaches we’ve witnessed recently.
First, The Desmond had been compromised for nearly a year and didn’t know it. The Secret Service discovered evidence of the Desmond breach during routine investigations of foreign hackers and notified the hotel of their findings. We can only assume that the compromise would still be going on today if this stroke of luck hadn’t occurred.
Second, The Desmond didn’t have an Incident Response Plan. This is an assumption on my part, but one that I am confident in, given the post-event fallout. The incident, which could likely have been better contained, grew quickly and became a public relations nightmare that lasted for days.
Third, they didn’t think this could happen to them.
This is not a smear piece. The Desmond is my favorite hotel in the area, and one that we hope to make a client someday. Unfortunately, they became low-hanging fruit. They were simply the next target in a long line of victims, a queue that grows daily.
The Desmond made the news. 99% of breaches don’t. And it seems that until an organization experiences their own incident, there is little compelling them to protect themselves.
The industry, our peers, the media, the company where you work – all are providing us an education, but we are not learning from our mistakes. Psychology 101 teaches that human beings learn best when content is relevant, entertaining and interactive. It would seem that major public data breaches tick all of these boxes.
For now it seems the only thing that’s ticked is The Desmond’s customers.
The Zappos hack this week made national headlines for a number of reasons.
First, Zappos, a subsidiary of Amazon.com, is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest data breaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos data breach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leave the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shape charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.
This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.
The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.
It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh and it also has modular bays that can be adapted for “strike missions”.
The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted core processing. Rapidly moving from reactor to reactor, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.
It wasn’t until the damage was done that this assassin was given a name.
We called him Stuxnet.
Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.
Stuxnet, hailed at the time as the most sophisticated piece of malware ever conceived, ushered in a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.
Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has one child, and they’re multiplying fast.
In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.
- Step 1: Build Malware
- Step 2: Infect Drone
- Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant
Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.
For now though, I’d turn down that job as an Iranian nuclear scientist.
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought, it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break, I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia, were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
This morning I exercised my true American right. I voted.
For some, voting is a delicate process that involves days of analysis, research and personal preference. For some, just having the ability to vote is more important than the outcome.
For some, however, the election is a ruse. A rote, choreographed series of motions undermined by well-scripted television ads, slick marketing campaigns and overstated commitments.
For those who truly understand the global state of information security, it’s something altogether different.
In fact some believe that the new regime has already assumed power. This new guard isn’t a bunch of Harvard-educated attorneys and career politicians. They have no experience in legislative process, and they’ve never run a campaign. They are nameless and faceless. They’re 17 years old. They’re in their mid-thirties. They’re Russian, British and American.
And they control the world.
Using 100 million infected PCs globally, they can shut down power grids and cause financial chaos. Using weaponized software they can destroy intellectual property and control military networks. They own your credit card number and can listen to your mobile phone calls. They are CyberGods, and there are no term limits.
They have assumed control.
The world in which they operate is limited only by their imaginations, and their cyberwar is not bounded by rules of engagement. Their power is growing. Their reach is expanding. Their wealth is multiplying. Their armies have already overthrown nations in Africa and the Middle East. They are so much more than thieves. They are organized. They are evolving.
They are motivated.
On this Election Day, remember that the true ruling party – this legion – was not voted into power by throngs of rabid fans, they were implicitly elected by a movement of ignorance. An ethos of apathy.
Throughout history the people have risen up to unseat their oppressors, but not before tremendous hardship. A body in motion tends to stay in motion, as Newton once said, and geo-political movements have been no exception. Those in power will do their best to stay in power, and the cybercrimelords that are feasting on our negligence will find new, more deceptive ways to maintain their rule.
We have waited too long. Their momentum is too great. This global network of organized cybercriminals will not simply resign. The people will need to rise up. We will need to stand and fight.
It may take bloody revolution.
This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.
No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.
Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.
All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is forever.
So what does all of this have to do with information security?
Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.
The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization who has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure if the money-stealing malware has been eradicated.
Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents and processes for forensics investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.
Hindsight, as they say, is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.
If you’re a business without an Incident Response plan, it may be a little more expensive.
I’ve always loved haunted hayrides.
I’m not talking about hayrides where you sit freezing your candycorn off listening to some retired third-grade teacher drone on about the history of the early settlers who first farmed that land. I’m talking about the wretched ones, where one moment it’s pitch black and silent, anxiously waiting for the inevitable horror beyond the next graveyard, and the next moment it’s deafening, you’re screaming and choking on chainsaw exhaust, the cold steel of the neutered blade brushing your leg, fake blood spattering hay-strewn victims, only to be whisked away to a heavenly reprieve of cider donuts and hot chocolate.
People love to be scared. Whether it’s witches or zombies, Jason or Michael Myers, everyone loves that super-heightened sense of awareness from feeling like anything could happen.
It’s time we figure out how to bring a little bit of that feeling to our professional and personal lives.
Welcome to October, National CyberSecurity Awareness Month!
For many years now, we’ve known that people have been a major weakness in the cybersecurity chain. Of the significant data breaches that occurred in 2011, over 80% of them started with or incorporated some type of social engineering attack. This means that at some point along the way, people failed.
Interestingly, very few of these cases were situations where people acted in a malicious manner. In fact, nearly all of these cases were situations where there were accidental violations of policy, or where people had good intentions but violated policy to get their jobs done or where people had no idea that they had done anything wrong.
In these cases, the business failed.
Like Michael Myers, Freddy Krueger and other famous movie killers, cybercriminals don’t play by any rule book. They can strike anywhere, at any time. This fluidity gives them a distinct advantage over the good guys – the bad guys only have to be right one time, the good guys have to be right every time. This imbalance asserts that a heightened sense of awareness is critical if Haddonfield is going to make it through another Halloween.
Luckily, there are a lot more good guys than bad guys, all we have to do is arm them.
The beauty of horror movies is, we can turn them off if we want to. Not so for cybercrime. If we’re going to make it through this epic series, we need more good guys armed with sewing needles. We need more good guys with determination.
This October, as you’re shopping for peanut butter cups and Halloween decorations, do your home, business and planet some good and think about the role you play in cybersecurity. This ain’t no movie. The Michael Myers we’re fighting is real. He’s out there and he wants your identity. He wants your bank account.
He’s probably already got your credit card and SSN.
Think about this as you’re shopping for a costume.
I recommend the Laurie Strode.
“The definition of insanity is doing the same thing over and over and expecting different results.” – Albert Einstein
Is it possible that there are companies that deserve to experience a security incident?
Some may call this unproductive thinking, but it seems that some businesses are exposing themselves to repeat attack due to how incidents are being handled. Here are some examples of recent and common behaviors that are putting businesses at undue risk:
- Victims of cybercrime are not reporting their incidents. This lack of reporting may on the surface appear to protect the victimized organization, but that notion is short-sighted. By keeping the details of the attack and attackers private, we cannot learn from the event. This lack of detailed information about events makes it much harder to prevent, detect and correct them when they occur again. Our inability or unwillingness to share information becomes a critical weakness when fighting cybercrime – this is especially common among small businesses. Knowledge is power.
- Victims of cybercrime are settling out of court. Believing that they’re saving their reputations and wallets, victimized organizations avoid prosecution of attackers or malicious employees. Without prosecution, bad people never become criminals, and they simply move on to their next victim. Background checks against bad people are useless unless they have a criminal record, and criminal records don’t exist without prosecution. The same bad employee could end up working for the victimized company again and again if they were determined and understood how easy identity theft was.
- Victims of cybercrime aren’t collecting or using event evidence to strengthen their security programs. Actionable intelligence is the equivalent of sights on a handgun; without these, your chances of hitting your target become much, much lower. Security devices – firewalls, intrusion prevention, monitoring, anti-malware – record mountains of activity data during a security incident. Leveraging this information can help ensure that you’re less vulnerable to the same attack again.
As human beings we are programmed for self-preservation, these reflexes have helped us survive for millennia. However, it is these same survival reflexes that cause us to trade long-term pain for short-term gain. It takes considerably more thought and patience to factor the complex network of cause and effect relationships into our security decisions, but the juice can be worth the squeeze.
And as a bonus, Einstein wouldn’t have you committed.