This is malware that lies in wait, and then does harm. These are often referred to as Trojans. Often it is triggered by a date. It can also be triggered by the simple launch of the program or application in which it is embedded. In this case, from the system’s point of view, a trusted user ends up launching the malware and granting its yield: that is, a user who has sanction within a system by virtue of login credentials, a corresponding set of system authorities and access, and consequently permission(s) to do various things with that system.
Recognize that that user can do things to the system, with the system, and through that system – thus the malware has the same enablements. The malware can do things to the system: changing it, disabling parts (or all) of it, modifying the system’s payloads and deliveries (stats, reports, etc.), rendering certain users’ or entities’ access useless, and on and on.
The malware can do things with the system: using resources such as processor power, storage and bandwidth to blast information; ripping off contacts in order to assemble broadcast lists; and using those lists to further distribute various content, even to further distribute and install malware.
In doing things through a system, malware can hide its true origins, making it appear that it is spawning its nefarious purposes and deliveries from your domain – and actually, it is.
Worse, Remote Access Trojans (RATs) open back doors to your resources for the purpose of remote control. From that point on, changes and updates to the malware are possible, for the “best” possible use and abuse of the hacked resources.
Tomorrow, we’ll discuss another general area, Destructive Malware, and then we’ll delve into symptoms and a few more specifics.
Not all malware produces instances of horrendous harm. Some of it is simply a nuisance, in delivering unwanted content and add-ons – such as toolbars, or unwanted and even embarrassing content in the “real estate” dedicated to rotating ads on certain sites.
Spyware can rake a system for sensitive information, sending it back to the malware’s originator. This can inhibit system performance, and hence productivity, as the malware overtakes processing power, memory, possibly even storage, and bandwidth in surveying and shoveling information to those seeking it. Recognize too that there is yet peril here for harm beyond nuisance: identifying information makes identity theft a potential, and in the case of organizations, sensitive business info can be ripped off and exploited. Business reputation is not easily recovered in many of these circumstances, and even when it is, it is of course a nuisance in the extreme to make that recovery.
Often, malware is really nefarious in its nuisance-ness: there is nothing more discomfiting than not knowing exactly what is going on. A business colleague reported that his laptop had suffered an extreme degradation in performance: Looooong boot-up times [his routine became: 1) Start laptop, 2) Make and wait on a pot of coffee]; longer than usual sign-in time; then subsequent drive grinding. Launch of applications took about four times longer than usual, but this subsided after he’d been booted and logged on for 5 minutes or so – then performance was normal. The only other sign that something might be amiss was a pop-up box that appeared for less than half a second – its appearance was so quick, in the center of the desktop, that you couldn’t read the title bar, but were able to see, or sense, an “OK” and a “Cancel” button – it disappeared too quickly to act on it.
He ran several utilities, but nothing seemed to help. Until: an update to his Norton utilities and a full-system sweep removed whatever it was – fortunately, after a few weeks’ hassle, he didn’t notice any ID theft or collateral systems’ breaches, such as the draining of bank accounts, PayPal, etc.
Keep all of your protections up-to-date. It bears repeating: An ounce of prevention is worth a pound of cure.
Next up: Controlling-malware
In continuing our awareness for cyber-crime, recognize that after an entity penetrates a network for access, far more than an episodic outcome can occur (such as a one-time theft of data or money, for example).
Beyond the single harming event type of experience, the insertion and ongoing residency of malware has to be considered. This represents a particularly gnarly problem, because ongoing control over systems can be established – and it may continue without the organization’s knowledge for quite some time – until various harming incidents stack up, or thefts accrue, to the point where they gain a profile that bites hard enough to be noticed.
Resident malware can execute its code for particular outcomes, and recognition of these helps to monitor for them. In the next days, we’ll take a look at three basic types of malware:
- Nuisance (perhaps delivering marketing-oriented spam, or providing for spying, etc.)
- Controlling (to provide “back door” access, or takeover of systems by remote control)
- Destructive (perhaps to destroy data, or plant false content, to harm the reputation of the host. Destruction can also be used to remove evidence of intrusion).
NP: Joshua Redman; Freedom in the Groove
No matter the nefarious goal of an attack, subsequent entry, and exploitation (such as those mentioned in the articles below), there are basic steps for breaking your defenses and taking advantage of the breach that are common to all attacks.
- Exploration, or scouting, for potential targets: Breaching entities here are searching for networks and systems that have vulnerabilities. These vulnerabilities can include easily breached or guessed authenticating credentials, outdated and susceptible software, and missing or misconfigured settings for both software and hardware. Recognize that in addition to hard, technical soft spots – such as easily hacked firewalls or default/too-simple login credentials – there is the liability of simple human failing. This is going to include an exploration for naiveté regarding phishing; that is, fraudulent e-mails that solicit sensitive data by posing as legitimate enterprise e-mail/authority. Also pharming, whereby fraudulent websites that pose as legitimate partnering/enhancing entities can glean registration information, and thus make solicitation of sensitive data. Be aware too that once an outside entity establishes a relationship, any manner of “legitimate” download can be recommended, and thus penetration made.
- Taking stock goes hand-in-hand with exploration, in expanding the knowledge gained regarding vulnerabilities. Known bugs are correlated with the software surveyed during exploration. Human error can be paired with what that person has access to, and breaching entities can then reference other people and specific knowledge in looking legitimate to others… climbing a ladder of access, into ever more rarified and sensitive circles…
- Penetration can be for any of the purposes mentioned in the prior day’s article, but it can also be to perpetrate simple Denial-of-Service (DoS) attacks, which will not only render networks and sites inoperable, but can also crash business reputation.
Next: The introduction of malware to the environment…
In continuing from yesterday, let’s examine cyber-crime in a bit more detail. Before we get into the actual mechanics of intrusions and rip-offs, let’s fully understand the true perils inherent in 2013’s modern environment – some important cyber awareness.
Most people think of cyber crime as identity theft, for the purpose of stealing money from online accounts, or perhaps in order to pose as someone else online for whatever reason. Cyber bullying comes to many people’s minds. That, and outright “hacks” into systems by breaching electronic perimeter defenses, and then exploiting whatever resources are within for the taking.
But there are a number of other nuances. Routine “spam” is bothersome, but spam also incentivizes other cyber-crime. Disseminators of spam aren’t particularly interested in paying for their own processing, broadband, and propagation means and infrastructures – and that’s where you (the individual or organization) come in. If you’re insecure enough (from a systems and security perspective) to host, automate, and blast spam, then there are plenty of entities out there surveying for you and your associated vulnerabilities.
Credit fraud is big. A simple keystroke monitor can glean your, or an organization’s, credit card number and authenticating credentials – and away they go. Recognize that your SSN, address, bank account numbers, and all manner of other info and online accounts can be breached. Ouch.
There’s also the use of networks and resources for piracy, and the illegal transfer of data and information. You don’t want your company’s resources used for illegally transferring music, or other copyrighted material, for example. Nor do you or your organization want to be in the middle of electronic money laundering operations or tax evasion schemes.
Certainly government agencies are aware of cyber-terrorism, which can involve access for theft of secrets, flooding and disabling of critical systems, and breakage of systems through intrusion of malware. Also, false information can replace legitimate content, confusing the people who rely on these sites for best information and best practices, and thus subsequently hindering allied cooperation between supporting/reinforcing agencies.
In 2013 and beyond, the stakes are too high to ignore the first step toward best-security postures: Modern Awareness.
For our first take-away in this series, recognize that everyone with an online presence should be a Security Officer of sorts. So, next, we’ll get to an awareness for both individuals and orgs.
As we enter 2013, many of us are excited by new projects, new enablements, and an expansion of systems and related capabilities. I always feel a sunny optimism when embarking on projects, and I anticipate the deliveries and related empowerments.
But there’s a corresponding dark side for every positive pursuit, and the tech realm is not sheltered from nefarious activities: The number of cyber-crimes grows with each passing month – we don’t have to wait for the turn of a year – and the result of bad outcomes is ever-more severe.
The beginning of the year is a nice time to focus and position ourselves in understanding some important things, so as to take effective action: The steps that cyber-criminals use to attack networks; basic types of malware utilized; and the things you need to use and do in order to stop attacks from being successful.
As we’ll see, we have to guard against reconnaissance (nefarious entities cruising around looking for vulnerabilities and easy marks to exploit), penetration (intrusion into the network/assets), insertion of malware (with resultant theft, corruption, exploitation, etc.), and, in most instances, protection of the bad activity by hiding the exploitation as it is going on, and covering tracks once done.
Here at the end of the year, how about a bit of frivolity? After all, throughout the bulk of the year, we’re quite serious about the technology we procure, use, progress – and on occasion replace. It takes quite a bit of effort staying informed, trained, and either performing the work ourselves or directing various staff and teams in doing it…
But what of Ms. Emma Orbach? She’s an Oxford grad who has pitched it all, essentially… having moved “off the grid” and into a mud house of her own design and effort. Ms. Orbach made the transition 13 years ago, moving into the Welsh mountains, where she grows her own food and fetches the water she needs from a nearby stream.
She has named her home “Tir Ysbrydol,” which is Welsh for “spirit land.” Ms. Orbach’s children do visit from time to time; they are in their 20s and 30s. However, since the kids have not eschewed tech, even portable technology is barred from the home: mobile phones, laptops, iPads, and any other devices are strictly verboten.
She’s not completely divorced from “the outside,” however. There is a commune not far away where she and a former husband had ties. Also, there are some nearby abodes in which she runs a “healing and retreat center” – there are usually around half a dozen people staying there, presumably healing and retreating from… people like us and lives like ours?… (hey! I like my life! – lol), and these folks pay a “donation” – from which she is able to pay taxes, maintain the property, and purchase necessary grain.
Ms. Orbach doesn’t miss, in her words, “what is normally called reality.” She believes the quality of life in general is decreasing, even while the pace of modern life, and stress, is increasing.
Well… that may be. But ya know what? I was listening to some early Blues last evening, and I needed electricity. This is one of the best compilations, as a nice entry to Blues, that I’ve heard: Bessie Smith, Blind Lemon Jefferson, Mississippi John Hurt, Blind Willie Johnson, Bo Carter, Blind Willie McTell, Lonnie Johnson, Charley Patton, Leroy Carr, Josh White, Leadbelly, Peetie Wheatstraw, Robert Johnson, Blind Boy Fuller, Big Bill Broonzy, Memphis Minnie, Bukka White, Muddy Waters, Big Joe Williams, Son House, Washboard Sam and Sonny Boy Williamson.
I’m not moving into a mud hut any time soon. :^ ) But I admire this woman’s strength and conviction – it would be fun to talk to her.
Next up: I think I’ll spin the first Stones album.
Frankly: Why is this not 100%?
Almost every profession and discipline has been through, and continues to go through, embarrassing episodes due to “inside” personnel exposing information to the public, all too frequently through social media. A great example, local to me, is a large healthcare complex in town: caregivers were discussing patients in a very critical manner on social media, and referring to them by name and room number. If professional people with special training, clearances, and access are falling prey to the temptation to gossip online, then imagine what juries are tempted to do, particularly absent firm direction and guidance regarding social media.
Note: This is not to say, or imply, that juries can’t be comprised of professional people. Nor is it to impugn very intelligent and savvy tradespeople, or intelligent, informed, homemakers and so forth; however, I don’t care how educated, trained, or experienced a potential jury member is in their area of occupation – absent appropriate care, concern, and caution regarding the discussion of cases on social media, that jury member is defective.
Many State Bar Associations and allied jury instruction committees have been releasing jury instructions for some time, in order to educate and remind members that discussing the case outside of court and outside of sanctioned jury deliberations is strictly verboten – and of course this includes social media, e-mail, the internet, and anything else related, such as comment fields in news stories, live chats, and indeed “on the internet or on any electronic device including cell phones.” Hmmm… they might want to update that last with “mobile device.”
Judges are also well-advised to remind jurors of consequences such as mistrials and wasted time. Presently, abuse of social media will result in dismissal from the trial, but watch for that to change: Soon, I believe it is likely that discussion and divulgence of trial information to social and allied media by a juror will result in prosecution and punishment.
I’m hearing more and more stories of this nature: of system ambiguities, breakages, confusions, outright dead-ends… paired with so-called “helpdesk” functions that are virtually no help at all. We spoke about an example here a few weeks ago.
It seems that the Treasury Department has a new online system for the purchase of “digital bonds.” According to Susan Tompor, personal finance columnist for the Detroit Free Press, this is the first Holiday season that paper U.S. savings bonds are not being sold at banks.
Not to worry: You can go to www.treasurydirect.gov for the digital bonds. The discontinuation of paper bonds is a cost cutting measure. However, it seems that the online system is cumbersome at best, downright confusing for the most part, and in many cases either leaves the potential purchaser exiting the system in total frustration (absent purchase), or worse, debits a purchaser’s card for more than anticipated for any particular bond.
Ms. Tompor has been in contact with readers who have had to e-mail the TreasuryDirect helpdesk several times in order to successfully navigate the system. One reader said he spent significant parts of three days trying to make purchases… and was never successful. Let’s recognize something obvious here, but extremely important: If you’re selling something, the absolute last thing you need is to have an ambiguous, obtuse, select-and-order system.
Apparently too there have been significant changes involving the amount of money required vis-à-vis the face value of bonds, but many customers, due no doubt to pesky system ambiguities, have found this out the hard way, racking up unanticipated debit amounts on their cards.
Making matters worse is something that I’m finding to be the rule these days, rather than the exception: Helpdesks that are inaccessible due to hold times that go on forever – literally.
It shouldn’t be that hard to craft systems that are relatively easy to use. Of course, broken systems and dysfunctional project teams are partly what keep yours truly in clover, but ultimately I tell everyone the same basic thing: Imagine you’re using the system you’ve just designed for the first time; look at it through a User’s eyes. Where are the ambiguous decision points and paths? Make clear where the user is to go, based on what they’re trying to do. Imagine yourself “going wrong” in the system – force yourself to look for areas where a new user can go astray – and then fix the potentials for, and liabilities of, bad outcomes.
Of course, this smoothing of systems should be going on during all points of the project; in initial design, but certainly through various iterations and versions of betas during testing. If, after due diligence, you, as the system designer, are not sure just how “user friendly” a system is – throw up a dialog box, some questions, and force the user down the correct fork in the road – as much as possible. We’ve all seen good systems and bad. Getting it right just requires a little care, concern, and imagination.
Just these two simple words, foremost in mind, can stave off all manner of problems:
Regular readers of this blog may know that I collect records – “vinyl,” “LPs,” “33s”, “78s,” “45s” – I even have Edison disks and cylinders (and the related players).
Mine is a formal record library, with sections for Rock, Jazz, Blues, Bluegrass, early Country, Classical, Folk – maybe a few other genres…
Recently I stumbled across a most interesting jazz album, recorded and released in 1959, entitled “One World Jazz.” It involves 15 leading jazzmen – but don’t mistake it for “Big Band” – it’s in the pocket of that nice late-‘50s/early’60s progressive jazz, of which I’m particularly fond.
But here’s the amazing thing: this session bridged three continents, and the cities are New York, Stockholm, Paris, and London – with musicians on one continent laying down tracks, with subsequent shipment of tapes to the second continent and addition of further musicians, and then to the third continent, and… you get the idea.
Of course, today this would be a small feat: digital files can be swapped around the world almost immediately, for contributions and additions of all sorts. In fact, soon – if not already – it will be possible to be jammin’ live, in real time, with any number of people, dispersed around the globe. Imagine: Sitting in a room, either alone or with a few other players, and having some video and speaker monitors in the room – your intercontinental friends are in the band in a “virtual” sense, and you collaborate and lay down tracks. Pretty powerful.
For those interested, the LP is on Columbia, with catalog number WL 162. Musicians are:
In New York: J.J. Johnson, trombone; Ben Webster, tenor saxophone; Clark Terry, trumpet; Hank Jones, piano; Kenny Burrell, guitar; George Duvivier, bass; Jo Jones, drums.
In Stockholm: Ake Persson, trombone.
In Paris: Stephane Grappelly, violin; Martial Solal, piano; Roger Guerin, trumpet; Bob Garcia, tenor saxophone.
In London: Ronnie Ross, baritone saxophone; George Chisholm, trombone; Roy East, alto saxophone.
NP: One World Jazz, Columbia, WL 162