Security Corner


December 26, 2014  3:38 PM

Obama’s response to alleged N. Korea cyberattacks: Grandstanding, or truth?

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

Last Friday (12/20/2014), Barack Obama confirmed that the White House believed that North Korea engaged in a cyberattack against Sony Pictures.

They caused a lot of damage, and we will respond. We will respond proportionally, and we’ll respond in a place and time and manner that we choose.

I am not convinced that North Korea engaged in the attack against Sony. I see too many outpoints in the evidence (and lack of same) to convince me and I certainly have no trust whatsoever in the FBI. Mr. Obama seems to believe it (or maybe he’s just pretending), however, and issued a promise to retaliate. POTUS has engaged in a nice bit of grandstanding here, don’t you think? Unlike our late, former President Ronald Reagan, who was an actor, perhaps Mr. Obama should embrace such a career.

Regardless — or in spite — of the truth in this matter, and my own opinion notwithstanding, someone apparently took some sort of action to retaliate: North Korea was knocked completely off the internet on Monday. Is this just coincidence, or did the U.S. “respond in a place and time and manner that we choose?”

This is what we know for sure:

  • Sony was hacked and hacked data was released to the public
  • Hackers made some threats against movie theaters and mentioned 9/11/2001
  • The movie “The Interview” was withdrawn, then subsequently released and shown
  • The FBI blames North Korea for the attack on Sony
  • POTUS agrees with the FBI and issues a threat/promise to respond
  • North Korea’s internet connectivity was cut off on Monday

All the while, the media is making all sorts of noise, publishing hearsay and outright supposition as “facts” and generally confusing the issue as they always do.

We may never know the full truth but watching this story unfold has been quite entertaining so far.

December 25, 2014  5:38 PM

(Warning: Language) Is Elf on the Shelf a secret plot to brainwash children into accepting a surveillance state?

Ken Harthun Ken Harthun Profile: Ken Harthun
Christmas, NSA surveillance, Surveillance

Some people just can’t resist attempting to ruin Christmas by spreading FUD. To those people I dedicate the song “You’re A Mean One, Mr. Grinch.” Since when has the magic of Christmas and all things wondrous and imaginary connected with it become something to be concerned about? I just read three articles — I’m sure there are more — that raise questions and concerns about “The Elf on the Shelf” toy that has become wildly popular since 2005. For instance:

When parents and teachers bring The Elf on the Shelf into homes and classrooms, are they preparing a generation of children to accept, not question, increasingly intrusive (albeit whimsically packaged) modes of surveillance? – From: “The Elf on the Shelf” and the normalization of surveillance – See more at: https://www.policyalternatives.ca/publications/commentary/whos-boss#sthash.2FNUR8qB.dpuf

And this from The Creepy Surveillance of Elf on the Shelf:

The space of childhood is also the haven of  things unseen, magic, enchantment, and endless possibility. Monsters could exist under your bed. Santa can deliver gifts to all children in only one night. And now, magical elves can report your naughtiness, so you better be nice. Surveillance is a dominant force in our world, so why wouldn’t Santa be implicated? Santa and his helpers seem to make the erosion of privacy comfortable and normal. In the name of family tradition and good behavior, what does The Elf on the Shelf ™ teach our children? Someone’s always watching, so act accordingly.

And this from Santa Claus and the Surveillance State:

It’s not just the Elf on the Shelf; children have been taught for centuries that dangerous authorities are watching and judging them. [Including Santa Claus and let’s not forget God and the other mythical gods of past civilizations. – Ed.]

He sees you when you’re sleeping. He knows when you’re awake.

He’s everywhere.

And that’s the whole point of the Elf on the Shelf, the bright-eyed, Kewpie-esque doll that millions of parents display around their homes in December as a reminder to children to behave. The elf, the story goes, is an agent reporting back to Santa Claus, and he’s tasked with documenting any seasonal misdeeds for his jolly boss.

You know what really scares me, what I find so creepy? It’s that people would actually buy into this bullshit. I didn’t turn into a happy slave to the surveillance state by being taught about — and one time believing in — Santa Claus and whatever else these misguided, paranoid people are concerned about. And I bet you didn’t either. If anyone can show me an example of one person they know who, having had a normal childhood steeped in Western tradition, now accepts and condones the surveillance actions of our criminal government “security” agencies (excepting, of course, the very idiots who are employed by said agencies), then I *might* be mildly interested in giving the issue an iota of concern.

Merry Christmas!

I hope Santa has you on his “nice” list :-)


December 24, 2014  6:13 PM

ATM skimmer doesn’t work? No sweat, just blow it up!

Ken Harthun Ken Harthun Profile: Ken Harthun
ATM, Banking industry, NCR, Security

I guess it’s rather dark humor because it happens, but I find it funny how far these cyber-idiots will go to steal from an ATM.

From Krebs on Security: “According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.

atmgasattack

Explosive gas attack on ATM machine. Source: EAST via Krebs

Probably, this is more an act of desperation because of new security measures being deployed at ATM machine locations. ATM skimming devices sometimes require the criminals to cut a rather large opening to insert their device as shown in these photos:

ncr-decal-wiretap-600x283

Criminals cut a hole in an ATM to insert their skimmer, then cover it with a decal. Source: NCR via Krebs

Sometimes, they just can’t use regular tools to accomplish their crime.

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

And when a blowtorch won’t work, they blow it up!

Next thing you know, they’ll be using RPGs. Then again, probably not; the RPGs would cost more than the booty obtained from the heist.


December 24, 2014  6:09 PM

Apple Pushes out Security Update — HORRORS!

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Apple, Data, news, Security, Update, Windows

To hear Apple fanatics tell the story, the recent (and supposedly first ever) automatic security update marks the end of the company. Apple is doomed now that it has gone the way of MSFT and pushed out a software update over which users didn’t have any warning nor any control. It’s 1984 – but the bad guys have won!

Settle down. I wear my Apple badge proudly and sometimes (OFTEN) believe blindly in what the benefactors at Apple are doing on my behalf. This includes their releasing of new hardware, the changes in software and even the move to iCloud backups and that whole mess. I also use to be the first person to shout, “get a Mac” when friends complained about their slow or blue-screened PC.

Screen Shot 2014-12-24 at 1.07.55 PM

But is an automatic update such a big deal? Especially when you can’t walk down the street without seeing store after store experiencing data breaches or security hacks? Even Sony got the short end of the stick when the one IT guy in North Korea punched in ‘password’ and miraculously broke through the defenses of that movie studio.

I’m in favor of the auto update…this time. And when it makes security sense. I certainly don’t want Apple – or anyone – jumping to my defense on such a regular basis that it interferes with my daily life. Note that the same friends with blue screens of death would wait 45 minutes each Tuesday for their MSFT firmware and software to get updated.

Let’s be very clear that’s not the right way to do things. But the world is changing and we have to change with it. If I now need two-factor authentication to use my credit card online, that’s fine. If I now have to start remembering my first car and favorite teacher to pay my bills electronically or access my GoDaddy account – OK.

When it gets obtrusive is when it makes other options more attractive. As I said in the beginning, for me the Apple system and way of life is much more attractive than the other options. The only time that will change is if Apple starts making this a regular occurrence. Then, the better option is for them to rethink their programming and infrastructure to make things more secure at the base level so those of us out here with laptops, iPads and iPhones don’t have to worry.

Yes, if you have a MSFT device, you’re still on your own…or actually locked up in the MSFT big brother funny farm.

Have a great holiday. See you next week!


December 24, 2014  5:42 PM

Merry Christmas!

Ken Harthun Ken Harthun Profile: Ken Harthun
Christmas, holiday

I wish all my readers and all of the staff at ITKE a safe and Merry Christmas! However you celebrate this season, please keep the true meaning of the holidays in your thoughts: Peace on Earth and goodwill toward men.

merry_christmas_card1


December 16, 2014  10:06 PM

This ransomware is also a true virus

Ken Harthun Ken Harthun Profile: Ken Harthun
'Virus`, Ransomware, Security, Sophos

gremlinA new ransomware threat, which is detected and blocked by Sophos as W32/VirRnsm-A is actually a true virus, unlike most such malware. According to Sophos Labs:

The intriguing part of VirRansom is that as well as infecting your EXE (program) files, this new virus “infects” data files, too, such as ZIPSs, DOCs and JPGs.

Data files are encrypted, wrapped up into an EXE shell, and renamed so they end in .exe.

In a file viewer such as Explorer, you don’t see the infected extension .exe by default (and anyway the virus turns extensions off if you had them on).

Also, the virus sets the icon of the infected file to whatever it was before.

That means you could be excused for opening an infected file by mistake, because it looks as you’d expect.

And if you open an EXE file under the impression that it’s an image or a document, what you actually do it to execute it instead.

So, if you inadvertently open up an infected file, the virus runs, and then it:

  • Installs itself permanently on your hard disk (using random filenames unique to each infection).

  • Sets a registry entry so it will run again after you logout or reboot.

  • Activates itself by loading various processes into memory.

You can read all about it here. Just be on the lookout for it.


December 16, 2014  7:58 PM

Symantec: 91% increase in targeted attack campaigns in 2014

Ken Harthun Ken Harthun Profile: Ken Harthun
best practices, SANS, Security, Symantec

Symantec has released its Internet Security Threat Report for 2014. The report is based on an analysis of data from its Global Intelligence Network. You can obtain a copy of the report here: http://bit.ly/1GqCh04. In addition to the headline statistic, here are a few more highlights:

  • 62% increase in the number of breaches in 2013
  • Over 552M identities were exposed via breaches in 2013
  • 23 zero-day vulnerabilities discovered
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
    Spam volume dropped to 66% of all email traffic
  • 1 in 392 emails contain a phishing attacks
  • Web-based attacks are up 23%
  • 1 in 8 legitimate websites have a critical vulnerability

The data are interesting in themselves, but reports like these always beg the question, “How do I apply this to my everyday life?” Symantec anticipated this question and provides information on best practices for business and consumer alike. They also provide a copy of the SANS Critical Security Controls.

Highly recommended!


December 15, 2014  5:15 PM

Microsoft pushes out badware

Ken Harthun Ken Harthun Profile: Ken Harthun
BADI, Microsoft Patch Tuesday, Security, Windows Updates

I'm fed up with Adobe!

It acts like malware, and if you’ve been affected by it, you’ll certainly think you have caught an infection. It’s not malware. It’s actually just “badware” (unintentionally bad software) that our friends at Microsoft were kind enough to push on us last Tuesday. One of the latest Patch Tuesday updates, KB 3004394, specifically, prevents certain graphics drivers from updating, wrecks USB 3.0 drivers and User Account Control (UAC) prompts have gone all gunklepucky (gnarly, sticky mess). According to Microsoft the update even prevents the installation of future Windows Updates.

But what’s really bad is that this update disables Windows Defender services — services designed to prevent malware infections.

You can read the whole, sad story here: Microsoft withdraws bad Windows 7 update that broke future Windows 7 updates.

You may be one of the lucky ones, like me, who didn’t get the bad stuff (because I don’t allow automatic updates), but if you did, the first thing you should do is remove KB 3004394. My further recommendation is that you disable automatic updates unless you are in an environment where your IT staff vets the updates prior to pushing them out. I have my update settings configured to “Check for updates but let me choose whether to download and install them.” Then, I wait at least a week before I give them the go-ahead. This allows time for people to discover the problems before I commit myself.

After you remove the bad update, you should get the patch for the patch, KB3024777, which is available directly from Windows Update.


December 15, 2014  5:05 PM

NFL Security Measures

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Data, football, Security, Storage

It’s nearly the end of the football season and I finally made it to an actual game instead of watching it on TV. The stadium was cold and rowdy fans were everywhere. Though I managed not to get beer spilled on me, I was surprised by how tight security has gotten at these facilities.

Screen Shot 2014-12-15 at 12.01.15 PM

Not unlike the gates at a government facility or high-tech company, the passage into the stadium was super secure. In addition to folks checking bags – we’ll talk about that in a second – there were friskers and wand wavers paired at every path into the stands.

Metal corrals directed us toward yellow-jacketed personnel who asked us questions, had us put our arms up and then they irradiated us with beeping plastic wands designed to find metal hidden on your body. Though it might be less efficient than having a simple door-frame metal detector, the personal touch made it a little more bearable.

As mentioned a second ago, the bag-check process and policy is insanity. What strikes me as a money grab and overreaction is the requirement that any bag that goes into the stadium with you be made of clear plastic and of a certain size. Interestingly, these bags are for sale at the concession stands and at NFL-operated stores. Presumably the bag requirement is to speed up entry into the ball park and to ensure security by allowing personnel to see exactly what you’re bringing with you to the ball-game.

Screen Shot 2014-12-15 at 12.02.47 PM

Needless to say, if you really wanted to carry a bunch of stuff in – food, a bat, drugs or other contraband – you could just wear cargo-style pants or have your child carry your stuff for you. I heard repeatedly while in line – yes, I picked the line where the person was being trained so it was extra-slow – “no need to scan or frisk kids.” That makes it clear that if you wanted to bring your own booze, nunchaku or other crazy items, just bring a kid with you.

OK, there are lessons to be learned about how the NFL does things. And it’s not all bad. First, think about your audience and who will be accessing your facility. Then make regulations that ensure proper access under the right circumstances.

If you run a pharmaceutical company that uses freelancers/contractors on a regular basis, set up IDs that identify these people as such and create a policy that they can’t be unaccompanied within the facility. Also ensure that for these people, bags, briefcases and purses are checked when these folks arrive and depart. For many organizations, the biggest cost of having visitors onsite is that they might leave with a thumb-drive of info or something proprietary on their person.

To that end, enlist IT and HR to set up systems so that drives and access to outside storage sites is limited to only fully provisioned personnel. There is no reason a visitor who is working for you onsite needs to have access to a dropbox account. If they require materials and input from outside sources, they can get these via a fulltime, provisioned employee. Further, if they are doing work for you offsite and onsite, there should be a clearing process for any documents, data and programs that cross the barrier between the two.

Lastly, just like the NFL does, you should have a plan in place in case events go south. At the stadium if there is a fight or spilled beer or anything untoward in the stands, guards immediately quell the situation. There are hundreds of people watching for incidents all game long and responding to anything unusual. You can do the same at your company by empowering all employees to act as gatekeepers to your valuable data and facilities. If they see something, they are authorized and encouraged to call for security, IT or the appropriate person to deal with a situation.

Business is sometimes less fun than watching your favorite football team win. But when things go right, the upside and the peace of mind you get from contributing to a secure and successful business can be quite rewarding.

What policies do you have at your office that make you feel secure? What policies do you think are a load of crap and a waste of time?

Chat next week!


December 9, 2014  6:42 PM

Internet privacy? Fuggedaboudit

Ken Harthun Ken Harthun Profile: Ken Harthun
online privacy, Security, Surveillance

The Internet has become a surveillance state–probably the whole world, too, but more on that later. Like it or not, we’re being tracked all the time. Google, Facebook, iPhones, iPads, and surveillance cameras are everywhere and every one of them tracks you in some way.

There was a time, in the early, formative years of the Internet, when you could expect a modicum of privacy; at least, you could do certain things to cloak yourself. These days, there are still things you can do–TOR, Private Browsing, sandboxing, virtual machines, using an alias, etc.–but there are so many ways you are being tracked that you can’t avoid them all.

Just thinking about it is a bit scary, but it’s even worse than you think. Read The Internet Is a Surveillance State by Bruce Schneier. As he puts it: “All of us being watched, all the time, and that data being stored forever.”

If you want to see how you are being tracked on the Internet, you can download Google Chrome and install Collusion. This app will show you all of the trackers watching you as you surf. It’s highly enlightening. I’ve used it and I can recommend it.

Bottom line: Get used to it. The dystopia of George Orwell’s 1984 has been realized–at least on the Internet–and it’s much worse than even he envisioned.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: