Sunday, 4 August 2013

Social networking and internet privacy: from bad to worse.

Ever been paranoid about a government monitoring your internet activity? Well, I have some good and bad news for you. In New York, an American family's house was raided by the CIA after authorities discovered the family had run Google searches for the keywords “backpack” and “pressure cooker”, and it certainly didn't help that the youngest child in the family had also been running a few searches related to the tragic Boston bombing. The mother had been searching for a new pressure cooker and the husband had been looking for a new backpack, so it all looks like a legitimate false positive (source: http://www.news.com.au/technology/american-family-raided-after-searching-backpacks-and-pressure-cookers-on-google/story-e6frfro0-1226690035517). However, this has raised major worldwide concern. The good news is that authorities can use this technology to stop terrorists well before their plans are executed. The bad news is that every single person on the internet is now subject to screening.

Facebook has to be the best example of privacy invasion in modern history. The most recent Facebook features may be exposing your privacy, and the biggest problem is that people understand very little about the consequences. Facial recognition is a wonderful tool to help your friends auto-tag you in photos from when you were at the pub at 3AM; and considering 80% of the population carry a smartphone, the photo would also be geo-tagged. So not only does Facebook (and everyone else your privacy settings let in) know where you were last night, and at exactly what time; it also knows what you look like.
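The geo-tag is ordinary EXIF metadata inside the photo file, which means it can be checked and removed before the picture is uploaded. The following is an added example, not code from the original post: it builds a small JPEG in memory with a GPS IFD (the coordinates, the file layout and the function names extract_gps, strip_exif and build_sample_jpeg are assumptions made for illustration), reads the location back the way any site receiving the upload could, and then strips the APP1 segment so the copy that leaves your phone carries no location.

```python
"""Find and strip the GPS coordinates a smartphone embeds in a photo's EXIF block.

Added example, not code from the original post. It builds a small JPEG in memory
so it runs offline; the coordinates, the byte layout and the helper names are
assumptions made for illustration.
"""
import struct

SOI, APP1, COM, SOS, EOI = 0xFFD8, 0xFFE1, 0xFFFE, 0xFFDA, 0xFFD9  # JPEG markers
TAG_GPS_IFD = 0x8825                 # IFD0 entry whose value is the offset of the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment between SOI and SOS."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker in (SOS, EOI) or length < 2:
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, order):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at offset off."""
    entries = {}
    for i in range(struct.unpack_from(order + "H", tiff, off)[0]):
        base = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(order + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, value_field, order):
    """Degrees, minutes, seconds: three RATIONALs at the offset held in the value field."""
    off = struct.unpack_from(order + "I", value_field)[0]
    return [struct.unpack_from(order + "II", tiff, off + 8 * i) for i in range(3)]


def _to_decimal(dms, ref):
    degrees = sum((num / den) / 60 ** i for i, (num, den) in enumerate(dms))
    return -degrees if ref in ("S", "W") else degrees


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if an EXIF GPS IFD is present, else None."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        order = "<" if tiff[:2] == b"II" else ">"          # TIFF byte-order mark
        ifd0 = _read_ifd(tiff, struct.unpack_from(order + "I", tiff, 4)[0], order)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack_from(order + "I", ifd0[TAG_GPS_IFD][2])[0], order)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        lat = _to_decimal(_dms(tiff, gps[TAG_LAT][2], order), gps[TAG_LAT_REF][2][:1].decode())
        lon = _to_decimal(_dms(tiff, gps[TAG_LON][2], order), gps[TAG_LON_REF][2][:1].decode())
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 (EXIF) segment removed; the image data is untouched."""
    out, keep_from = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1:
            out += jpeg[keep_from:start]
            keep_from = end
    out += jpeg[keep_from:]
    return bytes(out)


def _ifd(order, entries):
    data = struct.pack(order + "H", len(entries))
    for tag, typ, n, value_field in entries:
        data += struct.pack(order + "HHI", tag, typ, n) + value_field
    return data + struct.pack(order + "I", 0)  # no next IFD


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG: SOI, an EXIF APP1 with a GPS IFD, a comment, a stub SOS and EOI."""
    order, gps_off, lat_off, lon_off = "<", 26, 80, 104   # IFD0 spans 8..26, GPS IFD 26..80
    ifd0 = _ifd(order, [(TAG_GPS_IFD, 4, 1, struct.pack(order + "I", gps_off))])
    gps = _ifd(order, [(TAG_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00"),
                       (TAG_LAT, 5, 3, struct.pack(order + "I", lat_off)),
                       (TAG_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00"),
                       (TAG_LON, 5, 3, struct.pack(order + "I", lon_off))])
    rationals = b"".join(struct.pack(order + "II", n, d) for n, d in lat_dms + lon_dms)
    exif = b"Exif\x00\x00" + b"II" + struct.pack(order + "HI", 0x2A, 8) + ifd0 + gps + rationals
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    comment = struct.pack(">HH", COM, 2 + 7) + b"comment"
    return struct.pack(">H", SOI) + app1 + comment + struct.pack(">HH", SOS, 2) + struct.pack(">H", EOI)


# Constructed sample: a photo "taken" in central Melbourne (37°48'49"S, 144°57'47"E).
SAMPLE_JPEG = build_sample_jpeg([(37, 1), (48, 1), (49, 1)], "S", [(144, 1), (57, 1), (47, 1)], "E")

if __name__ == "__main__":
    print("location in upload:", extract_gps(SAMPLE_JPEG))
    print("after strip_exif:", extract_gps(strip_exif(SAMPLE_JPEG)))
```

Only the EXIF segment is removed; the compressed image data is untouched, so the picture itself is unchanged. Real EXIF blocks carry many more tags than this sample, but the GPS IFD is located the same way, through the 0x8825 pointer in IFD0.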

Facial recognition research goes back to the early 1960s, when a team of American computer scientists was funded by an “unknown source” to develop technology to identify human faces. There were mixed results, but the technology has come a very long way since then. From a security standpoint, biometric identification is very reliable and is a much stronger form of authentication than usernames and passwords; however, it adds complexity, and complexity is kryptonite to any security model.

If you run a Google search on your name, what are the results? More than likely it will contain at least one picture from your LinkedIn or Facebook account; and if the results surprise you, then ask what other personally identifiable information is floating around the internet. Some of you may be familiar with the term “Google bomb” or “Googlewashing”; for those of you who are not, it is effectively the practice of manipulating Google's search-rank algorithm by flooding a search result with multiple links, causing a keyword search to return a desired website. Typically used for business, political or comedic purposes, the most famous Google bomb occurred in 2007, when searching for the keywords “miserable failure” returned results for George W. Bush.

My personal favorite, in terms of failed privacy, are hashtags. I find them very annoying and unnecessary; and regardless of my personal opinion, hashtags are incredibly dangerous. Hashtags are a data mining and marketing golden nugget, and effectively provide a very accurate pattern for assessing interest. Some of you may have Facebook friends who often share a status accompanied by a hashtag; examples include #eatingsteak, #needaholiday and #enjoyingadrink. This creates a channel (or thread) in which others who use the same hashtag can view the shared information. Facebook has recently enabled clickable hashtags, making it even easier for other Facebook users to collaborate; however, the shared hashtag is linked to an actual account, and this means strangers can personally identify who you are.

If you feel any concern as a result of reading this article, I would strongly suggest you review your own and your family members' social networking privacy settings. I would also encourage everyone to think twice when checking into locations; remember that others who have checked into the same location can also see that you are currently there. With the changes to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 taking effect in 2014, businesses should be very concerned about ensuring they are compliant, as heavy penalties apply for a privacy breach. Contact your trusted, reputable security vendor and have a conversation about improving your security posture and privacy protection readiness.


Sunday, 3 February 2013

Exploiting Software – Zero Day Attacks.

Zero-day vulnerabilities are something we all hear about often, and they are usually related to enterprise-grade software. Internet Explorer (Microsoft) and Java (Oracle) are two familiar names recently dominating IT security news headlines, thanks to major vulnerabilities allowing attackers to obtain remote access to the end user's machine. Before you decide to hide all your money under the mattress, let's take a look at what this all means.

A zero-day attack is one that takes place on “day zero” of awareness of the vulnerability, limiting the ability of developers to patch or address the security hole before end users are affected. Zero-day exploits are considered a golden nugget in terms of value and are often illegally sold on the black market for large amounts of money, while organizations such as ZDI (http://www.zerodayinitiative.com/) provide financial incentives for security researchers to legally disclose newly discovered vulnerabilities. The US government paid $250,000 for an iOS exploit in 2012 and offers rewards of up to $200,000 for submitting Internet Explorer or Google Chrome vulnerabilities.

Electronic warfare is the 21st century's means of crippling adversaries, and government agencies are willing to take any measure to ensure top-secret information systems are never compromised. Developed software is often subject to rigorous penetration testing, so you can imagine it is not easy to discover dangerous exploits; more than 60% of exploits are discovered accidentally. To put things into perspective, we have all faced the blue screen of death on a Windows system: it is a relatively harmless error message, and it is often accompanied by a reason.

Now imagine the exact same scenario occurring in an internet-based application. It would mean that under a certain predictable condition the software fails, and, given how software is designed, if the application fails everything hangs in the balance while the application is reset or closed. It is in this small window of time that the application or system is open to attack. The ability to take control of a system remotely is the goal, ultimately leading to the theft of confidential information or the insertion of malware; the possibilities are vast.

Newly discovered zero-day exploits can be hidden from the public for months, dormant or active. It was discovered that a zero-day exploit had been used for at least one month to steal personal information and files from visitors to an aviation website. The intention was to steal confidential government files from employees of the air force by compromising a non-government aviation website. This tells me that attacks are becoming more sophisticated and hacking groups are well structured.

The most recent exploit discovered in Java software presented a particularly sensitive issue. Whatever browser we prefer, almost everyone has to use Java to access content-rich websites. The exploit allows a remote attacker to execute arbitrary code on the victim's machine, giving the attacker access to the data on the machine and turning the machine into a zombie feeding a botnet. Basically the machine is completely under the control of the remote attacker, and is often used to attack other unsuspecting victims. The discoverer of the exploit had originally posted on a cyber-crime forum with the promise of a “weaponized and source code version of the exploit” starting at $5,000 each. Weaponizing the exploit basically means providing the attacker with an interface and means to perform the attack, just like buying a gun for the bullets.

It is not possible to completely safeguard your business from a zero-day attack; however, updating software to the latest vendor specification and ensuring IT security programs are up to date and enforced across all employees can help reduce the number of affected end users.

Tuesday, 1 January 2013

Encrypted Viruses - How Prepared is Your Business?

Encryption is the “good stuff” that protects information across an untrusted line of communication and ensures confidentiality. Encryption has many positive applications and is used widely to protect critical data and information every day without any user awareness. Secure websites using HTTPS encrypt all communication between the end user's browser and the website; this protects visitors to the website and stops snoopers from stealing confidential information, e.g. in internet banking.

If we take a look at the other side of the coin, encryption can be a real problem for people and organizations that legitimately need access to the encrypted data. For example, anti-virus vendors typically detect a normal virus through a known signature or a more advanced heuristic method, and this works great provided the anti-virus agent installed on the machine is updated regularly. However, if an encrypted virus infiltrates an information system, it can be a nightmare to detect.

A small number of clever virus writers are utilizing encryption in an attempt to bypass perimeter and endpoint protection software. How it works is simple, and a number of methods can be used to achieve it, some complicated and others not so “smart”. To put this into simple terms: if a man were to walk into a building with a semi-automatic assault rifle, the likelihood that someone would spot the dangerous man and alert the authorities is high; if he were to walk in with the weapon concealed, the chances of detecting the danger drop significantly. To carry the analogy over to IT security, anti-virus software is the detection mechanism or security checkpoint that X-rays everything entering the system.

Encrypted viruses are normal viruses with the exception that the payload is garbled and unreadable, which makes the threat harder to detect. The virus is effectively useless until it can be decrypted (or unpacked).

Early virus writers used a self-decrypting method embedded in the infected file: each line of code executed would in turn decrypt the next line to be executed. Anti-virus vendors caught onto this very quickly, and threats have evolved significantly since. In one method, first seen in the RDA.Fighter virus, the virus writer did not include the decryption key; instead the virus was designed to brute-force itself. Encryption is tightly controlled by the US government, and the use of unknown encryption algorithms can result in serious gaol time, which is one of the reasons encrypted viruses are not as heavily developed, apart from the most obvious fact that developing such viruses/malware takes significantly longer.

A more advanced technique named ‘polymorphic code’ adds complexity to the virus structure and increases the difficulty of detection. It basically means “self-changing”, and requires little to no human intervention to perform the change. Think of it as the seasonal flu that most people catch each year. It is not something that starts at a certain place or time; it is more than likely the same flu from last year, just slightly mutated. The mutation occurs as the flu is passed from person to person, eventually completing a full circle. Polymorphic code works in a similar way and has been utilized by virus writers since the beginning of information systems. Typical polymorphic behavior involves a virus or worm infiltrating a system, then mutating and propagating itself. Coupled with encryption, it can pose a serious threat to any business, as samples are made redundant quickly and could send a vendor on a wild goose chase.
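To make the last three paragraphs concrete, here is an added example in Python, not code from the original post. A harmless constructed string stands in for a virus body, single-byte XOR stands in for the encryption, and a key that changes per copy stands in for the mutation step (a real polymorphic engine also rewrites the decryptor itself). The names signature_scan, xray_scan and self_decrypt are assumptions for illustration. It shows why a plain signature no longer matches an encrypted copy, how an RDA.Fighter-style copy can recover its own key without shipping it, and why that same key search, a technique the anti-virus literature calls X-raying, lets a scanner see through the cipher.

```python
"""Why an encrypted payload defeats plain signature matching, and how a scanner
still finds it. Added example, not code from the original post: the "payload"
is a harmless constructed string, the cipher is single-byte XOR, and the
function names are assumptions for illustration.
"""
import zlib

# Constructed stand-in for a body an AV signature would match on; nothing here runs.
PAYLOAD = b"constructed sample body: nothing here executes; SIG-4F2A1C marks the known part"
SIGNATURE = b"SIG-4F2A1C"                # the byte pattern a signature database would hold
PAYLOAD_CRC = zlib.crc32(PAYLOAD)        # what a keyless (RDA.Fighter-style) copy carries instead of the key


def xor(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def signature_scan(blob):
    """Plain signature match: what a scanner does on the bytes as stored on disk."""
    return SIGNATURE in blob


def xray_scan(blob, signature=SIGNATURE):
    """Try every single-byte key and scan the result; return the key that reveals the
    signature, or None. This is the X-ray idea: look through the weak cipher rather
    than at it. Note that XOR with a constant only permutes byte values, so the byte
    entropy of the copy is unchanged and an entropy heuristic would not flag it."""
    for key in range(256):
        if signature in xor(blob, key):
            return key
    return None


def self_decrypt(blob, expected_crc):
    """A copy that ships no key: it searches the key space until a checksum of the
    candidate plaintext matches the one it carries, then returns that plaintext."""
    for key in range(256):
        candidate = xor(blob, key)
        if zlib.crc32(candidate) == expected_crc:
            return candidate
    return None


def polymorphic_copies(payload, n):
    """n copies of the same body, each under a different key: every copy differs
    byte-for-byte, so a signature taken from one copy will not match the next."""
    return [xor(payload, key) for key in range(1, n + 1)]


if __name__ == "__main__":
    blob = xor(PAYLOAD, 0x5A)
    print("signature visible in encrypted copy:", signature_scan(blob))   # False
    print("x-ray scan recovers key:", xray_scan(blob))                    # 90
    print("self-decrypt recovers body:", self_decrypt(blob, PAYLOAD_CRC) == PAYLOAD)
    copies = polymorphic_copies(PAYLOAD, 20)
    print("distinct copies:", len(set(copies)),
          "caught by x-ray:", sum(xray_scan(c) is not None for c in copies))
```

The cost of seeing through the cipher here is 256 extra scans per file, which is why this only works against weak, fixed-structure encryption; once the key space or the decryptor structure varies enough, scanners fall back to running the sample in an emulator and scanning memory after the decryptor has done its work.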

It is important to invest with a reputable and knowledgeable vendor who can provide the triad of defense: perimeter, cloud and endpoint, giving protection before a threat hits the gateway, while it is at the gateway and after it enters the gateway. I genuinely believe that virus writers are only at the tip of the iceberg, and as programming languages evolve, so will the threat landscape. The best method to stay protected is to ensure technology is patched and updated to the latest vendor specification. It is not possible to remove all chances of an attack, and there is no better means of protection than defense in depth.

Sunday, 7 October 2012

Software – the growing need for a zero failure design.

A recent ‘glitch’ in CityLink's computer system caused Melbourne road users serious frustration. The Burnley and Domain tunnels were both shut down, and CityLink was unable to communicate with its incident detection and safety systems. The suspected cause has been narrowed down to network connectivity, with engineers working diligently since 5:30AM to find the root cause.

Most software is tested heavily before being released into production, in what is often known as a ‘QA’ (Quality Assurance) process. Software developers utilise test engineers who try to break the software by emulating real-life scenarios such as overloading, typical user behaviour, power user behaviour and validation. Software test engineers also account for the risk of external factors that can cause failure, for example the outcome of a power source interruption or a network link outage.

In many cases, software has inbuilt capabilities and protection mechanisms to safeguard the data. If an ATM (Automatic Teller Machine) loses its connection with the primary mainframe, it will not alert users to the outage or error; it will simply continue to dispense money and queue the transactions while awaiting reconnection to the bank's database. Customers would not be able to print receipts, and online banking logs would not reflect the transactions until a later date; banks have assessed this as an acceptable amount of risk at the cost of not inconveniencing the customer, and that is great for you and me.

On the other hand, there are aspects of society in which there must be a 0% chance of failure. Life support systems and airport control towers are examples of sophisticated technology driven by defect-free software design. A failure in either of these will lead to significant loss of human life, and at the end of the day that is the ultimate price no one is willing to pay. Organisations invest heavily in ‘defect-free software’, and the level of engineering involved in developing such software takes approximately double the time.

In order for software developers to ensure there is a 0% chance of failure, each state (or scenario) in the software's state space is tested for a predictable outcome. By reducing the number of unpredictable outcomes to 0 it almost eliminates any chance of failure, and by ‘almost’ I mean external factors still need to be considered (backup power, natural disaster recovery etc.).
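As an added example, not code from the original post, the following Python models the offline-queuing ATM from the earlier paragraph as a small state machine and checks its state space exhaustively: every (state, event) pair must have a defined outcome, and every event sequence up to a chosen length must keep the invariants (no money unaccounted for, nothing left queued once the link is back, never dispensing notes it does not have). The ATM model, its events and the invariants are assumptions made for illustration, not any bank's design.

```python
"""Exhaustive state-space check of a small store-and-forward ATM model.

Added example, not code from the original post. The two states, five events and
the invariants are assumptions made for illustration; they mirror the offline
queuing behaviour described in the post, not any bank's actual design.
"""
from itertools import product

STATES = ("ONLINE", "OFFLINE")
EVENTS = ("withdraw_50", "withdraw_100", "link_down", "link_up", "print_receipt")


class Atm:
    def __init__(self, cash=300):
        self.state = "ONLINE"
        self.cash = cash        # value of notes left in the dispenser
        self.ledger = []        # withdrawals the bank has recorded
        self.queue = []         # withdrawals waiting for the link to come back
        self.dispensed = 0

    def withdraw(self, amount):
        if self.cash < amount:
            return "declined"   # out of notes: a defined outcome, not a crash
        self.cash -= amount
        self.dispensed += amount
        (self.ledger if self.state == "ONLINE" else self.queue).append(amount)
        return "dispensed"

    def link_down(self):
        self.state = "OFFLINE"
        return "offline"

    def link_up(self):
        self.ledger.extend(self.queue)   # flush what was queued while offline
        self.queue.clear()
        self.state = "ONLINE"
        return "online"

    def print_receipt(self):
        return "receipt" if self.state == "ONLINE" else "no_receipt"

    def step(self, event, table):
        return table[(self.state, event)](self)   # KeyError: an outcome nobody defined

    def invariants_hold(self):
        conserved = self.dispensed == sum(self.ledger) + sum(self.queue)  # no money unaccounted for
        nothing_stuck = not (self.state == "ONLINE" and self.queue)       # queue drains on reconnect
        return conserved and nothing_stuck and self.cash >= 0


# One entry per (state, event) pair: the table is the specification of every outcome.
TRANSITIONS = {
    ("ONLINE", "withdraw_50"): lambda a: a.withdraw(50),
    ("ONLINE", "withdraw_100"): lambda a: a.withdraw(100),
    ("ONLINE", "link_down"): Atm.link_down,
    ("ONLINE", "link_up"): Atm.link_up,           # already online: harmless no-op
    ("ONLINE", "print_receipt"): Atm.print_receipt,
    ("OFFLINE", "withdraw_50"): lambda a: a.withdraw(50),
    ("OFFLINE", "withdraw_100"): lambda a: a.withdraw(100),
    ("OFFLINE", "link_down"): Atm.link_down,      # already offline: harmless no-op
    ("OFFLINE", "link_up"): Atm.link_up,
    ("OFFLINE", "print_receipt"): Atm.print_receipt,
}


def missing_transitions(table=TRANSITIONS):
    """Static check: every (state, event) pair must have a defined outcome."""
    return sorted((s, e) for s in STATES for e in EVENTS if (s, e) not in table)


def explore(depth, table=TRANSITIONS):
    """Run every event sequence of the given length from a fresh ATM.
    Returns (paths_run, violations); a violation names the sequence and the reason."""
    violations, paths = [], 0
    for seq in product(EVENTS, repeat=depth):
        atm = Atm()
        paths += 1
        for event in seq:
            try:
                atm.step(event, table)
            except KeyError:
                violations.append((seq, "undefined transition"))
                break
            if not atm.invariants_hold():
                violations.append((seq, "invariant broken"))
                break
    return paths, violations


if __name__ == "__main__":
    print("missing transitions:", missing_transitions())
    paths, bad = explore(5)
    print(f"explored {paths} sequences, {len(bad)} violations")
    # Drop one outcome from the table and the same checks report the gap.
    gappy = {k: v for k, v in TRANSITIONS.items() if k != ("OFFLINE", "print_receipt")}
    print("with a gap:", missing_transitions(gappy), explore(2, gappy)[1])
```

The transition table is the specification: a pair missing from it is exactly an unpredictable outcome, and explore() reaches it by running the sequence that gets there rather than by luck. The exhaustive run grows as 5^n paths, so this brute enumeration only scales to small models; model checkers do the same job with state deduplication.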

Software developers and test engineers are often under pressure and strict timelines to complete modules, and this leads to more unpredictable outcomes (glitches). I strongly believe the outcome of today's gridlock and traffic chaos in Melbourne should be a testament for organisations to invest in more defect-free software methodology.

Tuesday, 25 September 2012

Flame Malware used open source software to mislead security software.

This adds fuel to the already burning fire of the ‘Flame’ malware (excuse the pun). Initial suspicions and investigations of the Flame virus show a sophisticated coding structure and functionality, typically the fruitful outcome of well-funded software development. Recent findings show that open source software had been used in an attempt to “evade” security mechanisms, and this should be very concerning for large enterprise organisations, e.g. government agencies.

Additional reading: http://www.itnews.com.au/News/315920,flame-malware-used-open-source-software.aspx