ESET Threat Blog

Archive for the 'encryption' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity I found effective in preparing both myself and my unit to handle real-world scenarios was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case of NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios and to teach us to adapt quickly, given the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc. 

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them advise the president throughout the crisis. Their responses were given in real time, as were the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html). 

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: the Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence Dennis Blair. Below is a sampling of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here: http://www.dni.gov/testimonies/20100202_testimony.pdf

This brings to mind the old adage, "fight fire with fire", which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plainly and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about Operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday, February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

Party Line – GSM Eavesdropping


Tuesday, December 29th, 2009

The BBC has reported (http://news.bbc.co.uk/1/hi/technology/8429233.stm) that Karsten Nohl has published details of his work on breaking A5/1, the cipher used to encrypt mobile phone calls made over GSM.

The topic has inspired much discussion following a talk at the Chaos Communication Congress in Berlin. The GSM Association seems, according to the BBC report, to be a little ambivalent about the affair, warning that Mr Nohl's work would be "highly illegal" in the UK and many other countries.

However, the report goes on to say that: 

…the GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".

It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".

Well, it's too early to say how this will play out, certainly on the strength of this report. It does seem that the scope for intercepting conversations could be impressive, if Nohl's work translates into real attacks that have real impact in certain contexts (espionage, law-enforcement, and so on). However, in the data-driven world we now occupy, I wonder whether it carries quite the same importance as the interception of binary data, especially if it accelerates the take-up of A5/3. At the same time, doesn't this say something about the ultimate ineffectiveness of security that assumes that economically infeasible solutions are forever?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

Data Breaches – It’s All Greek to Me


Tuesday, July 14th, 2009

The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", is now in its fourth annual edition. The data came directly from 997 respondents who were asked whether or not they had experienced a data breach within the past 12 months. I don’t know about you, but 85% is a bit too rich for my blood!
Below is a sampling of the key findings from the report:
  • Data Breaches continue to be a huge problem: Eighty-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let up in breaches as this is consistent with 84 percent cited in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009 up from 13 percent in 2008.
  • More than 70% have fully executed or just launched a data encryption strategy in their organization. Once again data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
  • Encryption of data on mobile data-bearing devices used by employees is very important or important. More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
  • On average a company will pay $202 per record compromised, and, in total an average of $6.6M should they experience a data breach.
As with other security-related topics, there’s the “So what does this mean?” question. First of all, it’s costing companies more to be breached – period. This is a very good thing because it’s our information that’s been getting lost or stolen, not theirs. Secondly, organizations are taking a much closer look at how to best secure data in all of its phases (at rest, in motion and in use). It’s a very positive move in the right direction. If you look at the latest numbers regarding personally identifiable data that have been involved in breaches (within the U.S.) you’ll see an interesting crossing-over point: there are now more records that have been exposed in data breaches than there are users on the internet. Let’s look at this a little closer:
  • Domestic population (census.gov): 307M
  • Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
  • Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)
This indicates that it is not a person’s mere presence on the Internet that exposes their information; it is the tremendous amount of information stored or transmitted in clear text that is the problem. (One caveat: the breach figure counts records, not unique individuals, so the same person can appear in it more than once.) I’m sure that if I cross-reference these numbers with the Bureau of Labor Statistics’ numbers, we’ll find an even more interesting correlation. Bottom line, 262M is not that far off from 307M. Will some part of every American’s personal information be involved in a data breach in the next few years?
With populations growing globally, there will always be the need to store information about the ever-increasing amounts of people. What is required, though, is to make this information worthless in the event of a breach – whether that breach originates from an outside entity or from the loss of a portable computing or storage device.
It’s no mystery to many readers of this blog that the root word of cryptography is the Greek word kryptos, which means “hidden”. It appears that many years ago the early Greeks may have had the answer to what plagues us today: the glut of personally identifiable information involved in data breaches. Encrypting (hiding) data is one very real approach to de-monetizing data breaches. To cover this point in its entirety we’d have to open another discussion on key management, but that’s material for another blog (or white paper).
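As an added example (not part of the original post and not taken from the Ponemon report), here is the "hidden" approach in working form: envelope encryption of a PII record in Go, using AES-GCM from the standard library. The Record type, the function names and the key material are assumptions constructed for the demo. What it shows is that everything a breach exposes (the stored blob, including the wrapped per-record key) is worthless without the key-encryption key, which is exactly the key-management question the paragraph above defers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// Record is a hypothetical PII row of the kind the breach figures above count.
type Record struct {
	Name string `json:"name"`
	SSN  string `json:"ssn"`
}

// SealedRecord is what lands in the database (and in any breach dump): the
// record ciphertext plus its per-record key, itself encrypted under the KEK.
type SealedRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// EncryptRecord draws a random 256-bit data-encryption key (DEK) for this one
// record, encrypts the record under it, then wraps the DEK under the KEK. The
// recordID is bound as associated data so a blob cannot be moved to another
// row unnoticed. The KEK itself is never written to the data store.
func EncryptRecord(kek []byte, recordID string, r Record) (SealedRecord, error) {
	pt, _ := json.Marshal(r) // cannot fail for a struct of two strings
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return SealedRecord{}, err
	}
	ct, err := seal(dek, pt, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record with the DEK.
func DecryptRecord(kek []byte, recordID string, s SealedRecord) (Record, error) {
	dek, err := open(kek, s.WrappedDEK, []byte(recordID))
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, s.Ciphertext, []byte(recordID))
	if err != nil {
		return Record{}, fmt.Errorf("open record: %w", err)
	}
	var r Record
	err = json.Unmarshal(pt, &r)
	return r, err
}

func main() {
	kek := make([]byte, 32) // demo only; in production the KEK lives in a KMS or HSM
	rand.Read(kek)
	s, _ := EncryptRecord(kek, "row-1", Record{Name: "Jane Doe", SSN: "123-45-6789"})
	_, err := DecryptRecord(make([]byte, 32), "row-1", s) // the thief has the dump, not the KEK
	fmt.Printf("stored: %x\nwithout KEK: %v\n", s.Ciphertext, err)
}
```

Run it with go run. A decrypt attempt without the KEK fails authentication rather than returning garbage, which is what makes the stolen records worthless rather than merely scrambled. Key management is the rest of the job: the KEK has to live somewhere the database dump does not, rotation means re-wrapping DEKs rather than re-encrypting every record, and every unwrap should be logged.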
The full Ponemon report is available at: www.encryptionreports.com/.
Jeff Debrosse
Sr. Director, Research

You Did Back Up Your Data, Didn’t You?


Friday, January 16th, 2009

One of the security best practices is to back up your data regularly. This is sound advice, as it helps mitigate the damage from many different threats. Lots of people think of data loss when they think of viruses, but very few viruses have actually tried to cause data loss. There have been a few that encrypt data in an attempt to extort ransom money so the user can get their data back, but this is relatively rare. Today, most threats are not about destroying data; they want to collect your data so they can steal your money or identity. Still, backing up your data may help reduce losses if you are hit by some malicious programs.

What else causes data loss? Sometimes improperly configured antivirus products themselves cause data loss. A couple of years ago one of the largest antivirus vendors in the world had a false positive problem that deleted many Microsoft Office files. False positives happen to all of us from time to time, but files should be quarantined rather than deleted, so that if it is a false positive the data can be recovered. The product in question was revised to make quarantine the default setting after so many of their customers who did not perform proper backups lost a lot of data.

Fingers are high on the list too. Did you ever accidentally delete something and not have a backup?

Hard drive failures can also cause massive data loss. A recent event that our own Aryeh Goretsky brought to my attention is what made me decide to write this blog entry. Hard drive failures are typically fairly rare, but there is a biggie out there now.

It seems that Seagate has released droves of 1 terabyte hard drives that have a problem causing them to die. Having good backups may be the only way to recover your data without spending a few thousand dollars in such a situation.  

There are about 18 pages of comments on a Seagate forum (as of this writing). The drives may be working fine for 3 months and then die instantly.

Below are a few links about the issue. The last link is the Seagate forum I mentioned.

http://www.techreport.com/discussions.x/16232

http://www.theinquirer.net/inquirer/news/374/1050374/seagate-barracudas-7200-11-failing 

http://www.dslreports.com/forum/r21737309-AVOID-seagate-ST31000340ASSD15-drives 

http://forums.seagate.com/stx/board/message?board.id=ata_drives&thread.id=3668&view=by_date_ascending&page=1

It is unfortunate that Seagate refuses to comment on the situation. Late last year it was discovered that Seagate had shipped about 1,800 brand new drives with malware on them.

If your data is important enough to put on a hard drive, be sure you back it up. There are many threats to your data, and viruses are the least of those threats.

Randy Abrams
Director of Technical Education


Protection Part 7


Monday, January 5th, 2009

If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, to a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP

Cybercrime and Punishment, and a little Cryptanalysis…


Monday, December 29th, 2008

Well, not so much about punishment, but I’m sitting in the lounge with Andrew Davies’s version of Dr. Zhivago in the background, so I’m in a Russian mood…

My colleague Jeff Debrosse, Director of Research in our San Diego office, drew my attention to the latest FBI challenge at http://www.fbi.gov/page2/dec08/code_122908.html. Like many people in this business, I’m fascinated by encryption and decryption, but I don’t have a particular talent for it, so I probably won’t attempt the challenge. I was interested enough to follow this link, though, which is a short primer on "Analysis of Criminal Codes and Ciphers" by Daniel Olson, a cryptanalyst forensic examiner with the bureau. As an introduction to some basic cryptographic techniques with some real-life (criminal) applications, it looks very readable. If you’re interested in something a bit more comprehensive but not particularly technical/mathematical, Simon Singh’s "The Code Book" is also very readable. Bruce Schneier has written a couple of books that are still practical rather than theoretical, if you fancy something with a bit more meat to it…

Speaking of Jeff Debrosse, he was recently featured on Fox 5 News, talking about cybercrime. We posted a link here. Nice one, Jeff. :-) And since we’re blowing our own trumpets here, thank you Paul Lilly for a very positive review of ESET Smart Security in MaximumPC. ;-)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence