Category Archives: Security

Meet the Hackers

Hackers… they’re a bunch of social misfits, loners, hoodie-wearing, energy drink slamming programming geeks, right? Well, no. They’re not. The bad guys with computers are not the sort to slide easily into media stereotypes. Most of them are members of criminal organizations or have nation-state backing. Awkward loners don’t fit in with the Russian Mob or the People’s Liberation Army. Gotta have team players in those groups.

Hackers don’t always use computers, either. Social engineering – also known as running a con job – is incredibly effective and simple to do. You’d be surprised how many people will give out their passwords when challenged on whether those passwords are strong enough. “Why, you better believe I got a secure password! It’s +O;66fg#3.>ha!” Hint: the password isn’t secure anymore if it’s been read out loud to someone else. It’s also not secure if it’s written on a notepad or post-it note.

Do you have someone that’s always asking questions about where things are on the network? That’s possibly social engineering. One guy did that at a company and learned where the financial data was stored. After a two-month interval, a tiger team broke into the server room and stole that exact server. The thieves were caught and the connection to the inquisitive employee became evident. The people at that company were shocked to discover that a guy they all considered to be a cheerful, bumbling, balding co-worker was in fact in league with organized crime.

That guy, and others like him, are well-camouflaged. They blend in. They go to lunch with the rest of the gang. They have neither an excess, nor a deficit, of cool. They live in apartments and homes, they watch sports and reality teevee shows, they drink beer, they may not even know anything more technical than how to copy and paste and add an attachment to an email. Because, face it, if a guy copies a sensitive document and then sends it to someone that shouldn’t have access to it, that’s a data breach. A hack. And the guy that did it could have been a total shlub.

True, he could have been a more exotic chap, say, a soldier in an army unit responsible for espionage via computers. But that guy’s not working alone. He’s also not working on a short timetable. Guys like him or the organized crime types have all the time and patience in the world to find where the weaknesses are in an organization and then exploit them. They develop custom code, just like other corporations do, but their custom code is dedicated to undermining their target, rather than developing just-in-time strategic synergies. Most of what they do goes undetected for the simple reason that the vectors they use are either ones that haven’t been used before or their target isn’t looking where they’re active.

If you like the shows with slick hackers with social flaws, keep on enjoying them, along with everything else that’s been Hollywood-ed up. But in your real life, the guy compromising your financial data is going to buy a case of beer and then have a trip to Disneyland. Be careful about the questions that you answer and hope that you’ve got a security team that has a data loss prevention tool in place, among other things.

The Myth of Efficiency

Would you like for your car to run faster? Well, it’s easy. Just shed excess weight on the vehicle. Get rid of the doors, seat cushions, seat belts, airbags, windows, the roof, electronic systems, and man! That car will MOVE!

What’s that I hear you say? It will be unsafe? Well, pardon me, but you wanted it to be faster. You said nothing about preserving the current level of safety.

And although I doubt that any sensible person would want to drive that vehicle at top speeds, we do precisely the same things with our Internet usage and our programs and apps. We want them to be as fast as possible and, if it means less security, we accept the higher risk by saying “I’ll be careful!” and then going forth to enjoy the higher efficiency without really being any sort of careful at all. Why?

It’s simple to my mind. Our brains are well aware of the possible bodily harm that can result from a car accident, so we reject a tradeoff of mayhem mitigation for super speed. But a computer application? A website? No physical harm can result from using those things, so why not worry less and enjoy them more? We simply don’t think of the potential financial and personal wreckage that could result from unsecured data transfers. We fail to see that the injuries from unsafe computing are very real and very damaging and very permanent. If we did see what could happen, we’d ask for the digital version of safety belts, every time.

I’ll point a finger at programmers and designers: they want their customers to have the smoothest experience possible. That smooth experience makes money or facilitates the making of money, so it’s no small thing. But, again, the blindness to the risks in the digital world means that those designers and programmers aren’t necessarily thinking about the safety of that experience. This is particularly evident in the emerging area of “smart controls”. Smart controls basically turn a phone or a laptop into a giant remote control device for something that used to not be remotely controlled.

Even the idea of remote control doesn’t sound all that bad. Our teevee remote controls do just fine, don’t they? But would you maintain that benevolent attitude towards your teevee remote if some kid a mile away was able to interfere with your choices and put your channel choice on anything he wanted? It’s no mistake that a “nightmare scenario” in many a spy thriller or sci-fi flick involved The Bad Guy taking over the airwaves and forcing the world to watch whatever he dictated. Stuff like that really freaks us out. Well, how about a nightmare scenario in which The Bad Guy messes with your thermostat? Or forces you to order an extra gallon of milk? Or locks all the world’s ovens on cleaning mode?

OK, so those are all #firstworldproblems. But the ones that can hit the third world involve disruption of power grids or supply chains. How about a man-in-the-middle attack that scrapes a few pennies out of every bank account in India? In places where microcredit is embedded into the local economy, such an attack could destroy lives. Who would do such a thing? Well, there’s a Marxist insurgency in about a third of India, so there’s my first candidate to execute such a move.

A home with a closed, unlocked door offers more security than some of these highly efficient applications. I mean, at least the door is closed, so that someone has to make an effort to see what’s going on inside. Far too many apps send every transaction, back and forth, in plain text.

Now, there are some security measures that are as easy as locking a door. But there are also some security measures that are as difficult as putting on a suit of plate armor and mounting a horse. As one would expect, the more complete security measures are also those that involve the biggest drags on performance. But look at it this way: which vehicle would you rather operate, a unicycle with a solid-rocket booster engine, or a comprehensively-tested motor vehicle with excellent safety ratings from its excellent safety features? While the unicycle rocket will definitely move faster than that car, the car exposes its operator to a much shorter list of potential hazards. For example, “death due to improper aim at start of journey” is a biggie to consider with the unicycle, not so much with the car.

So it should be in the programming and development world. It’s my frustration as a security professional to see security treated as a cost that should be minimized. Too often, I’ve heard of businesses that refused to stand for any reduction in efficiency and later wound up with their doors shut for good within days of the major breach that happens in the early days of their existence. To treat security as a costly afterthought is tantamount to saying one or more of the following phrases:

“I’d like to have all my employees lose their job after a major breach, which is statistically bound to happen very soon.”

“I would prefer for my company’s intellectual property to be in the hands of my competitors, preferably without my knowledge or ability to get recourse through criminal and/or civil courts.”

“I feel much better knowing that, when my financial records are breached, the criminals involved will enjoy high levels of server uptime, plenty of bandwidth, and be ‘very satisfied’ with their experience in compromising my network.”

“Our company’s vision statement is: We will have synergies of poor security and high ease of use enable criminals to have first grab at our profits, even before we pay our fixed or variable costs.”

That last one might actually get shareholder attention.

But what to do? I’m not a C-something-O or a member of any board or anything like that. I can’t tell my company or any other company that there are areas where security is a joke, and that’s where to expect the next breach. Even if I was a CxO or chairman of the board, there’s no guarantee that I’d have all my company’s employees take security seriously enough to realize when they need to help implement it. This becomes a huge deal in major corporations, where employees tend to reject anything not done 100% by the book, and offer little or no help after making the rejection. Now, the “why” of that may have more to do with outsourcing and other heinous practices to control labor costs, but it does point up the old Machiavellian maxim that mercenaries aren’t going to protect you as passionately or as effectively as your own citizens.

So, if you want to predict where the next headline-grabbing breach will be, look for a major company with a massive contract labor pool in place of full-time employees, that also brags about how fast and effective its operations are. That’s where the money is and, chances are, also where the advanced persistent threats are already embedded in the system.

Who knows? Maybe even one of those threats is so embedded, it even has a section of actual employees tucked away somewhere that actually provide technical support for it. They file exemptions with anti-malware groups and open up firewall rules and away they go…

So, to sum up, efficiency without security is reckless endangerment. We should be ready to have things be at least a little slower so that we can enjoy a greater measure of security.

For more, feel free to visit and join up with http://www.networking-forums.com.