Cyber Threat Analysis for 30 Jun 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

On This Date In Cyber Doom History: An Example of Getting It So Wrong For So Long

At this year’s International Conference on Cyber Conflict in Estonia, Jason Healey of Columbia University argued, “For 25 years of the 75 since Pearl Harbour, we have been talking about a digital Pearl Harbour. It still hasn’t happened, so we are probably missing the point.” On the same day in 1996, CIA Director John Deutch testified before Congress that cyber attacks were the number two threat to the U.S. behind chemical, nuclear, or biological weapons. Later that same day, terrorists struck Khobar Towers in Saudi Arabia. They struck with a truck bomb. (Forbes)

What do you do after the third time the boy cries ‘wolf!’? Concerns about hype in cyber security have been long justified, but we’ve reached the point where the hype has caught up to reality (IoT, implantable devices). Yet those who warned of these very scenarios aren’t viewed as prescient but rambling crazy uncles. From the ‘very serious problems’ point of view it is hard to give things-cyber the same attention as things that are proving fatal to masses of people right now. The most dangerous bad actors in cyberspace don’t use it for destruction, and those who would wreak havoc in meat-space still value spilling blood over spilling bytes. Unfortunately, if things hold true to form, countering cyber threats will not become a front-burner issue until there are sufficient casualties.

Experts call energy infrastructure cybersecurity bill ‘shortsighted’

Some cybersecurity experts are skeptical of new legislation to address concerns of hacker attacks against the U.S. energy infrastructure. Much criticism of the bill is directed at a research recommendation that suggests replacing some advanced ICS components at energy-providing facilities with “retro,” offline and otherwise human-operated options. “By mandating analog controls you are in a sense already admitting defeat. Information security professionals will routinely say that it is not when, but if, you get compromised, at no time do we advocate that you return to pencils and paper because you are afraid of the big bad cyber threat.”  (Fed Scoop)

When security technology is just another avenue of attack, going analog can make a whole lot of sense. There would be no such thing as ‘CEO fraud’ if a little meat-space interaction were required. When we’re dealing with ICS, is including a function that cannot be remotely hacked a terrible idea? Especially when there are no security solutions that provide the kind of reliability and safety – two things most cyber security people don’t consider – required in an ICS environment? There is a difference between being able to automate everything (which would be inviting‘defeat’) and needing to automate everything. When it comes to critical infrastructure, keeping an authorized man-in-the-middle (so to speak) is arguably the superior defense against digital threats.

How your staff’s LinkedIn habits are exposing you to cyber security threats

A survey of 2,000 people by Intel Security discovered that almost a quarter of [those surveyed] had connected with somebody they did not know personally on LinkedIn, which could not only open them up to targeted cyber attacks, as criminals use personal information to tailor their approach, but also the companies they work for. (City AM)

Its not the strangers that get you, its what you exchange with them after connecting that’s dangerous. Depending on your role, its hard to argue against the importance of expanding your professional network. Having said that, fake profiles on social networks that are designed to elicit information are a thing. Ensuring that employees understand what good operational security is, and rewarding its effective practice, can help mitigate one of the oldest threats in the book: flattery.

Infamous Hacking Groups: 5 Things They Hope to Accomplish

Web hackers are certainly no strangers to grabbing the attention of the media and the general public. On an individual basis, hackers might have a litany of reasons why they want to hack your website; however, with the development of large hacking groups, their motives for attack may be more focused and goal-oriented.  (Tech Co)

To paraphrase Star Trek, the power of the many is greater than the power of any one. Nearly 20 years of observing hacker/defacement activity tells us that collective of talent can be more powerful than any individual, but today any individual with a modicum of talent can assemble the necessary components to punch far above their individual weight (force multiplication). The more significant danger is not simply a collective of technical talent, but a group of true believers. A zealot on the inside of a targeted institution can cause more damage alone – or amplify the impact of a digital attack originating from outside.

Microsoft proposes international code of conduct for cyberspace

At a time when the web is emerging as the new front for global conflicts, Microsoft has proposed a set of standards for how corporations and countries should engage in these digital battles. Microsoft is pushing for states and technology firms to team up to halt the lucrative sale of “zero-day” vulnerabilities that are used in cyberattacks or espionage operations. The report also calls on governments to stop demanding tech companies intentionally insert vulnerabilities, into products that would create access for intelligence and law enforcement agencies.(CS Monitor)

An admirable effort that will produce meaningful yet superficial results. Attempts to shoe-horn familiar political approaches into a digital context ignore the fact that cyberspace is almost nothing like the physical environment where the old-think worked. We need more cooperation between the good guys to deal with cyberspace problems. Even low-hanging fruit needs to be picked, so while this keeps honest people honest in the light of day, it does not address the fact that no nation is going to stop developing and using offensive capabilities. Such legacy futures impede our ability to generate and put forth novel ideas that might actually produce meaningful results.

Should the Careless Be Punished for Getting Hacked?

Nearly everyone with Internet access is harmed, at least indirectly, by digital criminals. Josephine Wolff, a professor at the Rochester Institute of Technology, believes cybersecurity policy would benefit from a debate about if and when it might be appropriate to punish careless computer users for their role in enabling those criminals.  (The Atlantic)

Well no wonder, look at the way she was dressed. If we are going to have a discussion about holding people responsible for vulnerabilities, let’s go to the source of the problem: developers. Consumers of technology demand functionality and usability, not security. Developers give the people what they want. This is not the 80s, when if you used IT outside of work you probably built it yourself; today users are far removed from the inner workings of the technology they use. Proportionate liability seems like a compelling path to take, but until security trumps functionality in IT, personal liability is a non-starter.

Medicos could be world’s best security bypassers, study finds

A university-backed study has revealed that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts are taught to other staff. “We find, in fact, that workarounds to cyber security are the norm, rather than the exception,” the team writes. “They not only go unpunished, they go unnoticed in most settings — and often are taught as correct practice.   (The Register)

‘Secure systems or dead patients’ is a hard argument to counter. Having said that, this is less a failure of “security” as it is a failure of design. Patients in medical distress get access to sensitive “technology” (drugs) rapidly even though drugs are subject to strict security protocols. Threat models specific to the environment, and mechanisms suited to specific workflows, could go a long way towards ensuring medical IT is secure enough to provide effective care at minimal risk. This is a multi-disciplinary problem that requires a corresponding, coordinated level of effort.

Hackers Turn Computer Fans Into Snitches

Security researchers recently published a paper (PDF) detailing a new method to spy on a computer. It turns the computer’s fan into a signaling device. A computer fan is one thing you really can’t disconnect, and the fan can communicate subtly enough that you might not even recognize something is wrong. The researchers created malicious software called a Fansmitter that takes the CPU activity within a computer and uses that data to modulate the computer fan’s movement. It’s almost like turning a fan into a telegraph signaling device with Morse code. (How Stuff Works)

An interesting if niche capability of nominal concern to most of us. Every few years someone needs to re-discover Van Eck emissions, or the functional equivalent thereof. Potentially a high-threat  issue for high-security environments, but successfully compromising the vast majority of systems needs nothing so sophisticated.