
ICG Risk Blog - [ Cybersecurity Public ]

Weaving together the chatter of intelligence and business


Dan Farber does a fine job of looking past the "constant chatter among businesses and the intelligence community about insufficient budgets, technology complexity and regulatory compliance" to see that it is a distraction that "masks the underlying failure to inculcate a culture that can overcome those problems with a clear and strategic focus on identifying the key business levers and extracting the relevant data."

He goes on to say that the markers of this decline are only rarely of a 9-11 stature but rather an invisible (perhaps 'ignored under the press of daily threats' is a better phrase) accumulation of degrading capability. I concur with his comment that they rise "from the same source-a lack of essential insight and analysis."

As chance would have it, just moments before Farber's article crossed my desk so did a public list comment by Myron Tribus (a superb disciple of Deming and a gifted thinker in his own right):

"When Dr. Deming spoke of the need for an outside agent to cause a transformation, he was referring to the fact that the basic paradigm upon which the people in the system are acting is invisible to them. You have heard the phrase: "The fish is the last to discover water". A system has great difficulty understanding itself. Of course, people within a system can make changes -- that's understood. What they cannot do unaided is transform the system."

Think of Farber's comment applied to our intel agencies:

"Many companies suffer from this plague of data blindness, which ends up producing negative results. It's the major differentiator of the sickly, underperforming companies from those that lead and prosper. The leaders minimize surprises--and the associated reactionary behavior--because they have a better handle on extracting the meaningful information from the terabytes or petabytes of data."

"Without that focus, companies are doomed to live in the past and have a very uncertain future."

I have often said of such companies that, "They live at the sufferance of their competitors." The extension of that idea to our intel agencies, their data fusion, and subsequent dissemination to relevant consumers is not a sanguine thought.

Business blind spots can have devastating consequences
By Dan Farber, Tech Update, April 16, 2004

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Strategic Risk Public  


Patch stampede on Microsoft is a wonderful sign of awareness


Maintaining that awareness is the first step to salvation, and certainly to preemption. I was overjoyed by the patch stampede on Microsoft -- and I dismiss any complaint over lacking infrastructure response as misplaced carping.

As DCI George Tenet said in his 14 April testimony to the 9/11 Commission amplifying his comment that it would take "[five] more years to rebuild the clandestine service":

"Well, sir, you know, you have an infrastructure, you have a recruiting framework, you have a quality control, you have a student- to-faculty ratio, and you have a big pipeline. We built all of that in to make sure we can get this done.

Nobody was paying attention to the plumbing. It's not sexy. You got to pay attention to the plumbing."

This time, millions of users were paying attention to their plumbing in excess of 50GB per second.

It is absolutely wonderful.

Microsoft took immediate note by adding CPU cycles to support the demand and observed that "the flood of users means more customers are worrying about security."

I trust that Microsoft saw tangible evidence that there is competitive advantage in safe code and that they will redouble their Trustworthy Computing initiative. 

That is the kind of "feature set" for which I will pay a premium.

Stampede for patches disrupts Microsoft update site
By Robert Lemos, CNET News.com, April 14, 2004, 5:32 PM PT

Gordon Housworth


Browsers as growing attack path for malware


We are no stranger to web sites with malicious code, as our open source investigations have taken us to fringe sites or to sites hijacked, in whole or in part, such that one or more legitimate pages are replaced with hostile code and payloads. For that purpose, while IE is our standard browser, we maintain a single PC with an older, stripped down Netscape version, no email, etc., in order to minimize blowback. Now browser-based attacks are predicted to rise for the general web user as email vectors are terminated by better defenses. But where the attack used to be passive, in that the unwary had to make their way to the malicious page or site on their own, the newer active attacks use email containing links to hostile code:

"Because the attacks usually aren't launched until the user clicks on the link, many firewalls don't catch them. Traditional firewalls examine traffic coming into the network, but guarding against browser attacks requires that traffic leaving the network also be inspected."

As firewall vendors scramble to catch up, the security updates to IE can come none too soon as this attack vector enters the mainstream user population.
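The point in the quoted passage is one of traffic direction: a browser that follows an emailed link makes an outbound connection, so a firewall that only inspects what enters the network never sees the request that fetches the hostile payload. The following is an added illustration, not code from this post or from the CNET article it quotes; the internal address range, the port policy, the blocklist entry (drawn from a reserved documentation range) and the sample flows are all constructed for the example.

```python
# Added example: inbound-only filtering versus egress-aware filtering.
# All hosts, the allow list and the blocklist below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed corporate range
ALLOWED_EGRESS_PORTS = {80, 443}         # assumed policy: web traffic only
KNOWN_BAD = {"203.0.113.7"}              # constructed blocklist (documentation range)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    initiated_by: str  # "user" (a click) or "external" (unsolicited)


def direction(flow):
    """Classify a flow relative to the internal range."""
    s_in = ip_address(flow.src) in INTERNAL
    d_in = ip_address(flow.dst) in INTERNAL
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "internal"


def inbound_only_firewall(flow):
    """Traditional stance: only traffic entering the network is examined."""
    if direction(flow) != "inbound":
        return "allow"  # outbound flows pass unexamined
    return "deny" if flow.src in KNOWN_BAD else "allow"


def egress_aware_firewall(flow):
    """Also inspect outbound flows: destination reputation and port policy."""
    d = direction(flow)
    if d == "inbound":
        return "deny" if flow.src in KNOWN_BAD else "allow"
    if d == "outbound":
        if flow.dst in KNOWN_BAD:
            return "deny"
        if flow.dport not in ALLOWED_EGRESS_PORTS:
            return "deny"
    return "allow"


# Constructed sample: a user clicks an emailed link and the browser fetches
# content from a blocklisted host; that request is outbound.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "198.51.100.10", 443, "user"),    # ordinary browsing
    Flow("10.1.2.3", "203.0.113.7", 80, "user"),       # click on the hostile link
    Flow("10.1.2.3", "203.0.113.7", 8443, "user"),     # payload fetch on an odd port
    Flow("203.0.113.7", "10.1.2.3", 445, "external"),  # direct inbound probe
]


def evaluate(flows, policy):
    """Apply a policy function to each flow and return the verdicts in order."""
    return [policy(f) for f in flows]


if __name__ == "__main__":
    for f, a, b in zip(SAMPLE_FLOWS,
                       evaluate(SAMPLE_FLOWS, inbound_only_firewall),
                       evaluate(SAMPLE_FLOWS, egress_aware_firewall)):
        print(f"{f.src:>14} -> {f.dst:<14}:{f.dport:<5} inbound-only={a:<5} egress-aware={b}")
```

Run as written, the inbound-only policy blocks only the direct probe and lets both requests to the blocklisted host through, because they leave the network; the egress-aware policy denies them on destination reputation and on the port policy respectively.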

Concern grows over browser security
By Marguerite Reardon, CNET News.com, April 12, 2004, 11:14 AM PT

Gordon Housworth


The DDoS attack of all time was in the cards


Hackers penetrated and, for a period of time, took control of parts of the TeraGrid, a supercomputer network used for compute-intensive tasks such as weather forecasting. Even a single supercomputer on a broadband network is the equal of thousands of desktop PCs.

This is inspired in its analysis of critical path -- so that relatively few computers could launch the kind of digital Pearl Harbor that Dick Clarke spoke of but was pooh-poohed by many in industry.

In yet another example of the bad guys operating inside our OODA Loop, the systems were apparently vulnerable due to recently discovered software faults. These computers were running Linux and Solaris OS variants -- not a Microsoft OS. It is interesting to think of us spending a packet to armor up Microsoft OS products while the bad guys take us down via key faults on Linux and Solaris OS. Talk about 'hitting us where we ain't.' My admiration and compliments to the perps. It will be interesting to see what seeps out as to their identity and/or nationality.

Change "could" to "must" in the following and you have it:

"This could be a wake-up call to what should be very, very secure computing environments, because these machines should never have been compromised."

Anything less than "must" and the follow-through it demands just leaves us booking seats in a future bipartisan commission trying to determine what went wrong.

I can only hope that this is setting off massive alarm bells in government, the OS providers, institutional management, and the sysadmins of TeraGrid.

Hackers Strike Advanced Computing Networks
By Brian Krebs, washingtonpost.com Staff Writer, Tuesday, April 13, 2004, 5:40 PM

Gordon Housworth


Maximizing your defense against a Mini-DDoS attack


How to shore up your defenses against a Mini-DDoS attack presents the "best of the available fixes" to the Mini-DDoS attack that I mentioned here. It is excellent advice for those of us below the ISP radar horizon of large, widely distributed attacks:

How to shore up your defenses against a Mini-DDoS attack
By David Berlind, Tech Update, March 25, 2004

Gordon Housworth


This exploit tool is fearsome. It should be on your box


Remember my comment that hackers are increasingly able to act (from exploit script definition to loose in the wild) inside our OODA Loop? Now a loop trip of days or hours may be reduced to minutes. From Security tool more harmful than helpful?:

"A recent report by market research firm Forrester into software security threats found that attacks "explode after unscrupulous hackers build scripted versions." Many critics agree, saying such exploit-testing scripts--which turn a highly technical vulnerability into code that can be run with a few commands--allow far too many people to become online attackers."

"The updated framework, known as Metasploit Framework 2.0, enables people to create standardized plug-ins for the tool so that they can legally hack into computers by manipulating the latest security holes. The tool already has 18 exploits and 27 different possible payloads."

Doomed you say? Suppress 'the tool' you say? Useless for you as even if this (legitimate) Metasploit tool were suppressed, the concept is now known and code is now being used. If Metasploit were suppressed, one or more illegitimate, perhaps covert, tools would take its place. The genie cannot be squeezed back into the bottle.

I submit the exact opposite: A tool such as Metasploit should be as common as a disk utility or a defragger. If a virus detection manufacturer were on their toes, they would incorporate this tool into their subscription service such that exploit signature (has it landed on my box?) morphs into exploit detection (is my box vulnerable?):

"Beyond those people, Lindstrom said, the tool could allow thousands of others to become hackers."

Yes, and you should be among them, instantly hacking your own system. And what happens if there is no cure yet available for the disease in question? Awareness is the first step to curing root cause. It won't take too many occurrences for large customers and ISPs to begin to demand corrections, first in code and then in design, so that the exploit is run by the app's manufacturer before the app is ever released. It should become part of their QA process.

It could be added into a Sarbanes-Oxley compliance process, and I hope that it is, for if a risk is identified and documented and then not ameliorated, the officers of the firm could be open to suit for fiduciary breach.

"...anyone can already buy such a product from a handful of security companies. However, he acknowledges that the widespread use of such software may make some network administrators' jobs harder. If (you are) a system admin that only patches boxes, of course you aren't going to want to see any new exploit code," Moore said. But that doesn't mean the problem is going away, he added. "We can do anything we want to curb exploit releases--make it illegal in America--but they will still get released."

Metasploit should be as common as a vaccination. Firms will have to work out interim means of protection, which could entail automatically taking the system under attack off line. I would like to see automatic, redundant backup tools that at least protect my data and are resistant to hacking, so that at least my data is safe. Then we are operating at or inside the OODA loop of the bad guys:

Security tool more harmful than helpful?
By Robert Lemos, CNET News.com, April 8, 2004, 4:43 PM PT

Gordon Housworth


Building parasitic infections atop MyDoom


As predicted, Doomjuice and Deadhat, two attacks against PCs already compromised by MyDoom, were soon released, i.e., if you contract either of these, your machine has MyDoom and you just don't know it. Three weeks after the MyDoom attack, which initially infected some 2,000,000 PCs, about 50,000 or 75,000 PCs remain infected. Doomjuice and Deadhat use that base as a launching point, but fortunately they are not particularly imaginative in their exploit targets as they continue the attack on Microsoft and SCO.

Let me lay out the scenario that I might use. (You can read the excellent article, "The Virus Underground" in the 8 February, 2004 New York Times to see where I would go to get some of my tools.) While the article has scrolled off into the archives, I have found it in PDF and text elsewhere.

As an average terrorist, I am less skilled than the average script kiddy that launches so many of the attacks. I need a source for skilled tools, so I visit sites maintained by brilliant, often young thinkers that write them as an academic effort and post them to their websites -- which is where most of the script kiddies get them, along with a series of message boards that traffic in these things.

I read up on the writings of the good anti-virus and security writers, track the Black Hat conference proceedings (but don't attend as the feds monitor who shows up and tech firms try to recruit) and other sources, locate some of the many sources for thoughtful malware and autogenerators. Then I plan the architecture of the attack down to the social engineering aspects most attractive to my attack (if I am using a virus) as a worm runs by itself.

I study the infection paths and timing of other great releases. I look for the bugs that limited their spread (such as in MyDoom.b which greatly limited the DDOS attack on MS).

I would investigate the record of any target site in dealing with prior attacks and what level of sysadmin skills they have in dealing with computer threats. I may or may not probe a target site myself, as I do not want to show my hand: if the sysadmin is really good, they will watch me and see what I am up to while they try to identify me.

Then I sort out a primary and secondary, and with a little foresight, a third wave of infection. (After all, al Qaeda loves redundancy.) I download what I need from various sites, make minor modifications and I am ready. I may have even tested my attacks against a local net that is isolated by various hardware and software firewalls so that I can prevent infection to the outside world that would give away the element of surprise.

Of course, I will launch my secondary and tertiary attacks while the infection is still high on the first and so offers a larger launching platform. My second attack could be against the anti-virus firms themselves (a variation of the 'shoot the fireman' attack).

Now the bad guys -- and you -- are off to the races. And another bite is taken out of infrastructure protection.

New viruses feed on MyDoom infections
By Robert Lemos, CNET News.com, February 9, 2004, 4:45 PM PT

Gordon Housworth


Impact of 8 to 16 million MSBlast infections


MSBlast infected 8 million PCs and possibly upwards of 16 million, according to MS data derived from users connecting to Microsoft's Windows Update service. If this is even dimensionally correct, it blows the top off previous estimates of those attacks. Look back at my 4 April note, Revisiting Clarke's six bleak IT trends from October 2003, and the costs go off the scale.

How much distraction and lost productivity is that? Could that not be construed as an attack against US interests, or, by some, as an effort to affect the US economic landscape and so the political landscape? Before you answer, remember that my favorite line from Aristotle is, "Though the boys throw rocks at the frogs in jest, the frogs die not in jest but in earnest." Frogs are dying here, regardless of the intent of the perps.

I would also take this time to say that I had forgotten the most important part of Clarke's cost impacts listed in his six trends, and that is, Who actually pays? As of now, it is still the consumer, commercial and individual, as software vendors have heretofore escaped liability suits.

When I read in this article about the redirection of MS staff to develop patches and interim releases, and then couple that with announced delays of something as important as the Longhorn beta in order to improve Windows XP security (and the eventual Longhorn beta will have certain planned features pruned, apparently for security concerns), I think that I see MS institutionalize a threat to itself. Either users will finally revolt and suits will rise to recover the costs of these attacks or users will vote with their feet to other platforms, perhaps both. Were I the federal government, I would be asking MS for a major step in this direction on national security grounds.

If a rank outsider such as myself can see this coming, why should MS not, given the wealth of data that it has in its hands?

P.S. I think that if MS can produce a genuinely "trustworthy" release or even be perceived as making a very substantial move in the direction of "trustworthy computing" that they can buy time and use that as a selling point to retain clients. As of now, I want a few features (notably in groupware and interoperability) but I very much want a secure environment for my firm and every other member of my critical path and our supply chain to our end-users.

MSBlast epidemic far larger than believed
By Robert Lemos, CNET News.com, April 2, 2004, 5:02 PM PT

Gordon Housworth


Revisiting Clarke's six bleak IT trends from October 2003


While Clarke was often dismissed as a Cassandra, and a gloomy one at that, while cybersecurity czar, I would agree with his assertion that the cost of the Sobig attack justified taking his warnings more seriously. I absolutely feel that subsequent attacks have justified his assertions.

Clarke outlined six trends when he addressed the Gartner Symposium/ITxpo 2003 in October 2003:

  1. Rising vulnerabilities: Announced vulnerabilities doubled every year for the last three years (Wonder if Moore's Law will have an analog in Clarke's Law?)
  2. Rising patches: Patches for those vulnerabilities have doubled every year for the past three years. (Patch management is a sinkhole for both individuals and companies)
  3. Falling "time to exploit": "Time to exploit" has dropped from months to six hours (in late 2003). (This is the time for an exploit to reach hacker blogs and IRC rooms. "Time to the wild" -- that's us -- follows shortly thereafter)
  4. Rising rate of propagation: Attacks now quickly infect 300,000 to 400,000 machines
  5. Rising cost of cleanup: Worldwide cleanup cost for 2002 was $48 billion, rising to an estimated $119 billion to $145 billion for 2003
  6. Rising identity theft: $99 billion cost in 2002 (and 2002 incidents were 1/3 of the last five years' total)

Status? We have done nothing as of today to ameliorate any of the six. As I mentioned in an earlier note, the bad guys are operating inside our decision loop:

Ex-cyber security czar Clarke issues gloomy report card
By David Berlind, Tech Update, October 22, 2003

Gordon Housworth


Feeble cure for personal/small business DDoS attacks


There is much of use in In search of a cure for DDoS attacks. It starts with how vulnerable you are, how little recourse, technically or legally, you as an individual or as a small(er) business have, and what prosecution hurdles you have to jump. It points out some documentation steps, such as ensuring that your server can produce logs for possible forensic follow-up. It brings up the matter of which apps you connect to and how far they reveal your IP address. We use a good backbone provider which goes to reasonable lengths to keep bad things off its pipe and give away the minimum. Given that the tools are so easy to obtain, you might refrain from any "road-rage" comments that would draw an attack.

In search of a cure for DDoS attacks
By David Berlind, Tech Update, March 18, 2004

Gordon Housworth
