Welcome to the SecAware blog

I spy with my beady eye ...

20 Feb 2009

Military systems not immune to civil (or for that matter military) malware

News of the Conficker/Downadup worm rumbles on. Britain's Daily Telegraph is relaying news from a French newspaper that a French naval network was infected, disrupting communications and hence military operations as the network was isolated for disinfection. The same piece reports that a "report in the military review Defense Tech revealed that in the first days of January 2009 the British Defence Ministry had been attacked by a hybrid of the virus that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal."

While the journalists and military PR people are typically at pains to point out that such events affect only unclassified or lowly-classified networks, the impacts sometimes appear to indicate otherwise - unless, that is, the French navy is in the habit of passing military orders over unclassified networks, which I doubt.

The reality of modern life is that most organizations are connected to the global Internet, and therefore they rely on network security controls to prevent "unauthorized traffic", including malware and hackers. Even those with no Internet connections remain vulnerable to malware infections by other routes, such as USB memory sticks in the French navy case. If even the highly controlled and well-funded military are vulnerable to such nasties, what hope is there for other organizations, particularly large or diverse organizations with limited control over their IT systems and networks? I'm very conscious that our own small business remains vulnerable, despite the firewalls, antivirus software, network monitoring and so on, but at least we have security awareness on our side!

3 Feb 2009

Alleged Fannie Mae logic bomber denies charges

Reuters says:

"A 35-year-old computer programmer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..."

While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.

Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.

What controls would be useful to guard against this sort of situation? There's a wide choice including:
  • Management oversight - bosses keeping an eye on what their staff are doing (not so easy to arrange if the boss is the troublemaker and other bosses are incompetent to oversee or are simply unaware!);
  • Divisions of responsibility such that a lone cowboy cannot easily take advantage of his access (tricky again if he has system privileges and access to information, systems and processes that permit him to bypass or undermine standard access controls);
  • Laws, regulations, policies, standards, procedures and guidelines, not just to influence potential logic bombers (who, by their very nature, are unlikely to respect the rules) but also to establish and mandate the supporting/compensating procedural, technical and physical security controls;
  • Audits, whether periodic/planned/pre-notified or ad hoc/unannounced/surprise visits, plus management reviews and similar checkpoints, particularly when scoped and planned specifically to address this issue and performed by experts with prior experience in this area;
  • Technology-related controls such as air-tight change and configuration management processes; scans for unauthorized or inappropriate source code, malware and hacker tools on production systems; logical access controls as a whole; trustworthy backups; network intrusion detection and content management systems etc.;
  • Slick incident management processes to identify and respond rapidly and efficiently to potential incidents and thus limit the damage;
  • Liabilities on those responsible, whether employees or third parties, that are legally defined and practically enforceable in employment or service contracts (an after-the-fact contingency or corrective control);
  • Whistleblowers' hotline - a facility to encourage peers and co-workers (including managers and HR people dealing with clearly disgruntled staff) to report their concerns or suspicions in confidence for independent review;
  • Security awareness, training and educational activities, for instance promoting the whistleblower's hotline and policies, and training those who oversee IT operations in the symptoms of insider attack to watch out for (e.g. when logic bombers develop and test their evil schemes prior to the Big One);
  • Pre- and para-employment screening of employees in an attempt to locate and drop the bad apples, assuming that they can be identified as such (some believe that bad apples can be psychologically profiled but this practice is probably more art than science - merely being a social misfit or square-peg-in-a-round-hole is not in itself sufficient cause to track or sack someone, and such people can be extremely beneficial and creative if somewhat difficult to manage employees);
  • Sensible termination procedures, designed to remove possible hitches from a leaver's last few days or weeks on site (e.g. arranging for an "understudy" to shadow a leaver, both to pick up important new skills and to watch out for inappropriate activities);
  • Keeping employees gruntled, not disgruntled (!). Seriously, maintaining good employer-employee relations is a general baseline control against many forms of insider threat, and a particular challenge for management in an economic downturn. Procedural controls are particularly likely to suffer when people have other things on their mind than the organization's best interests.
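As an added illustration of the technology-related controls above (not code from the original post), here is one way the "scan for unauthorized code on production systems" idea can be tied to change management: the hashes approved at change time form a baseline, and a later scan of the live directory reports anything added, removed or altered outside that process. The file tree, script contents and the unapproved changes are all constructed inline for the demo.

```python
"""Integrity check of production scripts against a change-management baseline."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = sha256_file(full)
    return found


def compare_to_baseline(baseline, observed):
    """Findings for review: files that differ from what change management approved."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
        "modified": sorted(p for p in baseline
                           if p in observed and baseline[p] != observed[p]),
    }


def demo():
    """Constructed scenario: approve a tree, then make two unapproved changes."""
    root = tempfile.mkdtemp()
    approved = {"jobs/nightly_backup.sh": "#!/bin/sh\necho backup placeholder\n",
                "jobs/rotate_logs.sh": "#!/bin/sh\necho rotate placeholder\n"}
    for rel, body in approved.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    baseline = scan_tree(root)  # snapshot recorded when the change was approved
    # Unapproved changes made later: a new script appears, an existing one is edited.
    with open(os.path.join(root, "jobs/cleanup.sh"), "w") as f:
        f.write("#!/bin/sh\necho not in any change ticket\n")
    with open(os.path.join(root, "jobs/nightly_backup.sh"), "a") as f:
        f.write("# edited outside change control\n")
    return compare_to_baseline(baseline, scan_tree(root))
```

In practice the baseline would be stored and signed somewhere the administrators being monitored cannot rewrite it, and the scan scheduled from a separate system.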

Botnets to watch in 2009

A news item about botnets from Secureworks includes some useful information about how botnets are used and protected. They are used to distribute spam (including money mule come-ons, fake pharmaceuticals, enlargement products, loans and more) and malware.

The estimated sizes of the botnets range up to about 175,000 compromised machines, with most being a few tens of thousands, well short of the millions that lurid mainstream news headlines sometimes claim. Still, tens of thousands of broadband-connected computers can do a lot of damage.

Website content integrity failure

While researching for our next awareness module on SCADA security, I came across the Omron PLC website and couldn't help laughing when I read their news items. They haven't been well translated from the original - at least I doubt anyone would seriously have meant to write "The reverend converts the broadcasting waves echolike backwards from the RFID attach into digital aggregation that crapper then be passed on to computers that crapper attain ingest of it.". Let's hope we make more sense of SCADA security in our awareness briefings!