Think Security « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Talks

Think Security

(3 posts) (2 voices)

Started 9 years ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

There's a mildly security related app on GOTD today, Abylon Logon, & I found personally it was hard to comment on anything security related without going nuts trying to sound all sorts of alarms to maybe shock folks into paying more attention to the basics.

Fact is there's no way you can ensure absolutely 100% your PC or laptop is secure, & that's on the day you 1st turn it on. There are potential problems where something might be stuck in the firmware for many of the chipsets on-board [yes, many of the chips can have their own firmware]. The EUFI bios might be buggy or insecure or already exploited while on the company's servers. There have been cases where buggy & insecure code was added by the manufacturer to the bios, that then downloads questionable software from the manufacturer. And that's before you get to the OS like Windows, & it's updates, patches, & vulnerabilities.

Just as bad if not worse, most anything else that connects on-line can provide an open doorway to your network & thus your laptops & PCs. Network routers & modems have been around a long time, we know that they are a security concern, yet few update them, when it's even possible because manufacturers don't always stay on top of that stuff, & when they do, it's often only for current products.

Consider tablets, with maybe 50% of those running Android unsecured because of an older version of Android. Or smart watches designed without security in mind, or the Internet of Things where the response when you ask about security is usually "Huh?".

The good news is that all that potentially scary stuff is for the most part AFAIK in the realm of the potential. Bad guys that might someday want to hurt the country or community where you live are busy compromising systems running infrastructure & companies. Bad guys that want to steal money are going after the more than plentiful low hanging fruit. [I was shocked to read that most American who file their taxes on-line will do so over unsecured Wi-Fi.] The exceptions seem to be ransomware & bot collections with propagation & running/control more or less automated -- they hit anyone they can because often there is no value judgement made. Hopefully by following the rules, doing the stuff you're supposed to do, you might avoid them.

Number one is update -- The 2015 Verizon Data Breach Investigations Report (DBIR) says: "99.9 percent of exploited vulnerabilities had been compromised more than a year after a CVE was published and patched. Older vulnerabilities, some going back to 1999, were exploited in breaches in 2014, with a steady diet of CVEs from 2007, 2010 and 2011 at the forefront of breaches.". Verizon doesn't deal with small fry like you & I.

Run an ad blocker. Web sites often sell space to ad networks. Ad networks sell space to the highest bidder. Bad guys make the highest bids for placement on targeted sites because they provide the mostest bestest victims. Their ads are not checked -- if they were they'd find exploits that work the same as malware code injected into a hacked site's web pages. Any site running ads could be as bad potentially as the worst sites your browser might not let you load.

Check your router & modem -- Google/Bing the make/model looking for updates And exploits. You might be very unpleasantly surprised. Don't re-use passwords, don't use something found on those Worst Password Lists, run good security [anti virus etc.] software, keeping it up to date & turned on. Do Not ignore security warnings -- one big problem browser developers face is most people do in fact ignore stuff like invalid certificate warnings.

It is OK, even preferred, to be a bit paranoid. It is OK to check the message source for an e-mail, & it is OK to not trust Any link in Any e-mail, visiting the site directly instead. It's cool to visit a site & use their search, or preferably their index or site links -- bad guys buy Google rankings, so searching for info about taxes for example is likely to bring up legitimate looking but bogus sites with scams &/or malware. Windows 10's Task Mgr shows network activity per process -- Process Explorer does the same. You might want to check every so often to see what's running, & what's connecting, though it's not fool proof by any means since better malware can hide from that sort of easy detection.

Above all do not become complacent. It is possible for a system to be compromised & for that compromise to be virtually undetectable. Malware may turn off Windows defenses, &/or break security software to stay hidden -- if you want to run a scan, consider one of the site-based or downloadable apps or tools from security software companies. Don't just look for files -- malware code can be written to, stored in the registry. If you act as if your system has been breached, you'll likely be more careful, proactive in how you store & handle the stuff you want to keep secure, and that can be a good thing.

Posted 9 years ago #
ChrisS
Administrator

Hackers are generally depicted as technology savants who can type 250 lines of error-free code in 1.7 seconds. In reality, most just walk down main street rattling doorknobs looking for an unlocked door. But even the skilled ones will rattle doorknobs because "mom and pop" can get them past corporate firewalls via the sneaker net.

It is a bit alarming when you look at all of the installed security updates. But, do hackers really need to hack when they can find everything they need on Facebook?

Posted 9 years ago #
mikiem2
Moderator

I think you're very correct about rattling door knobs, Chris. The essence of crime in so many cases is wanting the benefits without doing the work. So it's only natural for many criminals to pick the easiest approach, while a larger group might work just like any other biz, focused on Return On Investment, or put another way, they might be just as cheap if not cheaper than the stingiest legitimate company. It costs less to pick low hanging fruit, to find the unlocked doors.

Supporting that, there's a market for exploit tools, & competition among the groups or companies selling them. Some might wonder about the very poorly written scam e-mails they get, like who are they kidding, expecting me to open that attachment? Some people might even wonder how anyone smart enough to write the mal-ware in that attachment could expect such a poorly written e-mail to ever work. Well there's a good chance they didn't write it, but used one of those exploit toolkits, filling in the blanks & checking boxes as required to generate their very own code. The ones that know what they're doing are the ones writing the toolkits.

Those that are really good at finding vulnerabilities & writing mal-ware/spyware I think often work for one of the more mercenary companies, staying out of jail because they allegedly only sell to the good guys, like governments widely known to repress their own people. Or like the company that sold the rootkit to Sony if you remember that. There will probably be more people with these sorts of specialized skills in the future I think -- the US & UK are both actively seeking recruits to train, & some experts have written that they expect many corporations will feel that they have to hire cyber mercenary groups with the idea that the best defense is a good offense.

RE: Security, Three things bother me the most...
One is that the part of the old fashioned work ethic, to do what you're supposed to do, has become so rare, so forgotten. I think deep down it's at the root of the problem with so many computer systems out of date, so much security software turned off or miss-configured, so many doors left unlocked. The US gov, for all it's propaganda about dangerous hackers & needs for regulation etc., can't even complete the study designed to tell them *IF* they need to look at their computer systems & how they control restricted entry into federal buildings. The bureaucrats are too busy buying toys & taking expensive trips to resorts & such to bother with doing their jobs, while some of the folks working for whatever company's IT Dept. are no better than the baggage handler who took a nap in the plane's cargo hold the other day, forcing it to return to the airport.

And of course if someone isn't going to follow the rules when their employer might at least make a show of trying to enforce them, they're even less likely to do what they should under their own initiative at home. So companies are free to design unsecured devices that connect to the network, because so few people care about that stuff sales will not suffer. To me it's really crazy how no one seems to care when it's discovered that millions of home/small biz routers have an actively exploited security flaw, & that's happened at least 3 times in the past 6 months!

The 2nd thing is that while I'm far, Far from sympathetic to conspiracy theorists, governments do very actively try to suppress any info that might make some folks working in government uncomfortable. And it just so happens that there's a great example from yesterday that saves me from worrying about posting anything approaching a rant. :) Moral of the story -- when it comes to security the gov doesn't want you to care either.
Update: Hacker on a Plane: FBI Seizes Researcher’s Gear
https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/

The 3rd one is easier -- odds are multiplying every day that you'll be collateral damage. If you manage to avoid all the more general threats, e.g. you run AdBlock+ so you don't get hit via Malvertising, you could get hit more-or-less accidentally with something more sophisticated targeting someone(s) else. Or maybe a gov agency gets stuff wrong, picking up your data in a wider sweep, then being incompetent & confusing you with some bad guy. Or maybe someone(s) in the gov, again being incompetent, tracks whatever to where it was conveniently stored on your hdd by a cyber criminal, & holds you responsible. Or maybe the neighbor's kid targets you because you ratted him out to his mom or dad -- there are often very few safeguards, little if any vetting of alleged tips or complaints.

The list goes on, & *You* could prove your innocence, *IF* anyone will listen, but popular culture encourages everyone, including judges etc. to remain ignorant. You get hit with some more serious mal-ware because it leaked beyond the target [like the incident with US mal-ware in Pakistan], and you could put your system(s) back right. If someone(s) picks up on something like a backdoor installed by that mal-ware, & exploits it, securing your identity again might not be so easy, or cheap. The US & I assume its contractors make use of rather than report botnets they stumble upon, the same for China & other countries, & in some cases [e.g. allegedly China], criminal groups also work for the gov. Why wouldn't a criminal group exploit at least some of the PCs/laptops in a found botnet? Their already low risk would be even lower.

As the number of cyber criminals increases, so does the opportunity for conflict between them. Usually they cooperate & compete, & the only conflicts are between the operations in different countries. But as Kaspersky noted the other day, that's changing -- one group received a scam e-mail from another, & replied with their own. Conflicts, even wars between real world based criminal organizations is far from unknown -- why shouldn't we expect that from similar organizations based on cyber crime? And if you're part of one groups botnet, you'd be an easy, common sense target for an opposing group. One group could try to take control of anothers botnet, sure, engaging in a tug of war, or if you really wanted to hurt them, & instill fear, maybe you'd destroy those PCs/laptops. Their owners would reinstall Windows or buy new, & have a newfound focus on security, so good luck getting them back in your replacement botnet. That's an unfortunate way though for the victims to learn a lesson.

[That really might be a good way to hurt a rival group BTW. When Sony in Hollywood got hit the US president went on national TV all but guaranteeing there would be payback. Imagine the reaction if 10-12k PCs/laptops in a botnet were nuked. Take control of a rival groups command & control server(s), issue the command to download & execute a freely available wiper, mission accomplished. All the clues would lead back to that rival group, & who's going to listen when they try to explain they were hacked?]

Posted 9 years ago #

RSS feed for this topic

Reply

You must log in to post.