Palo Alto Networks Discovers Another New Internet Explorer Vulnerability

Following his discovery of 3 critical vulnerabilities in Microsoft Internet Explorer (IE) last month, Palo Alto Networks Researcher Bo Qu has identified another new vulnerability (CVE-2013-5052) in Internet Explorer, documented in Microsoft Security Bulletin MS13-97. This new critical vulnerability impacts IE version 7, potentially exposing a large population of users without the Microsoft patches or other protections released today.

Think of this vulnerability as a silent and effective method of delivering malware with a simple click on a link, or a visit to a webpage. Gone are the days where users must click “Download” or “Accept” to install software; when exploited, vulnerabilities like this can deliver an attacker’s malware of choice to control systems and infiltrate networks. The delivery methods usually center around “drive-by” downloads or integration with sophisticated web attack toolkits.

What can you do to protect yourself or your organization? Today, Palo Alto Networks released an IPS Vulnerability Protection update that ensures our customers are safe from the potentially thousands of exploits against this vulnerability, even without downloading the Microsoft patch. Palo Alto Networks has also released protections against 6 other critical vulnerabilities covered in the December 2013 Security Bulletin from Microsoft.

These vulnerabilities were disclosed to Microsoft as part of Palo Alto Networks’ commitment to responsible disclosure guidelines. Furthermore, we participate in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and allows security vendors to create protections for them so that customers are protected as soon as the vulnerabilities are announced publicly.

[Source: Palo Alto Networks Research Center]

G-20 Hacked by “Chinese” hackers with naked pictures of Carla Bruni social engineering attack

Security researchers have discovered that Chinese computer hackers dangled the promise of nude photos of former French first lady Carla Bruni as bait to lure in targeted foreign ministries during a Group of 20 economic summit in Paris in 2011. And the scheme worked, for the most part.

According to a report published by computer security firm FireEye on Tuesday, cyberattackers homed in on the annual G-20 meeting of central bank governors and foreign ministries and breached senior officials’ high-priority computer networks via an email with the subject line “French First Lady nude photos!” The report also said the attack was not isolated and the hackers have been active since 2010.

The email contained malware code hidden in the link to the alleged photos. Once opened, the email was forwarded along to others.

“Almost everybody who received the email took the bait,” a government source in Paris told Australia’s The Daily Telegraph.

An anonymous source close to the investigation told The New York Times that five of the ministries attacked were from the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

However, investigators could not confirm the identity of the hackers or which specific files were breached.

“Beyond the fact they are Chinese, we don’t know who the attackers are or what their motivations might be,” Nart Villeneuve, a researcher for the FireEye report, told the Times.

If only the easily swayed foreign ministries had known nude photos of the former super model and songwriter have been circling the Web for years from past photo shoots. Sigh.

This isn’t the first instance of alleged hacking at a G-20 gathering. Just last month former National Security Agency contractor Edward Snowden leaked NSA documents accusing the U.S. and Canada of spying on top leaders during both the G-20 and G-8 summits in Toronto in 2010.

Additional Information:

Source: http://www.huffingtonpost.com/2013/12/12/carla-bruni-nude-photos-hack_n_4433764.html

VMware patches vulnerability with Windows XP, 2003 guests

Summary: When running under VMware Workstation, Fusion, ESX or ESXi hypervisors, old versions of Windows are vulnerable to privilege escalation.

VMware has issued an update for several of their hypervisor products to address a privilege escalation vulnerability when running Windows XP, Windows Server 2003 and older versions of Windows as a guest operating system.

The products are VMware Workstation, VMware Fusion, and VMware ESXi and ESX. The vector for the attack is a VMware device driver, LGTOSYNC.SYS. The file properties for this driver describe it as “VMware/Legato Sync Driver.”

The hypervisor itself is not exploitable through this vulnerability, but an unprivileged Windows process could elevate privilege under Windows. Presumably it could attain the privileges under which LGTOSYNC.SYS runs, but the advisory does not specify what level this is.

Updated versions may be downloaded at these pages:

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years.

[Source: ZDNet]

Technology Controls Against APTs ‘Not Working’: Study

As IT security practitioners struggle to defend against APTs (Advanced Persistent Threats), a new study by the Ponemon Institute finds malware installed via zero-day exploits presents the biggest threat to corporate data.

After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the Ponemon Institute found that current technology controls against APTs “are not working” and warned that the average cost to restore a company’s reputation following an APT attack is in the range of $9.4 million.

Not surprisingly, the Institute found that malware is almost always used as the source of an APT attack. More than half of the respondents (68%) say zero-day attacks that look to bypass firewalls, intrusion detection systems, and anti-malware programs are the greatest threats to an organization.

The security pros say third-party software from Oracle (Java) and Adobe (Reader) poses the most risk because these are the applications for which it is hardest to ensure that all security patches have been fully applied in a timely fashion.

According to the study, the security practitioners also complained about difficulties in managing security patches from Microsoft (Windows) and Adobe (Reader and Flash).

Despite these risks, 75% of those surveyed acknowledged that their company continued to use Java and Reader in the production environment knowing that vulnerabilities exist and a viable security patch is unavailable.

The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff available to implement a security patch.

In the case of Oracle Java, the survey found that Java vulnerabilities are very difficult to fix (patch) or resolve. Sixty-one percent of respondents say that a realistic timeframe for patching Java in their organization is once per month or quarter. Despite the risk posed by Java, 55% of respondents say it is nearly impossible to replace it with a less risky alternative.

Although the main approaches to detecting APTs are intrusion detection systems (IDS), anti-malware software and intrusion prevention systems (IPS), more than half of the respondents say they discovered an APT by accident.

On average, it took about 225 days to detect APTs launched against an organization, according to the study.

Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.

[Source: SecurityWeek]

The Cybersecurity Canon: Cyber Warfare

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Cyber Warfare: The Next Threat to National Security and What To Do About It (2010) by Richard Clarke and Robert Knake

This book covers a lot of ground. It’s essential to the cyber warrior who needs to understand the historical context around the evolution of defending any nation in cyber space. For international policy makers, it is a good place to start for a real discussion about substantive policies that the international community should consider.

For the commercial security folks, read this book if you want insight into how government policy makers frame the problem and what they would want to implement if they could. Even if you do not agree with the policies, you will come away with a better understanding of what they want. Richard Clarke and Robert Knake discuss the nature of cyber warfare, cyber espionage, cyber crime and cyber terrorism and provide specific examples of several.

In the last five years, we’ve seen a plethora of books on cyber warfare hit the market. I’ve read several, but I prioritized Clarke’s book because of his background. Before he retired from government service, he served three different US Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cybersecurity.

Clarke and Knake published “Cyber Warfare” in April 2010, just months short of when the public became aware of STUXNET. Some of the things Clarke suggests could have used the context of STUXNET – it was a game-changing event in the security community – but for the most part, I like what Clarke brings to the table.

Because of his background, this book is about policy and not really about how a nation might deploy assets in a cyber war. Specifically, it is about what the US should consider adopting going forward when considering the implications of an all-out cyber war.

He starts with a history of cyber events to demonstrate why we need the policy. He covers the usual suspects, but in some instances, the events Clarke cites aren’t really about cyber warfare at all. Two of them, Moonlight Maze and Titan Rain, are specifically about cyber espionage, and Eligible Receiver is about computer network defense. Others, including Estonia and Georgia, seem barely to meet Clarke’s own definition of cyber warfare:

“[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

What all of these events have in common, however, is that they shaped Clarke’s thoughts on what to do about cyber warfare. Eligible Receiver proved that Department of Defense networks are vulnerable. Even after a decade, there’s still evidence to suggest that DOD networks are as porous today as they were back in 1997.

Moonlight Maze was the proverbial wake-up call, however. The dictionary definition of asymmetry is a “Disproportion between two or more like parts.” Clarke says that when a nation sits on the high end of that equation (the US for example), they have a high degree of “cyber dependence.” In other words, that nation depends greatly on cyber for it to function. If that is out of balance, an asymmetric advantage develops and cyber defense becomes more important than cyber offense. Another event in the last decade, Titan Rain, proved again how weak the DOD networks were and how successful Chinese cybercriminals had been in pursuing their asymmetric vision.

From there, Clarke describes examples of how various nation states have experimented with cyber warfare in the past, particularly the US, Russia, Israel and North Korea. With this history lesson complete, Clarke makes the case that the US defenses against these kinds of attacks are weak, both for government networks and for commercial networks, and spends the rest of the book talking about what should be done about it.

Clarke’s bottom line is that, painful as it might be, the US will require sweeping new laws, regulations and policy in order to protect the nation from this threat. He points out that Cyber Command is responsible for defending the DOD networks and that the Department of Homeland Security is responsible for protecting the non-DOD government networks.

Nobody is responsible for protecting the commercial side. That might seem short-sighted when you lay it out like that, but in truth, is there much love lost between the commercial side and the U.S. government, whose track record on security isn’t all that good? The standoff between the US government and the commercial sector has been going on for well over a decade. Clarke’s point is that enough is enough. Tough decisions are required.

Clarke’s Proposition

Clarke’s proposition is the Defense Triad Strategy:

  • Secure the US Backbone
  • Secure the US Power Grid
  • Install security best practices on all government networks (NIPRNET / SIPRNET / JWICS)

I totally agree with the first one. Today, the US Internet is a mix of commercial ISPs that interconnect with each other and the rest of the world based on business decisions. While all of the big ones cooperate with each other and with the US government, their first priority is to make money. If a large-scale attack on the financial system, for example, is launched from a foreign adversary, the US government has no first hand means to monitor the situation. They largely have to depend on the generosity of the commercial sector to share information.

Today, most of these commercial companies willingly share with the government, but the system is inefficient and will likely not prevent the first wave of attacks. Clarke’s point is that somebody from the government should be monitoring the US cyber perimeter. Privacy advocates will scream and detractors will point out that it is equally possible to launch an attack against the food system from within the US as it is from a foreign country. In his book, Clarke acknowledges those issues but advocates that just because they will be controversial does not mean we should not address them.

For Clarke’s second point, I was a little skeptical at first. Why single out power as the first priority among 18 different critical infrastructure sectors such as banking, and food? After further thought, though, it’s clear the reason the US is cyber dependent is because it has reliable power distributed across the entire nation. Take that out and the rest of the 18 critical infrastructure sectors come tumbling down after it.

For his last point, it is a little sad that in 2013 we have to suggest that the US Government should install basic best practice security measures (like need-to-know network segmentation, file encryption, and host-based intrusion detection technology) across all of its networks.

The fact that the government has not done this is a little scary, but it is my experience, having worked in and with federal government agencies for many years, that this is not an act of incompetence. It really comes down to cost. The US government networks are some of the largest in the world. To install all of that technology on every laptop and computer on three different networks is not cheap. In a world of limited resources, when you compare the trade-off between buying file encryption software to, say, buying body armor for deployed soldiers, file encryption is going to lose every time.

Clarke realizes that it is unlikely that any US leader will be able to push through these radical ideas from the start. In order to get there, he proposes six paths that the international community should work on in parallel:

  • Broad public dialogue about cyber war
  • Create the Defensive Triad
  • International cooperation on Cyber Crime
  • Cyber Arms Reduction beginning
  • R&D for more secure networks
  • President is required to make decision on Computer Network Attack (CNA)

Why Read It

I recommend this book, not least because of the debates it stokes. At the very least, an open and frank discussion of Clarke’s six parallel paths between international government leaders and commercial business leaders would not be a bad thing. Nothing can happen if we do not put everything on the table and discuss it. We can use a book like Clarke’s to get the conversation started.

[Source: ]
