07.04.09

Euro-Cyberstrike! When Anti-Virus Attacks

Posted in Cyberterrorism at 8:56 am by George Smith

Updated

“IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files,” reported el Reg.

“Details are still coming in, but forums here and here show that it’s affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer’s 140 machines after they updated to the latest virus signature file.”

Anyone familiar with anti-virus warning screens and quarantining of files dubbed infected or malicious can imagine the hilarity hysteria that might result if the anti-virus program mistakenly targets the operating system.

DD covered the anti-virus industry model in yesterday’s post . It was called “Enumerating Badness,” the 24/7 process/arms race of cataloging all Internet Badness — viruses and malware — with the aim to detect and block. The nature of this solution guarantees regular and systematic failure as part of the overhead of conducting business on the Internet.

You see, the generation of malware is also guaranteed to be virtually infinite, and this creates the daily, sometimes hourly, need for continually updating your “Enumerative Badness” catalog, or anti-virus scanner. And with this there is always present a capacity for error, potentially massively distributed trouble, since anti-virus updating is, for most people and institutions, entirely automated.

And so it is unsurprising to see instances of worst-case potentials in reality, cases in which the computer is disabled by a mistake described in el Reg’s news piece.

Reading the story’s comments provides further opinion:

Epic FAIL… #

… was McAfee’s response — just take a look at user pk02137’s post at the McAfee support forums:

http://forums.mcafeehelp.com/showthread.php?t=231901&page=4

Pretty good story there; over 8,000 desktops and 150 servers. Ouch. These things do happen, but McAfee’s response could have had been better. Much better.


Cybersecurity – Diversity #
By Anonymous Coward Posted Saturday 4th July 2009 03:25 GMT

The are massive risks of catastrophic failure with any system monoculture. Those leading the cybersecurity initiatives recently announced by the US and UK governments are well advised to reflect on this.

A level of diversity in hardware/software platforms and security solutions must be encouraged and preserved. In a cyberwar, system diversity will limit the effects of friendly fire and vastly reduce the weak opponent’s chances of carrying out a “cyberspace spectacular.”


More here


And in the same vein from 2003 at Vmyths.

07.03.09

Theory of Stupidivity: Guaranteed to Fail

Posted in Cyberterrorism at 7:35 am by George Smith

Today’s cant on cybersecurity is news on ‘Einstein,’ the security system to be installed on all government computers to protect them from cyberspies.

“It is supposed to detect known types of cyberattacks and immediately alert the cybersecurity center,” reports the Wall Street Journal. “The problem: Like its predecessor, it still can’t detect or block sophisticated attacks that weren’t previously known, said Stewart Baker, a former senior Homeland Security Department official. Homeland Security is the only department using it so far.”

“Homeland Security Department first developed Einstein in 2003, adapting technology from a Pentagon program that monitored military networks … ” informs the WSJ.

In another manner of speaking, it uses the anti-virus software model of ‘security.’

Entrenched and solidified over decades, anti-virus software detects only malware that has already been submitted in samples and examples to its developer. That is, it can’t detect the newest attacks until someone else — hopefully not you — has been snared by them.

Over years and years, it has ensured an arms race between virus-writers and software developers, a process that is now locked in stone.

Last week, for example, an advertisement with malicious code in it threw three viruses at DD’s PC. Software caught two and I was left to net the third, which I caught when it tried to alter the system. I threw the virus into a directory I keep for unidentified malware and suspicious programs. A few days later, when the a-v software updated for the third or fourth time after the incident, it was detected. So someone, not just me, had been exposed to it and taken the time to send a sample to the company. And there were, invariably, some people who were screwed over by it.

Security expert Marcus Ranum discussed this at length some years ago in “The Six Dumbest Ideas in Computer Security.”

In essence, the Einstein software and plan for making government computers secure accumulates these ideas into one big ball. Let’s call it “The Theory of Stupidivity,” in honor of the Einstein software. Now don’t go off the rails here. The government isn’t the only guilty party. Almost everyone seems to practice most of the six dumbest ideas in computer security.

Notable among these flaws is the dumb idea Ranum called “Enumerating Badness.” It’s the definition of the anti-virus/anti-malware/anti-spyware industry.

Back in the good ol’ days when shit-happening wasn’t everywhere “security practitioners got into the habit of ‘Enumerating Badness’ — listing all the bad things that we know about. Once you list all the badness, then you can put things in place to detect it, or block it.”

“Why is ‘Enumerating Badness’ a dumb idea?” asks Ranum. “It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness.”

“Enumerating Badness” goes hand in hand with “Penetrate and Patch.”

“One clear symptom that you’ve got a case of ‘Penetrate and Patch’ is when you find that your system is always vulnerable to the ‘bug of the week,” writes Ranum. “It means that you’ve put yourself in a situation where every time the hackers invent a new weapon, it works against you. Doesn’t that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind.”

Doesn’t that sound like common news from the cybersecurity beat? Rhetorical question.

Practically speaking, there’s not much hope of ‘secure by design’ anymore. And the current news about the Einstein software only underlines it.

Let’s return to the WSJ article. “Homeland Security is the only department using it so far,” it says.

This is not necessarily a bad thing. There’s really not much point in being forced into being an early adopter when something isn’t an improvement on what one already has. And is unknown in its bugs and weaknesses, and maybe worse.

Good advice could be to be ‘last in line’ for Einstein, version whatever, until everyone else has it sorted out.


In from the “Don’t blame China” desk:

In view of the current serious situation in frequent leak of secret in the secret information system, Xia Yong, director of the State Bureau of Secrecy, said on the afternoon of 22 June: China plans to enhance the encryption measures of secret information system.

He said: These measures include …

Technology will be adopted in protecting secret information system. The revised draft (of the Secrecy Law) stipulates: Secret information system should be installed with encryption facilities and equipment in accordance with the state encryption standards. Planning, building, and operating of encryption facilities and equipment should be synchronized with the secret information system. Before being put into operation, secret information system should pass the inspection of secrecy administration department at or above the city level, which sets up the system. — Xinhua News Agency, June 22


At SITREP.

07.02.09

Electronic Pearl Harbor Man unearthed: Put him back in ground, please

Posted in Cyberterrorism at 7:59 am by George Smith

Jack Goldsmith, a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004, is writing a book on cyberwar, threatened a by-line on the op-ed pages of the NY Times yesterday. (Tip o’ the hat to bonze for pointing it out.)

Goldsmith, a lawyer from the Bush administration awarded a get-out-of-jail-free-card for his tell-all book on the ‘terror presidency’, joins other famous ex-government officials, who as soon as they’ve finished with their cash-ins, refashion themselves as seers of the techno-future and set about writing tomes which are part thriller, part warning, containing multitudes of allegedly new-fangled plots and actions against the country.

The most notable example is Richard A. Clarke. Clarke set to work writing security warnings/techno-thrillers. His first, “The Scorpion’s Gate,” was a success. The second novel, “Breakpoint,” on cyberterrorism, sank without much trace.

To paraphrase the opening line to the article referencing Clarke’s side career as a poor man’s Tom Clancy, for the purpose of stereotyping of the entire cohort: Is there no beginning to the talents of these men?

Continuing in the same vein:

However, it’s as silly to condemn the genre as it is to disrespect hotdogs as not proper food. Techno-thrillers have made up a necessary part of the book rack in supermarkets for the last few decades and many Americans probably wouldn’t buy anything with print in it if they didn’t see it near the checkout stand.

So, for the Times, Goldsmith emitted a bit of a teaser, casting himself as one of the new electronic Pearl Harbor men, a species in no short supply.

Goldsmith, probably now anathema to his old GOP cohorts, has newly discovered cybersecurity. For the Times, his opinion pieces furnishes the standard cliches and sincere hand-wringing concern on the menacing nature of it and what must be done. Just like the ten thousand or so before him over the last fifteen years.

In Goldsmith’s first graf, we get the blame China meme. Federal law now mandates it be inserted in every opinion piece on cyberwar.

OUR economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks. These networks are poorly defended and vulnerable to theft, disruption or destruction by foreign states, criminal organizations, individual hackers and, potentially, terrorists. In the last few months it has been reported that Chinese network operations have found their way into American electricity grids, and computer spies have broken into the Pentagon’s Joint Strike Fighter project.

“The government should jump-start this [security] education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network,” he opines.

Good idea. Require licensing and vetting for everyone’s home and business desktop PC or refuse entry to the net. First step: Close down all the unregulated PC departments in consumer electronics stores like BestBuy. Second step: Decertify and refuse connection to all desktop and laptop PCs in use at public schools and at universities. Third step: Disallow all connection to the Internet by DSL, cable modem, wireless or dial-up from private residences, apartments and Internet cafes until all PCs are declared sanitized and impervious to penetration. Fourth: Raid and take out of business all big ISPs unable to guarantee their customers to be computer virus free. Last: Immediately put those damn kids always launching scripted UDP floods in jail.

Just pulling your leg. Tee-hee.


Hey, did you hear this new joke? I stole it from the GOP, sort of. What are the eight most dangerous and scary words you’ll hear from ex-officials put out to pasture: “I’m from Harvard and I’m here to help.”

07.01.09

Cyberfrequencing in Pasadena: Spam, spam, spam, spam!

Posted in Phlogiston at 12:49 pm by George Smith

When one does a show, a website or a blog with the word ‘cyber’ in its name, one ought to work a little harder to not appear adrift and without a paddle … in cyberspace.

KPCC in Pasadena, DD’s hometown, hosts Cyberfrequencies, a show and posting site devoted to covering celebrity news on the web. Its latest piece on famous showbiz blogger Nikki Finke is here.

Sadly, Cyberfrequencies is also a gold-plated spam magnet, its pages littered with comments from a variety of fraudsters hawking everything from cheap insurance and prescription drugs to erectile dysfunction medications. “Share thy Booty” is the unintentionally hilarious title of this post. Mouse over the links, note the uniquely and colorfully named domains. For fairly obvious reasons having to do with patterns of malicious misuse on the Internet, you won’t want to follow them.

And here’s another example.

About the only thing missing are links in Cyrillic and escort listings for prostitutes in India.

Hey, someone tell ’em their fly is way open in cyberspace. Be nice. They look very new to this.

Mirror Image

Posted in Cyberterrorism at 9:59 am by George Smith

Last week, DD wrote about Chinese journalists finally catching up with the practices of western cybersecurity beat reporters.

[This] year, for the first time, [DD began] to field questions from Chinese journalists, who are returning the favors long administered by their counterparts in the western English-speaking newsmedia. One could view it as a bit of tit-for-tat. That is, instead of wanting to talk about how their country is menacing US cyber-interests, paradoxically, they want to know about the US menacing the rest of the world’s cyber-interests.

“China has been the focal point of many U.S. cyber fears,” wrote a reporter at Federal Computer Week today. “We are concerned about our vulnerability to attacks — not only on government databases but also on our electrical grid and financial system — and many articles have highlighted the threat from China. Many Americans also fear that the government’s use of software created in China and other nations creates a risk … ”

“In that context, the article I came across in the English-language China Daily was an eye-opener. The title was ‘China at the mercy of global hackers.'”

The FCW reporter adds that a Chinese report opines: ” . . . President Barack Obama’s efforts to ‘find back doors into the digital fortresses of potential enemies’ could pose a risk.

“In other words, it sounds like China is afraid of the United States in about the same way the United States is afraid of China.”

From last week:

Chinese journalist: Will US wage cyber warfare against its enemies?


SITREP: Rule Number One: Always Blame China

Excerpt from the mails: I read this article and was appalled by what [you have] implied. That being that China and Russia pose little threat and claims that they do are ‘sexed up.’

« Previous Page « Previous Page Next entries »