Is the security industry up to the new challenges to come?

2014-04-02

Sorin Mustaca

Avira, Germany
Editor: Helen Martin

Abstract

Working both as a product manager and as an IT security expert and evangelist for an IT security company, Sorin Mustaca has seen that, with the technologies and products that we have available, we can't mitigate all the attack vectors used by today’s cybercriminals. He asks whether the security industry is up to the new challenges to come.


I decided to write this article as a reaction to the events of the past several months in the IT world.

Reading and monitoring the IT security news [1] has made me think a lot about the future of the security industry. For me, the IT security industry encompasses all companies and non-governmental associations that deal in one form or another with IT security and the privacy of data and individuals (anti-malware vendors are, of course, included).

For the past 25 years, the IT security industry has done a great job of protecting users against existing and emerging threats, in the form of files (copied, downloaded or emailed), streams of data (remember Code Red), and recently, even against common vulnerabilities in third-party software. We started with Windows, continued with MacOS and Linux, and lately we have extended the protection to mobile devices running various operating systems.

Working in a dual role – as a product manager and as an IT security expert and evangelist – for an IT security company, I have seen that with the technologies and products that we have available, we can’t mitigate all the attack vectors used by today’s cybercriminals, and thus we can’t fully protect our users against them.

The new threats I am referring to are: government surveillance; attacks against special devices; breaches of accounts or servers; and secret vulnerabilities that are not made known to the manufacturer of the software/hardware/system in question.

Government surveillance

In light of the recent disclosures of NSA (and other governmental) surveillance, people have started to ask how they can avoid being spied on. We don't have a universal solution right now, but there are various possible mitigation techniques. Using Virtual Private Networks (VPNs) or the Tor network and its browser are ways to mask your IP address and to hide from your local network or ISP which websites you visit. Neither hides the content of unencrypted traffic from whoever operates the far end (the VPN provider or the Tor exit node), so they complement encryption of the traffic itself rather than replace it.

Another way to keep your data private is through the use of encryption (in the right places). A good start would be to encrypt back-ups [2], especially those that are stored in the cloud, with a key that stays with you rather than with the cloud provider. Encryption should also be used when browsing. Unfortunately, not all websites redirect to their HTTPS versions by default. This is where browser extensions like HTTPS Everywhere [3] can help: they rewrite requests to HTTPS on the client side, before the request leaves the browser, according to rulesets listing sites known to support the protocol. They cannot make a server speak HTTPS that does not, which is why the rulesets are curated per site. The complementary fix on the server side is to redirect to HTTPS and send an HTTP Strict Transport Security (HSTS) header, so that browsers refuse to fall back to plain HTTP for that site.

The most important thing here is to keep things simple. Encryption can be a complex topic, and it must be made usable for the masses.

Attacks against special devices

By ‘special devices’ I mean point-of-sale (POS) devices, printers, routers, switches, TVs and other devices that can be considered part of the Internet of Things. Wearable devices are a newer category that is also seeing increasing use.

Attacks against special devices raise several issues. The devices contain vulnerabilities which, once disclosed, can be exploited. The biggest problem here is that some of these devices are critical to the functioning of offices and businesses. Even if a patch is made available, a router or switch will probably not be patched at all, or will be patched too late, because its business function is so important that it cannot be interrupted. IT professionals may want to prioritize patching, but small business owners have a different viewpoint. The same applies to printers (even if they are far less important).

I keep thinking about what could have been done to avoid the recent attack against the POS systems of the retailer Target. The attack was certainly very well prepared, but I believe that in the future all attacks will be targeted and well prepared.

In the early weeks of January, Proofpoint announced [4] that it had monitored a spam wave being sent through all kinds of devices, ranging from routers, satellite receivers and NAS servers, to TVs and even a fridge (I leave aside the question of evidence for this). I’ve been asked [5] how consumers can protect themselves and their devices from such an attack. Without going into detail, there are not many possibilities, but a good start would be to change the devices’ default passwords to strong, unique ones, apply firmware updates where the manufacturer provides them, and only install extensions from trusted sources. Beyond the device itself, filtering outbound traffic on the gateway is one solution (a fridge or TV has no reason to open connections to port 25 on arbitrary mail servers, so blocking that from the device network would stop this particular abuse), but how many consumers have a gateway that can do this?

Breaches of accounts or servers

Every week we hear about breaches of the social media or email accounts of high-profile individuals, ranging from actors to government officials. These cases all have something in common: either the accounts have extremely simple passwords, or their owners are unable to recognize a social engineering attack. The question that arises here is: whose responsibility is it to teach these people to use strong passwords and to detect a social engineering attack against them? Can we address this situation and create more awareness? Who’s going to pay for the publicity needed to reach these people?

Last year was definitely the year of the major server breach. We all know that this is just the tip of the iceberg, and that the breaches we heard and read about are only the few that were disclosed. There are multiple reasons why the breaches occurred:

  • there were vulnerabilities in the server software which remained unpatched

  • there was poor server security (including weak passwords)

  • social engineering was used to obtain credentials.

The problems usually don’t end with the server breach. In each reported case the purpose of the hack was to obtain information about the users of the services in question. The results of some of the hacks were disclosed, including the harvested user credentials, and this is how we discovered the disastrous security status of many of the servers involved. We’ve seen some very bad programming techniques, passwords stored in plaintext files, and no minimum security requirements for passwords (as a consequence of which, the passwords used by many users are just too simple and easy to guess). Where passwords are stored in plaintext, or hashed without a per-user salt and an iterated function, a single breach exposes every user’s password, and users who reuse passwords are exposed on every other site as well.

Can we do anything to improve this situation? A standardized and/or unified way of managing credentials (such as OpenID), better patching software (maybe offered for free), salted and iterated password hashing on the server, and two-factor authentication are just a few ways of mitigating these problems.

By far the biggest breach to have been disclosed to date was the unprecedented hack of Adobe’s servers, in which the source code of many of the company’s products was stolen. Adobe lost more than just control over the source code of some of its free products; it also lost its ability to keep the vulnerabilities present in that code private. Now that the code is no longer known only to the company, whatever advantage security through obscurity gave has been lost (it was never a strong one, since binaries can be reverse engineered, but source access makes hunting for bugs much faster). We should expect a new category of exploits of vulnerabilities which are not known to Adobe and which are not going to be disclosed (at least not on purpose) either publicly or to Adobe.

Secret vulnerabilities

‘Secret’ vulnerabilities are a special category of vulnerabilities represented by those discovered in leaked or stolen source code and never disclosed. The best example is, of course, Adobe. An attacker who discovers a vulnerability in this situation will either keep it in order to use it himself, or will sell it to the highest bidder. The bidders may be other cybercriminals or even governmental institutions.

The only defence strategy against vulnerabilities that are unknown to the producer of the software, beyond generic exploit mitigations such as ASLR, DEP and running programs with least privilege, is to protect the computer from the vulnerable program through a kind of sandbox, emulation or ‘shielding’ of the program(s) that are suspicious. But if we use these for all potentially vulnerable programs, we end up in the iOS and Android dilemma: both operating systems are built like this and both still suffer from all kinds of attacks, which either occur inside the protected area, or else hackers find ways to break out of the protection. So we don’t really have a good solution for this case.

Conclusion

At first glance, it appears that the IT security industry is facing new challenges for which there are currently no good solutions. But history has shown us that, actually, we might not even need to find a single solution (as in the one that solves the whole problem in the most effective way). Individual solutions, even if they come from different vendors, mitigate some of the attacks, and if they work in tandem, they can cover a large part of the threat landscape. Sooner or later, as the intensity of the attacks increases, more and more producers will find value (business opportunity) in creating tailored protection solutions against them.

Bibliography

[1] Mustaca, S. IT Security News aggregated. http://itsecuritynews.info/.

[2] Mustaca, S. Duplicati: How to create your own secure online backup for free. Sorin Mustaca’s blog. http://sorin-mustaca.com/2014/01/17/duplicati/.

[3] HTTPS Everywhere. Electronic Frontier Foundation. https://www.eff.org/https-everywhere.

[4] Proofpoint Uncovers Internet of Things (IoT) Cyberattack. Proofpoint. http://www.proofpoint.com/about-us/press-releases/01162014.php.

[5] Mustaca, S. Some thoughts about the spam attack sent through InternetOfThings (Proofpoint). Sorin Mustaca’s blog. http://sorin-mustaca.com/2014/01/25/thoughts-spam-attack-internetofthings-proofpoint/.
