Security Hype Machine | TechSNAP 189
Posted on: November 20, 2014

Why Hyping Cyber Threats is Counterproductive & not knowing is never good enough. Plus the malware that targets Hotel visitors, FreeNAS themed questions, our answers & much, much more!
— Show Notes: —
“Do Diligence”? Why, not knowing is safer…
- “As I travel around speaking, performing network assessments, and discussing security with various corporate leaders, I often hear a fairly consistent and disturbing mantra.”
- “If you find vulnerabilities and risks in our environment, then we will have to fix it.”
- The problem seems to be, especially in larger, more bureaucratic organizations, that if you know about a problem and do not fix it, you are at fault; but if you didn’t know there was a problem, you are blameless
- At some point, in order for security to actually be advanced, people need to take responsibility.
- If the CTO/CIO/CSO didn’t know that something “might be a problem” and “needed to be investigated”, or that the 3rd-party vendor access to our “secure” network was a gaping back door, then the person who hired that C*O should be fired for hiring an incompetent person
- I am not saying that a breach is the fault of the security officer, but if there is no plan in place about what to do in the event of a breach (because it is a question of WHEN it will happen, not IF), then that is the fault of the security officer
- “The old adage comes to mind, ‘ignorance of the law is no excuse’, and this holds true in information security as well.”
- “A common perspective is that cyber security is primarily the responsibility of the IT department. If a data breach incident occurred, the senior IT executive was the only one to take the fall, and usually only if there was incompetence involved vs. simply bad luck.”
- There is always going to be some adversary out there that is smarter than you, so you have to plan in advance. Defense in depth, early detection and isolation, mitigation and remediation, disaster recovery planning, disclosure and compliance procedures, and generally having procedures to follow in times of crisis are just some of the things that can be done to handle these situations more gracefully
Schneier: Why Hyping Cyber Threats is Counterproductive
- Schneier highlights a pair of essays on the topic, and his blog has a number of interesting comments as well
- The first article details reasons why ‘Cyber-Angst’, rather than real critical thinking and problem solving, is likely to cause more problems
- OMG Cyber! Thirteen Reasons Why Hype Makes For Bad Policy
- In 2014, the market for information-security spending topped $70 billion
- “Several parties think that overstating ‘cyber’ is in their own best interest. Security firms like a clearly stated threat in order to sell their security products. Contractors capitalise on fear to get funding from the executive branch. The Pentagon finds a bit of hype useful to keep the money coming in. The armed services each eye a larger slice of the budget pie. The White House love some good cyber-angst to nudge law-makers into action. Fear of Chinese cyber-attack makes it easier for members of Congress to relate to voters. Reporting cyber-war means that journalists sell more copy. Academics get quotations and attention from the buzz. Hype up cyber, and everybody wins”
- Hype Creates Confusion
- Hype Limits Results
- Hype Betrays Purpose
- Hype Erodes Talent
- Hype Creates Friction
- Hype Breeds Cynicism
- Hype Degrades Quality
- Hype Weakens Products
- Hype Clouds Analysis
- Hype Kills Nuance
- Hype Escalates Conflict
- Hype Feeds Hypocrisy
- Hype Undermines Trust
- A few other great headlines and quotes in the article:
- Most journalists writing about leaked documents do not understand their limitations
- Hype damages the public’s trust and confidence in the Internet
- “in the bureaucratic setup of a large intelligence agency, presentation skills can become more valuable than coding skills. It gets worse once it dawns on ‘PowerPoint warriors’ that technical jargon works like magic on superiors who may not fully grasp the details”
- The second article Schneier links to makes similar points
- Enough! Stop hyping every new security threat
- “Here’s how it works these days: A security firm finds out about a vulnerability, then sends its PR folks into overdrive to promote it as the biggest of all time”
- It started with ‘code names’ for operations, like Night Dragon, Project Aurora, and Operation Shady Rat; then it moved on to “proactive marketing of individual exploits with supercool names — Shellshock, Heartbleed, Sandworm — some of which even have logos”
- “Is this the new norm? You find a vulnerability, then get your PR team and graphic designers involved to gin up the most hype that can possibly be created?”
- “I understand why these firms are doing this. They want to get maximum exposure to sell their products and services, like ambulance-chasing lawyers. But McAfee and Symantec made billions after Code Red, Slammer, and Blaster without creating and pushing logos”
- The tone of the article is somewhat dampened by the inline advertisement for other Infoworld articles: “Watch out for 11 signs you’ve been hacked — and learn how to fight back, in InfoWorld’s PDF special report. | Discover how to secure your systems with InfoWorld’s Security newsletter.”
- And I couldn’t help but pull this quote: “Can you imagine how a real “big one” will be marketed in the future? Cue the operatic music and overlay graphics. Will it be like the Weather Channel’s “Storm of the Century” full-time news cycle with cyber security pros blown around in heavy winds, showing crying website widows holding wet cat GIFs among digital portal ruins?”
DarkHotel APT – Infecting Corporate travellers since 2007
- Kaspersky Labs details a newly disclosed Advanced Persistent Threat that targets executives that stay in high end hotels
- “This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics.”
- The APT takes over hotel WiFi networks and, using a Man-in-the-Middle style attack, tricks guests on the WiFi into installing a “software update” or something similar that is “required to access the internet”
- “… they delegitimize Certificate Authorities to further their attacks. They abuse weakly implemented digital certificates to sign their malcode. The actor abused the trust of at least ten CAs in this manner. Currently they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset.”
- The updates look legitimate because they are digitally signed, so even corporate security software that blocks unsigned applications is ineffective
- Once the malware is installed, it can start stealing sensitive documents, and keep doing so even after the guest leaves the hotel
- “The more interesting travelling targets include top executives from the US and Asia doing business and investment in the APAC region.” including victims in a number of industries:
- Very large electronics manufacturing
- Investment capital and private equity
- Pharmaceuticals
- Cosmetics and chemicals manufacturing offshoring and sales
- Automotive manufacturer offshoring services
- Automotive assembly, distribution, sales, and services
- Defense industrial base
- Law enforcement and military services
- Non-governmental organizations
- “When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively. Further work demonstrated just how careful these attackers were to hide their activity – as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status”
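The reason the DarkHotel “updates” get past tools that only block unsigned binaries is that those tools answer the wrong question: “is this signed?” rather than “is this signed by a publisher we trust?”. The following Go program is an added illustration of that distinction and is not code from the show or from Kaspersky’s report. It builds two constructed certificate chains with the standard library: a vendor root CA that issues a code-signing certificate, and an unrelated CA that issues a certificate with the same CommonName. A payload signed under each chain is then checked by a signature-only policy (`IsSigned`) and by a policy that also requires the signer to chain to an allow-listed root with the code-signing EKU (`IsTrusted`). All names, payloads and function names are hypothetical; no real CA or vendor is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedUpdate stands in for a downloaded "update" plus its detached signature (constructed data).
type signedUpdate struct {
	payload []byte
	sig     []byte
	signer  *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err) // constructed test data: any failure here is a setup bug
	}
}

// newTemplate builds a CA template when isCA is set, otherwise a code-signing leaf template.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// sign produces an ECDSA/SHA-256 signature over the payload with the signer's private key.
func sign(payload []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) signedUpdate {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return signedUpdate{payload: payload, sig: sig, signer: signer}
}

// IsSigned is the weak "block unsigned binaries" policy: any valid signature from any certificate passes.
func IsSigned(u signedUpdate) bool {
	return u.signer.CheckSignature(x509.ECDSAWithSHA256, u.payload, u.sig) == nil
}

// IsTrusted also requires the signer to chain to an allow-listed root and carry the code-signing EKU.
func IsTrusted(u signedUpdate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	_, err := u.signer.Verify(opts)
	return IsSigned(u) && err == nil
}

type Verdicts struct{ VendorSigned, VendorTrusted, RogueSigned, RogueTrusted bool }

// Scenario builds a vendor chain and an unrelated rogue chain, signs an update with each, and applies both policies.
func Scenario() Verdicts {
	vendorCA, vendorCAKey := issue(newTemplate("Vendor Root CA", 1, true), nil, nil)
	vendorLeaf, vendorKey := issue(newTemplate("Vendor Updater", 2, false), vendorCA, vendorCAKey)
	// The rogue leaf reuses the vendor's CommonName: a familiar name proves nothing about trust.
	rogueCA, rogueCAKey := issue(newTemplate("Some Other CA", 3, true), nil, nil)
	rogueLeaf, rogueKey := issue(newTemplate("Vendor Updater", 4, false), rogueCA, rogueCAKey)
	roots := x509.NewCertPool() // the allow-list: only the vendor's root, not every CA the OS trusts
	roots.AddCert(vendorCA)
	genuine := sign([]byte("genuine update"), vendorLeaf, vendorKey)
	rogue := sign([]byte("trojaned update"), rogueLeaf, rogueKey)
	return Verdicts{IsSigned(genuine), IsTrusted(genuine, roots), IsSigned(rogue), IsTrusted(rogue, roots)}
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // {VendorSigned:true VendorTrusted:true RogueSigned:true RogueTrusted:false}
}
```

The rogue update passes `IsSigned` exactly as the text describes: the signature is cryptographically valid, it is just from the wrong issuer. It fails `IsTrusted` because the allow-list holds only the vendor’s root. Pinning the expected roots (or the expected signer’s certificate fingerprint) for update channels, rather than accepting anything the system trust store recognises, is the control that survives a CA that was abused or a legitimate certificate that was stolen; checking the subject name alone does not, since the rogue leaf here carries the same CommonName.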
Feedback:
Round Up:
- Unscheduled Windows update kills critical security bug under active attack
- Post Mortem on Azure Storage outage
- Linux kernel 3.2 has bad performance and should be avoided; 2.6 performs best, and 3.13 or later is the best of the 3.x series
- Cricket, one of the US telcos blocking STARTTLS, named and shamed
- US spies on mobile phones from the sky, report says
- Computer scientists claim to have developed software that not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs damage caused by them
- US-CERT issues advisory about iOS Masque flaw