Posts tagged breach

Mutually-Assured Destruction in Cyberspace

Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when “real-world” warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.

Intrusions initiated by nation states against companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has to engage in a systemic campaign to compromise IT assets of its adversaries. The logical goal of such offensive operations is the state of mutually-assured destruction that deters each party in the conflict from taking advantage of the IT assets it compromised.

Here’s why I believe this might be the case:

  1. There is presently no practical way to defend IT infrastructure of any nation state against intrusions, be they commercial or government assets. If there was, we wouldn’t be experiencing so many breaches.
  2. As a result, a country needs to assume that an adversarial nation state will be able to successfully compromise a significant number of the country’s critical IT assets. Many of these intrusions will go undetected.
  3. Therefore, the country will need to find a way to deter the adversary from taking aggressive action against a significant number of the IT assets it illicitly controls.
  4. One way to accomplish this is for the country to compromise a meaningful amount of the adversary’s critical IT infrastructure, creating the situation of a mutually-assured destruction.

The idea of mutually-assured destruction in cyberspace isn’t novel. It was brought up at an RSA Conference panel in February 2012. According to Threatpost’s article discussing that panel:

"Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia. The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities - ‘big stones, and plate glass windows,’ said Lewis. ‘We’re back to mutually assured destruction.’"

A June 2012 article in the New York Times discusses several cyber warfare initiatives that appear to have been conducted by the U.S. and highlights some of the challenges of achieving cyber warfare dominance and reaching the state of mutually-assured destruction.

Nations with the interest, expertise and budget to conduct offensive cyber activities are probably busy hacking each other to avoid being outpaced in this process by their adversaries. They are doing this to achieve the state of mutually-assured destruction as a way of deterring each other from launching a full-scale cyber war. Just a theory.

Lenny Zeltser

Be doubly vigilant after a physical break-in. Don’t just look for what’s missing, but what might have been left behind.
Paul Ducklin, discussing the practice of some cyber-criminals to install a keylogger after breaking into victims’ offices and stores.

Some Facts and Conjecture About the VeriSign Data Breach

The web is abuzz with stories about the 2010 data breach that VeriSign reported in its Oct 28, 2011, 10-Q statement. The document devotes a couple of paragraphs to the breach and includes the following:

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (‘DNS’) network. Information stored on the compromised corporate systems was exfiltrated."

VeriSign further explains that its information security team detected and responded to the incident. That in itself isn’t remarkable, since successful attacks occur on a regular basis against companies large and small. If this were the full extent of the situation, it wouldn’t be worth including in the 10-Q filing. SEC disclosure guidelines published in October 2011 state that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

VeriSign’s mention of the breach in the 10-Q implies that the incident was significant, probably because of the kind of data that was compromised. This theory is supported by VeriSign highlighting that although it “is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

VeriSign’s disclosure further states that “given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information.”

This description suggests the company believes it was dealing with an APT-style intrusion. One of the characteristics of APT incidents is that it is very difficult to remove the adversary’s presence from the corporate network. Such efforts may take years and tend to be very expensive.

There is much conjecture regarding what occurred at VeriSign, given how few details the company released to the public. My hope is that VeriSign will do a better job than RSA did at providing a frank and comprehensive explanation of the affected products or services in a timely manner.

Other articles about the 2010 VeriSign breach from across the web:

From a more general perspective, I suspect we’ll be hearing more about such breaches due to the relatively recent SEC guidelines on breach reporting. How many large critical infrastructure operators haven’t been compromised at this point? How many of them actually know that this has happened?

Lenny Zeltser

2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.
Brian Krebs, discussing the search engine that “aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.”
The timeframe and method of discovery are almost always dictated by the criminal.

5 Events in 2011 That Challenged Online Security and Trust Assumptions

2011 is only three-quarters through. Yet, so much has already happened in the world of infosec this year that I’d like to start thinking about the events that have challenged our online security and trust assumptions.

  • The data breach at RSA allowed attackers to compromise aspects of the SecurID product and led to compromises of defense contractors and possibly other firms. Until this incident, the effectiveness of SecurID specifically, and of token-based authentication in general, as a security control was rarely, if ever, questioned.
  • The surge of MacDefender malware for OS X, and the ease with which this rogue antivirus program spread, demonstrated that OS X was also vulnerable to infections. While Apple issued software updates to curtail the spread of MacDefender, the company’s arguably slow response hinted at its relative inexperience at dealing with such incidents.
  • The appearance of ZeuS malware modules for mobile devices allowed attackers to intercept SMS authentication codes. By infecting both the victim’s PC and mobile phone, the attackers obtained the victim’s banking logon credentials from the infected computer and collected the one-time authentication codes sent to the phone. This development highlighted the limitations of relying on the phone as a foolproof authentication token.
  • The re-emergence of malicious hacking groups that compromised data for political and other causes, or just for fun, highlighted the diversity and vulnerability of potential targets. (Anonymous and LulzSec are the most prominent examples of such groups.) Their attack campaigns have caused many organizations that were complacent about information security to reexamine their infosec posture.
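
The SecurID and ZeuS items above describe the same weakness from two directions: a one-time code is only as strong as the secret that generates it and the channel that delivers it. The Python model below is an added example, not code from the original post or from RSA, ZeuS or any bank. It uses RFC 4226/6238 HOTP/TOTP as a stand-in for the proprietary SecurID algorithm (an assumption; the real token scheme differs), and the bank, user “alice”, her password and phone number are constructed for the demonstration. The first attack shows that a copy of the seed database lets the attacker compute valid token codes; the second shows that a password captured on the PC plus an SMS-forwarding module on the phone defeats an SMS-delivered code, while the same attacker with only the PC infected is left guessing.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (stand-in for a SecurID token)."""
    return hotp(secret, int(at) // step, digits)


class Bank:
    """Server side: password plus a second factor. Users enrolled with a seed use a
    token code; the rest get a server-generated code sent by SMS for each login attempt."""

    def __init__(self, sms_gateway=None):
        self.users = {}                  # name -> {"password", "phone", "seed"}
        self.pending_sms = {}            # name -> code issued for the current login attempt
        self.sms_gateway = sms_gateway   # callable(phone_number, text); constructed, not a real gateway

    def enroll(self, name, password, phone, seed=None):
        self.users[name] = {"password": password, "phone": phone, "seed": seed}

    def send_sms_code(self, name):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_sms[name] = code
        self.sms_gateway(self.users[name]["phone"], f"Your login code is {code}")

    def login(self, name, password, code, now=0):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False
        if user["seed"] is not None:
            return hmac.compare_digest(totp(user["seed"], now), code)
        expected = self.pending_sms.pop(name, None)   # single use: a replayed code fails
        return expected is not None and hmac.compare_digest(expected, code)


class Phone:
    """Victim's handset. `forward_to` models a ZeuS-style SMS-stealing module that
    copies every incoming text to the attacker's drop (a plain list here)."""

    def __init__(self, number, forward_to=None):
        self.number = number
        self.inbox = []
        self.forward_to = forward_to

    def receive(self, text):
        self.inbox.append(text)
        if self.forward_to is not None:
            self.forward_to.append(text)


def seed_leak_attack(now=1_300_000_000):
    """RSA scenario: with a copy of the seed records the attacker computes the token
    code, so the password (assumed phished or keylogged) is all that is left to obtain."""
    bank = Bank()
    seed = secrets.token_bytes(20)
    bank.enroll("alice", "correct-horse", "+15555550100", seed=seed)
    stolen_seeds = {"alice": seed}        # exfiltrated copy of the seed database
    return bank.login("alice", "correct-horse", totp(stolen_seeds["alice"], now), now)


def _build_sms_bank(phone):
    """Bank whose SMS gateway delivers only to the constructed phone object."""
    bank = Bank(sms_gateway=lambda number, text: phone.receive(text) if number == phone.number else None)
    bank.enroll("alice", "correct-horse", phone.number)
    return bank


def sms_interception_attack():
    """ZeuS scenario: PC malware captured the password, phone malware forwards the SMS."""
    attacker_drop = []
    phone = Phone("+15555550100", forward_to=attacker_drop)
    bank = _build_sms_bank(phone)
    bank.send_sms_code("alice")                      # attacker starts a login as alice
    code = attacker_drop[-1].split()[-1]             # read the code off the forwarded text
    return bank.login("alice", "correct-horse", code)


def sms_attack_pc_only():
    """Same attacker with only the PC infected: the code stays on the phone and the
    attacker can only guess (1 in 10**6 per attempt in this model)."""
    phone = Phone("+15555550100")                    # no forwarder installed
    bank = _build_sms_bank(phone)
    bank.send_sms_code("alice")
    return bank.login("alice", "correct-horse", "000000")


if __name__ == "__main__":
    print("seed leak defeats token code:", seed_leak_attack())
    print("PC + phone malware defeats SMS code:", sms_interception_attack())
    print("PC-only malware defeats SMS code:", sms_attack_pc_only())
```

The contrast between the last two functions is the point of the ZeuS item: the SMS factor still holds when only the computer is infected, and collapses once the attacker also controls the delivery channel. The seed-leak function makes the RSA point in the same model: once the seed leaves the server, the token adds nothing beyond the password.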

These events are acting as catalysts for changing the threat models we use to secure data, networks and applications. If there were other critical events that I failed to list, please leave a comment. What will the remainder of 2011 bring? We’ll know soon enough.

Hand-picked related items:

Lenny Zeltser

Psychological Similarities Between Shoplifting and Malicious Hacking

I’d like to better understand what drives people to engage in malicious hacking activities on the Internet. It’s a complex topic, of course, which incorporates the dimensions of money, fame, politics and other facets of human life and psyche. One way to gain insight into the psychology of hacking might be to learn about another illegal fringe activity: shoplifting.

Commonality of Shoplifting

Shoplifting is more common than most people realize. According to When Consumer Behavior Goes Bad: An Investigation of Adolescent Shoplifting by Cox, Cox and Moschis, “as many as 60 percent of consumers have shoplifted at some time in their lives.” In fact,

"Although a few shoplifters are professional thieves, the vast majority appear to be amateurs in that their activity is sporadic, they typically have no known history of criminal activity, and they steal for their own consumption rather than for resale."

The situation seems to resemble the malicious hacking scene. Though I don’t have the data to prove it, my sense is that a fair number of people have dabbled in some form of hacking activities that would be construed as unethical or malicious.

Shoplifting as a Cinematic Crime

Some people who engage in shoplifting view it as a “cinematic crime,” as discussed in The Steal: A Cultural History of Shoplifting by Shteir. There seems to be a certain amount of mystique and coolness about shoplifting for some people. Some might even view it as a victimless crime. Some use it as a way to judge others: “I don’t trust anybody who hasn’t shoplifted,” said one former shoplifter according to Shteir.

Some shoplifters report an adrenaline rush while preparing for or carrying out a theft, and speak of the crime as a love affair. Shteir explains:

"Shoplifters enjoy stealing. The objects mean something to them, but taking them feels dirty. Shoplifting is a spasm or a seizure. The lesson they learn from the crime—yes, I can!—they might apply to other areas of life. Shoplifting gives them courage to take chances."

The book also gives examples of shoplifters who like the feeling of superiority over the store clerk after a successful run. Even when they know they are doing something wrong—or perhaps because of it—they enjoy belonging to a seemingly exclusive club of shoplifters.

All of these aspects, the feelings of excitement, superiority and belonging, seem relevant to the emotions associated with malicious hacking activities as well.

Shoplifting Inclinations and Psychological Disorders

Studies suggest that some people who engage in compulsive shoplifting behavior might be diagnosed with psychological disorders. I don’t know enough about such conditions to say much about them, beyond quoting from Shoplifting: A Review of the Literature by Krasnovsky and Lane:

"Whether seen as simply a crime or a multifaceted disorder, shoplifting is an increasingly frequent problem in our society. For many offenders, it seems that shoplifting is just one among a group of antisocial acttivities engaged in, due to anger, excitement, or profit."

Similarly, different people engage in malicious hacking activities on the Internet for various reasons. What drives such individuals, what is their frame of mind and what, if anything, can be done to modify their behavior warrants a closer look. Perhaps understanding the psychology of shoplifting can shed some light on this complex topic. What do you think?

If you found this post interesting, you might also enjoy Similarities Between Riots and Modern Internet Hacktivism.

Lenny Zeltser

How a Data Security Breach Can Be Used for Good PR

Hershey Corporation sent an email to its customers, notifying them that Hershey’s website experienced a data security breach. This incident was picked up by many online publications after the report surfaced on the Consumerist blog. People were fascinated to learn that the attacker only modified a single baking recipe, leaving the rest of the site untouched. I am interested in this incident because it presents an opportunity to learn from Hershey’s smart PR response to the breach.

Potential Effects on Consumer Data

According to Hershey’s notice, the compromised web server stored “consumer website registration information, including email addresses, birthdates and street addresses as well as passwords used to enter some of our sites.” This is probably the reason why the company notified the public about the breach.

Hershey has “no indication that any of this consumer information was compromised.” It is very hard for an organization to state definitively that no sensitive data was compromised, which is why this way of describing the scope of a breach is common in breach notifications. The implication is that the company made reasonable efforts to determine what data may have been affected.

Highlighting the Importance of Recipes

While acknowledging the concerns over the security of consumer information, Hershey’s notice does a great job highlighting the strange circumstances of the breach, where the intruder altered only a single recipe on the compromised website:

"As you know, Hershey’s recipes are built on our legacy of offering the highest-quality products for more than 100 years. Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality."

From a marketing and PR perspective, Hershey is focusing the message on the integrity of its recipes. The implication is that if someone bothered to modify them, there must be something truly special about their contents, something Hershey’s customers have been benefiting from for more than a century.

Sample headlines related to the breach read:

I see the contents of Hershey’s breach notification as an excellent example of how a company can use a potentially negative event, such as a data security breach, to strengthen its brand. The approach of focusing the messaging on the modified recipe seems to be paying off for Hershey, as the media’s coverage of the incident emphasizes that strange aspect of the breach.

Hand-picked related posts:

Lenny Zeltser

Security is not about marketing until it fails.
We’ve always lived with some degree of infrastructure compromise on the Internet (and previously, X.25), but until an open black market emerged for the data gained by illicit access, it was mostly harmless.