Its that time of year again -- the Annual Cisco Security Review. We decided to feature a whole show on this one -- which makes it fun but also of course brings a fair set of challenges. As good as we are…we can’t cover it all. You MUST read the report. It is quite good.
So where did we go with it?
We brought in some friends and fun with a few topics as well -- notes are below…but let us know your favorites!
Segment 1: Good News, Bad News
Sylvia Hooks and Fred Kost review primary findings. The bubble chart used here is really helpful for nailing some of the higher level milestones -- tracking movement over time so we know where to focus our energies.
Segment 2: Persistent Threats
This was really two little segments -- a solo from myself as well as from Jimmy Ray. I chose Stuxnet as my focus due to how re-defining I felt it was (is). It really is a sign of the times.
When it comes to ‘security news’ it always puzzling what gets reported. As viewers of this show, you know there is a very regular rhythm of security issues that are always bubbling just below the surface and it takes something profound to grab the public’s attention. Well one new threat making the rounds did have the right mix of ingredients last summer: STUXNET. It makes sense -- Computer Attacks, Nuclear Power, Foreign Governments, Sabatoge, Spy vs. Spy… But how much of it is real? Enough to say it is a ‘Sign of the Times’
As with all good threats, the details will continue to evolve…I do think there are Five items worth paying attention to here:
- Non-Trivial Distribution: Primarily spread via USB sticks -- think non-Internet connected systems that then propagate by escalating privilege levels through ‘zero day exploits’. True Zero’s are special…only valuable for a short time and are very expensive/hard to come by.
- Sophistication: its an intelligent worm initially targeting windows computers where it even installs its own drivers…using a stolen ‘legitimate’ certificate. The offending certificate gets revoked of course..but then another one gets added within 24 hours.
- Modular Coding: This thing can get new tires while still on the road -- multiple control servers, first in Malaysia then Denmark, now more -- including peer to peer. In fact, when two run into each other, they compare versions and make sure they are both updated.
- Unique Target: Windows is just the intermediary…the friend of the friend -- Stuxnet is looking for a particular model of PLC -- Programmable Logic Controller…which is technically not SCADA as is often reported. These are small embedded industrial control systems that run all sorts of automated processes -- from factories to oil refineries to Nuclear Power Plants. Stuxnet will leverage a vulnerability in the controller software to reach in and change very specific bits of data. Shut things off, don’t grease a bearing, don’t sound an alarm for 10 minutes… This is really unique knowledge…respectable coding skills that imply a higher level of patience, good funding, resources.
- Motive. Stuxnet does not threaten, it performs sabotage. It really has no criminal focus…does not spread indiscriminately, steal credit card information or login credentials, it does not recruit systems into a botnet, it targets ‘infrastructure.’ Our most essential necessities like power, water, safety and much much more. These are older, very established systems generally run with a mentality of ‘if it ain’t broke, don’t fix it’. These things don’t get watched over and patched by technical handlers who understand these kind of things. Not yet anyway.
So stay tuned. This one is not done. We all have a lot to learn and somebody is working hard to teach us.
Jimmy Ray broke down some extremely interesting tips and tricks for .pdf threats.
Big shout to Sid Steward for materials used in building this one…also check out PDF Toolkit and PDF Hacks (the book)
Thorsten Holz, co-author of ‘Virtual Honeypots‘ and the Honey Blog
Adobe Sand-boxing Technology
Segment 3: Social Insecurity
I have re-printed my Open Letter to Koobface -- just in case the humor was missed in the video…or you wanted to pick apart my writing that much further. If you are reading this and have not seen the video -- darn you…go watch it.
Dear Koobface. Can I still call you Koob?
You have been a wonderful friend, I remember how we first met.
Got a message from one of my old friends…click here ‘can’t believe your face in this video’ or something…you know me, I love seeing myself on camera, … wait. I am apparently missing a required component… a ‘video codec’ I think it said..well I’m this far, I like video stuff…lets get that sucker loaded.
Wow. I did not realize what had happened right away….but I was bitten. ‘Socially Infected’ if you will.
To be fair, your not a one friend kind of friend… Social infection has taken on a whole new meaning in the last year thanks to this ‘Gratuitous link-sharing behavior’ I have heard it called. Social Networks are the Place to be! And you my friend, are the expert at making money on this! Hats off to you Koob!
Well that video component you said I needed was actually an executable file that kicked off a whole bunch of activities.
Can I be honest? You had me at ‘click here.’ But you were not done were you?
At first I thought you were just bragging -- “Gotta check in” you said I should have seen the signs -- Command and control, a central feature of every budding botnet. Turns out you were just casing my place, logging my social activities and sites, I know I made it easy, all those cookies laying around -- fair enough.
You were measuring windows and checking out the floor plan…making room for your tools.. Very specific tools it turns out. Now, I appreciate the effort actually, no sense hauling in tools you don’t need -- you could see what I was doing. Now, my friends are your friends! And convenient too, since they now think all these new messages from you are coming from me.
With no extra work on my part, you even helped me become a webserver. I’ve never been a webserver! Now I got to act as proxy or provide relay services for all our little koobface friends -- in fact, and I love this one, I did not even have to break my own CAPTCHA’s anymore. I never liked those things! I mean why prove I am human if I have friends that will do it for me? Great little service. And downright neighborly!
Thats when things started to go wrong Koob. You know why. It was the money. I was already impressed with your social media propogation parlour tricks…but you showed your true colors. You know money is what ruins most relationships.
Your modularity should have tipped me off -- the fact that you could sell yourself on a ‘pay per infection’ basis to those suspicious looking friends of yours -- SEARCH HIJACKERS -- ready and willing to lead my browsing preferences right into those worthless click-fraud sites…DATA STEALERS…what kind of friends are these? Nice try convincing me it was just a creative back up strategy. But the final straw, the ROGUE ANTI-VIRUS INSTALLERS…those guys are so old school….I can’t believe you still hang with them. ‘Click here to protect yourself’. It does still pay I guess.
You know Koob. Enough was enough. You are who you hang out with.
That is why I unfriended you
Sylvia and Scott Olechowski continued our ‘Social Infection’ with the infamous Robin Sage scam, fake friend requests, and the seven deadly weaknesses of password security.
Segment 4: Upwardly Mobile
Sylvia and Patrick Peterson show the opportunities that now abound for hackers because of the proliferation of smartphones and other mobile devices.
ZeuS Goes Mobile -- Targets Online Banking Two Factor Authentication
Segment 5: Money Mules
Jimmy Ray and Henry Stern detail in depth how cyberthieves convert digital booty to cold, hard cash and why this might be a weak link in the chain.
- What is a Money Mule?,
- ‘Money Mules’ Help Haul Cyber Criminals’ Loot
- Brian Krebs:FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms
- Money Mules help haul Cyber Criminal Loot
- The Zeus Money Mules
- Five Alleged Money Mules indicted
- 419 Scam
Segment 6: Security Services
Learn what the hundreds of hard-working folks in Cisco Security Intelligence Operations (SIO) are doing to protect you from threats today and tomorrow.
Segment 7: The Wrap
Get your complimentary copy of the Cisco 2010 Annual Security Report and turn the information into action.
The Cuckoo’s Egg (by Cliff Stoll)
Buy the Book
Thanks for watching!