Security Blog

Your source for information security news and views.

In the trenches of 21st century Cyberwar

Posted by: Patrick Snyder

Tagged in: hack , cyberwar , cyber attack

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nations infrastructure as acts of war and is implementing a strategy which will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says: 
"Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem.  Attribution is assigning responsibility for the attack to the appropriate party.  With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a  path filled with significant chances for profound mistakes."

This statement by Paul Sand is understandable considering most cyberattacks and hacking incidents are not formulated by a governing body. They are generally run by a small group of rouge individuals acting independent of any government. Take for instance the group "Anonymous", which is nothing more than a large informal collection of hackers spanning across various continents. How will a target be decided in the event of an attack from multiple locations? Also keep in mind that most hackers are still in their teens. Are we to expect our government to discharge nuclear weapons on an innocent country because some adolescent hacked into one of our government sites from a computer in his basement?

Paul Sand continues:
"Further, cyber attacks that are “war-like” are not likely to be independent attacks.  The 2011 OECD report “Reducing Systemic Cybersecurity Risk” lays out a strong argument that cyber attacks will be coincident with conventional “kinetic” military actions. In that event, this new doctrine of response to the cyber attack is not necessary … existing doctrine governing the response to the kinetic attack will be sufficient and is much less susceptible to problems with accurately attributing the act to the true attacker."
"All in all, the Pentagon has not made the cyber world any safer by concluding that cyber attacks are an act of war."


In other news:

Lockheed Martin has acknowledged a significant cyberattack on their infrastructure. Evidence has surfaced linking this attack to the recent hack of RSA and the theft of RSAs SecureID authentication tokens. These tokens were used in an attack on Lockheed Martin in an attempt to obtain sensitive information from the security and defense company. Luckily Lockheed was able to thwart the attack very quickly after it propagated on their systems and assures everyone that no data was stolen. 

This attack on Lockheed Martin arrives on the landscape with an abundance of other cyberattacks including those on broadcaster PBS, EMC Corp.'s RSA security unit, Epsilon Data Management, LLC, and Sony Corp.'s PlayStation Network.

Todays networks are erupting with cyberattacks and cyberwarfare and governing bodies are struggling to keep a hold on their authority. Though the litigation is still unclear, the message should be clear to hackers. You've been warned! The next time you press enter and launch that malicious code, you could end up with a USAF B-52 Bomber over your head.

Since when does innovation call for imitation of security? In todays world users demand portability. This involves designing devices and services to operate on much smaller platforms. Which means taking that 15 inch laptop from the office and crushing it down to a 4 inch pocket sized supercomputer, not only that but also taking those web browsers and applications and stripping them down to their minimal aspects to ensure lightweight, simple operation. In the process of stripping down these devices we are leaving out an important aspect, the security.

Although the convenience of having a pocket sized computer seems to trump most of our performance concerns we are actually giving up more than we can afford. Full sized devices offer us many integral features which we now take for granted. These features include security checks and warnings which are key to our safe networking.

For example, while using a standard full sized browser it is clear to see within the URL bar when a user is accessing a secure site. You are generally presented with the SSL security lock, or some other form of green light identifiers which assure you that the page you are currently accessing is encrypting your information and is safe. 

Our strive for mobile simplicity has led us to throw out these security checks and therefore opens the doors to spoofed websites which can potentially present us with false information and fake logins. There are only a handful of users with the knowledge to detect such websites on our mobile devices. We are making the prediction that phishing attacks relate to this type of mobile spoofing will become one of the most abundant threats in the upcoming years to mobile users.

Thankfully many mobile browsers now support SSL and https transmissions, however, that is only when the user chooses to use the securely protected website. Not many custom mobile sites have been designed to handle this type of security yet. Anyone who has accessed a full sized webpage on a mobile device knows how difficult it can be to read small text and press submit buttons. This makes custom built mobile sites the optimal choice for convenience but definitely not for security.

There is work being done to prevent mobile site spoofing. But until this type of security is optimized and becomes the new standard in the industry we will constantly be bombarded with fake login pages and spoofed sites.

On another note our mobile apps could also use a security overhaul. It is only a matter of time before cyber criminals begin implementing malicious app installations by fooling our mobile carriers into thinking their app is good then flipping a switch on a server and transforming the app into one that commits malicious tasks, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout.

Innovations in mobile computing and browsing should make no exceptions to the rules of security, no matter how convenient it may be for user performance. Users these days have it all wrong. For those of you demanding power and portability, take a step back and demand your security first!

The evolution of mobile apps has become a viral topic among technologists. Developers are rapidly transitioning their skills from PC based programming back to the minimalist programming seen in the early stages of computing where resources were limited. There are already an estimated 350,000 apps on the Android market and more than a half-million in the iOS App Store. With these mobile app environments growing so quickly, PC companies are struggling to keep up and searching for a beneficial solution.

Enterprises have been exploring the idea of virtualization of applications to allow functionality on various platforms for a long time now. Much of this development can already be seen today on mobile devices and PCs that run Java environments to power universal applications. What they are really searching for is a solution that allows for universal operation of applications that use little to no system resources. If these apps can run on less powerful smartphones then they should have potentially amazing capability on PC platforms.

Well now this solution is within reach. Bluestacks is currently developing technology that will allow Android apps to be run on a PC. Though this seems great for integrating our bulky yet powerful desktop and laptops in with our mobile devices, it should also be raising some red flags. 

According to research published by Juniper Networks, mobile malware on the Android operating system went up 400% in the six months prior to 2011. Thats should be a frightening statistic! Why would we ever want to allow these applications to run on our PCs?! As if our PCs didn't already have enough malware to defend against, we are going to add mobile malware into the equation.

The technology will be virtualized so there is an assumed level of security associated with such technologies. This security is usually provided through the use of a hypervisor to manage communications between software and hardware and also between the hosted operating systems themselves however, the technology pitched by Bluestacks seems like it will stray from this model. 

"End users don't have to toggle between operating systems. They can simply click on an icon for an Android application, for instance, to launch and use it." Rosen Sharma, president and CEO of Bluestacks said.

From a security standpoint, we find this methodology very risky. We expect to see malware propagating through this new attack vector very soon, you can count on it. "This will be the number one attack vector within a year!" Ken Kousky, president and CEO of IP3 Inc. said.