Security Blog

Lulz Security, a seemingly innocent name you may actually confuse for a legitimate security company, has rapidly been boosting their hacking reputation since early 2011. They have managed daily hacks on dozens of websites all across the internet and even managed to set up call forwarding attacks on many customer support lines. Some of the most notable being hacks of Sony, the US Senate, the FBI, and the CIA. Many of their attacks have been simple perimeter breaches of security, things that many security professionals should have secured a long time ago.

These hacks highlight the waste of time many security managers spend attempting to secure only their outer defenses. True security should live directly around your most precious assets. The security method deployed by most sites hit by LulzSec have been primarily perimeter based security. This type of security is like building a wall around your home yet leaving your doors unlocked and expecting only the wall to keep people out. As we can now see, that methodology is unacceptable and simply is not enough.

Though this group has caused some major disruptions in many networks they do not seem to have a truly malevolent motive in these attacks. They do not seem to be out for financial or political gain. As their tweets and even their name 'Lulz' (a reference to 'laughs') suggests, they are doing this simply for the entertainment and the sport of it. They have even been operating what I like to call a hack-by-request system where anyone is free to contact them with a target to be hacked. The truly surprising fact is that they have actually been able to hack nearly every target they are given whether it be a simple gaming forum or a high level government website. They are breaking through what should be the most secure websites on the internet using simple DDoS and packet flooding attacks.

Beyond exposing a lack of perimeter defenses their hacks have also brought to our attention many other security issues that most of us are still ignoring. Their hack on Sony revealed not only inadequate security defenses on Sony's part but also an astonishing amount of password reuse by users, which we all know is one of the most prevalent security flaws that exists.

Lets face it, these attacks have been happening for years and organizations have simply been able to keep quiet while sweeping the mess under the rug. LulzSec's public hacking escapade has finally brought these attacks to the attention of the general public. They are exposing many organization's security systems for what they really are, weak. There is no more ignoring our simple mistakes. It is time we all step up our security to the level it needs to be at in this world of cyber threats. This should be a true eye opener for security professionals. It may be your only chance to get things right before your information is truly at risk of theft and misuse that will indeed result in financial loss and legal liability.

No more than a week after the Pentagon's military threats in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
“Last week, IP3 assessed the Pentagon’s decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon’s aggressive stance.  Taking action that raises your profile without any clear benefit is usually a bad move.”

I'm sure most of you have heard the ancient Japanese proverb, "The nail that sticks out gets hammered down." The U.S. government may have just targeted themselves as that very nail. By introducing such a strong statement, we have invited other less agreeable entities to test our claims of military force.

Another phrase that comes to mind is the African proverb "Speak softly and carry a big stick." Which was popularized by Theodore Roosevelt in his Big Stick ideology regarding peaceful negotiations backed by the threat of military force. So what happens when that threat of force is tested? Is it truly customary to take out the big stick and start swinging? This will be the true test of something I will call "cyberwar policy." 

Cyber policies will soon become a very hot topic in lieu of recent events. One event being the government controlled network outages that began in Egypt, which now seem to be trending seeing as the Nigerian government has done the same. This caused questioning in the U.S. which led to the introduction of "kill switch" litigation now being passed throughout Congress. A second event was the Pentagon's consideration of cyber attacks as acts of war. 

These recent events have begun to outline rules of cyberwar. There are many questions to be asked and much policy to be drawn up regarding these and future events. One thing is certain, our representatives had better get a handle on this policy soon before things get out of control.

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nations infrastructure as acts of war and is implementing a strategy which will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says: 

"Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem.  Attribution is assigning responsibility for the attack to the appropriate party.  With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a  path filled with significant chances for profound mistakes."

This statement by Paul Sand is understandable considering most cyberattacks and hacking incidents are not formulated by a governing body. They are generally run by a small group of rouge individuals acting independent of any government. Take for instance the group "Anonymous", which is nothing more than a large informal collection of hackers spanning across various continents. How will a target be decided in the event of an attack from multiple locations? Also keep in mind that most hackers are still in their teens. Are we to expect our government to discharge nuclear weapons on an innocent country because some adolescent hacked into one of our government sites from a computer in his basement?

Paul Sand continues:

"Further, cyber attacks that are “war-like” are not likely to be independent attacks.  The 2011 OECD report “Reducing Systemic Cybersecurity Risk” lays out a strong argument that cyber attacks will be coincident with conventional “kinetic” military actions. In that event, this new doctrine of response to the cyber attack is not necessary … existing doctrine governing the response to the kinetic attack will be sufficient and is much less susceptible to problems with accurately attributing the act to the true attacker."

"All in all, the Pentagon has not made the cyber world any safer by concluding that cyber attacks are an act of war."

In other news:

Lockheed Martin has acknowledged a significant cyberattack on their infrastructure. Evidence has surfaced linking this attack to the recent hack of RSA and the theft of RSAs SecureID authentication tokens. These tokens were used in an attack on Lockheed Martin in an attempt to obtain sensitive information from the security and defense company. Luckily Lockheed was able to thwart the attack very quickly after it propagated on their systems and assures everyone that no data was stolen. 

This attack on Lockheed Martin arrives on the landscape with an abundance of other cyberattacks including those on broadcaster PBS, EMC Corp.'s RSA security unit, Epsilon Data Management, LLC, and Sony Corp.'s PlayStation Network.

Todays networks are erupting with cyberattacks and cyberwarfare and governing bodies are struggling to keep a hold on their authority. Though the litigation is still unclear, the message should be clear to hackers. You've been warned! The next time you press enter and launch that malicious code, you could end up with a USAF B-52 Bomber over your head.

Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

I wouldn't loose sleep over this or get worked up about Black Hat demonstrations. Compensating controls that continue to provide security in depth in this case would include network and host  IDS/IPS so that the keystroke log files might be found stored on the host or being transmitted out of the enterprise. In the case of a shared public lab, like the university cited, the common safeguard is to wipe and rebuild each machine on a daily basis.

I'd agree that this is another serious vulnerability that should help heighten our awareness of the potential dangers. 

The biggest danger I see in information assurance today is the belief that only good guys are finding these holes and the belief that sharing them at Black Hat educates the bad guys.

Anybody who has spent more than 10 minutes following the current exploits in the wild understands that the folks behind conflicker or the theft of the

F35 designs are very, very competent. They don't need Black Hat demos to find opportunities. They're finding more and better exploits on their own. 

WE need the demos to help wake up and inform management as to what we're up against and how insanely insecure many systems are today.

The Twitter ddos, F35 design theft, multi-million node botnets, massive penetration of our power grid and 90% of all email as malicious (I consider all fraudulent mail including spam as malicious) should be enough of a wake-up call but it doesn't seem to penetrate.

Regards

Ken Kousky