Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers

Sony, Google, RSA and now Citigroup are just some of the prominent victims of cyber attacks as defenses at large organizations prove porous and attackers elude detection

PHISH AND CHIPS: Cyber attackers are known to break into poorly secured computers and use those hijacked systems as proxies through which they can launch and route attacks worldwide. Image: COURTESY OF ERWO1 VIA ISTOCKPHOTO.COM

Cyber attacks may not be a new phenomenon, but the recent successes scored against high-profile targets including Citigroup, Google, RSA and government contractors such as Lockheed Martin underscore the targets' current failure to block security threats enabled by the Internet. Malicious hackers use the same technology that enables online banking, entertainment and myriad other communication services to attack those very applications, steal user data, and then cover their own tracks.

One common practice that attackers employ to evade detection is to break into poorly secured computers and use those hijacked systems as proxies through which they can launch and route attacks worldwide. Although such attacks are an international problem, there is no international response, which frustrates local law enforcement seeking cooperation from countries where these proxy servers typically reside.

Address unknown
Every day seems to bring news of some new cyber attack. "We're seeing more reports on invasive attacks on a much more regular basis," says Chris Bronk, an information technology policy research fellow at Rice University's James A. Baker III Institute for Public Policy and a former U.S. State Department diplomat.

The hardest problem in finding the source of these attacks is attribution. Each data packet sent over the Internet contains information about its source and its destination. "The source field can be changed [spoofed] by an attacker to make it seem like it's coming from someplace it's not," says Sami Saydjari, president of the cyber-security consultancy Cyber Defense Agency and a former program manager of information assurance at the Defense Advanced Projects Agency (DARPA).

"If your network is under attack and you're trying to find out who's doing it, purely technical means are insufficient for that," says David Nicol, director of the Information Trust Institute at the University of Illinois, Urbana–Champaign. "The way that we assemble complicated networks of computers until recently hasn't been done at all with security in mind except in a cursory way, and that's the fundamental problem."

By way of example, Nicol points out that he uses a virtual private network that connects to a proxy server before connecting him to the Internet. This enables him to encrypt data he sends over the network and protect the identity of his own Internet protocol (IP) address. "I do this to thwart information harvesting that commercial Web sites usually have," he adds. "I've got nothing to hide but that doesn't mean I want information about me harvested and sold."

Unfortunately, such tactics are also employed for malicious purposes. Cyber attackers use viruses, worms and other malware to take control of Internet servers or even personal computers, creating a network of "zombie" computers (also called botnets) under their control that they can use to launch their attacks. As a result, an attack may appear to come from a particular server or computer, but this does not mean the attack originated at that device, Nicol says, adding that often a string of proxies located in different countries is used in an attack, "greatly complicating the legal process of trying to piece it all together."
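The spoofable source field (Saydjari's point above) and the hijacked "zombie" hosts that relay attacks are the two problems a network border can partly contain with source-address filtering. The example below is added here and is not code from the article: it builds and parses IPv4 headers and applies a per-interface ingress/egress policy (the BCP 38 idea); the site prefix 203.0.113.0/24 and every packet are constructed for illustration.

```python
# Added example, not from the article: forged IPv4 source fields and a border
# ingress/egress filter (the BCP 38 idea). All addresses here are constructed.
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Ipv4Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    ttl: int


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a minimal header. The source is just a field the sender fills in;
    nothing in the packet format proves the sender really holds that address."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(raw: bytes) -> Ipv4Header:
    """Parse the fixed part of an IPv4 header; reject truncated or non-IPv4 data."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_FMT, raw[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return Ipv4Header(ipaddress.IPv4Address(fields[8]),
                      ipaddress.IPv4Address(fields[9]), fields[5])


class BorderFilter:
    """Source-address policy for a site that owns the given public prefixes.
    inside : outbound packets must carry one of our own addresses, so a hijacked
             'zombie' on our LAN cannot forge someone else's.
    outside: inbound packets must not claim an internal or bogon source."""

    def __init__(self, internal_prefixes: List[str]):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def _is_internal(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in net for net in self.internal)

    def decide(self, interface: str, raw: bytes) -> Tuple[str, str]:
        """Return ('forward' | 'drop', reason) for a packet seen on an interface."""
        try:
            hdr = parse_ipv4_header(raw)
        except ValueError as exc:
            return "drop", f"malformed packet: {exc}"
        if interface == "inside":
            if not self._is_internal(hdr.src):
                return "drop", f"egress spoof: {hdr.src} is not one of our prefixes"
            return "forward", "egress ok"
        if self._is_internal(hdr.src):
            return "drop", f"ingress spoof: {hdr.src} claims to be inside our network"
        if any(hdr.src in net for net in BOGONS):
            return "drop", f"bogon source {hdr.src}"
        return "forward", "ingress ok"


def run_demo() -> List[Tuple[str, str]]:
    """Four constructed packets against a site that owns 203.0.113.0/24."""
    bf = BorderFilter(["203.0.113.0/24"])
    cases = [
        ("outside", build_ipv4_header("198.51.100.7", "203.0.113.10")),  # ordinary inbound
        ("outside", build_ipv4_header("203.0.113.5", "203.0.113.10")),   # forged internal source
        ("inside", build_ipv4_header("198.51.100.9", "198.51.100.1")),   # zombie forging an outside source
        ("outside", build_ipv4_header("10.1.2.3", "203.0.113.10")),      # private space arriving from the Internet
    ]
    return [bf.decide(iface, pkt) for iface, pkt in cases]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:8} {reason}")
```

Running the block prints the verdict for each of the four packets; only the ordinary inbound one is forwarded.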



18 Comments

  1. JJJ1969 08:53 PM 6/11/11

    Basically, we need to get SERIOUS about security, and the security vendors have to get serious about providing equipment that can provide the capacity (processing power, memory and network bandwidth) to effectively process traffic. Also, we need organizations to develop serious security policies. No one in an IT organization has a business reason to be surfing porn, on Facebook, playing games, shopping, or reading personal email from a secured network. By the same token, "It's too much work to find out what our programmers' IP addresses are" is a bunch of nonsense, as well. Quit paying lip-service to - and outsourcing - your security.

  2. m 01:26 AM 6/12/11

    Well, at least one article bothers with a few technical terms. It's pretty easy for countries to isolate the origination of persistent attacks.

    It's pretty easy to isolate within a "controlled" country where an attack is coming from, no matter how many bounces/redirects and traffic routes. It's pretty easy to isolate the location of spoofed traffic as well. The IP address doesn't need to be used to localise a source. Same as the police can work out what car is being used as camouflage for a sniper rifleman inside shooting people. All you need is time.

    It's almost impossible to isolate the origin of non-persistent (encrypted comms) that have payloads that come into effect from another system after a number of months.

    The hacktivists use persistent methods to get in, so you can be sure it's easy for cooperating countries to localise attacks. China/Russia/Thailand/Italy etc. will never agree to cooperate, so running through them is a good idea.

    @JJJ1969 getting there.
    Facebook employees would disagree twice.

    Some backdoors are Microsoft flaws from months ago that haven't been patched; there are even some backdoors that won't be patched for years on the internet at the moment.

    To assume a company can have an up-to-date security system in place (that works) is assuming you have a lot of money and are in some sort of collaborative association with your government. It's impossible otherwise.

    It's tantamount to a stupid judge saying the bank is not responsible for holding your money: when it gets flagged as a dodgy withdrawal it lets it through.

    No one's computer, EVEN using the LATEST anti-virus, the LATEST anti-hacking tools, cannot be hacked and have their bank accounts robbed. Criminals can cut through a computer system's security like a hot knife through butter.

    It's stupid judges like this that let the system perpetuate and solely blame users...

    Sure companies have the latest anti-virus...so what...people's accounts have been drained dry even with the latest software.

    The blame lies with the criminals; the bank holding the money, if it is flagged for any reason as a bad transaction, is the SOLE responsible person!

    The JUDGE was wrong and should not be judging anyone in a technical capacity ever again. I hope anonymous/lulzsec finally discredit this abomination of a judge.

  3. eco-steve 04:44 PM 6/12/11

    Perhaps one way to keep out infection would be to put vital parts of the operating system in ROM, making it impossible to be modified.

  4. debio 10:36 AM 6/13/11

    I find it both amazing and somewhat depressing that the first, most obvious, most practical and really simplest solution to being hacked/infected is almost never mentioned.

    Eliminate the vector/host. If a specific system is the vector for 99% of vulnerabilities, choose a different system.

    The simple fact is that there are really no "computer" viruses/trojans/worms. To use the word "computer" as a class describing all such vulnerabilities is misleading and obscuring. These vulnerabilities are coupled to specific operating systems and/or specific applications run on those operating systems.

    The overwhelming majority of compromises occur on Windows operating systems, and more often than not, using MS Office and/or MS Exchange.

    In numerous such discourses I have never read the most sensible solutions:

    1. Don't use Windows (use Mac or Linux)
    2. Don't use MS Office (use OpenOffice)
    3. Don't use Internet Explorer (use Firefox / Chrome)
    4. Don't use Exchange (use Thunderbird)

    And no, I am not advocating or bashing here. I am just amazed at the lack of investigative depth when it comes to computer "vulnerabilities" and solutions to the problem. In the same vein, if the counter-argument is "well, we use MS Office formats and thus shifting to other platforms is not feasible", then I suppose you should get your just deserts. There are enough compelling and, for practical purposes, mutually compatible formats that anyone serious about considering workable alternatives would explore.

  5. dlafky 05:01 PM 6/13/11

    @debio— Surely it has been pointed out enough times that the relationship between Microsoft products and vulnerabilities is opportunistic. Hackers attack it because of its huge market share, so that one successful exploit will net a big reward. Why attack the niche products where the rewards are proportionately smaller? Those who think they are immune from attack because they use a niche OS or application are living in a fool's paradise.

  6. bucove 08:04 PM 6/13/11

    Security is a Chimera. Our culture of possession and consumption has reached a practical limit on returns. The Genie is out of the bottle, and dishonesty will not be easy to return to Pandora's Box. Yet for our future, there are few if any functioning alternatives.

  7. HubertB 08:23 PM 6/13/11

    There are now viruses for UNIX. Many use SCUD files. As I understand it, the new Lion operating system for MACs will use LINUX for that reason. The virus writers will need to start all over again. By this point LINUX should be stable enough to put in ROM so a virus would not affect it. Still, I have no idea what will happen.

  8. blk1958 12:35 AM 6/14/11

    We should have the option to turn on verification of packet origination. Any packets not confirmed to originate as specified would then be dropped. If we force the sources to be validly identified, then when that source is pegged as bad, we should be able to deny accepting anything from that source. We should also stop accepting anything from areas that do not clean up infected computers. Eventually we should start seeing less spoofing and be better able to track the true origins of malicious attacks and even SPAM. We can still allow anonymous sources, but not if sent to a destination that is requiring verification. As long as we continue to allow spoofing and anonymous transfers, we will never be able to clean up the internet.

  9. robertludwig 11:26 AM 6/14/11

    What these articles always fail to mention is that the Internet is inherently insecure. The entire concept is a college prototype on steroids. It was originally designed to transport email between students and professors and little more. Security was never designed into the backbone structure.

    Because the address is part of the message, addresses can be spoofed. Therefore, you can never be sure where it actually originated from.

    The typical message structure itself is a weakness. Many if not most of the security patches involve buffer overruns in which messages exceed expected length enabling malevolent code to be piggy-backed onto benign messages. A simple length field at the start of the message would have protected against such attacks but the designs failed to incorporate that.

    All the "security" that the Internet has is bells, whistles, and tintinnabula hung off a fundamentally insecure structure. Virus scanners always operate behind the curve. By design they are generally forced to play catch-up with the hackers. Even with heuristics, they are limited by having to know what attacks have been used before they can protect against them.

    Routers and firewalls provide some protection but they too can be breached. Cryptography can be cracked. VPNs transport private point-to-point messages over a broadcast network.

    Unlike a telephone, which is a secure point-to-point network in which the address (phone number) is also the location (or at least user in the case of wireless), the Internet is a broadcast media. Messages are transmitted across multiple routers and may be seen (and presumably ignored) by multiple systems. Network interfaces operating in promiscuous mode can see traffic that is not addressed to them.

    The Internet is, and until it is fundamentally redesigned will remain, a school project on which we have decided to place our trust for world commerce.

  10. emkamau in reply to dlafky 12:21 PM 6/15/11

    @dlafky
    Microsoft Windows may be attacked because of its large installed base or because it's insecure, but that does not change debio's logic at all.

    If you don't want to be attacked, get out of the way of the attacks, regardless of the reason for the attacks.

    This is really about the Windows monoculture: instead of trying to find ways to secure that monoculture, we should be getting rid of it.

    emk

  11. electric38 04:07 PM 6/16/11

    Wikileaks showed clearly that there were "good" hackers as well as bad ones.
    Sometimes our own news organizations (for political or monetary reasons) refuse to print the truth. Capitalism is alive and well within the news and the news media owners.
    Stock market trades by insider traders, lobbyists gifting to politicians or weapons suppliers, politicians voting towards campaign contribution money while ignoring their constituents, and many other "under the radar" schemes.
    Hackers find these schemes out. Nobel peace prize winning Wikileaks and similar organizations report them to the public, as it should be.
    Whistle blowers and hackers are a necessary part of the internet. In many instances, it is good that they are hard to track. In many ways they are the "guardian angels" of the internet.

  12. wmroche 05:25 PM 6/17/11

    Just do what I do. Have one computer, dedicated to your online banking and shopping. No email allowed. Mine is on a network with no write privileges from other computers.

    For years I used a 1998 computer running (U guessed it, W98). With No anti-virus, no-firewall other than my router, no security software whatsoever. I did use Firefox with NoScript as an addon. Never a problem with that computer. Except it was slow on the Internet, especially with the banking sites. And couldn't get newer versions of Firefox to work on it.

    Recently upgraded to a used 2008 with a new hard drive with XP freshly installed.

    That should do me for another 15 years or so. And I will not let my grandchildren use it for playing games and surfing and facebook and what-not.

  13. cubeboy 03:31 PM 6/19/11

    Just to change the subject - where did they get that stock photo of a computer keyboard? The "Y" and "Z" keys are interchanged! Try touch-typing on that!

  14. psmall in reply to debio 03:48 PM 6/20/11

    You are of course assuming Windows has the most vulnerabilities, that is not true. Apple has more, Linux has more and Windows is running close to last place for number of vulnerabilities. (See SANS.org)

    Linux/Apple based solutions deploy the OS with a ton of built-in applications that also have hundreds of vulnerabilities. As well, many are deployed with services enabled that are not even used.

    When you look at OS vulnerabilities the numbers are rather telling: Microsoft is running last place in number of known vulnerabilities, and Linux and Apple are only ahead by about 15% to 20% more vulnerabilities. But when you add application vulnerabilities the numbers increase exponentially. And Microsoft is still in last place for number of known vulnerabilities. (Just plain and simple facts)

    Increase the install base in the non-windows OS's and the attacks will only increase as installs increase. The non-windows systems aren't ready for prime time in incident management either. Almost everyone in IT can operate, troubleshoot and restore a Windows operating system to normal operations. The skill sets for these other operating systems are far fewer and harder to find in potential employees. As for the centralized management tools, they just don't exist or have the scale required to manage the systems on a global scale.

    Also, no self-respecting, IT Professional is going to use open source or FreeWare applications to manage a real business. You have to have support, accountability and know the development paths of the products your business depends on to generate revenue. No company is going to take an unknown risk when it comes to revenue generation.

    Your recommendations would certainly increase operating, support and training costs to unsustainable levels. A few years ago I took a look at what it would cost to replace our Wintel systems with Apple and the applications it would require to do so for about 50,000 users. The cost was more than $150,000,000. Now considering we did a major project in 2002-2004 where we took advantage of centralized management, security and standards control for Wintel, we managed to achieve an annual savings of $180,000,000 that continues to this day. There is no such possibility there for Apple or Linux. Manual costs would increase, support costs would increase, and if you go Apple, hardware costs more than double when you compare our Dell discount pricing to Apple’s.

  15. psmall in reply to psmall 03:50 PM 6/20/11

    Cont...

    Also take a closer look at some licensing you recommend. A lot of it is free for the individual but not for a profit making company. You also have to look at export compliance and what are the risks associated with deploying such solutions.

    As a business, I can guarantee you will not find a CFO in a Fortune 1000 company willing to take those risks. Nor will you find a CFO that is willing to flush $150,000,000 a year in savings for the illusion of a more secure OS.

  16. psmall 03:51 PM 9/22/11

    Really debio:

    1. Don't use Windows (use Mac or Linux)
    2. Don't use MS Office (use OpenOffice) Insecure
    3. Don't use Internet Explorer (use Firefox / Chrome)
    4. Don't use Exchange (use Thunderbird)
    ===========
    I have been doing IT security in a Fortune 500 company now for over 14 years and have over 20 years of hands on, operational IT experience in a global enterprise.

    Security isn't about eliminating vectors it is about managing risks to the business.

    The purpose of every business is to be profitable; IT and IT security are to be enablers for the business.

    My studies have shown that about 90% of malicious activity can be attributed to inappropriate usage by end users, including being socially engineered into doing something inappropriate.

    When the attackers penetrate your network it is often as a result of a user being socially engineered – the HUMAN is not an operating system or application, the human is the weak link and no amount of training can stop people from behaving and acting human or just acting stupid for no apparent reason.

    The "solution" you advocate is not practical or financially feasible. What you are recommending would bankrupt most companies or get you fired for being “…an idiot that doesn't understand the business first, then IT second.” as I have heard executives say.

    Windows platforms may have the most actively exploited number of endpoints on the planet but they DO NOT have the greatest number of vulnerabilities per endpoint. The greatest number can be proudly attributed to MAC and the second greatest number are Linux OS', Windows comes in about 4th or 5th place and that fluctuates depending on the current number of unique vulnerabilities.

    Also application vulnerabilities that run on windows also run on just about every major platform, and many exploits are independent of the OS completely. Application vulnerabilities are accounting for about 60% of current exploits replacing USB and Removable media as the number one source of infection.

    Here are the current 3-year vulnerability (CVE) counts by OS from http://web.nvd.nist.gov
    • MAC OS X – 1,170
    • Windows – 1,453 (all supported versions)
      - W7 – 777
      - 2K8 Server – 299
      - Windows Vista – 377
    • Linux – 972
    • FireFox – 379
    • Chrome – 471
    • IE – unable to get a single count when searching for “IE” or “Internet Explorer”; the search terms are too vague.

  17. psmall 03:51 PM 9/22/11

    Part 2:
    One of my friends at the FBI did a much deeper analysis of the CVEs and found the Windows number is actually a lot lower. One exploit that impacts multiple Windows versions gets counted multiple times. The real number is significantly lower and he told me it was closer to 700 unique vulnerabilities.
    I also did a financial assessment based on your exact argument a couple of years ago. To replace 40,000 PCs with MACs would have cost us over $180,000,000 in hardware, software, supporting infrastructure and licensing to run on the new OS and hardware. Also we would have run them in dual boot because some BUSINESS applications simply are not supported on anything but Windows, so now we need Windows licensing again, dual boot software licensing, and we have to train all of our support staff to manage all of these new systems, infrastructure, processes and applications.

    When you consider the amount of supporting infrastructure (patch management, software distribution, change management, AV, and 30+ other very expensive products or services that would, for the most part, have to be scrapped before capitalization or replaced to support a new OS), that would run a company of 50,000 employees about $50 million. I would love to see that presented to my CFO.

    At the same time I can replace every single piece of windows hardware with brand new, state of the art hardware, newest OS and newest applications; and I did it about 7 years ago for $32 million, on time and within $100,000 of the budget. The cost today would be higher but not much higher. Travel and shipping is more expensive than then but the hardware cost are half of what they were then as well.


    How can you possibly justify the $150 million cost increase for the minimal amount of risk reduction? You do not get a 6 fold ROI from Mac or Linux. You just don't. I can spend $430,000 to do a FireEye deployment on a global scale and be done in a matter of weeks; I can also increase my protection for EVERY SINGLE OPERATING SYSTEM AVAILABLE on my network worldwide.

    Any business is going to be far more willing to spend $430,000 to protect 90% of their assets than they would be willing to spend $180,000,000 to maybe protect 100% of their systems. I would love to see you propose that you want to spend an additional $179,570,000 to cover the final 10% of unprotected systems to my CFO or CIO. I would pay money to see that one.

  18. psmall 03:52 PM 9/22/11

    Part 3:

    I priced out systems at Dell compared to Apple. A fully stocked and licensed Dell laptop runs about $3,000 once all is said and done. This includes 24 hour response on-site support ANYWHERE IN THE WORLD, Apple just doesn’t have that ability beyond the United States and some European Countries, we asked and they cannot deliver or compete on the support model that Dell offers, Apple won’t even try. Dell was able to get to the North Slope in Alaska within 48 Hours; I would like to see any other vendor that can do that.

    Average downtime for a user with a Dell is 24 to 48 hours; Apple is 3 to 5 days (my dad has gone 7 to 10 days more than once, and he is a licensed Apple dealer). You have to calculate that cost in as well. If you have a PhD scientist unable to work for 5 days versus 2 days, that can add up quick.

    When all is said and done you can have a greater illusion of security with a MAC or Linux and an extremely high premium price, or you can stick with Microsoft and Windows for now and maintain, at far less effort or cost, a more secure environment that enables the business and helps to drive profit margins.

    Windows is what we have to live with in Corporate America. So instead of living in a dream world where we just replace everything with infinite dollars and budgets we have to operate in the world we live in and deal with what is real and what is in front of us. Windows is here to stay and we are going to have to live with it. If Apple can take off in the market again, I will become a “Mac Guru” again (Showing my age) I still have my SE/30 Mac Cracker – how sad is that!!

    Oh, and I am almost done with my White paper on why Defense in Depth, as practiced, is neither practical nor sustainable. That should go over well. That paper will be published by SANS in the next couple of months after peer review is completed.

