2014-04-02
Abstract
Working both as a product manager and as an IT security expert and evangelist for an IT security company, Sorin Mustaca has seen that, with the technologies and products that we have available, we can't mitigate all the attack vectors used by today’s cybercriminals. He asks whether the security industry is up to the new challenges to come.
Copyright © 2014 Virus Bulletin
I decided to write this article as a reaction to the events of the past several months in the IT world.
Reading and monitoring the IT security news [1] has made me think a lot about the future of the security industry. For me, the IT security industry encompasses all companies and non-governmental associations that deal in one form or another with IT security and the privacy of data and individuals (anti-malware vendors are, of course, included).
For the past 25 years, the IT security industry has done a great job of protecting users against existing and emerging threats, in the form of files (copied, downloaded or emailed), streams of data (remember Code Red), and recently, even against common vulnerabilities in third-party software. We started with Windows, continued with MacOS and Linux, and lately we have extended the protection to mobile devices running various operating systems.
Working in a dual role – as a product manager and as an IT security expert and evangelist – for an IT security company, I have seen that with the technologies and products that we have available, we can’t mitigate all the attack vectors used by today’s cybercriminals, and thus we can’t fully protect our users against them.
The new threats I am referring to are: government surveillance; attacks against special devices; breaches of accounts or servers; and secret vulnerabilities that are not made known to the manufacturer of the software/hardware/system in question.
In light of the recent disclosure of NSA (and other governmental) surveillance, people have started to ask how they can avoid being spied on. We don’t have a universal solution right now, but there are various possible mitigation techniques. Using Virtual Private Networks (VPNs) or the Tor network and its browser are ways to mask your IP address and the websites that you visit.
Another way to keep your data private is through the use of encryption (in the right places). A good start would be to encrypt back-ups [2] – especially those that are stored in the cloud. Encryption should also be used when browsing. Unfortunately, not all websites redirect to the HTTPS versions by default. This is where extensions like HTTPS Everywhere [3] can help. They make the browser request the HTTPS version of a website by default, if the site supports the protocol.
The most important thing here is to keep things simple. Encryption can be a complex topic, and it must be made usable for the masses.
By ‘special devices’ I mean point-of-sale (POS) devices, printers, routers, switches, TVs and other devices that can be considered to be part of the Internet of Things. Wearable devices are a new category, as these are also seeing increasing use.
There are several considerations when it comes to attacks against special devices. The devices contain vulnerabilities – which, when disclosed, can be exploited. The biggest problem here is that some of these devices are critical for the functioning of offices and businesses. Even if a patch is made available, a router or switch will probably not be patched at all, or will be patched too late, because its business function is so important that it can’t be interrupted. Of course, IT professionals may want to prioritize patching, but small business owners have a different viewpoint. The same applies to printers (even if they are less important by far).
I keep thinking about what could have been done to avoid the recent attack against the POS of the retailer Target. The attack was certainly a very well prepared one, but I believe that in the future all attacks will be targeted and well prepared.
In the early weeks of January, Proofpoint announced [4] that it had monitored a spam wave being sent through all kinds of devices, ranging from routers, satellite receivers and NAS servers, to TVs and even a fridge (I leave aside the question of evidence for this). I’ve been asked [5] how consumers can protect themselves and their devices from such an attack. Without going into detail, there are not many possibilities, but a good start would be to change the default passwords of the devices to strong ones, and only to install extensions from trusted sources. But how can we protect against such an attack? Filtering on the gateway is one solution, but how many consumers can afford something like that?
Every week we hear about breaches of the social media or email accounts of high-profile individuals, ranging from actors to government officials. These cases all have something in common: either the accounts have extremely simple passwords, or their owners are unable to recognize a social engineering attack. The question that arises here is: whose responsibility is it to teach these people to use strong passwords and to detect a social engineering attack against them? Can we address this situation and create more awareness? Who’s going to pay for the publicity needed to reach these people?
Last year was definitely the year of the major server breach. We all know that this is just the tip of the iceberg, and that the breaches we heard and read about are only the few that were disclosed. There are multiple reasons why the breaches occurred: there were vulnerabilities in the server software which remained unpatched; there was poor server security (including weak passwords); and social engineering was used to obtain credentials.
The problems usually don’t end with the server breach. In each reported case the purpose of the hack was to obtain information about the users of the services in question. The results of some of the hacks were disclosed, including harvested user credentials. This is how we discovered the disastrous security status of many of the servers involved. We’ve seen some very bad programming techniques, passwords stored in plaintext files, and no minimum security requirements for passwords (as a consequence of which, the passwords used by many users are just too simple and easy to guess).
Can we do anything to improve this situation? A standardized and/or unified way of managing credentials (such as OpenID), better patching software (maybe offered for free), and two-factor authentication are just a few ways of mitigating these problems.
By far the biggest breach to have been disclosed to date was the unprecedented hack of Adobe’s servers which resulted in the loss of the source code of many of the company’s products. In the breach, Adobe lost more than just the source code of some of its free products; it also lost its ability to keep the vulnerabilities present in the code private. Now, because the code is no longer known only to the company, the advantage of security through obscurity has been lost. We should expect a new category of exploits of vulnerabilities which are not known to Adobe and which are not going to be disclosed (at least not on purpose) either publicly or to Adobe.
‘Secret’ vulnerabilities are a special category of vulnerabilities represented by those discovered in leaked or stolen source code and never disclosed. The best example is, of course, Adobe. An attacker who discovers a vulnerability in this situation will either keep it in order to use it himself, or will sell it to the highest bidder. The bidders may be other cybercriminals or even governmental institutions.
The only defence strategy against vulnerabilities that are unknown to the producer of the software is to protect the computer from the vulnerable program through a kind of sandbox, emulation or ‘shielding’ of the program(s) that are suspicious. But if we use these for all potentially vulnerable programs, we end up in the iOS and Android dilemma: both operating systems are built like this and both still suffer from all kinds of attacks – which either occur in the protected area, or else hackers find ways to break the protection. So we don’t really have a good solution for this case.
At first glance, it appears that the IT security industry is facing new challenges for which there are currently no good solutions. But history has shown us that, actually, we might not even need to find a single solution (as in the one that solves the whole problem in the most effective way). Individual solutions, even if they come from different vendors, mitigate some of the attacks, and if they work in tandem, they can cover a large part of the threat landscape. Sooner or later, as the intensity of the attacks increases, more and more producers will find value (business opportunity) in creating tailored protection solutions against them.
[1] Mustaca, S. IT Security News aggregated. http://itsecuritynews.info/.
[2] Mustaca, S. Duplicati: How to create your own secure online backup for free. Sorin Mustaca’s blog. http://sorin-mustaca.com/2014/01/17/duplicati/.
[3] HTTPS Everywhere. Electronic Frontier Foundation. https://www.eff.org/https-everywhere.
[4] Proofpoint Uncovers Internet of Things (IoT) Cyberattack. Proofpoint. http://www.proofpoint.com/about-us/press-releases/01162014.php.
[5] Mustaca, S. Some thoughts about the spam attack sent through InternetOfThings (Proofpoint). Sorin Mustaca’s blog. http://sorin-mustaca.com/2014/01/25/thoughts-spam-attack-internetofthings-proofpoint/.