Stuxnet and duqu in perspective.
The net is buzzing about Stuxnet variant ‘duqu’. Let’s put it in perspective.
Stuxnet received a lot of attention because it was the first publicized case of malware targeting a physical control system, and anything that touches a nuclear facility is a big deal. But this type of threat certainly wasn’t unforeseen. The potential for malware and other network-centric threats to impact SCADA systems has been discussed within the security community for years. Stuxnet was simply the first to capture the spotlight.
Stuxnet samples and decompiled code have been widely available online since July, so it’s no surprise that derivatives are starting to appear. Cybercriminals of all sorts have undoubtedly downloaded, modified, and experimented with it. The vast majority of malware created today is simply a derivative of existing malware; those capable of creating something completely new are few and far between. This new variant, code-named ‘duqu’, is probably the work of an individual or small group. A government or large criminal organization would not rework the Stuxnet code. They’d study it, learn from it, and then create something completely different to avoid detection.
Organizations with SCADA systems should be concerned about a much broader range of threats rather than focusing on Stuxnet or duqu. They need to ensure that their systems are adequately protected against malware and a long list of other insider and outsider threats.
More generally, rather than focusing on specific pieces of malware, we should be asking why we continue to build systems that, from a security perspective, are fundamentally flawed. We continue to make the same mistakes over and over again, and then we’re surprised when a security breach occurs.
Don’t take photos you don’t want people to see
According to E!Online, Scarlett Johansson is “fighting mad” over some nude pics of her that ended up online. Let me offer some simple security advice:
If you don’t want people to see something, don’t photograph it.
If you have a look at the pics (Links: photo1 photo2) you’ll note that she appears to have taken them herself using her mobile phone. While I certainly don’t have any inside knowledge of the case, my bet would be that the sender’s or recipient’s email account was compromised, not the phone itself. Of course, for that to be the case she would have had to email the images to someone, which brings us to my next bit of advice:
Don’t email photos that you don’t want people to see.
Of course there’s always the publicity angle. Leak nude pics of yourself. Benefit from the exposure, but deny intent. Then play up the victim angle, collect some sympathy votes, and keep the story alive. Ah, Hollywood.
Added 2011-09-20: I linked to the photos in the original article because of their relevance to the story — they showed her holding the camera herself. I did not copy the images to avoid a copyright infringement. It appears that they have been taken offline or access blocked.
Patch Tuesday
Microsoft issued 13 security bulletins that address 22 vulnerabilities. Out of these vulnerabilities, three are rated critical by Microsoft.
“The DNS vulnerability could result in a complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited.”
“Internet Explorer is affected by two critical vulnerabilities being patched, both of which can be exploited by a drive-by download,” Talbot added. “The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent. There is a very large attack surface.”
“We haven’t seen nearly this many low profile patches – ones that primarily result in information-disclosure or cause denial-of-service conditions – in quite some time,” Talbot concluded. “Half of all the vulnerabilities patched this month are of that type, which is rare.”
Skype encryption flawed
University of North Carolina researchers have demonstrated that the encryption system used by Skype – and presumably other VoIP products – leaks information about what is being said. The weakness is not in the cipher itself: Skype’s variable-bit-rate codec produces packet sizes that depend on the sounds being encoded, and encryption preserves those sizes, so the pattern of packet lengths on the wire is enough to perform linguistic analysis on the call. According to New Scientist, the researchers were able to recover 2.3 percent of conversations, and accuracy is expected to increase.
There is good reason that high-end cryptographic devices offer features such as maintaining a constant data rate – padding every packet to a fixed size and sending packets on a fixed schedule – independent of the data being encrypted. It sounds like Skype might want to incorporate some of those features as well.
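The following is an added example, not code from the original post or from the UNC researchers. It models the leak with a constructed toy codec (the frame sizes are illustrative, not measured Skype values) and a toy stream cipher, shows that a passive observer can pick the spoken phrase out of a candidate list from ciphertext lengths alone, and then shows that padding to a constant rate (fixed packet size and fixed packet count) removes the signal. The real attack uses a far more sophisticated phonetic model than the position-matching score used here.

```python
import os

# Constructed toy VBR codec: bytes per frame for each sound class.
# Real codecs also vary frame size with the sound, but these numbers
# are illustrative, not real Skype/SILK output.
FRAME_BYTES = {"silence": 12, "plosive": 24, "fricative": 31, "voiced": 58}
MAX_FRAME = max(FRAME_BYTES.values())
SLOT_FRAMES = 32  # constant-rate mode always sends exactly this many frames

# Constructed candidate phrases the eavesdropper is trying to distinguish.
CANDIDATES = ["hello world", "attack at dawn", "hold the line",
              "the password is swordfish"]


def sound_class(ch: str) -> str:
    """Crude letter-to-sound mapping; enough to demonstrate the leak."""
    if ch == " ":
        return "silence"
    if ch in "ptkbdg":
        return "plosive"
    if ch in "sfhzv":
        return "fricative"
    return "voiced"  # vowels, nasals, liquids


def codec_frames(phrase: str) -> list[bytes]:
    """Variable-bit-rate encoding: one frame per letter, sized by sound class."""
    return [b"\x00" * FRAME_BYTES[sound_class(c)] for c in phrase.lower()]


def encrypt_frame(frame: bytes) -> bytes:
    """Toy stream cipher with a fresh random keystream. As with AES-CTR or
    any stream cipher, the ciphertext is exactly as long as the plaintext."""
    keystream = os.urandom(len(frame))
    return bytes(p ^ k for p, k in zip(frame, keystream))


def transmit(phrase: str, constant_rate: bool = False) -> list[int]:
    """What a passive eavesdropper observes: the length of each packet."""
    frames = codec_frames(phrase)
    if constant_rate:
        # Pad every frame to the maximum size and always send a full slot,
        # so neither packet size nor packet count depends on the speech.
        frames = [f.ljust(MAX_FRAME, b"\x00") for f in frames]
        frames += [b"\x00" * MAX_FRAME] * (SLOT_FRAMES - len(frames))
    return [len(encrypt_frame(f)) for f in frames]


def guess_phrase(observed: list[int], candidates: list[str],
                 constant_rate: bool = False):
    """Eavesdropper: score each candidate by how many packet positions match
    the observed sizes. Returns the best candidate, or None on a tie."""
    scores = {}
    for cand in candidates:
        expected = transmit(cand, constant_rate)
        hits = sum(1 for a, b in zip(observed, expected) if a == b)
        scores[cand] = hits / max(len(observed), len(expected))
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    for mode in (False, True):
        seen = transmit("hello world", constant_rate=mode)
        print("constant rate" if mode else "VBR", seen[:8], "...",
              "->", guess_phrase(seen, CANDIDATES, constant_rate=mode))
```

The cost of the fix is bandwidth: constant-rate mode sends MAX_FRAME bytes per packet and keeps sending during silence, which is exactly the trade-off a VBR codec was introduced to avoid. Padding sizes alone is not sufficient either; the number and timing of packets leak as well, which is why the example also fixes the packet count.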
Blame it on Amazon?
With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings. The latest is Bloomberg’s report,
“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”
While it’s mildly interesting that the criminals chose to use Amazon servers, it’s not really surprising. Amazon Web Services offers great services at good prices and attracts a wide range of customers – individuals, small businesses, and large enterprises all leverage its services. Given the alleged sophistication of the attack, EC2 is simply an obvious choice.
While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else. Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots. They probably even purchase their computers at the same places we do.
The Sony PlayStation Network data exposure has two causes:
- Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information — was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
- The criminals. Let us not forget that Sony was the victim of a crime.
Like the TJX breach, the Sony security breach should be a wake-up call. Consumers often feel safer dealing with larger, more established companies. But it appears that some of them don’t have security right yet.
We also need to understand that tracking down cyber criminals is becoming increasingly difficult. Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere. However, with the widespread proliferation of free WiFi hotspots and disposable mobile phones and data devices, we need to accept the fact that tracing an attack back to its source may not be possible. More traditional investigation methods – like following the money trail – remain important, and those techniques must be constantly updated.