Tag Archives: attack

Side effect of IoT growth – more attack platforms


Rapid growth brings many good things, but also drives how we manage risk. [Image: theconnectivist.com http://bit.ly/1owv1dp]

The rapid growth of the Internet of Things (IoT) phenomenon, along with its corresponding rapid growth in device count, has been the talk about town over the past year or so. While IoT promises many good things, more conversation is being directed toward the risk brought about by the Internet of Things. Often this is in the form of someone will hack your web cams, steal your FitBit health information, hijack your routers and printers, or monkey with your thermostat remotely. While all important risks and concerns, I think that the bigger IoT risk has more to do with the sheer numbers of devices.

IoT devices as attack enablers

In all of the hoopla and coolness and excitement of the Internet of Things, we can sometimes forget the underlying subtle and amazing thing that they are all networked computing devices, many with well known and well understood operating systems. So, for a moment, forget that cool thing that the IoT device does in its local environment (capture video, audio, biometric authentication information, health information, temperature, humidity, refrigerator status, air composition, etc) and just remember that they are networked computing devices — many of these with substantial computing resources.

What this means is that IoT devices are not just targets themselves, but can also act as attack enablers or attack platforms. This can occur via direct hack or by unwitting participation in a botnet.


Baku-Tbilisi-Ceyhan (BTC) pipeline near the eastern Turkish city of Erzincan on Aug. 7, 2008.

From this recent analysis of a 2008 Turkish pipeline hack and sabotage:

“As investigators followed the trail of the failed alarm system, they found the hackers’ point of entry was an unexpected one: the surveillance cameras themselves.

The cameras’ communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.

Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.”

So, the networked computing presence of the cameras themselves were used as a stepping stone (aka attack point) into the larger network. Some weakness in the operating system (OS) of the camera devices themselves provided a point of entry (‘vector’ in geek speak) into the pipeline’s operational network.

Big numbers

So, if we look at the growth in the number of IoT devices and consider them, for now, only as networked computing devices capable of being compromised, that’s a lot of new stepping stones for attacks.

These growing number of devices can enable & assist attacks by:

1) providing many more attack platforms, which …
2) provides more opportunities for indirection in attack, which …
3) makes attribution more difficult

buttonsLet’s get transitive – Kauffman’s buttons

At the risk of being a little bit tangential, all this reminds me of another network phenomenon, dealing with botnets, that I believe occurs. It is one that is exacerbated by the rapid increase in networked computing nodes, eg from IoT growth and has to do with how quickly the character of a network can change under fairly simple conditions.

I’ve always been intrigued with this ‘toy problem’ that Stuart Kauffman describes in his book, At Home in the Universe. He says to imagine that you have a bunch of buttons on the floor and some pieces of thread. You arbitrarily pick two buttons and then connect them with a piece of thread, a button at each end. Then you arbitrarily pick two more buttons and connect those two. (The original buttons are not excluded; they are still contenders. ) Keep doing this. While doing so, create a graph and plot the thread to number of buttons ratio on the X axis and the size of the largest cluster on the Y axis.


Not too much happens at first. Early on, the largest button cluster stays pretty small. Then, at a certain point, the size of the largest cluster leaps. Logically, it’s not surprising. You can see how it happens. However, I still find myself staring at that big jump. That’s a real phase change for at least one aspect of that button network.


Quite a leap — https://keychests.com/media/bigdisk/pdf/16096.pdf


I think a similar thing happens with some botnets, particularly P2P botnets, as they grow in size. We can make the reasonable assumption that some botnet sizes are more effective than others at carrying out their varied nefarious tasks, eg 1000 is probably better than 10. While individual bots in botnets do not connect to all of the other bots on the network, they do connect to many.

IoT growth => More buttons

In this environment, I think Kauffman’s toy problem still applies. Namely, at some point, the largest cluster size grows very rapidly. Maybe not with the near-vertical drama of Kauffman’s problem where everything can be connected, but still with a significant acceleration in growth of the largest cluster once a critical point is reached. And if the largest cluster size suddenly meets or exceeds that putative optimal botnet size, well then, we’ve got ourselves an effective botnet.

So if the rapid growth in IoT provides many more buttons, then there are also many more buttons/potential botnet participants for the network. And the fact that these botnets can fairly suddenly (aka seemingly arbitrarily) reach their optimal effectiveness adds another air of uncertainty and difficult-to-predictness to the whole thing.

Not gloom & doom, but evolving risk picture

The sky is not falling and the Internet of Things holds much promise, but the way we look at risk will need to change. The advent and rapid growth of the Internet of Things will change some of the math on the Internet. More botnets will come online and they will do so in unpredictable ways. I’m not saying the end is near, but rather the way we look at risk will have to change.


armageddonweatherMega-disruptive economic phenomena, or ‘catastronomics’, were the topic of a Centre for Risk Studies seminar at the University of Cambridge last month. Large scale cyberattacks and logic bombs were included with other relatively-unlikely-but-high-impact events like flu pandemics, all out wars between China and Japan, large scale bioterrorism, and other general unpleasantness.

So, we’ve got that going for us.


[Image: http://supremecourtjester.blogspot.com/2012/12/friday-final-weather-forecast-wear.html]

Cybersecurity & Prussian pragmatics


Carl von Clausewitz

Carl von Clausewitz, Prussian General, famed war theorist, member of the OQBLRC (Often Quoted But Little Read Club), and author of On War makes this statement in Chapter 3 of On War:

“Our knowledge of circumstances has increased, but our uncertainty, instead of having diminished, has only increased. The reason of this is, that we do not gain all our experience at once, but by degrees; so our determinations continue to be assailed incessantly by fresh experience; and the mind, if we may use the expression, must always be under arms.”

Sounds a little bit like what we are trying to do today with information security and risk management, doesn’t it? In spite of massive amounts of information, we actually have more uncertainty. We’re less well-positioned to make good decisions and we’re less confident when we make those decisions.

In information security and risk management, we are constantly learning. While there is some common ground over time, this year is different from last year, this month is different from last month. There are relentlessly new attack techniques, new tools, new players, new alliances, new motivations, new targets, and new vulnerabilities. We are in the position of perpetual learning. In Clausewitz’ words, “we do not gain all our experience at once … [we] are assailed incessantly by fresh experience.” While a different context, I think we can heed Clausewitz’ advice that “the mind … must always be under arms” in our modern cybersecurity environment.

However, not to despair …

Reason for hope #1 — leadership & coup d’oeil

If we can extend the metaphor of kinetic battle a little bit further, Clausewitz tells us that, in the middle of the fur ball of confusion and uncertainty, there are moments of brief understanding of the greater gestalt, though, and that these moments are stepping stones to truth that can guide us in decision making. This has been called coup d’oeil by the French, Napoleon among others, — “There is a gift of being able to see at a glance the possibilities offered by the terrain…One can call it the coup d’œil militaire and it is inborn in great generals.”

I don’t know that we have ‘great generals’ in cyberwarfare, privacy, and business security yet, but I believe that this metaphor suggests that there could be. These are the few that simultaneously see more deeply, more broadly and are resolute in their decisions. Which brings us to ‘resolution’…

Reason for hope #2 — leadership and resolution

Clausewitz says that resolution is what removes “torments of doubt and the dangers of delay when there are no sufficient motives for guidance.” For those of us in the business of information security and managing risk, that is akin to acting with intention even while knowing that we have incomplete information. And we always have incomplete information. However, what often happens in the presence of partial information and the uncertainty that it generates, is that no action is taken or undirected action is taken.

Clausewitz is saying that having that capacity for coup d’oeil — that fleeting glimpse of the comprehensive picture — the great generals then act with intention and resolution to effect their purpose.

Maybe that will be the same with cybersecurity as well, that great generals and leadership will make the difference.


[Image: WikiCommons]

Channeling the ghost in the machine

acousticcryptanalyisA team of researchers has identified a way to extract full 4096-bit RSA decryption keys just by listening to (detecting) the sounds generated by a computer.  Sound patterns can be associated with particular processes occurring on the computer.  Of special interest are the unique sound patterns generated when cyphertext (text that has been encrypted) is in the process of being decrypted.  The researchers claim that in less than an hour a decryption key can be identified by analyzing sound patterns generated by decryption of particular cyphertexts. Interestingly, this is not sound generated by fans, hard drives, or speakers, but rather sound generated by electronic components such as inductors and capacitors.

Handling interference

Most of the information-yielding acoustics occur above the 10 KHz range.  Fan noise and typical room noise generally occurs at lower frequencies and can be filtered out.

Depending on the environment, some keys can be decrypted by using a smart phone within approximately 30 cm.  Ranges of up to 4 meters have been successful using specialized equipment such as parabolic microphones.


Different computers have different signatures, but distinct core computing operations such as the HLT (cpu sleep), MUL (integer multiplication), & FMUL (floating point multiplication) X86 instructions can be identified in each.

“Magic-touch” attack

Another variant is what the authors call a magic-touch attack. In this scenario, instead of detecting patterns in sound coming from the computer, variations in ground potential of the device can be analyzed.  As with the acoustic analysis, these voltage variations in the device’s ground can be also be correlated to specific processing patterns.  These ground-potential changes can be measured directly or even by simply touching the chassis with one’s hand and then measuring the variation in body potential. Another approach is to measure the ground potential on the far side of a cable that has a ground, such as a VGA cable.


I think the genie has escaped …

2014 attacks to be highly targeted & well-researched

Security provider Websense says that  while the volume of attacks will decrease, there will be an increased use of highly targeted, well-researched attacks. These attacks, in turn, will be used as a stepping stone for subsequent malicious activity after stealing user credentials.

The firm also predicts that a major data-destruction attack will occur in 2014.  Further, according to this Websense report (and with the caveat that the firm sells related services), there will be an increase of related ransomware attacks in SMB’s. Other predictions include ongoing Java exploits, increased focus on attacking data in the cloud, and increased reconnaissance activity on executives via professional social networks such as LinkedIn.  The report also speculated increased attacks on the vendors and contractors of large companies with the thought being that these ‘support’ companies will have less sophisticated cyber defenses than their larger partners.

The roof the roof the roof is on fire

Reminiscent of the delicate lyrics of Rock Master Scott and the Dynamic Three, there’s a lot of press about a number of different attacks right now on individuals, SMB’s, and large enterprises.  CryptoLocker ransomware, a Microsoft attack via images, and the  oldie-but-goodie of continued Java vulnerabilities.  It seems that the attacks are coming from all sides. And I believe they are. 

The CryptoLocker attack seemed interesting and fairly novel a few weeks ago, but I figured it would fade away pretty quickly as new anti-virus signatures or other patches caught up with it.  However, it appears to be on the rise.  CryptoLocker is a form of malware known as ransomware where the attacker encrypts your files and then demands a ransom for the key to unlock the files.  There have been reports of successful file unlocks after paying ransom, no file unlock after paying ransom, and also of the ransomware actor extending the due date.  US Cert has issued an alert regarding the rise in infections.

And then Microsoft has issued a security advisory regarding vulnerabilities in its graphics component and malicious TIFF files. Apparently, malicious code hidden in an image can execute and do arbitrary things.  So we’ve got that going for us. Affected systems include Office 2003, 2007, 2010, Server 2008, and Lync.  Microsoft offers a fixit/workaround here.

Finally, rounding out the happy news is the update from a Kaspersky report  that there were over 14 million attacks with Java exploits between 9/2012 and 8/2013, with more than 8 million of those in the second half of that period.  While chasing down some Java issues across several hundred machines myself last week, I counted over 200 Java fixes in the past year and that’s not counting new ‘features’.

It’s been said before, but the good guys are not winning this battle.  The general consensus is that it’s getting worse, not better.  What to do?  While no panacea, the basics apply — current anti-virus with daily updates, autoupdate on operating systems, good Internet hygiene — don’t open unknown mail, don’t download unknown things, keep a watchful eye for phishing attacks, use good passwords and don’t share them.  I think this will be our best/only approach for some time to come.

SMB’s operating under false sense of security

When I used to fly in the service, one of the safety concerns was ‘complacency’.  Complacency was letting down your guard because of a feeling of safety based on numerous previous flights where nothing bad had happened.  System X never failed, system Y hadn’t failed, system Z had failed a little bit, but there was a backup, etc.  Per a recent McAfee and Office Depot survey, small to medium sized businesses (SMB’s) are suffering from a similar thing.

From a study of over 1000 participants, a majority (66%) felt confident  that their devices and data were safe from hackers.  Further, 77% felt they had never been hacked. This feeling of security is inconsistent with the evidence of SMB’s increasingly being targets of cyber attacks.  According to a statement by Congressman Chris Collins, part of the reason for this complacency is that attacks on small and medium sized businesses typically don’t make the news.  However there are a lot of them, hence the long tail.  According to McAfee, another reason for the increasing malicious activity on SMB’s is that larger businesses have had some success in hardening their enterprises to cyberattack and that has shifted the effort-invested and payoff balance for cyber criminals.

The study also found that 45% of the SMB’s responding did not secure data on employee’s personal devices and 14% hadn’t implemented any security measures at all. 

Attack map

Digital Attack Map by Google and Arbor Networks.  Click for live link.

Digital Attack Map by Google and Arbor Networks. Click for live link.

Google and Arbor Networks have created a Digital Attack Map to show Distributed Denial of Service (DDOS) attacks in real time.  The release of the map comes at the same time as Google’s release of its Project Shield using Google’s “attack mitigation technology.” The service is currently invite-only.

Because DDOS attacks are often politically or ideologically motivated, Google intends the tool to be used to assist with protection of freedom of expression.