Dark Reading: Understanding & Defending Against Polymorphic Attacks

I first wrote about polymorphic malware four years ago. I recall having a hard time getting an editor to approve publication of my piece because he claimed none of his readers would be interested in the concept. Yet in the time since then, polymorphism has gone from virtually unknown to standard practice for malware writers. Indeed, it has become so common that most descriptions of attacks don’t even call it out specifically. Webroot, in its annual threat assessment from earlier this year, reported that almost all the malware it has seen demonstrated polymorphic properties. Think of it as the chameleon of malware: the same behavior, wearing different bytes every time it shows up.

In this post for Dark Reading, I describe how polymorphism has become popular with attackers and defenders alike, the different approaches the vendors have taken, and some suggestions on keeping it out of your infrastructure.
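To make the chameleon point concrete, here is a small added example (my own illustration, not code from the Dark Reading piece or from any vendor). It models a polymorphic packer in the crudest possible way: a constant payload, a one-byte XOR “encoder”, and a fixed marker string standing in for the decoder stub that real samples carry. The payload text, the marker and the hash sets are all constructed for the example. What it shows is why a per-file hash blocklist only ever catches the exact variant you already have, while a signature on the invariant stub, or on the payload after unpacking, fires on every variant.

```python
"""Added example: why a per-file hash signature fails on polymorphic samples
while matching on the invariant decoder stub, or on the decoded payload,
still works. Toy model only: the encoder is a single-byte XOR and the
"decoder stub" is a fixed marker string rather than machine code."""
import hashlib
import os
from typing import Optional, Set

# Constructed stand-in for the constant malicious body every variant carries.
PAYLOAD = b"open C2 channel; drop persistence; exfiltrate"
# Constructed stand-in for the decoder stub that stays the same across variants.
STUB = b"XORDEC1:"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_variant(payload: bytes = PAYLOAD, key: Optional[int] = None) -> bytes:
    """Produce one polymorphic variant: STUB || key || XOR(payload, key).

    Every call with a fresh key yields a different byte stream for the same
    behaviour, which is exactly what defeats per-file hash blocklists."""
    if key is None:
        key = os.urandom(1)[0]
    body = bytes(b ^ key for b in payload)
    return STUB + bytes([key]) + body


def unpack(sample: bytes) -> Optional[bytes]:
    """Emulate what the decoder stub does at run time: recover the payload."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB):
        return None
    key = sample[len(STUB)]
    return bytes(b ^ key for b in sample[len(STUB) + 1:])


def hash_signature_match(sample: bytes, known_file_hashes: Set[str]) -> bool:
    """Classic per-file hash match: hits only the exact variant seen before."""
    return sha256(sample) in known_file_hashes


def stub_signature_match(sample: bytes) -> bool:
    """Match on the invariant decoder stub instead of the mutable body."""
    return sample.startswith(STUB)


def payload_signature_match(sample: bytes, known_payload_hashes: Set[str]) -> bool:
    """Unpack first, then hash: the decoded body is identical in every variant."""
    plain = unpack(sample)
    return plain is not None and sha256(plain) in known_payload_hashes


def distinct_file_hashes(n: int) -> int:
    """How many different file hashes n random variants of one payload produce
    (bounded by 256 here because the toy key is a single byte)."""
    return len({sha256(make_variant()) for _ in range(n)})
```

The real-world lesson is the same one the vendors have had to learn: hashing whole files is cheap but brittle, stub or structural signatures survive body mutation but get rewritten by the next packer generation, and hashing or profiling what the sample does after it unpacks is what holds up longest.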

What becomes an online museum most?

Those of you of a certain age might remember a print ad campaign for the Blackglama fur company that ran for many years, beginning in the 1960s with this image of Lauren Bacall wearing one of their mink coats.


I am riffing on this theme after visiting the National Cryptologic Museum outside the NSA offices in suburban Maryland this week. The ads came to mind because of my overall experience with the museum, and the relationship between its physical plant and the online and other publications that the NSA’s historical arm has produced.

As long-time readers recall, last summer I visited Bletchley Park in the UK. It was a great day spent at the complex and I learned a lot. Sadly, the NSA’s museum was a disappointment. And it made me realize that what makes a great museum when you first go to the actual building is part of what makes for a great online museum experience. Unfortunately, the NSA museum has neither.

Many of the world’s greatest museums have played catch-up when it comes to their websites. This is more than getting their catalogs digitized, then getting them redone with higher resolution or newer imaging technologies. It is more than organizing their collection for visitors, academics and other specialists that want to search them for their own research or just personal interests. It is also more than having something that is visually attractive to leverage the latest curatorial trends.

These great museums have also had to embrace technology in their actual buildings, something that I first wrote about for the NY Times when I visited the Abe Lincoln museum in Springfield, Ill. back in 2008. At that visit, I got to see first-hand a variety of things that are normally used in theatrical productions or rock concerts, such as spotlights, one-way mirrors and sophisticated sound systems, used to tell the story of Lincoln’s life and times. Building on that piece, I wrote for HPE’s blog about how the best code developers are learning to hone their craft and improve their user experience by studying these innovative museum designers: augmenting the visuals with other sensory experiences, understanding the consequences of context switching when it comes to telling your story, and so forth.

That is why the NSA museum stands out, but not in a good way. It is a subject that is near and dear to my heart, cryptology and its origins and use in the modern era. Check. It is located near the NSA, an interesting place in its own right. Check. It has plenty of classic stories about some key developments, going back to the Revolutionary War and how codes and encryption played a role in the birth of our country. Check. It has several Enigma units on display, showing the evolution of the machine, that you can actually touch. Check. It is dull as dishwater and has exhibits that looked like they were created back when the Apollo program was in its heyday. Big fail.

The best part of the museum wasn’t any of the exhibits but a tour that I happened upon led by a docent. Turns out he was a former Russian linguist who worked for the NSA for many years. His stories were great, and he answered all my questions with interesting personal insights (and correctly, I might add). I only wish he had a better physical plant to show his visitors.

For example, one exhibit is about how the Soviets bugged our buildings in Moscow. It begins with this object that is on display in the museum: it looks like a nicely crafted wooden replica of the Great Seal of the United States. It was given to then U.S. Ambassador Averell Harriman in 1945 as a gift from Soviet schoolchildren. It hung in the Ambassador’s residence for seven years, until a bug was found inside the carving. What is shown is a replica, but the museum installed a special hinge so you can open it and see where the bug was located.

This story was a nice precursor to a major operation called Project GUNMAN, in which it was discovered in 1984 that the Soviets had expanded their bugging program and planted electronics inside 16 IBM Selectric typewriters in our Moscow embassy offices, capturing the documents as they were typed. After seeing the Great Seal replica (and opening and closing it) at the museum, I took home a pamphlet about GUNMAN that I read avidly on the flight home. I tried to find an online copy of this document, and I did find the text here. The pamphlet was nicely produced and I learned a lot from it. Now contrast that with this link to another GUNMAN story, this one produced by two private Dutch crypto enthusiasts. It is a much better explanation, and even with the pictures included in the original NSA pamphlet, this latter piece is 1000% better and more engaging.

So if you are interested in the history of crypto, my suggestion is to forgo the actual visit. The NSA is working on building a new museum, but that could take years. In the meantime, read some of the supporting materials on their website or better yet, check out other entries at the online Crypto Museum. Second, if you are going to design a new museum, think of how the online and actual physical presence have to work together to build the best visitor experience.

HP Enterprise.nxt: Ways to expose your business to ransomware


No computing professional wants to encounter a ransomware attack, but these six poor IT decisions can make that scenario more likely. A ransom demand is rarely the result of an isolated security incident; it is the consequence of a series of IT missteps, and those missteps often expose poor decision-making that points to deeper management issues that must be fixed. In this article for HPE’s Enterprise.nxt website, I discuss how these missteps can be corrected before you are the subject of the next attack.

FIR B2B podcast episode #123: The differences between B2B and B2C marketing

This recent article in Forbes caught our attention because it neatly sums up some of the biggest differences between B2B and B2C marketing. Unlike many B2C decisions – which are based on emotion, preference or impulse – B2B decisions are practical, thoughtful and undergirded by data, or at least they should be. Among the implications of that:

  • Know the who, the why and the multiple decision makers in the chain;
  • Tell how you will make the business better;
  • Sell solutions, not features; and
  • Use personas and create a path to the purchase

Paul co-wrote a book a while back called Social Marketing to the Business Customer that touched on some of these points, and you might want to pick up a copy as they are still relevant.

One suggestion is to build an emotional attachment to the product, which isn’t always easy to do in B2B scenarios. However, buyers have a lot on the line, and that can give you an emotional connection.

ChiefMarketer.com tells how Caterpillar did that. Just because you sell big tractors doesn’t mean you can’t create a story that resonates with the community. People who drive tractors care about their work, so Caterpillar focused on the pride they take in what they do. Decisions aren’t just about features.

This story reminded us of this brilliant video Volvo produced several years ago to promote its tractor trailers. The appearance of Van Damme is unexpected, powerful and memorable, as evidenced by its 93 million views and the fact that we both recalled it eight years later.

Finally, one item that has nothing to do with trucks is the spillback a year after the implementation of the EU’s General Data Protection Regulation. A piece in eConsultancy talks about how the rules have benefited B2B marketers by helping them weed out bad practices, improve lead quality and better focus their companies’ marketing efforts.

Listen to our podcast here:

Picking the right tech isn’t always about the specs

I have been working in tech for close to 40 years, yet it took me until this week to realize an important truth: we have too many choices and too much tech in our lives, both personal and work. So much of the challenge of tech is picking the right product, and then realizing afterwards the key limitations of our choice and its consequences. I guess I shouldn’t complain; after all, I have had a great career out of figuring this stuff out.

But it really is a duh! moment. I don’t know why it has taken me so long to come to this brilliant deduction. I am not complaining, it is nice to help others figure out how to make these choices. Almost every day I am either writing, researching or discussing tech choices for others. But like the barefoot shoemaker’s children, my own tech choices are often fraught with plenty of indecisions, or worse yet, no decision. It is almost laughable.

I was involved in a phone call yesterday with a friend of mine who is as technical as they come: he helped create some of the Net’s early protocols. We both were commiserating about how quirky Webex is when trying to support a conference call with several hundred participants. Yes, Webex is fine for doing the actual video conference itself. The video and audio quality are both generally solid. But it is all the “soft” support that rests on the foibles of how we humans apply the tech: doing the run-up practice session for the conference, notifying everyone about the call, distributing the slide deck under discussion and so forth. These things require real work to explain to the call’s organizers what to do and how to create standards so the call goes smoothly. It isn’t the tech per se; it is how we apply it.

Let me draw a line from that discussion to an early moment when I worked in the bowels of the end-user IT support department of the Gigantic Insurance company in the early 1980s. We were buying PCs by the truckload, quite literally, to place on the desks of the several thousand IT staffers that until then had a telephone and if they were lucky a mainframe terminal. Of course, we were buying IBM PCs – there was no actual discussion because back then that was the only choice for corporate America. Then Compaq came along and built something that IBM didn’t yet have: a “portable” PC. The reason for the quotes was that this thing was enormous. It weighed about 30 pounds and was an inch too big to put in the overhead bins of most planes.

As soon as Compaq announced this unit (which sold for more than $5000 back then), our executives were conflicted. Our IBM sales reps, who had invested many man-years in golf games with them, were trying to convince them to wait for a year before their own portable PC could come to market. But once we got our hands on an IBM prototype, we could see that Compaq was a superior machine: First, it was already available. It also was lighter and smaller and ran the same apps and had a compatible version of DOS. We gave Compaq our recommendation and started buying them in droves. That was the beginning of what was called the clone wars, unleashing a new era of technology choices to the corporate world. After IBM finally came out with their portable, Compaq already had put hard drives in their model so they stayed ahead of IBM on features.

My point in recounting this quaint history lesson is that something hasn’t changed in nearly 40 years: tech reviews tend to focus on the wrong things, which is why we get frustrated once we finally decide on a piece of tech and then live with the consequences.

Some of our choices seem easy: who wants to pay a thousand bucks for a stand to sit your monitor on? Of course, some things haven’t changed: the new Macs also sell for more than $5000. That is progress, I guess.

My moral for today: look beyond the specs and understand how you are eventually going to use the intended tech. You may choose differently.

If we do our job, nothing happens

There is a line in a recent keynote speech by Mikko Hypponen, the CRO of F-Secure that goes something like this: “If we do our job in cyber security, then nothing happens.” It is so true, and made me think of the times when various corporate executives challenge their investments in cyber security, wanting to see something tangible. Mikko makes this point by asking them to look around at the conference room where these conversations are taking place, asking them if the rooms are cleaned to the satisfaction of the execs. If so, perhaps they should fire their cleaning staff, because they are no longer needed.

Now the difference between your security engineering staff and your janitors is obvious. You can’t see all the virtual dirt that is building up across your network, the cruft of old software that needs updating and polishing, and the garbage that your users download onto their PCs that will leave them susceptible to attack. And that is part of the problem with cyber security: most things are invisible to mere mortals, and even some specialists can’t always agree on the best cyber hygiene techniques. Most of us have an innate sense that mopping the floor before dusting the shelves above it is the wrong way to go about cleaning a room. That is because we all understand (at least on a basic level) how gravity operates. But when it comes to cyber, should we be changing our passwords regularly (some say yes, some say nay)? Or using complex strings of a certain length (some say 10 characters is fine, others say longer ones are needed)?

Mikko ends his talk by saying that we must assume that we are all targets by someone, whether they be a hacker who is still in high school or a government spy that is eager to get inside our company’s network. He says, “The times of building walls are over, because eventually someone will get in our enterprise. Breach detection is key, and we all have to get better at it.”

I agree with him completely. We must get better at seeing the virtual dirt on our networks. Building a better or bigger wall won’t stop everyone and will just foster a false sense of cyber security. And just because nothing happens, this doesn’t mean that cyber security folks aren’t hard at work. They are the cleaners that we don’t ever see, unless one day they leave someone’s mess behind.

 

FIR B2B Podcast Episode #122: Why techies make for great speakers

For technology companies, the conventional wisdom is wrong when it comes to pitching a conference or webinar session. Instead of having your CMO or other C-suite executive tell your story, trust the technical people in your shop. Your audiences will thank you for it.

Here are some of the reasons:

  • Audiences want black-and-white issues. CMOs usually see the world in nuance and infinite shades of gray. Techies value certainty. Think Sheldon Cooper’s character.
  • Facts are an endangered species these days. So who better to deliver facts than a techie?
  • Audiences want to hear stories. First-person experience from people on the front lines can deliver authenticity and credibility that the audience relates to.
  • Techies steer clear of self-promotion, which is the fastest turnoff for an audience.
  • Techies can be more effective at reaching potential customers precisely because they don’t try to promote or sell.
  • Techies can be trained to be good and sometimes great speakers. We have some tips for how to do it.

I wrote more about this for Sam Whitmore’s Media Survey. It is normally gated, but today you can read the post here.

CSOonline: What is Magecart?

Magecart is the collective name for several criminal groups that target online shopping cart systems, very often sites running the Magento e-commerce platform, to steal customer payment card information by injecting card-skimming JavaScript into checkout pages. Because the skimmer frequently arrives through a compromised third-party script or a component supplied by a VAR or systems integrator, rather than through the merchant’s own code, and lands on the site without IT ever knowing, it is usually described as a supply chain attack. I explain what this malware does, link to some of the more notable hacks of recent history, and also provide a few suggestions on how you can better protect your networks against it.

You can read my post for CSOonline here.
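One mitigation that is widely recommended against injected skimmer scripts, and a quick check you can run against your own checkout pages, is to make sure every script loaded from a third-party origin carries a Subresource Integrity hash, so a tampered copy on the CDN is refused by the browser. The following is an added example of that check, written for this page rather than taken from the CSOonline post; the HTML, the hostnames and the placeholder integrity value are all constructed.

```python
"""Added example: list third-party <script src> tags that load without a
Subresource Integrity (integrity=...) attribute. The page below is
constructed for the example; hostnames are documentation/example names."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed checkout page: one same-origin script, one third-party script
# pinned with SRI (placeholder digest), one third-party script without SRI,
# and one inline script.
SAMPLE_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="//static.example.org/widget.js" async></script>
<script>var inline = 1;</script>
</head><body><form id="payment"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the attribute map of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # attrs is a list of (name, value); value is None for bare flags
            self.scripts.append({k.lower(): v for k, v in attrs})


def third_party_scripts_without_sri(html_text: str, page_host: str) -> List[str]:
    """Return the src of every script served from a host other than page_host
    that has no integrity attribute. Inline and same-origin scripts are
    skipped: SRI only applies to cross-origin fetches, and same-origin code
    has to be protected by change control on the site itself."""
    parser = ScriptCollector()
    parser.feed(html_text)
    page_host = page_host.lower()
    findings: List[str] = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script
        host = urlparse(src).netloc.lower()  # handles https:// and // forms
        if host and host != page_host and not attrs.get("integrity"):
            findings.append(src)
    return findings
```

Two caveats a practitioner will want to keep in mind. SRI only works for scripts whose content you expect to stay fixed, so a vendor that ships frequently changing code will break your page rather than be protected; a Content Security Policy that limits which origins may run script is the companion control. And neither helps when the skimmer is injected into the merchant’s own first-party code, which is why the more notable Magecart cases still come down to patching the platform and watching it for unexpected changes.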

RSA blog: Risk analysis vs. assessment: understanding the key to digital transformation

When it comes to looking at risks, many corporate IT departments tend to get their language confused. This is especially true in understanding the difference between risk analysis, which is the raw material used to collect data about your risks, and risk assessment, which contains the conclusions and the resource allocation to do something about those risks. Let’s talk about the causes and challenges, why this confusion exists, and how we can avoid it as we move along our various paths of digital transformation.

Part of this confusion has more to do with the words we choose than with any actual activity. When an IT person says some practice is risky, what our users often hear is “No, you can’t do that.” That gets to the heart of the historical IT/user conflict. We must do a better job of moving away from being the “party of no” to understanding what our users want to do and enabling their success. This means that if they are suggesting something inherently risky, we have to work with them and guide them to the more secure promised land.

IT also has to change its own vocabulary from techno-babble to the language of business, meaning talking about money and the financial impact of their actions, if they want the rest of the company to really grok what they are talking about. Certainly, I am not the first (nor will I be the last) person to say this. This is a common complaint from David Froud when he talks to the C-suite: “If I can’t show how a risk to the assets at my level can affect an entire business at theirs, how can I possibly expect them to understand what I’m talking about?”

Certainly, it isn’t just proper word choice, and many times users don’t necessarily see the risky consequences of their actions; nor should they, since that really isn’t part of their job description. Here is a recent example. Look at this Tweet stream from SwiftOnSecurity about what is going on in one corporation. Its users pick evergreen account IDs for their VPN sign-ons: rather than having unique IDs that map to a specific, actual person, they reuse the same account name (and of course the same password) and pass it along to whoever needs access. Needlessly risky, right? The users don’t see it quite that way. They do this because IT failed to deliver a timely solution, one that is convenient and simple. I imagine the thinking behind this decision went something like this:

IT person: “You have to use our VPN if you are going to connect to our network from a remote location. You need to fill out this form and get it approved by 13 people before we can assign you a new logon.”

User: “Ok, but that is too much work. I will just use Joe’s logon and password.”

Granted, IT security is often the enemy of convenience, and that is a constant battle, which is why we have these reused passwords and why our adversaries can always rely on this flaw to infiltrate our networks. The onus is on us, as technologists, to make our protection methods as convenient as possible while reducing risk at the same time.

There are some bright signs of how far we have all come. In the second Dell survey of digital transformation attitudes, a third of the respondents said that concerns about data privacy and security were their biggest obstacle to digital progress. This was the top concern in this year’s survey; two years ago, it was much further down the list. Fortunately, security technology investments also topped the list of planned improvements in the survey. Two years ago, these investments didn’t even make the top ten, which shows the heightened awareness and priority that infosec has gained. Nevertheless, half of the respondents feel they will continue to struggle to prove that they are a trustworthy organization.

So where do we go from here? Here are a few suggestions.

 

First, as I mentioned in my earlier blog post, Understanding the Trust Landscape, RSA CTO Dr. Zulfikar Ramzan advocates replacing the zero trust model with one focused on managing zero risk. That is an important distinction and gets to the reworking towards a common vocabulary that any business executive can understand.

 

Second, we must do a better job with sharing best practices between our IT security and risk management teams. Many companies deliberately keep these two groups separate, which can backfire if they start competing for budget and personnel.

 

Finally, listen carefully to what you are saying from your users’ perspective. “Technologists show up with a basket of cute little kittens to business leaders with a cat allergy,” said Salesforce VP Peter Coffee. Think carefully about how you assess risk and how you can sell managing its reduction in the language of money.

Taking control over your own health care: the rise of the Loopers

I have been involved in tech for most of my professional career, but only recently did I realize its role in literally saving my life. Maybe that is too dramatic. Let’s just say that nothing dire has happened to me, I am healthy and doing fine. This realization has come from taking a longer view of my recent past and the role that tech has played in keeping me healthy.

Let me tell you how this has come about. Not too long ago, I read this article in The Atlantic about people with type 1 diabetes who have taken to hacking the firmware and software running their insulin pumps, such as the one pictured here. For those of you who don’t know the background, T1D folks are typically dealing with their illness from an early age, hence they are usually called “juvenile diabetics.” It occurs when the pancreas stops producing the insulin needed to metabolize the glucose from food.

T1Ds typically take insulin in one of two broad ways: either by injection or by using a pump that they wear 24/7. Monitoring their glucose levels is done either with manual finger-stick tests or with a continuous glucose monitor (CGM) that samples their level periodically.

Every T1D relies on a great deal of technology to manage their disease and their treatment. They have to be extremely careful with what they eat, when they eat, and how they exercise. A cup of coffee can ruin their day, and something else can literally put them in mortal danger.

That is what got me thinking of my own situation. As I said, my case is far less dire, but I never really looked at my overall health care. To take three instances: I take daily blood pressure meds, use a sleep apnea machine every night, and wear a hearing aid. All of these things are to manage various issues with my health. All of them are tech-related, and I am thankful that modern medicine has figured them out to mitigate my problems. I would not be as healthy as I am today without all of them. Sometimes I get sad about the various regimens, particularly as I have to lug the apnea machine aboard yet another international flight or remember to reorder my meds. Yet, I know that compared to T1D folks, my reliance on tech is far less than their situation.

I know a fair bit about T1D through an interesting story. It is actually how I met my wife Shirley many years ago: we were both volunteers at a JDRF bike fundraising event in Death Valley, even though neither of us has a direct family connection to the disease. I was supposed to ride the event and had raised a bunch of money (thanks to many of your kind donations, BTW) but broke my shoulder during a training ride. Fortunately, the JDRF folks running the event insisted that I should still come, and the rest, as they say, is history.

One of the T1D folks that I know is a former student of mine, who is part of the community of “loopers” that are hacking their insulin pumps. Over the past several months he has collected the necessary gear to get this to work. Let’s call him Adam (not his real name).

Why is looping better than just using the normal pump controls? Mainly because you have better feedback and more precise control over insulin doses. “If you literally sat and watched your blood sugar 24/7 and were constantly making adjustments, sure you could get great control over your insulin levels. But it’s far easier to let the software do it for you, because it checks your levels every five minutes. In reality, I’m feeding my pump’s computer small pieces of data that is very commonly used in the T1D community for diabetes management. So it is no big deal.”

Adam also told me he took about four days to get used to the setup and understand what the computer’s algorithms were doing for his insulin management. So much information is available online in various forums and documentation of different pieces of open source software that include projects such as Xdrip, Spike, OpenAPS, Nightscout, Loop, Tidepool, and Diasend. It is pretty remarkable what these folks are doing. As Adam says, “You need to be involved in your own care — but some of the stress in decision making is gone. Having a future prediction of your glucose level makes it easier to plan for the longer term and feel more confident.”

But looping has another big benefit, because it is monitoring you even when asleep. It also gives you a new perspective on your care, because you have to understand what the computer algorithms are doing in dispensing insulin. “The most powerful way to use an algorithm is when you combine the human and computer together — the algorithm is not learning. It’s just reusing well established rules, “ says Adam. “It’s pretty dumb without me and I’m way better off with it when we work together. That’s why I say that my setup is a thousand times better than what I had before. I have an astonishingly better tool in this fight.”

There are a few downsides: you do need to learn how to become your own system integrator, because there are different pieces you have to knit together. Some pumps have firmware that disables looping; the manufacturer did this for the patient’s protection after it was found that some models could be commanded remotely (only at close range, but still). If you upgrade your pump, your looping could be disabled.

You also need to have a paid Apple Developer account to put everything together, because the iPhone app that is used to connect his pump requires this developer-level access. “It is more than worth the $100 a year,” Adam told me. There are also Android solutions, but he has been an iPhone user for so long it didn’t make sense for him to switch.

Finally, DIY looping is not an FDA-approved treatment, though the agency is considering approval. Many other countries have recognized this pattern of treatment.

This is the way of the modern tech era, and how savvy patients have begun to take back control over their care. It is great that we can point to this example as a way that tech can literally save lives, and that patients today have such powerful tools at their disposal too. And the looping story hopefully should inspire you to take control over your own medical care.