Archive for July, 2009

Following this story, ShadowServer has an excellent write-up on the self-destructing nature of this botnet.  Interesting pieces of information:

  • The botnet size is around 200,000
  • Most of the compromised machines are in South Korea, although computers in four other countries were used
  • The botnet appeared virtually overnight
  • Compromised machines are set to begin overwriting essential files on their hard drives today, July 10, 2009

Cyberwar, according to the Rand Corporation, is about “disrupting or destroying information and communications systems”.

The term cyberwar has been ballyhoo’d by the media, although it has been in use for years along with ‘Netwar’. The latest news from South Korean intelligence organs is that North Korea’s Lab 110 was responsible. If so, previous stories about a North Korean ‘Hacking Academy’ have substance, and with all its connotations, it is disturbing that this happened so quickly, with such specific geographic localization in both origin and targeting.

From a Disaster Recovery/Business Continuity perspective, the advantages of distributed web hosting by providers such as Akamai are significant in mitigating DDoS attacks.

From a historical perspective, that approach was basically the original raison d’être of the Internet when it was first conceived by DARPA and realized as ARPANET: protection from communications loss after a nuclear attack by means of distributed node computing.

This may be an early phase of a cyberwar campaign; it is at least an experiment of sorts, complete with the lab cleanup phase. Pay attention to this story as more information becomes available ~ there will be applicable lessons for multiple perspectives.


I’ve been following the media interest in the recent and ongoing DDoS attacks against South Korean and U.S. government websites.  The alleged perpetrator is North Korea, but proving it absolutely will be difficult.  The current word is that a 100K node botnet was involved, with computers located in South Korea, China and the U.S.

John Bambenek from the SANS.org Internet Storm Center commented that ISPs and end-users bear partial responsibility for allowing/having un-patched systems, thereby enabling botnets.

While ISPs can do more to filter traffic to end-users, part of the problem on the end-user side in Asia is the prevalence of pirated copies of Windows XP and Vista, which cannot use Windows Update for automated patching.

From the standpoint of information warfare, what might this mean?  A few things to consider as possibilities:

  1. It may or may not be North Korea.  It could easily be the Chinese military using North Korea as a proxy, knowing that we have little leverage against them, and using this attack as a ‘proof-of-concept’ for the future.  Test and refine after analyzing the response.
  2. If it is the Chinese military, what is their motivation other than tactical and strategic preparation?  Given the level of Chinese government ownership of U.S. debt, hurting our economy, for example, by disrupting the power grid, works against their economic interests, unless they deem it necessary in the future.
  3. If it is North Korea, what do they hope to accomplish?  The attacks didn’t take down either the South Korean or U.S. governments, just a few websites overall.  Simple braggadocio or ‘testing the waters’, like their missile launches and nuclear program?
  4. Could this be an exercise the U.S. government/military commissioned?  This scenario isn’t far-fetched and falls within the realm of FUD.  If your goal is to increase spending and awareness of information security in government, having a ‘straw man’ somewhere else is useful, especially if they are known to be belligerent, rant frequently against us, and their ‘great leader’ appears somewhat psychotic.  A very convenient bogeyman.  The compromised targets were government agency websites including the U.S. Treasury and Federal Trade Commission, while the Pentagon and White House were unaffected.  Make smoke and noise, but no fire.
  5. Botnets are comparatively easy to rent for a specific time and purpose, in this case a DDoS against U.S. and South Korean government websites.  Conceivably, they may also be virtualized.  Think about cloud-level botnets available on-demand.

The story linked to above says that code is being analyzed by experts and that foreign-language-fluent investigators are roaming Internet chat rooms, looking for braggarts.  A strategy I’d expect as a continuation of any disinformation campaign would be to plant ‘talkers’ in the appropriate IRC channels; this reinforces the straw-man function and lends credence to the purported origin.

Events may be exactly what they are purported to be, or something else entirely.  As information security professionals, think about the possibilities and motivations behind any adversary’s actions, beyond the obvious and easy answer.

Food for thought, and more to chew on later…


We’ve all read about how Security Awareness training is required and how it doesn’t seem to work too well.  A recent study by the Ponemon Institute lends credence to the latter point and underscores the need for more stringent Data Loss Prevention policies and procedures in organizations.  The study, released on June 10th and sponsored by IronKey, surveyed 967 individuals across a broad spectrum of industries.

From the IronKey website:

  • The majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk. Such behaviors include the insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings and more.
  • According to the study, 69 percent of employees surveyed said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
  • 61 percent admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
  • Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
  • 58 percent of the respondents said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
  • Approximately half of the survey participants said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
  • Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.

So, with these in mind, what is our take-away and what do we do to change this reality?

  1. Organizations must do more to educate employees and contractors about the critical value and essence of protecting corporate information, from the standpoint of compliance risk and cost, loss of public and client confidence in the organization, and support for the organization’s core values.
  2. Organizations must implement more effective and comprehensive Data Loss Prevention policies and procedures.  USB sticks, while very handy, shouldn’t be allowed to connect to client computers unless there is a confirmed business need, e.g., conference presentations, corporate travel, work in conjunction with another tool like a laptop or notebook in the field, etc.  It’s far too easy for employees to use USB sticks as neo-sneakernet technology for telework.  Convenience must be trumped by Security here because the risks from device loss, data loss, and introduction of home-brought malware back into the organization are too great to ignore.
  3. Similarly, organizations must enact stringent endpoint controls, specifically user account rights, which prevent users from installing unauthorized software.  Too many users run as Local Admin on their desktop or laptop computers.  Establish a base operating system image for deployment across the organization, providing software tools to user groups via policy.  For example, an organization can provide an image for Windows XP or Vista which includes Office as a base, then selectively, through Group Policy, allow certain users or groups to use additional software on an as-needed or per-use basis.
  4. Endeavor to educate users about the costs of compliance breaches during security awareness training.  Sharing organizational and industry-specific metrics about compliance cost can be eye-opening – Security Managers must do more to evangelize to management about how expensive it is to be non-compliant.  Perhaps tying corporate bonuses and raises to compliance breach awareness might be beneficial ~ when users have a financial stake in the outcome, they tend to pay more attention…
  5. The overall problem is getting worse and people are complacent.  Make security policies easier to understand by employees and friendlier to teach.  Seek out new and innovative ways to teach security awareness, for example, teach employees about the home vacation security guide by ISECOM and about how to keep their children safe online ~ in other words, make security awareness PERSONAL!  This consciousness-raising will transfer to the workplace if done correctly and compassionately.  Teach employees how to protect themselves and how to protect you, because you are their ‘bread & butter’.
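As an added illustration of items 2 and 3 (this script is not from the original post), a read-only PowerShell audit that reports two of the endpoint gaps described there: accounts sitting in the local Administrators group beyond an expected baseline, and removable USB storage left unrestricted. The expected-member list is an assumption for this example; the USBSTOR service key and the Vista-era Removable Storage Group Policy key are real Windows locations, and the `net localgroup` fallback is for hosts without `Get-LocalGroupMember`.

```powershell
# Added audit example (not the original post's code). Read-only: changes nothing.
# Assumes Windows PowerShell 3+; uses Get-LocalGroupMember (5.1+) when available.

function Get-LocalAdminMembers {
    # Prefer the cmdlet; otherwise parse the classic 'net localgroup' output.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        return @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    }
    $lines = @(net localgroup Administrators)
    # Member names follow the dashed separator and precede the status line.
    $i = 0
    while ($i -lt $lines.Count -and $lines[$i] -notmatch '^-+$') { $i++ }
    return @($lines[($i + 1)..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed' })
}

function Test-RemovableStorageRestricted {
    # USBSTOR Start = 4 disables the USB mass-storage driver outright.
    $usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    if ($usbstor -and $usbstor.Start -eq 4) { return 'USBSTOR service disabled' }

    # Group Policy "Removable Disks: Deny read/write access" (Vista and later)
    # writes under this device-class GUID.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
                 '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $policy = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
    if ($policy) {
        if ($policy.Deny_Read  -eq 1) { return 'Removable disks: read denied by policy' }
        if ($policy.Deny_Write -eq 1) { return 'Removable disks: write denied by policy' }
    }
    return $null   # nothing restricts removable storage
}

$admins = Get-LocalAdminMembers
# Assumption for this example: only these principals belong in Administrators.
$expected   = @('Administrator', 'Domain Admins')
$unexpected = @($admins | Where-Object { ($_ -split '\\')[-1] -notin $expected })

Write-Output "Host: $env:COMPUTERNAME"
Write-Output "Local Administrators: $($admins -join ', ')"
if ($unexpected) { Write-Output "FINDING: non-standard local admins: $($unexpected -join ', ')" }
else             { Write-Output 'OK: no non-standard local admins' }

$usb = Test-RemovableStorageRestricted
if ($usb) { Write-Output "OK: $usb" }
else      { Write-Output 'FINDING: removable USB storage is unrestricted' }
```

Run it in an elevated session across a sample of workstations to measure how far the fleet is from the baseline image before tightening Group Policy.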

There are a variety of security awareness training resources online; here are a few to consider:

As security managers and practitioners, the gauntlet has been thrown down!  It’s up to us to raise awareness among management and help find new methods of providing security awareness training, ways that increase the stickiness of the subject across the audience spectrum.  We know we have to speak ‘business’ to management to help them understand why security is important, essential, and a cost-saver, not just a cost-center; now we have to find ways to do the same with awareness training, making it far more than just ‘checking the box’ each year.