Start today, secure tomorrow.
Another year has passed, and it has been an interesting one for me: not only because of all the NSA files, but even more because of the awareness they brought to people. The NSA 'scandals' are clearly the number one topic of this year, but a lot of other things happened as well.
DDoSing the world
We started this year with massive DDoS attacks against Spamhaus, using a technique that was new to many: the 'DNS reflection attack' (also called DNS amplification). Here is the trick: you send a small DNS query to an open DNS resolver with the victim's address as the spoofed source, and the resolver sends its much larger response to the victim instead of to you. Repeat that through thousands of open resolvers and the victim's internet connection simply runs out of bandwidth. Last April ING suffered DDoS attacks as well (despite their statements to the contrary); the big question remains, up until today, what kind of attacks were executed (ING has never said anything about this). Since then most companies have become aware of the risk and wanted solid protection against DDoS attacks, but have they got it? Is DDoS mitigation actually implemented? Are the risks spread, or are the primary company processes still vulnerable?
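The reflection attack described above, as an added example that is not part of the original post: a small Python detector that runs over NetFlow-style flow records and flags hosts that receive large DNS responses from many resolvers while sending (almost) no queries themselves. Everything in it is an assumption for illustration: the flow records are constructed, the addresses come from the RFC 5737 documentation ranges, and the thresholds are starting points to tune against your own baseline.

```python
"""Added example (not from the original post): detect DNS reflection /
amplification victims from flow records.

The attacker sends small DNS queries to open resolvers with the victim's
address as the spoofed source, so the resolvers deliver their much larger
responses to the victim. From the victim's (or the ISP's) point of view this
shows up as many UDP/53 *responses* arriving from many resolvers, with far
more bytes coming in than the host ever sent out as queries.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX collector exports it."""
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    packets: int


# Constructed sample flows (not captured traffic). Addresses are from the
# documentation ranges (RFC 5737), so they match nothing real.
SAMPLE_FLOWS = [
    # A normal client: one query out, one modest answer back.
    Flow("10.0.0.5", 40001, "192.0.2.53", 53, 64, 1),
    Flow("192.0.2.53", 53, "10.0.0.5", 40001, 180, 1),
    # A busy but legitimate internal resolver talking to one upstream server.
    Flow("10.0.0.53", 53, "192.0.2.200", 53, 48_000, 800),
    Flow("192.0.2.200", 53, "10.0.0.53", 53, 360_000, 800),
    # The victim 203.0.113.10 never sends a query, yet six open resolvers
    # send it large responses: the signature of a reflection attack.
    Flow("198.51.100.11", 53, "203.0.113.10", 80, 3_100_000, 1000),
    Flow("198.51.100.12", 53, "203.0.113.10", 80, 2_900_000, 950),
    Flow("198.51.100.13", 53, "203.0.113.10", 80, 3_300_000, 1050),
    Flow("198.51.100.14", 53, "203.0.113.10", 80, 3_000_000, 980),
    Flow("198.51.100.15", 53, "203.0.113.10", 80, 3_200_000, 1020),
    Flow("198.51.100.16", 53, "203.0.113.10", 80, 2_800_000, 910),
]

# Assumed size of the small query the attacker spoofs; only used to estimate
# the amplification factor from the observed response sizes.
ASSUMED_QUERY_BYTES = 64


def summarize_dns(flows):
    """Per destination host: bytes/packets received from UDP/53, bytes sent to UDP/53,
    and the set of resolvers that responded."""
    stats = defaultdict(lambda: {"bytes_in": 0, "pkts_in": 0, "bytes_out": 0, "resolvers": set()})
    for f in flows:
        if f.sport == 53:                      # a DNS response arriving at f.dst
            s = stats[f.dst]
            s["bytes_in"] += f.nbytes
            s["pkts_in"] += f.packets
            s["resolvers"].add(f.src)
        if f.dport == 53:                      # a DNS query leaving f.src
            stats[f.src]["bytes_out"] += f.nbytes
    return stats


def detect_reflection_victims(flows, min_bytes_in=1_000_000, min_resolvers=5,
                              min_avg_response=1000, min_in_out_ratio=10.0):
    """Return {host: details} for hosts that look like reflection victims.

    Thresholds are assumptions to tune to your own traffic. A host that sent
    no queries at all gets an infinite in/out ratio, which is exactly the
    spoofed-source case: the queries were sent by the attacker, not by it.
    """
    victims = {}
    for host, s in summarize_dns(flows).items():
        if s["pkts_in"] == 0:
            continue
        avg_response = s["bytes_in"] / s["pkts_in"]
        ratio = float("inf") if s["bytes_out"] == 0 else s["bytes_in"] / s["bytes_out"]
        if (s["bytes_in"] >= min_bytes_in
                and len(s["resolvers"]) >= min_resolvers
                and avg_response >= min_avg_response
                and ratio >= min_in_out_ratio):
            victims[host] = {
                "bytes_in": s["bytes_in"],
                "resolvers": len(s["resolvers"]),
                "avg_response_bytes": round(avg_response),
                "in_out_ratio": ratio,
                "est_amplification": round(avg_response / ASSUMED_QUERY_BYTES, 1),
            }
    return victims


if __name__ == "__main__":
    for host, d in detect_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{host}: {d['bytes_in']} bytes from {d['resolvers']} resolvers, "
              f"avg response {d['avg_response_bytes']} B, "
              f"~{d['est_amplification']}x amplification")
```

The internal resolver in the sample is deliberately included: it also receives a lot of UDP/53 traffic, but from a single upstream, with a healthy in/out ratio, so it is not flagged. The mitigation side is the mirror image: rate-limit or drop large DNS responses to hosts that never asked, and make sure your own resolvers do not answer recursive queries from the whole internet.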
General endpoint security
Java, PDF readers, Flash, Internet Explorer and the like still have their issues. On top of that you can add Windows XP to the list, because it reaches end of life (EOL) in April 2014. All of them were targeted by plenty of exploits and exploit kits in 2013, and their vulnerabilities are still being abused to build botnets and to steal credit card data and passwords. If you didn't patch these applications in time, chances are you are already infected, and the big question is: do you know where these vulnerabilities are in your environment?
And what about endpoints? Why are they still vulnerable? First of all, they are still a very easy target. Second, our way of working is still fundamentally flawed: we don't treat security as necessary functionality, and our customers see it as a secondary requirement at best (most of the time security feels like a nuisance). Please think twice about this: how will your customers respond if their personal data is leaked? With the introduction of BYO (Bring Your Own) this issue became even more pressing (mobile phones, but also unknown laptops and PCs). The use of privately owned devices adds risk to organizations, and I still wonder whether these risks and incidents are known and mitigated. I'm afraid not.
Cloud or Fog?
During the past year we have seen a lot of companies embracing "Cloud Services", but few seem to be aware of "Cloud Security". This is partly caused by vendors who aren't transparent enough. From a customer perspective we need to ask more questions, and we certainly don't need to accept every answer. That is why I think we are really using "Fog Services": companies don't see the true nature of most cloud services. And that is a pity, because 'the cloud' can actually improve your security through lifecycle management (LCM) and patch management. Just one detail: Microsoft Office 365 suffered some outages, and if I am to believe the security community some serious leaks were found as well. Does this 'foggy cloud' let you see whether your information was leaked? I don't think so...
Secure application development
This keeps popping up during many of our pentests: every day we run into newly developed applications that are vulnerable. I really don't blame the developers: they are asked to build functionality, but I think we would all benefit from more security awareness among them. Furthermore, most development projects have no security requirements at all, while those should be among the first things written down. I partly understand: security asks for extra knowledge and resources, but the potential damage can be far greater.
We are totally addicted to technology: not a day goes by without using our smartphone to check our next appointment or needing the internet to pay at the local supermarket. All this technology made us more vulnerable in 2013, ranging from the ING DDoS attacks to the aviation industry, which was rudely awakened by vulnerabilities found last year. My advice would be to rethink our critical technology, or at least to have backups. Next to this, we need to ask our suppliers more questions: are they really living up to their security and continuity promises?
During 2013 we saw organizations implementing a "Responsible Disclosure" policy: a legitimate way for hackers to report vulnerabilities to the owner of the service. In my opinion this is a very good initiative. The telecom industry has adopted it widely and is very satisfied with the results. On the negative side, our Minister of Justice decided NOT to create this "hacker protection" in law, even when the hackers' intentions were sincere. I'm afraid this will leave the Netherlands more vulnerable, because hackers won't reveal vulnerabilities any more: they (still) can be prosecuted.
Finally, the (Not so) Secret services
Well, to finish up this blog I could mention services like the NSA and GCHQ. But have you ever thought about your own local secret service?
Our national systems are fundamentally broken at the moment: every day we work with technology that can be infected with rootkits or has built-in vulnerabilities that give access to your data and information. What can you do? First of all: put pressure on your political system. I know this is asking a lot, but if "they" don't get the right questions, "they" won't act in the right way.
Also, try to use less obsolete technology, and less technology that is maintained under US or UK laws and authorities. This is difficult, but think about it: if data isn't held under the jurisdiction of these laws, it's much harder to gain access to it.
Last but not least, please keep your systems up to date and use a non-US or non-UK antivirus scanner: in my opinion the better place to report anomalies to.
Oh, and in the meantime the 'hacking community' will be thinking about new technologies that are harder to alter, infect or influence. Still, it remains a cat-and-mouse game.
I do have a security wish list for 2014:
- Please PATCH PATCH PATCH your systems and have your LCM (lifecycle management) in place.
- Awareness. Please train your people on security: not only your employees, but also your customers, moms, dads, brothers, sisters, grandpas, grandmas, uncles and aunts.
- Use encrypted email, for example PGP (or GPG).
- (Not so) secret services should be more transparent.
- Don't get hung up on a single technology: make sure you have a backup and a replacement plan.
- Protect information, not only your infrastructure. Firewalls block network connections, but do they also block clients that have already been exploited?
Many thanks to my co-writer Bertwin for helping out on this blog.