Monthly Archives: September 2010

Sick of Stuxnet?

Even if you’re not thoroughly sick of the word Stuxnet, you may well be pretty confused as to what “the truth” about it is. I know I am…

I think it will probably be a while before we get the whole picture, though there are a couple of last minute presentations scheduled for the Virus Bulletin conference in Vancouver next week that should be very interesting indeed: well, for sad Geeks like me, anyway. (I hope to see some of you there, maybe at the pre-drinks reception.)

I’ve spent quite a lot of the past couple of weeks working with some colleagues from ESET on a Stuxnet paper (67 pages long, so you’d think I’d be all Stuxnetted out by now). While we can’t predict all the surprises those papers will unfold, there’s some fairly detailed analysis and some observations that go a little against the “cyberwar on Iran” flow. Stuxnet Under the Microscope, by Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, September 2010 is available on the ESET white papers page at http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship has been a long and friendly one between the two companies. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

One from the “Don’t send stupid emails” department

In a frankly bizarre incident, a young British teen has been banned (for life) from entering the USA, after sending an abusive and threatening email to the Whitehouse email account. The 17 year old escaped criminal prosecution, but will be denied the opportunity to ever visit the land of opportunity.

Though this lad probably just got a bit annoyed and did something silly, one thing this does show is that young people simply aren’t being taught how to act on the internet (though reading USENET would have shown you that not many people do, young or old). Surely citizenship classes should also include information on how to be a good netizen, and schools IT curricula should include at least a basic understanding of personal security and how email works.

Full report from the BBC News site is here http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-11296303

Andrew Lee
AVIEN CEO / CTO K7 Computing

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

HP Webscan opens a hole in your enterprise

In an interesting piece of research, Michael Sutton details the vulnerability opened up by leaving HP’s Webscan service enabled on your network attached scanner/printer devices.

http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html

This really does highlight the fact that, when thinking about security, it is never good to assume anything. Any device attached to your network should be thoroughly examined, and the benefits considered.

Of course, it also is a big failure on the part of HP not to ensure such services are secured by default (or at least must be specifically enabled). Hopefully they’ll fix this, but for now, if you own an HP scanner/printer/fax device, then it’s worth checking you’re not exposing sensitive documents to the wrong people.

Andrew Lee
AVIEN CEO / CTO K7 Computing