I’ll Go You One Better

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

We have all been in the situation where we relate a story and someone has to jump in and relate a better story. If you don’t have one you can recall, here is one from Reddit:

We were going through the lunch line at the dining center of the dorms. Once we sit down, my then-boyfriend says “Hey, I got two pickles!” Because those were given to us by the servers and we usually get one per person.

His friend who was with us, an already notorious one-upper, says immediately “I usually get three pickles everyday,” (looks down at food tray) “in fact, I am surprised I only got one today.”

Good Guys Try to “One Up” The Bad Guys

Security is an ongoing battle between the good guys and the bad guys. The odds favor the bad guys because they only have to get it right once to succeed and the good guys have to get it right every time to win. Unfortunately for the good guys, many of the things they are responsible for are not under their complete control.

Software that is used to run the business can have bugs. Firewalls used to protect the network can have vulnerabilities. Endpoint protection software can have blind spots. To successfully defend the castle, the good guys need to find out about and ameliorate these shortcomings. Depending on the enterprise, that can be a daunting task. That job also includes helping end-users to understand the existing risks, how to minimize them and what to do when there is a problem. This does not take into account the efforts the bad guys make to attack the enterprise.

Back in the dark ages of ubiquitous computing, the attacks were differently motivated. One of the first major episodes was the Morris Worm of 1988. A few interesting points:

• It was not intentionally malicious
• The extreme propagation was due to a programming error in the worm’s code.
• It only attacked a specific variety of the Unix operating system.
• It affected about 10% of the computers connected to the Internet (about 6,000 computers)
• Damages were estimated to be in the millions of dollars
• Like today’s attacks, it was multi-vector, leveraging a backdoor in electronic mail and a bug in a Unix utility (finger).
• The creator sent out an apology and removal instructions. They weren’t delivered because of the problems caused by the worm.

All the damage that was done by the Morris worm was unintentional. It propagated so rapidly that it overwhelmed computers and brought operations to a crawl or even a complete halt. It took days to get things operational again.

From Test to Malicious Behavior

From episodes like Morris, we moved on to viruses and worms that were created with malicious intent. Some were designed to wipe files or in other ways cripple computers. Some were designed to demonstrate hacking skills or protest things the programmer was against. At each step of the battle, both sides learned something.

When viruses became the main attack vector, the good guys developed anti-virus software. It worked by looking at files and comparing them with known samples of previous viruses to see if a file was infected. The problem was new viruses were being invented by the minute. The result was that anti-virus could be said to be highly effective…yesterday. There were always new viruses to watch out for.

The bad guys went a step further with the introduction of polymorphic viruses. These programs modified themselves so that after they infected a machine, they no longer matched a previous signature. Other techniques for obfuscation followed. Detection by pattern matching soon became much less effective.

Phishing Comes Into Existence

The battle moved to getting computer users to click on a link and get infected or in some other way compromised by going to a website outside the control of the business. The phishing attack came into existence. This attack has been more successful as time has gone on. The old-style phishing emails were very easy to spot. They had grammatical errors, misspellings, and many other characteristics that made them obvious. Here is a verbatim quote from one in 2015:

I am Evelyn I. Curry  resident of Stone Mountain, Georgia USA, the winner of $120 million Mega Millions jackpot and I have decided to donate $650,000 USD to you and my sole purpose of doing this is to extend this blessing to others around the world such as NGO’s, Red Cross, corporate bodies. Humanitarian Organizations and individuals. I am doing this not to be famous, as a matter of fact, i am currently in my mother’s home town in India as a hide out on the cause of getting out of the sight of the public for some reasons. Please read  more of my winning story and the reason why i am hiding from the public in this news link below:

A Never-Ending Battle

The phishing emails of today are fluent, professional-looking, and incorporate company logos. Some phishers do reconnaissance to get specific information about their potential victim that will make an email all that more enticing. The goal is to collect usernames and passwords to allow unauthorized network access. The good guys need to work hard to help employees avoid these traps.

MFA (multi-factor authentication) has been developed to help mitigate password compromise. Bad guys have figured out ways to get around this like those mentioned here. Notice that phishing is still a major entry vector for the bad guys. Spam filters have been instituted but the bad guys have figured out ways to evade them and you can’t lock them down too tight or nothing gets through.

This will be a never-ending struggle. While defenses can be strengthened, you still have to allow traffic in and out of your business. You can filter it to some degree, but you still have to give employees access. The debate about security awareness training is ongoing, but the employee needs to know how to protect themselves and the business. Globally, the majority of businesses are expecting a cyber-attack in the next 12 months. For a peek at what kind of sneak attacks are out there, this article describes one that was very difficult to analyze.

Are you ready? Are your employees ready? If not, you may need to get ready to close up shop.  Contact Ashton Solutions at 216 397-4080 to schedule security awareness training for your company.