There was a general belief in the security community many years ago that user training was the only way to address security issues. Then we got slammed by tons of viruses and users all over clicked on links and ran attachments, basically doing exactly what we had all told them not to do. After spending weeks cleaning up the mess, the security community had a change of heart and basically took the stance that user training was a waste of time, and that we need better technology.

Well, it’s time to change this again. The technology doesn’t work. Sure, the technology is great for general threats. It’s good to keep certain applications from running. It keeps many network-based threats at bay. It can even be used to make the organization a bit more agile without too much risk.

However, it all comes down to one thing. No technology is smarter than a person, so everything we build tends to have a process somewhere that allows a person to override the security and effectively say “do it anyway”. Sure, we limit this ability to trusted people. Your executives’ time is highly valuable, so they may have local admin rights to avoid having to wait for help desk people. Your admins may need to bypass security controls to get their jobs done. There may not be many, but, in any organization, there are generally a few “special” people that are outside of the security system.

This makes the highly vulnerable to spear phishing attacks. All an attacker has to do is identify the special people, research them on the Internet, and send them an email that gets them to run something outside of the security controls. Then it’s all over.

There is only solution to threats that bypass the entire security system, and that is to build a new security layer to intercept the threat. Sadly, given the way people have to work, there is only one place to put this security… and that’s in their brains.

Any action that a high-profile person takes is, at minimum, reviewed and considered by their brain prior to it being done. Thus, the last layer in a security architecture has to be the people themselves.

No, don’t waste your time training the average user not to click on links or run attachments. Instead, deploy technology that makes these actions impossible. But then, when the executives explain to you why they are special and why they need to be exempt, your answer should be “sure, but you need training”.

Mitigate the risk with user training. Make sure that they know that they are being specifically targeted. Train them and document the training. Revisit them regularly.

If you are in a position of writing policy, try to build a system where you can test them on their training. If they fail the tests, they lose the rights to circumvent the security technologies.

Remember, the goal is to protect the business. The business, as well as the threats themselves are embodied in these “special” people. It is your job to protect them, even from themselves.

Related posts

• No related posts.

Imagine that you own a company.  You are responsible for the financial lives of hundreds of people.  If you make a mistake, you may have to let some of them go or, worse, lose the entire company and put them all out of a job.  This fact doesn’t really keep you up at night, but it is a valid concern, so when you receive an email that reads:

“High Priority:  Subpoena issued for YourCompany in case against YourClient”

Naturally, you’re a bit concerned as you do a lot of business with YourClient, and you open the email. Inside, you see your name, your business’s name, your address and phone number and a brief explanation that there is a disagreement between two of your clients and you have personally been asked to court. Then there is a link at the bottom that reads:

“For more information and to schedule your appearance at the trial, please click here.”

You’re probably going to click, aren’t you? After all, if you don’t show up, you could personally be found to be in contempt and in either case, your business will be impacted. It would make the most sense to click the link, get all the information you need and then call your lawyer, right?

Well, bad news. You’ve been spear phished. Some attacker found your information online and constructed an email filled with completely reasonable information all in an effort to fool you into clicking on that link. Sadly, now that you have, odds are that someone on the Internet has your passwords, access to confidential documents and yours (and possibly the company’s) bank accounts. Worse, this information is in the hands of someone that knew you well enough to hand craft an attack against you, so odds are that the information is going to be used.

This is the problem with spear phishing. It’s targeted to high-profile people. Odds are that it won’t get picked up by anti-spam filters, as it is designed to look completely legitimate. It also won’t pass by the security people’s view, as there are likely people who get email so confidential that even the security people can’t see it.

So, in effect, this is a threat that bypasses all of our checks. What are we going to do about it?

Related posts

• No related posts.

Most folks in my culture don’t know much about the bunyip.  That is, unless they saw Dot and the Kangroo as an impressionable youth, in which case they had nightmares for years… but I digress.

According to aboriginal legend, the bunyip lives in lakes and emerges at night to devour animals or people nearby.  Like many monsters of this type, people were warned to avoid the rousing the wrath of the bunyip, or they would be eaten alive.  In short, if you left it alone, it would leave you alone.

The thing, though, is that the lake has a bunyip in it.  You all know it.  You may be able to fool yourself into a false sense of safety, but you all know that to retain that false sense of safety, there are things that you must do (or not do).  In the case of the bunyip, it’s a simple matter of not going out at night and not going near water.  (The rules are different in the Dreamtime, but this blog doesn’t dive into the minutia of mythology (much)).

These days, most Western people disregard such monster stories. Our lives are such that we don’t need to invent such stories to explain away unknowns. When people vanish from our lives, they are much more likely to get hit by a car or die of old age then they are to mysteriously vanish in the night. This doesn’t mean, however, that we don’t make up stories. Quite the contrary, we make them up all the time, in exactly the same way.

How many times have you felt like your computer follows a strange set of rules? Maybe there is an incantation you go through to make something start (The desktop icon doesn’t work, so you click the start menu, navigate to programs, go to “Microsoft”, click on “Word”, cross your fingers and hope it starts). Maybe there are things that you do differently in your life (Don’t use that computer to access the Internet, it’s too slow, use the laptop from work instead.)  Maybe you just warn others away from that particular system.

Maybe there’s a monster in your PC.

In the security field, we assign all sorts of names to these monsters: virus, worm, trojan, rootkit, backdoor, etc. We do this because, as monster hunters, it helps us to know what sort of creature we may be facing. It makes it easier to communicate tracking and hunting techniques. And sadly, just as in the stories, the monsters often win. Just when we think we have them figured out they turn out to have friends or be aligned with a trickster of some sort, then they come after us in force. It can be quite demoralizing.

However, we’re the experts, if we are so often stymied, what can you possibly do to protect yourself?

The first step is to stop hiding in your huts cowering from the night. If your computer is making you change your behavior, there’s a problem. Maybe it’s broken, maybe the app is poorly written, or maybe there’s a monster in there. The thing is, if you let your computer control you, you’ll never know if there’s a monster in the lake or if it’s just a floating log.

The second step, and one that would help us all a lot, is to start locking the lakes. Simply put, if you live in a world with monsters (as we do), it’s kind of stupid to invite them in. If you’re not running an antimalware system of some sort, you’re leaving your system open to be colonized by monsters. Similarly, if you visit other lakes that are likely to be infested with monsters, they just might follow you home. Practically, this means avoiding porn and gambling sites.

Lastly, if you think there may be a monster lurking around, you might want to consider calling in an expert monster hunter. We may not be as cool as the people in the movies, but we’ve got a fighting chance at getting rid of them. And after all, it’s better than being eaten in the night.

Related posts

• No related posts.

Now, butterflies aren’t generally considered to be terrifying.  Nor, unless you were chased by one as a small child, are peacocks.  And, though five of the six ends of a tiger are pointy, the tail is also generally viewed to be fairly innocuous.

Interestingly, all of these generally harmless examples protect themselves through the use of eye spots.  Butterflies often have them on their wings, so when they are fully unfolded, they resemble a face.  Peacocks have them all over their tails, so when they are fully spread out, they resemble the eyes of many creatures.  The white spots on the back of a tiger’s ears resemble eyes as well.

The theory in all of these cases is that an attacker will think they are being observed and halt an attack.  It may only cause a brief pause, but that might be just enough for the eyespotted animal to get away.

The security lesson here is twofold.

First of all, it’s a generally good idea to let an attacker think you’re paying closer attention to them than you are.  That way the attacker is more likely to move on to a victim that would be a little bit easier to take on.  Perhaps one that is paying a bit less attention.  Practically, the technique only works when it takes fewer resources to mount a pseudo-defense than it does to to mount an actual one.  This is one of the reasons that fake surveillance cameras are popular.  If there are 10 cameras in a place, it’s a lot cheaper for 8 of them to be fake, so long as an attacker doesn’t know which ones are which. It would not make sense to create a fake IDS system that detects security incidents and fakes a response, as it would take just as much work to fake a response as it would to make a real one.

The second lesson is that you have to pay some attention. After all, attackers aren’t stupid. If they figure out that the butterfly with the weird eyes isn’t really watching, the butterfly will be lunch if it doesn’t fly away soon. A distraction technique, be they eyespots or fake cameras are only good so long as the real eyes and real cameras are being used.

How you can you fake out your attackers?

Related posts

• No related posts.

“Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”

That was the riddle asked by the Sphinx, a creature sent to Thebes to by Hera (or Ares).  When the riddle was answered incorrectly, the Sphinx would strangle and devour the challenger.  This went on for a while until Oedipus, who answered “man” and explained that the “time of day” was a metaphor for “time of life” and that the question refers to the stages of life: baby crawling, man walking, old man with a cane.  After this, the Sphinx (being unable to come up with another clever riddle) promptly killed herself.

Today’s myth is fairly transparently about password security.  The Sphinx made three basic errors that we can learn from:

Question/Answer Pairs

We’ve all seen the “security question” prompts.  They often ask about pets or parental surnames.  Sometimes they ask about special anniversaries.  In any event, if you are moderately findable online, a quick search of genealogy databases or photo-sharing sites can turn up answers to such questions.  To combat this, you can either hide all information relating to you, search it out online and remove it, visit public libraries and burn all the public records and brain-wipe all your friends… or you can answer the question nonsensically.  Just because the field says “mother’s maiden name”, doesn’t mean that you have to put that in there.  Maybe put in your favorite fruit instead.

Suppose the answer to the Sphinx’s riddle wasn’t “Man”, but was “Kiwi”?  Sure, the myth wouldn’t make much sense, and Oedipus would have become dinner rather than king, but the riddle would have much less guessable.

Short Answer

You know how irritating it is to have to have a password that is “at least 8 characters”?  Well, the reason is that there are people that can try all sorts of different words until they get in.  It’s as if someone in power (like, say, Oedipus) were sending numerous peasants to the Sphinx with random answers.  It would have gone something like this:

• Sphinx: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
• Peasant 1:  Umm, (checks list) an apple!
• Sphinx: Nope.  (strangle) (eat)
• Peasant 2: How about an eagle?
• Sphinx: Nope.  (strangle) (eat)
• Peasant 3: (looks about warilly) man?
• Sphinx: Close, but we just changed the answer in the previous section.  (strangle) (OM NOM NOM NOM)
• Peasant 4: (reads the previous section).  Kiwi!
• Sphinx: Drat!  (strangles self and throws body over cliff)
• Peasant 4: Yay!  I win.
• Oedipus: (strangles peasant 4) (looks around warilly) Yay! I win.

So, the Sphinx manages to survive a bit longer, but is still undone because the answer is short and guessable.  Let’s protect against that by changing the answer from “Kiwi” to “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”  That’d be a lot harder to guess.  Hard enough the Oedipus might even run out of peasants before he gets to it.

Only One Question

Ah, but what if you have an exceptionally smart guesser.  Suppose they know something about the person choosing the password.  Even incredibly long passphrases have to be remembered, so odds are that a little bit of social engineering can be of use.  If we fully embrace anachronisms and have a Sphinx that is a Star Wars fan, odds are that the pass phrase would appear on the list of 30 Most Memorable ‘Star Wars’ Quotes. Similarly, if the Sphinx were known to enjoy Shakespeare, 200+ Famous Bardisms might be a good place to start. The point here is to pre-load the disposable peasants with likely answers, so that Oedipus can hit upon it while there is still a peasant to kill and claim the credit.

A clever Sphinx can protect herself by coming up with multiple riddles. In the security field, we’d call this multi-factor authentication, which we shorten to “know/have/are”. To extend our horribly-mistreated metaphor, the Sphinx would be highly secure if she:

1. Something you know:
   • Q: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
   • A: “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”
2. Something you have:
   • Q: “Do you have the key that unlocks this super special box that I borrowed from Pandora?
   • A: (peasant offers a herring that has been painted plaid)
     • Remember, the answer should be nonsensical and nontrivial.  A plaid herring covers both requirements in most instances.  Besides, it’s generally best to leave Pandora’s box closed.
3. Something you are:
   • Q: “How do I know that you are truly you?”
   • A: (peasant shows the Sphinx that birthmark that Oedipus painted on his arm)
     • It’s very difficult to forge the “something you are” check, but it can be done if the verification technology is flawed, be it a fingerprint scanner that doesn’t check body temperature or a stupid Sphinx.

Thus, the only person that could get past the Sphinx would be someone that managed to prove their identity three different ways, which makes it extremely likely that the person allowed is the one authorized… or someone that has privileged information as to which questions will be asked and which answers are expected.  So, make sure that your questions and answers are reasonably secure, but also make sure that you don’t let anyone else know that they are.  Secrets are only good so long as they are kept secret.

That’s why the Sphinx had to kill herself, you know.

Related posts

• No related posts.