Much advice about avoiding malware revolves around only clicking links from trusted sources. Unfortunately, it gets harder all the time to determine who and what is a trusted source. Malware is more insidious than ever. Below, I’ve found some recent instances where malware was tricky to spot, and even nearly impossible to prevent.
How do you maintain an environment that is both open and secure? Many professionals who work in education cybersecurity have to answer this question, but it seems to be a catch-22. Typically, colleges and universities value a collaborative environment. At the same time, education is unlike nearly every other industry in the sheer volume of private information IT teams must safeguard. How can cybersecurity professionals balance education values with the safety of students and faculty?
Here’s a scenario: you’re asked to provide a report of unnecessary high bandwidth usage on your network. So you open your network monitoring tool and look for the top talkers. Maybe there are a couple of hosts that are consuming significantly more bandwidth than anyone else.
The problem is that you don’t have further context. There’s no way to identify whether those hosts are behaving normally or whether there’s a potential threat involved. What if the high bandwidth usage was due to a sales manager screen sharing on a call with a client? It wouldn’t do anyone any good to report him or her.
Can you say with certainty that none of your network devices have ever been pulled into a botnet army? If you don’t operate under the principle of least privilege, it’s likely that you can’t. This article will provide an overview of what least privilege means, and how it can help to relieve your IoT security headache.
What is Least Privilege?
Least privilege is not a new concept and any organization can adopt it. It’s simple: restrict the access of every user, device, program, etc. to only the minimum information and resources required to carry out its designated function.
For example, you may restrict the typical user from installing new software at their workstation beyond what the organization provides them to perform their tasks. Or a department may not be able to access the files and directories used by a different department. Basically, if they don’t need it, why give it to them?
As far as prevention goes, the benefits of least privilege in mitigating insider threats are clear. Because insider threats by their nature originate within your perimeter security, restricting access restricts damage. But what about external threats?
Least Privilege and the Internet of Things
While the IoT market booms, security professionals are biting their fingernails. So many vulnerable internet-connected devices exist, often due simply to a lack of diligence on the part of the manufacturer. All sorts of objects, from baby monitors to cars, have proven vulnerable to compromise. The security threat has become such a prominent concern that the Senate has deliberated whether to pass legislation on it.
According to an article by Dr. Phillip Hallam-Baker, however, part of the problem is that the code and operating systems of many IoT devices are needlessly complex. He says, “the more complex a system is, the harder it is to test, and the more likely it is that it will go wrong.” Furthermore, operating systems like Windows and Linux—which are cheap and fast to use in the development of IoT devices—suffer a large attack surface because their purpose is to be as flexible as possible.
This is where least privilege comes in. You don’t need your smart thermostat to be able to communicate with all of your systems; it just needs to regulate the darn temperature. Minimize the attack surface of single-function devices by only allowing them the resources needed for that one function.
Least Privilege and Network Traffic Analysis
Unfortunately, rules get broken. Even when you operate under least privilege, how do you know whether everyone and everything is actually following the rules?
With a proper network traffic analysis system in place, it’s actually quite easy. If you know the one thing a device should be communicating with, any traffic to or from a different host is a red flag. Then you can begin to investigate the issue.
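The check described above can be expressed as a small allow-list policy run over flow records. The following is an added example written for this article, not code from Plixer or from any network traffic analysis product; the device names, addresses, allowed peers and flow lines are all constructed, and the flow format (timestamp, source, destination, protocol, destination port, bytes) is a simplified stand-in for what a NetFlow or IPFIX exporter would give you. Each single-function device gets a list of the only peers it is permitted to talk to; any conversation outside that list, in either direction, is reported for investigation.

```python
"""Least-privilege check over flow records: flag any conversation where a
single-function device talks to a peer outside its allow-list.
Added example; device names, addresses and flow lines are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Allow-list policy (constructed): each device may initiate connections only
# to these (peer network, protocol, peer port) tuples, and only hosts in those
# networks may initiate connections to the device.
POLICY = {
    "thermostat": {
        "addr": "10.0.20.15",
        "allowed": [("203.0.113.10/32", "tcp", 443),   # vendor cloud API
                    ("10.0.0.53/32", "udp", 53)],      # internal DNS resolver
    },
    "ip-camera": {
        "addr": "10.0.20.22",
        "allowed": [("10.0.30.5/32", "tcp", 554),      # video recorder, RTSP
                    ("10.0.0.53/32", "udp", 53)],
    },
}
ADDR_TO_DEVICE = {spec["addr"]: name for name, spec in POLICY.items()}

# Constructed flow records: "<ts> <src> <dst> <proto> <dport> <bytes>",
# one record per connection, written in the client-to-server direction.
FLOWS = """\
2024-05-01T09:00:01 10.0.20.15 203.0.113.10 tcp 443 18234
2024-05-01T09:00:02 10.0.20.15 10.0.0.53 udp 53 120
2024-05-01T09:01:10 10.0.20.15 10.0.40.8 tcp 445 96000
2024-05-01T09:02:00 10.0.20.22 10.0.30.5 tcp 554 4500000
2024-05-01T09:03:30 192.0.2.77 10.0.20.22 tcp 23 320
2024-05-01T09:04:00 10.0.50.9 10.0.60.2 tcp 443 5000
""".splitlines()


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes))


def outbound_allowed(spec, peer, proto, dport):
    """True if the device may initiate a connection to peer:proto/dport."""
    p = ip_address(peer)
    return any(p in ip_network(net) and proto == pr and dport == port
               for net, pr, port in spec["allowed"])


def inbound_allowed(spec, peer):
    """True if peer is inside any allowed network. The port is not checked
    here because for an inbound flow the port belongs to the device side."""
    p = ip_address(peer)
    return any(ip_address(peer) in ip_network(net) for net, _pr, _port in spec["allowed"])


def find_violations(lines):
    """Return one finding per flow that breaks a device's allow-list.
    Flows between hosts that have no policy entry are not evaluated."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        dev = ADDR_TO_DEVICE.get(f.src)
        if dev and not outbound_allowed(POLICY[dev], f.dst, f.proto, f.dport):
            findings.append({"device": dev, "direction": "outbound", "peer": f.dst,
                             "proto": f.proto, "port": f.dport, "ts": f.ts})
        dev = ADDR_TO_DEVICE.get(f.dst)
        if dev and not inbound_allowed(POLICY[dev], f.src):
            findings.append({"device": dev, "direction": "inbound", "peer": f.src,
                             "proto": f.proto, "port": f.dport, "ts": f.ts})
    return findings


def summarize(findings):
    """Count violations per device, which is the view a report usually needs."""
    counts = {}
    for fnd in findings:
        counts[fnd["device"]] = counts.get(fnd["device"], 0) + 1
    return counts


if __name__ == "__main__":
    for fnd in find_violations(FLOWS):
        print("{ts} {device} {direction} {peer} {proto}/{port}".format(**fnd))
    print(summarize(find_violations(FLOWS)))
```

On the constructed records this reports two findings: the thermostat opening an SMB connection to a file server it has no business talking to, and an outside address connecting to the camera on port 23. The flow between the two hosts that have no policy entry is ignored rather than flagged, which is the point of the policy model: you only get alerts on devices whose single permitted function you have actually written down, and everything outside that list is, by construction, worth a look.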
To try it out for yourself, check out the free trial of our network traffic analysis system.
There may be times when a computer infection elicits a chuckle before driving you to tear your hair out. Here, I’ll be discussing a few examples of weird malware I’ve come across (not from personal experience, thankfully). Keep in mind that some of these started out merely as a prank between friends—meaning it doesn’t take a criminal mastermind of a programmer to destroy your computer if you’re not cautious.
The Cookie Monster program was written in the late 1960s and is credited as being the world’s first computer virus. Students at Brown University created it just as a way to annoy their friends. When opened, it completely froze the computer and incessantly demanded cookies. Sounds pretty similar to modern-day ransomware, doesn’t it? But the user could unlock their computer easily—they just had to type in “cookie” to placate the malware and regain control.
Deriving its name from the Japanese words for “squid” and “octopus,” the Ika-Tako virus made headlines in 2010 when it infected between 20,000 and 50,000 computers. It disguised itself as music files; when users downloaded the files, the virus infected all the files stored on the user’s computer. Then it swapped all these files with pictures of an orange cartoon octopus.
The creator of Ika-Tako, Masato Nakatsuji, was arrested for property destruction. He had previously written the Pirlames Trojan that also destroyed files, but instead displayed images from the well-known anime Clannad. Pirlames led to a two-year prison sentence for violating copyright laws. Nakatsuji wrote Ika-Tako while on probation to “test how much [his] computer programming skills since the last time [he] was arrested.”
Rensenware, like Cookie Monster, gives the user a way to regain control—but it’s much, much harder to do.
This form of ransomware takes its name from the 12th installment of the wildly popular Touhou game series, Seirensen (in English, Undefined Fantastic Object). Instead of paying a ransom, the user has to score 200 million points on Undefined Fantastic Object’s hardest difficulty level, aptly called “lunatic mode.”
As a longtime appreciator of the Touhou games, I found this malware particularly interesting, though I know I would never stand a chance at unlocking my computer if infected by Rensenware. The games revolve around dodging thousands of deadly projectiles that come at you in various patterns, and on harder modes, they often completely obscure the screen. To get an idea of how difficult it would be to unlock your computer from Rensenware, check out Undefined Fantastic Object’s final stage on lunatic (the boss fight starts at 1:55):
Note that this video shows a perfect (no deaths) run, but it still doesn’t hit 200 million points.
The creator of Rensenware wrote the ransomware as a joke. He fell asleep after uploading it to GitHub, and awoke to find it had spread. It even infected his own computer. Asked whether he could score 200 million points, he replied, “Uh, oh… nope.” He immediately wrote software that neutralized Rensenware and released it to GitHub.
The takeaway here is that something you come across online doesn’t have to look sketchy to cause your computer harm. If you know any skilled programmers who are prone to boredom… be wary of any emails they send your way!
For more cybersecurity articles, follow @Plixer on Twitter.
In at least half of the many articles I read covering new cybersecurity threats, I see the same advice given: change your passwords! It’s good advice, of course. But when I try to take inventory of every account I have with some website or email provider or app that needs to be changed—and with fresh, unique passwords, no less—the task quickly evolves into a huge chore. (I already know that my workstation neighbor will read this and call over to me, “Use LastPass!” Sadly, Justin, LastPass is not impregnable.) Lately, however, a new solution has been growing in popularity, and promises to provide both security and convenience: biometric authentication.
Yesterday, it was disclosed that a currently unknown amount of data has been leaked from websites using the web performance and security company Cloudflare’s services. The issue quickly earned the name “Cloudbleed.”
A new Netflix scam infects those trying to create fake login credentials to the popular television streaming service.
Somewhere in the last two decades, television grew into a medium full of acclaimed, thoughtful content. Now there is so much content scattered across different vendors that we’re likely to subscribe to several streaming services, and the costs add up. Netflix, for instance, charges between eight and twelve dollars per month. Some viewers seek illegal ways around the subscription fees by downloading the content from illegitimate sources or by creating fake login accounts. This is where the new Netflix scam casts its net.
2016 was a doozy. As many security experts predicted, we’ve seen cyberattacks happening at greater frequency and greater size. From customer information exfiltration to DDoS attacks taking down major websites and even a portion of the internet, we’ve made it through a history-changing year. Here’s our countdown of the 10 biggest cyberattacks of 2016.