Last month, RealClear attended the excellent 44Con IT security conference in London. The conference highlighted many of the IT security threats that abound in today’s environment and the best defenses against them.
It only takes one photo to infect your computer
Phishing attacks are still prevalent and still successful
Phishing attacks (acquiring sensitive information while masquerading as a trustworthy entity) are still working, according to Michele Orru (of Browser Hacker's Handbook fame). With cloud technology, phishing attacks can be executed more easily than ever; for example, a practically unlimited number of IP addresses can now be bought on Amazon Web Services. The Telegraph (UK) newspaper tasked Orru with phishing one of their technology journalists, Sophie Curtis. (The mind boggles about the legal and ethical dimensions of this assignment, but that is another story.) His attack started with a fake LinkedIn invite which had a BeEF hook surreptitiously attached to it. This helped reveal the target's browser type, plug-ins and email client. Once these details had been determined, the payload could be customised. In this case, the payload included reverse HTTPS and DNS send-back mechanisms. This was all packaged up in a .RAR file (Gmail does not allow the sending of .exe files saved in .ZIP format). Then, using a file masquerading technique, the .RAR file was cloaked as a .PDF file. The next step was to send a cleverly crafted social engineering email with a subject matter which would have been of interest to the target. The email, in this case about human rights in Brazil, was sent using Sendgrid with SPF and DKIM authentication enabled to avoid the attention of spam filters. His Telegraph journalist target took the bait, opened the attachment and her computer was under this white-hat hacker's control in the space of a few hours. The efficacy of this attack on a tech-savvy technology journalist was astounding.
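The file-masquerading step is the one a mail gateway or endpoint can catch mechanically: an attachment's extension says one thing, its leading "magic" bytes say another. The script below is an added example written for this post, not code from Orru's talk or from any tool it mentions. It assumes only the public file-header signatures for PDF, RAR, ZIP and EXE, and it writes two constructed sample files (one archive header saved under a .pdf name, one genuine-looking PDF) to a temp folder so it runs offline.

```powershell
# Added example (RealClear's, not code from the 44Con talk): flag attachments whose
# extension disagrees with the file's leading bytes, the check that catches an archive
# renamed to look like a PDF. Signatures are the public headers for each format,
# written in the "AA-BB-CC" form that [BitConverter]::ToString produces.
$Signatures = @{
    '.pdf' = @('25-50-44-46-2D')                                    # "%PDF-"
    '.rar' = @('52-61-72-21-1A-07-00', '52-61-72-21-1A-07-01-00')   # RAR 4.x, RAR 5.x
    '.zip' = @('50-4B-03-04')                                       # "PK" local header
    '.exe' = @('4D-5A')                                             # "MZ"
}

function Get-ActualType {
    # Return the extension whose signature matches the header, or $null if unknown.
    param([byte[]]$Header)
    if ($Header.Length -eq 0) { return $null }
    $hex = [BitConverter]::ToString($Header)
    foreach ($ext in $Signatures.Keys) {
        foreach ($sig in $Signatures[$ext]) {
            if ($hex.StartsWith($sig)) { return $ext }
        }
    }
    return $null
}

function Test-ExtensionMismatch {
    # One result object per file: claimed type, detected type, and whether they differ.
    param([Parameter(Mandatory)][string]$Path)
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $header  = if ($bytes.Length -gt 16) { $bytes[0..15] } else { $bytes }
    $claimed = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $actual  = Get-ActualType -Header ([byte[]]$header)
    $label   = if ($actual) { $actual } else { '(unknown)' }
    [pscustomobject]@{
        File     = [System.IO.Path]::GetFileName($Path)
        Claimed  = $claimed
        Actual   = $label
        Mismatch = ($null -ne $actual) -and ($actual -ne $claimed)
    }
}

# Constructed samples written to a temp folder so the demo runs offline.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'masquerade-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
# A RAR 5 header saved under a .pdf name: the masquerade described above (constructed).
[System.IO.File]::WriteAllBytes((Join-Path $demo 'human_rights_brazil.pdf'),
    [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x01,0x00,0x00,0x00,0x00,0x00))
# A file that really does start like a PDF (constructed).
[System.IO.File]::WriteAllText((Join-Path $demo 'agenda.pdf'), "%PDF-1.4`n%constructed sample`n")

Get-ChildItem -Path $demo -File |
    ForEach-Object { Test-ExtensionMismatch -Path $_.FullName } |
    Format-Table -AutoSize
```

The first sample is reported with `Mismatch` true (claimed .pdf, actual .rar); the second is not. A file whose header matches none of the listed signatures is reported as unknown rather than flagged, so the signature table is the thing to extend for the formats your organisation actually exchanges, and the check belongs alongside, not instead of, an AV scan.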
UEFI – The backdoor to your Mac OS X and Windows systems
When most people talk about viruses or malicious code they assume that it lurks somewhere in the operating system. That assumption is mostly correct, as most malicious code does reside at application or kernel level in the operating system. But most people forget that one level down from the operating system lies the UEFI (Unified Extensible Firmware Interface), which initialises when you first power on your computer. This could present a vulnerability to your Mac or Windows system, as malicious code can be hidden at this level. This issue was raised in the presentation of professional "malware hunter" Pedro Vilaca. How many "in the wild" or "zero-day" UEFI rootkits are out there which have not been detected by security researchers? It is worrying because malicious code at this level will persist across system re-installs, hard disk wiping and, most dangerous of all, code at this level can circumvent full-disk encryption. As UEFI rootkits initialise before encryption applications, they can easily capture passwords as used by popular encryption applications such as FileVault, PGP and TrueCrypt. Vilaca stated: "If we can't trust hardware we are wasting a lot of time solving some software problems".
Windows 10 – How secure is it?
There are many techniques by which you can evaluate the security of an operating system. One such lens is looking at the attack surface. This is the aggregation of all the different points where an attacker can inject or extract data. Typically, the major attack surfaces on an operating system would be services and drivers. In the context of those two, James Forshaw, a researcher on Google's Project Zero team, decided to perform a comparison between Windows 7, 8 and 10. Not surprisingly perhaps, Windows 10 contains the largest number of drivers and services. But since a bare driver and service count can be a blunt metric for OS security evaluation, he decided to perform his analysis according to system privilege levels. Again, Windows 10 has the largest number of services running at the highest system privilege level. But in terms of the direct attack surface of Windows 10 drivers, he found it had the smallest attack surface of the three.
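The same two measurements, services broken down by the account they run under and a count of kernel drivers, can be taken on your own machines. The script below is an added example for this post and is not Forshaw's tooling or method; it uses the standard `Win32_Service` and `Win32_SystemDriver` CIM classes, treats `LocalSystem` as the highest-privilege service context, and uses a crude heuristic of our own (driver file path outside `System32\drivers`) as a proxy for third-party kernel code. Run it in an elevated session on each Windows build you want to compare.

```powershell
# Added example (RealClear's, not Forshaw's tooling): a quick attack-surface inventory
# of the local Windows host in the terms used above. Needs an elevated session.
function Get-ServiceSurface {
    # One row per service account; LocalSystem is the highest-privilege context.
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account';  e = { if ($_.Name) { $_.Name } else { '(none)' } } },
                      @{ n = 'Services'; e = { $_.Count } },
                      @{ n = 'Running';  e = { @($_.Group | Where-Object State -eq 'Running').Count } }
}

function Get-SystemServicesRunning {
    # The services that matter most for attack surface: running, and running as LocalSystem.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, PathName
}

function Get-DriverSurface {
    # Total and loaded drivers, plus (assumed heuristic) those installed outside
    # System32\drivers, which usually indicates third-party code in the kernel.
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver)
    [pscustomobject]@{
        Total             = $drivers.Count
        Running           = @($drivers | Where-Object State -eq 'Running').Count
        OutsideSystem32   = @($drivers | Where-Object { $_.PathName -notlike '*\system32\drivers\*' }).Count
    }
}

Get-ServiceSurface         | Format-Table -AutoSize
Get-DriverSurface
Get-SystemServicesRunning  | Format-Table -AutoSize
```

The numbers are only comparable between hosts with a similar software load, which is the same caveat Forshaw's talk raises about raw counts: the useful output is the list of running `LocalSystem` services and non-Microsoft drivers, each of which is a candidate to disable or remove if it is not needed.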
Internet Explorer has long been the security Achilles heel of the Windows OS, with as many holes as a block of Emmental. Finally, Microsoft have replaced this dinosaur browser with a successor which they have called "Edge". In short, Microsoft have taken the Trident rendering engine from IE and streamlined it. And to beef up security, they have now enabled enhanced protection mode in Edge by default. On the downside, it's still using the ActiveX version of Flash. Does this now mean that Windows 10 is fully secure? "Windows is a complex operating system, you can always find something to break," said Forshaw.
What all of this means for your business or organisation
Good IT security no longer means that a firewall or anti-virus software gives you adequate protection. Far from it: to defeat modern threats, you need a layered approach to your security. This starts with you and your team having an awareness of risk and a security mindset. It means having proper protection mechanisms such as firewalls and AV software in place and properly configured. It means having robust computer usage and data handling policies in your company or organisation. Should an attack occur, it can then be prevented or at least its damage mitigated. It also means that you can sleep a little bit sounder at night knowing your data and systems are protected.