Popular horror novelist Stephen King once said, “We make up horrors to help us cope with the real ones.” This couldn’t be more accurate in today’s globally connected world. Sure, ghouls, ghosts and goblins are terrifying but these do not compare to the agony of compromised privacy, cybercrime, or identity theft. The stuff of scary stories may threaten our sense of comfort, but hackers and cybercriminals make us fear for our sense of self.
For Halloween this year, Tripwire has assembled nine “scary” security stories for your perusal. We hope that you enjoy them—and aren’t too scared afterwards.
Beware the Un-educated User!
By Tyler Reguly, Manager of Security Research, Tripwire
When I think of spooky security stories, I’m drawn to a story from a few years ago from New York. I seem to recall that someone managed to get into the New York Public Library without a library card. This is a great example of a physical security breach. I believe he was a green ghost named “Slimer”… hrm…. Now that I think about it, that may be the plot to the original Ghostbusters movie.
“Scary” and “spooky” are words that should be used cautiously in our industry. Everywhere we turn, security researchers looking to make names for themselves and naïve journalists without any tech background are spreading enough Fear, Uncertainty, and Doubt for all of us.
Ultimately, Halloween should be about the kids. Like these kids, who “hacked” an ATM using manuals they found online. Then there’s this video of a girl using a “bump” key to pick a lock, which went viral after its release. And let’s not forget all the kids who attend the HacKid Conference, where they learn about security, privacy, and other tech issues with their parents.
But these kids are exceptions to the rule. When it comes down to it, the scariest security fact out there today is the number of people who are uneducated when it comes to technology. They click on links in emails, visit URLs, and run programs all because someone puts it in front of them. They didn’t have the advantage of growing up around technology or learning about it afterwards.
Today is therefore a great day to talk about the kids who are educating themselves, who are learning about online privacy, who have an interest in technology beyond just posting Facebook status updates. The next generation is learning how to live with technology, how to become one with the gadget the way hippies learned to become one with nature.
For now at least, the scariest security issue is the end user because they are unpredictable. But hopefully our next generation will use their understanding of and experience with technology to help fix that.
Insidious Cybercriminal Incentives
By Lane Thames, Security Research Engineer, Tripwire
It wasn’t long ago that large-scale, disruptive Internet worms were common. Lots of research was conducted on modeling these types of cyberattacks, on understanding how they worked, on understanding how to prevent them, and on many other aspects of the phenomena.
However, it didn’t take long for Internet worms to abate, almost on their own accord. Why? Well, the threat landscape changed. And, in my opinion, it changed rapidly. Not because of the work being conducted by the good guys. The threat landscape changed because of a change in attacker incentives.
Internet-scale, disruptive worms such as SQL Slammer, Code Red, Nimda, etc. caused lots of noise. New incentives for the bad guys such as making money–and lots of it–via computer hacking, computer fraud, etc. shifted the landscape. Modern cyber attackers don’t want (in most cases) to cause a lot of noise. They want to be stealthy, for example, via advanced persistent threat (APT) attack vectors and such. Disruptive worms do not provide income for attackers. On the contrary, Internet worms have the potential to disrupt the bad guys and their existing income streams.
So, for me, I’m not sure what is more scary: the fact that Internet worms with devastating outcomes could still surface via existing and future software bugs such as the recent Shellshock vulnerability, or the fact that large-scale Internet worms seldom rear their heads any longer.
Stalking ICS Networks
By Craig Young, Computer Security Researcher, Tripwire (VERT)
Instead of a story, how about some words on how scary it is that there are so many industrial control systems on the Internet with no password protection?
The Internet has connected the world in ways most people never would have imagined. This has been a tremendous blessing for the retail industry by providing the opportunity to reach consumers around the world, but this same connectivity has also opened doors into critical networks that were not previously exposed.
The scariest example of this would have to be the exposure of industrial control system (ICS) networks to the Internet. Even the least technical attacker can run scans of the Internet and quickly find hardware operating in power plants, oil pipelines, water treatment facilities, and other critical infrastructure. Many of these systems are completely unprotected, with password-less VNC remote access enabled, and many more likely have default or easy-to-guess credentials. This type of access enables attackers to anonymously interact with a controller as if they were standing in front of it.
In addition to the exposure of remote management services, more specialized scans of the Internet have also revealed thousands of systems using the ModBus and DNP3 protocols. These communication protocols were not designed for use on public networks, and although they have been augmented over the years to run on top of modern LANs, security has tended to be an optional feature rather than a core requirement. It would be foolish to think that adversaries have not already mapped out and even gained access to a number of these networks.
In the past, successful ICS attack campaigns such as Stuxnet have highlighted the ability for malicious code to cause physical damage by quietly tweaking commands sent to the hardware. Some of the systems relying on this technology are incredibly important and incredibly sensitive to change. Taking the US power grid as an example, the interconnected nature of this system means that a slight phase change from generators at a West Coast power plant could lead to overloaded transmission lines on the East Coast, causing a massive power outage like the 2003 northeast blackout.
It’s also important to remember that these systems can be abused for financial gain, as one unnamed US energy provider learned a few years back. In that case, systems were compromised through a targeted phishing campaign that made use of a 0day vulnerability in Microsoft’s DNS server implementation. The attackers monitored the pipeline activity to make money by speculating on the energy market.
Meddling with Medical Devices
By Chris Conacher, Manager of Security & Compliance Solutions, Tripwire
I would say the scariest thing is the hacking of medical devices. In 2011, IBM computer security bod Jay Radcliffe did research into the possibility of successful attacks against his personal insulin device. This research culminated in a presentation on how it could be manipulated to dispense a lethal dose. This work was developed further by McAfee’s Barnaby Jack, who demonstrated taking control of a device wirelessly, disabling the safety alert, and delivering a lethal dose at up to 300 feet away.
This research has since been extended, with the implications now applying to other embedded medical devices, including pacemakers.
The Slinking Stuxnet Worm
By Ryan Dewhurst, Freelance Security Tester at Dewhurst Security
The “scariest” security incident in my opinion that I can remember must be the Stuxnet worm, which was discovered in 2010. The reason I think it is the scariest is because of two reasons: first, the intended target; and second, the sophistication of the malware. The target was Iranian nuclear facilities with the express intent of extracting data and causing the centrifuges to malfunction. The sophistication of the malware comes from using two 0day Windows exploits, not to mention the amount of effort that must have gone into writing the worm’s code.
Worse still, even though Stuxnet was sophisticated and had a clear target, it still managed to get out of hand and infect a limited number of non-targeted machines in other countries.
Creepy CryptoWall 2.0
By Stu Sjouwerman, CEO at KnowBe4
One of the scariest stories I’ve heard is about the CryptoWall 2.0 ransomware.
The folks at Proofpoint wrote a long blog post explaining exactly why Version 2.0 is so much worse. In a nutshell, the sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware.
This enables attackers to infect users with so-called “drive-by-downloads,” where the user does not have to click on anything.
Recent data taken directly from the CryptoWall ransom payment server shows a total of just over $1,000,000 had been paid from March through August 2014, and since then a further 205,000 new victims have been claimed.
Ransomware is on the rise, and it’s getting smarter. One can’t help but wonder: will there be a CryptoWall V3.0? And what would that possibly look like?
Every Port is Against You
By Lamar Bailey, Director of Security R&D, Tripwire
It was a cold dark night in January 2003, and SQL Server databases around the world were being hit hard from a new threat. SQL_Slammer took the world by storm, devouring data and leaving the crushed souls of system admins and CISOs in its wake.
The vulnerability had been discussed the previous year at the Black Hat conference, and the patch had already been delivered from MS. The worm was small but deadly. It was tiny enough to reside in memory, and it did not have to be written to disk. The worm worked by generating random IP addresses and sending itself out to those addresses. If a selected address happened to belong to a host that was running an unpatched copy of Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately became infected and began spraying the Internet with more copies of the worm program. This was deadly to routers, which could not handle all the traffic. These routers would fail, leading other routers to update the routing tables. Ultimately the routing issues propagated almost as fast as the worm.
Many security teams rallied to stomp out the worm. They used free tools to clean it from each system and network detection signatures to identify infected hosts. After the worm was eradicated, the teams protected the hosts with a patch that had been available for six months. In a few days, things were getting back to normal. It looked like the worm had been stamped out.
But we were wrong.
Heyoh Inc. had received the patch just one week after it was made available, but they needed to leave the lab machines unpatched for QA testing of their products. They therefore decided to monitor their machines and look for signs of infection.
Late one foggy night, the alarms went off. SQL_Slammer was loose in the lab. The security team grabbed their gear and spent the next few hours cleaning the lab and wiping out the infection. After four pots of coffee and a final sweep of the lab, everything looked safe, so they ran forensics. Patient 0 had been an internal address not in the lab, but all other systems had been patched. Everything looked safe.
At that very moment, the alarms went off again. SQL_Slammer was back at it. Another four hours passed, and the lab was once again clean. But the same IP address had once again been the cause. It was a DHCP IP on the corporate network, and the MAC address was not familiar to anyone.
Just as the team was working to block Patient 0 from the network, Attack Number Three hit the lab. The team mobilized, but JD was sent off with a pair of cable cutters to track down Patient 0. He traced the ports and connections in the wiring closet to the break room on the third floor. JD entered the room, but there were no computers in sight. Confused and tired, JD dug out a dollar to buy a Mountain Dew from the shiny new soda machine installed earlier that week. He needed a caffeine and sugar recharge. That’s when something caught his eye: a small green cable peeking out from behind the machine.
JD moved the machine aside and discovered a network patch cable connecting it to a hidden corporate network jack in the wall. To his surprise, the new soda machine had a small SQL Server database that recorded inventory in the machine and had the ability to call home and tell the service company how many of each product needed to be refilled, along with the sales stats. With a quick snap, the cable was severed. The company was safe…for now.
When it comes to security, don’t trust anyone or anything. Even machines bearing Mountain Dew can turn on you in a second.
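As an added illustration (not part of Lamar’s story or any Tripwire tool), here is the kind of check a lab team could run over its own flow records to spot the behaviour described above: a host sending UDP/1434 to many distinct addresses. The simplified “src dst proto dport” flow format and the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed flow records in a simplified "src dst proto dport" format
# (made up for this example; not from any real capture).
SAMPLE_FLOWS = """\
10.0.5.23 198.51.100.7 udp 1434
10.0.5.23 203.0.113.91 udp 1434
10.0.5.23 192.0.2.14 udp 1434
10.0.5.23 198.51.100.200 udp 1434
10.0.5.23 203.0.113.3 udp 1434
10.0.5.23 192.0.2.250 udp 1434
10.0.7.8 10.0.7.9 udp 1434
10.0.7.8 10.0.7.9 udp 1434
10.0.9.44 198.51.100.7 tcp 443
this line is garbage and is skipped
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")

# Port of the SQL Server Resolution Service that Slammer sprayed.
SSRS_PORT = 1434


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, dst, proto, dport = m.groups()
            yield src, dst, proto, int(dport)


def udp1434_fanout(text):
    """Map each source to the set of distinct hosts it sent UDP/1434 to."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto == "udp" and dport == SSRS_PORT:
            targets[src].add(dst)
    return targets


def slammer_suspects(text, fanout_threshold=5):
    """Return {src: distinct_target_count} for sources whose UDP/1434 fan-out
    reaches the threshold. A real client resolves instances on one or a few
    SQL servers; a host spraying random addresses has a very large fan-out."""
    return {src: len(dsts)
            for src, dsts in udp1434_fanout(text).items()
            if len(dsts) >= fanout_threshold}


if __name__ == "__main__":
    for src, n in sorted(slammer_suspects(SAMPLE_FLOWS).items()):
        print(f"{src}: UDP/1434 to {n} distinct hosts, likely worm or scan")
```

The legitimate client 10.0.7.8, which talks to a single SQL server, stays below the threshold, while the spraying host stands out; a patched host that merely receives the packets never appears as a source.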
Terrifying Security Behavior
Early in my career, I worked in the airline industry as a sys-admin and software developer. In this role, I was exposed to physical and software security for the first time. I saw a fair number of bad habits throughout the aircraft maintenance organization – mechanics and maintenance workers accessing our systems using shared credentials taped to the front of the terminals, our team short-circuiting security controls to get a task done in a hurry to get an aircraft back in flight ASAP, etc. I saw lots of good things too, like how thorough everyone was when safety was concerned. But it seemed that security was always a hassle to people. It was always getting in their way.
Now keep in mind this was pre-9/11, and many things have changed since my time there, but that environment really set the tone for my position on security, both general and software-based. A lot of my co-workers took security quite seriously, and others were a bit paranoid and did some questionable things. One day I was talking to a mechanic about making a trip to an outlying city, and he suggested that this city (smaller than the location we worked at) was a bit dangerous and told me that whenever he had to fly there to perform maintenance, he would put a pistol in his portable toolbox and carry that on the plane.
That taught me a lot about security – the airline extended trust to this person, but its networks weren’t protected with defense-in-depth. This meant that he could walk onto the maintenance site with only a code to pass the main door. Once he had bypassed all physical security that the airport had in place, he could catch a shuttle to the terminal and hop on a plane with his gun close at hand in the cabin. That quite literally terrified me. I also reported this behavior to my superiors immediately.
Attackers Who Will Stop at Nothing
By Sarah Clarke, owner of Infospectives & board member of GiveADay
Jenny Radcliffe (leading expert on negotiation, deception and people hacking) was employed to assess security for a facility with links to the military. They told her their security was sharp, and it was. Really sharp. Cars searched, bags searched, photo ID mandatory and verified. Still, when you throw a gauntlet down for someone like Jenny, you’d better watch your back.
She used her public profile to secure a meeting with procurement to discuss contract negotiation skills. BANG! There go the outer perimeter physical security controls. She was approved to be there as herself.
On arriving, between leaving the car and arriving at reception, she burst a blood capsule on her hand. “Oh my, I’ve cut my finger. Can I possibly use the bathroom?” Buzzed through security by the sympathetic receptionist, she headed not to the bathroom but towards the IT room down the hall. BANG! The inner perimeter security controls are gone.
In the IT room, Jenny looks faint and flustered. She asks, “Does anyone have a plaster?” “I do,” pipes up a concerned IT guy. “Trust the manager to be prepared,” she simpers. “I’m not the manager,” he says. “He’s the manager.” “Sit down until you feel a bit better,” says the newly identified manager. BANG! There goes secure access to the internal IT room.
While sitting in the IT manager’s chair, Jenny plants a camera disguised as a water bottle above his desk. She then leaves, fully plastered and ready to go to her appointment. She then asks the kind receptionist to buzz her back through afterwards to pick up the water bottle she “stupidly” left behind.
Three days later, after deciphering low-res footage, Jenny is in possession of the master admin password for the company network. BANG goes all the layered IT defences, from perimeter to desktop.
These incidents are the scariest, the ones where you are targeted by an insider or someone who sits in a pub engaging disillusioned staff. Folks have little chance of stopping a determined attacker who can get next to their targets.
In the same way, this is the worst nightmare for security folk.